authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-02-04 10:14:55 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-02-04 10:18:05 +0100
commitcb040d5f05a6fa9065bef1e14d62eee28f479e22 (patch)
tree80a868d248ebeb57c5c231cc3f87e3eae4d2d21a
parent02b6f5312d7113f22136539fe444dc04db29aa5f (diff)
downloadgnutls-cb040d5f05a6fa9065bef1e14d62eee28f479e22.tar.gz
handle differently OCSP responses that are revoked and of unknown status
-rw-r--r--src/cli.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/cli.c b/src/cli.c
index c5137cd44b..1064741f82 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1721,6 +1721,7 @@ static int cert_verify_ocsp(gnutls_session_t session)
gnutls_x509_crt_t cert, issuer;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0, ok = 0;
+ unsigned failed = 0;
int deinit_issuer = 0, deinit_cert;
gnutls_datum_t resp;
unsigned char noncebuf[23];
@@ -1784,8 +1785,10 @@ static int cert_verify_ocsp(gnutls_session_t session)
ret = check_ocsp_response(cert, issuer, &resp, &nonce, verbose);
if (ret == 1)
ok++;
- else
+ else if (ret == 0) {
+ failed++;
break;
+ }
}
cleanup:
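Review bot: In the new `else if (ret == 0)` branch, every other return value from check_ocsp_response() now falls through with no counter and no message, and the loop moves on to the next certificate. check_ocsp_response() is not visible here, so presumably a negative value means the status was unknown or the response could not be used. A comment such as `/* ret < 0: status unknown, counted neither as ok nor as failed; keep checking the rest of the chain */` would make this soft-fail choice explicit for the next reader. Because the branch breaks immediately, `failed` can never exceed 1 and acts as a flag, so `failed = 1;` would read more accurately than `failed++`. The enclosing loop starts outside the hunk.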
@@ -1794,5 +1797,7 @@ cleanup:
if (deinit_cert)
gnutls_x509_crt_deinit(cert);
+ if (failed > 0)
+ return -1;
return ok > 1 ? (int) ok : -1;
}
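Review bot: The added `if (failed > 0) return -1;` returns the same value as the fallback on the following line, so a caller of cert_verify_ocsp() cannot tell a revoked certificate from a chain whose status was never established. The call site is not visible here; if it needs that distinction, a separate return value would carry it. Otherwise a header comment stating the contract would help, e.g. `/* returns the number of certificates verified by OCSP, or -1 if one was revoked or too few could be verified */`. The unchanged `ok > 1` test also means a single good response still yields -1, which may have been meant as `ok >= 1` and is worth confirming. The function body begins outside the hunk.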