authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-18 10:32:20 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-19 15:29:37 +0100
commitc55b43f004aef44303a303d41fe288e0122770e1 (patch)
tree1d80af86231ab9fdfa9291d7a2acdebcb101b24f /lib/ocsp-api.c
parent1e919486f4f191e372f451f6518f7b93dd19bf22 (diff)
downloadgnutls-c55b43f004aef44303a303d41fe288e0122770e1.tar.gz
cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
This allows reverting the new semantics of checking the loaded OCSP response against the certificates present and return to the 3.5.x semantics. That option is also useful for debugging as it allows setting an arbitrary response and checking gnutls' client behavior with that. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/ocsp-api.c')
-rw-r--r--lib/ocsp-api.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index 1150bd4b84..e5c002f0fb 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -241,6 +241,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
* when multiple responses which apply to the chain are available.
* If the response provided does not match any certificates present
* in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
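Review bot: The added sentence at `* in the certificate credentials structure. In that case, only the` under-describes the flag: with it set, the response file is stored as loaded, without being parsed as an OCSP response or matched against any certificate in the chain, and callers should be told that before relying on it outside of debugging. The phrase `end-certificates OCSP response` should also read `end certificate's OCSP response`. I would reword the three added lines to ` * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK` / ` * in the certificate credentials structure. In that case the file is stored` / ` * unparsed and unchecked, and only the end certificate's OCSP response can be set.` The documented function's signature lies outside this hunk.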
@@ -264,6 +267,17 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
if (ret < 0)
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+ /* quick load of first response */
+ gnutls_free(sc->certs[idx].ocsp_responses[0].data);
+
+ sc->certs[idx].ocsp_responses[0].data = der.data;
+ der.data = NULL;
+ sc->certs[idx].ocsp_responses[0].size = der.size;
+
+ return 0;
+ }
+
ret = gnutls_ocsp_resp_init(&resp);
if (ret < 0) {
gnutls_assert();
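Review bot: The branch under `if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` returns before `gnutls_ocsp_resp_init`, so the file contents are never checked to be a parseable OCSP response at all, let alone one that is current; whatever bytes are in the file are what gets stapled to clients, which is fine for the debugging use the commit message describes but deserves a comment saying so rather than `/* quick load of first response */`. If the credentials structure also keeps a count of loaded responses (no such field is visible in this hunk), the quick path does not update it, so a response stored at slot 0 could be skipped by the sending code when the count is still zero — worth confirming. I would replace the comment with `/* SKIP_OCSP_RESPONSE_CHECK: store the raw DER unvalidated (debug/3.5.x behavior); any earlier response in slot 0 is freed and der.data now belongs to sc */`. The enclosing function starts before and continues past this hunk.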