[Pkg-gnutls-commits] r653 - in /packages/gnutls26/trunk/debian: changelog patches/22_deprecate_md2_md5_x509_validation.diff

ametzler at users.alioth.debian.org
Sat Jan 31 15:13:42 UTC 2009


Author: ametzler
Date: Sat Jan 31 15:13:42 2009
New Revision: 653

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=653
Log:
22_deprecate_md2_md5_x509_validation.diff: Verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5 will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification output.

Added:
    packages/gnutls26/trunk/debian/patches/22_deprecate_md2_md5_x509_validation.diff
Modified:
    packages/gnutls26/trunk/debian/changelog

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=653&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Sat Jan 31 15:13:42 2009
@@ -1,9 +1,14 @@
 gnutls26 (2.4.2-5) UNRELEASED; urgency=low
 
-  * New patch 23_permit_v1_CA.diff pulled from upstream. Make gnutls behave
-    as documented, accepting v1 x509 CA certs if
-    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593
+  * Pull two patches from upstream stable branch to make gnutls behavior
+    match documentation:
+   + patch 23_permit_v1_CA.diff:Accept v1 x509 CA
+     certs if GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
+     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593
+   + 22_deprecate_md2_md5_x509_validation.diff: Verifying untrusted X.509
+     certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
+     GNUTLS_CERT_INSECURE_ALGORITHM verification output.
+    
 
  -- Andreas Metzler <ametzler at debian.org>  Sat, 31 Jan 2009 15:35:01 +0100
 
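Review bot: the new sub-item `+   + patch 23_permit_v1_CA.diff:Accept v1 x509 CA` is missing a space after the colon, and the last added line `+    ` is whitespace-only, which leaves trailing whitespace in debian/changelog; suggest `+   + patch 23_permit_v1_CA.diff: Accept v1 x509 CA` and dropping the blank `+    ` line so the entry ends on the existing empty line before the maintainer trailer. The two sub-items are also labelled inconsistently (one reads `patch 23_...`, the other just `22_...`); use one form for both.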

Added: packages/gnutls26/trunk/debian/patches/22_deprecate_md2_md5_x509_validation.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/22_deprecate_md2_md5_x509_validation.diff?rev=653&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/22_deprecate_md2_md5_x509_validation.diff (added)
+++ packages/gnutls26/trunk/debian/patches/22_deprecate_md2_md5_x509_validation.diff Sat Jan 31 15:13:42 2009
@@ -1,0 +1,34 @@
+From e7148d9e0f5410e4572adf540764d82fff6aa2b6 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor<dkg at fifthhorseman.net>
+Date: Wed, 07  Jan  2009  00:55:15  +0000
+Subject: backport fix to deprecate MD5 hashes during X.509 certificate validation
+
+** gnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
+This is a bugfix -- the previous attempt to do this from internal x509
+certificate verification procedures did not return the correct value
+for certificates using a weak hash.
+
+http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index be01b5f..a644b13 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -320,6 +320,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+ 	{
+ 	  if (output)
+ 	    *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
++	  ret = 0;
+ 	}
+     }
+ 
+@@ -1036,6 +1037,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+       {
+ 	if (output)
+ 	  *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
++	ret = 0;
+       }
+   }
+ 
+--
+cgit v0.8.1
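Review bot: in both nested hunks the added `ret = 0;` sits outside the `if (output)` guard, so a caller that passes a NULL `output` still receives a failing verification result rather than whatever `ret` held before the block; that placement is correct and is the actual fix the description refers to ("did not return the correct value"). The context lines do not show the enclosing condition, so before applying confirm it covers RSA-MD2 as well as RSA-MD5: the embedded Subject line says only "deprecate MD5 hashes" while the patch body and the debian/changelog entry name both MD2 and MD5; aligning that wording would avoid confusion later. The trailing `--` / `cgit v0.8.1` lines are a harmless artifact of exporting the commit from cgit.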