[Pkg-gnutls-commits] r664 - in /packages/gnutls26/trunk/debian: changelog patches/26_movedowncrlchackagain.patch
ametzler at users.alioth.debian.org
Sat Feb 7 11:19:42 UTC 2009
Author: ametzler
Date: Sat Feb 7 11:19:42 2009
New Revision: 664
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=664
Log:
add 26_movedowncrlchackagain.patch
Added:
packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
Modified:
packages/gnutls26/trunk/debian/changelog
Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=664&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Feb 7 11:19:42 2009
@@ -10,6 +10,8 @@
+ 25_1_bufferoverrun.patch. Fix buffer overrun bug in
gnutls_x509_crt_list_import.
http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
+ + 26_movedowncrlchackagain.patch revert crl check order applied in
+ 25_1_bufferoverrun.patch.
-- Andreas Metzler <ametzler at debian.org> Sat, 31 Jan 2009 18:10:25 +0100
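Review bot: the new changelog entry (the two `+` lines) records only the mechanics ("revert crl check order") and not the behavioural consequence an administrator reading the changelog needs: once the revocation check is moved back down, a certificate the caller has explicitly placed in the trusted list is accepted without being checked against the supplied CRLs, which is exactly what the upstream commit message says it intends. Suggest spelling that out, e.g. `+ 26_movedowncrlchackagain.patch: move the CRL check back behind the trusted-certificate check (upstream 5c6c117), so a cert explicitly marked as trusted is accepted even if a CRL revokes it.`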
Added: packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch?rev=664&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch (added)
+++ packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch Sat Feb 7 11:19:42 2009
@@ -1,0 +1,61 @@
+From 5c6c117fced2807bd1ea9be92b1d9334c221fa8e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon at josefsson.org>
+Date: Fri, 06 Feb 2009 19:13:45 +0000
+Subject: Move down revocation check to revert code to how it looked before.
+
+The idea is that if you have marked a cert as trusted, you may want to trust
+it even though some authority has revoked it. This changes back how
+this code used to work.
+---
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index a35b4e8..e53799c 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -415,22 +415,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ int i = 0, ret;
+ unsigned int status = 0, output;
+
+- /* Check for revoked certificates in the chain
+- */
+-#ifdef ENABLE_PKI
+- for (i = 0; i < clist_size; i++)
+- {
+- ret = gnutls_x509_crt_check_revocation (certificate_list[i],
+- CRLs, crls_size);
+- if (ret == 1)
+- { /* revoked */
+- status |= GNUTLS_CERT_REVOKED;
+- status |= GNUTLS_CERT_INVALID;
+- return status;
+- }
+- }
+-#endif
+-
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
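Review bot: removing the revocation loop from the top of `_gnutls_x509_verify_certificate` means every early `return status;` between this point and wherever the loop is re-added now bypasses CRL checking entirely, not only the explicitly-trusted-certificate case the commit message describes; before this change `GNUTLS_CERT_REVOKED` was set before any chain handling at all. The loop bound is `clist_size`, and the loop now runs after the `if (clist_size > 1)` block that handles a self-signed last certificate, so if that block shrinks `clist_size` the dropped root is no longer checked against the CRLs. Please confirm that is intended and note it in the function's documentation, since callers that expected `GNUTLS_CERT_REVOKED` for a revoked root will now see a different status.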
+@@ -493,6 +477,22 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ return status;
+ }
+
++ /* Check for revoked certificates in the chain
++ */
++#ifdef ENABLE_PKI
++ for (i = 0; i < clist_size; i++)
++ {
++ ret = gnutls_x509_crt_check_revocation (certificate_list[i],
++ CRLs, crls_size);
++ if (ret == 1)
++ { /* revoked */
++ status |= GNUTLS_CERT_REVOKED;
++ status |= GNUTLS_CERT_INVALID;
++ return status;
++ }
++ }
++#endif
++
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)
+--
+cgit v0.8.2
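Review bot: the re-inserted loop sits directly after a block that ends in an unconditional `return status;`, so any chain that takes that return is never CRL-checked; the commit message justifies this only for certificates the caller has explicitly trusted. Suggest a comment at the insertion point stating that revocation is deliberately checked only for chains that reach this point, plus a regression test pairing a trusted certificate with a CRL that revokes it, to pin the intended result rather than leaving it implicit in code ordering. Minor, and pre-existing in the moved block: `if (ret == 1)` is the only branch, so a negative return from `gnutls_x509_crt_check_revocation` (an error while consulting the CRLs) is silently treated as "not revoked"; while the block is being moved it would be worth handling `ret < 0` with `gnutls_assert()` and setting `GNUTLS_CERT_INVALID` instead of falling through to the path verification.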