authorDaiki Ueno <ueno@gnu.org>2020-01-10 12:16:43 +0000
committerDaiki Ueno <ueno@gnu.org>2020-01-10 12:16:43 +0000
commit85af41159d76fc9733f2ead54a9a2ab64aeb2b80 (patch)
treed7f13a86db7a1f2570ba0b1cd821a68af45ae5d3 /lib
parent2e52d307be9f971c721a94a908f487df5e8e483b (diff)
parentd916a006e1172f05ac943b7218355065d29dee0b (diff)
Merge branch 'tmp-ocsp-revocation' into 'master'
ocsp: set GNUTLS_CERT_INVALID if the OCSP response indicates revocation. See merge request gnutls/gnutls!1159
Diffstat (limited to 'lib')
-rw-r--r--lib/cert-session.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index e56445d68b..db04a25e5d 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -255,6 +255,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
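Review bot: The added `*ostatus |= GNUTLS_CERT_INVALID;` is written as a separate statement immediately before the existing reason-flag line in every failure branch, here and in the seven following hunks, so each branch now carries two consecutive OR-assignments into the same bitmask. Folding them into one statement, e.g. `*ostatus |= GNUTLS_CERT_INVALID | GNUTLS_CERT_INVALID_OCSP_STATUS;` (and likewise `GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED` / `GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED` in the later hunks), keeps the status word written once per branch and makes it harder for a future branch to add a reason flag without the generic invalid bit. Since every branch that sets `check_failed = 1` now also sets GNUTLS_CERT_INVALID, the flag could alternatively be applied once at the `cleanup` label under `if (check_failed)`, but the label is outside these hunks so I cannot confirm that is equivalent. A short comment on the first occurrence, such as `/* GNUTLS_CERT_INVALID accompanies every specific reason flag so callers testing only the generic bit reject the certificate */`, would document the intent. check_ocsp_response begins before the first hunk and its tail, including `cleanup`, is outside the diff.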
@@ -265,6 +266,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -296,6 +298,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
gnutls_assert();
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -309,6 +312,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -322,6 +326,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -330,6 +335,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The certificate was revoked via OCSP\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOKED;
ret = gnutls_assert_val(0);
goto cleanup;
@@ -344,6 +350,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"The OCSP response is old\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}
@@ -353,6 +360,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"There is a newer OCSP response but was not provided by the server\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID;
*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
goto cleanup;
}