summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaiki Ueno <dueno@redhat.com>2020-01-08 16:01:38 +0100
committerDaiki Ueno <dueno@redhat.com>2020-01-10 11:22:21 +0100
commit50c1b8c49ade94f781064e62f794ce8f9e869261 (patch)
treebf6909791bc299255a6610f15081232a1270987a /lib
parent14794f5707c2414f9dcb64a629948fba7753510a (diff)
downloadgnutls-50c1b8c49ade94f781064e62f794ce8f9e869261.tar.gz
ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
This makes the OCSP based certificate verification adhere to the convention used throughout the library: "The 'GNUTLS_CERT_INVALID' flag is always set on a verification error and more detailed flags will also be set when appropriate." Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/cert-session.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 4d0e8961d5..67e38d638a 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -255,6 +255,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -265,6 +266,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -296,6 +298,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
gnutls_assert();
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -309,6 +312,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -322,6 +326,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -330,6 +335,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The certificate was revoked via OCSP\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOKED;
ret = gnutls_assert_val(0);
goto cleanup;
@@ -344,6 +350,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The OCSP response is old\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}
@@ -353,6 +360,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"There is a newer OCSP response but was not provided by the server\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}