From: Joe Orton
Date: Mon, 3 Dec 2007 11:51:14 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Extract the
X-Git-Tag: 2.3.0~1179
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=734ba05d421aab067a153a5112d904ad9ee75f86;p=apache
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Extract the
validity period from the OCSP response and check it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600493 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index 042ad0341c..db4a967a98 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -184,9 +184,10 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
         int reason = -1, status;
+        ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
         rc = OCSP_resp_find_status(basicResponse, certID, &status,
-                                   &reason, NULL, NULL, NULL);
+                                   &reason, NULL, &thisup, &nextup);
         if (rc != 1) {
             ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
             ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
@@ -194,6 +195,27 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
             rc = V_OCSP_CERTSTATUS_UNKNOWN;
         }
         else {
+            rc = status;
+        }
+
+        /* TODO: make these configurable. */
+#define MAX_SKEW (60)
+#define MAX_AGE (360)
+
+        /* Check whether the response is inside the defined validity
+         * period; otherwise fail. */
+        if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
+            int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
+
+            if (vrc != 1) {
+                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+                ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+                                "OCSP response outside validity period");
+                rc = V_OCSP_CERTSTATUS_UNKNOWN;
+            }
+        }
+
+        {
             int level = (status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
             const char *result = 
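Review bot: The logging block opened by the added `{` after the validity check now runs even when OCSP_resp_find_status() returned something other than 1, and on that path `status` (declared `int reason = -1, status;` in the first hunk) is never assigned, so the summary line in the third hunk reads an indeterminate value; before this change that block sat inside the `else` and was only reached after a successful lookup. Initialising it in the first hunk, `int reason = -1, status = V_OCSP_CERTSTATUS_UNKNOWN;`, closes that hole, and keying the level on the final verdict, `int level = (rc == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;`, stops a response that was just rejected as outside its validity period from being summarised at APLOG_INFO on the strength of the `status` it carried, leaving the rejection visible only in the separate error line. Separately, OCSP_check_validity()'s fourth argument rejects any response whose thisUpdate is more than that many seconds in the past, so `MAX_AGE (360)` will refuse legitimate pre-produced responses whose thisUpdate is hours old; confirm this is intended, or pass -1 to disable the age check until the TODO makes it configurable. verify_ocsp_status() begins before the first hunk and ends after the third.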
@@ -204,7 +226,6 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
                             "OCSP validation completed, "
                             "certificate status: %s (%d, %d)",
                             result, status, reason);
-            rc = status;
         }
     }