Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/12/03 12:51:15 UTC

svn commit: r600493 - /httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c

Author: jorton
Date: Mon Dec  3 03:51:14 2007
New Revision: 600493

URL: http://svn.apache.org/viewvc?rev=600493&view=rev
Log:
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Extract the
  validity period from the OCSP response and check it.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=600493&r1=600492&r2=600493&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Mon Dec  3 03:51:14 2007
@@ -184,9 +184,10 @@
     
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
         int reason = -1, status;
+        ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
 
         rc = OCSP_resp_find_status(basicResponse, certID, &status,
-                                   &reason, NULL, NULL, NULL);
+                                   &reason, NULL, &thisup, &nextup);
         if (rc != 1) {
             ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
             ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
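Review bot: `status` is still declared without an initializer at the top of this hunk, `int reason = -1, status;`, while the next hunk moves the "OCSP validation completed" log out of the `else` branch so it now runs even when OCSP_resp_find_status() returns something other than 1; on that path nothing is guaranteed to have written `status` before it is read for `level` and passed to the log call. Initialising it at the declaration, `int reason = -1, status = V_OCSP_CERTSTATUS_UNKNOWN;`, keeps that read defined and makes the failure case log as "unknown" instead of whatever happened to be on the stack. verify_ocsp_status() begins before this hunk, so the same fix could equally be applied wherever the variable is first declared.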
@@ -194,6 +195,27 @@
             rc = V_OCSP_CERTSTATUS_UNKNOWN;
         }
         else {
+            rc = status;
+        }
+
+        /* TODO: make these configurable. */
+#define MAX_SKEW (60)
+#define MAX_AGE (360)
+
+        /* Check whether the response is inside the defined validity
+         * period; otherwise fail.  */
+        if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
+            int vrc  = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
+            
+            if (vrc != 1) {
+                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+                ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+                                "OCSP response outside validity period");
+                rc = V_OCSP_CERTSTATUS_UNKNOWN;
+            }
+        }
+
+        {
             int level = 
                 (status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
             const char *result = 
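Review bot: When OCSP_check_validity() fails, `rc` is downgraded to V_OCSP_CERTSTATUS_UNKNOWN, but the completion log that follows still derives `level` (and, on the lines after this hunk, `result`) from `status`, so a response rejected for being outside its validity period is logged at APLOG_INFO as "good" immediately after the error line. Basing the level on the final verdict, `int level = (rc == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;`, keeps the two log lines consistent for anyone auditing the log for revocation problems. The `#define MAX_SKEW` / `#define MAX_AGE` inside the function body remain defined for the rest of the translation unit under very generic names; the TODO already says they should become configurable, but until then an `#undef` after the call or a `static const long` with an ssl_-style prefix would avoid the leak. Note also that the fourth argument of OCSP_check_validity() bounds how old thisUpdate may be, so a 360-second limit will, as far as I can tell, reject responses from responders that issue on longer cycles — worth confirming against real responders before this ships. The enclosing function starts before this hunk and the log block continues past it.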
@@ -204,7 +226,6 @@
                             "OCSP validation completed, "
                             "certificate status: %s (%d, %d)",
                             result, status, reason);
-            rc = status;
         }
     }