authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-01 14:13:52 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-01 16:00:09 +0200
commit63fa76e089e7a46ed687e8efe36c5062648a4be1 (patch)
treec094620ccc49565483671f67071cf7c544e0cacf
parent5e6f4e646e61a6fda9ebc101c62eb4a6c9d9dcd5 (diff)
downloadgnutls-63fa76e089e7a46ed687e8efe36c5062648a4be1.tar.gz
ocsp: Introduced GNUTLS_CERT_INVALID_OCSP_STATUS
This verification status flag indicates that an OCSP status response was stapled but is invalid for some reason (e.g., it could not be parsed, or it does not refer to the expected certificate).
-rw-r--r--lib/cert.c5
-rw-r--r--lib/includes/gnutls/gnutls.h.in4
-rw-r--r--lib/x509.c5
3 files changed, 13 insertions, 1 deletions
diff --git a/lib/cert.c b/lib/cert.c
index a43f487d3d..c49bbe760a 100644
--- a/lib/cert.c
+++ b/lib/cert.c
@@ -991,6 +991,11 @@ gnutls_certificate_verification_status_print(unsigned int status,
_
("The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing. "));
+ if (status & GNUTLS_CERT_INVALID_OCSP_STATUS)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The received OCSP status response is invalid. "));
+
return _gnutls_buffer_to_datum(&str, out, 1);
}
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2a79019976..f5aa1730f8 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -531,6 +531,7 @@ const char
* @GNUTLS_CERT_MISMATCH: The certificate presented isn't the expected one (TOFU)
* @GNUTLS_CERT_PURPOSE_MISMATCH: The certificate or an intermediate does not match the intended purpose (extended key usage).
* @GNUTLS_CERT_MISSING_OCSP_STATUS: The certificate requires the server to send the certifiate status, but no status was received.
+ * @GNUTLS_CERT_INVALID_OCSP_STATUS: The received OCSP status response is invalid.
*
* Enumeration of certificate status codes. Note that the status
* bits may have different meanings in OpenPGP keys and X.509
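Review bot: The new doc line for GNUTLS_CERT_INVALID_OCSP_STATUS says only that the response is "invalid", which leaves an application author guessing which conditions raise it and whether it is fatal on its own; the lib/x509.c hunks of this commit set it for a response that fails to parse, one that does not refer to the checked certificate, and one whose verification does not succeed. I would expand it to `@GNUTLS_CERT_INVALID_OCSP_STATUS: A stapled OCSP status response was received but is invalid (e.g., it could not be parsed, does not refer to this certificate, or did not verify).` It is not visible here whether GNUTLS_CERT_INVALID is also set in that case; the comment should state it either way, since many callers test only that bit. The context line above it still spells `certifiate` and could be fixed in the same pass.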
@@ -551,7 +552,8 @@ typedef enum {
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1 << 16,
GNUTLS_CERT_MISMATCH = 1 << 17,
GNUTLS_CERT_PURPOSE_MISMATCH = 1 << 18,
- GNUTLS_CERT_MISSING_OCSP_STATUS = 1 << 19
+ GNUTLS_CERT_MISSING_OCSP_STATUS = 1 << 19,
+ GNUTLS_CERT_INVALID_OCSP_STATUS = 1 << 20
} gnutls_certificate_status_t;
/**
diff --git a/lib/x509.c b/lib/x509.c
index f407f74478..edd8e5bd19 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -88,6 +88,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
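Review bot: The added line records the failure in *ostatus but, as far as this hunk shows, does not OR in GNUTLS_CERT_INVALID, so a caller that decides on `status & GNUTLS_CERT_INVALID` alone would still accept the peer after an unparsable stapled response; whether the cleanup path or the caller adds that bit is outside the hunk (check_ocsp_response starts and ends outside it). This matters for a certificate carrying the must-staple (TLS feature) extension: if a missing staple yields GNUTLS_CERT_MISSING_OCSP_STATUS and a rejection but a garbage staple yields only this new bit, a server holding a revoked certificate can substitute an unparsable blob for the "revoked" response and pass. If an invalid staple is meant to be fatal, set both here, `*ostatus |= GNUTLS_CERT_INVALID | GNUTLS_CERT_INVALID_OCSP_STATUS;`, or have the must-staple check treat it as missing; if it is deliberately soft-fail, a one-line comment saying so on this line would stop the next reader from "fixing" it.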
@@ -97,6 +98,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
_gnutls_audit_log(session,
"Got OCSP response with an unrelated certificate.\n");
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -105,6 +107,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
ret = gnutls_assert_val(0);
gnutls_assert();
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
@@ -112,6 +115,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
if (status != 0) {
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}
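Review bot: The `status != 0` branch sets the new flag but, unlike the parse-failure and unrelated-certificate branches earlier in this function, emits no _gnutls_audit_log, so an operator sees a connection reported with GNUTLS_CERT_INVALID_OCSP_STATUS and nothing in the audit log explaining that the response itself was rejected by verification. Presumably status is the verification-reason output of the preceding verify call (not visible in this hunk); logging it with the rejection, `_gnutls_audit_log(session, "The OCSP response could not be verified (status: %u).\n", status);` (adjust the format to status's actual type), costs one line and makes the three failure modes that now share one flag distinguishable after the fact. The enclosing check_ocsp_response starts and ends outside the hunk.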
@@ -124,6 +128,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
gnutls_strerror(ret));
ret = gnutls_assert_val(0);
check_failed = 1;
+ *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
goto cleanup;
}