[Pkg-gnutls-commits] r652 - in /packages/gnutls26/trunk/debian: changelog patches/23_permit_v1_CA.diff

ametzler at users.alioth.debian.org
Sat Jan 31 14:54:25 UTC 2009


Author: ametzler
Date: Sat Jan 31 14:54:24 2009
New Revision: 652

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=652
Log:
Make gnutls behave as documented, accepting v1 x509 CA certs if GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593

Added:
    packages/gnutls26/trunk/debian/patches/23_permit_v1_CA.diff
Modified:
    packages/gnutls26/trunk/debian/changelog

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=652&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Jan 31 14:54:24 2009
@@ -1,8 +1,11 @@
 gnutls26 (2.4.2-5) UNRELEASED; urgency=low
 
-  * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org>  Sat, 06 Dec 2008 12:23:37 +0100
+  * New patch 23_permit_v1_CA.diff pulled from upstream. Make gnutls behave
+    as documented, accepting v1 x509 CA certs if
+    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
+    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593
+
+ -- Andreas Metzler <ametzler at debian.org>  Sat, 31 Jan 2009 15:35:01 +0100
 
 gnutls26 (2.4.2-4) unstable; urgency=medium
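Review bot: the changelog entry says the patch was "pulled from upstream" but does not record which upstream commit, even though the patch header carries the gitweb URL with commit 423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0; consider naming that id (or the first upstream release containing it) in the entry so the patch can be dropped cleanly at the next upstream merge. Also note that the version remains UNRELEASED, so the `Closes: #509593` will only act on the bug once the entry is marked for unstable.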
 

Added: packages/gnutls26/trunk/debian/patches/23_permit_v1_CA.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/23_permit_v1_CA.diff?rev=652&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/23_permit_v1_CA.diff (added)
+++ packages/gnutls26/trunk/debian/patches/23_permit_v1_CA.diff Sat Jan 31 14:54:24 2009
@@ -1,0 +1,49 @@
+From: Simon Josefsson <simon at josefsson.org>
+Date: Fri, 9 Jan 2009 09:55:01 +0000 (+0100)
+Subject: Permit V1 Certificate Authorities properly.
+X-Git-Url: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff_plain;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0
+
+Permit V1 Certificate Authorities properly.
+Before they were mistakenly rejected even though
+GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
+GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied.  Reported by
+"Douglas E. Engert" <deengert at anl.gov> in
+<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
+---
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index a644b13..ffc7704 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
++ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
+  *
+  * Author: Nikos Mavrogiannopoulos
+  *
+@@ -125,11 +125,23 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ 	  }
+       }
+ 
+-  if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1)
++  result = gnutls_x509_crt_get_ca_status (issuer, NULL);
++  if (result == 1)
+     {
+       result = 1;
+       goto cleanup;
+     }
++  /* Handle V1 CAs that do not have a basicConstraint, but accept
++     these certs only if the appropriate flags are set. */
++  else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
++	   ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) ||
++	    ((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) &&
++	     (gnutls_x509_crt_check_issuer (issuer, issuer) == 1))))
++    {
++      gnutls_assert ();
++      result = 1;
++      goto cleanup;
++    }
+   else
+     gnutls_assert ();
+ 
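Review bot: the `else` branch at the end of the check_if_ca hunk now leaves `result` holding the raw return value of gnutls_x509_crt_get_ca_status (0 when the issuer has no CA bit, or a negative error other than GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE), whereas before the change `result` was not overwritten on that path; please confirm that the code following the hunk resets `result` to 0 before `cleanup`, otherwise a parse error in the issuer's basicConstraints would be returned from check_if_ca as a negative value instead of a plain "not a CA". Minor: the `result = 1;` inside `if (result == 1)` is now redundant. The new branch correctly limits GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT to self-signed issuers via `gnutls_x509_crt_check_issuer (issuer, issuer) == 1`, while GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT accepts any V1 issuer lacking basicConstraints; the comment above the branch could state that distinction explicitly, since it is the security-relevant difference between the two flags.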
