Check the OCSP verify function return value. Ignore, if the URI of the OCSP responder...

diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index 0f923c5..7a317ca 100644 (file)
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
@@ -25,6 +25,9 @@ canl_err_code CANL_CALLCONV
 canl_ctx_set_ca_dir(canl_ctx, const char *);
 
 canl_err_code CANL_CALLCONV
+canl_ctx_set_crl_dir(canl_ctx, const char *);
+
+canl_err_code CANL_CALLCONV
 canl_ctx_set_ca_fn(canl_ctx, const char *);
 
 canl_err_code CANL_CALLCONV

diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index c37a981..5270c01 100644 (file)
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
@@ -2196,6 +2196,7 @@ proxy_verify_callback(
      */
     if (!ocsp_data)
         ocsprequest_init(&ocsp_data);
+    ret = 0;
     if (ocsp_data) {
         if (ctx->current_cert)
             ocsp_data->cert = ctx->current_cert;
@@ -2210,17 +2211,20 @@ proxy_verify_callback(
             ocsp_data->cert_chain = ctx->chain;
         /*Timeout should be set here 
           ocsp_data->timeout = -1; */
-        do_ocsp_verify (ocsp_data);
+        ret = do_ocsp_verify (ocsp_data);
         /* TODO sign key and cert */
         ocsprequest_free(ocsp_data);
         ocsp_data = NULL;
     }
 
     EVP_PKEY_free(key);
-
     if (objset)
         X509_OBJECT_free_contents(&obj);
 
+    if (ret != 0)
+        if (ret != CANL_OCSPRESULT_ERROR_NOAIAOCSPURI)
+            ok = 0;
+
     return(ok);
 
 fail_verify: