From 4a6d863c0b5f0f21d8e2e03abd7f5e5430f5e9c0 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 19 Jun 2017 20:50:22 +0200
Subject: ocsptool: introduced --verify-allow-broken option

This allows verification to succeed even when broken algorithms are involved.

Signed-off-by: Nikos Mavrogiannopoulos
---
 src/ocsptool-args.def | 6 ++++++
 src/ocsptool.c | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/ocsptool-args.def b/src/ocsptool-args.def
index c293863bc7..8ef8ba859f 100644
--- a/src/ocsptool-args.def
+++ b/src/ocsptool-args.def
@@ -29,6 +29,12 @@ flag = {
 doc = "";
 };
+flag = {
+ name = verify-allow-broken;
+ descrip = "Allow broken algorithms, such as MD5 for verification";
+ doc = "This can be combined with --verify-response.";
+};
+
 flag = {
 name = request-info;
 value = i;
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 525108d425..480f9b0383 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -47,6 +47,7 @@ static const char *outfile_name = NULL; /* to delete on exit */
 FILE *infile;
 static unsigned int encoding;
 unsigned int verbose = 0;
+static unsigned int vflags = 0;
 const char *get_pass(void)
 {
@@ -339,7 +340,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas);
- ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+ ret = gnutls_ocsp_resp_verify(resp, list, &verify, vflags);
 if (ret < 0) {
 fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n",
 gnutls_strerror(ret));
@@ -367,7 +368,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify,
- 0);
+ vflags);
 if (ret < 0) {
 fprintf(stderr, "\nVerifying OCSP Response: %s\n",
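Review bot: The new `doc` string for verify-allow-broken only says the option combines with --verify-response; it never states which check is relaxed, so a user reading --help cannot tell what they are giving up. I would spell out the trade-off, e.g. `doc = "Accept an OCSP response whose signature, or whose signer certificate, uses an algorithm GnuTLS considers broken (such as MD5); verification then succeeds where it would otherwise be rejected. This can be combined with --verify-response.";`. The `descrip` reads awkwardly as "such as MD5 for verification" and could become `descrip = "Allow broken algorithms (e.g. MD5) during verification";`.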
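Review bot: `static unsigned int vflags = 0;` is added among the file's other bare globals with no comment saying who writes it or which API it feeds, and the name alone does not tie it to the GNUTLS_VERIFY_* namespace. A one-line comment in the style of the neighbouring `outfile_name` annotation would do: `static unsigned int vflags = 0; /* GNUTLS_VERIFY_* flags passed to gnutls_ocsp_resp_verify*(); set from the command line in main() */`. This is the same mutable-global pattern as `verbose` and `encoding`, so it matches the file's conventions; the note is about documentation only.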
@@ -588,6 +589,9 @@ int main(int argc, char **argv)
 gnutls_global_set_log_function(tls_log_func);
 gnutls_global_set_log_level(OPT_VALUE_DEBUG);
+ if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
 if (HAVE_OPT(OUTFILE)) {
 outfile = fopen(OPT_ARG(OUTFILE), "wb");
 if (outfile == NULL) {
--
cgit v1.2.1
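Review bot: Setting `GNUTLS_VERIFY_ALLOW_BROKEN` here makes any later "verified" verdict quietly weaker, and nothing in the hunk records that the relaxed mode was in effect, so a captured transcript cannot be told apart from a strict run. I would emit a notice alongside the assignment, which means bracing the `if`: `if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) {` / `vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;` / `fprintf(stderr, "warning: verification will accept broken algorithms (--verify-allow-broken)\n");` followed by the closing brace. Because `vflags` is file-scope and is read by both the gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct() calls in _verify_response() (the earlier hunks of this file), one notice at this point covers both call sites. main() continues outside the hunk.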