|
@@ -98,6 +98,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
|
98
|
98
|
__einfo_error ( EINFO_EACCES_EMPTY )
|
99
|
99
|
#define EINFO_EACCES_EMPTY \
|
100
|
100
|
__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
|
|
101
|
+#define EACCES_OCSP_REQUIRED \
|
|
102
|
+ __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
|
|
103
|
+#define EINFO_EACCES_OCSP_REQUIRED \
|
|
104
|
+ __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
|
101
|
105
|
|
102
|
106
|
/** Certificate cache */
|
103
|
107
|
static LIST_HEAD ( x509_cache );
|
|
@@ -1343,6 +1347,14 @@ int x509_validate ( struct x509_certificate *cert,
|
1343
|
1347
|
return -EACCES_PATH_LEN;
|
1344
|
1348
|
}
|
1345
|
1349
|
|
|
1350
|
+ /* Fail if OCSP is required */
|
|
1351
|
+ if ( cert->extensions.auth_info.ocsp.uri &&
|
|
1352
|
+ ( ! cert->extensions.auth_info.ocsp.good ) ) {
|
|
1353
|
+ DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
|
|
1354
|
+ cert, cert->subject.name );
|
|
1355
|
+ return -EACCES_OCSP_REQUIRED;
|
|
1356
|
+ }
|
|
1357
|
+
|
1346
|
1358
|
/* Calculate effective path length */
|
1347
|
1359
|
cert->path_remaining = ( issuer->path_remaining - 1 );
|
1348
|
1360
|
max_path_remaining = ( cert->extensions.basic.path_len + 1 );
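Review bot: The new gate at lines 1351-1352 accepts any certificate whose `ocsp.good` flag was set at some earlier point, and nothing in the hunk bounds that flag in time; since validated certificates live in `x509_cache` (context of the first hunk), confirm that `ocsp.good` is cleared or limited by the OCSP response's validity period, otherwise a certificate revoked after its first successful check keeps validating for as long as it stays cached. The comment `/* Fail if OCSP is required */` also leaves "required" undefined, and the policy actually encoded is "required whenever the certificate advertises a responder"; I would write it as `/* An OCSP check is mandatory for any certificate that advertises an OCSP responder; certificates with no OCSP URI are not revocation-checked here */` so a reader does not assume every certificate is revocation-checked. `x509_validate` starts and ends outside the hunk.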
|