[Pkg-gnutls-commits] r661 - in /packages/gnutls26/trunk/debian: changelog patches/24_intermedcert.patch patches/25_bufferoverrun.patch

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Wed Feb 4 19:23:24 UTC 2009


Author: ametzler
Date: Wed Feb  4 19:23:24 2009
New Revision: 661

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=661
Log:
2.4.3 in disguise

Added:
    packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
    packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch
Modified:
    packages/gnutls26/trunk/debian/changelog

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=661&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Wed Feb  4 19:23:24 2009
@@ -1,6 +1,13 @@
 gnutls26 (2.4.2-6) UNRELEASED; urgency=low
 
   * NOT RELEASED YET
+  * To new patches, making this 2.4.3 in disguise:
+    + 24_intermedcertificate.patch If a non-root certificate ist trusted
+      gnutls certificateificate verification stops there instead of checking
+      to up to the root of the certificate chain.
+    + 25_1_bufferoverrun.patch. Fix buffer overrun bug in
+      gnutls_x509_crt_list_import.
+      http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
 
  -- Andreas Metzler <ametzler at debian.org>  Sat, 31 Jan 2009 18:10:25 +0100
 

Added: packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/24_intermedcert.patch?rev=661&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/24_intermedcert.patch (added)
+++ packages/gnutls26/trunk/debian/patches/24_intermedcert.patch Wed Feb  4 19:23:24 2009
@@ -1,0 +1,166 @@
+
+** libgnutls: Accept chains where intermediary certs are trusted.
+Before GnuTLS needed to validate the entire chain back to a
+self-signed certificate.  GnuTLS will now stop looking when it has
+found an intermediary trusted certificate.  The new behaviour is
+useful when chains, for example, contains a top-level CA, an
+intermediary CA signed using RSA-MD5, and an end-entity certificate.
+To avoid chain validation errors due to the RSA-MD5 cert, you can
+explicitly add the intermediary RSA-MD5 cert to your trusted certs.
+The signature on trusted certificates are not checked, so the chain
+has a chance to validate correctly.  Reported by "Douglas E. Engert"
+<deengert at anl.gov> in
+<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
+
+--- x/lib/verify.c	2009-02-04 19:52:19.000000000 +0100
++++ x/lib/x509/verify.c	2009-02-04 20:06:24.000000000 +0100
+@@ -53,6 +53,38 @@
+ 				int tcas_size, unsigned int flags,
+ 				unsigned int *output);
+ 
++/* Checks if two certs are identical.  Return 0 onn match. */
++static int
++check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
++{
++  gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = { NULL, 0 };
++  int result;
++
++  result = _gnutls_x509_der_encode (cert1->cert, "", &cert1bin, 0);
++  if (result < 0)
++    {
++      gnutls_assert ();
++      goto cleanup;
++    }
++
++  result = _gnutls_x509_der_encode (cert2->cert, "", &cert2bin, 0);
++  if (result < 0)
++    {
++      gnutls_assert ();
++      goto cleanup;
++    }
++
++  if ((cert1bin.size == cert2bin.size) &&
++      (memcmp (cert1bin.data, cert2bin.data, cert1bin.size) == 0))
++    result = 0;
++  else
++    result = 1;
++
++ cleanup:
++  _gnutls_free_datum (&cert1bin);
++  _gnutls_free_datum (&cert2bin);
++  return result;
++}
+ 
+ /* Checks if the issuer of a certificate is a
+  * Certificate Authority, or if the certificate is the same
+@@ -367,16 +399,12 @@
+ }
+ 
+ 
+-/* The algorithm used is:
+- * 1. Check last certificate in the chain. If it is not verified return.
+- * 2. Check if any certificates in the chain are revoked. If yes return.
+- * 3. Try to verify the rest of certificates in the chain. If not verified return.
+- * 4. Return 0.
++/* Verify X.509 certificate chain.
+  *
+  * Note that the return value is an OR of GNUTLS_CERT_* elements.
+  *
+- * This function verifies a X.509 certificate list. The certificate list should
+- * lead to a trusted CA in order to be trusted.
++ * This function verifies a X.509 certificate list. The certificate
++ * list should lead to a trusted certificate in order to be trusted.
+  */
+ static unsigned int
+ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+@@ -389,16 +417,32 @@
+   int i = 0, ret;
+   unsigned int status = 0, output;
+ 
++  /* Check for revoked certificates in the chain
++   */
++#ifdef ENABLE_PKI
++  for (i = 0; i < clist_size; i++)
++    {
++      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
++					      CRLs, crls_size);
++      if (ret == 1)
++	{			/* revoked */
++	  status |= GNUTLS_CERT_REVOKED;
++	  status |= GNUTLS_CERT_INVALID;
++	  return status;
++	}
++    }
++#endif
++
+   if (clist_size > 1) 
+     {
+       /* Check if the last certificate in the path is self signed.
+        * In that case ignore it (a certificate is trusted only if it
+        * leads to a trusted party by us, not the server's).
+        *
+-       * This in addition prevents from verifying self signed certificates
+-       * against themselves. This although not bad caused verification
+-       * failures on some root self signed certificates that use the MD2
+-       * algorithm.
++       * This prevents from verifying self signed certificates against
++       * themselves. This (although not bad) caused verification
++       * failures on some root self signed certificates that use the
++       * MD2 algorithm.
+        */
+       if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+   				    certificate_list[clist_size - 1]) > 0)
+@@ -407,6 +451,30 @@
+         }
+     }
+ 
++  /* We want to shorten the chain by removing the cert that matches
++   * one of the certs we trust and all the certs after that i.e. if
++   * cert chain is A signed-by B signed-by C signed-by D (signed-by
++   * self-signed E but already removed above), and we trust B, remove
++   * B, C and D.  We must leave the first cert on chain. */
++  if (clist_size > 1 && !(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
++    {
++      for (i = 1; i < clist_size; i++)
++	{
++	  int j;
++
++	  for (j = 0; j < tcas_size; j++)
++	    {
++	      if (check_if_same_cert (certificate_list[i],
++				      trusted_cas[j]) == 0)
++		{
++		  clist_size = i;
++		  break;
++		}
++	    }
++	  /* clist_size may have been changed which gets out of loop */
++	}
++    }
++
+   /* Verify the last certificate in the certificate path
+    * against the trusted CA certificate list.
+    *
+@@ -429,22 +497,6 @@
+       return status;
+     }
+ 
+-  /* Check for revoked certificates in the chain
+-   */
+-#ifdef ENABLE_PKI
+-  for (i = 0; i < clist_size; i++)
+-    {
+-      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
+-					      CRLs, crls_size);
+-      if (ret == 1)
+-	{			/* revoked */
+-	  status |= GNUTLS_CERT_REVOKED;
+-	  status |= GNUTLS_CERT_INVALID;
+-	  return status;
+-	}
+-    }
+-#endif
+-
+   /* Verify the certificate path (chain) 
+    */
+   for (i = clist_size - 1; i > 0; i--)
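Review bot: The header comment on check_if_same_cert understates its contract: when either `_gnutls_x509_der_encode` call fails, `result` keeps the negative error code and is returned as-is, and the only caller (the truncation loop) tests `== 0`, so an encoding error silently counts as "not the same certificate" — fail-closed, but it should be stated; suggest `/* Checks whether two certs are byte-identical in DER form.  Returns 0 on match, 1 on mismatch, or a negative error code if either cert cannot be re-encoded (callers treat that as no match). */`. Separately, the file header pairs `--- x/lib/verify.c` with `+++ x/lib/x509/verify.c`; GNU patch normally resolves this by choosing the path that exists, but the two names should agree so that applying the patch does not depend on that heuristic. The revocation loop now runs before the chain is cut at a trusted intermediary, so the intermediary itself is still checked against the CRLs even though its signature is not verified, which is the behaviour one wants here. The tail of _gnutls_x509_verify_certificate, including the chain-verification loop, continues outside the hunk.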

Added: packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch?rev=661&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch (added)
+++ packages/gnutls26/trunk/debian/patches/25_bufferoverrun.patch Wed Feb  4 19:23:24 2009
@@ -1,0 +1,21 @@
+From 2c98c4fe8b2ce7deb852c9308d848c4f371c751c Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at crystal.(none)>
+Date: Tue, 23 Sep 2008 18:02:39 +0000
+Subject: Corrected buffer overrun in crt_list_import. Reported and patch by Jonathan Manktelow.
+
+---
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index 8ee8105..8be70e1 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -2826,7 +2826,7 @@ gnutls_x509_crt_list_import (gnutls_x509_crt_t * certs,
+ 	    }
+ 
+ 	  tmp.data = (void *) ptr;
+-	  tmp.size = size;
++	  tmp.size = data->size - (ptr - (char *) data->data);
+ 
+ 	  ret =
+ 	    gnutls_x509_crt_import (certs[count], &tmp, GNUTLS_X509_FMT_PEM);
+--
+cgit v0.8.2
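Review bot: The new bound `data->size - (ptr - (char *) data->data)` is only correct while `ptr` lies within `[data->data, data->data + data->size]`; if the PEM-header search that advances `ptr` can ever step past the end of the input, the unsigned subtraction wraps to a huge `tmp.size` and the overrun this commit fixes comes back. The code that positions `ptr` is outside this hunk, so confirm there that the search is bounded by `data->size`, or guard the assignment with `if ((size_t)(ptr - (char *) data->data) > data->size) break;` before it. gnutls_x509_crt_list_import begins and ends outside the hunk.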



