authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-07 21:49:49 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-07 21:50:24 +0100
commit41c0452a41d61b849ee98dcb37471b9419c43b65 (patch)
tree9d0413bacd6c7c1a2e6cabf3010a0bc1caa9f4e6 /lib
parent9c167df34a227c6f87a8e138b80c87b12095bd89 (diff)
downloadgnutls-41c0452a41d61b849ee98dcb37471b9419c43b65.tar.gz
Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP parsing errors.
Diffstat (limited to 'lib')
-rw-r--r--lib/gnutls_cert.c3
-rw-r--r--lib/gnutls_x509.c21
-rw-r--r--lib/includes/gnutls/gnutls.h.in2
3 files changed, 16 insertions, 10 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index f98ecdc8c2..a51b2ca3a5 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -947,9 +947,6 @@ gnutls_certificate_verification_status_print (unsigned int status,
if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
_gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
- if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
- _gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
-
if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
_gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 8188b79852..1f6363a552 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -112,12 +112,19 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_ocsp_resp_import (resp, data);
if (ret < 0)
- return gnutls_assert_val(ret);
+ {
+ _gnutls_audit_log (session, "There was an error parsing the OCSP response: %s.\n", gnutls_strerror(ret));
+ ret = gnutls_assert_val(0);
+ check_failed = 1;
+ goto cleanup;
+ }
ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
if (ret < 0)
{
- _gnutls_audit_log (session, "Got OCSP response on an unrelated certificate.\n");
+ ret = gnutls_assert_val(0);
+ _gnutls_audit_log (session, "Got OCSP response with an unrelated certificate.\n");
+ check_failed = 1;
goto cleanup;
}
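Review bot: The parse-failure branch added after `gnutls_ocsp_resp_import` returns 0 and leaves *ostatus untouched, so a caller that only inspects the verification status bitmask can no longer tell a malformed stapled response from no response at all; the only remaining indicators are the audit log line and `session->internals.ocsp_check_ok` staying 0. If that is the intended contract it should be recorded on check_ocsp_response, whose header is above this hunk, e.g. `/* Problems parsing or validating the stapled response are logged and leave ocsp_check_ok unset; they neither set bits in *ostatus nor fail the check. */`. The same audit text "There was an error parsing the OCSP response" is also emitted in the third hunk for a gnutls_ocsp_resp_get_single() failure; distinct wording there, e.g. `"There was an error reading the single OCSP response: %s.\n"`, keeps the log actionable. Note that in this branch the log must stay before `ret = gnutls_assert_val(0)` because gnutls_strerror(ret) needs the original error, whereas the unrelated-certificate branch below resets ret first; using the same log-then-reset order in both would make that dependency obvious.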
@@ -129,6 +136,7 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
if (status != 0)
{
ret = gnutls_assert_val(0);
+ check_failed = 1;
goto cleanup;
}
@@ -136,8 +144,9 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
&cert_status, &vtime, &ntime, &rtime, NULL);
if (ret < 0)
{
+ _gnutls_audit_log (session, "There was an error parsing the OCSP response: %s.\n", gnutls_strerror(ret));
ret = gnutls_assert_val(0);
- *ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;
+ check_failed = 1;
goto cleanup;
}
@@ -159,6 +168,7 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
{
_gnutls_audit_log(session, "The OCSP response is old\n");
check_failed = 1;
+ goto cleanup;
}
}
else
@@ -168,14 +178,15 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
{
_gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
check_failed = 1;
+ goto cleanup;
}
}
+ ret = 0;
+cleanup:
if (check_failed == 0)
session->internals.ocsp_check_ok = 1;
- ret = 0;
-cleanup:
gnutls_ocsp_resp_deinit (resp);
return ret;
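Review bot: Moving `cleanup:` above the `check_failed == 0` test means every `goto cleanup` now reaches the `ocsp_check_ok = 1` assignment, so any jump to cleanup that does not set check_failed first would mark the OCSP check as passed on an error path; the jumps added by this commit do set it, but jumps in the body between the hunks are not visible here and should be checked. Setting the flag only on the fall-through success path removes that dependency on every error site: place `if (check_failed == 0)` / `session->internals.ocsp_check_ok = 1;` / `ret = 0;` before `cleanup:`, leaving the label followed only by the deinit and return. The gotos added after `check_failed = 1` in this and the previous hunk remain correct with that layout, since they skip the assignment entirely. check_ocsp_response starts outside the hunk.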
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index b91f684df8..800323fc7c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -447,7 +447,6 @@ extern "C"
* should not be trusted.
* @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
* @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and have been superseded.
* @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
* @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
@@ -467,7 +466,6 @@ extern "C"
GNUTLS_CERT_EXPIRED = 1<<10,
GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
- GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1<<16,