diff options
Diffstat (limited to 'lib/x509/verify-high.c')
| -rw-r--r-- | lib/x509/verify-high.c | 684 |
1 files changed, 307 insertions, 377 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 7b8b270d69..7109bb0a8c 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -25,7 +25,7 @@ #include "errors.h" #include <libtasn1.h> #include <global.h> -#include <num.h> /* MAX */ +#include <num.h> /* MAX */ #include <tls-sig.h> #include <str.h> #include <datum.h> @@ -80,8 +80,8 @@ static bool cert_eq(const void *cert1, const void *cert2) static size_t cert_hashcode(const void *cert) { const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert; - return hash_pjw_bare(c->raw_dn.data, - c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH; + return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % + DEFAULT_MAX_VERIFY_DEPTH; } /** @@ -96,8 +96,8 @@ static size_t cert_hashcode(const void *cert) * * Since: 3.0.0 **/ -int -gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, unsigned int size) +int gnutls_x509_trust_list_init(gnutls_x509_trust_list_t *list, + unsigned int size) { gnutls_x509_trust_list_t tmp; @@ -122,7 +122,7 @@ gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, unsigned int size) *list = tmp; - return 0; /* success */ + return 0; /* success */ } /** @@ -137,8 +137,8 @@ gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, unsigned int size) * * Since: 3.0.0 **/ -void -gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, unsigned int all) +void gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, + unsigned int all) { unsigned int i, j; @@ -158,8 +158,8 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, unsigned int all) for (i = 0; i < list->size; i++) { if (all) { for (j = 0; j < list->node[i].trusted_ca_size; j++) { - gnutls_x509_crt_deinit(list->node[i]. - trusted_cas[j]); + gnutls_x509_crt_deinit( + list->node[i].trusted_cas[j]); } } gnutls_free(list->node[i].trusted_cas); @@ -173,8 +173,8 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, unsigned int all) if (all) { for (j = 0; j < list->node[i].named_cert_size; j++) { - gnutls_x509_crt_deinit(list->node[i].named_certs - [j].cert); + gnutls_x509_crt_deinit( + list->node[i].named_certs[j].cert); } } gnutls_free(list->node[i].named_certs); @@ -186,8 +186,8 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, unsigned int all) gnutls_free(list); } -static int -add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, gnutls_x509_crt_t ca) +static int add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t ca) { gnutls_datum_t tmp; size_t newsize; @@ -228,17 +228,16 @@ add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, gnutls_x509_crt_t ca) * deallocated on deinit. This is to handle get_issuer() with * pkcs11 trust modules when the GNUTLS_TL_GET_COPY flag isn't * given. It is not thread safe. */ -static int -trust_list_add_compat(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) +static int trust_list_add_compat(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert) { if (unlikely(INT_ADD_OVERFLOW(list->keep_certs_size, 1))) { return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } - list->keep_certs = - _gnutls_reallocarray_fast(list->keep_certs, - list->keep_certs_size + 1, - sizeof(list->keep_certs[0])); + list->keep_certs = _gnutls_reallocarray_fast( + list->keep_certs, list->keep_certs_size + 1, + sizeof(list->keep_certs[0])); if (list->keep_certs == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -279,10 +278,9 @@ trust_list_add_compat(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) * * Since: 3.0.0 **/ -int -gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, - const gnutls_x509_crt_t * clist, - unsigned clist_size, unsigned int flags) +int gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, + const gnutls_x509_crt_t *clist, + unsigned clist_size, unsigned int flags) { unsigned i, j; size_t hash; @@ -291,27 +289,22 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, for (i = 0; i < clist_size; i++) { exists = 0; - hash = - hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); + hash = hash_pjw_bare(clist[i]->raw_dn.data, + clist[i]->raw_dn.size); hash %= list->size; /* avoid duplicates */ - if (flags & GNUTLS_TL_NO_DUPLICATES - || flags & GNUTLS_TL_NO_DUPLICATE_KEY) { + if (flags & GNUTLS_TL_NO_DUPLICATES || + flags & GNUTLS_TL_NO_DUPLICATE_KEY) { for (j = 0; j < list->node[hash].trusted_ca_size; j++) { if (flags & GNUTLS_TL_NO_DUPLICATES) - ret = - gnutls_x509_crt_equals(list->node - [hash].trusted_cas - [j], - clist[i]); + ret = gnutls_x509_crt_equals( + list->node[hash].trusted_cas[j], + clist[i]); else - ret = - _gnutls_check_if_same_key(list->node - [hash].trusted_cas - [j], - clist[i], - 1); + ret = _gnutls_check_if_same_key( + list->node[hash].trusted_cas[j], + clist[i], 1); if (ret != 0) { exists = 1; break; @@ -319,27 +312,23 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, } if (exists != 0) { - gnutls_x509_crt_deinit(list-> - node[hash].trusted_cas - [j]); + gnutls_x509_crt_deinit( + list->node[hash].trusted_cas[j]); list->node[hash].trusted_cas[j] = clist[i]; continue; } } - if (unlikely - (INT_ADD_OVERFLOW(list->node[hash].trusted_ca_size, 1))) { + if (unlikely(INT_ADD_OVERFLOW(list->node[hash].trusted_ca_size, + 1))) { gnutls_assert(); return i; } - list->node[hash].trusted_cas = - _gnutls_reallocarray_fast(list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size + - 1, - sizeof(list-> - node[hash].trusted_cas - [0])); + list->node[hash].trusted_cas = _gnutls_reallocarray_fast( + list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size + 1, + sizeof(list->node[hash].trusted_cas[0])); if (list->node[hash].trusted_cas == NULL) { gnutls_assert(); return i; @@ -350,15 +339,16 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, gnutls_datum_t dn; gnutls_assert(); if (gnutls_x509_crt_get_dn2(clist[i], &dn) >= 0) { - _gnutls_audit_log(NULL, - "There was a non-CA certificate in the trusted list: %s.\n", - dn.data); + _gnutls_audit_log( + NULL, + "There was a non-CA certificate in the trusted list: %s.\n", + dn.data); gnutls_free(dn.data); } } list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = - clist[i]; + clist[i]; list->node[hash].trusted_ca_size++; if (flags & GNUTLS_TL_USE_IN_TLS) { @@ -373,8 +363,8 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, return i; } -static int -advance_iter(gnutls_x509_trust_list_t list, gnutls_x509_trust_list_iter_t iter) +static int advance_iter(gnutls_x509_trust_list_t list, + gnutls_x509_trust_list_iter_t iter) { if (iter->node_index < list->size) { ++iter->ca_index; @@ -382,7 +372,7 @@ advance_iter(gnutls_x509_trust_list_t list, gnutls_x509_trust_list_iter_t iter) /* skip entries */ while (iter->node_index < list->size && iter->ca_index >= - list->node[iter->node_index].trusted_ca_size) { + list->node[iter->node_index].trusted_ca_size) { ++iter->node_index; iter->ca_index = 0; } @@ -394,18 +384,14 @@ advance_iter(gnutls_x509_trust_list_t list, gnutls_x509_trust_list_iter_t iter) #ifdef ENABLE_PKCS11 if (list->pkcs11_token != NULL) { if (iter->pkcs11_list == NULL) { - int ret = - gnutls_pkcs11_obj_list_import_url2 - (&iter->pkcs11_list, - &iter->pkcs11_size, - list->pkcs11_token, - (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE - | - GNUTLS_PKCS11_OBJ_FLAG_CRT - | - GNUTLS_PKCS11_OBJ_FLAG_MARK_CA - | GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), - 0); + int ret = gnutls_pkcs11_obj_list_import_url2( + &iter->pkcs11_list, &iter->pkcs11_size, + list->pkcs11_token, + (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | + GNUTLS_PKCS11_OBJ_FLAG_CRT | + GNUTLS_PKCS11_OBJ_FLAG_MARK_CA | + GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), + 0); if (ret < 0) return gnutls_assert_val(ret); @@ -446,17 +432,16 @@ advance_iter(gnutls_x509_trust_list_t list, gnutls_x509_trust_list_iter_t iter) * * Since: 3.4.0 **/ -int -gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, - gnutls_x509_trust_list_iter_t * iter, - gnutls_x509_crt_t * crt) +int gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, + gnutls_x509_trust_list_iter_t *iter, + gnutls_x509_crt_t *crt) { int ret; /* initialize iterator */ if (*iter == NULL) { - *iter = - gnutls_malloc(sizeof(struct gnutls_x509_trust_list_iter)); + *iter = gnutls_malloc( + sizeof(struct gnutls_x509_trust_list_iter)); if (*iter == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); @@ -488,10 +473,9 @@ gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, if (ret < 0) return gnutls_assert_val(ret); - ret = - _gnutls_x509_crt_cpy(*crt, - list->node[(*iter)-> - node_index].trusted_cas[(*iter)->ca_index]); + ret = _gnutls_x509_crt_cpy( + *crt, list->node[(*iter)->node_index] + .trusted_cas[(*iter)->ca_index]); if (ret < 0) { gnutls_x509_crt_deinit(*crt); return gnutls_assert_val(ret); @@ -503,10 +487,8 @@ gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, if (ret < 0) return gnutls_assert_val(ret); - ret = - gnutls_x509_crt_import_pkcs11(*crt, - (*iter)-> - pkcs11_list[(*iter)->pkcs11_index]); + ret = gnutls_x509_crt_import_pkcs11( + *crt, (*iter)->pkcs11_list[(*iter)->pkcs11_index]); if (ret < 0) { gnutls_x509_crt_deinit(*crt); return gnutls_assert_val(ret); @@ -604,31 +586,30 @@ static