|
|
71e593 |
From 0606a40ed924f4c1793946365076b5d1277395a4 Mon Sep 17 00:00:00 2001
|
|
|
71e593 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
71e593 |
Date: Wed, 10 Oct 2018 15:37:16 +0200
|
|
|
71e593 |
Subject: [PATCH 51/57] p11_child: add OCSP check ot the OpenSSL version
|
|
|
71e593 |
|
|
|
71e593 |
Related to https://pagure.io/SSSD/sssd/issue/3489
|
|
|
71e593 |
|
|
|
71e593 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
71e593 |
(cherry picked from commit 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519)
|
|
|
71e593 |
---
|
|
|
71e593 |
src/man/sssd.conf.5.xml | 26 ++-
|
|
|
71e593 |
src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++
|
|
|
71e593 |
src/tests/cmocka/test_utils.c | 3 +
|
|
|
71e593 |
src/util/util.c | 2 +
|
|
|
71e593 |
4 files changed, 370 insertions(+), 7 deletions(-)
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
index c8d53f01f3eedea1e37f6593d02ce1eeaf11d2de..5e3ae48d04cc38ea54547a63c6c31795e12544c2 100644
|
|
|
71e593 |
--- a/src/man/sssd.conf.5.xml
|
|
|
71e593 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
@@ -479,8 +479,8 @@
|
|
|
71e593 |
be replaced with the URL of the OCSP
|
|
|
71e593 |
default responder e.g.
|
|
|
71e593 |
http://example.com:80/ocsp.</para>
|
|
|
71e593 |
- <para>This option must be used together
|
|
|
71e593 |
- with
|
|
|
71e593 |
+ <para>(NSS Version) This option must be
|
|
|
71e593 |
+ used together with
|
|
|
71e593 |
ocsp_default_responder_signing_cert.
|
|
|
71e593 |
</para>
|
|
|
71e593 |
</listitem>
|
|
|
71e593 |
@@ -489,17 +489,29 @@
|
|
|
71e593 |
<term>
|
|
|
71e593 |
ocsp_default_responder_signing_cert=NAME</term>
|
|
|
71e593 |
<listitem>
|
|
|
71e593 |
- <para>The nickname of the cert to trust
|
|
|
71e593 |
- (expected) to sign the OCSP responses.
|
|
|
71e593 |
- The certificate with the given nickname
|
|
|
71e593 |
- must be available in the systems NSS
|
|
|
71e593 |
- database.</para>
|
|
|
71e593 |
+ <para>(NSS Version) The nickname of the
|
|
|
71e593 |
+ cert to trust (expected) to sign the
|
|
|
71e593 |
+ OCSP responses. The certificate with
|
|
|
71e593 |
+ the given nickname must be available in
|
|
|
71e593 |
+ the systems NSS database.</para>
|
|
|
71e593 |
<para>This option must be used together
|
|
|
71e593 |
with ocsp_default_responder.</para>
|
|
|
71e593 |
+ <para>(OpenSSL version) This option is
|
|
|
71e593 |
+ currently ignored. All needed
|
|
|
71e593 |
+ certificates must be available in the
|
|
|
71e593 |
+ PEM file given by
|
|
|
71e593 |
+ pam_cert_db_path.</para>
|
|
|
71e593 |
</listitem>
|
|
|
71e593 |
</varlistentry>
|
|
|
71e593 |
</variablelist>
|
|
|
71e593 |
</para>
|
|
|
71e593 |
+ <para condition="with_nss">
|
|
|
71e593 |
+ This man page was generated for the NSS version.
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ <para condition="with_openssl">
|
|
|
71e593 |
+ This man page was generated for the OpenSSL
|
|
|
71e593 |
+ version.
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
<para>
|
|
|
71e593 |
Unknown options are reported but ignored.
|
|
|
71e593 |
</para>
|
|
|
71e593 |
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
|
71e593 |
index 000e1c94f11edc32abceafb39e98b16ca0664c50..d66a2f82becfa24eae867a2f3df3e23263a5273c 100644
|
|
|
71e593 |
--- a/src/p11_child/p11_child_openssl.c
|
|
|
71e593 |
+++ b/src/p11_child/p11_child_openssl.c
|
|
|
71e593 |
@@ -28,6 +28,7 @@
|
|
|
71e593 |
#include <openssl/x509.h>
|
|
|
71e593 |
#include <openssl/err.h>
|
|
|
71e593 |
#include <openssl/rand.h>
|
|
|
71e593 |
+#include <openssl/ocsp.h>
|
|
|
71e593 |
#include <p11-kit/p11-kit.h>
|
|
|
71e593 |
#include <p11-kit/uri.h>
|
|
|
71e593 |
|
|
|
71e593 |
@@ -42,8 +43,344 @@ struct p11_ctx {
|
|
|
71e593 |
X509_STORE *x509_store;
|
|
|
71e593 |
const char *ca_db;
|
|
|
71e593 |
bool wait_for_card;
|
|
|
71e593 |
+ struct cert_verify_opts *cert_verify_opts;
|
|
|
71e593 |
};
|
|
|
71e593 |
|
|
|
71e593 |
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
|
|
|
71e593 |
+ const char *path,
|
|
|
71e593 |
+ OCSP_REQUEST *req, int req_timeout)
|
|
|
71e593 |
+{
|
|
|
71e593 |
+ int fd;
|
|
|
71e593 |
+ int rv;
|
|
|
71e593 |
+ OCSP_REQ_CTX *ctx = NULL;
|
|
|
71e593 |
+ OCSP_RESPONSE *rsp = NULL;
|
|
|
71e593 |
+ fd_set confds;
|
|
|
71e593 |
+ struct timeval tv;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (req_timeout != -1) {
|
|
|
71e593 |
+ BIO_set_nbio(cbio, 1);
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ rv = BIO_do_connect(cbio);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n");
|
|
|
71e593 |
+ return NULL;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (BIO_get_fd(cbio, &fd) < 0) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n");
|
|
|
71e593 |
+ goto err;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (req_timeout != -1 && rv <= 0) {
|
|
|
71e593 |
+ FD_ZERO(&confds);
|
|
|
71e593 |
+ FD_SET(fd, &confds);
|
|
|
71e593 |
+ tv.tv_usec = 0;
|
|
|
71e593 |
+ tv.tv_sec = req_timeout;
|
|
|
71e593 |
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv;;
|
|
|
71e593 |
+ if (rv == 0) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n");
|
|
|
71e593 |
+ return NULL;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
|
|
|
71e593 |
+ if (ctx == NULL) {
|
|
|
71e593 |
+ return NULL;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) {
|
|
|
71e593 |
+ goto err;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
|
|
|
71e593 |
+ goto err;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ for (;;) {
|
|
|
71e593 |
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
|
|
|
71e593 |
+ if (rv != -1)
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ if (req_timeout == -1)
|
|
|
71e593 |
+ continue;
|
|
|
71e593 |
+ FD_ZERO(&confds);
|
|
|
71e593 |
+ FD_SET(fd, &confds);
|
|
|
71e593 |
+ tv.tv_usec = 0;
|
|
|
71e593 |
+ tv.tv_sec = req_timeout;
|
|
|
71e593 |
+ if (BIO_should_read(cbio)) {
|
|
|
71e593 |
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv;;
|
|
|
71e593 |
+ } else if (BIO_should_write(cbio)) {
|
|
|
71e593 |
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv;;
|
|
|
71e593 |
+ } else {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n");
|
|
|
71e593 |
+ goto err;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ if (rv == 0) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n");
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ if (rv == -1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n");
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ err:
|
|
|
71e593 |
+ OCSP_REQ_CTX_free(ctx);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ return rsp;
|
|
|
71e593 |
+}
|
|
|
71e593 |
+
|
|
|
71e593 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
71e593 |
+#define TLS_client_method SSLv23_client_method
|
|
|
71e593 |
+#define X509_STORE_get0_objects(store) (store->objs)
|
|
|
71e593 |
+#define X509_OBJECT_get_type(object) (object->type)
|
|
|
71e593 |
+#define X509_OBJECT_get0_X509(object) (object->data.x509)
|
|
|
71e593 |
+#endif
|
|
|
71e593 |
+
|
|
|
71e593 |
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
|
|
|
71e593 |
+ const char *host, const char *path,
|
|
|
71e593 |
+ const char *port, int use_ssl,
|
|
|
71e593 |
+ int req_timeout)
|
|
|
71e593 |
+{
|
|
|
71e593 |
+ BIO *cbio = NULL;
|
|
|
71e593 |
+ SSL_CTX *ctx = NULL;
|
|
|
71e593 |
+ OCSP_RESPONSE *resp = NULL;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ cbio = BIO_new_connect(host);
|
|
|
71e593 |
+ if (cbio == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n");
|
|
|
71e593 |
+ goto end;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ if (port != NULL)
|
|
|
71e593 |
+ BIO_set_conn_port(cbio, port);
|
|
|
71e593 |
