This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
     new ca0f888c1 Add nonce checks to OCSP lookups
ca0f888c1 is described below

commit ca0f888c186f87540cc4fb8b56ef9382d31308a1
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 08:44:11 2025 +0000

    Add nonce checks to OCSP lookups
---
 native/src/sslutils.c             | 15 +++++++++++++--
 xdocs/miscellaneous/changelog.xml |  4 ++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 6c4f26d72..89b636846 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -950,6 +950,9 @@ static OCSP_REQUEST *get_ocsp_request(X509 *cert, X509 
*issuer)
         return NULL;
     }
 
+    // Add a nonce to protect against replay attacks
+    OCSP_request_add1_nonce(ocsp_req, NULL, -1);
+
     return ocsp_req;
 }
 
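Review bot: The return value of OCSP_request_add1_nonce() is ignored, so if the nonce cannot be added (it returns 0 on failure, e.g. no random bytes or allocation failure) the request is sent without one, and because process_ocsp_response() only rejects a result of 0 from OCSP_check_nonce(), the nonce-less exchange is accepted silently and the replay protection this commit introduces is lost without any trace. Treat it like the other construction failures in this function: `if (OCSP_request_add1_nonce(ocsp_req, NULL, -1) != 1) { OCSP_REQUEST_free(ocsp_req); return NULL; }`. As a point of style, the added comment uses `//` whereas the surrounding file comments with `/* */` (see the block comment before process_ocsp_response and "we clean up" below). The body of get_ocsp_request() starts outside the hunk, so the exact failure pattern used earlier in it is inferred from the `return NULL` visible above.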
@@ -1006,7 +1009,8 @@ end:
 /* Process the OCSP_RESPONSE and returns the corresponding
    answer according to the status.
 */
-static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 
*issuer)
+static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE 
*ocsp_resp, X509 *cert, X509 *issuer,
+        X509_STORE_CTX *ctx)
 {
     int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
     OCSP_BASICRESP *bs;
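Review bot: The block comment above the new signature still describes the old contract and says nothing about the two added parameters, which is the only place a caller learns that ctx is written to. I would extend it to: `/* Process the OCSP_RESPONSE and returns the corresponding answer according to the status. ocsp_req is the request this response answers; its nonce is compared with the one in the response, and if the response is rejected the reason is recorded in ctx via X509_STORE_CTX_set_error(). */`. The rest of the function is outside this hunk.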
@@ -1018,7 +1022,13 @@ static int process_ocsp_response(OCSP_RESPONSE 
*ocsp_resp, X509 *cert, X509 *iss
     if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
         return OCSP_STATUS_UNKNOWN;
     }
+    
     bs = OCSP_response_get1_basic(ocsp_resp);
+    if (OCSP_check_nonce(ocsp_req, bs) == 0) {
+        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
+        o = OCSP_STATUS_UNKNOWN;
+        goto clean_bs;
+    }
 
     certid = OCSP_cert_to_id(NULL, cert, issuer);
     if (certid == NULL) {
@@ -1037,6 +1047,7 @@ static int process_ocsp_response(OCSP_RESPONSE 
*ocsp_resp, X509 *cert, X509 *iss
 
     /* we clean up */
     OCSP_CERTID_free(certid);
+clean_bs:
     OCSP_BASICRESP_free(bs);
     return o;
 }
@@ -1072,7 +1083,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, 
X509_STORE_CTX *ctx)
         if (req != NULL) {
             resp = get_ocsp_response(p, ocsp_urls[0], req);
             if (resp != NULL) {
-                rv = process_ocsp_response(resp, cert, issuer);
+                rv = process_ocsp_response(req, resp, cert, issuer, ctx);
             } else {
                 /* correct error code for application errors? */
                 X509_STORE_CTX_set_error(ctx, 
X509_V_ERR_APPLICATION_VERIFICATION);
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 3e0aebf77..b6e3da7e1 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -37,6 +37,10 @@
       The Windows binaries are now built with OCSP support enabled by default.
       (markt)
     </update>
+    <add>
+      Include a nonce with OCSP requests and check the nonce, if any, in the
+      OCSP response. (markt)
+    </add>
   </changelog>
 </section>
 <section name="Changes in 2.0.9">

