From: Marcel Poul Date: Tue, 7 Aug 2012 16:20:43 +0000 (+0000) Subject: return appr. errors if OCSP verification fails X-Git-Tag: glite-lbjp-common-gss_R_3_2_4_1~35 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=26be6e7b71ee374c457379332463e9c93f4802fa;p=jra1mw.git return appr. errors if OCSP verification fails --- diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c index 1ae0048..690103d 100644 --- a/emi.canl.canl-c/src/canl_ocsp.c +++ b/emi.canl.canl-c/src/canl_ocsp.c @@ -5,6 +5,8 @@ #define USENONCE 0 typedef enum { + CANL_OCSPRESULT_ERROR_NOSTATUS = -17, + CANL_OCSPRESULT_ERROR_INVTIME = -16, CANL_OCSPRESULT_ERROR_VERIFYRESPONSE = -15, CANL_OCSPRESULT_ERROR_NOTCONFIGURED = -14, CANL_OCSPRESULT_ERROR_NOAIAOCSPURI = -13, @@ -411,9 +413,6 @@ int do_ocsp_verify (canl_ocsprequest_t *data) goto end; if (USENONCE && OCSP_check_nonce(req, basic) <= 0) goto end; - /*TODO make the store*/ - if (data->store) - goto end; store = canl_create_x509store(data->store); if (!store) goto end; @@ -429,10 +428,15 @@ int do_ocsp_verify (canl_ocsprequest_t *data) } if (!OCSP_resp_find_status(basic, id, &status, &reason, &producedAt, - &thisUpdate, &nextUpdate)) + &thisUpdate, &nextUpdate)){ + result = CANL_OCSPRESULT_ERROR_NOSTATUS; goto end; - if (!OCSP_check_validity(thisUpdate, nextUpdate, data->skew, data->maxage)) + } + if (!OCSP_check_validity(thisUpdate, nextUpdate, + data->skew, data->maxage)) { + result = CANL_OCSPRESULT_ERROR_INVTIME; goto end; + } /* All done. Set the return code based on the status from the response. */ if (status == V_OCSP_CERTSTATUS_REVOKED) { @@ -449,6 +453,10 @@ end: if (req) OCSP_REQUEST_free(req); if (resp) OCSP_RESPONSE_free(resp); if (basic) OCSP_BASICRESP_free(basic); + if (verify_other) + sk_X509_pop_free(verify_other, X509_free); + if (store) + X509_STORE_free(store); return result; }