author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-18 16:36:38 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-18 16:36:38 +0100 |
commit | 12f3130a9a3b776c4674bc0c35ec161a8e99a1d2 (patch) | |
tree | 16a8adf7dc98fb35d35953d3394f689a02d1be53 /src/ocsptool-common.c | |
parent | 31e44103c4a3ec0b05f272bbaec73a60c07bfc88 (diff) | |
download | gnutls-12f3130a9a3b776c4674bc0c35ec161a8e99a1d2.tar.gz |
When sending a nonce in an OCSP request, check that it is present in the reply.
Diffstat (limited to 'src/ocsptool-common.c')
-rw-r--r-- | src/ocsptool-common.c | 50 |
1 files changed, 33 insertions, 17 deletions
diff --git a/src/ocsptool-common.c b/src/ocsptool-common.c index 42ca2fee96..9404865ce5 100644 --- a/src/ocsptool-common.c +++ b/src/ocsptool-common.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Free Software Foundation, Inc. + * Copyright (C) 2012-2014 Free Software Foundation, Inc. * * This file is part of GnuTLS. * @@ -73,7 +73,7 @@ static const char *host_from_url(const char *url, unsigned int *port) void _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, - gnutls_datum_t * rdata, int nonce) + gnutls_datum_t * rdata, gnutls_datum_t *nonce) { gnutls_ocsp_req_t req; int ret; @@ -92,18 +92,7 @@ _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, } if (nonce) { - unsigned char noncebuf[23]; - gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) }; - - ret = - gnutls_rnd(GNUTLS_RND_RANDOM, nonce.data, nonce.size); - if (ret < 0) { - fprintf(stderr, "gnutls_rnd: %s", - gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_ocsp_req_set_nonce(req, 0, &nonce); + ret = gnutls_ocsp_req_set_nonce(req, 0, nonce); if (ret < 0) { fprintf(stderr, "ocsp_req_set_nonce: %s", gnutls_strerror(ret)); @@ -144,7 +133,7 @@ static size_t get_data(void *buffer, size_t size, size_t nmemb, /* Returns 0 on ok, and -1 on error */ int send_ocsp_request(const char *server, gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, - gnutls_datum_t * resp_data, int nonce) + gnutls_datum_t * resp_data, gnutls_datum_t *nonce) { gnutls_datum_t ud; int ret; @@ -311,7 +300,8 @@ void print_ocsp_verify_res(unsigned int output) */ int check_ocsp_response(gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer, gnutls_datum_t * data) + gnutls_x509_crt_t issuer, gnutls_datum_t * data, + gnutls_datum_t * nonce) { gnutls_ocsp_resp_t resp; int ret; @@ -361,6 +351,7 @@ check_ocsp_response(gnutls_x509_crt_t cert, goto cleanup; } + ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, &cert_status, &vtime, &ntime, &rtime, NULL); 
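Review bot: The new `gnutls_datum_t *nonce` parameter of `_generate_request` changes the contract from "flag: generate a nonce" to "caller-supplied nonce", but nothing documents that the caller now owns the value, must make it random, and presumably has to keep it to compare against the reply later; the same undocumented change is made to `send_ocsp_request` and `check_ocsp_response` in the following hunks. I would add above the `_generate_request` definition: `/* nonce: caller-owned random value to include in the request, or NULL to omit the nonce extension; the caller keeps it to check the reply. */`. Since the old parameter was an `int`, any call site or header prototype not updated in the same commit would now pass an integer where a pointer is expected, so it is worth confirming those were all changed (not visible here). The bodies of all three functions continue outside their hunks.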
@@ -395,10 +386,35 @@ check_ocsp_response(gnutls_x509_crt_t cert, } } + if (nonce) { + gnutls_datum_t rnonce; + + ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fprintf(stderr, "*** The OCSP reply did not include the requested nonce.\n"); + goto finish_ok; + } + + if (ret < 0) { + fprintf(stderr, "could not read response's nonce: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data, + nonce->size) != 0) { + fprintf(stderr, "nonce in the response doesn't match\n"); + exit(1); + } + + gnutls_free(rnonce.data); + } + + finish_ok: printf("- OCSP server flags certificate not revoked as of %s", ctime(&vtime)); ret = 1; - cleanup: + cleanup: gnutls_ocsp_resp_deinit(resp); return ret; |
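Review bot: In the `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` branch the reply is accepted anyway: after the stderr message, `goto finish_ok` reaches the "not revoked" printf and `ret = 1`, so a response that cannot be tied to this request is treated exactly like a verified one, and the only record of it is a console line. If tolerating responders that do not echo the nonce is intended, say so at that branch, e.g. `/* Responders that ignore the nonce extension are tolerated: the reply is still signed, but it is not bound to this request, so freshness is not guaranteed. */`, and consider making a hard failure available to callers that require freshness. Also, the `goto` exists only to skip the `if (ret < 0)` that follows; `} else if (ret < 0) {` would express that without the label. The enclosing `check_ocsp_response` starts outside this hunk, so whether signature verification happened before this point is not visible here.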