ocsp: Introduced GNUTLS_CERT_INVALID_OCSP_STATUS
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Jun 2016 12:13:52 +0000 (14:13 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Jun 2016 14:00:09 +0000 (16:00 +0200)
This verification status flag indicates that an OCSP status response was
stapled but is invalid for some reason (e.g., it cannot be parsed or does
not contain the expected certificate).

lib/cert.c
lib/includes/gnutls/gnutls.h.in
lib/x509.c

index a43f487d3d80e32593dac2a752844336e284d736..c49bbe760ac890e82068e455ccd094ccfaa21957 100644 (file)
@@ -991,6 +991,11 @@ gnutls_certificate_verification_status_print(unsigned int status,
                                          _
                                          ("The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing. "));
 
+       if (status & GNUTLS_CERT_INVALID_OCSP_STATUS)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The received OCSP status response is invalid. "));
+
        return _gnutls_buffer_to_datum(&str, out, 1);
 }
 
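Review bot: The new message `_("The received OCSP status response is invalid. ")` does not tell the reader what was received or why it was rejected, and since the commit message says this bit is set only for a stapled response, "received" is ambiguous with a client-initiated OCSP query. Consider `_("The stapled OCSP status response is invalid (e.g., it could not be parsed or does not match the certificate). ")`, which mirrors the causes given in the commit description. gnutls_certificate_verification_status_print starts outside this hunk.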
index 2a79019976c1111f45a80f4037e53c28e6bc818e..f5aa1730f839139b225448a92f45c79be0396f8b 100644 (file)
@@ -531,6 +531,7 @@ const char
  * @GNUTLS_CERT_MISMATCH: The certificate presented isn't the expected one (TOFU)
  * @GNUTLS_CERT_PURPOSE_MISMATCH: The certificate or an intermediate does not match the intended purpose (extended key usage).
  * @GNUTLS_CERT_MISSING_OCSP_STATUS: The certificate requires the server to send the certifiate status, but no status was received.
+ * @GNUTLS_CERT_INVALID_OCSP_STATUS: The received OCSP status response is invalid.
  *
  * Enumeration of certificate status codes.  Note that the status
  * bits may have different meanings in OpenPGP keys and X.509
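Review bot: The doc line `@GNUTLS_CERT_INVALID_OCSP_STATUS: The received OCSP status response is invalid.` is the only place API users learn what this bit means, and it leaves "invalid" unexplained; the lib/x509.c hunks set it when the stapled response cannot be parsed, names an unrelated certificate, or fails its checks. Suggest `@GNUTLS_CERT_INVALID_OCSP_STATUS: An OCSP status response was stapled but could not be used (e.g., it could not be parsed or does not refer to the certificate being verified).` It would also help callers to state whether this bit is always accompanied by GNUTLS_CERT_INVALID, which nothing in the diff shows. While here, the preceding `@GNUTLS_CERT_MISSING_OCSP_STATUS` line misspells "certifiate".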
@@ -551,7 +552,8 @@ typedef enum {
        GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1 << 16,
        GNUTLS_CERT_MISMATCH = 1 << 17,
        GNUTLS_CERT_PURPOSE_MISMATCH = 1 << 18,
-       GNUTLS_CERT_MISSING_OCSP_STATUS = 1 << 19
+       GNUTLS_CERT_MISSING_OCSP_STATUS = 1 << 19,
+       GNUTLS_CERT_INVALID_OCSP_STATUS = 1 << 20
 } gnutls_certificate_status_t;
 
 /**
index f407f7447894526eede47d10e921082b7ce85937..edd8e5bd19966ec55350d45ccaa88d46436fa476 100644 (file)
@@ -88,6 +88,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
                                  gnutls_strerror(ret));
                ret = gnutls_assert_val(0);
                check_failed = 1;
+               *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
                goto cleanup;
        }
 
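Review bot: The new `*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;` is inserted just before `check_failed = 1; goto cleanup;` in five separate error paths of check_ocsp_response, which is easy to miss when a sixth path is added later. If, as the visible paths suggest, `check_failed` is set only when the stapled response is unusable (and not, for example, for a well-formed response that reports revocation), the bit could be set once under the cleanup label, `if (check_failed) *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;`. The cleanup label and the remainder of the function are outside this hunk, so that assumption must be checked before consolidating.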
@@ -97,6 +98,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
                _gnutls_audit_log(session,
                                  "Got OCSP response with an unrelated certificate.\n");
                check_failed = 1;
+               *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
                goto cleanup;
        }
 
@@ -105,6 +107,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
                ret = gnutls_assert_val(0);
                gnutls_assert();
                check_failed = 1;
+               *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
                goto cleanup;
        }
 
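Review bot: In this path `ret = gnutls_assert_val(0);` is immediately followed by a bare `gnutls_assert();`, so if gnutls_assert_val() logs the way gnutls_assert() does, the same failure is recorded twice; since the commit already edits this block, the second call could be dropped. The condition that leads here is above the hunk, so I cannot tell which failure is being flagged, but unlike the parse-failure and unrelated-certificate paths it writes no `_gnutls_audit_log()` line, and with the application now seeing only a single INVALID bit, a log entry naming the cause would make failures diagnosable.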
@@ -112,6 +115,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
        if (status != 0) {
                ret = gnutls_assert_val(0);
                check_failed = 1;
+               *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
                goto cleanup;
        }
 
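Review bot: The `if (status != 0)` branch now sets GNUTLS_CERT_INVALID_OCSP_STATUS but, unlike the parse-failure path (`_gnutls_audit_log(... gnutls_strerror(ret))`) and the unrelated-certificate path, records nothing about why the response was rejected, so an operator sees only the one INVALID bit. Suggest adding `_gnutls_audit_log(session, "OCSP response verification failed (status %u).\n", status);` before the `goto cleanup;`, adjusting the format specifier to the actual type of `status`, which is assigned above the hunk.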
@@ -124,6 +128,7 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
                                  gnutls_strerror(ret));
                ret = gnutls_assert_val(0);
                check_failed = 1;
+               *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
                goto cleanup;
        }