From 8fccb481601eea346f3598a969371b90baeb08e1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 12 Aug 2020 07:27:17 +0200
Subject: cert-session: fail hard if mandatory stapling is not honored
According to the documentation, the GNUTLS_CERT_INVALID flag must always be set in case of verification failure, together with the flag indicating the actual error cause.
Signed-off-by: Daiki Ueno
---
 lib/cert-session.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/cert-session.c b/lib/cert-session.c
index db04a25e5d..97f31597d5 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
 if (feature == 5 /* TLS ID for status request */) {
 /* We sent a status request, the certificate mandates a reply, but we did not get any. */
+ *ocsp_status |= GNUTLS_CERT_INVALID;
 *ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS;
 break;
 }
-- cgit v1.2.1
From 388365cdbb6c8870607120782eb77d29bea97357 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 12 Aug 2020 07:29:30 +0200
Subject: serv, cli: ensure that invalid flag is always set
According to the documentation, the GNUTLS_CERT_INVALID flag must always be set in case of verification failure, together with the flag indicating the actual error cause.
Signed-off-by: Daiki Ueno
---
 src/common.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/common.c b/src/common.c
index 753481741b..2dc54d09bf 100644
--- a/src/common.c
+++ b/src/common.c
@@ -282,8 +282,11 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
 gnutls_free(out.data);
- if (status)
+ if (status) {
+ if (!(status & GNUTLS_CERT_INVALID))
+ abort();
 return 0;
+ }
 return 1;
 }
-- cgit v1.2.1
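Review bot: The two flags in the `feature == 5` branch are set by separate statements, which leaves room for a later edit to drop one of them again; setting them together, `*ocsp_status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_MISSING_OCSP_STATUS;`, keeps the invariant from the commit message in one place. A caller that tests only `status & GNUTLS_CERT_INVALID` would presumably have accepted a must-staple certificate with no stapled response before this change, so a short comment such as `/* GNUTLS_CERT_INVALID must accompany every cause flag */` is worth adding here. The patch carries no test for the must-staple-without-response case. The function body starts and ends outside the hunk, so any other writes to `*ocsp_status` cannot be checked from here.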
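Review bot: The added `abort()` in `cert_verify` terminates the process with no diagnostic, and the status it checks is derived from the peer's certificate. If any library path still sets a cause flag without GNUTLS_CERT_INVALID, a peer that reaches it would crash the tool instead of having its handshake rejected; judging by the subject line this code is shared by the server tool. The existing `return 0;` already fails closed, so consider logging ahead of the `abort()` or in place of it, for example `fprintf(stderr, "verify status 0x%x lacks GNUTLS_CERT_INVALID\n", status);`. If the abort is meant as a test-suite tripwire for library regressions, a comment saying so would make that intent clear. The declaration of `status` and the start of the function are outside the hunk.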