gnutls fails to use Verisign CA cert without a Basic Constraint
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jan 9 18:06:00 CET 2009
On 01/09/2009 11:54 AM, Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>> Also should line 444 be |= rather the ^= ?
>
> That code is meant to _remove_ the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
> flag from the flags parameter, unless
> GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is set.
But ^= is bitwise xor, which *flips* the relevant bit, rather than
removing it. I think we want something like this, no?
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index c00b4bf..6ad4495 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -442,7 +442,7 @@ _gnutls_x509_verify_certificate (const
gnutls_x509_crt_t * certificate_list,
* certificates can exist in a supplied chain.
*/
if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
- flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
+ flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
if ((ret =
_gnutls_verify_certificate2 (certificate_list[i - 1],
&certificate_list[i], 1, flags,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090109/06fbcf9d/attachment.pgp>
More information about the Gnutls-devel
mailing list