gnutls_x509_crt_t crt_cpy(gnutls_x509_crt_t src) * * Since: 3.1.10 **/ -int -gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, - const gnutls_x509_crt_t * clist, - unsigned clist_size) +int gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, + const gnutls_x509_crt_t *clist, + unsigned clist_size) { int r = 0; unsigned j, i; size_t hash; for (i = 0; i < clist_size; i++) { - hash = - hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); + hash = hash_pjw_bare(clist[i]->raw_dn.data, + clist[i]->raw_dn.size); hash %= list->size; for (j = 0; j < list->node[hash].trusted_ca_size; j++) { - if (gnutls_x509_crt_equals - (clist[i], list->node[hash].trusted_cas[j]) != 0) { - - gnutls_x509_crt_deinit(list->node[hash]. - trusted_cas[j]); + if (gnutls_x509_crt_equals( + clist[i], + list->node[hash].trusted_cas[j]) != 0) { + gnutls_x509_crt_deinit( + list->node[hash].trusted_cas[j]); list->node[hash].trusted_cas[j] = - list->node[hash].trusted_cas[list-> - node[hash]. - trusted_ca_size - - 1]; + list->node[hash].trusted_cas + [list->node[hash] + .trusted_ca_size - + 1]; list->node[hash].trusted_ca_size--; r++; break; @@ -643,10 +624,9 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, * This will prevent a subordinate CA from being valid, and * ensure that a server certificate will also get rejected. */ - list->distrusted = - _gnutls_reallocarray_fast(list->distrusted, - list->distrusted_size + 1, - sizeof(list->distrusted[0])); + list->distrusted = _gnutls_reallocarray_fast( + list->distrusted, list->distrusted_size + 1, + sizeof(list->distrusted[0])); if (list->distrusted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); @@ -685,39 +665,40 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, * * Since: 3.0.0 **/ -int -gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - const void *name, size_t name_size, - unsigned int flags) +int gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void *name, size_t name_size, + unsigned int flags) { size_t hash; if (name_size >= MAX_SERVER_NAME_SIZE) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - hash = - hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); + hash = hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); hash %= list->size; if (unlikely(INT_ADD_OVERFLOW(list->node[hash].named_cert_size, 1))) { return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } - list->node[hash].named_certs = - _gnutls_reallocarray_fast(list->node[hash].named_certs, - list->node[hash].named_cert_size + 1, - sizeof(list->node[hash].named_certs[0])); + list->node[hash].named_certs = _gnutls_reallocarray_fast( + list->node[hash].named_certs, + list->node[hash].named_cert_size + 1, + sizeof(list->node[hash].named_certs[0])); if (list->node[hash].named_certs == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); list->node[hash].named_certs[list->node[hash].named_cert_size].cert = - cert; - memcpy(list->node[hash]. - named_certs[list->node[hash].named_cert_size].name, name, - name_size); - list->node[hash].named_certs[list->node[hash]. - named_cert_size].name_size = name_size; + cert; + memcpy(list->node[hash] + .named_certs[list->node[hash].named_cert_size] + .name, + name, name_size); + list->node[hash] + .named_certs[list->node[hash].named_cert_size] + .name_size = name_size; list->node[hash].named_cert_size++; @@ -751,11 +732,10 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, * * Since: 3.0 **/ -int -gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, - const gnutls_x509_crl_t * crl_list, - unsigned crl_size, unsigned int flags, - unsigned int verification_flags) +int gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, + const gnutls_x509_crl_t *crl_list, + unsigned crl_size, unsigned int flags, + unsigned int verification_flags) { int ret; unsigned x, i, j = 0; @@ -770,28 +750,23 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, return 0; for (i = 0; i < crl_size; i++) { - hash = - hash_pjw_bare(crl_list[i]->raw_issuer_dn.data, - crl_list[i]->raw_issuer_dn.size); + hash = hash_pjw_bare(crl_list[i]->raw_issuer_dn.data, + crl_list[i]->raw_issuer_dn.size); hash %= list->size; if (flags & GNUTLS_TL_VERIFY_CRL) { - - ret = - gnutls_x509_crl_verify(crl_list[i], - list->node[hash].trusted_cas, - list->node[hash]. - trusted_ca_size, - verification_flags, &vret); + ret = gnutls_x509_crl_verify( + crl_list[i], list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size, + verification_flags, &vret); if (ret < 0 || vret != 0) { - _gnutls_debug_log - ("CRL verification failed, not adding it\n"); + _gnutls_debug_log( + "CRL verification failed, not adding it\n"); if (flags & GNUTLS_TL_NO_DUPLICATES) gnutls_x509_crl_deinit(crl_list[i]); if (flags & GNUTLS_TL_FAIL_ON_INVALID_CRL) - return - gnutls_assert_val - (GNUTLS_E_CRL_VERIFICATION_ERROR); + return gnutls_assert_val( + GNUTLS_E_CRL_VERIFICATION_ERROR); continue; } } @@ -801,26 +776,29 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, if (flags & GNUTLS_TL_NO_DUPLICATES) { for (x = 0; x < list->node[hash].crl_size; x++) { if (crl_list[i]->raw_issuer_dn.size == - list->node[hash].crls[x]->raw_issuer_dn.size - && memcmp(crl_list[i]->raw_issuer_dn.data, - list->node[hash]. - crls[x]->raw_issuer_dn.data, - crl_list[i]-> - raw_issuer_dn.size) == 0) { - if (gnutls_x509_crl_get_this_update - (crl_list[i]) >= - gnutls_x509_crl_get_this_update - (list->node[hash].crls[x])) { - - gnutls_x509_crl_deinit - (list->node[hash].crls[x]); + list->node[hash] + .crls[x] + ->raw_issuer_dn.size && + memcmp(crl_list[i]->raw_issuer_dn.data, + list->node[hash] + .crls[x] + ->raw_issuer_dn.data, + crl_list[i]->raw_issuer_dn.size) == + 0) { + if (gnutls_x509_crl_get_this_update( + crl_list[i]) >= + gnutls_x509_crl_get_this_update( + list->node[hash].crls[x])) { + gnutls_x509_crl_deinit( + list->node[hash] + .crls[x]); list->node[hash].crls[x] = - crl_list[i]; + crl_list[i]; goto next; } else { /* The new is older, discard it */ - gnutls_x509_crl_deinit(crl_list - [i]); + gnutls_x509_crl_deinit( + crl_list[i]); goto next; } } @@ -844,13 +822,13 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; list->node[hash].crl_size++; - next: + next: j++; } return j; - error: +error: ret = i; if (flags & GNUTLS_TL_NO_DUPLICATES) while (i < crl_size) @@ -864,7 +842,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, * Returns the new size of the list or a negative number on error. */ static int shorten_clist(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t * certificate_list, + gnutls_x509_crt_t *certificate_list, unsigned int clist_size) { unsigned int j, i; @@ -880,9 +858,9 @@ static int shorten_clist(gnutls_x509_trust_list_t list, * failures on some root self signed certificates that use the * MD2 algorithm. */ - if (gnutls_x509_crt_check_issuer - (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) != 0) { + if (gnutls_x509_crt_check_issuer( + certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) != 0) { clist_size--; } } @@ -893,15 +871,14 @@ static int shorten_clist(gnutls_x509_trust_list_t list, * self-signed E but already removed above), and we trust B, remove * B, C and D. */ for (i = 1; i < clist_size; i++) { - hash = - hash_pjw_bare(certificate_list[i]->raw_issuer_dn.data, - certificate_list[i]->raw_issuer_dn.size); + hash = hash_pjw_bare(certificate_list[i]->raw_issuer_dn.data, + certificate_list[i]->raw_issuer_dn.size); hash %= list->size; for (j = 0; j < list->node[hash].trusted_ca_size; j++) { - if (gnutls_x509_crt_equals - (certificate_list[i], - list->node[hash].trusted_cas[j]) != 0) { + if (gnutls_x509_crt_equals( + certificate_list[i], + list->node[hash].trusted_cas[j]) != 0) { /* cut the list at the point of first the trusted certificate */ clist_size = i + 1; break; @@ -918,11 +895,10 @@ static int shorten_clist(gnutls_x509_trust_list_t list, * * Returns the new size of the list or a negative number on error. */ -static int -retrieve_issuers(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t subject, - gnutls_x509_crt_t * certificate_list, - unsigned int clist_size_max) +static int retrieve_issuers(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t subject, + gnutls_x509_crt_t *certificate_list, + unsigned int clist_size_max) { gnutls_x509_crt_t *issuers; unsigned int issuers_size; @@ -965,7 +941,7 @@ retrieve_issuers(gnutls_x509_trust_list_t list, memcpy(certificate_list, issuers, ret * sizeof(gnutls_x509_crt_t)); - cleanup: +cleanup: for (i = ret; i < issuers_size; i++) { gnutls_x509_crt_deinit(issuers[i]); } @@ -976,26 +952,23 @@ retrieve_issuers(gnutls_x509_trust_list_t list, int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert, - gnutls_x509_crt_t * issuer, - unsigned int flags) + gnutls_x509_crt_t *issuer, unsigned int flags) { int ret; unsigned int i; size_t hash; - hash = - hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); + hash = hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); hash %= list->size; for (i = 0; i < list->node[hash].trusted_ca_size; i++) { - ret = - gnutls_x509_crt_check_issuer(cert, - list->node[hash]. - trusted_cas[i]); + ret = gnutls_x509_crt_check_issuer( + cert, list->node[hash].trusted_cas[i]); if (ret != 0) { if (flags & GNUTLS_TL_GET_COPY) { - *issuer = - crt_cpy(list->node[hash].trusted_cas[i]); + *issuer = crt_cpy( + list->node[hash].trusted_cas[i]); } else { *issuer = list->node[hash].trusted_cas[i]; } @@ -1006,11 +979,11 @@ int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } -static -int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, - const gnutls_datum_t * dn, - const gnutls_datum_t * spki, - gnutls_x509_crt_t * issuer, unsigned int flags) +static int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, + const gnutls_datum_t *dn, + const gnutls_datum_t *spki, + gnutls_x509_crt_t *issuer, + unsigned int flags) { int ret; unsigned int i, j; @@ -1023,28 +996,24 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, hash %= list->size; for (i = 0; i < list->node[hash].trusted_ca_size; i++) { - ret = - _gnutls_x509_compare_raw_dn(dn, - &list-> - node[hash].trusted_cas - [i]->raw_dn); + ret = _gnutls_x509_compare_raw_dn( + dn, &list->node[hash].trusted_cas[i]->raw_dn); if (ret != 0) { if (spki && spki->size > 0) { tmp_size = sizeof(tmp); - ret = - gnutls_x509_crt_get_subject_key_id - (list->node[hash].trusted_cas[i], - tmp, &tmp_size, NULL); + ret = gnutls_x509_crt_get_subject_key_id( + list->node[hash].trusted_cas[i], + tmp, &tmp_size, NULL); if (ret < 0) continue; - if (spki->size != tmp_size - || memcmp(spki->data, tmp, - spki->size) != 0) + if (spki->size != tmp_size || + memcmp(spki->data, tmp, + spki->size) != 0) continue; } - *issuer = - crt_cpy(list->node[hash].trusted_cas[i]); + *issuer = crt_cpy( + list->node[hash].trusted_cas[i]); return 0; } } @@ -1054,15 +1023,14 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, for (j = 0; j < list->node[i].trusted_ca_size; j++) { tmp_size = sizeof(tmp); - ret = - gnutls_x509_crt_get_subject_key_id - (list->node[i].trusted_cas[j], tmp, - &tmp_size, NULL); + ret = gnutls_x509_crt_get_subject_key_id( + list->node[i].trusted_cas[j], tmp, + &tmp_size, NULL); if (ret < 0) continue; - if (spki->size != tmp_size - || memcmp(spki->data, tmp, spki->size) != 0) + if (spki->size != tmp_size || + memcmp(spki->data, tmp, spki->size) != 0) continue; *issuer = crt_cpy(list->node[i].trusted_cas[j]); @@ -1097,7 +1065,7 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert, - gnutls_x509_crt_t * issuer, + gnutls_x509_crt_t *issuer, unsigned int flags) { int ret; @@ -1112,10 +1080,9 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t crt; gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = - gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der, - GNUTLS_X509_FMT_DER, - GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = gnutls_pkcs11_get_raw_issuer( + list->pkcs11_token, cert, &der, GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1170,8 +1137,8 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, * Since: 3.4.0 **/ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, - const gnutls_datum_t * dn, - gnutls_x509_crt_t * issuer, + const gnutls_datum_t *dn, + gnutls_x509_crt_t *issuer, unsigned int flags) { int ret; @@ -1186,11 +1153,9 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, gnutls_x509_crt_t crt; gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = - gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, - &der, - GNUTLS_X509_FMT_DER, - GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = gnutls_pkcs11_get_raw_issuer_by_dn( + list->pkcs11_token, dn, &der, GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1232,15 +1197,10 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, * * Since: 3.4.2 **/ -int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t - list, - const gnutls_datum_t * - dn, - const gnutls_datum_t * - spki, - gnutls_x509_crt_t * - issuer, - unsigned int flags) +int gnutls_x509_trust_list_get_issuer_by_subject_key_id( + gnutls_x509_trust_list_t list, const gnutls_datum_t *dn, + const gnutls_datum_t *spki, gnutls_x509_crt_t *issuer, + unsigned int flags) { int ret; @@ -1254,10 +1214,9 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t gnutls_x509_crt_t crt; gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = - gnutls_pkcs11_get_raw_issuer_by_subject_key_id - (list->pkcs11_token, dn, spki, &der, GNUTLS_X509_FMT_DER, - GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id( + list->pkcs11_token, dn, spki, &der, GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1283,11 +1242,10 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t return ret; } -static -int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, - unsigned int cert_list_size, - gnutls_x509_crt_t * blocklist, - unsigned int blocklist_size) +static int check_if_in_blocklist(gnutls_x509_crt_t *cert_list, + unsigned int cert_list_size, + gnutls_x509_crt_t *blocklist, + unsigned int blocklist_size) { unsigned i, j; @@ -1296,8 +1254,8 @@ int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, for (i = 0; i < cert_list_size; i++) { for (j = 0; j < blocklist_size; j++) { - if (gnutls_x509_crt_equals(cert_list[i], blocklist[j]) - != 0) { + if (gnutls_x509_crt_equals(cert_list[i], + blocklist[j]) != 0) { return 1; } } @@ -1326,28 +1284,26 @@ int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, * * Since: 3.0 **/ -int -gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t * cert_list, - unsigned int cert_list_size, - unsigned int flags, - unsigned int *voutput, - gnutls_verify_output_function func) +int gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t *cert_list, + unsigned int cert_list_size, + unsigned int flags, unsigned int *voutput, + gnutls_verify_output_function func) { - return gnutls_x509_trust_list_verify_crt2(list, cert_list, - cert_list_size, NULL, 0, - flags, voutput, func); + return gnutls_x509_trust_list_verify_crt2( + list, cert_list, cert_list_size, NULL, 0, flags, voutput, func); } -#define LAST_DN cert_list[cert_list_size-1]->raw_dn -#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn +#define LAST_DN cert_list[cert_list_size - 1]->raw_dn +#define LAST_IDN cert_list[cert_list_size - 1]->raw_issuer_dn /* This macro is introduced to detect a verification output which * indicates an unknown signer, a signer which uses an insecure * algorithm (e.g., sha1), a signer has expired, or something that * indicates a superseded signer */ -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ - (output & GNUTLS_CERT_EXPIRED) || \ - (output & GNUTLS_CERT_INSECURE_ALGORITHM)) +#define SIGNER_OLD_OR_UNKNOWN(output) \ + ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ + (output & GNUTLS_CERT_EXPIRED) || \ + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) /** @@ -1396,15 +1352,11 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, * * Since: 3.3.8 **/ -int -gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t * cert_list, - unsigned int cert_list_size, - gnutls_typed_vdata_st * data, - unsigned int elements, - unsigned int flags, - unsigned int *voutput, - gnutls_verify_output_function func) +int gnutls_x509_trust_list_verify_crt2( + gnutls_x509_trust_list_t list, gnutls_x509_crt_t *cert_list, + unsigned int cert_list_size, gnutls_typed_vdata_st *data, + unsigned int elements, unsigned int flags, unsigned int *voutput, + gnutls_verify_output_function func) { int ret = 0; unsigned int i; @@ -1430,8 +1382,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } if (have_set_name != 0) - return - gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + return gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_IP_ADDRESS) { if (data[i].size > 0) { @@ -1440,32 +1392,29 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } if (have_set_name != 0) - return - gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + return gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_RFC822NAME) { email = (void *)data[i].data; if (have_set_name != 0) - return - gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + return gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_KEY_PURPOSE_OID) { purpose = (void *)data[i].data; } } - if (hostname) { /* shortcut using the named certs - if any */ + if (hostname) { /* shortcut using the named certs - if any */ unsigned vtmp = 0; if (hostname_size == 0) hostname_size = strlen(hostname); - ret = gnutls_x509_trust_list_verify_named_crt(list, - cert_list[0], - hostname, - hostname_size, - flags, &vtmp, - func); + ret = gnutls_x509_trust_list_verify_named_crt( + list, cert_list[0], hostname, hostname_size, flags, + &vtmp, func); if (ret == 0 && vtmp == 0) { *voutput = vtmp; return 0; @@ -1475,14 +1424,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); cert_list = sorted; - records = - gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, - NULL, false); + records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, + cert_hashcode, NULL, false); if (records == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); for (i = 0; i < cert_list_size && - cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) { + cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) { unsigned int sorted_size = 1; unsigned int j; gnutls_x509_crt_t issuer; @@ -1520,11 +1468,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, /* If the issuer of the certificate is known, no need * for further processing. */ - if (gnutls_x509_trust_list_get_issuer(list, - cert_list[i - 1], - &issuer, - GNUTLS_TL_GET_COPY) == - 0) { + if (gnutls_x509_trust_list_get_issuer( + list, cert_list[i - 1], &issuer, + GNUTLS_TL_GET_COPY) == 0) { gnutls_x509_crt_deinit(issuer); cert_list_size = i; break; @@ -1538,22 +1484,19 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, continue; } - ret = retrieve_issuers(list, - cert_list[i - 1], - &retrieved[retrieved_size], - DEFAULT_MAX_VERIFY_DEPTH - - MAX(retrieved_size, cert_list_size)); + ret = retrieve_issuers( + list, cert_list[i - 1], &retrieved[retrieved_size], + DEFAULT_MAX_VERIFY_DEPTH - + MAX(retrieved_size, cert_list_size)); if (ret < 0) { break; } else if (ret > 0) { assert((unsigned int)ret <= DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); - memmove(&cert_list[i + ret], - &cert_list[i], + memmove(&cert_list[i + ret], &cert_list[i], (cert_list_size - i) * - sizeof(gnutls_x509_crt_t)); - memcpy(&cert_list[i], - &retrieved[retrieved_size], + sizeof(gnutls_x509_crt_t)); + memcpy(&cert_list[i], &retrieved[retrieved_size], ret * sizeof(gnutls_x509_crt_t)); retrieved_size += ret; cert_list_size += ret; @@ -1568,13 +1511,12 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (cert_list_size <= 0) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - hash = - hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data, - cert_list[cert_list_size - 1]->raw_issuer_dn.size); + hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data, + cert_list[cert_list_size - 1]->raw_issuer_dn.size); hash %= list->size; - ret = check_if_in_blocklist(cert_list, cert_list_size, - list->distrusted, list->distrusted_size); + ret = check_if_in_blocklist(cert_list, cert_list_size, list->distrusted, + list->distrusted_size); if (ret != 0) { *voutput = 0; *voutput |= GNUTLS_CERT_REVOKED; @@ -1583,33 +1525,30 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, goto cleanup; } - *voutput = - _gnutls_verify_crt_status(list, cert_list, cert_list_size, - list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size, - flags, purpose, func); + *voutput = _gnutls_verify_crt_status(list, cert_list, cert_list_size, + list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size, + flags, purpose, func); saved_output = *voutput; if (SIGNER_OLD_OR_UNKNOWN(*voutput) && (LAST_DN.size != LAST_IDN.size || memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) { - /* if we couldn't find the issuer, try to see if the last * certificate is in the trusted list and try to verify against * (if it is not self signed) */ - hash = - hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.data, - cert_list[cert_list_size - 1]->raw_dn.size); + hash = hash_pjw_bare( + cert_list[cert_list_size - 1]->raw_dn.data, + cert_list[cert_list_size - 1]->raw_dn.size); hash %= list->size; - _gnutls_debug_log - ("issuer in verification was not found or insecure; trying against trust list\n"); + _gnutls_debug_log( + "issuer in verification was not found or insecure; trying against trust list\n"); - *voutput = - _gnutls_verify_crt_status(list, cert_list, cert_list_size, - list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size, - flags, purpose, func); + *voutput = _gnutls_verify_crt_status( + list, cert_list, cert_list_size, + list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size, flags, purpose, func); if (*voutput != 0) { if (SIGNER_WAS_KNOWN(saved_output)) *voutput = saved_output; @@ -1623,10 +1562,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) { /* use the token for verification */ - *voutput = - _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token, - cert_list, cert_list_size, - purpose, flags, func); + *voutput = _gnutls_pkcs11_verify_crt_status( + list, list->pkcs11_token, cert_list, cert_list_size, + purpose, flags, func); if (*voutput != 0) { if (SIGNER_WAS_KNOWN(saved_output)) *voutput = saved_output; @@ -1640,30 +1578,28 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, ret = _gnutls_check_key_purpose(cert_list[0], purpose, 0); if (ret != 1) { gnutls_assert(); - *voutput |= - GNUTLS_CERT_PURPOSE_MISMATCH | GNUTLS_CERT_INVALID; + *voutput |= GNUTLS_CERT_PURPOSE_MISMATCH | + GNUTLS_CERT_INVALID; } } if (hostname) { - ret = - gnutls_x509_crt_check_hostname2(cert_list[0], hostname, - flags); + ret = gnutls_x509_crt_check_hostname2(cert_list[0], hostname, + flags); if (ret == 0) { gnutls_assert(); - *voutput |= - GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; + *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER | + GNUTLS_CERT_INVALID; } } if (ip.data) { - ret = - gnutls_x509_crt_check_ip(cert_list[0], ip.data, ip.size, - flags); + ret = gnutls_x509_crt_check_ip(cert_list[0], ip.data, ip.size, + flags); if (ret == 0) { gnutls_assert(); - *voutput |= - GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; + *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER | + GNUTLS_CERT_INVALID; } } @@ -1671,8 +1607,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, ret = gnutls_x509_crt_check_email(cert_list[0], email, 0); if (ret == 0) { gnutls_assert(); - *voutput |= - GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; + *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER | + GNUTLS_CERT_INVALID; } } @@ -1686,12 +1622,11 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, /* Check revocation of individual certificates. * start with the last one that we already have its hash */ - ret = - _gnutls_x509_crt_check_revocation(cert_list - [cert_list_size - 1], - list->node[hash].crls, - list->node[hash].crl_size, func); - if (ret == 1) { /* revoked */ + ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1], + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ *voutput |= GNUTLS_CERT_REVOKED; *voutput |= GNUTLS_CERT_INVALID; ret = 0; @@ -1699,18 +1634,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } for (i = 0; i < cert_list_size - 1; i++) { - hash = - hash_pjw_bare(cert_list[i]->raw_issuer_dn.data, - cert_list[i]->raw_issuer_dn.size); + hash = hash_pjw_bare(cert_list[i]->raw_issuer_dn.data, + cert_list[i]->raw_issuer_dn.size); hash %= list->size; - ret = _gnutls_x509_crt_check_revocation(cert_list[i], - list->node[hash].crls, - list->node[hash]. - crl_size, func); + ret = _gnutls_x509_crt_check_revocation( + cert_list[i], list->node[hash].crls, + list->node[hash].crl_size, func); if (ret < 0) { gnutls_assert(); - } else if (ret == 1) { /* revoked */ + } else if (ret == 1) { /* revoked */ *voutput |= GNUTLS_CERT_REVOKED; *voutput |= GNUTLS_CERT_INVALID; ret = 0; @@ -1718,7 +1651,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } } - cleanup: +cleanup: for (i = 0; i < retrieved_size; i++) { gnutls_x509_crt_deinit(retrieved[i]); } @@ -1752,25 +1685,23 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, * * Since: 3.0.0 **/ -int -gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - const void *name, - size_t name_size, - unsigned int flags, - unsigned int *voutput, - gnutls_verify_output_function func) +int gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void *name, size_t name_size, + unsigned int flags, + unsigned int *voutput, + gnutls_verify_output_function func) { int ret; unsigned int i; size_t hash; - hash = - hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); + hash = hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); hash %= list->size; - ret = check_if_in_blocklist(&cert, 1, - list->distrusted, list->distrusted_size); + ret = check_if_in_blocklist(&cert, 1, list->distrusted, + list->distrusted_size); if (ret != 0) { *voutput = 0; *voutput |= GNUTLS_CERT_REVOKED; @@ -1781,11 +1712,13 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, *voutput = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND; for (i = 0; i < list->node[hash].named_cert_size; i++) { - if (gnutls_x509_crt_equals(cert, list->node[hash].named_certs[i].cert) != 0) { /* check if name matches */ + if (gnutls_x509_crt_equals( + cert, list->node[hash].named_certs[i].cert) != + 0) { /* check if name matches */ if (list->node[hash].named_certs[i].name_size == - name_size - && memcmp(list->node[hash].named_certs[i].name, - name, name_size) == 0) { + name_size && + memcmp(list->node[hash].named_certs[i].name, name, + name_size) == 0) { *voutput = 0; break; } @@ -1798,11 +1731,9 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, /* Check revocation of individual certificates. * start with the last one that we already have its hash */ - ret = _gnutls_x509_crt_check_revocation(cert, - list->node[hash].crls, - list->node[hash].crl_size, - func); - if (ret == 1) { /* revoked */ + ret = _gnutls_x509_crt_check_revocation( + cert, list->node[hash].crls, list->node[hash].crl_size, func); + if (ret == 1) { /* revoked */ *voutput |= GNUTLS_CERT_REVOKED; *voutput |= GNUTLS_CERT_INVALID; return 0; @@ -1812,8 +1743,8 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, } /* return 1 if @cert is in @list, 0 if not */ -int -_gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) +int _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert) { int ret; unsigned int i; @@ -1823,9 +1754,8 @@ _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) hash %= list->size; for (i = 0; i < list->node[hash].trusted_ca_size; i++) { - ret = - gnutls_x509_crt_equals(cert, - list->node[hash].trusted_cas[i]); + ret = gnutls_x509_crt_equals(cert, + list->node[hash].trusted_cas[i]); if (ret != 0) return 1; } |