source-git / gnutls

Clone
Source Code
GIT

Blame src/ocsptool-common.c

c8 c8s master
  1.   b97e568fddb0c347c225fc68303960b41a24f19f
  2.   src
  3.   ocsptool-common.c
Blob History Raw
Packit Service 4684c1 
/*
Packit Service 4684c1 
 * Copyright (C) 2012-2014 Free Software Foundation, Inc.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * This file is part of GnuTLS.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * GnuTLS is free software: you can redistribute it and/or modify it
Packit Service 4684c1 
 * under the terms of the GNU General Public License as published by
Packit Service 4684c1 
 * the Free Software Foundation, either version 3 of the License, or
Packit Service 4684c1 
 * (at your option) any later version.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * GnuTLS is distributed in the hope that it will be useful, but
Packit Service 4684c1 
 * WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service 4684c1 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit Service 4684c1 
 * General Public License for more details.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * You should have received a copy of the GNU General Public License
Packit Service 4684c1 
 * along with this program.  If not, see
Packit Service 4684c1 
 * <https://www.gnu.org/licenses/>.
Packit Service 4684c1 
 */
Packit Service 4684c1
Packit Service 4684c1 
#include <config.h>
Packit Service 4684c1
Packit Service 4684c1 
#include <stdio.h>
Packit Service 4684c1 
#include <stdlib.h>
Packit Service 4684c1 
#include <string.h>
Packit Service 4684c1 
#include <errno.h>
Packit Service 4684c1 
#include "common.h"
Packit Service 4684c1
Packit Service 4684c1 
#include <gnutls/gnutls.h>
Packit Service 4684c1 
#include <gnutls/ocsp.h>
Packit Service 4684c1 
#include <gnutls/x509.h>
Packit Service 4684c1 
#include <gnutls/crypto.h>
Packit Service 4684c1
Packit Service 4684c1 
/* Gnulib portability files. */
Packit Service 4684c1 
#include <read-file.h>
Packit Service 4684c1 
#include <socket.h>
Packit Service 4684c1
Packit Service 4684c1 
#include <ocsptool-common.h>
Packit Service 4684c1
Packit Service 4684c1 
#define MAX_BUF 4*1024
Packit Service 4684c1 
#define HEADER_PATTERN "POST /%s HTTP/1.0\r\n" \
Packit Service 4684c1 
  "Host: %s\r\n" \
Packit Service 4684c1 
  "Accept: */*\r\n" \
Packit Service 4684c1 
  "Content-Type: application/ocsp-request\r\n" \
Packit Service 4684c1 
  "Content-Length: %u\r\n" \
Packit Service 4684c1 
  "Connection: close\r\n\r\n"
Packit Service 4684c1 
static char buffer[MAX_BUF + 1];
Packit Service 4684c1
Packit Service 4684c1 
/* returns the host part of a URL */
Packit Service 4684c1 
static const char *host_from_url(const char *url, unsigned int *port, const char **path)
Packit Service 4684c1 
{
Packit Service 4684c1 
	static char hostname[512];
Packit Service 4684c1 
	char *p;
Packit Service 4684c1
Packit Service 4684c1 
	*port = 0;
Packit Service 4684c1 
	*path = "";
Packit Service 4684c1
Packit Service 4684c1 
	if ((p = strstr(url, "http://")) != NULL) {
Packit Service 4684c1 
		snprintf(hostname, sizeof(hostname), "%s", p + 7);
Packit Service 4684c1 
		p = strchr(hostname, '/');
Packit Service 4684c1 
		if (p != NULL) {
Packit Service 4684c1 
			*p = 0;
Packit Service 4684c1 
			*path = p+1;
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		p = strchr(hostname, ':');
Packit Service 4684c1 
		if (p != NULL) {
Packit Service 4684c1 
			*p = 0;
Packit Service 4684c1 
			*port = atoi(p + 1);
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		return hostname;
Packit Service 4684c1 
	} else {
Packit Service 4684c1 
		return url;
Packit Service 4684c1 
	}
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
void
Packit Service 4684c1 
_generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
Packit Service 4684c1 
		  gnutls_datum_t * rdata, gnutls_datum_t *nonce)
Packit Service 4684c1 
{
Packit Service 4684c1 
	gnutls_ocsp_req_t req;
Packit Service 4684c1 
	int ret;
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_req_init(&req;;
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "ocsp_req_init: %s", gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1, issuer, cert);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "ocsp_req_add_cert: %s",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (nonce) {
