Merge branch 'ocsp-nonce'

This makes sure the nonce sent in an OCSP request is contained in the response (it also fixes parsing the nonce, which didn't matter so far as it was never used)
2019-12-06 09:53:26 +01:00 · 2019-12-06 09:53:26 +01:00 · dc1e02e1de
parent a43407df52 27756b081c
commit dc1e02e1de
5 changed files with 49 additions and 3 deletions
--- a/src/libstrongswan/credentials/certificates/ocsp_request.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_request.h
@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2019 Tobias Brunner
 * Copyright (C) 2008 Martin Willi
 * HSR Hochschule fuer Technik Rapperswil
 *
@ -34,6 +35,13 @@ struct ocsp_request_t {
 	 * Implements certificate_t interface
 	 */
 	certificate_t interface;
+
+	/**
+	 * Get the nonce sent in this OCSP request.
+	 *
+	 * @return					nonce in the request (internal data)
+	 */
+	chunk_t (*get_nonce)(ocsp_request_t *this);
 };

 #endif /** OCSP_REQUEST_H_ @}*/
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2019 Tobias Brunner
 * Copyright (C) 2008 Martin Willi
 * HSR Hochschule fuer Technik Rapperswil
 *
@ -54,6 +55,13 @@ struct ocsp_response_t {
 	 */
 	certificate_t certificate;

+	/**
+	 * Get the nonce received with this OCSP response.
+	 *
+	 * @return					nonce in the response (internal data)
+	 */
+	chunk_t (*get_nonce)(ocsp_response_t *this);
+
 	/**
 	 * Check the status of a certificate by this OCSP response.
 	 *
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@ -64,6 +64,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 								 certificate_t *issuer)
 {
 	certificate_t *request, *response;
+	ocsp_request_t *ocsp_request;
+	ocsp_response_t *ocsp_response;
 	chunk_t send, receive = chunk_empty;

 	/* TODO: requestor name, signature */
@ -83,7 +85,6 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 		request->destroy(request);
 		return NULL;
 	}
-	request->destroy(request);

 	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
 	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
@ -92,6 +93,7 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 							FETCH_END) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "ocsp request to %s failed", url);
+		request->destroy(request);
 		chunk_free(&receive);
 		chunk_free(&send);
 		return NULL;
@ -105,8 +107,19 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 	if (!response)
 	{
 		DBG1(DBG_CFG, "parsing ocsp response failed");
+		request->destroy(request);
 		return NULL;
 	}
+	ocsp_request = (ocsp_request_t*)request;
+	ocsp_response = (ocsp_response_t*)response;
+	if (!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
+							ocsp_response->get_nonce(ocsp_response)))
+	{
+		DBG1(DBG_CFG, "nonce in ocsp response doesn't match");
+		request->destroy(request);
+		return NULL;
+	}
+	request->destroy(request);
 	return response;
 }

--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2017-2019 Tobias Brunner
 * Copyright (C) 2008-2009 Martin Willi
 * Copyright (C) 2007-2014 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
@ -464,6 +465,12 @@ METHOD(certificate_t, destroy, void,
 	}
 }

+METHOD(ocsp_request_t, get_nonce, chunk_t,
+	private_x509_ocsp_request_t *this)
+{
+	return this->nonce;
+}
+
 /**
 * create an empty but initialized OCSP request
 */
@ -488,6 +495,7 @@ static private_x509_ocsp_request_t *create_empty()
 					.get_ref = _get_ref,
 					.destroy = _destroy,
 				},
+				.get_nonce = _get_nonce,
 			},
 		},
 		.candidates = linked_list_create(),
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2019 Tobias Brunner
 * Copyright (C) 2008-2009 Martin Willi
 * Copyright (C) 2007-2015 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
@ -271,6 +271,12 @@ METHOD(ocsp_response_t, create_response_enumerator, enumerator_t*,
 				filter, NULL, NULL);
 }

+METHOD(ocsp_response_t, get_nonce, chunk_t,
+	private_x509_ocsp_response_t *this)
+{
+	return this->nonce;
+}
+
 /**
 * ASN.1 definition of singleResponse
 */
@ -571,7 +577,9 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 				DBG2(DBG_ASN, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case BASIC_RESPONSE_EXT_VALUE:
-				if (extn_oid == OID_NONCE)
+				if (extn_oid == OID_NONCE &&
+					asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+										parser->get_level(parser)+1, "nonce"))
 				{
 					this->nonce = object;
 				}
@ -871,6 +879,7 @@ static x509_ocsp_response_t *load(chunk_t blob)
 					.get_ref = _get_ref,
 					.destroy = _destroy,
 				},
+				.get_nonce = _get_nonce,
 				.get_status = _get_status,
 				.create_cert_enumerator = _create_cert_enumerator,
 				.create_response_enumerator = _create_response_enumerator,