-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 5 | ||||
-rw-r--r-- | lib/ocsp-api.c | 14 |
2 files changed, 18 insertions, 1 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 755ec78127..120ee33454 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1778,12 +1778,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
  * gnutls_certificate_flags:
  * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
  * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
+ * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
+ * function, will not check whether the response set matches any of the certificates.
  *
  * Enumeration of different certificate credentials flags.
  */
 typedef enum gnutls_certificate_flags {
 	GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
-	GNUTLS_CERTIFICATE_API_V2 = (1<<1)
+	GNUTLS_CERTIFICATE_API_V2 = (1<<1),
+	GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2)
 } gnutls_certificate_flags;
 
 void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index 1150bd4b84..e5c002f0fb 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -241,6 +241,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
  * when multiple responses which apply to the chain are available.
  * If the response provided does not match any certificates present
  * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  * otherwise a negative error code is returned.
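Review bot: The new enum documentation for `GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK` says what is skipped but not the consequence, which is what a credential owner has to weigh: a response that corresponds to none of the certificates in the chain is accepted and can subsequently be served to peers. The sentence also has a stray comma (`function, will not check`). Suggested wording: `@GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, gnutls_certificate_set_ocsp_status_request_file() will not check whether the response matches any of the certificates; a mismatched response is accepted as-is.` The ocsp-api.c doc hunk on the same line has the same gap, and its last added line should read "end certificate's OCSP response" rather than "end-certificates OCSP response".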
@@ -264,6 +267,17 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
 	if (ret < 0)
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 
+	if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+		/* quick load of first response */
+		gnutls_free(sc->certs[idx].ocsp_responses[0].data);
+
+		sc->certs[idx].ocsp_responses[0].data = der.data;
+		der.data = NULL;
+		sc->certs[idx].ocsp_responses[0].size = der.size;
+
+		return 0;
+	}
+
 	ret = gnutls_ocsp_resp_init(&resp);
 	if (ret < 0) {
 		gnutls_assert();
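Review bot: The new `if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` branch stores the raw file contents into `ocsp_responses[0]` and returns before `gnutls_ocsp_resp_init` is ever reached, so with the flag set a truncated or non-OCSP file is accepted silently and later handed to peers, whereas the normal path would reject it when the response fails to parse. The branch also frees and overwrites slot 0 without any visible check that the per-certificate response array for `certs[idx]` has been allocated, and without updating whatever count of stored responses the other path maintains; those fields are not in the hunk, so please confirm they are handled before this point. The documentation added in the previous hunk promises that only the end certificate's response can be set in this mode, but nothing here constrains `idx`. A smaller change that keeps the intent would be to skip only the chain-matching step and still run the parse so malformed data is rejected, and to say so in the comment: `/* flag set: store the response without matching it to the chain; it must still parse as an OCSP response */`. The enclosing function starts and ends outside this hunk.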