[Pkg-gnutls-commits] r665 - in /packages/gnutls26/trunk/debian: changelog patches/24_intermedcert.patch patches/26_movedowncrlchackagain.patch
ametzler at users.alioth.debian.org
ametzler at users.alioth.debian.org
Sat Feb 7 11:57:48 UTC 2009
Author: ametzler
Date: Sat Feb 7 11:57:48 2009
New Revision: 665
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=665
Log:
Merge 24_intermedcert.patch and 26_movedowncrlchackagain.patch
Removed:
packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
Modified:
packages/gnutls26/trunk/debian/changelog
packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=665&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Feb 7 11:57:48 2009
@@ -4,14 +4,12 @@
* New patches, syncing with 2.4.3 upstream oldstable release:
+ 24_intermedcertificate.patch If a non-root certificate ist trusted
gnutls certificateificate verification stops there instead of checking
- to up to the root of the certificate chain.
+ up to the root of the certificate chain.
+ 22_whitespace.patch - Whitespace only changes, to make it possible to
apply upstream fixes without manual changes.
- + 25_1_bufferoverrun.patch. Fix buffer overrun bug in
+ + 25_bufferoverrun.patch. Fix buffer overrun bug in
gnutls_x509_crt_list_import.
http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
- + 26_movedowncrlchackagain.patch revert crl check order applied in
- 25_1_bufferoverrun.patch.
-- Andreas Metzler <ametzler at debian.org> Sat, 31 Jan 2009 18:10:25 +0100
Modified: packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/24_intermedcert.patch?rev=665&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/patches/24_intermedcert.patch (original)
+++ packages/gnutls26/trunk/debian/patches/24_intermedcert.patch Sat Feb 7 11:57:48 2009
@@ -18,12 +18,18 @@
has a chance to validate correctly. Reported by "Douglas E. Engert"
<deengert at anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
+
+
+Subject: Move down revocation check to revert code to how it looked before.
+
+The idea is that if you have marked a cert as trusted, you may want to trust
+it even though some authority has revoked it. This changes back how
+this code used to work.
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index ffc7704..ee66060 100644
---- a/lib/x509/verify.c
+diff -u b/lib/x509/verify.c b/lib/x509/verify.c
+--- b/lib/x509/verify.c
+++ b/lib/x509/verify.c
-@@ -51,6 +51,38 @@ static int _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+@@ -51,6 +51,38 @@
int tcas_size, unsigned int flags,
unsigned int *output);
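Review bot: The regenerated file header on the new side, `+diff -u b/lib/x509/verify.c b/lib/x509/verify.c` followed by `+--- b/lib/x509/verify.c`, labels both the old and new file `b/`, and the rewritten `+@@ -51,6 +51,38 @@` header drops the `static int _gnutls_verify_crl2` context that the replaced line carried. patch(1) strips the first path component at -p1 whatever it is, so the patch still applies, but the `a/`/`b/` convention and the function-name context are what a reader uses to tell which side a line belongs to and where in verify.c a hunk lands. Regenerating the merged patch with `diff -up` (or `git diff`) would keep both; the same applies to the headers rewritten at `@@ -62,7 +68,7 @@` and `@@ -82,29 +88,7 @@`.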
@@ -62,7 +68,7 @@
/* Checks if the issuer of a certificate is a
* Certificate Authority, or if the certificate is the same
-@@ -365,16 +397,12 @@ gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
+@@ -365,16 +397,12 @@
}
@@ -82,29 +88,7 @@
*/
static unsigned int
_gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
-@@ -387,34 +415,72 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
- int i = 0, ret;
- unsigned int status = 0, output;
-
-+ /* Check for revoked certificates in the chain
-+ */
-+#ifdef ENABLE_PKI
-+ for (i = 0; i < clist_size; i++)
-+ {
-+ ret = gnutls_x509_crt_check_revocation (certificate_list[i],
-+ CRLs, crls_size);
-+ if (ret == 1)
-+ { /* revoked */
-+ status |= GNUTLS_CERT_REVOKED;
-+ status |= GNUTLS_CERT_INVALID;
-+ return status;
-+ }
-+ }
-+#endif
-+
- if (clist_size > 1)
- {
- /* Check if the last certificate in the path is self signed.
+@@ -393,28 +421,50 @@
* In that case ignore it (a certificate is trusted only if it
* leads to a trusted party by us, not the server's).
*
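Review bot: With the early `gnutls_x509_crt_check_revocation` loop dropped here and the original loop kept at its old position after the trusted-CA decision (hunk `@@ -164,30 +148,12 @@`), CRLs are consulted only for chains that have already passed the trust check, so, as the new header text at `@@ -18,12 +18,18 @@` says, a certificate that is itself in the trusted list is accepted regardless of a CRL entry for it; what the description does not say is what happens to the certificates above a trusted intermediate — if the intermediate-certificate logic in `@@ -393,28 +421,50 @@` (its body is outside this view) shortens `clist_size` or returns before the loop, those issuers are never checked against the supplied CRLs either. Suggest adding one sentence to the merged patch header, along the lines of `NOTE: CRLs are only consulted for certificates below the first explicitly trusted certificate in the chain; a revoked certificate that is itself trusted (and, presumably, any issuer above it) is not rejected — confirm against the merged code.` _gnutls_x509_verify_certificate's body continues outside this hunk.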
@@ -164,30 +148,12 @@
if (ret == 0)
{
/* if the last certificate in the certificate
-@@ -427,23 +493,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
- return status;
+@@ -443,7 +493,7 @@
}
+ #endif
-- /* Check for revoked certificates in the chain
-- */
--#ifdef ENABLE_PKI
-- for (i = 0; i < clist_size; i++)
-- {
-- ret = gnutls_x509_crt_check_revocation (certificate_list[i],
-- CRLs, crls_size);
-- if (ret == 1)
-- { /* revoked */
-- status |= GNUTLS_CERT_REVOKED;
-- status |= GNUTLS_CERT_INVALID;
-- return status;
-- }
-- }
--#endif
--
- /* Verify the certificate path (chain)
+ /* Verify the certificate path (chain)
*/
for (i = clist_size - 1; i > 0; i--)
{
---
-cgit v0.8.2