
Commit ca0f888

committed
Add nonce checks to OCSP lookups
1 parent 4b2ea38 commit ca0f888


2 files changed

+17
-2
lines changed


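--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -950,6 +950,9 @@ static OCSP_REQUEST *get_ocsp_request(X509 *cert, X509 *issuer)
 return NULL;
 }
 
+// Add a nonce to protect against replay attacks
+OCSP_request_add1_nonce(ocsp_req, NULL, -1);
+
 return ocsp_req;
 }
 
@@ -1006,7 +1009,8 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, char *url, OCSP_REQUEST *
 /* Process the OCSP_RESPONSE and returns the corresponding
 answer according to the status.
 */
-static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer)
+static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer,
+X509_STORE_CTX *ctx)
 {
 int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
 OCSP_BASICRESP *bs;
@@ -1018,7 +1022,13 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *iss
 if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
 return OCSP_STATUS_UNKNOWN;
 }
+
 bs = OCSP_response_get1_basic(ocsp_resp);
+if (OCSP_check_nonce(ocsp_req, bs) == 0) {
+X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
+o = OCSP_STATUS_UNKNOWN;
+goto clean_bs;
+}
 
 certid = OCSP_cert_to_id(NULL, cert, issuer);
 if (certid == NULL) {
@@ -1037,6 +1047,7 @@ static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *iss
 
 /* we clean up */
 OCSP_CERTID_free(certid);
+clean_bs:
 OCSP_BASICRESP_free(bs);
 return o;
 }
@@ -1072,7 +1083,7 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
 if (req != NULL) {
 resp = get_ocsp_response(p, ocsp_urls[0], req);
 if (resp != NULL) {
-rv = process_ocsp_response(resp, cert, issuer);
+rv = process_ocsp_response(req, resp, cert, issuer, ctx);
 } else {
 /* correct error code for application errors? */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);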
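Review bot: In the new check in process_ocsp_response, `bs` is handed to `OCSP_check_nonce()` immediately after `OCSP_response_get1_basic()` with no NULL test, and that call returns NULL when the response carries no basic response or fails to parse, so a malformed reply from the responder (or anyone on the path to it) now dereferences NULL at a point where the original code had not yet touched `bs`; a guard between the two calls can return directly, since nothing has been allocated yet. Separately, `OCSP_check_nonce(...) == 0` rejects only a nonce that is present and different; a response that simply omits the nonce (return value -1) still passes, which matches the changelog's "if any" wording but means the `// Add a nonce to protect against replay attacks` comment in get_ocsp_request overstates what is enforced — I would reword it to `// Add a nonce; process_ocsp_response() rejects a mismatching nonce, but a response without one is still accepted`. Unless the lines between the certid lookup and the cleanup, which fall outside this hunk, call OCSP_basic_verify(), the nonce also gives no protection against a forged response, since a forger can echo it. The body of process_ocsp_response continues outside the shown hunks.
```c
    bs = OCSP_response_get1_basic(ocsp_resp);
    if (bs == NULL) {
        /* no basic response to check: treat as an invalid response */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
        return OCSP_STATUS_UNKNOWN;
    }
    /* … unchanged: OCSP_check_nonce() test, certid lookup … */
```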

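--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -37,6 +37,10 @@
 The Windows binaries are now built with OCSP support enabled by default.
 (markt)
 </update>
+<add>
+Include a nonce with OCSP requests and check the nonce, if any, in the
+OCSP response. (markt)
+</add>
 </changelog>
 </section>
 <section name="Changes in 2.0.9">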
