robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
Browse Source

[crypto] Require OCSP check if certificate provides an OCSP URI 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 13 years ago
parent
073331c2ee
commit
7fa1f41f7d
1 changed files with 12 additions and 0 deletions
Unified View Show Diff Stats
  1. 12
    0
      src/crypto/x509.c

+ 12
- 0
src/crypto/x509.c View File

98 
 	__einfo_error ( EINFO_EACCES_EMPTY )
 98 
 	__einfo_error ( EINFO_EACCES_EMPTY )
99 
 #define EINFO_EACCES_EMPTY \
 99 
 #define EINFO_EACCES_EMPTY \
100 
 	__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
 100 
 	__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
101 
+#define EACCES_OCSP_REQUIRED \
102 
+	__einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
103 
+#define EINFO_EACCES_OCSP_REQUIRED \
104 
+	__einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
101
105
102 
 /** Certificate cache */
 106 
 /** Certificate cache */
103 
 static LIST_HEAD ( x509_cache );
 107 
 static LIST_HEAD ( x509_cache );
1343 
 		return -EACCES_PATH_LEN;
 1347 
 		return -EACCES_PATH_LEN;
1344 
 	}
 1348 
 	}
1345
1349
1350 
+	/* Fail if OCSP is required */
1351 
+	if ( cert->extensions.auth_info.ocsp.uri &&
1352 
+	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
1353 
+		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1354 
+		       cert, cert->subject.name );
1355 
+		return -EACCES_OCSP_REQUIRED;
1356 
+	}
1357 
+
1346 
 	/* Calculate effective path length */
 1358 
 	/* Calculate effective path length */
1347 
 	cert->path_remaining = ( issuer->path_remaining - 1 );
 1359 
 	cert->path_remaining = ( issuer->path_remaining - 1 );
1348 
 	max_path_remaining = ( cert->extensions.basic.path_len + 1 );
 1360 
 	max_path_remaining = ( cert->extensions.basic.path_len + 1 );

Write Preview
Loading…
Cancel
Save