[gnutls-devel] Wrong return value from gnutls_x509_crl_verify
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Dec 1 08:41:54 CET 2016
Nice catch Adrien. However, given that this is a quite old function I
think it may be better to also document the old behavior as well. I
have submitted a merge request at:
https://gitlab.com/gnutls/gnutls/merge_requests/166
regards,
Nikos
On Wed, Nov 30, 2016 at 8:27 PM, Adrien Béraud
<adrien.beraud at savoirfairelinux.com> wrote:
> While using gnutls_x509_crl_verify I noticed it returned 1 for a valid CRL.
> The documentation only mentions 0 on success and a negative code on failure.
>
> It turned out the value comes from
> _gnutls_x509_verify_data
> which takes its value from
> pubkey_verify_data
> which returns 1 on success.
>
> Attached is a patch to fix the issue.
>
> best regards,
> Adrien Béraud
> Savoir-faire Linux
>
> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index ecd2369..d4966d0 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -1477,13 +1477,13 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
> /* error. ignore it */
> if (verify)
> *verify |= GNUTLS_CERT_SIGNATURE_FAILURE;
> - result = 0;
> } else if (result < 0) {
> gnutls_assert();
> if (verify)
> *verify |= GNUTLS_CERT_INVALID;
> goto cleanup;
> }
> + result = 0;
> }
>
> {
>
>
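Review bot: moving `result = 0;` from the signature-failure branch to after the `else if` chain means a valid CRL and a CRL whose signature check failed now both return 0, distinguishable only through the `verify` output flags; since `verify` is guarded by `if (verify)` and may be NULL, a caller that passes NULL and was (unintentionally) relying on the old 1-vs-0 difference silently loses the ability to tell the two apart, so the function documentation should state explicitly that 0 is returned in both cases and that `verify` must be supplied and checked for `GNUTLS_CERT_SIGNATURE_FAILURE` and `GNUTLS_CERT_INVALID` before the CRL is trusted. The `result < 0` path is unchanged by the move and still reaches `cleanup` with the original error code, which is the behaviour the documented contract expects.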
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel