diff options
Diffstat (limited to 'src/lib/libtls/tls_ocsp.c')
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 44 |
1 files changed, 26 insertions, 18 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index f7d7ba9199..bfd06e3c6a 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */ | 1 | /* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2015 Marko Kreen <markokr@gmail.com> | 3 | * Copyright (c) 2015 Marko Kreen <markokr@gmail.com> |
| 4 | * Copyright (c) 2016 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2016 Bob Beck <beck@openbsd.org> |
| @@ -85,7 +85,7 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status, | |||
| 85 | ctx->ocsp->ocsp_result = NULL; | 85 | ctx->ocsp->ocsp_result = NULL; |
| 86 | 86 | ||
| 87 | if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) { | 87 | if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) { |
| 88 | tls_set_error(ctx, "calloc"); | 88 | tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); |
| 89 | return -1; | 89 | return -1; |
| 90 | } | 90 | } |
| 91 | info->response_status = response_status; | 91 | info->response_status = response_status; |
| @@ -102,19 +102,19 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status, | |||
| 102 | info->revocation_time = info->this_update = info->next_update = -1; | 102 | info->revocation_time = info->this_update = info->next_update = -1; |
| 103 | if (revtime != NULL && | 103 | if (revtime != NULL && |
| 104 | tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { | 104 | tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { |
| 105 | tls_set_error(ctx, | 105 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, |
| 106 | "unable to parse revocation time in OCSP reply"); | 106 | "unable to parse revocation time in OCSP reply"); |
| 107 | goto err; | 107 | goto err; |
| 108 | } | 108 | } |
| 109 | if (thisupd != NULL && | 109 | if (thisupd != NULL && |
| 110 | tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { | 110 | tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { |
| 111 | tls_set_error(ctx, | 111 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, |
| 112 | "unable to parse this update time in OCSP reply"); | 112 | "unable to parse this update time in OCSP reply"); |
| 113 | goto err; | 113 | goto err; |
| 114 | } | 114 | } |
| 115 | if (nextupd != NULL && | 115 | if (nextupd != NULL && |
| 116 | tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { | 116 | tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { |
| 117 | tls_set_error(ctx, | 117 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, |
| 118 | "unable to parse next update time in OCSP reply"); | 118 | "unable to parse next update time in OCSP reply"); |
| 119 | goto err; | 119 | goto err; |
| 120 | } | 120 | } |
| @@ -180,19 +180,21 @@ tls_ocsp_setup_from_peer(struct tls *ctx) | |||
| 180 | ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn); | 180 | ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn); |
| 181 | ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn); | 181 | ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn); |
| 182 | if (ocsp->main_cert == NULL) { | 182 | if (ocsp->main_cert == NULL) { |
| 183 | tls_set_errorx(ctx, "no peer certificate for OCSP"); | 183 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 184 | "no peer certificate for OCSP"); | ||
| 184 | goto err; | 185 | goto err; |
| 185 | } | 186 | } |
| 186 | 187 | ||
| 187 | ocsp_urls = X509_get1_ocsp(ocsp->main_cert); | 188 | ocsp_urls = X509_get1_ocsp(ocsp->main_cert); |
| 188 | if (ocsp_urls == NULL) { | 189 | if (ocsp_urls == NULL) { |
| 189 | tls_set_errorx(ctx, "no OCSP URLs in peer certificate"); | 190 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 191 | "no OCSP URLs in peer certificate"); | ||
| 190 | goto err; | 192 | goto err; |
| 191 | } | 193 | } |
| 192 | 194 | ||
| 193 | ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0)); | 195 | ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0)); |
| 194 | if (ocsp->ocsp_url == NULL) { | 196 | if (ocsp->ocsp_url == NULL) { |
| 195 | tls_set_errorx(ctx, "out of memory"); | 197 | tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); |
| 196 | goto err; | 198 | goto err; |
| 197 | } | 199 | } |
| 198 | 200 | ||
| @@ -217,7 +219,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) | |||
| 217 | unsigned long flags; | 219 | unsigned long flags; |
| 218 | 220 | ||
| 219 | if ((br = OCSP_response_get1_basic(resp)) == NULL) { | 221 | if ((br = OCSP_response_get1_basic(resp)) == NULL) { |
| 220 | tls_set_errorx(ctx, "cannot load ocsp reply"); | 222 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "cannot load ocsp reply"); |
| 221 | goto err; | 223 | goto err; |
| 222 | } | 224 | } |
| 223 | 225 | ||
