gnutls-commit
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-30-ga6824de


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-30-ga6824de
Date: Fri, 13 Jul 2012 16:03:26 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=a6824de916dafe17bc72042ba4b7a741b8703c63

The branch, master has been updated
       via  a6824de916dafe17bc72042ba4b7a741b8703c63 (commit)
      from  8dcf133d55c6f97c1a5cb1267b1d6b463fb405f4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a6824de916dafe17bc72042ba4b7a741b8703c63
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Jul 13 18:02:13 2012 +0200

    When verifying a certificate chain make sure it is a chain.
    
    If the chain is interrupted (wrong) at some point then truncate it and
    only try to verify the correct part. Patch by David Woodhouse.

-----------------------------------------------------------------------

Summary of changes:
 lib/x509/verify-high.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 83b3cf0..4ecab5b 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -350,6 +350,18 @@ static int shorten_clist(gnutls_x509_trust_list_t list,
     uint32_t hash;
     gnutls_datum_t dn;
 
+    /* Start by truncating any disjoint list of certificates. For
+     * example, if the server presented a chain A->B->C->X->Y->Z
+     * where X is *not* actually the issuer of C, truncate at C.
+     */
+    for(i=1;i<clist_size;i++) {
+        if (!gnutls_x509_crt_check_issuer(certificate_list[i-1],
+                                          certificate_list[i])) {
+            gnutls_assert();
+            clist_size = i;
+        }
+    }
+
     if (clist_size > 1) {
         /* Check if the last certificate in the path is self signed.
          * In that case ignore it (a certificate is trusted only if it
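Review bot: the loop does not stop explicitly once it has truncated, and it relies on `i` being declared earlier in shorten_clist() (not visible in this hunk). After `clist_size = i;` the next `i++` makes `i == clist_size`, so the loop does terminate, but that is an implicit consequence of shrinking the bound; a `break;` after the assignment states the intent and guarantees the list is cut at the first gap even if the loop bound is later changed. Worth noting for anyone reading the check: gnutls_x509_crt_check_issuer() decides only whether certificate_list[i] names itself as the issuer of certificate_list[i-1]; it is not a signature check, so a wrong-but-well-named certificate survives this pass and is rejected later in verification. The gnutls_assert() on the truncation path is the only trace left of the discarded tail, which is fine for debugging but means callers see the later failure (an unrooted chain) rather than the cause. The point of the change is that the self-signed check that follows this hunk now looks at the last certificate of the contiguous part rather than at whatever the peer appended, so an unrelated self-signed certificate at the end of the list no longer reads as the root of the path.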


hooks/post-receive
-- 
GNU gnutls
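To make the effect of the truncation concrete, the following is an added example (not GnuTLS code and not part of the commit above) that runs the same walk over a constructed list of toy certificates. `toy_cert` and `toy_check_issuer()` are stand-ins: the toy check compares names only, whereas the real gnutls_x509_crt_check_issuer() also looks at key identifiers, and neither is a signature check. The disjoint chain follows the commit's own comment, A->B->C->X->Y->Z with X not the issuer of C, and ends in a self-signed Z so that the difference between "last certificate in the list" and "last certificate of the chain" is visible.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: only the two names the
 * truncation logic looks at. Not a real certificate structure. */
typedef struct {
    const char *subject;
    const char *issuer;
} toy_cert;

/* Stand-in for gnutls_x509_crt_check_issuer(): non-zero when `issuer`
 * names itself as the issuer of `cert`. Name comparison only; the real
 * function also compares key identifiers. No signature is verified. */
static int toy_check_issuer(const toy_cert *cert, const toy_cert *issuer)
{
    return strcmp(cert->issuer, issuer->subject) == 0;
}

/* Walk the list and cut it at the first certificate that is not the
 * issuer of its predecessor. Returns the number of certificates that
 * still form a contiguous chain (same idea as the hunk's loop, with an
 * explicit early return instead of relying on the shrunken bound). */
size_t shorten_disjoint_chain(const toy_cert *list, size_t n)
{
    size_t i;
    for (i = 1; i < n; i++) {
        if (!toy_check_issuer(&list[i - 1], &list[i]))
            return i; /* list[i] is the first disjoint certificate */
    }
    return n;
}

/* The check the real code performs next: does the list end at a
 * self-signed certificate? Name comparison only, as above. */
int ends_self_signed(const toy_cert *list, size_t n)
{
    return n > 0 && strcmp(list[n - 1].subject, list[n - 1].issuer) == 0;
}

/* Constructed input: a proper three-certificate chain. */
static const toy_cert good_chain[] = {
    {"CN=www.example.test", "CN=Intermediate CA"},
    {"CN=Intermediate CA",  "CN=Root CA"},
    {"CN=Root CA",          "CN=Root CA"},
};

/* Constructed input: A->B->C->X->Y->Z, where C was issued by some D that
 * is not in the list, X is unrelated to C, and Z is self-signed. */
static const toy_cert disjoint_chain[] = {
    {"CN=A", "CN=B"},
    {"CN=B", "CN=C"},
    {"CN=C", "CN=D"},
    {"CN=X", "CN=Y"},
    {"CN=Y", "CN=Z"},
    {"CN=Z", "CN=Z"},
};

int main(void)
{
    size_t n_good = sizeof(good_chain) / sizeof(good_chain[0]);
    size_t n_bad  = sizeof(disjoint_chain) / sizeof(disjoint_chain[0]);
    size_t kept;

    kept = shorten_disjoint_chain(good_chain, n_good);
    printf("good chain: %zu of %zu kept, self-signed end: %d\n",
           kept, n_good, ends_self_signed(good_chain, kept));

    /* Before truncation the list ends at self-signed Z and looks rooted;
     * after truncation it ends at C, whose issuer D is absent, so the
     * later verification steps have nothing to anchor on and fail. */
    printf("disjoint chain as presented: self-signed end: %d\n",
           ends_self_signed(disjoint_chain, n_bad));
    kept = shorten_disjoint_chain(disjoint_chain, n_bad);
    printf("disjoint chain: %zu of %zu kept, self-signed end: %d\n",
           kept, n_bad, ends_self_signed(disjoint_chain, kept));
    return 0;
}
```

The instructive comparison is the last two lines of output: the untruncated list "ends" at a self-signed certificate, the truncated one does not, which is exactly the state the self-signed check after the hunk should be looking at.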