authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 13:01:51 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-22 08:46:04 +0100
commit4ea338ab3e9ac736279acd140abfb422d91a47a8 (patch)
treec9883da1c627ca13bcdf51c35cbc3895cc96433b
parent9269e45179ef6413f3a0de80c87ca4aecd4fb88e (diff)
check_ocsp_response: utilize the same flags as in certificate verification
This ensures that overrides, such as allowing broken algorithms, are also applied during OCSP response validation. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/x509.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/x509.c b/lib/x509.c
index d764939092..af231441bf 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -74,6 +74,7 @@
static int
check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_x509_trust_list_t tl,
+ unsigned verify_flags,
gnutls_x509_crt_t *cand_issuers, unsigned cand_issuers_size,
gnutls_datum_t * data, unsigned int *ostatus)
{
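Review bot: The new parameter is spelled `unsigned verify_flags` while the neighbouring `unsigned int *ostatus` in the same signature uses the long form; pick one spelling for the prototype. The parameter also arrives without any comment on what set of flags it carries or why it is threaded through here; a one-line note above the signature would help, e.g. `/* verify_flags: the flags used for peer-chain verification, presumably GNUTLS_VERIFY_*; reused so that any override (e.g. tolerating broken algorithms) also governs OCSP response verification. */`. check_ocsp_response's body continues outside this hunk.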
@@ -111,10 +112,11 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
}
/* Attempt to verify against our trusted list */
- ret = gnutls_ocsp_resp_verify(resp, tl, &status, 0);
+ ret = gnutls_ocsp_resp_verify(resp, tl, &status, verify_flags);
if ((ret < 0 || status != 0) && cand_issuers_size > 0) {
/* Attempt to verify against the certificate list provided by the server */
- ret = gnutls_ocsp_resp_verify_direct(resp, cand_issuers[0], &status, 0);
+
+ ret = gnutls_ocsp_resp_verify_direct(resp, cand_issuers[0], &status, verify_flags);
/* if verification fails attempt to find whether any of the other
* bundled CAs is an issuer of the OCSP response */
if ((ret < 0 || status != 0) && cand_issuers_size > 1) {
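Review bot: The blank line inserted before the fallback call separates the explanatory comment from the `ret = gnutls_ocsp_resp_verify_direct(resp, cand_issuers[0], &status, verify_flags);` it describes; drop the empty line so the comment sits directly on the call, matching the trust-list attempt above it. Reusing the chain's verify_flags for all three OCSP verification calls means every relaxation in that set, not only the broken-algorithm overrides named in the commit message, presumably now applies to the OCSP response too; it is worth saying so at the first call, e.g. `/* same flags as chain verification: any override a caller chose applies to the OCSP response as well */`. check_ocsp_response's body runs past the end of this hunk.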
@@ -122,7 +124,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
unsigned status2, i;
for (i=1;i<cand_issuers_size;i++) {
- ret2 = gnutls_ocsp_resp_verify_direct(resp, cand_issuers[i], &status2, 0);
+ ret2 = gnutls_ocsp_resp_verify_direct(resp, cand_issuers[i], &status2, verify_flags);
if (ret2 >= 0 && status2 == 0) {
status = status2;
ret = ret2;
@@ -371,8 +373,9 @@ _gnutls_x509_cert_verify_peers(gnutls_session_t session,
}
ret =
- check_ocsp_response(session, peer_certificate_list[0], cred->tlist, cand_issuers,
- cand_issuers_size, &resp, &ocsp_status);
+ check_ocsp_response(session, peer_certificate_list[0], cred->tlist,
+ verify_flags, cand_issuers,
+ cand_issuers_size, &resp, &ocsp_status);
if (ret < 0) {
CLEAR_CERTS;