cert-session: check OCSP error responses

If the OCSP responder returns an error code, such as tryLater, we
can't proceed to examine the response bytes.  In that case, just skip
the check unless the stapling is mandatory on this certificate.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/lib/cert-session.c b/lib/cert-session.c
index db04a25e5de29631f2face7965523ab27dfb7422..5192083211d270d457d2b59d725de4a904bbfdcc 100644 (file)
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,
 }
 
 #ifdef ENABLE_OCSP
+static int
+_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
+                                      gnutls_x509_crt_t cert,
+                                      unsigned int * ocsp_status);
+
 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
  * 
  * Returns:
@@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
                goto cleanup;
        }
 
+       if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) {
+               ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus);
+               if (ret < 0) {
+                       gnutls_assert();
+                       goto cleanup;
+               }
+               if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) {
+                       _gnutls_audit_log(session,
+                                         "Missing basic OCSP response while required: %s.\n",
+                                         gnutls_strerror(ret));
+                       check_failed = 1;
+               }
+               ret = gnutls_assert_val(0);
+               goto cleanup;
+       }
+
        ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
        if (ret < 0) {
                ret = gnutls_assert_val(0);

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8d71fc4bf082870d5dfa1674823b850e4bb9d550..0387bf73898db37276e77654906705069d99f129 100644 (file)
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -57,7 +57,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
        scripts/common.sh scripts/starttls-common.sh \
        rng-op.c x509sign-verify-common.h common-key-tests.h \
        ocsp-tests/certs/ca.key ocsp-tests/certs/ca.pem ocsp-tests/certs/ocsp-server.key ocsp-tests/certs/ocsp-server.pem ocsp-tests/response1.der \
-       ocsp-tests/response2.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \
+       ocsp-tests/response2.der ocsp-tests/response3.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \
        ocsp-tests/response1.pem ocsp-tests/response2.pem \
        ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \
        ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \

diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 49c355dda39878a9f9a311e37853a529866eac94..55d718ddf0ec9bcd9c4ab77a8c9d97eadc980e5f 100755 (executable)
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -26,6 +26,7 @@ GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}"
 DIFF="${DIFF:-diff}"
 TEMPLATE_FILE="ms-out.$$.tmpl.tmp"
 SERVER_CERT_FILE="ms-cert.$$.pem.tmp"
+SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp"
 OCSP_RESPONSE_FILE="ms-resp.$$.tmp"
 OCSP_REQ_FILE="ms-req.$$.tmp"
 
@@ -86,6 +87,7 @@ stop_servers ()
     test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
     rm -f "$TEMPLATE_FILE"
     rm -f "$SERVER_CERT_FILE"
+    rm -f "$SERVER_CERT_NO_EXT_FILE"
     rm -f "$OCSP_RESPONSE_FILE"
     rm -f "$OCSP_REQ_FILE"
 }
@@ -97,9 +99,17 @@ rm -f "$TEMPLATE_FILE"
 cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
 chmod u+w "$TEMPLATE_FILE"
 echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
-echo "tls_feature = 5" >>"$TEMPLATE_FILE"
 
 # Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+       --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+       --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+       --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+       --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null
+
+# Generate certificates with the random port (with mandatory stapling extension)
+echo "tls_feature = 5" >>"$TEMPLATE_FILE"
+
 datefudge -s "${CERTDATE}" ${CERTTOOL} \
        --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
        --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
@@ -392,6 +402,105 @@ kill "${TLS_SERVER_PID}"
 wait "${TLS_SERVER_PID}"
 unset TLS_SERVER_PID
 
+echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${GNUTLS_SERV}" --echo --disable-client-cert \
+         --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+         --x509certfile="${SERVER_CERT_FILE}" \
+         --port="${TLS_SERVER_PORT}" \
+         --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+    datefudge -s "${TESTDATE}" \
+             "${GNUTLS_CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+             --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+    echo "Connecting to server with valid certificate and OCSP error response failed"
+    exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${GNUTLS_SERV}" --echo --disable-client-cert \
+         --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+         --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
+         --port="${TLS_SERVER_PORT}" \
+         --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+    datefudge -s "${TESTDATE}" \
+             "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+             --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+    echo "Connecting to server with valid certificate and OCSP error response failed"
+    exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${GNUTLS_SERV}" --echo --disable-client-cert \
+         --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+         --x509certfile="${SERVER_CERT_FILE}" \
+         --port="${TLS_SERVER_PORT}" \
+         --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+    datefudge -s "${TESTDATE}" \
+             "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+             --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" = "0"; then
+    echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded"
+    exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
 
 kill ${OCSP_PID}
 wait ${OCSP_PID}

diff --git a/tests/ocsp-tests/response3.der b/tests/ocsp-tests/response3.der
new file mode 100644 (file)
index 0000000..39e09cf
--- /dev/null
+++ b/tests/ocsp-tests/response3.der
@@ -0,0 +1,2 @@
+0\ 3
+\ 1\ 3
\ No newline at end of file