Packit Service 4684c1 
		ret = gnutls_ocsp_req_set_nonce(req, 0, nonce);
Packit Service 4684c1 
		if (ret < 0) {
Packit Service 4684c1 
			fprintf(stderr, "ocsp_req_set_nonce: %s",
Packit Service 4684c1 
				gnutls_strerror(ret));
Packit Service 4684c1 
			exit(1);
Packit Service 4684c1 
		}
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_req_export(req, rdata);
Packit Service 4684c1 
	if (ret != 0) {
Packit Service 4684c1 
		fprintf(stderr, "ocsp_req_export: %s",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	gnutls_ocsp_req_deinit(req);
Packit Service 4684c1 
	return;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
static size_t get_data(void *buf, size_t size, size_t nmemb,
Packit Service 4684c1 
		       void *userp)
Packit Service 4684c1 
{
Packit Service 4684c1 
	gnutls_datum_t *ud = userp;
Packit Service 4684c1
Packit Service 4684c1 
	size *= nmemb;
Packit Service 4684c1
Packit Service 4684c1 
	ud->data = realloc(ud->data, size + ud->size);
Packit Service 4684c1 
	if (ud->data == NULL) {
Packit Service 4684c1 
		fprintf(stderr, "Not enough memory for the request\n");
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	memcpy(&ud->data[ud->size], buf, size);
Packit Service 4684c1 
	ud->size += size;
Packit Service 4684c1
Packit Service 4684c1 
	return size;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
/* Returns 0 on ok, and -1 on error */
Packit Service 4684c1 
int send_ocsp_request(const char *server,
Packit Service 4684c1 
		      gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
Packit Service 4684c1 
		      gnutls_datum_t * resp_data, gnutls_datum_t *nonce)
Packit Service 4684c1 
{
Packit Service 4684c1 
	gnutls_datum_t ud;
Packit Service 4684c1 
	int ret;
Packit Service 4684c1 
	gnutls_datum_t req;
Packit Service 4684c1 
	char *url = (void *) server;
Packit Service 4684c1 
	char headers[1024];
Packit Service 4684c1 
	char service[16];
Packit Service 4684c1 
	unsigned char *p;
Packit Service 4684c1 
	const char *hostname;
Packit Service 4684c1 
	const char *path = "";
Packit Service 4684c1 
	unsigned i;
Packit Service 4684c1 
	unsigned int headers_size = 0, port;
Packit Service 4684c1 
	socket_st hd;
Packit Service 4684c1
Packit Service 4684c1 
	sockets_init();
Packit Service 4684c1
Packit Service 4684c1 
	if (url == NULL) {
Packit Service 4684c1 
		/* try to read URL from issuer certificate */
Packit Service 4684c1 
		gnutls_datum_t data;
Packit Service 4684c1
Packit Service 4684c1 
		i = 0;
Packit Service 4684c1 
		do {
Packit Service 4684c1 
			ret = gnutls_x509_crt_get_authority_info_access(cert, i++,
Packit Service 4684c1 
									GNUTLS_IA_OCSP_URI,
Packit Service 4684c1 
									&data,
Packit Service 4684c1 
									NULL);
Packit Service 4684c1 
		} while(ret == GNUTLS_E_UNKNOWN_ALGORITHM);
Packit Service 4684c1
Packit Service 4684c1 
		if (ret < 0) {
Packit Service 4684c1 
			i = 0;
Packit Service 4684c1 
			do {
Packit Service 4684c1 
				ret =
Packit Service 4684c1 
				    gnutls_x509_crt_get_authority_info_access
Packit Service 4684c1 
				    (issuer, i++, GNUTLS_IA_OCSP_URI, &data, NULL);
Packit Service 4684c1 
			} while(ret == GNUTLS_E_UNKNOWN_ALGORITHM);
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		if (ret < 0) {
Packit Service 4684c1 
			fprintf(stderr,
Packit Service 4684c1 
				"*** Cannot find OCSP server URI in certificate: %s\n",
Packit Service 4684c1 
				gnutls_strerror(ret));
Packit Service 4684c1 
			return ret;
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		url = malloc(data.size + 1);
Packit Service 4684c1 
		if (url == NULL) {
Packit Service 4684c1 
		    return -1;
Packit Service 4684c1 
		}
Packit Service 4684c1 
		memcpy(url, data.data, data.size);
Packit Service 4684c1 
		url[data.size] = 0;
Packit Service 4684c1
Packit Service 4684c1 
		gnutls_free(data.data);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	hostname = host_from_url(url, &port, &path);
Packit Service 4684c1 
	if (port != 0)
Packit Service 4684c1 
		snprintf(service, sizeof(service), "%u", port);
Packit Service 4684c1 
	else
Packit Service 4684c1 
		strcpy(service, "80");
Packit Service 4684c1
Packit Service 4684c1 
	fprintf(stderr, "Connecting to OCSP server: %s...\n", hostname);
Packit Service 4684c1
Packit Service 4684c1 
	memset(&ud, 0, sizeof(ud));
