mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
This commit is contained in:
parent
7189a9f2ab
commit
d98be01fdd
@ -391,6 +391,13 @@ NSSCertDBTrustDomain::CheckRevocation(
|
||||
PR_SetError(cachedResponseErrorCode, 0);
|
||||
return SECFailure;
|
||||
}
|
||||
if (stapledOCSPResponse) {
|
||||
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
||||
("NSSCertDBTrustDomain: returning SECFailure from expired "
|
||||
"stapled response after OCSP request failure"));
|
||||
PR_SetError(SEC_ERROR_OCSP_OLD_RESPONSE, 0);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
||||
("NSSCertDBTrustDomain: returning SECSuccess after "
|
||||
@ -414,10 +421,18 @@ NSSCertDBTrustDomain::CheckRevocation(
|
||||
return rv;
|
||||
}
|
||||
|
||||
if (stapledOCSPResponse) {
|
||||
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
||||
("NSSCertDBTrustDomain: returning SECFailure from expired stapled "
|
||||
"response after OCSP request verification failure"));
|
||||
PR_SetError(SEC_ERROR_OCSP_OLD_RESPONSE, 0);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
||||
("NSSCertDBTrustDomain: end of CheckRevocation"));
|
||||
|
||||
return SECSuccess;
|
||||
return SECSuccess; // Soft fail -> success :(
|
||||
}
|
||||
|
||||
SECStatus
|
||||
|
@ -48,9 +48,14 @@ let ocspResponseUnknown = ocspResponses[4];
|
||||
function run_test() {
|
||||
let ocspResponder = new HttpServer();
|
||||
ocspResponder.registerPrefixHandler("/", function(request, response) {
|
||||
response.setStatusLine(request.httpVersion, 200, "OK");
|
||||
response.setHeader("Content-Type", "application/ocsp-response");
|
||||
response.write(gCurrentOCSPResponse);
|
||||
if (gCurrentOCSPResponse) {
|
||||
response.setStatusLine(request.httpVersion, 200, "OK");
|
||||
response.setHeader("Content-Type", "application/ocsp-response");
|
||||
response.write(gCurrentOCSPResponse);
|
||||
} else {
|
||||
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
|
||||
response.write("Internal Server Error");
|
||||
}
|
||||
gOCSPRequestCount++;
|
||||
});
|
||||
ocspResponder.start(8080);
|
||||
@ -83,14 +88,40 @@ function add_tests_in_mode(useMozillaPKIX)
|
||||
ocspResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
|
||||
ocspResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
|
||||
// With mozilla::pkix, if we can't fetch a more recent response when
|
||||
// given an expired stapled response, we terminate the connection.
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
expiredOCSPResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
expiredOCSPResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
oldValidityPeriodOCSPResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
oldValidityPeriodOCSPResponseGood);
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
null);
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
useMozillaPKIX
|
||||
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
|
||||
: Cr.NS_OK,
|
||||
null);
|
||||
// Of course, if the newer response indicates Revoked or Unknown,
|
||||
// that status must be returned.
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
|
||||
ocspResponseRevoked);
|
||||
@ -100,6 +131,9 @@ function add_tests_in_mode(useMozillaPKIX)
|
||||
add_ocsp_test("ocsp-stapling-expired.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
|
||||
ocspResponseUnknown);
|
||||
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
|
||||
ocspResponseUnknown);
|
||||
|
||||
if (useMozillaPKIX) {
|
||||
// These tests are verifying that an valid but very old response
|
||||
@ -124,11 +158,8 @@ function check_ocsp_stapling_telemetry() {
|
||||
do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
|
||||
do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
|
||||
do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
|
||||
do_check_eq(histogram.counts[3], 2 * 9 + 3); // 9 connections with an expired response
|
||||
// 3 connection with a response
|
||||
// considered expired due to being
|
||||
// old but having an overly-long
|
||||
// validity period
|
||||
do_check_eq(histogram.counts[3], 2 * 12 + 3); // 12 connections with an expired response
|
||||
// +3 more mozilla::pkix-only expired responses
|
||||
do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
|
||||
run_next_test();
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user