Blame gnutls-1.4.1-cve-2008-4989.patch
|
 |
08ca352 |
diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
|
|
|
08ca352 |
--- gnutls-1.4.1/lib/x509/verify.c.chain-verify 2008-11-11 10:55:19.000000000 +0100
|
|
|
08ca352 |
+++ gnutls-1.4.1/lib/x509/verify.c 2008-11-11 10:58:54.000000000 +0100
|
|
|
08ca352 |
@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
|
|
|
08ca352 |
int i = 0, ret;
|
|
|
08ca352 |
unsigned int status = 0, output;
|
|
|
08ca352 |
|
|
|
08ca352 |
+ /* Check if the last certificate in the path is self signed.
|
|
|
08ca352 |
+ * In that case ignore it (a certificate is trusted only if it
|
|
|
08ca352 |
+ * leads to a trusted party by us, not the server's).
|
|
|
08ca352 |
+ */
|
|
|
08ca352 |
+ if (clist_size > 1 &&
|
|
|
08ca352 |
+ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
|
|
|
08ca352 |
+ certificate_list[clist_size - 1]) > 0)
|
|
|
08ca352 |
+ {
|
|
|
08ca352 |
+ clist_size--;
|
|
|
08ca352 |
+ }
|
|
|
08ca352 |
+
|
|
|
08ca352 |
/* Verify the last certificate in the certificate path
|
|
|
08ca352 |
* against the trusted CA certificate list.
|
|
|
08ca352 |
*
|
|
|
08ca352 |
@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
|
|
|
08ca352 |
}
|
|
|
08ca352 |
#endif
|
|
|
08ca352 |
|
|
|
08ca352 |
- /* Check if the last certificate in the path is self signed.
|
|
|
08ca352 |
- * In that case ignore it (a certificate is trusted only if it
|
|
|
08ca352 |
- * leads to a trusted party by us, not the server's).
|
|
|
08ca352 |
- */
|
|
|
08ca352 |
- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
|
|
|
08ca352 |
- certificate_list[clist_size - 1]) > 0
|
|
|
08ca352 |
- && clist_size > 0)
|
|
|
08ca352 |
- {
|
|
|
08ca352 |
- clist_size--;
|
|
|
08ca352 |
- }
|
|
|
08ca352 |
-
|
|
|
08ca352 |
/* Verify the certificate path (chain)
|
|
|
08ca352 |
*/
|
|
|
08ca352 |
for (i = clist_size - 1; i > 0; i--)
|