The _gnutls_x509_verify_certificate fix

Andreas Metzler ametzler at downhill.at.eu.org
Tue Nov 11 20:16:49 CET 2008


On 2008-11-11 Simon Josefsson <simon at josefsson.org> wrote:
[...]
> So the patch in v2.6.1 and in the advisory causes crashes when the chain
> contains just one self-signed certificate.  Ouch.  Thinking more about
> this, I suspect the entire optimization to remove the final certificate
> is pointless.  So this patch (against v2.6.1) should also work:

> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index 8fa90dc..92ef722 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -374,17 +374,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
>    int i = 0, ret;
>    unsigned int status = 0, output;

> -  /* Check if the last certificate in the path is self signed.
> -   * In that case ignore it (a certificate is trusted only if it
> -   * leads to a trusted party by us, not the server's).
> -   */
> -  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
> -				    certificate_list[clist_size - 1]) > 0
> -      && clist_size > 0)
> -    {
> -      clist_size--;
> -    }
> -
>    /* Verify the last certificate in the certificate path
>     * against the trusted CA certificate list.
>     *
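Review bot: in the removed block the `&&` evaluates `gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ...)` before `clist_size > 0`, so the bounds guard only runs after the index has already been used, and a one-element chain whose single certificate is self-signed gets `clist_size--` to 0 before the verification that follows; removing the block closes that path, which matches the single-self-signed-certificate crash described above. The side effect is that the peer's trailing self-signed certificate is no longer stripped, so the step documented as "Verify the last certificate in the certificate path against the trusted CA certificate list" now receives that certificate instead of its predecessor. The commit message should state that this is intended and that the trusted-list check, not the trim, is what rejects an untrusted self-signed tail.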
[...]

Hello,
So combining this one and the patch in the advisory I would get:
----------------------
--- /tmp/verify.c.origal        2008-11-11 18:46:43.000000000 +0000
+++ lib/x509/verify.c   2008-11-11 18:48:08.000000000 +0000
@@ -414,17 +414,6 @@
     }
 #endif
 
-  /* Check if the last certificate in the path is self signed.
-   * In that case ignore it (a certificate is trusted only if it
-   * leads to a trusted party by us, not the server's).
-   */
-  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
-                                   certificate_list[clist_size - 1]) > 0
-      && clist_size > 0)
-    {
-      clist_size--;
-    }
-
   /* Verify the certificate path (chain) 
    */
   for (i = clist_size - 1; i > 0; i--)
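Review bot: this hunk removes only the self-signed trim, and the advisory's own change is not among the visible lines (the context stops at `}` / `#endif` above), so from this diff alone a reviewer cannot see how the two patches interact; the observation below that the reproduction works again suggests the advisory's check depended on `clist_size` having been decremented at this point. Please post the combined diff with enough context to include the advisory's lines, and note that `for (i = clist_size - 1; i > 0; i--)` now starts from the untrimmed last certificate of the peer's chain. Cosmetic: `--- /tmp/verify.c.origal` in the header looks like a typo for `.orig`.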
----------------------

Applying this to 2.4.2 does away with the crash; however, it does not
fix the advisory anymore. (The way to reproduce described in
http://news.gmane.org/find-root.php?message_id=%3c4918143A.3050103%40gmx.net%3e
works again.)
cu and- wondering when lists.gnu.org is accessible by SMTP again -reas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
