author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-24 09:24:19 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-24 10:30:53 +0100 |
commit | 2c452107b3876c6e76726bd95962c3c10e50d8e0 (patch) | |
tree | 8cd09aae1703a076d7a20819ad5d2943581850c2 | |
parent | 10ebf799f12d331b4e28336deeff6f13a39c0e87 (diff) | |
download | gnutls-tmp-prepare-for-sha1-ban.tar.gz |
gnutls_ocsp_resp_verify_direct, gnutls_ocsp_resp_verify: defined flags argumenttmp-prepare-for-sha1-ban
That was defined to be gnutls_certificate_verify_flags, and
it allows passing verification flags, such as flags to allow
broken algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/ocsp.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 69ca230e22..16a42fac13 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2018,7 +2018,7 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 goto done;
 }
- rc = gnutls_pubkey_verify_data2(pubkey, sigalg, 0, &data, &sig);
+ rc = gnutls_pubkey_verify_data2(pubkey, sigalg, flags, &data, &sig);
 if (rc == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
 gnutls_assert();
 *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE;
@@ -2090,7 +2090,7 @@ static int check_ocsp_purpose(gnutls_x509_crt_t signercert)
 * @resp: should contain a #gnutls_ocsp_resp_t type
 * @issuer: certificate believed to have signed the response
 * @verify: output variable with verification status, an #gnutls_ocsp_verify_reason_t
- * @flags: verification flags, 0 for now.
+ * @flags: verification flags from #gnutls_certificate_verify_flags
 *
 * Verify signature of the Basic OCSP Response against the public key
 * in the @issuer certificate.
@@ -2131,7 +2131,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 unsigned int vtmp;
- rc = gnutls_x509_crt_verify(signercert, &issuer, 1, 0,
+ rc = gnutls_x509_crt_verify(signercert, &issuer, 1, flags,
 &vtmp);
 if (rc != GNUTLS_E_SUCCESS) {
 gnutls_assert();
@@ -2168,7 +2168,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 * @resp: should contain a #gnutls_ocsp_resp_t type
 * @trustlist: trust anchors as a #gnutls_x509_trust_list_t type
 * @verify: output variable with verification status, an #gnutls_ocsp_verify_reason_t
- * @flags: verification flags, 0 for now.
+ * @flags: verification flags from #gnutls_certificate_verify_flags
 *
 * Verify signature of the Basic OCSP Response against the public key
 * in the certificate of a trusted signer. The @trustlist should be
@@ -2250,7 +2250,7 @@ gnutls_ocsp_resp_verify(gnutls_ocsp_resp_t resp,
 rc = gnutls_x509_trust_list_verify_crt2(trustlist, &signercert, 1, &vdata, 1,
- 0, &vtmp, NULL);
+ flags, &vtmp, NULL);
 if (rc != GNUTLS_E_SUCCESS) {
 gnutls_assert();
 goto done; |
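Review bot: The caller-supplied `flags` reaches `gnutls_pubkey_verify_data2` unfiltered in the first hunk, and the third and fifth hunks hand the same value to `gnutls_x509_crt_verify` and `gnutls_x509_trust_list_verify_crt2`, so every bit of `gnutls_certificate_verify_flags` now acts on OCSP validation rather than only the broken-algorithm allowances the commit message names. A flag such as `GNUTLS_VERIFY_DISABLE_TIME_CHECKS` or `GNUTLS_VERIFY_DISABLE_CA_SIGN` would then relax the signer-certificate check as well, and any caller that passed a non-zero value while the argument was documented as "0 for now" silently changes behaviour. If only algorithm allowances are intended, mask once on entry to both public functions, for example `flags &= OCSP_VERIFY_FLAGS_MASK; /* placeholder name: the allow-broken-algorithm bits only */`. It is also worth confirming that `gnutls_pubkey_verify_data2` interprets its flags argument in the same namespace; neither that nor the enclosing function bodies are visible in these hunks.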
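Review bot: The new `@flags` line in the `gnutls_ocsp_resp_verify_direct` doc comment (second hunk), and the identical line for `gnutls_ocsp_resp_verify` in the fourth hunk, does not say what the flags now influence or that the argument used to be ignored. Going by the other hunks, the value appears to reach both the response signature check and the validation of the signer certificate, so something like ` * @flags: verification flags from #gnutls_certificate_verify_flags; applied to the response signature check and to the validation of the signer certificate` would be more useful to callers. A further sentence in the description stating that flags which relax verification weaken the reported OCSP status would help anyone auditing call sites. Both comment blocks continue outside their hunks.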