author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-27 14:48:37 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-02 16:03:20 +0100 |
commit | fce973b74a3a1717511460f98dd994a81ba97541 (patch) | |
tree | 6c2a8ff0028b36e681fccb7e2087e3bb8b0eef43 /lib/cert.c | |
parent | ae7cfbb001e27104cd0825261186ec1639963601 (diff) | |
download | gnutls-fce973b74a3a1717511460f98dd994a81ba97541.tar.gz |
x509/verify: refuse to verify certificates with unknown critical extensions
That is, introduced flag GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS, which is
set when the chain under verification contains unsupported extensions marked
as critical.
Resolves: #177
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
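As an added example (not GnuTLS code), the condition the commit message describes, written as a check over a DER-encoded X.509 Extensions SEQUENCE: any extension the verifier does not recognise that carries critical=TRUE is reported, the same situation the new flag is meant to signal. The recognised-OID list, the UNKNOWN_CRIT_EXT bit (a stand-in for GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS) and the short-form-length-only parser are assumptions of the example.

```c
/* Added example, not GnuTLS code: walk a DER X.509 Extensions SEQUENCE and
 * report the condition the new flag describes: an extension this verifier does
 * not understand that is marked critical. UNKNOWN_CRIT_EXT is a hypothetical
 * stand-in for GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define UNKNOWN_CRIT_EXT 0x1

/* The only extension OIDs this toy verifier understands (DER OID bodies). */
static const uint8_t KNOWN_OIDS[][3] = {
    {0x55, 0x1d, 0x13},   /* 2.5.29.19 basicConstraints */
    {0x55, 0x1d, 0x0f},   /* 2.5.29.15 keyUsage */
    {0x55, 0x1d, 0x11},   /* 2.5.29.17 subjectAltName */
};
static int oid_known(const uint8_t *oid, size_t len)
{
    for (size_t i = 0; i < sizeof KNOWN_OIDS / 3; i++)
        if (len == 3 && memcmp(oid, KNOWN_OIDS[i], 3) == 0) return 1;
    return 0;
}

/* Validate a short-form (< 128 byte) TLV header; long-form lengths are rejected. */
static int tlv(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    if (n < 2 || p[0] != tag || (p[1] & 0x80) || 2 + (size_t)p[1] > n) return -1;
    *len = p[1];
    return 0;
}

/* Returns UNKNOWN_CRIT_EXT if an unrecognised extension is critical,
 * 0 if every critical extension is known, -1 on malformed input. */
int check_extensions(const uint8_t *p, size_t n)
{
    size_t len, elen, olen;
    if (tlv(p, n, 0x30, &len) < 0) return -1;          /* Extensions ::= SEQUENCE */
    p += 2; n = len;
    while (n > 0) {
        if (tlv(p, n, 0x30, &elen) < 0) return -1;     /* Extension ::= SEQUENCE */
        const uint8_t *e = p + 2, *end = e + elen;
        if (tlv(e, elen, 0x06, &olen) < 0) return -1;  /* extnID OBJECT IDENTIFIER */
        const uint8_t *oid = e + 2;
        e += 2 + olen;
        int critical = 0;                                /* critical BOOLEAN DEFAULT FALSE */
        if (end - e >= 3 && e[0] == 0x01 && e[1] == 0x01) critical = e[2] != 0;
        if (critical && !oid_known(oid, olen)) return UNKNOWN_CRIT_EXT;
        p = end; n -= 2 + elen;                          /* extnValue is not needed here */
    }
    return 0;
}
```

A real verifier applies this check to every certificate in the chain, not only the end-entity certificate, which is what the commit message's wording ("the chain under verification") implies.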
Diffstat (limited to 'lib/cert.c')
-rw-r--r-- | lib/cert.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/cert.c b/lib/cert.c index 9e42de1c51..825354509f 100644 --- a/lib/cert.c +++ b/lib/cert.c @@ -1052,6 +1052,11 @@ gnutls_certificate_verification_status_print(unsigned int status, _ ("The received OCSP status response is invalid. ")); + if (status & GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS) + _gnutls_buffer_append_str(&str, + _ + ("The certificate contains an unknown critical extension. ")); + return _gnutls_buffer_to_datum(&str, out, 1); } |
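Review bot: the string added in the new branch, "The certificate contains an unknown critical extension. ", is narrower than what the commit message says the flag means (set when any certificate in the chain under verification carries an unsupported critical extension); consider wording it to match, for example "The certificate chain contains an unknown critical extension. ", so callers of gnutls_certificate_verification_status_print do not read it as a statement about the end-entity certificate only. The definition of GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS and the verification code that sets it are outside this view (the diffstat is limited to lib/cert.c), so reviewing this hunk alone cannot confirm that the new bit does not collide with an existing status bit or that every chain element is checked.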