Fail closed in CheckOcspRequest when ocspCheckAll and no URL
CheckOcspRequest used to return CERT_GOOD whenever a certificate lacked an AIA extension and no override URL was configured, with the rationale 'Cert has no OCSP URL, assuming CERT_GOOD'. That is a fail-open soft-fail: an operator who turned on WOLFSSL_OCSP_CHECKALL expecting every certificate in the chain to be revocation-checked would still silently accept a certificate that omits its OCSP responder URL, letting a misconfigured (or attacker-controlled) issuer bypass revocation for non-stapled flows. Gate the fail-open path on cm->ocspCheckAll. When the caller has asked for full-chain OCSP checking, return OCSP_NEED_URL so the chain is refused. The legacy behavior is preserved when ocspCheckAll is not set, keeping the soft-fail default for plain WOLFSSL_OCSP_ENABLE users. F-3227
+8
-1
@@ -544,7 +544,14 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
|
||||
urlSz = ocspRequest->urlSz;
|
||||
}
|
||||
else {
|
||||
/* cert doesn't have extAuthInfo, assuming CERT_GOOD */
|
||||
/* No AIA URL and no override. ocspCheckAll asks for strict chain
|
||||
* checking, so fail closed - but only on the client verification
|
||||
* instance (cm->ocsp); stapling (cm->ocsp_stapling) shares the cm
|
||||
* flag and must stay best-effort. */
|
||||
if (ocsp->cm->ocspCheckAll && ocsp == ocsp->cm->ocsp) {
|
||||
WOLFSSL_MSG("Cert has no OCSP URL and ocspCheckAll is set");
|
||||
return OCSP_NEED_URL;
|
||||
}
|
||||
WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD");
|
||||
return 0;
|
||||
}
|
||||
|
||||
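Review bot: The new guard `if (ocsp->cm->ocspCheckAll && ocsp == ocsp->cm->ocsp)` fails closed only when the WOLFSSL_OCSP being checked is the one registered as cm->ocsp, so any other instance (the stapling one named in the comment, and presumably any OCSP context not registered as cm->ocsp) still returns 0 for a certificate with no AIA URL even with ocspCheckAll set, whereas the commit description says only that the path is gated on cm->ocspCheckAll. If the pointer-identity carve-out is intended, the commit message should state it, and the retained log line `WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD");` now fires for two different reasons (flag off, or non-cm->ocsp instance), so a reader of the trace cannot tell which applied; a message such as `WOLFSSL_MSG("Cert has no OCSP URL, ocspCheckAll not enforced on this instance; assuming CERT_GOOD");` would make the soft-fail reason explicit. `ocsp->cm` is dereferenced here without a NULL check; that is presumably already relied on earlier in CheckOcspRequest (the override-URL lookup), but that code is outside the hunk, so it is worth confirming rather than assuming. CheckOcspRequest begins and continues outside this hunk.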