Packit Service 4684c1
Packit Service 4684c1 
	_generate_request(cert, issuer, &req, nonce);
Packit Service 4684c1
Packit Service 4684c1 
	snprintf(headers, sizeof(headers), HEADER_PATTERN, path, hostname,
Packit Service 4684c1 
		 (unsigned int) req.size);
Packit Service 4684c1 
	headers_size = strlen(headers);
Packit Service 4684c1
Packit Service 4684c1 
	socket_open(&hd, hostname, service, NULL, SOCKET_FLAG_RAW|SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL);
Packit Service 4684c1
Packit Service 4684c1 
	socket_send(&hd, headers, headers_size);
Packit Service 4684c1 
	socket_send(&hd, req.data, req.size);
Packit Service 4684c1 
	gnutls_free(req.data);
Packit Service 4684c1
Packit Service 4684c1 
	do {
Packit Service 4684c1 
		ret = socket_recv(&hd, buffer, sizeof(buffer));
Packit Service 4684c1 
		if (ret > 0)
Packit Service 4684c1 
			get_data(buffer, ret, 1, &ud);
Packit Service 4684c1 
	} while (ret > 0);
Packit Service 4684c1
Packit Service 4684c1 
	if (ret < 0 || ud.size == 0) {
Packit Service 4684c1 
		perror("recv");
Packit Service 4684c1 
		ret = -1;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	socket_bye(&hd, 0);
Packit Service 4684c1
Packit Service 4684c1 
	p = memmem(ud.data, ud.size, "\r\n\r\n", 4);
Packit Service 4684c1 
	if (p == NULL) {
Packit Service 4684c1 
		fprintf(stderr, "Cannot interpret HTTP response\n");
Packit Service 4684c1 
		ret = -1;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	p += 4;
Packit Service 4684c1 
	resp_data->size = ud.size - (p - ud.data);
Packit Service 4684c1 
	resp_data->data = malloc(resp_data->size);
Packit Service 4684c1 
	if (resp_data->data == NULL) {
Packit Service 4684c1 
		perror("recv");
Packit Service 4684c1 
		ret = -1;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	memcpy(resp_data->data, p, resp_data->size);
Packit Service 4684c1
Packit Service 4684c1 
	ret = 0;
Packit Service 4684c1
Packit Service 4684c1 
 cleanup:
Packit Service 4684c1 
	free(ud.data);
Packit Service 4684c1 
	if (url != server)
Packit Service 4684c1 
		free(url);
Packit Service 4684c1
Packit Service 4684c1 
	return ret;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
void print_ocsp_verify_res(unsigned int output)
Packit Service 4684c1 
{
Packit Service 4684c1 
	int comma = 0;
Packit Service 4684c1
Packit Service 4684c1 
	if (output) {
Packit Service 4684c1 
		printf("Failure");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	} else {
Packit Service 4684c1 
		printf("Success");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signer cert not found");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signer cert keyusage error");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signer cert is not trusted");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Insecure algorithm");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signature failure");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signer cert not yet activated");
Packit Service 4684c1 
		comma = 1;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (output & GNUTLS_OCSP_VERIFY_CERT_EXPIRED) {
Packit Service 4684c1 
		if (comma)
Packit Service 4684c1 
			printf(", ");
Packit Service 4684c1 
		printf("Signer cert expired");
Packit Service 4684c1 
		/*comma = 1;*/
Packit Service 4684c1 
	}
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
/* three days */
Packit Service 4684c1 
#define OCSP_VALIDITY_SECS (3*60*60*24)
Packit Service 4684c1
Packit Service 4684c1 
/* Returns:
Packit Service 4684c1 
 *  0: certificate is revoked
Packit Service 4684c1 
 *  1: certificate is ok
Packit Service 4684c1 
 *  -1: dunno
Packit Service 4684c1 
 */
Packit Service 4684c1 
int
Packit Service 4684c1 
check_ocsp_response(gnutls_x509_crt_t cert,
Packit Service 4684c1 
		    gnutls_x509_crt_t issuer, gnutls_datum_t * data,
Packit Service 4684c1 
		    gnutls_datum_t * nonce, int verbose)
Packit Service 4684c1 
{
Packit Service 4684c1 
	gnutls_ocsp_resp_t resp;
Packit Service 4684c1 
	int ret;
Packit Service 4684c1 
	unsigned int status, cert_status;
Packit Service 4684c1 
	time_t rtime, vtime, ntime, now;
Packit Service 4684c1 
	char timebuf1[SIMPLE_CTIME_BUF_SIZE];
Packit Service 4684c1 
	char timebuf2[SIMPLE_CTIME_BUF_SIZE];
Packit Service 4684c1
Packit Service 4684c1 
	now = time(0);
