Diffstat (limited to 'lib/cert-cred-x509.c')
-rw-r--r-- | lib/cert-cred-x509.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index 99a0b366e7..f342a420b5 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -1493,10 +1493,14 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
 const gnutls_datum_t * CRL,
 gnutls_x509_crt_fmt_t type)
 {
-int ret;
+ unsigned flags = GNUTLS_TL_USE_IN_TLS;
+ int ret;
+
+ if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
+ flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
 
 ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, flags, 0);
 
 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 return 0;
@@ -1526,6 +1530,10 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
 {
 int ret, i, j;
 gnutls_x509_crl_t *new_crl = gnutls_malloc(crl_list_size * sizeof(gnutls_x509_crl_t));
+ unsigned flags = GNUTLS_TL_USE_IN_TLS;
+
+ if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
+ flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
 
 if (!new_crl)
 return GNUTLS_E_MEMORY_ERROR;
@@ -1546,7 +1554,7 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl,
- crl_list_size, GNUTLS_TL_USE_IN_TLS, 0);
+ crl_list_size, flags, 0);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
@@ -1582,10 +1590,14 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
 const char *crlfile,
 gnutls_x509_crt_fmt_t type)
 {
-int ret;
+ int ret;
+ unsigned flags = GNUTLS_TL_USE_IN_TLS;
+
+ if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
+ flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
 
 ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, flags, 0);
 
 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 return 0;
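Review bot: The flag derivation (`unsigned flags = GNUTLS_TL_USE_IN_TLS;` followed by the `res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS` test that ORs in `GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL`) is pasted verbatim into gnutls_certificate_set_x509_crl_mem, gnutls_certificate_set_x509_crl and gnutls_certificate_set_x509_crl_file (the first, second and fourth hunks); a small static helper would keep the three CRL-loading paths from drifting apart when this verification policy is next adjusted. Because `GNUTLS_TL_FAIL_ON_INVALID_CRL` turns a CRL that does not verify into a hard error on credentials carrying `GNUTLS_CERTIFICATE_VERIFY_CRLS`, the public doc comments of these three functions (outside the hunks) should state that the call can now fail for that reason, and — if the trust list checks the CRL against CAs already loaded, which this diff does not show — that the issuing CA must be set on the credential before its CRL; confirm against the trust-list implementation before documenting the ordering. The body of gnutls_certificate_set_x509_crl continues between and after the second and third hunks.
```c
/* Trust-list flags for loading a CRL into a credential: CRLs are only
 * verified (and rejected when invalid) if the caller asked for it with
 * GNUTLS_CERTIFICATE_VERIFY_CRLS. */
static unsigned crl_trust_list_flags(gnutls_certificate_credentials_t res)
{
	unsigned flags = GNUTLS_TL_USE_IN_TLS;

	if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
		flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
	return flags;
}

/* … unchanged: gnutls_certificate_set_x509_crl_mem up to the trust-list call … */
	ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
				type, crl_trust_list_flags(res), 0);
```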