authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-01 14:13:52 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-01 16:00:09 +0200
commit63fa76e089e7a46ed687e8efe36c5062648a4be1 (patch)
treec094620ccc49565483671f67071cf7c544e0cacf /lib/x509.c
parent5e6f4e646e61a6fda9ebc101c62eb4a6c9d9dcd5 (diff)
ocsp: Introduced GNUTLS_CERT_INVALID_OCSP_STATUS
This verification status flag indicates that an OCSP status response was stapled but is invalid for some reason (e.g., it could not be parsed or does not contain the expected certificate).
Diffstat (limited to 'lib/x509.c')
-rw-r--r--lib/x509.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/x509.c b/lib/x509.c
index f407f74478..edd8e5bd19 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -88,6 +88,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
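Review bot: Each of these exits sets `ret` to 0 through `gnutls_assert_val(0)`, so the new status bit appears to be the only way a caller learns that a stapled response was rejected, and that contract is not written down anywhere in the visible lines. The same `*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;` line is repeated by hand here and in the hunks at -97, -105, -112 and -124, so a future error path that sets `check_failed = 1` but forgets the flag would fail silently. I would add a comment at the first site such as `/* ret stays 0: an unusable stapled response is reported only via *ostatus */`. If `check_failed` is not also used for other failure kinds (not visible from these hunks), the flag could be set once under the `cleanup` label instead. The body of check_ocsp_response starts and ends outside the hunk.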
@@ -97,6 +98,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -105,6 +107,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
gnutls_assert();
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -112,6 +115,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
if (status != 0) {
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
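Review bot: The `status != 0` branch here, and the `ret < 0` branch in the hunk at -105, record the failure without a `_gnutls_audit_log` call, whereas the parse-error and unrelated-certificate paths do log. Now that all five causes map to the single GNUTLS_CERT_INVALID_OCSP_STATUS bit, the audit log is the only place an operator can tell them apart, and a stapled response that fails verification is the case most worth seeing in logs. Presumably `status` holds the verification result computed earlier in the function, outside the hunk. I would add `_gnutls_audit_log(session, "OCSP response failed verification.\n");` before `check_failed = 1;` in both branches.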
@@ -124,6 +128,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}