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_resp_init(&resp);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "ocsp_resp_init: %s",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_resp_import(resp, data);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "importing response: %s",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
Packit Service 4684c1 
			printf
Packit Service 4684c1 
			    ("*** Got OCSP response with no data (ignoring)\n");
Packit Service 4684c1 
		} else {
Packit Service 4684c1 
			printf
Packit Service 4684c1 
			    ("*** Got OCSP response on an unrelated certificate (ignoring)\n");
Packit Service 4684c1 
		}
Packit Service 4684c1 
		ret = -1;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_resp_verify_direct(resp, issuer, &status, 0);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "OCSP verification: %s\n",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (status != 0) {
Packit Service 4684c1 
		printf("*** Verifying OCSP Response: ");
Packit Service 4684c1 
		print_ocsp_verify_res(status);
Packit Service 4684c1 
		printf(".\n");
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	/* do not print revocation data if response was not verified */
Packit Service 4684c1 
	if (status != 0) {
Packit Service 4684c1 
		ret = -1;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
Packit Service 4684c1 
					  &cert_status, &vtime, &ntime,
Packit Service 4684c1 
					  &rtime, NULL);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		fprintf(stderr, "reading response: %s\n",
Packit Service 4684c1 
			gnutls_strerror(ret));
Packit Service 4684c1 
		exit(1);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (cert_status == GNUTLS_OCSP_CERT_REVOKED) {
Packit Service 4684c1 
		printf("*** Certificate was revoked at %s\n", simple_ctime(&rtime, timebuf1));
Packit Service 4684c1 
		ret = 0;
Packit Service 4684c1 
		goto cleanup;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (ntime == -1) {
Packit Service 4684c1 
		if (now - vtime > OCSP_VALIDITY_SECS) {
Packit Service 4684c1 
			printf
Packit Service 4684c1 
			    ("*** The OCSP response is old (was issued at: %s) ignoring\n",
Packit Service 4684c1 
			     simple_ctime(&vtime, timebuf1));
Packit Service 4684c1 
			ret = -1;
Packit Service 4684c1 
			goto cleanup;
Packit Service 4684c1 
		}
Packit Service 4684c1 
	} else {
Packit Service 4684c1 
		/* there is a newer OCSP answer, don't trust this one */
Packit Service 4684c1 
		if (ntime < now) {
Packit Service 4684c1 
			printf("*** The OCSP response was issued at: %s but there is a newer issue at %s\n",
Packit Service 4684c1 
				simple_ctime(&vtime, timebuf1), simple_ctime(&ntime, timebuf2));
Packit Service 4684c1 
			ret = -1;
Packit Service 4684c1 
			goto cleanup;
Packit Service 4684c1 
		}
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (nonce) {
Packit Service 4684c1 
		gnutls_datum_t rnonce;
Packit Service 4684c1
Packit Service 4684c1 
		ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce);
Packit Service 4684c1 
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
Packit Service 4684c1 
			if (verbose)
Packit Service 4684c1 
				fprintf(stderr, "*** The OCSP reply did not include the requested nonce.\n");
Packit Service 4684c1 
			goto finish_ok;
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		if (ret < 0) {
Packit Service 4684c1 
			fprintf(stderr, "could not read response's nonce: %s\n",
Packit Service 4684c1 
				gnutls_strerror(ret));
Packit Service 4684c1 
			exit(1);
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,
Packit Service 4684c1 
			nonce->size) != 0) {
Packit Service 4684c1 
			fprintf(stderr, "nonce in the response doesn't match\n");
Packit Service 4684c1 
			exit(1);
Packit Service 4684c1 
		}
Packit Service 4684c1
Packit Service 4684c1 
		gnutls_free(rnonce.data);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
 finish_ok:
Packit Service 4684c1 
	printf("- OCSP server flags certificate not revoked as of %s\n",
Packit Service 4684c1 
	       simple_ctime(&vtime, timebuf1));
Packit Service 4684c1 
	ret = 1;
Packit Service 4684c1 
 cleanup:
Packit Service 4684c1 
	gnutls_ocsp_resp_deinit(resp);
Packit Service 4684c1
Packit Service 4684c1 
	return ret;
Packit Service 4684c1 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation