static void
_response_info (const gnutls_datum_t* data)
{
gnutls_ocsp_resp_t resp;
int ret;
gnutls_datum buf;
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
error (EXIT_FAILURE, 0, "ocsp_resp_init: %s", gnutls_strerror (ret));
ret = gnutls_ocsp_resp_import (resp, data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
if (ENABLED_OPT(VERBOSE))
ret = gnutls_ocsp_resp_print (resp, GNUTLS_OCSP_PRINT_FULL, &buf);
else
ret = gnutls_ocsp_resp_print (resp, GNUTLS_OCSP_PRINT_COMPACT, &buf);
if (ret != 0)
error (EXIT_FAILURE, 0, "ocsp_resp_print: %s", gnutls_strerror (ret));
printf ("%.*s", buf.size, buf.data);
gnutls_free (buf.data);
gnutls_ocsp_resp_deinit (resp);
}
static void
_response_info (const gnutls_datum_t * data)
{
gnutls_ocsp_resp_t resp;
int ret;
gnutls_datum buf;
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
exit (1);
ret = gnutls_ocsp_resp_import (resp, data);
if (ret < 0)
exit (1);
ret = gnutls_ocsp_resp_print (resp, GNUTLS_OCSP_PRINT_FULL, &buf);
if (ret != 0)
exit (1);
printf ("%.*s", buf.size, buf.data);
gnutls_free (buf.data);
gnutls_ocsp_resp_deinit (resp);
}
static int check_ocsp(struct tls_connection *conn, gnutls_session_t session,
gnutls_alert_description_t *err)
{
#if GNUTLS_VERSION_NUMBER >= 0x030103
gnutls_datum_t response, buf;
gnutls_ocsp_resp_t resp;
unsigned int cert_status;
int res;
if (!(conn->flags & (TLS_CONN_REQUEST_OCSP | TLS_CONN_REQUIRE_OCSP)))
return 0;
if (!gnutls_ocsp_status_request_is_checked(session, 0)) {
if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
wpa_printf(MSG_INFO,
"GnuTLS: No valid OCSP response received");
goto ocsp_error;
}
wpa_printf(MSG_DEBUG,
"GnuTLS: Valid OCSP response was not received - continue since OCSP was not required");
return 0;
}
/*
* GnuTLS has already verified the OCSP response in
* check_ocsp_response() and rejected handshake if the certificate was
* found to be revoked. However, if the response indicates that the
* status is unknown, handshake continues and reaches here. We need to
* re-import the OCSP response to check for unknown certificate status,
* but we do not need to repeat gnutls_ocsp_resp_check_crt() and
* gnutls_ocsp_resp_verify_direct() calls.
*/
res = gnutls_ocsp_status_request_get(session, &response);
if (res != GNUTLS_E_SUCCESS) {
wpa_printf(MSG_INFO,
"GnuTLS: OCSP response was received, but it was not valid");
goto ocsp_error;
}
if (gnutls_ocsp_resp_init(&resp) != GNUTLS_E_SUCCESS)
goto ocsp_error;
res = gnutls_ocsp_resp_import(resp, &response);
if (res != GNUTLS_E_SUCCESS) {
wpa_printf(MSG_INFO,
"GnuTLS: Could not parse received OCSP response: %s",
gnutls_strerror(res));
gnutls_ocsp_resp_deinit(resp);
goto ocsp_error;
}
res = gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &buf);
if (res == GNUTLS_E_SUCCESS) {
wpa_printf(MSG_DEBUG, "GnuTLS: %s", buf.data);
gnutls_free(buf.data);
}
res = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL,
NULL, &cert_status, NULL,
NULL, NULL, NULL);
gnutls_ocsp_resp_deinit(resp);
if (res != GNUTLS_E_SUCCESS) {
wpa_printf(MSG_INFO,
"GnuTLS: Failed to extract OCSP information: %s",
gnutls_strerror(res));
goto ocsp_error;
}
if (cert_status == GNUTLS_OCSP_CERT_GOOD) {
wpa_printf(MSG_DEBUG, "GnuTLS: OCSP cert status: good");
} else if (cert_status == GNUTLS_OCSP_CERT_REVOKED) {
wpa_printf(MSG_DEBUG,
"GnuTLS: OCSP cert status: revoked");
goto ocsp_error;
} else {
wpa_printf(MSG_DEBUG,
"GnuTLS: OCSP cert status: unknown");
if (conn->flags & TLS_CONN_REQUIRE_OCSP)
goto ocsp_error;
wpa_printf(MSG_DEBUG,
"GnuTLS: OCSP was not required, so allow connection to continue");
}
return 0;
ocsp_error:
gnutls_tls_fail_event(conn, NULL, 0, NULL,
"bad certificate status response",
TLS_FAIL_REVOKED);
*err = GNUTLS_A_CERTIFICATE_REVOKED;
return -1;
#else /* GnuTLS 3.1.3 or newer */
return 0;
#endif /* GnuTLS 3.1.3 or newer */
}