| @@ -230,14 +232,15 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) | |||
| 230 | /* now verify */ | 232 | /* now verify */ |
| 231 | if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, | 233 | if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, |
| 232 | SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { | 234 | SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { |
| 233 | tls_set_errorx(ctx, "ocsp verify failed"); | 235 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ocsp verify failed"); |
| 234 | goto err; | 236 | goto err; |
| 235 | } | 237 | } |
| 236 | 238 | ||
| 237 | /* signature OK, look inside */ | 239 | /* signature OK, look inside */ |
| 238 | response_status = OCSP_response_status(resp); | 240 | response_status = OCSP_response_status(resp); |
| 239 | if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { | 241 | if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
| 240 | tls_set_errorx(ctx, "ocsp verify failed: response - %s", | 242 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 243 | "ocsp verify failed: response - %s", | ||
| 241 | OCSP_response_status_str(response_status)); | 244 | OCSP_response_status_str(response_status)); |
| 242 | goto err; | 245 | goto err; |
| 243 | } | 246 | } |
| @@ -245,19 +248,21 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) | |||
| 245 | cid = tls_ocsp_get_certid(ctx->ocsp->main_cert, | 248 | cid = tls_ocsp_get_certid(ctx->ocsp->main_cert, |
| 246 | ctx->ocsp->extra_certs, ctx->ssl_ctx); | 249 | ctx->ocsp->extra_certs, ctx->ssl_ctx); |
| 247 | if (cid == NULL) { | 250 | if (cid == NULL) { |
| 248 | tls_set_errorx(ctx, "ocsp verify failed: no issuer cert"); | 251 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 252 | "ocsp verify failed: no issuer cert"); | ||
| 249 | goto err; | 253 | goto err; |
| 250 | } | 254 | } |
| 251 | 255 | ||
| 252 | if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, | 256 | if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, |
| 253 | &revtime, &thisupd, &nextupd) != 1) { | 257 | &revtime, &thisupd, &nextupd) != 1) { |
| 254 | tls_set_errorx(ctx, "ocsp verify failed: no result for cert"); | 258 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 259 | "ocsp verify failed: no result for cert"); | ||
| 255 | goto err; | 260 | goto err; |
| 256 | } | 261 | } |
| 257 | 262 | ||
| 258 | if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, | 263 | if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, |
| 259 | MAXAGE_SEC) != 1) { | 264 | MAXAGE_SEC) != 1) { |
| 260 | tls_set_errorx(ctx, | 265 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 261 | "ocsp verify failed: ocsp response not current"); | 266 | "ocsp verify failed: ocsp response not current"); |
| 262 | goto err; | 267 | goto err; |
| 263 | } | 268 | } |
| @@ -269,8 +274,9 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) | |||
| 269 | /* finally can look at status */ | 274 | /* finally can look at status */ |
| 270 | if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status != | 275 | if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status != |
| 271 | V_OCSP_CERTSTATUS_UNKNOWN) { | 276 | V_OCSP_CERTSTATUS_UNKNOWN) { |
| 272 | tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s", | 277 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 273 | OCSP_crl_reason_str(crl_reason)); | 278 | "ocsp verify failed: revoked cert - %s", |
| 279 | OCSP_crl_reason_str(crl_reason)); | ||
| 274 | goto err; | 280 | goto err; |
| 275 | } | 281 | } |
| 276 | ret = 0; | 282 | ret = 0; |
| @@ -298,7 +304,8 @@ tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *respons | |||
| 298 | if (resp == NULL) { | 304 | if (resp == NULL) { |
| 299 | tls_ocsp_free(ctx->ocsp); | 305 | tls_ocsp_free(ctx->ocsp); |
| 300 | ctx->ocsp = NULL; | 306 | ctx->ocsp = NULL; |
| 301 | tls_set_error(ctx, "unable to parse OCSP response"); | 307 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, |
| 308 | "unable to parse OCSP response"); | ||
| 302 | return -1; | 309 | return -1; |
| 303 | } | 310 | } |
| 304 | ret = tls_ocsp_verify_response(ctx, resp); | 311 | ret = tls_ocsp_verify_response(ctx, resp); |
| @@ -320,7 +327,8 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) | |||
| 320 | size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw); | 327 | size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw); |
| 321 | if (size <= 0) { | 328 | if (size <= 0) { |
| 322 | if (ctx->config->ocsp_require_stapling) { | 329 | if (ctx->config->ocsp_require_stapling) { |
| 323 | tls_set_errorx(ctx, "no stapled OCSP response provided"); | 330 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
| 331 | "no stapled OCSP response provided"); | ||
| 324 | return 0; | 332 | return 0; |
| 325 | } | 333 | } |
| 326 | return 1; | 334 | return 1; |