cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 18 Oct 2017 08:32:20 +0000 (10:32 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:37 +0000 (15:29 +0100)
This allows reverting the new semantics of checking the loaded
OCSP response against the certificates present, and returning
to the 3.5.x semantics.

That option is also useful for debugging as it allows setting
an arbitrary response and checking gnutls' client behavior with that.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/includes/gnutls/gnutls.h.in
lib/ocsp-api.c

index 755ec781278b787961ed09af8e1e405cfe81dcb1..120ee33454011b16374c419b037a65496845be97 100644 (file)
@@ -1778,12 +1778,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
  * gnutls_certificate_flags:
  * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
  * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
+ * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
+ *    function, will not check whether the response set matches any of the certificates.
  *
  * Enumeration of different certificate credentials flags.
  */
 typedef enum gnutls_certificate_flags {
        GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
-       GNUTLS_CERTIFICATE_API_V2 = (1<<1)
+       GNUTLS_CERTIFICATE_API_V2 = (1<<1),
+       GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2)
 } gnutls_certificate_flags;
 
 void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
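Review bot: The doc line for `@GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK` says what is skipped but not the consequence the lib/ocsp-api.c comment in this same commit spells out: with the flag set only the end certificate's response can be loaded, and the file contents are not checked against any certificate before being used. Since this enum comment is what ends up in the public API reference, suggest extending it, e.g. `*    function will store the response for the end certificate only, without checking that it matches any certificate.` The stray comma in `function, will not check` should also go.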
index 1150bd4b84d76a31267b8c90c345c7d17e9c53ec..e5c002f0fbbb40e1569a5431ee3c82f559fdf097 100644 (file)
@@ -241,6 +241,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
  * when multiple responses which apply to the chain are available.
  * If the response provided does not match any certificates present
  * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  *   otherwise a negative error code is returned.
@@ -264,6 +267,17 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
        if (ret < 0)
                return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 
+       if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+               /* quick load of first response */
+               gnutls_free(sc->certs[idx].ocsp_responses[0].data);
+
+               sc->certs[idx].ocsp_responses[0].data = der.data;
+               der.data = NULL;
+               sc->certs[idx].ocsp_responses[0].size = der.size;
+
+               return 0;
+       }
+
        ret = gnutls_ocsp_resp_init(&resp);
        if (ret < 0) {
                gnutls_assert();
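Review bot: The fast path added under `sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK` stores the raw file bytes in `ocsp_responses[0]` and returns before `gnutls_ocsp_resp_init`, so the data is never parsed — a truncated or non-DER file is accepted as-is and handed out unchanged later. That matches the debugging use the commit message describes, but the function's doc comment should state it, e.g. `* With that flag set the response is stored verbatim, without parsing or validation.` The early return also skips whatever bookkeeping the normal path performs after this point (for instance a count of loaded responses, if the credentials struct keeps one); that code is outside the hunk, so please confirm the fast-path result is visible to the code that later selects and sends the response. The body of gnutls_certificate_set_ocsp_status_request_file continues past the hunk.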