revocation: Reject OCSP error responses

Otherwise, there is lengthy code that tries to validate such responses,
even though they don't contain any signatures.

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index a4e16dffe04bcd3c18f4076e0d45205a9e52bff2..4bf2cfb5c6f9ae898228abacf9bc05560d96d2f6 100644 (file)
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -121,8 +121,14 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
                request->destroy(request);
                return NULL;
        }
-       ocsp_request = (ocsp_request_t*)request;
        ocsp_response = (ocsp_response_t*)response;
+       if (ocsp_response->get_ocsp_status(ocsp_response) != OCSP_SUCCESSFUL)
+       {
+               response->destroy(response);
+               request->destroy(request);
+               return NULL;
+       }
+       ocsp_request = (ocsp_request_t*)request;
        if (ocsp_response->get_nonce(ocsp_response).len &&
                !chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
                                                        ocsp_response->get_nonce(ocsp_response)))