From c43f598838acaf3b98df4fce4b6babb663d2f902 Mon Sep 17 00:00:00 2001
From: Otto Hollmann <otto.hollmann@suse.com>
Date: Fri, 30 Jun 2023 11:15:30 +0200
Subject: [PATCH] Add OCSP_RESPONSE_check_status(), a function to check OCSP
response for revoked certificate in s_client.
---
apps/s_client.c | 10 ++++++++--
crypto/ocsp/ocsp_vfy.c | 31 +++++++++++++++++++++++++++++++
include/openssl/ocsp.h | 1 +
util/libcrypto.num | 1 +
4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index a6c5a559a9da..e1090d23f44b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3608,7 +3608,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
- int len;
+ int len, ret;
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
@@ -3625,8 +3625,14 @@ static int ocsp_resp_cb(SSL *s, void *arg)
BIO_puts(arg, "\n======================================\n");
OCSP_RESPONSE_print(arg, rsp, 0);
BIO_puts(arg, "======================================\n");
+ ret = OCSP_RESPONSE_check_status(rsp);
OCSP_RESPONSE_free(rsp);
- return 1;
+ if (ret <= -1) {
+ BIO_puts(arg, "unable to verify OCSP response\n");
+ } else if (ret == 0) {
+ BIO_puts(arg, "revoked certificate found in OCSP response\n");
+ }
+ return ret;
}
# endif
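Review bot: The message on the `ret <= -1` branch, "unable to verify OCSP response", says more than was checked: as far as this patch shows, OCSP_RESPONSE_check_status never verifies the response signature, and its -1 covers a response with no basic responseBytes (for example a non-successful responseStatus such as tryLater), which the callback accepted before this change by returning 1. Propagating that -1 out of the status callback appears to turn such a response into a fatal handshake error rather than the "not acceptable" 0, so both the stricter behaviour and the wording deserve attention; something like `BIO_puts(arg, "no usable basic OCSP response; aborting handshake\n");` describes what actually happened. The revoked check also fires on any single response in the stapled payload, whether or not it is the one for the peer certificate and whether or not the responder signature was verified; that is fail-closed, and a comment above the call would make the intent explicit: `/* fail closed: any revoked status in the (unverified) stapled response ends the handshake */`. The start of ocsp_resp_cb, including the early returns for a missing or unparsable response, lies outside this hunk.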
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index b0827e9a22c0..dd4ea3d0a99e 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -438,3 +438,34 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
}
return 0;
}
+
+/*
+ * Check an OCSP response for revoked certificate. Return a negative value on
+ * error; 0 if the response is not acceptable (in which case the handshake
+ * will fail) or a positive value if it is acceptable (no revoked certificate
+ * is found).
+ */
+
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
+{
+ int i;
+ OCSP_BASICRESP *br = NULL;
+ OCSP_RESPDATA *rd = NULL;
+ OCSP_SINGLERESP *single = NULL;
+ OCSP_RESPBYTES *rb = o->responseBytes;
+ if (rb == NULL)
+ return -1;
+ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+ return -1;
+ if ((br = OCSP_response_get1_basic(o)) == NULL)
+ return -1;
+ rd = &br->tbsResponseData;
+ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
+ if (!sk_OCSP_SINGLERESP_value(rd->responses, i))
+ continue;
+ single = sk_OCSP_SINGLERESP_value(rd->responses, i);
+ if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED)
+ return 0;
+ }
+ return 1;
+}
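Review bot: The OCSP_BASICRESP obtained from OCSP_response_get1_basic() is owned by the caller (the "get1" convention) and is never freed: both the `return 0` inside the loop and the final `return 1` leak `br`, so every stapled response checked by s_client leaks one decoded basic response. The loop also calls sk_OCSP_SINGLERESP_value() twice per entry; fetching once and testing the result is enough. The function name and the "Check an OCSP response for revoked certificate" comment suggest a verification step, but no OCSP_basic_verify() is called, so the result is based on unauthenticated data; the header comment should say so, and the rewrite below adds that note and routes every exit through a single free.
```c
int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
{
    int i, ret = 1;
    OCSP_BASICRESP *br = NULL;
    OCSP_RESPDATA *rd = NULL;
    OCSP_SINGLERESP *single = NULL;
    /* … unchanged: responseBytes and responseType checks … */
    if ((br = OCSP_response_get1_basic(o)) == NULL)
        return -1;
    rd = &br->tbsResponseData;
    /*
     * NOTE: the responder signature is not verified here; callers that
     * need an authenticated answer must run OCSP_basic_verify() first.
     */
    for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
        single = sk_OCSP_SINGLERESP_value(rd->responses, i);
        if (single == NULL)
            continue;
        if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) {
            ret = 0;
            break;
        }
    }
    OCSP_BASICRESP_free(br); /* get1 handed us an owned reference */
    return ret;
}
```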
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index e2cc2716b56b..c94ebd2906d4 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -375,6 +375,7 @@ const char *OCSP_crl_reason_str(long s);
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o);
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags);
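Review bot: The new public prototype is added without any statement of its contract, and no doc/man3 entry accompanies it in this patch, so a user of the header cannot tell that -1 means "no basic response", 0 means "a revoked status is present", 1 means "none revoked", or that the function does not verify the responder signature. A short comment above the declaration would close that gap: `/* Scan a decoded response for a revoked status; does NOT verify the signature. Returns <0 on missing/non-basic response, 0 if any single response is REVOKED, 1 otherwise. */`. If the project convention requires a pod page for new API, that is presumably still needed as well.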
diff --git a/util/libcrypto.num b/util/libcrypto.num
index d909721a3681..6d7ab664b4e3 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5518,3 +5518,4 @@ X509_STORE_CTX_init_rpk ? 3_2_0 EXIST::FUNCTION:
fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION:
FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION:
FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION:
+OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP