Fail closed in CheckOcspRequest when ocspCheckAll and no URL

CheckOcspRequest used to return CERT_GOOD whenever a certificate
lacked an AIA extension and no override URL was configured, with
the rationale 'Cert has no OCSP URL, assuming CERT_GOOD'. That is
a fail-open soft-fail: an operator who turned on
WOLFSSL_OCSP_CHECKALL expecting every certificate in the chain to
be revocation-checked would still silently accept a certificate
that omits its OCSP responder URL, letting a misconfigured (or
attacker-controlled) issuer bypass revocation for non-stapled
flows.

Gate the fail-open path on cm->ocspCheckAll. When the caller has
asked for full-chain OCSP checking, return OCSP_NEED_URL so the
chain is refused. The legacy behavior is preserved when
ocspCheckAll is not set, keeping the soft-fail default for plain
WOLFSSL_OCSP_ENABLE users.

F-3227
Juliusz Sosinowicz
2026-04-30 22:39:55 +02:00
parent ed4f4ce826
commit fd91f681e5
+8 -1
@@ -544,7 +544,14 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
urlSz = ocspRequest->urlSz;
}
else {
/* cert doesn't have extAuthInfo, assuming CERT_GOOD */
/* No AIA URL and no override. ocspCheckAll asks for strict chain
* checking, so fail closed - but only on the client verification
* instance (cm->ocsp); stapling (cm->ocsp_stapling) shares the cm
* flag and must stay best-effort. */
if (ocsp->cm->ocspCheckAll && ocsp == ocsp->cm->ocsp) {
WOLFSSL_MSG("Cert has no OCSP URL and ocspCheckAll is set");
return OCSP_NEED_URL;
}
WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD");
return 0;
}
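Review bot: the commit message and the code disagree on when the fail-closed path applies. The message says the chain is refused "when the caller has asked for full-chain OCSP checking", but the new condition is `ocsp->cm->ocspCheckAll && ocsp == ocsp->cm->ocsp`, so with ocspCheckAll set the stapling instance (cm->ocsp_stapling) still falls through to `WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD"); return 0;`. Please state the stapling carve-out in the commit message as well, since it is exactly the kind of residual soft-fail an operator enabling WOLFSSL_OCSP_CHECKALL would want to know about. A regression test that verifies a chain containing a certificate without an AIA extension under WOLFSSL_OCSP_CHECKALL, asserting OCSP_NEED_URL on the verification instance and the unchanged best-effort result on the stapling instance, would pin both halves of this behaviour. Minor: the two comment lines at the top of the else branch now read as a pair; if the old "cert doesn't have extAuthInfo, assuming CERT_GOOD" comment is meant to survive, move it next to the `return 0;` it describes rather than above the fail-closed block.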