File openssl-s_client-check-ocsp-status.patch of Package openssl-1_1.32465
From c43f598838acaf3b98df4fce4b6babb663d2f902 Mon Sep 17 00:00:00 2001
From: Otto Hollmann <otto.hollmann@suse.com>
Date: Fri, 30 Jun 2023 11:15:30 +0200
Subject: [PATCH] Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client.

---
 apps/s_client.c        | 10 ++++++++--
 crypto/ocsp/ocsp_vfy.c | 31 +++++++++++++++++++++++++++++++
 include/openssl/ocsp.h |  1 +
 util/libcrypto.num     |  1 +
 4 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index a6c5a559a9da..e1090d23f44b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3608,7 +3608,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
     const unsigned char *p;
-    int len;
+    int len, ret;
     OCSP_RESPONSE *rsp;
     len = SSL_get_tlsext_status_ocsp_resp(s, &p);
     BIO_puts(arg, "OCSP response: ");
@@ -3625,8 +3625,14 @@ static int ocsp_resp_cb(SSL *s, void *arg)
     BIO_puts(arg, "\n======================================\n");
     OCSP_RESPONSE_print(arg, rsp, 0);
     BIO_puts(arg, "======================================\n");
+    ret = OCSP_RESPONSE_check_status(rsp);
     OCSP_RESPONSE_free(rsp);
-    return 1;
+    if (ret <= -1) {
+        BIO_puts(arg, "unable to verify OCSP response\n");
+    } else if (ret == 0) {
+        BIO_puts(arg, "revoked certificate found in OCSP response\n");
+    }
+    return ret;
 }
 # endif
 
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index b0827e9a22c0..dd4ea3d0a99e 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
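Review bot: The new `ret <= -1` branch in the second s_client.c hunk turns any stapled response that is not a successful basic response (presumably including responder statuses such as tryLater, where responseBytes is absent) into a fatal handshake error, while the earlier part of ocsp_resp_cb, outside this hunk, appears to keep accepting a server that staples nothing at all; the check therefore only constrains servers that do staple, and that asymmetry deserves a comment above the new `if`, e.g. `/* A stapled response must now be a well-formed basic response with no revoked status; an absent staple is still accepted above. */`. The message `"unable to verify OCSP response\n"` also overstates what happened, since OCSP_RESPONSE_check_status() does not verify the responder signature; `"OCSP response is not a successful basic response\n"` describes the -1 case more accurately. ocsp_resp_cb starts before this hunk.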
@@ -438,3 +438,34 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
     }
     return 0;
 }
+
+/*
+ * Check an OCSP response for revoked certificate. Return a negative value on
+ * error; 0 if the response is not acceptable (in which case the handshake
+ * will fail) or a positive value if it is acceptable (no revoked certificate
+ * is found).
+ */
+
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
+{
+    int i;
+    OCSP_BASICRESP *br = NULL;
+    OCSP_RESPDATA *rd = NULL;
+    OCSP_SINGLERESP *single = NULL;
+    OCSP_RESPBYTES *rb = o->responseBytes;
+    if (rb == NULL)
+        return -1;
+    if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+        return -1;
+    if ((br = OCSP_response_get1_basic(o)) == NULL)
+        return -1;
+    rd = &br->tbsResponseData;
+    for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
+        if (!sk_OCSP_SINGLERESP_value(rd->responses, i))
+            continue;
+        single = sk_OCSP_SINGLERESP_value(rd->responses, i);
+        if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED)
+            return 0;
+    }
+    return 1;
+}
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index e2cc2716b56b..c94ebd2906d4 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -375,6 +375,7 @@ const char *OCSP_crl_reason_str(long s);
 
 int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
 int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o);
 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags);
 
diff --git a/util/libcrypto.num b/util/libcrypto.num
index d909721a3681..6d7ab664b4e3 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5518,3 +5518,4 @@ X509_STORE_CTX_init_rpk ? 3_2_0 EXIST::FUNCTION:
 fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION:
 FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION:
 FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION:
+OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP
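Review bot: `br` returned by `OCSP_response_get1_basic(o)` is an owned, freshly decoded OCSP_BASICRESP (the get1 convention) and is never released, so every call of OCSP_RESPONSE_check_status() that gets past that point leaks it on both the `return 0` and the `return 1` path; `OCSP_BASICRESP_free(br)` must run before each return, most simply by collecting the outcome in a variable and freeing once. The function also only scans certStatus: it does not verify the responder signature (OCSP_basic_verify), the thisUpdate/nextUpdate window (OCSP_check_validity), or that a SingleResponse's certID belongs to the server certificate, so the header comment should call it a revocation-status scan of an otherwise unvalidated response rather than imply verification. The public accessors OCSP_resp_count(), OCSP_resp_get0() and OCSP_single_get0_status() would avoid reaching into `tbsResponseData` and `certStatus` directly, and assigning `single` before the NULL test avoids calling `sk_OCSP_SINGLERESP_value` twice per iteration.
```c
int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
{
    int i, ret = 1;
    /* … unchanged: remaining local declarations, responseBytes and responseType checks … */
    if ((br = OCSP_response_get1_basic(o)) == NULL)
        return -1;
    rd = &br->tbsResponseData;
    for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
        single = sk_OCSP_SINGLERESP_value(rd->responses, i);
        if (single == NULL)
            continue;
        if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) {
            ret = 0;
            break;
        }
    }
    /* get1 handed out an owned reference; release it on every path */
    OCSP_BASICRESP_free(br);
    return ret;
}
```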