ocspcheck effectively treats a missing nextUpdate as an error, i.e., it
always emits a warning and no staplefile is written out. According to
RFC 6960, the nextUpdate field is optional. The following patch should
handle this case more gracefully and include a suitable debug message only
in case -vv is specified.
OK?
Index: src/usr.sbin/ocspcheck/ocspcheck.c
===================================================================
RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 ocspcheck.c
--- src/usr.sbin/ocspcheck/ocspcheck.c 8 May 2017 20:15:34 -0000
1.21
+++ src/usr.sbin/ocspcheck/ocspcheck.c 2 Sep 2017 17:09:00 -0000
@@ -368,7 +368,7 @@ validate_response(char *buf, size_t size
{
ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd =
NULL;
const unsigned char **p = (const unsigned char **)&buf;
- int status, cert_status=0, crl_reason=0;
+ int status, cert_status=0, crl_reason=0, next_update=0;
time_t now, rev_t = -1, this_t, next_t;
OCSP_RESPONSE *resp;
OCSP_BASICRESP *bresp;
@@ -447,12 +447,14 @@ validate_response(char *buf, size_t size
return 0;
}
if ((next_t = parse_ocsp_time(nextupd)) == -1) {
- warnx("unable to parse next update time in OCSP reply");
- return 0;
+ if (verbose >= 2)
+ fprintf(stderr, "Optional timestamp for next
update not included in OCSP reply\n");
}
+ else
+ next_update = 1;
/* Don't allow this update to precede next update */
- if (this_t >= next_t) {
+ if (next_update == 1 && this_t >= next_t) {
warnx("Invalid OCSP reply: this update >= next update");
return 0;
}
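Review bot: The new branch around `parse_ocsp_time(nextupd)` treats every -1 return as "nextUpdate absent", so a reply that carries a nextUpdate the parser rejects is now accepted with next_update left at 0, which also disables the expiry check in the following hunk (`next_update == 1 && next_t < now - JITTER_SEC`); the old code rejected such a reply outright. Whether parse_ocsp_time distinguishes a NULL argument from a malformed value is not visible here, but `nextupd` is its own pointer, so the absent case can be tested on it directly and a parse failure can keep the hard error. Placing `else` on a line of its own after `}` also reads oddly next to the other branches; the rewrite below folds the three cases into one if/else-if chain and documents why the absent case is tolerated. validate_response begins before this hunk.
```c
	if (nextupd == NULL) {
		/* nextUpdate is OPTIONAL (RFC 6960); no expiry bound then. */
		if (verbose >= 2)
			fprintf(stderr, "Optional timestamp for next "
			    "update not included in OCSP reply\n");
	} else if ((next_t = parse_ocsp_time(nextupd)) == -1) {
		warnx("unable to parse next update time in OCSP reply");
		return 0;
	} else
		next_update = 1;
	/* ... unchanged: this update >= next update check ... */
```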
@@ -481,7 +483,7 @@ validate_response(char *buf, size_t size
/*
* Check that next update is still valid
*/
- if (next_t < now - JITTER_SEC) {
+ if (next_update == 1 && next_t < now - JITTER_SEC) {
warnx("Invalid OCSP reply: reply has expired (%s)",
ctime(&next_t));
return 0;
@@ -489,7 +491,8 @@ validate_response(char *buf, size_t size
vspew("OCSP response validated from %s\n", host);
vspew(" This Update: %s", ctime(&this_t));
- vspew(" Next Update: %s", ctime(&next_t));
+ if (next_update == 1)
+ vspew(" Next Update: %s", ctime(&next_t));
return 1;
}