/src/gnutls/lib/ocsp-api.c
1 | | /* |
2 | | * Copyright (C) 2012-2017 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2017 Red Hat, Inc. |
4 | | * |
5 | | * Author: Simon Josefsson, Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | /* |
25 | | * Status Request (OCSP) API. |
26 | | */ |
27 | | |
28 | | #include "gnutls_int.h" |
29 | | #include "errors.h" |
30 | | #include "auth.h" |
31 | | #include "auth/cert.h" |
32 | | #include "handshake.h" |
33 | | #include <minmax.h> |
34 | | |
35 | | #ifdef ENABLE_OCSP |
36 | | |
37 | | #include <gnutls/ocsp.h> |
38 | | #include "x509/ocsp.h" |
39 | | |
/**
 * gnutls_ocsp_status_request_get:
 * @session: is a #gnutls_session_t type.
 * @response: a #gnutls_datum_t with DER encoded OCSP response
 *
 * This function returns the OCSP status response received from the
 * TLS server for the peer's first certificate (index 0 in the order
 * returned by gnutls_certificate_get_peers()). It is a convenience
 * wrapper around gnutls_ocsp_status_request_get2(). The @response
 * aliases session-owned memory and should be treated as constant.
 * If no OCSP response is available then
 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
 * otherwise a negative error code is returned.
 *
 * Since: 3.1.3
 **/
int gnutls_ocsp_status_request_get(gnutls_session_t session,
				   gnutls_datum_t *response)
{
	/* Index 0 is the peer's first certificate. */
	const unsigned first_cert = 0;

	return gnutls_ocsp_status_request_get2(session, first_cert, response);
}
60 | | |
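/**
 * gnutls_ocsp_status_request_get2:
 * @session: is a #gnutls_session_t type.
 * @idx: the index of peer's certificate
 * @response: a #gnutls_datum_t with DER encoded OCSP response
 *
 * This function returns the OCSP status response received
 * from the TLS server for the certificate index provided.
 * The index corresponds to certificates as returned by
 * gnutls_certificate_get_peers. When index is zero this
 * function operates identically to gnutls_ocsp_status_request_get().
 *
 * The returned @response aliases memory owned by the session (no copy
 * is made) and should be treated as constant. If no OCSP response is
 * available for the given index, if @idx is out of range, or if no
 * protocol version has been negotiated yet (no completed handshake),
 * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
 *
 * Prior to TLS 1.3 only the server sends status responses, so on the
 * server side this function returns
 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE unless TLS 1.3 semantics are
 * in effect.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
 * otherwise a negative error code is returned.
 *
 * Since: 3.6.3
 **/
int gnutls_ocsp_status_request_get2(gnutls_session_t session, unsigned idx,
				    gnutls_datum_t *response)
{
	const version_entry_st *ver = get_version(session);
	cert_auth_info_t info =
		_gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);

	/* The negotiated version may not be set yet (e.g. the API is called
	 * before the handshake completed); in that state no response can
	 * have been received, so report "not available" rather than
	 * dereferencing a NULL @ver below. */
	if (ver == NULL)
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

	/* Before TLS 1.3 only the server can send a status response, so a
	 * server has nothing to return; under TLS 1.3 semantics the client
	 * may send one too. */
	if (!ver->tls13_sem &&
	    session->security_parameters.entity == GNUTLS_SERVER)
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

	/* Bound @idx by the number of responses actually stored and treat
	 * an empty datum as "not available". */
	if (info == NULL || info->raw_ocsp_list == NULL || idx >= info->nocsp ||
	    info->raw_ocsp_list[idx].size == 0)
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

	/* Hand out a view of the stored data; ownership stays with the
	 * session. */
	response->data = info->raw_ocsp_list[idx].data;
	response->size = info->raw_ocsp_list[idx].size;

	return 0;
}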
103 | | |
/**
 * gnutls_certificate_set_ocsp_status_request_function:
 * @sc: is a #gnutls_certificate_credentials_t type.
 * @ocsp_func: function pointer to OCSP status request callback.
 * @ptr: opaque pointer passed to callback function
 *
 * This function is to be used by a server to register a callback that
 * handles OCSP status requests from the client. The callback is
 * invoked if the client supplied a status-request OCSP extension.
 * The callback function prototype is:
 *
 * typedef int (*gnutls_status_request_ocsp_func)
 *   (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
 *
 * The callback may return %GNUTLS_E_NO_CERTIFICATE_STATUS if there is
 * no recent OCSP response. If it returns %GNUTLS_E_SUCCESS, it is
 * expected to have set @ocsp_response to a valid (DER-encoded) OCSP
 * response. The response must be allocated using gnutls_malloc(), and
 * will be deinitialized by the caller.
 *
 * A per-certificate callback can be registered instead with
 * gnutls_certificate_set_ocsp_status_request_function2().
 *
 * Since: 3.1.3
 **/
void gnutls_certificate_set_ocsp_status_request_function(
	gnutls_certificate_credentials_t sc,
	gnutls_status_request_ocsp_func ocsp_func, void *ptr)
{
	/* Store the credential-wide callback and its opaque argument as
	 * given; nothing is validated here (a NULL @ocsp_func is stored
	 * as such). */
	sc->glob_ocsp_func_ptr = ptr;
	sc->glob_ocsp_func = ocsp_func;
}
137 | | |
/**
 * gnutls_certificate_set_ocsp_status_request_function2:
 * @sc: is a #gnutls_certificate_credentials_t type.
 * @idx: is a certificate index as returned by gnutls_certificate_set_key() and friends
 * @ocsp_func: function pointer to OCSP status request callback.
 * @ptr: opaque pointer passed to callback function
 *
 * This function is to be used by a server to register a callback that
 * provides OCSP status responses for the certificate chain at index
 * @idx. The callback is invoked if the client supplied a
 * status-request OCSP extension.
 *
 * The callback function prototype is:
 *
 * typedef int (*gnutls_status_request_ocsp_func)
 *   (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
 *
 * The callback may return %GNUTLS_E_NO_CERTIFICATE_STATUS if there is
 * no recent OCSP response. If it returns %GNUTLS_E_SUCCESS, it is
 * expected to have set @ocsp_response to a valid (DER-encoded) OCSP
 * response. The response must be allocated using gnutls_malloc(), and
 * will be deinitialized by the caller.
 *
 * Note: the ability to set multiple OCSP responses per credential
 * structure via the index @idx was added in version 3.5.6. To keep
 * backwards compatibility, it requires using gnutls_certificate_set_flags()
 * with the %GNUTLS_CERTIFICATE_API_V2 flag to make the set certificate
 * functions return an index usable by this function.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned; if @idx does
 * not name a loaded certificate chain,
 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
 *
 * Since: 3.5.5
 **/
int gnutls_certificate_set_ocsp_status_request_function2(
	gnutls_certificate_credentials_t sc, unsigned idx,
	gnutls_status_request_ocsp_func ocsp_func, void *ptr)
{
	/* @idx must name one of the chains already loaded into @sc. */
	if (idx < sc->ncerts) {
		sc->certs[idx].ocsp_func_ptr = ptr;
		sc->certs[idx].ocsp_func = ocsp_func;
		return 0;
	}

	return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
}
185 | | |
/* Return non-zero when the OCSP response @resp covers the certificate
 * held in @cert (decided by gnutls_ocsp_resp_check_crt() on the
 * response's first single-response). Any failure to import the
 * certificate, or to allocate, is reported as "no match". */
static unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp,
				   const gnutls_pcert_st *cert)
{
	gnutls_x509_crt_t crt = NULL;
	unsigned matches = 0;

	if (gnutls_x509_crt_init(&crt) < 0)
		return 0;

	/* The pcert carries the DER encoding; re-parse it into a crt
	 * object that the OCSP check API understands. */
	if (gnutls_x509_crt_import(crt, &cert->cert, GNUTLS_X509_FMT_DER) < 0) {
		gnutls_assert();
	} else if (gnutls_ocsp_resp_check_crt(resp, 0, crt) == 0) {
		matches = 1;
	}

	gnutls_x509_crt_deinit(crt);
	return matches;
}
214 | | |
/**
 * gnutls_certificate_set_ocsp_status_request_file:
 * @sc: is a credentials structure.
 * @response_file: a filename of the OCSP response
 * @idx: is a certificate index as returned by gnutls_certificate_set_key() and friends
 *
 * This function loads the provided DER-encoded OCSP response. It will be
 * sent to the client if it requests an OCSP certificate status for
 * the certificate chain specified by @idx.
 *
 * Note: the ability to set multiple OCSP responses per credential
 * structure via the index @idx was added in version 3.5.6. To keep
 * backwards compatibility, it requires using gnutls_certificate_set_flags()
 * with the %GNUTLS_CERTIFICATE_API_V2 flag to make the set certificate
 * functions return an index usable by this function.
 *
 * This function can be called multiple times since GnuTLS 3.6.3
 * when multiple responses which apply to the chain are available.
 * If the response provided does not match any certificates present
 * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
 * If the response is already expired at the time of loading the code
 * %GNUTLS_E_EXPIRED is returned.
 *
 * To revert to the previous behavior of this function, which stores the
 * data without returning these errors, set the flag
 * %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK in the certificate
 * credentials structure. In that case, only the end-certificate's OCSP
 * response can be set.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
 * otherwise a negative error code is returned.
 *
 * Since: 3.1.3
 **/
int gnutls_certificate_set_ocsp_status_request_file(
	gnutls_certificate_credentials_t sc, const char *response_file,
	unsigned idx)
{
	int loaded = gnutls_certificate_set_ocsp_status_request_file2(
		sc, response_file, idx, GNUTLS_X509_FMT_DER);

	/* file2() reports the number of responses loaded; this legacy
	 * entry point collapses any non-negative count to plain success. */
	return loaded < 0 ? loaded : 0;
}
262 | | |
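/* Attach the parsed OCSP response @resp (whose DER encoding is @der) to
 * the certificate of chain @idx that it covers.
 *
 * At most two passes are made over the chain: the first only considers
 * slots that hold no response yet, so that loading several responses
 * for one chain fills distinct slots; if nothing matched, the second
 * pass considers every slot, allowing a previously loaded response to
 * be replaced.
 *
 * Returns 0 on success, which includes the case where
 * _gnutls_ocsp_get_validity() reports the response as too old
 * ((time_t)-2): it is then logged and ignored without being stored,
 * yet the caller still counts it as loaded. Returns %GNUTLS_E_EXPIRED
 * if the matching response is already invalid ((time_t)-1),
 * %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS if it matches no certificate in
 * the chain, or another negative error code on allocation failure.
 */
static int append_response(gnutls_certificate_credentials_t sc, unsigned idx,
			   gnutls_ocsp_resp_t resp, const gnutls_datum_t *der)
{
	int ret;
	unsigned i, pass;
	unsigned nslots =
		MIN(sc->certs[idx].cert_list_length, MAX_OCSP_RESPONSES);
	time_t t;

	for (pass = 0; pass < 2; pass++) {
		/* pass 0: skip slots that already hold a response;
		 * pass 1: consider every slot. */
		const unsigned allow_replace = (pass == 1);

		for (i = 0; i < nslots; i++) {
			if (!allow_replace &&
			    sc->certs[idx].ocsp_data[i].response.data)
				continue;

			if (!resp_matches_pcert(resp,
						&sc->certs[idx].cert_list[i]))
				continue;

			t = _gnutls_ocsp_get_validity(resp);
			/* already invalid */
			if (t == (time_t)-1) {
				_gnutls_debug_log(
					"the OCSP response associated with chain %u on pos %u, is invalid/expired\n",
					idx, i);
				return GNUTLS_E_EXPIRED;
			} else if (t == (time_t)-2) {
				_gnutls_debug_log(
					"the OCSP response associated with chain %u on pos %u, is too old (ignoring)\n",
					idx, i);
				return 0;
			}

			/* Any other non-positive validity is recorded as 0,
			 * i.e. "no known expiration". */
			sc->certs[idx].ocsp_data[i].exptime = (t >= 0) ? t : 0;

			_gnutls_debug_log(
				"associating OCSP response with chain %u on pos %u\n",
				idx, i);

			gnutls_free(sc->certs[idx].ocsp_data[i].response.data);

			ret = _gnutls_set_datum(
				&sc->certs[idx].ocsp_data[i].response,
				der->data, der->size);
			if (ret < 0) {
				gnutls_assert();
				/* Leave the slot in a clean "empty" state. */
				sc->certs[idx].ocsp_data[i].response.data = NULL;
				sc->certs[idx].ocsp_data[i].response.size = 0;
				return ret;
			}

			/* Keep the count covering the highest used slot. */
			if (sc->certs[idx].ocsp_data_length <= i)
				sc->certs[idx].ocsp_data_length = i + 1;

			return 0;
		}
	}

	return GNUTLS_E_OCSP_MISMATCH_WITH_CERTS;
}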
342 | | |
/**
 * gnutls_certificate_set_ocsp_status_request_file2:
 * @sc: is a credentials structure.
 * @response_file: a filename of the OCSP response
 * @idx: is a certificate index as returned by gnutls_certificate_set_key() and friends
 * @fmt: is PEM or DER
 *
 * This function loads the OCSP responses to be sent to the
 * peer for the certificate chain specified by @idx. When @fmt is
 * set to PEM, multiple responses can be loaded from the one file.
 *
 * This function must be called after setting any certificates, and
 * cannot be used for certificates that are provided via a callback --
 * that is when gnutls_certificate_set_retrieve_function() is used. In
 * that case consider using gnutls_certificate_set_retrieve_function3().
 *
 * This function can be called multiple times when multiple responses
 * applicable to the certificate chain are available.
 * If the response provided does not match any certificates present
 * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
 * If the response is already expired at the time of loading the code
 * %GNUTLS_E_EXPIRED is returned. Any failure to read @response_file is
 * reported as %GNUTLS_E_FILE_ERROR.
 *
 * Returns: On success, the number of loaded responses is returned,
 * otherwise a negative error code.
 *
 * Since: 3.1.3
 **/
int gnutls_certificate_set_ocsp_status_request_file2(
	gnutls_certificate_credentials_t sc, const char *response_file,
	unsigned idx, gnutls_x509_crt_fmt_t fmt)
{
	gnutls_datum_t contents = { NULL, 0 };
	int ret;

	/* Validate the chain index before touching the filesystem. */
	if (idx >= sc->ncerts)
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

	/* Read failures of any kind are reported uniformly. */
	if (gnutls_load_file(response_file, &contents) < 0)
		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);

	/* All parsing, matching and validity checks happen in the
	 * memory-based variant; it copies what it keeps. */
	ret = gnutls_certificate_set_ocsp_status_request_mem(sc, &contents,
							     idx, fmt);

	gnutls_free(contents.data);
	return ret;
}
390 | | |
/* PEM armor label used to base64-decode a single OCSP response, and the
 * corresponding BEGIN marker searched for when splitting a PEM buffer
 * that holds several responses back to back. */
#define PEM_OCSP_RESPONSE "OCSP RESPONSE"
#define FULL_PEM_OCSP_RESPONSE "-----BEGIN OCSP RESPONSE"
393 | | |
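/**
 * gnutls_certificate_set_ocsp_status_request_mem:
 * @sc: is a credentials structure.
 * @resp_data: a memory buffer holding an OCSP response
 * @idx: is a certificate index as returned by gnutls_certificate_set_key() and friends
 * @fmt: is PEM or DER
 *
 * This function sets the OCSP responses to be sent to the
 * peer for the certificate chain specified by @idx. When @fmt is set
 * to PEM, multiple responses can be loaded: the buffer is scanned for
 * every "-----BEGIN OCSP RESPONSE" armor and each one is decoded and
 * loaded in turn.
 *
 * Note: the ability to set multiple OCSP responses per credential
 * structure via the index @idx was added in version 3.5.6. To keep
 * backwards compatibility, it requires using gnutls_certificate_set_flags()
 * with the %GNUTLS_CERTIFICATE_API_V2 flag to make the set certificate
 * functions return an index usable by this function.
 *
 * This function must be called after setting any certificates, and
 * cannot be used for certificates that are provided via a callback --
 * that is when gnutls_certificate_set_retrieve_function() is used.
 *
 * This function can be called multiple times when multiple responses which
 * apply to the certificate chain are available. Each DER response is
 * parsed, matched against the certificates of the chain and checked for
 * validity. If the response provided does not match any certificates
 * present in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is
 * returned. If the response is already expired at the time of loading
 * the code %GNUTLS_E_EXPIRED is returned.
 *
 * When %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK is set on @sc and
 * @fmt is DER, those checks are bypassed: the data is stored as-is for
 * the first certificate of the chain, even if it cannot be parsed as an
 * OCSP response, and is sent to peers in that form. Only use the flag
 * with data from a trusted source.
 *
 * Returns: On success, the number of loaded responses is returned,
 * otherwise a negative error code.
 *
 * Since: 3.6.3
 **/
int gnutls_certificate_set_ocsp_status_request_mem(
	gnutls_certificate_credentials_t sc, const gnutls_datum_t *resp_data,
	unsigned idx, gnutls_x509_crt_fmt_t fmt)
{
	gnutls_datum_t der = { NULL, 0 };
	gnutls_ocsp_resp_t resp = NULL;
	int ret;
	unsigned int nresp = 0;

	ret = gnutls_ocsp_resp_init(&resp);
	if (ret < 0) {
		return gnutls_assert_val(ret);
	}

	if (fmt == GNUTLS_X509_FMT_PEM) {
		/* PEM: the buffer may hold several armored responses back
		 * to back. Walk it BEGIN marker by BEGIN marker, decode each
		 * one and load it through the DER path (recursively). */
		gnutls_datum_t p = { resp_data->data, resp_data->size };

		p.data = memmem(p.data, p.size, FULL_PEM_OCSP_RESPONSE,
				sizeof(FULL_PEM_OCSP_RESPONSE) - 1);
		if (p.data == NULL) {
			ret = gnutls_assert_val(
				GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
			goto cleanup;
		}

		/* Shrink the window to what follows the first marker;
		 * size is unsigned, so only an exact zero is "empty". */
		p.size -= p.data - resp_data->data;
		if (p.size == 0) {
			ret = gnutls_assert_val(
				GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
			goto cleanup;
		}

		do {
			ret = gnutls_pem_base64_decode2(PEM_OCSP_RESPONSE, &p,
							&der);
			if (ret < 0) {
				gnutls_assert();
				goto cleanup;
			}

			/* The DER path performs the validity and chain-match
			 * checks and takes its own copy of the data. */
			ret = gnutls_certificate_set_ocsp_status_request_mem(
				sc, &der, idx, GNUTLS_X509_FMT_DER);
			if (ret < 0) {
				gnutls_assert();
				goto cleanup;
			}
			nresp++;

			gnutls_free(der.data);
			der.data = NULL;
			der.size = 0;

			/* Step past the marker just consumed so the next
			 * search cannot find the same one again. */
			p.data++;
			p.size--;

			p.data = memmem(p.data, p.size, FULL_PEM_OCSP_RESPONSE,
					sizeof(FULL_PEM_OCSP_RESPONSE) - 1);
			if (p.data == NULL)
				break;
			p.size = resp_data->size - (p.data - resp_data->data);
		} while (p.size > 0);

		ret = nresp;
	} else {
		/* DER: load a single response */
		if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
			/* Legacy behaviour: store the blob in slot 0 without
			 * requiring it to parse, match the chain or be
			 * unexpired. Parsing is attempted only to record an
			 * expiration time for
			 * gnutls_certificate_get_ocsp_expiration(). */
			ret = gnutls_ocsp_resp_import2(resp, resp_data,
						       GNUTLS_X509_FMT_DER);
			if (ret >= 0) {
				time_t t = _gnutls_ocsp_get_validity(resp);

				sc->certs[idx].ocsp_data[0].exptime =
					(t > 0) ? t : 0;
			} else {
				/* Do not let a previously loaded response's
				 * expiry linger on data we could not parse. */
				sc->certs[idx].ocsp_data[0].exptime = 0;
			}

			/* quick load of first response */
			gnutls_free(sc->certs[idx].ocsp_data[0].response.data);

			ret = _gnutls_set_datum(
				&sc->certs[idx].ocsp_data[0].response,
				resp_data->data, resp_data->size);
			if (ret < 0) {
				gnutls_assert();
				/* Same clean "empty" state as the checked
				 * path leaves on failure. */
				sc->certs[idx].ocsp_data[0].response.data =
					NULL;
				sc->certs[idx].ocsp_data[0].response.size = 0;
				goto cleanup;
			}

			sc->certs[idx].ocsp_data_length = 1;
			/* One response stored; report it like the checked
			 * path does, per the documented return value. */
			ret = 1;
			goto cleanup;
		}

		ret = gnutls_ocsp_resp_import2(resp, resp_data,
					       GNUTLS_X509_FMT_DER);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		/* Match the response to a certificate of the chain, check
		 * its validity and store a copy in the matching slot. */
		ret = append_response(sc, idx, resp, resp_data);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		ret = 1;
	}
cleanup:
	gnutls_free(der.data);
	if (resp)
		gnutls_ocsp_resp_deinit(resp);

	return ret;
}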
538 | | |
/**
 * gnutls_certificate_get_ocsp_expiration:
 * @sc: is a credentials structure.
 * @idx: is a certificate chain index as returned by gnutls_certificate_set_key() and friends
 * @oidx: is an OCSP response index
 * @flags: should be zero (currently unused)
 *
 * This function returns the validity of the loaded OCSP responses,
 * to provide information on when to reload/refresh them.
 *
 * Note that the credentials structure should be read-only when in
 * use, thus when reloading, either the credentials structure must not
 * be in use by any sessions, or a new credentials structure should be
 * allocated for new sessions.
 *
 * When @oidx is (-1) then the minimum refresh time for all responses
 * is returned (0 if no loaded response has a known expiration).
 * Otherwise the index specifies the response corresponding to the
 * @oidx certificate in the certificate chain.
 *
 * Returns: On success, the expiration time of the OCSP response. Otherwise
 * (time_t)(-1) on error (no response loaded at that position), or
 * (time_t)-2 on out of bounds.
 *
 * Since: 3.6.3
 **/
time_t
gnutls_certificate_get_ocsp_expiration(gnutls_certificate_credentials_t sc,
				       unsigned idx, int oidx, unsigned flags)
{
	unsigned nslots, j;
	time_t earliest = 0;

	if (idx >= sc->ncerts)
		return (time_t)-2;

	if (oidx != -1) {
		/* Negative values other than -1 become huge once cast to
		 * unsigned and are rejected by the bound check too. */
		if (oidx >= MAX_OCSP_RESPONSES ||
		    (unsigned)oidx >= sc->certs[idx].cert_list_length)
			return (time_t)-2;

		if (sc->certs[idx].ocsp_data[oidx].response.data == NULL)
			return (time_t)-1;

		return sc->certs[idx].ocsp_data[oidx].exptime;
	}

	/* oidx == -1: earliest positive expiration among the slots of
	 * this chain; a slot with exptime 0 has no known expiration and
	 * does not lower the result once a positive value was seen. */
	nslots = MIN(sc->certs[idx].cert_list_length, MAX_OCSP_RESPONSES);
	for (j = 0; j < nslots; j++) {
		time_t e = sc->certs[idx].ocsp_data[j].exptime;

		if (earliest <= 0)
			earliest = e;
		else if (e > 0 && earliest >= e)
			earliest = e;
	}

	return earliest;
}
596 | | |
/**
 * gnutls_ocsp_status_request_is_checked:
 * @session: is a gnutls session
 * @flags: should be zero or %GNUTLS_OCSP_SR_IS_AVAIL
 *
 * When flags are zero this function returns non-zero if a valid OCSP status
 * response was included in the TLS handshake. That is, an OCSP status response
 * which is not too old, superseded or marks the certificate as revoked.
 * It returns zero otherwise.
 *
 * When the flag %GNUTLS_OCSP_SR_IS_AVAIL is specified, the function
 * returns non-zero if an OCSP status response was included in the handshake
 * even if it was invalid. Otherwise, if no OCSP status response was included,
 * it returns zero. The %GNUTLS_OCSP_SR_IS_AVAIL flag was introduced in GnuTLS 3.4.0.
 *
 * This is a helper function when needing to decide whether to perform an
 * explicit OCSP validity check on the peer's certificate. Should be called after
 * any of gnutls_certificate_verify_peers*() are called.
 *
 * This function is always usable on client side, but on server side only
 * under TLS 1.3, which is the first version of TLS that allows client-side OCSP
 * responses.
 *
 * Returns: Non-zero if the response was valid, or a zero if it wasn't sent,
 * or sent and was invalid.
 *
 * Since: 3.1.4
 **/
unsigned gnutls_ocsp_status_request_is_checked(gnutls_session_t session,
					       unsigned int flags)
{
	gnutls_datum_t stored;

	/* Default mode: report the verdict recorded during verification. */
	if (!(flags & GNUTLS_OCSP_SR_IS_AVAIL))
		return session->internals.ocsp_check_ok;

	/* Availability mode: any stored response counts, valid or not.
	 * Only the first (index 0) response is consulted. */
	if (gnutls_ocsp_status_request_get(session, &stored) < 0 ||
	    stored.data == NULL)
		return gnutls_assert_val(0);

	return 1;
}
642 | | |
643 | | #endif |