From: Martin Willi
Date: Mon, 31 Mar 2014 12:53:15 +0000 (+0200)
Subject: revocation: Log error if no OCSP signer candidate found
X-Git-Tag: 5.1.3rc1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94fb33bb8856973748d4377e0f3cdf3a8c2f27c3;p=thirdparty%2Fstrongswan.git

revocation: Log error if no OCSP signer candidate found

Fixes evaluation of ikev2/ocsp-untrusted-cert.
---

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index eb9065fb37..9fd5b2a227 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -118,7 +118,6 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 { /* OCSP signer currently invalid */
 continue;
 }
- found = TRUE;
 if (!ca->equals(ca, issuer))
 { /* delegated OCSP signer? */
 if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL))
@@ -130,6 +129,7 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 continue;
 }
 }
+ found = TRUE;
 if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
 {
 DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"",
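Review bot: A signer candidate rejected by one of the `continue` paths leaves no log line of its own, for example the `/* OCSP signer currently invalid */` branch in the first hunk; with `found = TRUE;` now set only after the delegated-signer checks (second hunk), an expired or untrusted signer certificate and an absent one presumably end in the same "no candidate" error. A low-verbosity line on the rejecting branches, such as `DBG2(DBG_CFG, "ocsp signer \"%Y\" currently invalid, skipped", issuer->get_subject(issuer));`, would let an operator tell these cases apart when a revocation check fails. The moved assignment would also benefit from a short comment stating what `found` now means, e.g. `/* candidate passed the signer checks above */`, so that a later edit does not move it back above the delegation test. The loop body and the lines between the two hunks are outside the diff, so logging that already exists there cannot be ruled out.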