narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[crypto] Require OCSP check if certificate provides an OCSP URI 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-05-22 00:53:44 +01:00
parent 073331c2ee
commit 7fa1f41f7d
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/crypto/x509.c
View File

@ -98,6 +98,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
__einfo_error ( EINFO_EACCES_EMPTY ) __einfo_error ( EINFO_EACCES_EMPTY )
#define EINFO_EACCES_EMPTY \ #define EINFO_EACCES_EMPTY \
__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" ) __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
#define EACCES_OCSP_REQUIRED \
__einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
#define EINFO_EACCES_OCSP_REQUIRED \
__einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
/** Certificate cache */ /** Certificate cache */
static LIST_HEAD ( x509_cache ); static LIST_HEAD ( x509_cache );
@ -1343,6 +1347,14 @@ int x509_validate ( struct x509_certificate *cert,
return -EACCES_PATH_LEN; return -EACCES_PATH_LEN;
} }
/* Fail if OCSP is required */
if ( cert->extensions.auth_info.ocsp.uri &&
( ! cert->extensions.auth_info.ocsp.good ) ) {
DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
cert, cert->subject.name );
return -EACCES_OCSP_REQUIRED;
}
/* Calculate effective path length */ /* Calculate effective path length */
cert->path_remaining = ( issuer->path_remaining - 1 ); cert->path_remaining = ( issuer->path_remaining - 1 );
max_path_remaining = ( cert->extensions.basic.path_len + 1 ); max_path_remaining = ( cert->extensions.basic.path_len + 1 );