diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-22 08:36:22 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-26 14:03:44 +0200 |
| commit | 4ff993d7912516a2fd1d5c1e97a6f26a4644c1c6 (patch) | |
| tree | ac313e70bd5b7fef2dc7761ff80aa90c83c0a416 /crypto/ocsp | |
| parent | Generate a certificate with critical id-pkix-ocsp-nocheck extension (diff) | |
| download | openssl-4ff993d7912516a2fd1d5c1e97a6f26a4644c1c6.tar.xz openssl-4ff993d7912516a2fd1d5c1e97a6f26a4644c1c6.zip | |
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
Diffstat (limited to 'crypto/ocsp')
| -rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 92512829c9..0cd59f9221 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -26,7 +26,8 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, unsigned long flags); /* Returns 1 on success, 0 on failure, or -1 on fatal error */ -static int ocsp_verify_signer(X509 *signer, X509_STORE *st, unsigned long flags, +static int ocsp_verify_signer(X509 *signer, int response, + X509_STORE *st, unsigned long flags, STACK_OF(X509) *untrusted, STACK_OF(X509) **chain) { X509_STORE_CTX *ctx = X509_STORE_CTX_new(); @@ -41,9 +42,17 @@ static int ocsp_verify_signer(X509 *signer, X509_STORE *st, unsigned long flags, OCSPerr(0, ERR_R_X509_LIB); goto end; } - if ((flags & OCSP_PARTIAL_CHAIN) != 0 - && (vp = X509_STORE_CTX_get0_param(ctx)) != NULL) + if ((vp = X509_STORE_CTX_get0_param(ctx)) == NULL) + goto end; + if ((flags & OCSP_PARTIAL_CHAIN) != 0) X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN); + if (response + && X509_get_ext_by_NID(signer, NID_id_pkix_OCSP_noCheck, -1) >= 0) + /* + * Locally disable revocation status checking for OCSP responder cert. + * Done here for CRLs; TODO should be done also for OCSP-based checks. + */ + X509_VERIFY_PARAM_clear_flags(vp, X509_V_FLAG_CRL_CHECK); X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); /* TODO: why is X509_TRUST_OCSP_REQUEST set? Seems to get ignored. */ @@ -117,7 +126,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } else { untrusted = bs->certs; } - ret = ocsp_verify_signer(signer, st, flags, untrusted, &chain); + ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain); if (ret <= 0) goto end; if ((flags & OCSP_NOCHECKS) != 0) { @@ -390,7 +399,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, return 0; /* not returning 'ret' here for backward compatibility*/ if ((flags & OCSP_NOVERIFY) != 0) return 1; - return ocsp_verify_signer(signer, store, flags, + return ocsp_verify_signer(signer, 0, store, flags, (flags & OCSP_NOCHAIN) != 0 ? NULL : req->optionalSignature->certs, NULL) > 0; /* using '> 0' here to avoid breaking backward compatibility returning -1 */ |