[Pkg-gnutls-commits] r1497 - in /packages/gnutls26/trunk/debian: changelog patches/25_nssldapsfix.diff patches/series

ametzler at users.alioth.debian.org ametzler at users.alioth.debian.org
Thu Jun 7 17:26:07 UTC 2012


Author: ametzler
Date: Thu Jun  7 17:26:06 2012
New Revision: 1497

URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=1497
Log:
Pull debian/patches/25_nssldapsfix.diff from upstream git, fixing NSS LDAP with
TLS.

Added:
    packages/gnutls26/trunk/debian/patches/25_nssldapsfix.diff
Modified:
    packages/gnutls26/trunk/debian/changelog
    packages/gnutls26/trunk/debian/patches/series

Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=1497&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Thu Jun  7 17:26:06 2012
@@ -1,8 +1,9 @@
-gnutls26 (2.12.19-2) UNRELEASED; urgency=low
-
-  * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler at debian.org>  Sat, 05 May 2012 20:09:42 +0200
+gnutls26 (2.12.19-2) unstable; urgency=low
+
+  * Pull debian/patches/25_nssldapsfix.diff from upstream git.
+    (LP: #1003841)
+
+ -- Andreas Metzler <ametzler at debian.org>  Thu, 07 Jun 2012 19:17:07 +0200
 
 gnutls26 (2.12.19-1) unstable; urgency=low
 

Added: packages/gnutls26/trunk/debian/patches/25_nssldapsfix.diff
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/25_nssldapsfix.diff?rev=1497&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/patches/25_nssldapsfix.diff (added)
+++ packages/gnutls26/trunk/debian/patches/25_nssldapsfix.diff Thu Jun  7 17:26:06 2012
@@ -1,0 +1,106 @@
+From 1b6cfff1c9aad0207498f11d372b8fc3d542cab2 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 24 May 2012 18:20:32 +0200
+Subject: [PATCH 1/3] When checking for an issuer check for a match in the key
+ identifiers.
+
+---
+ NEWS              |    9 ++++++++-
+ lib/x509/verify.c |   40 ++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 243e14c..4c70f28 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,14 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
+               2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
+ See the end for copying conditions.
+ 
++Version 2.12.20 (unreleased)
++
++** libgnutls: Check key identifiers when checking for an issuer.
++
++** API and ABI modifications:
++No changes since last version.
++
++
+ Version 2.12.19 (released 2012-05-05)
+ 
+ ** libgnutls: When decoding a PKCS #11 URL the pin-source field
+@@ -15,7 +23,6 @@ SRP key exchange public keys.
+ ** minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
+ 
+ ** API and ABI modifications:
+-
+ No changes since last version.
+ 
+ 
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 97606be..2efcebf 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -227,9 +227,12 @@ cleanup:
+ static int
+ is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
+ {
+-  gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
+-  {
+-  NULL, 0};
++  gnutls_datum_t dn1 = { NULL, 0 }, 
++                 dn2 = { NULL, 0};
++  uint8_t id1[512];
++  uint8_t id2[512];
++  size_t id1_size;
++  size_t id2_size;
+   int ret;
+ 
+   ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
+@@ -247,6 +250,34 @@ is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
+     }
+ 
+   ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
++  
++  if (ret != 0)
++    {
++      /* check if the authority key identifier matches the subject key identifier
++       * of the isser */
++       id1_size = sizeof(id1);
++       
++       ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
++       if (ret < 0)
++         {
++           ret = 1;
++           goto cleanup;
++         }
++
++       id2_size = sizeof(id2);
++       ret = gnutls_x509_crt_get_subject_key_id(issuer_cert, id2, &id2_size, NULL);
++       if (ret < 0)
++         {
++           ret = 1;
++           gnutls_assert();
++           goto cleanup;
++         }
++    
++       if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0)
++         ret = 1;
++       else
++         ret = 0;
++    }
+ 
+ cleanup:
+   _gnutls_free_datum (&dn1);
+@@ -416,7 +447,8 @@ cleanup:
+  * @issuer: is the certificate of a possible issuer
+  *
+  * This function will check if the given certificate was issued by the
+- * given issuer.
++ * given issuer. It checks the DN fields and the authority
++ * key identifier and subject key identifier fields match.
+  *
+  * Returns: It will return true (1) if the given certificate is issued
+  *   by the given issuer, and false (0) if not.  A negative value is
+-- 
+1.7.10
+
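Review bot: In the nested lib/x509/verify.c hunk, both key-identifier lookups treat every negative return as "extension absent" and set `ret = 1`, so a parse failure (or, presumably, an identifier longer than the 512-byte `id1`/`id2` buffers) falls back to a DN-only match instead of being reported. Only the not-present case should take that fallback, e.g. `if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ret = 1; goto cleanup; }` followed by `if (ret < 0) { gnutls_assert (); goto cleanup; }`, applied to both the authority-key-id and the subject-key-id call. The first error path also lacks the `gnutls_assert()` that the second has, and the new comment spells "issuer" as "isser". A one-line comment such as `/* ret != 0 here means the DNs matched */` would help, assuming that is what `_gnutls_x509_compare_raw_dn` returns. `is_issuer` begins and ends outside the hunks shown, so how a negative `ret` is handled after `cleanup:` should be confirmed before changing it.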

Modified: packages/gnutls26/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/series?rev=1497&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/patches/series (original)
+++ packages/gnutls26/trunk/debian/patches/series Thu Jun  7 17:26:06 2012
@@ -3,3 +3,4 @@
 17_ignoretestsuitteerrors.diff
 18_gpgerrorinpkgconfig.diff
 20_tests-select.diff
+25_nssldapsfix.diff



