Diffstat (limited to 'lib/x509/verify-high.c')
-rw-r--r-- | lib/x509/verify-high.c | 49 |
1 files changed, 24 insertions, 25 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index b1421ef17a..763c527a59 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -851,11 +851,10 @@ static int shorten_clist(gnutls_x509_trust_list_t list,
 return clist_size;
 }
 
-static
-int trust_list_get_issuer(gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert,
- gnutls_x509_crt_t * issuer,
- unsigned int flags)
+int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t * issuer,
+ unsigned int flags)
 {
 int ret;
 unsigned int i;
@@ -968,7 +967,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
 {
 int ret;
 
- ret = trust_list_get_issuer(list, cert, issuer, flags);
+ ret = _gnutls_trust_list_get_issuer(list, cert, issuer, flags);
 if (ret == 0) {
 return 0;
 }
@@ -1192,11 +1191,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 #define LAST_DN cert_list[cert_list_size-1]->raw_dn
 #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
 
-/* This macro is introduced to detect a verification output
- * which indicates an unknown signer, or a signer which uses
- * an insecure algorithm (e.g., sha1), something that indicates
- * a superseded signer */
-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
+/* This macro is introduced to detect a verification output which
+ * indicates an unknown signer, a signer which uses an insecure
+ * algorithm (e.g., sha1), a signer has expired, or something that
+ * indicates a superseded signer */
+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
+ (output & GNUTLS_CERT_EXPIRED) || \
+ (output & GNUTLS_CERT_INSECURE_ALGORITHM))
 #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
 
 /**
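Review bot: The rewritten SIGNER_OLD_OR_UNKNOWN still uses its macro argument unparenthesized in every term, so `(output & GNUTLS_CERT_EXPIRED)` only works because the callers pass a primary expression such as `*voutput`; write each term as `((output) & GNUTLS_CERT_EXPIRED)` (and likewise for the SIGNER_NOT_FOUND and INSECURE_ALGORITHM terms, and for SIGNER_WAS_KNOWN next to it) so an argument like `a | b` cannot bind to `&` first. The updated comment also oversells what the new bit tells the macro: nothing in this hunk shows that GNUTLS_CERT_EXPIRED identifies which certificate in the chain expired, so the macro presumably fires when only the end-entity certificate is expired, not just when the signer is. A sentence making that explicit would help the next reader, e.g. `/* NOTE: GNUTLS_CERT_EXPIRED may come from any certificate in the chain, not only the signer; the fallback paths below re-verify and keep the original status if they also fail. */`.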
@@ -1333,11 +1334,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 }
 
 *voutput =
- _gnutls_verify_crt_status(cert_list, cert_list_size,
- list->node[hash].trusted_cas,
- list->
- node[hash].trusted_ca_size,
- flags, purpose, func);
+ _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].trusted_ca_size,
+ flags, purpose, func);
 saved_output = *voutput;
 
 if (SIGNER_OLD_OR_UNKNOWN(*voutput) &&
@@ -1355,11 +1355,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 _gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n");
 
 *voutput =
- _gnutls_verify_crt_status(cert_list, cert_list_size,
- list->node[hash].trusted_cas,
- list->
- node[hash].trusted_ca_size,
- flags, purpose, func);
+ _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].trusted_ca_size,
+ flags, purpose, func);
 if (*voutput != 0) {
 if (SIGNER_WAS_KNOWN(saved_output))
 *voutput = saved_output;
@@ -1373,10 +1372,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) {
 /* use the token for verification */
- *voutput = _gnutls_pkcs11_verify_crt_status(list->pkcs11_token,
- cert_list, cert_list_size,
- purpose,
- flags, func);
+ *voutput = _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token,
+ cert_list, cert_list_size,
+ purpose,
+ flags, func);
 if (*voutput != 0) {
 if (SIGNER_WAS_KNOWN(saved_output))
 *voutput = saved_output;
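Review bot: The debug message in the second hunk, `issuer in verification was not found or insecure; trying against trust list`, no longer matches the condition that reaches it, because SIGNER_OLD_OR_UNKNOWN now also matches GNUTLS_CERT_EXPIRED; change it to `_gnutls_debug_log("issuer in verification was not found, insecure or expired; trying against trust list\n");` so the log tells an operator why the fallback ran. The fallback's safety for the new case rests on the lines right after the retried call: when the retry fails, the original status is restored only if SIGNER_WAS_KNOWN(saved_output), which holds for a chain whose only problem is expiry, so the expired verdict is not silently replaced by a different failure — worth a one-line comment there, since it is the property the expiry fallback depends on. The enclosing gnutls_x509_trust_list_verify_crt2 begins and ends outside these hunks, and the third hunk (PKCS#11 path) is cut off at the end of the page, so whether it has an analogous log line cannot be checked here.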