[Pkg-gnutls-commits] r664 - in /packages/gnutls26/trunk/debian: changelog patches/26_movedowncrlchackagain.patch

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Sat Feb 7 11:19:42 UTC 2009


Author: ametzler
Date: Sat Feb  7 11:19:42 2009
New Revision: 664

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=664
Log:
add 26_movedowncrlchackagain.patch

Added:
    packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
Modified:
    packages/gnutls26/trunk/debian/changelog

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=664&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Feb  7 11:19:42 2009
@@ -10,6 +10,8 @@
     + 25_1_bufferoverrun.patch. Fix buffer overrun bug in
       gnutls_x509_crt_list_import.
       http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
+    + 26_movedowncrlchackagain.patch revert crl check order applied in
+      25_1_bufferoverrun.patch.
 
  -- Andreas Metzler <ametzler at debian.org>  Sat, 31 Jan 2009 18:10:25 +0100
 

Added: packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch?rev=664&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch (added)
+++ packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch Sat Feb  7 11:19:42 2009
@@ -1,0 +1,61 @@
+From 5c6c117fced2807bd1ea9be92b1d9334c221fa8e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon at josefsson.org>
+Date: Fri, 06 Feb 2009 19:13:45 +0000
+Subject: Move down revocation check to revert code to how it looked before.
+
+The idea is that if you have marked a cert as trusted, you may want to trust
+it even though some authority has revoked it.  This changes back how
+this code used to work.
+---
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index a35b4e8..e53799c 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -415,22 +415,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+   int i = 0, ret;
+   unsigned int status = 0, output;
+ 
+-  /* Check for revoked certificates in the chain
+-   */
+-#ifdef ENABLE_PKI
+-  for (i = 0; i < clist_size; i++)
+-    {
+-      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
+-					      CRLs, crls_size);
+-      if (ret == 1)
+-	{			/* revoked */
+-	  status |= GNUTLS_CERT_REVOKED;
+-	  status |= GNUTLS_CERT_INVALID;
+-	  return status;
+-	}
+-    }
+-#endif
+-
+   if (clist_size > 1)
+     {
+       /* Check if the last certificate in the path is self signed.
+@@ -493,6 +477,22 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+       return status;
+     }
+ 
++  /* Check for revoked certificates in the chain
++   */
++#ifdef ENABLE_PKI
++  for (i = 0; i < clist_size; i++)
++    {
++      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
++					      CRLs, crls_size);
++      if (ret == 1)
++	{			/* revoked */
++	  status |= GNUTLS_CERT_REVOKED;
++	  status |= GNUTLS_CERT_INVALID;
++	  return status;
++	}
++    }
++#endif
++
+   /* Verify the certificate path (chain)
+    */
+   for (i = clist_size - 1; i > 0; i--)
+--
+cgit v0.8.2
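Review bot: After this move the CRL loop in _gnutls_x509_verify_certificate runs only for chains that survive the earlier `return status;` exits (the context line just above the re-inserted block), so a chain accepted on one of those paths — per the patch description, a certificate that matches the trusted list — is never compared against the supplied CRLs and the caller will not see GNUTLS_CERT_REVOKED for it; nothing in the hunk makes this opt-in, so a deployment that distributes CRLs precisely to kill a compromised-but-pinned certificate silently loses that protection. The policy is stated in the git message but not at the code, so a comment on the moved block would help, e.g. `/* Revocation is only checked for chains not already accepted above; a cert that is itself in the trusted list is accepted even if a CRL revokes it. */`, and the Debian changelog entry should say the same so users of the 25_1 ordering know the observable behaviour changed. A secondary point visible in the new side: only `ret == 1` is handled, so if gnutls_x509_crt_check_revocation can return a negative error code (e.g. a malformed CRL), that outcome is treated as "not revoked" rather than reported — if so, `if (ret < 0) { gnutls_assert(); return ret; }` before the `== 1` test would make CRL parse failures fail closed. The function body both begins before and continues after the hunk, so the early-return paths this depends on are not visible here.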



