From: Tobias Brunner
Date: Thu, 23 Nov 2023 16:51:57 +0000 (+0100)
Subject: revocation: Reject OCSP error responses
X-Git-Tag: 5.9.13rc1~1^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d345b3dde76489a7012bd1df4d961d820eeec2a;p=thirdparty%2Fstrongswan.git

revocation: Reject OCSP error responses

Otherwise, there is lengthy code that tries to validate such responses, even though they don't contain any signatures.
---

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index a4e16dffe0..4bf2cfb5c6 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -121,8 +121,14 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 request->destroy(request);
 return NULL;
 }
- ocsp_request = (ocsp_request_t*)request;
 ocsp_response = (ocsp_response_t*)response;
+ if (ocsp_response->get_ocsp_status(ocsp_response) != OCSP_SUCCESSFUL)
+ {
+ response->destroy(response);
+ request->destroy(request);
+ return NULL;
+ }
+ ocsp_request = (ocsp_request_t*)request;
 if (ocsp_response->get_nonce(ocsp_response).len &&
 !chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
 ocsp_response->get_nonce(ocsp_response)))
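Review bot: The new status branch in fetch_ocsp returns NULL without any diagnostic, so a responder answering with an unsigned error status (unauthorized, tryLater, internalError, ...) is indistinguishable to the operator from a plain transport failure, which is exactly the condition a misconfigured responder or a tampered response path would produce and the one worth surfacing in logs. Rejecting such a response before the nonce and signature checks is correct since it carries no signature, but I would log the status before the two destroy calls, e.g. `DBG1(DBG_CFG, "OCSP responder returned status %N, rejecting response", ocsp_status_names, ocsp_response->get_ocsp_status(ocsp_response));`, assuming `ocsp_status_names` is exported by ocsp_response.h as in the rest of libstrongswan. Moving the `ocsp_request` cast below the check is harmless, as its first use is the nonce comparison that follows. fetch_ocsp starts and ends outside this hunk, so I could not confirm whether the neighbouring failure paths already log at this level.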