authorDaiki Ueno <ueno@gnu.org>2020-08-20 13:20:49 +0000
committerDaiki Ueno <ueno@gnu.org>2020-08-20 13:20:49 +0000
commite77ac722063385d7c92ae1c6a0c1473b92cab682 (patch)
tree6be2a0cdecf856f84f094b40c8106e8092169f44
parent1417bb3336be25a90af9bb5aa8965ebf9c6feabb (diff)
parent1b1b5b90cc3dd72dc4639c723b97e1ae6792be0a (diff)
Merge branch 'tmp-ocsp-resp-status' into 'master'
cert-session: check OCSP error responses Closes #1062 See merge request gnutls/gnutls!1308
-rw-r--r--lib/cert-session.c21
-rw-r--r--tests/Makefile.am2
-rwxr-xr-xtests/ocsp-tests/ocsp-must-staple-connection111
-rw-r--r--tests/ocsp-tests/response3.der2
4 files changed, 134 insertions, 2 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 97f31597d5..86fa5868d0 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,
}
#ifdef ENABLE_OCSP
+static int
+_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
+ gnutls_x509_crt_t cert,
+ unsigned int * ocsp_status);
+
/* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
*
* Returns:
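Review bot: The forward declaration's last parameter is spelled `unsigned int * ocsp_status`, with a space on both sides of the declarator, whereas the surrounding file binds the asterisk to the name (for example `gnutls_certificate_credentials_t res` and the pointer parameters in the hunk below); keeping it as `unsigned int *ocsp_status` avoids a mismatch with the definition the prototype presumably fronts. Since the definition is not part of this diff, it is worth confirming that the prototype's signature matches it exactly, including the `unsigned int *` type of the status out-parameter.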
@@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
goto cleanup;
}
+ if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) {
+ ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) {
+ _gnutls_audit_log(session,
+ "Missing basic OCSP response while required: %s.\n",
+ gnutls_strerror(ret));
+ check_failed = 1;
+ }
+ ret = gnutls_assert_val(0);
+ goto cleanup;
+ }
+
ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
if (ret < 0) {
ret = gnutls_assert_val(0);
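Review bot: The audit message at the `_gnutls_audit_log` call formats `gnutls_strerror(ret)`, but at that point `ret` is the non-negative return of `_gnutls_ocsp_verify_mandatory_stapling` (the `ret < 0` case has already jumped to cleanup), so the log will print a success string rather than the reason the response was rejected. The useful detail is the OCSP response status that triggered the branch; I would capture it once, `int status = gnutls_ocsp_resp_get_status(resp);` and `if (status != GNUTLS_OCSP_RESP_SUCCESSFUL) {`, and then log `"Missing basic OCSP response while required: OCSP response status %d.\n", status` instead of the strerror text. A one-line comment above the branch would also help, since the behaviour is deliberate but non-obvious: an error-status response carries no revocation data, so it is treated as an absent staple and is fatal only when the certificate demands mandatory stapling. Note that `check_ocsp_response` begins and ends outside this hunk, so the earlier assignment of `ret` that the existing `goto cleanup` relies on is not visible here.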
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8d71fc4bf0..0387bf7389 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -57,7 +57,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
scripts/common.sh scripts/starttls-common.sh \
rng-op.c x509sign-verify-common.h common-key-tests.h \
ocsp-tests/certs/ca.key ocsp-tests/certs/ca.pem ocsp-tests/certs/ocsp-server.key ocsp-tests/certs/ocsp-server.pem ocsp-tests/response1.der \
- ocsp-tests/response2.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \
+ ocsp-tests/response2.der ocsp-tests/response3.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \
ocsp-tests/response1.pem ocsp-tests/response2.pem \
ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 49c355dda3..55d718ddf0 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -26,6 +26,7 @@ GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}"
DIFF="${DIFF:-diff}"
TEMPLATE_FILE="ms-out.$$.tmpl.tmp"
SERVER_CERT_FILE="ms-cert.$$.pem.tmp"
+SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp"
OCSP_RESPONSE_FILE="ms-resp.$$.tmp"
OCSP_REQ_FILE="ms-req.$$.tmp"
@@ -86,6 +87,7 @@ stop_servers ()
test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
rm -f "$TEMPLATE_FILE"
rm -f "$SERVER_CERT_FILE"
+ rm -f "$SERVER_CERT_NO_EXT_FILE"
rm -f "$OCSP_RESPONSE_FILE"
rm -f "$OCSP_REQ_FILE"
}
@@ -97,13 +99,21 @@ rm -f "$TEMPLATE_FILE"
cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
chmod u+w "$TEMPLATE_FILE"
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
-echo "tls_feature = 5" >>"$TEMPLATE_FILE"
# Generate certificates with the random port
datefudge -s "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null
+
+# Generate certificates with the random port (with mandatory stapling extension)
+echo "tls_feature = 5" >>"$TEMPLATE_FILE"
+
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
echo "=== Bringing OCSP server up ==="
@@ -392,6 +402,105 @@ kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID
+echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
kill ${OCSP_PID}
wait ${OCSP_PID}
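Review bot: Test 9's failure branch exits with `exit ${rc}` inside `if test "${rc}" = "0"`, so when the connection unexpectedly succeeds the script exits with status 0 and the harness reports the negative test as passing; the branch should be `exit 1` (the echo line above it can stay as is). The same inverted-exit pattern does not occur in Tests 7 and 8, which correctly propagate a non-zero `rc`. Separately, the three new heading strings read "OSCP response error" where the rest of the script says OCSP; since they are only test output, `echo "=== Test 7: OCSP response error - client doesn't send status_request ==="` (and likewise for Tests 8 and 9) would keep log output greppable.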
diff --git a/tests/ocsp-tests/response3.der b/tests/ocsp-tests/response3.der
new file mode 100644
index 0000000000..39e09cffaa
--- /dev/null
+++ b/tests/ocsp-tests/response3.der
@@ -0,0 +1,2 @@
+0
+ \ No newline at end of file