| verify-high.c | verify-high.c | |||
|---|---|---|---|---|
| skipping to change at line 690 | skipping to change at line 690 | |||
| * @crl_list: A list of CRLs | * @crl_list: A list of CRLs | |||
| * @crl_size: The length of the CRL list | * @crl_size: The length of the CRL list | |||
| * @flags: if GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified befor e being added. | * @flags: if GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified befor e being added. | |||
| * @verification_flags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL | * @verification_flags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL | |||
| * | * | |||
| * This function will add the given certificate revocation lists | * This function will add the given certificate revocation lists | |||
| * to the trusted list. The list of CRLs must not be deinitialized | * to the trusted list. The list of CRLs must not be deinitialized | |||
| * during this structure's lifetime. | * during this structure's lifetime. | |||
| * | * | |||
| * This function must be called after gnutls_x509_trust_list_add_cas() | * This function must be called after gnutls_x509_trust_list_add_cas() | |||
| * to allow verifying the CRLs for validity. | * to allow verifying the CRLs for validity. If the flag %GNUTLS_TL_NO_DUPL | |||
| ICATES | ||||
| * is given, then any provided CRLs that are a duplicate, will be deinitial | ||||
| ized | ||||
| * and not added to the list (that assumes that gnutls_x509_trust_list_dein | ||||
| it() | ||||
| * will be called with all=1). | ||||
| * | * | |||
| * Returns: The number of added elements is returned. | * Returns: The number of added elements is returned. | |||
| * | * | |||
| * Since: 3.0 | * Since: 3.0 | |||
| **/ | **/ | |||
| int | int | |||
| gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, | gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, | |||
| const gnutls_x509_crl_t * crl_list, | const gnutls_x509_crl_t * crl_list, | |||
| int crl_size, unsigned int flags, | int crl_size, unsigned int flags, | |||
| unsigned int verification_flags) | unsigned int verification_flags) | |||
| { | { | |||
| int ret, i, j = 0; | int ret, i, j = 0; | |||
| unsigned x; | ||||
| unsigned int vret = 0; | unsigned int vret = 0; | |||
| uint32_t hash; | uint32_t hash; | |||
| /* Probably we can optimize things such as removing duplicates | /* Probably we can optimize things such as removing duplicates | |||
| * etc. | * etc. | |||
| */ | */ | |||
| if (crl_size == 0 || crl_list == NULL) | if (crl_size == 0 || crl_list == NULL) | |||
| return 0; | return 0; | |||
| for (i = 0; i < crl_size; i++) { | for (i = 0; i < crl_size; i++) { | |||
| skipping to change at line 728 | skipping to change at line 732 | |||
| if (flags & GNUTLS_TL_VERIFY_CRL) { | if (flags & GNUTLS_TL_VERIFY_CRL) { | |||
| ret = | ret = | |||
| gnutls_x509_crl_verify(crl_list[i], | gnutls_x509_crl_verify(crl_list[i], | |||
| list->node[hash]. | list->node[hash]. | |||
| trusted_cas, | trusted_cas, | |||
| list->node[hash]. | list->node[hash]. | |||
| trusted_ca_size, | trusted_ca_size, | |||
| verification_flags, | verification_flags, | |||
| &vret); | &vret); | |||
| if (ret < 0 || vret != 0) | if (ret < 0 || vret != 0) { | |||
| _gnutls_debug_log("CRL verification failed, | ||||
| not adding it\n"); | ||||
| continue; | continue; | |||
| } | ||||
| } | ||||
| /* If the CRL added overrides a previous one, then overwrite | ||||
| * the old one */ | ||||
| if (flags & GNUTLS_TL_NO_DUPLICATES) { | ||||
| for (x=0;x<list->node[hash].crl_size;x++) { | ||||
| if (crl_list[i]->raw_issuer_dn.size == list- | ||||
| >node[hash].crls[x]->raw_issuer_dn.size && | ||||
| memcmp(crl_list[i]->raw_issuer_dn.data, | ||||
| list->node[hash].crls[x]->raw_issuer_dn.data, crl_list[i]->raw_issuer_dn.si | ||||
| ze) == 0) { | ||||
| if (gnutls_x509_crl_get_this_update( | ||||
| crl_list[i]) >= | ||||
| gnutls_x509_crl_get_this_update( | ||||
| list->node[hash].crls[x])) { | ||||
| gnutls_x509_crl_deinit(list- | ||||
| >node[hash].crls[x]); | ||||
| list->node[hash].crls[x] = c | ||||
| rl_list[i]; | ||||
| goto next; | ||||
| } else { | ||||
| /* The new is older, discard | ||||
| it */ | ||||
| gnutls_x509_crl_deinit(crl_l | ||||
| ist[i]); | ||||
| continue; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | } | |||
| list->node[hash].crls = | list->node[hash].crls = | |||
| gnutls_realloc_fast(list->node[hash].crls, | gnutls_realloc_fast(list->node[hash].crls, | |||
| (list->node[hash].crl_size + | (list->node[hash].crl_size + | |||
| 1) * | 1) * | |||
| sizeof(list->node[hash]. | sizeof(list->node[hash]. | |||
| trusted_cas[0])); | trusted_cas[0])); | |||
| if (list->node[hash].crls == NULL) { | if (list->node[hash].crls == NULL) { | |||
| gnutls_assert(); | gnutls_assert(); | |||
| return i; | return i; | |||
| } | } | |||
| list->node[hash].crls[list->node[hash].crl_size] = | list->node[hash].crls[list->node[hash].crl_size] = | |||
| crl_list[i]; | crl_list[i]; | |||
| list->node[hash].crl_size++; | list->node[hash].crl_size++; | |||
| next: | ||||
| j++; | j++; | |||
| } | } | |||
| return j; | return j; | |||
| } | } | |||
| /* Takes a certificate list and shortens it if there are | /* Takes a certificate list and shortens it if there are | |||
| * intermedia certificates already trusted by us. | * intermedia certificates already trusted by us. | |||
| * | * | |||
| * Returns the new size of the list or a negative number on error. | * Returns the new size of the list or a negative number on error. | |||
| End of changes. 5 change blocks. | ||||
| 2 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||