author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-19 20:50:22 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-19 20:52:04 +0200 |
commit | 4a6d863c0b5f0f21d8e2e03abd7f5e5430f5e9c0 (patch) | |
tree | bfa37d88df400b7c83d66167b1ea54fe3182b786 | |
parent | 04b93f62e1d64d8b3a920210e32df67681d2f313 (diff) | |
download | gnutls-4a6d863c0b5f0f21d8e2e03abd7f5e5430f5e9c0.tar.gz |
ocsptool: introduced --verify-allow-broken option
This allows OCSP response verification to succeed even when broken signature algorithms, such as MD5, are involved.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | src/ocsptool-args.def | 6 | ||||
-rw-r--r-- | src/ocsptool.c | 8 |
2 files changed, 12 insertions, 2 deletions
diff --git a/src/ocsptool-args.def b/src/ocsptool-args.def
index c293863bc7..8ef8ba859f 100644
--- a/src/ocsptool-args.def
+++ b/src/ocsptool-args.def
@@ -30,6 +30,12 @@ flag = {
 };
 
 flag = {
+ name = verify-allow-broken;
+ descrip = "Allow broken algorithms, such as MD5 for verification";
+ doc = "This can be combined with --verify-response.";
+};
+
+flag = {
 name = request-info;
 value = i;
 descrip = "Print information on a OCSP request";
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 525108d425..480f9b0383 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -47,6 +47,7 @@ static const char *outfile_name = NULL; /* to delete on exit */
 FILE *infile;
 static unsigned int encoding;
 unsigned int verbose = 0;
+static unsigned int vflags = 0;
 
 const char *get_pass(void)
 {
@@ -339,7 +340,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas);
 
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, vflags);
 if (ret < 0) {
 fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n",
 gnutls_strerror(ret));
@@ -367,7 +368,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 
 ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify,
- 0);
+ vflags);
 if (ret < 0) {
 fprintf(stderr,
 "\nVerifying OCSP Response: %s\n",
@@ -588,6 +589,9 @@ int main(int argc, char **argv)
 gnutls_global_set_log_function(tls_log_func);
 gnutls_global_set_log_level(OPT_VALUE_DEBUG);
 
+ if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
 if (HAVE_OPT(OUTFILE)) {
 outfile = fopen(OPT_ARG(OUTFILE), "wb");
 if (outfile == NULL) {
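Review bot: The `descrip` and `doc` strings of the new option do not tell the user what they give up: a response whose signature uses a broken algorithm such as MD5 is forgeable, so a verification that passes only because of this flag cannot be relied on. Suggest tightening the description to `descrip = "Allow broken algorithms, such as MD5, for verification";` and extending the doc string to say that the option is meant for testing or diagnosing legacy responders and that a response accepted this way must not be treated as trustworthy. "This can be combined with --verify-response" also leaves it unsaid that the flag has no effect on the tool's other modes, which is worth stating explicitly.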
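Review bot: With `vflags` now passed to `gnutls_ocsp_resp_verify`, a run with `--verify-allow-broken` can report a successful verification without any indication that the signature algorithm was one the library would otherwise reject; if, as the flag name suggests, the library skips its insecure-algorithm check rather than reporting it in `verify`, the printed result is indistinguishable from a genuine pass. A one-line warning next to the call makes the weakened check visible in the output: `if (vflags & GNUTLS_VERIFY_ALLOW_BROKEN) fprintf(stderr, "Warning: broken signature algorithms were allowed during verification\n");`. `_verify_response` starts and ends outside this hunk, so the status printing that follows the call is not visible here; the same applies to the `gnutls_ocsp_resp_verify_direct` path in the next hunk.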
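Review bot: The flag is folded into `vflags` regardless of whether a verification mode was requested, so `--verify-allow-broken` given together with, say, `--request-info` is silently a no-op, while the option text only says it "can be combined with --verify-response". A diagnostic at this point would catch the mismatch: `if (HAVE_OPT(VERIFY_ALLOW_BROKEN) && !HAVE_OPT(VERIFY_RESPONSE)) fprintf(stderr, "--verify-allow-broken has no effect without --verify-response\n");` — this assumes the autogen macro for that option is `VERIFY_RESPONSE`, following the `VERIFY_ALLOW_BROKEN`/`OUTFILE` naming visible in the hunk. `main` continues beyond the hunk.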