[gnutls-devel] Support for OCSP Must-staple ?

Tim Kosse tim.kosse at filezilla-project.org
Tue Jun 14 17:24:54 CEST 2016


I'm not sure whether you have seen my comments. It looks like the
original merge request has been committed to master and released as
3.5.1 unchanged.


On 2016-06-01 18:40, Tim Kosse wrote:
> Hi,
>
> I had a look at the merge request. While I couldn't find any major
> issues, there are still a few small things that should probably be fixed:
>
> verify_crt in lib/x509/verify.c:
> Function description still mentions the removed issuer parameter
>
> verify_crt in lib/x509/verify.c:
> The TLS feature check re-uses the nc_done label from the name
> constraints checks. While the functionality is correct right now, it's
> an easy source for errors should this function be changed in the future.
> I suggest moving the TLS feature checking below the nc_done label and
> adding a separate feat_done label.
>
> gnutls_x509_tlsfeatures_crt in lib/x509/tls_features.c:
> Line 240, format specifier doesn't match type of arguments. The size in
> gnutls_x509_tlsfeatures_t is unsigned int.
>
> parse_tlsfeatures in lib/x509/x509_ext.c:
> The size limitation check should be done after the duplicate check,
> otherwise appending fails when verifying chains where certificates use
> the maximum allowed number of features.
>
> tests/tlsfeature-ext.c:
> Lines 145 and 146: The comment doesn't match the assert.
>
> Regards,
> Tim
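
The ordering issue raised for parse_tlsfeatures, shown as an added example that is not part of the original message and is not GnuTLS code. The struct, the function names, the limit of 4 and the feature values are all constructed for illustration; only the order of the two checks mirrors the point in the review.

```c
#include <stddef.h>

#define MAX_FEATURES 4 /* constructed limit, not the real GnuTLS constant */

struct feature_set {
    unsigned int size;
    unsigned short feature[MAX_FEATURES];
};

static int contains(const struct feature_set *s, unsigned short f)
{
    for (unsigned int i = 0; i < s->size; i++)
        if (s->feature[i] == f)
            return 1;
    return 0;
}

/* Limit check first: a full set rejects even a feature it already holds. */
int append_limit_first(struct feature_set *s, const unsigned short *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (s->size >= MAX_FEATURES)
            return -1;
        if (contains(s, in[i]))
            continue;
        s->feature[s->size++] = in[i];
    }
    return 0;
}

/* Duplicate check first: only a genuinely new feature can hit the limit. */
int append_dup_first(struct feature_set *s, const unsigned short *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (contains(s, in[i]))
            continue;
        if (s->size >= MAX_FEATURES)
            return -1;
        s->feature[s->size++] = in[i];
    }
    return 0;
}

/* Constructed chain: two certificates carrying the same MAX_FEATURES features. */
int merge_chain(int (*append)(struct feature_set *, const unsigned short *, size_t))
{
    static const unsigned short cert[MAX_FEATURES] = { 5, 17, 23, 42 };
    struct feature_set acc = { 0, { 0 } };
    if (append(&acc, cert, MAX_FEATURES) < 0)
        return -1;
    return append(&acc, cert, MAX_FEATURES);
}
```

With the limit check first, merging the second certificate fails although it adds nothing new; with the duplicate check first, the same chain is accepted and an actual overflow is still rejected.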
