This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 1.3.x in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 48251c33542f928ceb03f16655abf12e1d3341ed Author: Mark Thomas <[email protected]> AuthorDate: Thu Dec 11 08:44:11 2025 +0000 Add nonce checks to OCSP lookups --- native/src/sslutils.c | 15 +++++++++++++-- xdocs/miscellaneous/changelog.xml | 4 ++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/native/src/sslutils.c b/native/src/sslutils.c index da4547bc9..7c2740bbe 100644 --- a/native/src/sslutils.c +++ b/native/src/sslutils.c @@ -970,6 +970,9 @@ static OCSP_REQUEST *get_ocsp_request(X509 *cert, X509 *issuer) return NULL; } + // Add a nonce to protect against replay attacks + OCSP_request_add1_nonce(ocsp_req, NULL, -1); + return ocsp_req; } @@ -1026,7 +1029,8 @@ end: /* Process the OCSP_RESPONSE and returns the corresponding answer according to the status. */ -static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer) +static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer, + X509_STORE_CTX *ctx) { int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i; OCSP_BASICRESP *bs; @@ -1038,7 +1042,13 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *iss if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) { return OCSP_STATUS_UNKNOWN; } + bs = OCSP_response_get1_basic(ocsp_resp); + if (OCSP_check_nonce(ocsp_req, bs) == 0) { + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID); + o = OCSP_STATUS_UNKNOWN; + goto clean_bs; + } certid = OCSP_cert_to_id(NULL, cert, issuer); if (certid == NULL) { @@ -1057,6 +1067,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *iss /* we clean up */ OCSP_CERTID_free(certid); +clean_bs: OCSP_BASICRESP_free(bs); return o; } 
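Review bot: The return value of `OCSP_request_add1_nonce()` in get_ocsp_request is discarded, so a failed nonce addition (allocation or RNG failure) silently sends a request without a nonce, and because process_ocsp_response only rejects `OCSP_check_nonce() == 0`, the reply is then accepted with no replay protection at all. Suggest `if (OCSP_request_add1_nonce(ocsp_req, NULL, -1) != 1) { OCSP_REQUEST_free(ocsp_req); return NULL; }` in place of the bare call. The comment `// Add a nonce to protect against replay attacks` would also be more accurate as `// Add a nonce; replay protection only holds when the responder echoes it (a response without a nonce is still accepted below)`, which matches the changelog's "if any". The rest of get_ocsp_request's body is outside the hunk.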
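Review bot: `bs` from `OCSP_response_get1_basic()` is handed to `OCSP_check_nonce()` in process_ocsp_response without a NULL check; that function returns NULL when the response carries no basic response body, and OCSP_check_nonce dereferences bs, so a malformed reply from the responder would crash the verify path rather than fail it. The existing OCSP_resp_find_status() call further down has the same exposure, so this predates the commit, but the nonce check is now the first use of bs. Add directly after the assignment: `if (bs == NULL) { X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID); return OCSP_STATUS_UNKNOWN; }`. I believe X509_V_ERR_OCSP_RESP_INVALID is newer than the other X509_V_ERR_* codes used in this file, so it is worth confirming it exists in the oldest OpenSSL this branch builds against.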
@@ -1092,7 +1103,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx) if (req != NULL) { resp = get_ocsp_response(p, ocsp_urls[0], req); if (resp != NULL) { - rv = process_ocsp_response(resp, cert, issuer); + rv = process_ocsp_response(req, resp, cert, issuer, ctx); } else { /* correct error code for application errors? */ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml index b6426b37d..6af9b4c56 100644 --- a/xdocs/miscellaneous/changelog.xml +++ b/xdocs/miscellaneous/changelog.xml @@ -52,6 +52,10 @@ The Windows binaries are now built with OCSP support enabled by default. (markt) </update> + <add> + Include a nonce with OCSP requests and check the nonce, if any, in the + OCSP response. (markt) + </add> </changelog> </section> <section name="Changes in 1.3.1"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
