** API and ABI modifications:
gnutls_session_get_id2: Added
gnutls_certificate_verify_peers3: Added
+gnutls_ocsp_status_request_is_checked: Added
gnutls_certificate_verification_status_print: Added
gnutls_srtp_set_profile: Added
gnutls_srtp_set_profile_direct: Added
its certificate revocation status and serve it to the clients. That
way a client avoids an additional connection to the OCSP server.
-@showfuncC{gnutls_certificate_set_ocsp_status_request_function,gnutls_certificate_set_ocsp_status_request_file,gnutls_ocsp_status_request_enable_client}
+@showfuncD{gnutls_certificate_set_ocsp_status_request_function,gnutls_certificate_set_ocsp_status_request_file,gnutls_ocsp_status_request_enable_client,gnutls_ocsp_status_request_is_checked}
A server is required to provide the OCSP server's response using the @funcref{gnutls_certificate_set_ocsp_status_request_file}.
The response may be obtained periodically using the following command.
unsigned int hb_actual_retrans_timeout_ms; /* current timeout, in milliseconds*/
unsigned int hb_retrans_timeout_ms; /* the default timeout, in milliseconds*/
unsigned int hb_total_timeout_ms; /* the total timeout, in milliseconds*/
+
+ unsigned int ocsp_check_ok; /* will be zero if the OCSP response TLS extension
+ * check failed (OCSP was old/unrelated or so). */
heartbeat_state_t hb_state; /* for ping */
#endif
return 0;
}
+
+/**
+ * gnutls_ocsp_status_request_is_checked:
+ * @session: is a gnutls session
+ * @flags: should be zero
+ *
+ * Check whether an OCSP status response was included in the handshake
+ * and whether it was checked and valid (not too old or superseded).
+ * This is a helper function when needing to decide whether to perform an
+ * OCSP validity check on the peer's certificate. Must be called after
+ * gnutls_certificate_verify_peers3() is called.
+ *
+ * Returns: non zero it was valid, or a zero if it wasn't sent,
+ * or sent and was invalid.
+ **/
+int
+gnutls_ocsp_status_request_is_checked (gnutls_session_t session, unsigned int flags)
+{
+ return session->internals.ocsp_check_ok;
+}
int ret;
unsigned int status, cert_status;
time_t rtime, vtime, ntime, now;
+ int check_failed;
now = gnutls_time(0);
if (now - vtime > MAX_OCSP_VALIDITY_SECS)
{
_gnutls_audit_log(session, "The OCSP response is old\n");
+ check_failed = 1;
}
}
else
if (ntime < now)
{
_gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
+ check_failed = 1;
}
}
+ if (check_failed == 0)
+ session->internals.ocsp_check_ok = 1;
+
ret = 0;
cleanup:
gnutls_ocsp_resp_deinit (resp);
unsigned int ocsp_status = 0;
unsigned int verify_flags;
+ /* No OCSP check so far */
+ session->internals.ocsp_check_ok = 0;
+
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
info = _gnutls_get_auth_info (session);
int gnutls_ocsp_status_request_get (gnutls_session_t session, gnutls_datum_t *response);
+ int gnutls_ocsp_status_request_is_checked (gnutls_session_t session, unsigned int flags);
/* global state functions
*/
gnutls_srtp_get_keys;
gnutls_srtp_get_mki;
gnutls_srtp_set_mki;
+ gnutls_ocsp_status_request_is_checked;
} GNUTLS_3_0_0;
GNUTLS_PRIVATE {