Commit 7aabe346 authored by Adrien Béraud's avatar Adrien Béraud

contrib: update opendht

Change-Id: Iabc63814f515d53f1de8fc539ba49e154843a1cd
parent d7a83d24
948a4a0ede624d7604535040e88d74a559b9fd6d8509d5e98d2595110cfc810b1f062b3efca26cdf8b24ef79bdfeaca7c656d4c6b0a6536b5261da01c07a6cbc opendht-2.2.0rc2.tar.gz
\ No newline at end of file
beb019785130c514d44d1861c9b0c17d383daae307cd08dba72bea881e91a14f8cf510862bc8969d27083c4b7d8a463423f38e9fb00fed4c0229a8d460914112 opendht-2.2.0rc4.tar.gz
\ No newline at end of file
{
"name": "opendht",
"version": "2.2.0rc2",
"version": "2.2.0rc4",
"url": "https://github.com/savoirfairelinux/opendht/archive/__VERSION__.tar.gz",
"deps": [
"argon2",
......
# OPENDHT
OPENDHT_VERSION := 2.2.0rc2
OPENDHT_VERSION := 2.2.0rc4
OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
PKGS += opendht
......
......@@ -653,6 +653,8 @@ TlsSession::TlsSessionImpl::verifyCertificateWrapper(gnutls_session_t session)
verified = this_->callbacks_.verifyCertificate(session);
if (verified != GNUTLS_E_SUCCESS)
return verified;
} else {
verified = GNUTLS_E_SUCCESS;
}
/*
* Support only x509 format
......@@ -679,7 +681,7 @@ TlsSession::TlsSessionImpl::verifyCertificateWrapper(gnutls_session_t session)
std::string ocspUrl = getOcspUrl(cert.cert);
if (ocspUrl.empty()) {
JAMI_DBG("Skipping OCSP verification %s: AIA not found", cert.getUID().c_str());
// Skipping OCSP verification: AIA not found
return verified;
}
......@@ -748,7 +750,7 @@ TlsSession::TlsSessionImpl::verifyOcsp(const std::string& aia_uri,
return;
}
JAMI_DBG("HTTP OCSP Request done!");
unsigned int verify = 0;
gnutls_ocsp_cert_status_t verify = GNUTLS_OCSP_CERT_UNKNOWN;
try {
cert.ocspResponse = std::make_shared<dht::crypto::OcspResponse>(
(const uint8_t*) r.body.data(), r.body.size());
......@@ -756,32 +758,24 @@ TlsSession::TlsSessionImpl::verifyOcsp(const std::string& aia_uri,
verify = cert.ocspResponse->verifyDirect(cert, nonce);
} catch (dht::crypto::CryptoException& e) {
JAMI_ERR("Failed to verify OCSP response: %s", e.what());
}
if (verify == GNUTLS_OCSP_CERT_UNKNOWN) {
// Soft-fail
if (cb)
cb(GNUTLS_E_INVALID_REQUEST);
cb(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
return;
}
if (verify == 0)
int status = GNUTLS_E_SUCCESS;
if (verify == GNUTLS_OCSP_CERT_GOOD) {
JAMI_DBG("OCSP verification success!");
else
JAMI_ERR("OCSP verification error!");
if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
JAMI_ERR("Signer cert not found");
if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
JAMI_ERR("Signer cert keyusage error");
if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
JAMI_ERR("Signer cert is not trusted");
if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
JAMI_ERR("Insecure algorithm");
if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
JAMI_ERR("Signature failure");
if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
JAMI_ERR("Signer cert not yet activated");
if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
JAMI_ERR("Signer cert expired");
} else {
status = GNUTLS_E_CERTIFICATE_ERROR;
JAMI_ERR("OCSP verification: certificate is revoked!");
}
// Save response into the certificate store
tls::CertificateStore::instance().pinOcspResponse(cert);
if (cb)
cb(verify);
cb(status);
});
}
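Review bot: In the last hunk a `dht::crypto::CryptoException` from `verifyDirect` (a response that fails parsing, signature or trust checks) leaves `verify` at `GNUTLS_OCSP_CERT_UNKNOWN`, so it takes the soft-fail branch and reports `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` exactly as a missing response would; an actively tampered response is therefore indistinguishable from an absent one, and this change makes that path look more benign than the `GNUTLS_E_INVALID_REQUEST` it replaces. Whether soft-fail is the intended policy for that case cannot be told from the hunk, so either the intent should be documented — e.g. replace the bare `// Soft-fail` with `// Soft-fail: an unusable response (missing, unparsable, or failing signature/trust checks) is reported as unavailable rather than as a certificate error; callers decide how to treat it` — or the catch branch should record the failure in a local flag and answer `GNUTLS_E_CERTIFICATE_ERROR` before the unknown check, keeping soft-fail for the genuinely-unknown status only. Minor: catch by `const dht::crypto::CryptoException& e`. The lambda body starts and `verifyOcsp`'s signature lies outside the hunk, so how the callback result is consumed is not visible here.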
......