author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-10-18 10:32:20 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:37 +0100 |
commit | c55b43f004aef44303a303d41fe288e0122770e1 (patch) | |
tree | 1d80af86231ab9fdfa9291d7a2acdebcb101b24f | |
parent | 1e919486f4f191e372f451f6518f7b93dd19bf22 (diff) | |
cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
This allows reverting the new semantics of checking the loaded
OCSP response against the certificates present, and returning
to the 3.5.x semantics.
That option is also useful for debugging as it allows setting
an arbitrary response and checking gnutls' client behavior with that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 5 | ||||
-rw-r--r-- | lib/ocsp-api.c | 14 |
2 files changed, 18 insertions, 1 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 755ec78127..120ee33454 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1778,12 +1778,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
  * gnutls_certificate_flags:
  * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
  * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
+ * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
+ * function, will not check whether the response set matches any of the certificates.
  *
  * Enumeration of different certificate credentials flags.
  */
 typedef enum gnutls_certificate_flags {
 	GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
-	GNUTLS_CERTIFICATE_API_V2 = (1<<1)
+	GNUTLS_CERTIFICATE_API_V2 = (1<<1),
+	GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2)
 } gnutls_certificate_flags;
 
 void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index 1150bd4b84..e5c002f0fb 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -241,6 +241,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
  * when multiple responses which apply to the chain are available.
  * If the response provided does not match any certificates present
  * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  * otherwise a negative error code is returned.
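Review bot: The doc line for the new @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK member says only that the matching check is skipped, but not what happens instead, and it has a stray comma ("function, will not check"). Since this flag disables the check that otherwise yields %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS, a caller should be told that a response which does not correspond to any loaded certificate is then accepted at load time and attached to the end certificate (which is what the lib/ocsp-api.c code hunk appears to do, storing it in ocsp_responses[0]). I would rewrite the two added lines as ` * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, gnutls_certificate_set_ocsp_status_request_file() will not check whether the loaded response matches any of the loaded certificates;` / ` * the response is kept as-is as the end certificate's response, so a mismatch is not detected at load time. Intended for debugging and for the 3.5.x semantics.`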
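Review bot: In the added text of the gnutls_certificate_set_ocsp_status_request_file() doc comment, `end-certificates OCSP response` should read `end certificate's OCSP response`, and "the previous behavior" is vaguer than the commit message, which names the 3.5.x semantics. I would rewrite the three added lines as ` * To restore the 3.5.x behavior (no matching against the chain), set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK` / ` * in the certificate credentials structure. In that case the response is stored` / ` * without being matched, and only the end certificate's OCSP response can be set.` The doc comment block starts before this hunk.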
@@ -264,6 +267,17 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
 	if (ret < 0)
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 
+	if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+		/* quick load of first response */
+		gnutls_free(sc->certs[idx].ocsp_responses[0].data);
+
+		sc->certs[idx].ocsp_responses[0].data = der.data;
+		der.data = NULL;
+		sc->certs[idx].ocsp_responses[0].size = der.size;
+
+		return 0;
+	}
+
 	ret = gnutls_ocsp_resp_init(&resp);
 	if (ret < 0) {
 		gnutls_assert();
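Review bot: The early-return path stores the raw file contents into ocsp_responses[0] without parsing them at all, because gnutls_ocsp_resp_init() and the import that follows it run only on the normal path, so with the flag set a file that is not a DER OCSP response is accepted here and the problem only surfaces later, when the stored blob is used. Since the flag is documented as skipping the match against the certificates rather than the parse, I would move the flag test below the parse/import that follows (outside this hunk) and have it skip only the resp_matches_pcert() comparison, keeping this same store-into-slot-0 code for the result. If the credentials keep a count of attached responses or other per-response state on the normal path, this return bypasses that too; the remainder of the function is not visible in the hunk, so I cannot confirm it. The comment would be clearer as `/* SKIP_OCSP_RESPONSE_CHECK set: keep the file contents as the end certificate's response without matching it against the chain */`. gnutls_certificate_set_ocsp_status_request_file starts and ends outside the hunk.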