Diffstat (limited to 'lib/cert-session.c')
-rw-r--r-- | lib/cert-session.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index db04a25e5d..5192083211 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,
 }
 
 #ifdef ENABLE_OCSP
+static int
+_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
+				       gnutls_x509_crt_t cert,
+				       unsigned int * ocsp_status);
+
 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
  *
  * Returns:
@@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
 		goto cleanup;
 	}
 
+	if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) {
+		ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus);
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+		if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) {
+			_gnutls_audit_log(session,
+					  "Missing basic OCSP response while required: %s.\n",
+					  gnutls_strerror(ret));
+			check_failed = 1;
+		}
+		ret = gnutls_assert_val(0);
+		goto cleanup;
+	}
+
 	ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
 	if (ret < 0) {
 		ret = gnutls_assert_val(0); |
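Review bot: The audit message in the second hunk formats `gnutls_strerror(ret)` at a point where `ret` is known to be non-negative (the `ret < 0` branch has already jumped to `cleanup`), so the "%s" will read as a success string rather than explaining why the response was unusable. The value that actually matters, the non-successful responder status, is discarded by the `if` condition; capture it and log it instead, e.g. `int rstatus = gnutls_ocsp_resp_get_status(resp);` before the check, and `_gnutls_audit_log(session, "Missing basic OCSP response while required (response status %d).\n", rstatus);` in place of the current three-line call. Separately, this block appears to make a non-successful status (tryLater, unauthorized, etc.) behave like an absent response, rejecting the certificate only when stapling is mandatory; a short comment above the `if` stating that policy, e.g. `/* A non-successful responder status is treated as "no OCSP response": fail only if stapling is required for this cert. */`, would keep the next maintainer from reading it as an oversight. The enclosing check_ocsp_response(), the `check_failed` variable and the `cleanup` label all lie outside the hunk, so I could not confirm what `*ostatus` holds when the helper returns without setting GNUTLS_CERT_MISSING_OCSP_STATUS.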