authorDaiki Ueno <dueno@redhat.com>2020-01-08 16:01:38 +0100
committerDaiki Ueno <dueno@redhat.com>2020-01-10 11:22:21 +0100
commit50c1b8c49ade94f781064e62f794ce8f9e869261 (patch)
treebf6909791bc299255a6610f15081232a1270987a
parent14794f5707c2414f9dcb64a629948fba7753510a (diff)
ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
This makes the OCSP based certificate verification adhere to the convention used throughout the library: "The 'GNUTLS_CERT_INVALID' flag is always set on a verification error and more detailed flags will also be set when appropriate." Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r--lib/cert-session.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 4d0e8961d5..67e38d638a 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -255,6 +255,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
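Review bot: The invariant the commit establishes ("every failure path sets GNUTLS_CERT_INVALID") is enforced by repeating the same added line at eight separate sites in this function (this hunk and the seven that follow), so a future error path that sets `check_failed = 1` but forgets the extra line silently reverts to the old behaviour where a revoked or unverifiable certificate is reported without the catch-all flag. Since every one of these paths already sets `check_failed = 1` before jumping to `cleanup`, the flag could be set once at that label instead, e.g. `if (check_failed) *ostatus |= GNUTLS_CERT_INVALID;`, leaving only the detailed flag at each site; the `cleanup` label and the rest of check_ocsp_response lie outside these hunks, so I cannot confirm nothing else reaches it with check_failed set. If the per-site form is kept, the two consecutive OR-assignments read better as one, `*ostatus |= GNUTLS_CERT_INVALID | GNUTLS_CERT_INVALID_OCSP_STATUS;`, which also makes it obvious at a glance that both bits are always set together.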
@@ -265,6 +266,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -296,6 +298,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
gnutls_assert();
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -309,6 +312,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -322,6 +326,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -330,6 +335,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The certificate was revoked via OCSP\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOKED;
ret = gnutls_assert_val(0);
goto cleanup;
@@ -344,6 +350,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The OCSP response is old\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}
@@ -353,6 +360,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"There is a newer OCSP response but was not provided by the server\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}