This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 1.3.x in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit b8e9ee126ac9cfaada3f1b81d4a83edfb45f56c3
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 09:06:31 2025 +0000
More verification of OCSP responses - timestamps
---
native/include/ssl_private.h | 2 ++
native/src/sslutils.c | 19 ++++++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 3eefd13ed..bce883321 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -218,6 +218,8 @@ extern ENGINE *tcn_ssl_engine;
 #define OCSP_STATUS_OK 0
 #define OCSP_STATUS_REVOKED 1
 #define OCSP_STATUS_UNKNOWN 2
+/* 15 minutes - aligns with JSSE */
+#define OCSP_MAX_SKEW 900
 #endif
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 03aeed5d3..66790d3e3 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -1036,6 +1036,8 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
 OCSP_BASICRESP *bs;
 OCSP_SINGLERESP *ss;
 OCSP_CERTID *certid;
+ ASN1_GENERALIZEDTIME *thisupd;
+ ASN1_GENERALIZEDTIME *nextupd;
 STACK_OF(X509) *certStack;
 r = OCSP_response_status(ocsp_resp);
@@ -1043,7 +1045,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
 if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
 return OCSP_STATUS_UNKNOWN;
 }
-
+
 bs = OCSP_response_get1_basic(ocsp_resp);
 if (OCSP_check_nonce(ocsp_req, bs) == 0) {
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
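Review bot: The comment on the new `#define OCSP_MAX_SKEW 900` gives the value in minutes while the constant itself is in seconds, which is the unit `OCSP_check_validity()` takes for its leeway argument, and nothing at the definition site says so. Naming the unit and what the constant is applied to makes a later adjustment less error-prone: `/* Clock-skew tolerance applied to OCSP thisUpdate/nextUpdate checks, in seconds (15 minutes, aligns with JSSE). */`. The `#ifdef` block this definition sits in opens above the hunk.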
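Review bot: The two added declarations, `ASN1_GENERALIZEDTIME *thisupd;` and `ASN1_GENERALIZEDTIME *nextupd;`, are output parameters that are assigned only when the later `OCSP_single_get0_status()` call succeeds; as far as I recall, that function returns -1 and leaves its output pointers untouched when given a NULL single response, which is what `OCSP_resp_get0()` yields when `OCSP_resp_find()` finds no matching certificate ID. Initializing them at declaration, `ASN1_GENERALIZEDTIME *thisupd = NULL;` and `ASN1_GENERALIZEDTIME *nextupd = NULL;`, turns that path into a deterministic NULL that downstream code can test rather than an indeterminate pointer. process_ocsp_response begins above this hunk and continues past it.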
@@ -1066,7 +1068,18 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
 }
 ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
- i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
+ i = OCSP_single_get0_status(ss, NULL, NULL, &thisupd, &nextupd);
+ if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, -1) <= 0) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_NOT_YET_VALID);
+ o = OCSP_STATUS_UNKNOWN;
+ goto clean_certid;
+ }
+ if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, OCSP_MAX_SKEW) <= 0) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_HAS_EXPIRED);
+ o = OCSP_STATUS_UNKNOWN;
+ goto clean_certid;
+ }
+
 if (i == V_OCSP_CERTSTATUS_GOOD)
 o = OCSP_STATUS_OK;
 else if (i == V_OCSP_CERTSTATUS_REVOKED)
@@ -1074,7 +1087,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
 else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
 o = OCSP_STATUS_UNKNOWN;
- /* we clean up */
+clean_certid:
 OCSP_CERTID_free(certid);
 clean_bs:
 OCSP_BASICRESP_free(bs);
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
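Review bot: The second `OCSP_check_validity()` call passes `OCSP_MAX_SKEW` as maxsec, and in OpenSSL's API a non-negative maxsec is an upper bound on the age of thisUpdate rather than extra leeway, so a response whose thisUpdate is more than 15 minutes old is reported as X509_V_ERR_OCSP_HAS_EXPIRED even when its nextUpdate lies well in the future; responders routinely serve pre-generated responses that are hours or days old, so this path would turn most good responses into OCSP_STATUS_UNKNOWN. The first call with maxsec -1 already fails on a past nextUpdate as well as on a future thisUpdate (each with the skew allowance) and on a nextUpdate earlier than thisUpdate, so an expired response is in fact reported as X509_V_ERR_OCSP_NOT_YET_VALID and never reaches the second call, which therefore contributes only the unintended age limit. Just before the validity checks, `i` is not tested: when `OCSP_resp_find()` finds no match, `OCSP_resp_get0()` yields NULL and `OCSP_single_get0_status()` returns -1 without assigning thisupd or nextupd, so the new code would hand indeterminate pointers to `OCSP_check_validity()`. I would guard on `i < 0`, keep a single validity call, and if the two error codes matter, pick between them by comparing thisupd against a skew-adjusted time (this assumes `time()` and `X509_cmp_time()` are usable in this file, which the hunk does not show). process_ocsp_response begins and ends outside this hunk.
```c
    i = OCSP_single_get0_status(ss, NULL, NULL, &thisupd, &nextupd);
    if (i < 0) {
        /* No single response matched certid, or its status was malformed. */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
        o = OCSP_STATUS_UNKNOWN;
        goto clean_certid;
    }
    /* maxsec -1: no age limit on thisUpdate. A thisUpdate in the future or a
     * nextUpdate in the past is rejected, each with OCSP_MAX_SKEW seconds of
     * leeway, as is a nextUpdate that precedes thisUpdate. */
    if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, -1) <= 0) {
        time_t latest_valid_thisupd = time(NULL) + OCSP_MAX_SKEW;
        if (X509_cmp_time(thisupd, &latest_valid_thisupd) > 0)
            X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_NOT_YET_VALID);
        else
            X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_HAS_EXPIRED);
        o = OCSP_STATUS_UNKNOWN;
        goto clean_certid;
    }
    /* … unchanged: map i to OCSP_STATUS_* … */
```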