+ if (use_ssl == 1) {
|
|
|
71e593 |
+ BIO *sbio;
|
|
|
71e593 |
+ ctx = SSL_CTX_new(TLS_client_method());
|
|
|
71e593 |
+ if (ctx == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n");
|
|
|
71e593 |
+ goto end;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
|
|
|
71e593 |
+ sbio = BIO_new_ssl(ctx, 1);
|
|
|
71e593 |
+ cbio = BIO_push(sbio, cbio);
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ resp = query_responder(cbio, host, path, req, req_timeout);
|
|
|
71e593 |
+ if (resp == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n");
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ end:
|
|
|
71e593 |
+ BIO_free_all(cbio);
|
|
|
71e593 |
+ SSL_CTX_free(ctx);
|
|
|
71e593 |
+ return resp;
|
|
|
71e593 |
+}
|
|
|
71e593 |
+
|
|
|
71e593 |
+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
|
|
|
71e593 |
+{
|
|
|
71e593 |
+ OCSP_REQUEST *ocsp_req = NULL;
|
|
|
71e593 |
+ OCSP_RESPONSE *ocsp_resp = NULL;
|
|
|
71e593 |
+ OCSP_BASICRESP *ocsp_basic = NULL;
|
|
|
71e593 |
+ OCSP_CERTID *cid = NULL;
|
|
|
71e593 |
+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
|
|
|
71e593 |
+ char *url_str;
|
|
|
71e593 |
+ X509 *issuer = NULL;
|
|
|
71e593 |
+ int req_timeout = -1;
|
|
|
71e593 |
+ int status;
|
|
|
71e593 |
+ int ret = EIO;
|
|
|
71e593 |
+ int reason;
|
|
|
71e593 |
+ ASN1_GENERALIZEDTIME *revtime;
|
|
|
71e593 |
+ ASN1_GENERALIZEDTIME *thisupd;
|
|
|
71e593 |
+ ASN1_GENERALIZEDTIME *nextupd;
|
|
|
71e593 |
+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when
|
|
|
71e593 |
+ * checking the validity of the OCSP response */
|
|
|
71e593 |
+ char *host = NULL;
|
|
|
71e593 |
+ char *path = NULL;
|
|
|
71e593 |
+ char *port = NULL;
|
|
|
71e593 |
+ int use_ssl;
|
|
|
71e593 |
+ X509_NAME *issuer_name = NULL;
|
|
|
71e593 |
+ X509_OBJECT *x509_obj;
|
|
|
71e593 |
+ STACK_OF(X509_OBJECT) *store_objects;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ocsp_urls = X509_get1_ocsp(cert);
|
|
|
71e593 |
+ if (ocsp_urls == NULL
|
|
|
71e593 |
+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
71e593 |
+ "No OCSP URL in certificate and no default responder defined, "
|
|
|
71e593 |
+ "skipping OCSP check.\n");
|
|
|
71e593 |
+ return EOK;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) {
|
|
|
71e593 |
+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder;
|
|
|
71e593 |
+ } else {
|
|
|
71e593 |
+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
71e593 |
+ "Found more than 1 OCSP URLs, just using the first.\n");
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0);
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl);
|
|
|
71e593 |
+ if (ret != 1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n",
|
|
|
71e593 |
+ url_str);
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ issuer_name = X509_get_issuer_name(cert);
|
|
|
71e593 |
+ if (issuer_name == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, "
|
|
|
71e593 |
+ "cannot run OCSP check.\n");
|
|
|
71e593 |
+ ret = EINVAL;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store);
|
|
|
71e593 |
+ if (store_objects == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
71e593 |
+ "No objects found in certificate store, OCSP failed.\n");
|
|
|
71e593 |
+ ret = EINVAL;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509,
|
|
|
71e593 |
+ issuer_name);
|
|
|
71e593 |
+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ issuer = X509_OBJECT_get0_X509(x509_obj);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ocsp_req = OCSP_REQUEST_new();
|
|
|
71e593 |
+ if (ocsp_req == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n");
|
|
|
71e593 |
+ ret = ENOMEM;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
|
|
|
71e593 |
+ if (cid == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ OCSP_request_add1_nonce(ocsp_req, NULL, -1);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
|
|
|
71e593 |
+ req_timeout);
|
|
|
71e593 |
+ if (ocsp_resp == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ status = OCSP_response_status(ocsp_resp);
|
|
|
71e593 |
+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n",
|
|
|
71e593 |
+ status, OCSP_response_status_str(status));
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp);
|
|
|
71e593 |
+ if (ocsp_resp == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) {
|
|
|
71e593 |
+ case -1:
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might "
|
|
|
71e593 |
+ "indicate a replay attack or an OCSP responder which does not "
|
|
|
71e593 |
+ "support nonces. Accepting response.\n");
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ case 0:
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the "
