[gnutls-devel] Wrong return value from gnutls_x509_crl_verify
Adrien Béraud
adrien.beraud at savoirfairelinux.com
Wed Nov 30 20:27:00 CET 2016
While using gnutls_x509_crl_verify I noticed it returned 1 for a valid CRL.
The documentation only mentions 0 on success and a negative code on failure.
It turned out the value comes from _gnutls_x509_verify_data, which takes its value from pubkey_verify_data, which returns 1 on success.
Attached is a patch to fix the issue.
Best regards,
Adrien Béraud
Savoir-faire Linux
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index ecd2369..d4966d0 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1477,13 +1477,13 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
/* error. ignore it */
if (verify)
*verify |= GNUTLS_CERT_SIGNATURE_FAILURE;
- result = 0;
} else if (result < 0) {
gnutls_assert();
if (verify)
*verify |= GNUTLS_CERT_INVALID;
goto cleanup;
}
+ result = 0;
}
{
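Review bot: moving `result = 0;` below the if/else chain means a caller that passes a NULL `verify` pointer now gets 0 from the "error. ignore it" branch with no indication that the signature check failed, since the only record of that failure is the `*verify |= GNUTLS_CERT_SIGNATURE_FAILURE` that is skipped when `verify` is NULL. The same was already true of the removed `result = 0;` inside that branch, so the patch does not make it worse, but because 0 is now also the documented success value for the case where `_gnutls_x509_verify_data` returned 1, the function's documentation should state explicitly that a 0 return does not mean the CRL is valid and that `*verify` must be inspected for GNUTLS_CERT_SIGNATURE_FAILURE. The `result < 0` path still exits through `goto cleanup` with the negative code, which is correct.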
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_verify_result.patch
Type: text/x-patch
Size: 455 bytes
Desc: not available
URL: </pipermail/attachments/20161130/16d7b375/attachment.bin>