author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-04-06 10:43:05 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-04-06 10:43:05 +0000 |
commit | 6b0bd0da5708f9295736e1d6c7e5e1101edfb039 (patch) | |
tree | 854f78793cc85363a04571a50138a91478999d86 | |
parent | f8add6eed03ecca93e8bdbb782a81ac9de426e37 (diff) | |
download | gnutls-6b0bd0da5708f9295736e1d6c7e5e1101edfb039.tar.gz |
fixed case where a certificate could be both invalid and trusted.
-rw-r--r-- | lib/x509_verify.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/x509_verify.c b/lib/x509_verify.c
index f2508ef5c4..87d031064b 100644
--- a/lib/x509_verify.c
+++ b/lib/x509_verify.c
@@ -231,7 +231,7 @@ int gnutls_verify_certificate2(gnutls_cert * cert,
 /* The algorithm used is:
 * 1. Check the certificate chain given by the peer, if it is ok.
- * 2. If any certificate in the chain are expired, revoked, not
+ * 2. If any certificate in the chain are revoked, not
 * valid, or they are not CAs then the certificate is invalid.
 * 3. If 1 is ok, then find a certificate in the trusted CAs file
 * that has the DN of the issuer field in the last certificate
@@ -282,7 +282,13 @@ int _gnutls_x509_verify_certificate(gnutls_cert * certificate_list,
 }
 }
-
+ if (status > 0) { /* If there is any problem in the
+ * certificate chain then mark as not trusted
+ * and return immediately.
+ */
+ return (status | GNUTLS_CERT_NOT_TRUSTED);
+ }
+
 /* Now verify the last certificate in the certificate path
 * against the trusted CA certificate list.
 *
@@ -296,7 +302,7 @@ int _gnutls_x509_verify_certificate(gnutls_cert * certificate_list,
 if (ret > 0) {
 /* if the last certificate in the certificate
- * list is expired, then the certificate is not
+ * list is invalid, then the certificate is not
 * trusted.
 */
 gnutls_assert(); |
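Review bot: The new early return guarded by `if (status > 0)` in the second hunk only treats a positive status as a chain problem; if `status` can also carry a negative error value from the loop above (its declaration and the loop are outside the hunk), that case would fall through to the trusted-CA check as though the chain were clean, so `if (status != 0)` would be the safer guard unless negative values are known to be impossible here. The value returned is now the chain's failure flags OR'ed with GNUTLS_CERT_NOT_TRUSTED, so any caller that compares the result for equality with a single flag rather than testing bits should be checked. A short comment on the return line making the intent explicit would help, e.g. `/* keep the chain's failure bits so the caller can see why it is not trusted */`. _gnutls_x509_verify_certificate begins and ends outside this hunk.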