|
|
|
71e593 |
+ "one used in the request.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ case 1:
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one "
|
|
|
71e593 |
+ "used in the request.\n");
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ case 2:
|
|
|
71e593 |
+ case 3:
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should"
|
|
|
71e593 |
+ "never happen.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ break;
|
|
|
71e593 |
+ default:
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n");
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
|
|
|
71e593 |
+ if (status != 1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP "
|
|
|
71e593 |
+ "response.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason,
|
|
|
71e593 |
+ &revtime, &thisupd, &nextupd);
|
|
|
71e593 |
+ if (ret != 1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of "
|
|
|
71e593 |
+ "our certificate.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n",
|
|
|
71e593 |
+ status, OCSP_cert_status_str(status));
|
|
|
71e593 |
+ if (status == V_OCSP_CERTSTATUS_REVOKED) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n",
|
|
|
71e593 |
+ reason, OCSP_crl_reason_str(reason));
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n");
|
|
|
71e593 |
+ ret = EIO;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n");
|
|
|
71e593 |
+ ret = EOK;
|
|
|
71e593 |
+
|
|
|
71e593 |
+done:
|
|
|
71e593 |
+ OCSP_BASICRESP_free(ocsp_basic);
|
|
|
71e593 |
+ OCSP_RESPONSE_free(ocsp_resp);
|
|
|
71e593 |
+ OCSP_REQUEST_free(ocsp_req);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ OPENSSL_free(host);
|
|
|
71e593 |
+ OPENSSL_free(port);
|
|
|
71e593 |
+ OPENSSL_free(path);
|
|
|
71e593 |
+ X509_email_free(ocsp_urls);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ return ret;
|
|
|
71e593 |
+}
|
|
|
71e593 |
|
|
|
71e593 |
static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
|
|
71e593 |
CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
|
|
|
71e593 |
@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
p11_ctx->x509_store = store;
|
|
|
71e593 |
+ p11_ctx->cert_verify_opts = cert_verify_opts;
|
|
|
71e593 |
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
|
|
|
71e593 |
|
|
|
71e593 |
ret = EOK;
|
|
|
71e593 |
@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert)
|
|
|
71e593 |
goto done;
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
+ if (p11_ctx->cert_verify_opts->do_ocsp) {
|
|
|
71e593 |
+ ret = do_ocsp(p11_ctx, cert);
|
|
|
71e593 |
+ if (ret != EOK) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n");
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
res = true;
|
|
|
71e593 |
|
|
|
71e593 |
done:
|
|
|
71e593 |
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
|
|
71e593 |
index 1a8699a2a87d57ab43c70ceebf9bc71da4def4d4..c86e526e8299122c1c613c8459d3df0d9e4fc878 100644
|
|
|
71e593 |
--- a/src/tests/cmocka/test_utils.c
|
|
|
71e593 |
+++ b/src/tests/cmocka/test_utils.c
|
|
|
71e593 |
@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state)
|
|
|
71e593 |
&cv_opts);
|
|
|
71e593 |
assert_int_equal(ret, EINVAL);
|
|
|
71e593 |
|
|
|
71e593 |
+/* Only NSS requires that both are set */
|
|
|
71e593 |
+#ifdef HAVE_NSS
|
|
|
71e593 |
ret = parse_cert_verify_opts(global_talloc_context,
|
|
|
71e593 |
"ocsp_default_responder=abc", &cv_opts);
|
|
|
71e593 |
assert_int_equal(ret, EINVAL);
|
|
|
71e593 |
@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
|
71e593 |
"ocsp_default_responder_signing_cert=def",
|
|
|
71e593 |
&cv_opts);
|
|
|
71e593 |
assert_int_equal(ret, EINVAL);
|
|
|
71e593 |
+#endif
|
|
|
71e593 |
|
|
|
71e593 |
ret = parse_cert_verify_opts(global_talloc_context,
|
|
|
71e593 |
"ocsp_default_responder=abc,"
|
|
|
71e593 |
diff --git a/src/util/util.c b/src/util/util.c
|
|
|
71e593 |
index 53dd9a13ab8597b1fec61f10d641c14bf1cedd29..7f475fa9b5f5ddd69e80d5639380824cef82562c 100644
|
|
|
71e593 |
--- a/src/util/util.c
|
|
|
71e593 |
+++ b/src/util/util.c
|
|
|
71e593 |
@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
|
71e593 |
}
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
+#ifdef HAVE_NSS
|
|
|
71e593 |
if ((cert_verify_opts->ocsp_default_responder == NULL
|
|
|
71e593 |
&& cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
|
|
|
71e593 |
|| (cert_verify_opts->ocsp_default_responder != NULL
|
|
|
71e593 |
@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
|
71e593 |
ret = EINVAL;
|
|
|
71e593 |
goto done;
|
|
|
71e593 |
}
|
|
|
71e593 |
+#endif
|
|
|
71e593 |
|
|
|
71e593 |
ret = EOK;
|
|
|
71e593 |
|
|
|
71e593 |
--
|
|
|
71e593 |
2.14.4
|
|
|
71e593 |
|