ocspcheck effectively treats a missing nextUpdate as an error, i.e., it always emits a warning and no staple file is written out. According to RFC 6960, the nextUpdate field is optional. The following patch should handle this case more gracefully and emit a suitable debug message only when -vv is specified.

OK?

Index: src/usr.sbin/ocspcheck/ocspcheck.c
===================================================================
RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 ocspcheck.c
--- src/usr.sbin/ocspcheck/ocspcheck.c  8 May 2017 20:15:34 -0000       1.21
+++ src/usr.sbin/ocspcheck/ocspcheck.c  2 Sep 2017 17:09:00 -0000
@@ -368,7 +368,7 @@ validate_response(char *buf, size_t size
 {
        ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
        const unsigned char **p = (const unsigned char **)&buf;
-       int status, cert_status=0, crl_reason=0;
+       int status, cert_status=0, crl_reason=0, next_update=0;
        time_t now, rev_t = -1, this_t, next_t;
        OCSP_RESPONSE *resp;
        OCSP_BASICRESP *bresp;
@@ -447,12 +447,14 @@ validate_response(char *buf, size_t size
                return 0;
        }
        if ((next_t = parse_ocsp_time(nextupd)) == -1) {
-               warnx("unable to parse next update time in OCSP reply");
-               return 0;
+               if (verbose >= 2)
+ fprintf(stderr, "Optional timestamp for next update not included in OCSP reply\n");
        }
+       else
+               next_update = 1;        

        /* Don't allow this update to precede next update */
-       if (this_t >= next_t) {
+       if (next_update == 1 && this_t >= next_t) {
                warnx("Invalid OCSP reply: this update >= next update");
                return 0;
        }
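Review bot: The new branch treats every -1 from parse_ocsp_time() as "nextUpdate not included", but the warning it replaces shows that -1 also covers a nextUpdate that is present yet unparseable, so a malformed timestamp is now silently accepted and the validity-window checks further down are skipped for it. Absence should be detected on the pointer itself (nextupd == NULL, assuming the lookup that fills it leaves it NULL when the field is missing — not visible here) while a present value that fails to parse keeps the hard failure. While there, KNF puts the else on the closing brace (`} else`), and the added `next_update = 1;` line carries trailing whitespace. validate_response() starts before this hunk.
```c
	/* nextUpdate is OPTIONAL (RFC 6960): absence is fine, a present value must still parse */
	if (nextupd == NULL) {
		if (verbose >= 2)
			fprintf(stderr, "Optional timestamp for next update not included in OCSP reply\n");
	} else if ((next_t = parse_ocsp_time(nextupd)) == -1) {
		warnx("unable to parse next update time in OCSP reply");
		return 0;
	} else
		next_update = 1;
	/* ... unchanged: this update >= next update check ... */
```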
@@ -481,7 +483,7 @@ validate_response(char *buf, size_t size
        /*
         * Check that next update is still valid
         */
-       if (next_t < now - JITTER_SEC) {
+       if (next_update == 1 && next_t < now - JITTER_SEC) {
                warnx("Invalid OCSP reply: reply has expired (%s)",
                    ctime(&next_t));
                return 0;
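Review bot: Skipping the expiry check when nextUpdate is absent is correct per RFC 6960, but it also means the staple written out has no upper validity bound from the responder, and the existing comment "Check that next update is still valid" no longer explains the guarded case. A short comment would keep that visible to the next reader: `/* No nextUpdate: RFC 6960 says newer status info is always available, so there is no expiry to enforce here; freshness rests on the thisUpdate check alone */` — assuming the thisUpdate/now comparison lives just above this hunk, which is not shown. validate_response() continues outside the hunk on both sides.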
@@ -489,7 +491,8 @@ validate_response(char *buf, size_t size

        vspew("OCSP response validated from %s\n", host);
        vspew("       This Update: %s", ctime(&this_t));
-       vspew("       Next Update: %s", ctime(&next_t));
+       if (next_update == 1)
+               vspew("       Next Update: %s", ctime(&next_t));
        return 1;
 }
