gnutls fails to use Verisign CA cert without a Basic Constraint
simon at josefsson.org
Sat Jan 10 13:11:10 CET 2009
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> On 01/09/2009 11:54 AM, Simon Josefsson wrote:
>> "Douglas E. Engert" <deengert at anl.gov> writes:
>>> Also should line 444 be |= rather the ^= ?
>> That code is meant to _remove_ the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
>> flag from the flags parameter, unless
>> GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is set.
> But ^= is bitwise xor, which *flips* the relevant bit, rather than
> removing it. I think we want something like this, no?
Indeed. It would be nice if we could come up with a X.509 chain and
necessary flags that arguable trigger incorrect behaviour with the
current code before changing this though. That could go into the
Hm. I'm not sure the code results in incorrect behaviour though -- the
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag only matters for root certs, but
those aren't touched by this code anyway, are they? They are removed
earlier in the same function. However, maybe the function searches for
the root cert and finds it through some other mechanism...
Anyway, coming up with an example that triggers incorrect behaviour
would be the best here, and would give more confidence in the patch.
Could you try and create such an example?
> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index c00b4bf..6ad4495 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -442,7 +442,7 @@ _gnutls_x509_verify_certificate (const
> gnutls_x509_crt_t * certificate_list,
> * certificates can exist in a supplied chain.
> if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
> - flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
> + flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
> if ((ret =
> _gnutls_verify_certificate2 (certificate_list[i - 1],
> &certificate_list[i], 1, flags,
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
More information about the Gnutls-devel