[gnutls-devel] Wrong return value from gnutls_x509_crl_verify

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 1 08:41:54 CET 2016


Nice catch Adrien. However, given that this is quite an old function I
think it may be better to document the old behavior as well. I
have submitted a merge request at:
https://gitlab.com/gnutls/gnutls/merge_requests/166

regards,
Nikos

On Wed, Nov 30, 2016 at 8:27 PM, Adrien Béraud
<adrien.beraud at savoirfairelinux.com> wrote:
> While using gnutls_x509_crl_verify I noticed it returned 1 for a valid CRL.
> The documentation only mentions 0 on success and a negative code on failure.
>
> It turned out the value comes from
> _gnutls_x509_verify_data
> which takes its value from
> pubkey_verify_data
> which returns 1 on success.
>
> Attached is a patch to fix the issue.
>
> best regards,
> Adrien Béraud
> Savoir-faire Linux
>
> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index ecd2369..d4966d0 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -1477,13 +1477,13 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
>              /* error. ignore it */
>              if (verify)
>                  *verify |= GNUTLS_CERT_SIGNATURE_FAILURE;
> -            result = 0;
>          } else if (result < 0) {
>              gnutls_assert();
>              if (verify)
>                  *verify |= GNUTLS_CERT_INVALID;
>              goto cleanup;
>          }
> +        result = 0;
>      }
>
>      {
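Review bot: the moved `result = 0;` changes what callers see on success (0 instead of the 1 that leaked through from pubkey_verify_data), but nothing in the hunk updates the doc comment of gnutls_x509_crl_verify; add a note there that releases before this change returned a positive value on success, so that code written against the old behaviour (`if (ret == 1)` or `if (ret > 0)`) can be recognised. The relocated assignment now also sits after the signature-failure branch (`/* error. ignore it */`), so that branch still returns 0 with the failure reported only through `*verify |= GNUTLS_CERT_SIGNATURE_FAILURE`; a caller that passes `verify == NULL` gets 0 and no indication that the CRL signature did not check out. The documentation should therefore say that `verify` has to be inspected and that the return value alone is not a verdict.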
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel


