Andreas, where are you seeing this as being a real issue - who is shipping out OCSP responses without a next update field?
On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt <o...@bartula.de> wrote: > ocspcheck effectively treats a missing nextUpdate like an error, i.e., it > always provides a warning and no staplefile is written out. According to > RFC 6960, the nextUpdate field is optional. The following patch should > handle this case more gracefully and include a suitable debug message only > in case -vv is specified. > > OK? >
> Index: src/usr.sbin/ocspcheck/ocspcheck.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 ocspcheck.c
> --- src/usr.sbin/ocspcheck/ocspcheck.c 8 May 2017 20:15:34 -0000 > 1.21
> +++ src/usr.sbin/ocspcheck/ocspcheck.c 2 Sep 2017 17:09:00 -0000
> @@ -368,7 +368,7 @@ validate_response(char *buf, size_t size
> {
> ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = > NULL;
> const unsigned char **p = (const unsigned char **)&buf;
> - int status, cert_status=0, crl_reason=0;
> + int status, cert_status=0, crl_reason=0, next_update=0;
> time_t now, rev_t = -1, this_t, next_t;
> OCSP_RESPONSE *resp;
> OCSP_BASICRESP *bresp;
> @@ -447,12 +447,14 @@ validate_response(char *buf, size_t size
> return 0;
> }
> if ((next_t = parse_ocsp_time(nextupd)) == -1) {
> - warnx("unable to parse next update time in OCSP reply");
> - return 0;
> + if (verbose >= 2)
> + fprintf(stderr, "Optional timestamp for next > update not included in OCSP reply\n");
> }
> + else
> + next_update = 1;
>
> /* Don't allow this update to precede next update */
> - if (this_t >= next_t) {
> + if (next_update == 1 && this_t >= next_t) {
> warnx("Invalid OCSP reply: this update >= next update");
> return 0;
> }
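Review bot: The rewritten `parse_ocsp_time(nextupd)` branch treats every -1 as "field not included", so a response whose nextUpdate is present but unparseable now passes validation with the expiry check in the later hunk skipped, where the old code rejected it. Test presence before parsing — `if (nextupd == NULL)` for the -vv message, otherwise keep the existing warnx and `return 0` on parse failure and set `next_update = 1` only after a successful parse — which assumes `nextupd` stays NULL when the single response carries no nextUpdate; the code that fills it is outside the hunk, as is the rest of validate_response. The `next_update == 1` guards in the two hunks that follow can stay as they are. As a style point, KNF writes `} else` on one line rather than `}` and `else` on separate lines, and the verbose path elsewhere in this function goes through `vspew`, so the bare `fprintf(stderr, …)` is worth a second look unless `vspew` prints at a lower verbosity level than -vv.
```c
	if (nextupd == NULL) {
		/* nextUpdate is OPTIONAL (RFC 6960); no expiry check is possible without it */
		if (verbose >= 2)
			fprintf(stderr, "Optional timestamp for next update not included in OCSP reply\n");
	} else if ((next_t = parse_ocsp_time(nextupd)) == -1) {
		/* present but malformed: keep rejecting, as before */
		warnx("unable to parse next update time in OCSP reply");
		return 0;
	} else
		next_update = 1;
	/* … unchanged: this update vs next update ordering check … */
```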
> @@ -481,7 +483,7 @@ validate_response(char *buf, size_t size
> /*
> * Check that next update is still valid
> */
> - if (next_t < now - JITTER_SEC) {
> + if (next_update == 1 && next_t < now - JITTER_SEC) {
> warnx("Invalid OCSP reply: reply has expired (%s)",
> ctime(&next_t));
> return 0;
> @@ -489,7 +491,8 @@ validate_response(char *buf, size_t size
>
> vspew("OCSP response validated from %s\n", host);
> vspew(" This Update: %s", ctime(&this_t));
> - vspew(" Next Update: %s", ctime(&next_t));
> + if (next_update == 1)
> + vspew(" Next Update: %s", ctime(&next_t));
> return 1;
> }
>
>