[Pkg-gnutls-commits] r661 - in /packages/gnutls26/trunk/debian: changelog patches/24_intermedcert.patch patches/25_bufferoverrun.patch
ametzler at users.alioth.debian.org
ametzler at users.alioth.debian.org
Wed Feb 4 19:23:24 UTC 2009
Author: ametzler
Date: Wed Feb 4 19:23:24 2009
New Revision: 661
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=661
Log:
2.4.3 in disguise
Added:
packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch
Modified:
packages/gnutls26/trunk/debian/changelog
Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=661&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Wed Feb 4 19:23:24 2009
@@ -1,6 +1,13 @@
gnutls26 (2.4.2-6) UNRELEASED; urgency=low
* NOT RELEASED YET
+ * To new patches, making this 2.4.3 in disguise:
+ + 24_intermedcertificate.patch If a non-root certificate ist trusted
+ gnutls certificateificate verification stops there instead of checking
+ to up to the root of the certificate chain.
+ + 25_1_bufferoverrun.patch. Fix buffer overrun bug in
+ gnutls_x509_crt_list_import.
+ http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
-- Andreas Metzler <ametzler at debian.org> Sat, 31 Jan 2009 18:10:25 +0100
Added: packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/24_intermedcert.patch?rev=661&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/24_intermedcert.patch (added)
+++ packages/gnutls26/trunk/debian/patches/24_intermedcert.patch Wed Feb 4 19:23:24 2009
@@ -1,0 +1,166 @@
+
+** libgnutls: Accept chains where intermediary certs are trusted.
+Before GnuTLS needed to validate the entire chain back to a
+self-signed certificate. GnuTLS will now stop looking when it has
+found an intermediary trusted certificate. The new behaviour is
+useful when chains, for example, contains a top-level CA, an
+intermediary CA signed using RSA-MD5, and an end-entity certificate.
+To avoid chain validation errors due to the RSA-MD5 cert, you can
+explicitly add the intermediary RSA-MD5 cert to your trusted certs.
+The signature on trusted certificates are not checked, so the chain
+has a chance to validate correctly. Reported by "Douglas E. Engert"
+<deengert at anl.gov> in
+<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
+
+--- x/lib/verify.c 2009-02-04 19:52:19.000000000 +0100
++++ x/lib/x509/verify.c 2009-02-04 20:06:24.000000000 +0100
+@@ -53,6 +53,38 @@
+ int tcas_size, unsigned int flags,
+ unsigned int *output);
+
++/* Checks if two certs are identical. Return 0 onn match. */
++static int
++check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
++{
++ gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = { NULL, 0 };
++ int result;
++
++ result = _gnutls_x509_der_encode (cert1->cert, "", &cert1bin, 0);
++ if (result < 0)
++ {
++ gnutls_assert ();
++ goto cleanup;
++ }
++
++ result = _gnutls_x509_der_encode (cert2->cert, "", &cert2bin, 0);
++ if (result < 0)
++ {
++ gnutls_assert ();
++ goto cleanup;
++ }
++
++ if ((cert1bin.size == cert2bin.size) &&
++ (memcmp (cert1bin.data, cert2bin.data, cert1bin.size) == 0))
++ result = 0;
++ else
++ result = 1;
++
++ cleanup:
++ _gnutls_free_datum (&cert1bin);
++ _gnutls_free_datum (&cert2bin);
++ return result;
++}
+
+ /* Checks if the issuer of a certificate is a
+ * Certificate Authority, or if the certificate is the same
+@@ -367,16 +399,12 @@
+ }
+
+
+-/* The algorithm used is:
+- * 1. Check last certificate in the chain. If it is not verified return.
+- * 2. Check if any certificates in the chain are revoked. If yes return.
+- * 3. Try to verify the rest of certificates in the chain. If not verified return.
+- * 4. Return 0.
++/* Verify X.509 certificate chain.
+ *
+ * Note that the return value is an OR of GNUTLS_CERT_* elements.
+ *
+- * This function verifies a X.509 certificate list. The certificate list should
+- * lead to a trusted CA in order to be trusted.
++ * This function verifies a X.509 certificate list. The certificate
++ * list should lead to a trusted certificate in order to be trusted.
+ */
+ static unsigned int
+ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+@@ -389,16 +417,32 @@
+ int i = 0, ret;
+ unsigned int status = 0, output;
+
++ /* Check for revoked certificates in the chain
++ */
++#ifdef ENABLE_PKI
++ for (i = 0; i < clist_size; i++)
++ {
++ ret = gnutls_x509_crt_check_revocation (certificate_list[i],
++ CRLs, crls_size);
++ if (ret == 1)
++ { /* revoked */
++ status |= GNUTLS_CERT_REVOKED;
++ status |= GNUTLS_CERT_INVALID;
++ return status;
++ }
++ }
++#endif
++
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+- * This in addition prevents from verifying self signed certificates
+- * against themselves. This although not bad caused verification
+- * failures on some root self signed certificates that use the MD2
+- * algorithm.
++ * This prevents from verifying self signed certificates against
++ * themselves. This (although not bad) caused verification
++ * failures on some root self signed certificates that use the
++ * MD2 algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+@@ -407,6 +451,30 @@
+ }
+ }
+
++ /* We want to shorten the chain by removing the cert that matches
++ * one of the certs we trust and all the certs after that i.e. if
++ * cert chain is A signed-by B signed-by C signed-by D (signed-by
++ * self-signed E but already removed above), and we trust B, remove
++ * B, C and D. We must leave the first cert on chain. */
++ if (clist_size > 1 && !(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
++ {
++ for (i = 1; i < clist_size; i++)
++ {
++ int j;
++
++ for (j = 0; j < tcas_size; j++)
++ {
++ if (check_if_same_cert (certificate_list[i],
++ trusted_cas[j]) == 0)
++ {
++ clist_size = i;
++ break;
++ }
++ }
++ /* clist_size may have been changed which gets out of loop */
++ }
++ }
++
+ /* Verify the last certificate in the certificate path
+ * against the trusted CA certificate list.
+ *
+@@ -429,22 +497,6 @@
+ return status;
+ }
+
+- /* Check for revoked certificates in the chain
+- */
+-#ifdef ENABLE_PKI
+- for (i = 0; i < clist_size; i++)
+- {
+- ret = gnutls_x509_crt_check_revocation (certificate_list[i],
+- CRLs, crls_size);
+- if (ret == 1)
+- { /* revoked */
+- status |= GNUTLS_CERT_REVOKED;
+- status |= GNUTLS_CERT_INVALID;
+- return status;
+- }
+- }
+-#endif
+-
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)
Added: packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch?rev=661&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch (added)
+++ packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch Wed Feb 4 19:23:24 2009
@@ -1,0 +1,21 @@
+From 2c98c4fe8b2ce7deb852c9308d848c4f371c751c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at crystal.(none)>
+Date: Tue, 23 Sep 2008 18:02:39 +0000
+Subject: Corrected buffer overrun in crt_list_import. Reported and patch by Jonathan Manktelow.
+
+---
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index 8ee8105..8be70e1 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -2826,7 +2826,7 @@ gnutls_x509_crt_list_import (gnutls_x509_crt_t * certs,
+ }
+
+ tmp.data = (void *) ptr;
+- tmp.size = size;
++ tmp.size = data->size - (ptr - (char *) data->data);
+
+ ret =
+ gnutls_x509_crt_import (certs[count], &tmp, GNUTLS_X509_FMT_PEM);
+--
+cgit v0.8.2
More information about the Pkg-gnutls-commits
mailing list