authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-02-04 10:14:55 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-02-04 10:16:33 +0100
commit3a33bfb4118f8f35207210def7bae82f51fa56d2 (patch)
treeba403dabc124e10ec8cb9a99729e6a674a154f0e /src/cli.c
parent064da84a6f3eb5f329acc6548e8c99896ae7fef3 (diff)
downloadgnutls-3a33bfb4118f8f35207210def7bae82f51fa56d2.tar.gz
handle differently OCSP responses that are revoked and of unknown status
Diffstat (limited to 'src/cli.c')
-rw-r--r--src/cli.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/cli.c b/src/cli.c
index 998a1190ab..ca203cdc11 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1820,6 +1820,7 @@ static int cert_verify_ocsp(gnutls_session_t session)
gnutls_x509_crt_t cert, issuer;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0, ok = 0;
+ unsigned failed = 0;
int deinit_issuer = 0, deinit_cert;
gnutls_datum_t resp;
unsigned char noncebuf[23];
@@ -1883,8 +1884,10 @@ static int cert_verify_ocsp(gnutls_session_t session)
ret = check_ocsp_response(cert, issuer, &resp, &nonce, verbose);
if (ret == 1)
ok++;
- else
+ else if (ret == 0) {
+ failed++;
break;
+ }
}
cleanup:
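Review bot: A negative return from check_ocsp_response() now matches neither branch in the loop, so that certificate is skipped without being counted as good or failed. If a negative value means an unknown status or an unverifiable response (the helper's definition is outside this hunk, so this is inferred from the commit title), the chain can still be reported as verified as long as enough other entries returned 1. That is a soft-fail policy and should be stated where it is decided, for example `/* ret < 0: status unknown, deliberately not treated as revoked; skip this certificate */` at the `else if`. Printing a warning in that case would also let the user see which certificate went unchecked. The loop header and the rest of cert_verify_ocsp lie outside the hunk.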
@@ -1893,5 +1896,7 @@ cleanup:
if (deinit_cert)
gnutls_x509_crt_deinit(cert);
+ if (failed > 0)
+ return -1;
return ok > 1 ? (int) ok : -1;
}
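Review bot: Both failure exits at the end of cert_verify_ocsp return -1, so a caller cannot tell a revoked certificate from a chain that simply produced too few good responses. Because the loop breaks on the first revocation, `failed` never exceeds 1 and acts as a flag rather than a count. A comment above `if (failed > 0)` such as `/* a revoked certificate overrides any number of good responses */` would record why this check comes before the `ok` count. If the caller is meant to report the two cases separately, the revoked case would need its own negative value; whether it does is not visible in this hunk.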