]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
When verifying an OCSP response included in TLS don't fail if the response is old.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 6 Nov 2012 21:47:02 +0000 (22:47 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 6 Nov 2012 21:47:04 +0000 (22:47 +0100)
That is to avoid creating more problems for a server that included an
old response, from a server that included none.
Also renamed: Too old -> Superseded.

lib/gnutls_cert.c
lib/gnutls_x509.c
lib/includes/gnutls/gnutls.h.in
lib/x509/verify.c

index f699a889d618914de8850909ace63c2ca31ac1b4..f98ecdc8c22cd82f6384ab3cb536484aa64fc5ed 100644 (file)
@@ -944,8 +944,8 @@ gnutls_certificate_verification_status_print (unsigned int status,
       if (status & GNUTLS_CERT_REVOKED)
         _gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
 
-      if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
-         _gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
+      if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
+         _gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
 
       if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
          _gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
index cf8dee55f6d49bcdf4fd9c5631800a98c86e1dce..bd50d23f10206c23aacaa05b5575471427e55605 100644 (file)
@@ -148,6 +148,10 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
       goto cleanup;
     }
   
+  /* Report but do not fail on the following errors. That is
+   * because including the OCSP response in the handshake shouldn't 
+   * cause more problems that not including it.
+   */
   if (ntime == -1)
     {
       if (now - vtime > MAX_OCSP_VALIDITY_SECS)
@@ -161,8 +165,6 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
       if (ntime < now)
         {
           _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
-         if (now-ntime > MAX_OCSP_VALIDITY_SECS)
-           *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
         }
     }
   
index d7f07f21ddd92a696b1cf2fe46043f7c99f80514..c12576d4ae05fbd48568fa626ba528df33802dce 100644 (file)
@@ -447,8 +447,8 @@ extern "C"
  *   should not be trusted.
  * @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
  * @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
  * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
+ * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and have been superseded.
  * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
  * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
  *
@@ -466,7 +466,7 @@ extern "C"
     GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
     GNUTLS_CERT_EXPIRED = 1<<10,
     GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
-    GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+    GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
     GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
     GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
     GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
index 7cbbb6329999af00f306a97f07724ca96fed8896..636ae0e27ea8a86eb1100f4adf78f56592c0fe2d 100644 (file)
@@ -1114,7 +1114,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
     *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
     
   if (gnutls_x509_crl_get_next_update (crl) < now)
-    *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+    *output |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
 
 
 cleanup: