This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit bf52d7e835e4c0cb6120ddb8fd2fe46169bb99b2
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 15:49:06 2025 +0000

    Add the ability to control the OCSP verification flags.
---
 native/include/ssl_private.h      |  2 ++
 native/src/sslconf.c              | 25 ++++++++++++++++++++++++-
 native/src/sslutils.c             | 19 ++++++++++---------
 xdocs/miscellaneous/changelog.xml |  3 +++
 4 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 8a46ba046..25390d79f 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -313,6 +313,7 @@ struct tcn_ssl_ctxt_t {
     int             no_ocsp_check;
     int             ocsp_soft_fail;
     int             ocsp_timeout;
+    int             ocsp_verify_flags;
 };
 
 #ifdef HAVE_SSL_CONF_CMD
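Review bot: The new `ocsp_verify_flags` member is added to tcn_ssl_ctxt_t here (and to tcn_ssl_conf_ctxt_t in the next hunk) without a comment saying what it holds, and no initialization of it is visible in this commit; if the contexts are allocated zeroed (apr_pcalloc or memset) the default is 0, which is the value OCSP_basic_verify() was given before, otherwise the field is indeterminate until OCSP_VERIFY_FLAGS is configured — worth confirming at the allocation site. A one-line comment on both declarations would make the contract clear, e.g. `int             ocsp_verify_flags; /* passed unchanged as the flags argument of OCSP_basic_verify(); 0 = default verification */`.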
@@ -324,6 +325,7 @@ struct tcn_ssl_conf_ctxt_t {
     int             no_ocsp_check;
     int             ocsp_soft_fail;
     int             ocsp_timeout;
+    int             ocsp_verify_flags;
 };
 #endif
 
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index f5b5e5e82..f7fe24c33 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -188,6 +188,18 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, 
jlong cctx,
         return 1;
     }
 
+    if (!strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
+        int i;
+        errno = 0;
+        i = (int) strtol(J2S(value), NULL, 10);
+        if (!errno) {
+            c->ocsp_verify_flags = i;
+        }
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
+
     SSL_ERR_clear();
     value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
     ec = SSL_ERR_get();
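Review bot: The new OCSP_VERIFY_FLAGS branch in check() accepts any string: strtol() is called with a NULL endptr, so a value such as `abc` or `12x` parses to 0 or 12 without setting errno and the command is reported as valid (return 1), and on ERANGE the field is left untouched yet 1 is still returned. For a check routine the malformed value should be rejected, and since the same parse is duplicated verbatim in the apply() hunk below (lines 77–87) a small static helper that validates the whole string would serve both sites; the `(int)` cast also silently truncates a long, which a range check before the cast avoids (INT_MIN/INT_MAX need `<limits.h>` if the file does not already include it). check() starts and ends outside the hunk, so the failure value its other branches return is not visible; the fence uses 0 as a placeholder to confirm.

```c
/* Parse an OCSP_VERIFY_FLAGS value; returns 0 and leaves *out untouched on malformed input. */
static int parse_ocsp_verify_flags(const char *s, int *out)
{
    char *end = NULL;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX) {
        return 0;
    }
    *out = (int) v;
    return 1;
}

    /* … unchanged: preceding check() branches … */
    if (!strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
        int parsed = parse_ocsp_verify_flags(J2S(value), &c->ocsp_verify_flags);
        TCN_FREE_CSTRING(cmd);
        TCN_FREE_CSTRING(value);
        return parsed ? 1 : 0; /* TODO confirm the failure value check() returns elsewhere */
    }
```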
@@ -244,7 +256,7 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, 
jlong cctx,
     sc->no_ocsp_check = c->no_ocsp_check;
     sc->ocsp_soft_fail = c->ocsp_soft_fail;
     sc->ocsp_timeout = c->ocsp_timeout;
-    // TODO verify
+    sc->ocsp_verify_flags = c->ocsp_verify_flags;
 }
 
 /* Apply a command to an SSL_CONF context */
@@ -314,6 +326,17 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, 
jlong cctx,
         TCN_FREE_CSTRING(value);
         return 1;
     }
+    if (!strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
+        int i;
+        errno = 0;
+        i = (int) strtol(J2S(value), NULL, 10);
+        if (!errno) {
+            c->ocsp_verify_flags = i;
+        }
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
     SSL_ERR_clear();
     rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
     ec = SSL_ERR_get();
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 0b34f2627..171383006 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -34,8 +34,8 @@ extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
 #define ASN1_SEQUENCE 0x30
 #define ASN1_OID      0x06
 #define ASN1_STRING   0x86
-static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout);
-static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int 
timeout);
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout, int verifyFlags);
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int 
timeout, int verifyFlags);
 #endif
 
 /*  _________________________________________________________________
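Review bot: The new parameter is named `verifyFlags` in camelCase while the surrounding code in this file and the rest of the commit uses snake_case (`ocsp_verify_flags`, `ocsp_timeout`, `timeout`); renaming it `verify_flags` in both prototypes here and in the definitions and calls at lines 132, 141, 151, 173 and 184 keeps the naming uniform. The prototype for ssl_verify_OCSP() could also note that the value is forwarded unchanged to OCSP_basic_verify(), which is what a reader of the header-like block at the top of the file needs.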
@@ -326,6 +326,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
     int ocsp_check_type   = con->ctx->no_ocsp_check;
     int ocsp_soft_fail    = con->ctx->ocsp_soft_fail;
     int ocsp_timeout      = con->ctx->ocsp_timeout;
+    int ocsp_verify_flags = con->ctx->ocsp_verify_flags;
 
 #if defined(SSL_OP_NO_TLSv1_3)
     con->pha_state = PHA_COMPLETE;
@@ -371,7 +372,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
                 ok = 0;
             }
             else {
-                int ocsp_response = ssl_verify_OCSP(ctx, ocsp_timeout);
+                int ocsp_response = ssl_verify_OCSP(ctx, ocsp_timeout, 
ocsp_verify_flags);
                 if (ocsp_response == OCSP_STATUS_REVOKED) {
                     ok = 0 ;
                     errnum = X509_STORE_CTX_get_error(ctx);
@@ -514,7 +515,7 @@ int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned 
char **out, unsigned
 #ifdef HAVE_OCSP
 
 /* Function that is used to do the OCSP verification */
-static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout)
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout, int verifyFlags)
 {
     X509 *cert, *issuer;
     int r = OCSP_STATUS_UNKNOWN;
@@ -539,7 +540,7 @@ static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout)
     /* if we can't get the issuer, we cannot perform OCSP verification */
     issuer = X509_STORE_CTX_get0_current_issuer(ctx);
     if (issuer != NULL) {
-        r = ssl_ocsp_request(cert, issuer, ctx, timeout);
+        r = ssl_ocsp_request(cert, issuer, ctx, timeout, verifyFlags);
         switch (r) {
         case OCSP_STATUS_OK:
             X509_STORE_CTX_set_error(ctx, X509_V_OK);
@@ -1034,7 +1035,7 @@ end:
    answer according to the status.
 */
 static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE 
*ocsp_resp, X509 *cert, X509 *issuer,
-        X509_STORE_CTX *ctx)
+        X509_STORE_CTX *ctx, int verifyFlags)
 {
     int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
     OCSP_BASICRESP *bs;
@@ -1058,7 +1059,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, 
OCSP_RESPONSE *ocsp_res
     }
 
     certStack = OCSP_resp_get0_certs(bs);
-    if (OCSP_basic_verify(bs, certStack, X509_STORE_CTX_get0_store(ctx), 0) <= 
0) {
+    if (OCSP_basic_verify(bs, certStack, X509_STORE_CTX_get0_store(ctx), 
verifyFlags) <= 0) {
         X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_SIGNATURE_FAILURE);
         o = OCSP_STATUS_UNKNOWN;
         goto clean_bs;
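Review bot: verifyFlags is passed straight into OCSP_basic_verify(), whose flags parameter is `unsigned long`, so the configured int is implicitly converted; a negative value becomes a huge unsigned long with every flag bit set, and because nothing masks the value a configuration can, by intent or by typo, include bits such as OCSP_NOVERIFY or OCSP_NOSIGS that skip the response signature check this error branch is meant to enforce. Rejecting negative values here, `if (verifyFlags < 0) { X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_SIGNATURE_FAILURE); o = OCSP_STATUS_UNKNOWN; goto clean_bs; }`, or better, validating the value once where it is parsed in sslconf.c, would close that, and a comment on the call should state that the accepted flag set is the OpenSSL OCSP_* set and that the verification-disabling flags are deliberately left to the operator. process_ocsp_response() starts and ends outside this hunk.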
@@ -1098,7 +1099,7 @@ clean_bs:
     return o;
 }
 
-static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int 
timeout)
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int 
timeout, int verifyFlags)
 {
     char **ocsp_urls = NULL;
     int nid;
@@ -1129,7 +1130,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, 
X509_STORE_CTX *ctx, int t
         if (req != NULL) {
             resp = get_ocsp_response(p, ocsp_urls[0], req, timeout);
             if (resp != NULL) {
-                rv = process_ocsp_response(req, resp, cert, issuer, ctx);
+                rv = process_ocsp_response(req, resp, cert, issuer, ctx, 
verifyFlags);
             } else {
                 /* Unable to send request / receive response. */
                 X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 8ba5607ae..4d114b497 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -68,6 +68,9 @@
       Add a configurable timeout to the writing of OCSP requests and reading of
       OCSP responses. (markt)
     </add>
+    <add>
+      Add the ability to control the OCSP verification flags. (markt)
+    </add>
   </changelog>
 </section>
 <section name="Changes in 1.3.1">

