* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Extract the
authorJoe Orton <jorton@apache.org>
Mon, 3 Dec 2007 11:51:14 +0000 (11:51 +0000)
committerJoe Orton <jorton@apache.org>
Mon, 3 Dec 2007 11:51:14 +0000 (11:51 +0000)
  validity period from the OCSP response and check it.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600493 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_ocsp.c

index 042ad0341c109848c84b5d124c9bff4073a8dbbd..db4a967a98b166234be7ca979dd661072b335136 100644 (file)
@@ -184,9 +184,10 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
     
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
         int reason = -1, status;
+        ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
 
         rc = OCSP_resp_find_status(basicResponse, certID, &status,
-                                   &reason, NULL, NULL, NULL);
+                                   &reason, NULL, &thisup, &nextup);
         if (rc != 1) {
             ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
             ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
@@ -194,6 +195,27 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
             rc = V_OCSP_CERTSTATUS_UNKNOWN;
         }
         else {
+            rc = status;
+        }
+
+        /* TODO: make these configurable. */
+#define MAX_SKEW (60)
+#define MAX_AGE (360)
+
+        /* Check whether the response is inside the defined validity
+         * period; otherwise fail.  */
+        if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
+            int vrc  = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
+            
+            if (vrc != 1) {
+                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+                ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+                                "OCSP response outside validity period");
+                rc = V_OCSP_CERTSTATUS_UNKNOWN;
+            }
+        }
+
+        {
             int level = 
                 (status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
             const char *result = 
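Review bot: The block opened at `{` near the end of this hunk now reads `status` unconditionally (in the `level` ternary and in the "OCSP validation completed" log that follows), but `status` is declared without an initializer in the previous hunk (`int reason = -1, status;`) and OCSP_resp_find_status is not documented to store to `*status` when it fails, so the `rc != 1` path now reads an indeterminate value; before this change that block was the `else` branch and was only reached after a successful lookup. Initialising the declaration, `int reason = -1, status = V_OCSP_CERTSTATUS_UNKNOWN;`, closes that, and adding `status = V_OCSP_CERTSTATUS_UNKNOWN;` beside `rc = V_OCSP_CERTSTATUS_UNKNOWN;` in the validity-failure branch stops the completion line from reporting "good" at APLOG_INFO right after the response was rejected as outside its validity period. Separately, `MAX_AGE (360)` caps the age of thisUpdate at six minutes, which will reject responders that serve pre-generated responses cached for hours or days, so the TODO should say the limit must become configurable (a negative value disables the age check in OCSP_check_validity) and the two `#define`s should be `#undef`'d after use or moved to file scope rather than left live for the rest of the function. verify_ocsp_status begins before and ends after this hunk.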
@@ -204,7 +226,6 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
                             "OCSP validation completed, "
                             "certificate status: %s (%d, %d)",
                             result, status, reason);
-            rc = status;
         }
     }