Changeset 2a1ffd6 in mod_gnutls for src/gnutls_ocsp.c
- Timestamp:
- May 31, 2016, 1:12:53 PM (4 years ago)
- Branches:
- debian/master, debian/stretch-backports, master, upstream
- Children:
- 64856fd
- Parents:
- d35b98e
- File:
-
- 1 edited
src/gnutls_ocsp.c
rd35b98e r2a1ffd6 86 86 return GNUTLS_E_NO_CERTIFICATE_FOUND; 87 87 } 88 gnutls_x509_trust_list_t issuer; 89 int ret = gnutls_x509_trust_list_init(&issuer, 1); 90 if (ret != GNUTLS_E_SUCCESS) 91 { 92 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 93 "Could not create issuer trust list: %s (%d)", 94 gnutls_strerror(ret), ret); 95 goto trust_cleanup; 96 } 88 97 89 /* Only the direct issuer may sign the OCSP response or an OCSP 98 90 * signer. Assuming the certificate file is properly ordered, it 99 91 * should be the one directly after the server's. */ 100 ret = gnutls_x509_trust_list_add_cas(issuer, 92 gnutls_x509_trust_list_t issuer; 93 int ret = mgs_create_ocsp_trust_list(&issuer, 101 94 &(ctxt->sc->certs_x509_crt_chain[1]), 102 1 , 0);103 if (ret != 1)104 { 105 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 106 "Could not populate issuer trust list.");107 ret = GNUTLS_E_CERTIFICATE_ERROR;108 goto trust_cleanup;95 1); 96 if (ret != GNUTLS_E_SUCCESS) 97 { 98 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 99 "Could not create issuer trust list: %s (%d)", 100 gnutls_strerror(ret), ret); 101 return ret; 109 102 } 110 103 … … 205 198 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 206 199 "OCSP response has expired at %s!", date_str); 200 /* Do not send a stale response */ 207 201 ret = GNUTLS_E_OCSP_RESPONSE_ERROR; 208 202 goto resp_cleanup; … … 229 223 resp_cleanup: 230 224 gnutls_ocsp_resp_deinit(resp); 231 trust_cleanup:232 225 /* deinit trust list, but not the certificates */ 233 226 gnutls_x509_trust_list_deinit(issuer, 0); … … 265 258 return GNUTLS_E_NO_CERTIFICATE_STATUS; 266 259 } 260 261 262 263 int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl, 264 const gnutls_x509_crt_t *chain, 265 const int num) 266 { 267 int added = 0; 268 int ret = gnutls_x509_trust_list_init(tl, num); 269 270 if (ret == GNUTLS_E_SUCCESS) 271 added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0); 272 273 if (added != num) 
274 ret = GNUTLS_E_CERTIFICATE_ERROR; 275 276 /* Clean up trust list in case of error */ 277 if (ret != GNUTLS_E_SUCCESS) 278 gnutls_x509_trust_list_deinit(*tl, 0); 279 280 return ret; 281 }
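Review bot: In mgs_create_ocsp_trust_list (new lines 263-281) a failed gnutls_x509_trust_list_init is reported to the caller as GNUTLS_E_CERTIFICATE_ERROR, because `added` stays 0, the `added != num` test then overwrites the init return code, and the caller at new line 99 logs the wrong error. The deinit on that same path runs against a list that was never initialised, which is only safe if GnuTLS leaves *tl as NULL on init failure — the code does not check that. Returning right after a failed init and deiniting only after a failed add_cas keeps the original error code and limits the cleanup to the one path that needs it; a negative return from gnutls_x509_trust_list_add_cas is still folded into the generic error, which is acceptable but worth a comment. The function is non-static and is called at new line 93 before its definition, so a prototype must already exist in a header this changeset does not show; a Doxygen comment there stating that on success the caller owns *tl and must release it with `gnutls_x509_trust_list_deinit(*tl, 0)` because the chain certificates are not copied would make the ownership explicit.
```c
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num)
{
    int ret = gnutls_x509_trust_list_init(tl, num);
    if (ret != GNUTLS_E_SUCCESS)
        return ret;

    /* add_cas returns the number of CAs added or a negative error;
     * anything other than exactly num is treated as failure */
    int added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
    if (added != num)
    {
        /* Clean up trust list in case of error, but not the certificates */
        gnutls_x509_trust_list_deinit(*tl, 0);
        return GNUTLS_E_CERTIFICATE_ERROR;
    }

    return GNUTLS_E_SUCCESS;
}
```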