[Pkg-gnutls-commits] r665 - in /packages/gnutls26/trunk/debian: changelog patches/24_intermedcert.patch patches/26_movedowncrlchackagain.patch

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Sat Feb 7 11:57:48 UTC 2009


Author: ametzler
Date: Sat Feb  7 11:57:48 2009
New Revision: 665

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=665
Log:
Merge 24_intermedcert.patch and 26_movedowncrlchackagain.patch

Removed:
    packages/gnutls26/trunk/debian/patches/26_movedowncrlchackagain.patch
Modified:
    packages/gnutls26/trunk/debian/changelog
    packages/gnutls26/trunk/debian/patches/24_intermedcert.patch

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=665&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Feb  7 11:57:48 2009
@@ -4,14 +4,12 @@
   * New patches, syncing with 2.4.3 upstream oldstable release:
     + 24_intermedcertificate.patch If a non-root certificate ist trusted
       gnutls certificateificate verification stops there instead of checking
-      to up to the root of the certificate chain.
+      up to the root of the certificate chain.
     + 22_whitespace.patch - Whitespace only changes, to make it possible to
       apply upstream fixes without manual changes. 
-    + 25_1_bufferoverrun.patch. Fix buffer overrun bug in
+    + 25_bufferoverrun.patch. Fix buffer overrun bug in
       gnutls_x509_crt_list_import.
       http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
-    + 26_movedowncrlchackagain.patch revert crl check order applied in
-      25_1_bufferoverrun.patch.
 
  -- Andreas Metzler <ametzler at debian.org>  Sat, 31 Jan 2009 18:10:25 +0100
 

Modified: packages/gnutls26/trunk/debian/patches/24_intermedcert.patch
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/24_intermedcert.patch?rev=665&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/patches/24_intermedcert.patch (original)
+++ packages/gnutls26/trunk/debian/patches/24_intermedcert.patch Sat Feb  7 11:57:48 2009
@@ -18,12 +18,18 @@
 has a chance to validate correctly.  Reported by "Douglas E. Engert"
 <deengert at anl.gov> in
 <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
+
+
+Subject: Move down revocation check to revert code to how it looked before.
+
+The idea is that if you have marked a cert as trusted, you may want to trust
+it even though some authority has revoked it.  This changes back how
+this code used to work.
  
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index ffc7704..ee66060 100644
---- a/lib/x509/verify.c
+diff -u b/lib/x509/verify.c b/lib/x509/verify.c
+--- b/lib/x509/verify.c
 +++ b/lib/x509/verify.c
-@@ -51,6 +51,38 @@ static int _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+@@ -51,6 +51,38 @@
  				int tcas_size, unsigned int flags,
  				unsigned int *output);
  
@@ -62,7 +68,7 @@
  
  /* Checks if the issuer of a certificate is a
   * Certificate Authority, or if the certificate is the same
-@@ -365,16 +397,12 @@ gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
+@@ -365,16 +397,12 @@
  }
  
  
@@ -82,29 +88,7 @@
   */
  static unsigned int
  _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
-@@ -387,34 +415,72 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
-   int i = 0, ret;
-   unsigned int status = 0, output;
- 
-+  /* Check for revoked certificates in the chain
-+   */
-+#ifdef ENABLE_PKI
-+  for (i = 0; i < clist_size; i++)
-+    {
-+      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
-+					      CRLs, crls_size);
-+      if (ret == 1)
-+	{			/* revoked */
-+	  status |= GNUTLS_CERT_REVOKED;
-+	  status |= GNUTLS_CERT_INVALID;
-+	  return status;
-+	}
-+    }
-+#endif
-+
-   if (clist_size > 1)
-     {
-       /* Check if the last certificate in the path is self signed.
+@@ -393,28 +421,50 @@
         * In that case ignore it (a certificate is trusted only if it
         * leads to a trusted party by us, not the server's).
         *
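Review bot: Dropping the early revocation loop here, together with leaving the original loop in place in the `@@ -443,7 +493,7 @@` hunk below, means CRL checking runs only after the chain has been matched against the trusted list; if the chain is shortened to the trusted certificate before that point (the shortening code is not visible in this hunk, so this is inferred from the merged header text and the `i < clist_size` loop bound), a trusted intermediate and every certificate above it are never passed to `gnutls_x509_crt_check_revocation`. That is the behaviour the merged Subject text asks for, but it is a trust-policy decision rather than a fix: a certificate placed in the trusted set is accepted even when a supplied CRL lists it, so the operator's trust store is the only control for it. The comment that stays in verify.c, `/* Check for revoked certificates in the chain */`, does not say so; extending it to `/* Check for revoked certificates in the chain (only the part below a trusted certificate is checked; a trusted cert is accepted even if a CRL lists it) */` would keep the trade-off visible, and the Debian changelog text for 24_intermedcertificate.patch could state it as well. The enclosing function `_gnutls_x509_verify_certificate` starts before and ends after this hunk.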
@@ -164,30 +148,12 @@
    if (ret == 0)
      {
        /* if the last certificate in the certificate
-@@ -427,23 +493,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
-       return status;
+@@ -443,7 +493,7 @@
      }
+ #endif
  
--  /* Check for revoked certificates in the chain
--   */
--#ifdef ENABLE_PKI
--  for (i = 0; i < clist_size; i++)
--    {
--      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
--					      CRLs, crls_size);
--      if (ret == 1)
--	{			/* revoked */
--	  status |= GNUTLS_CERT_REVOKED;
--	  status |= GNUTLS_CERT_INVALID;
--	  return status;
--	}
--    }
--#endif
--
 -  /* Verify the certificate path (chain) 
 +  /* Verify the certificate path (chain)
     */
    for (i = clist_size - 1; i > 0; i--)
      {
---
-cgit v0.8.2



