[gnutls-devel] GnuTLS | Fix removal of duplicate certs during verification (!1653)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Oct 17 01:14:43 CEST 2022
Daiki Ueno commented on a discussion on lib/x509/verify-high.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1653#note_1137184768
> - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
> - sorted_size = _gnutls_sort_clist(&cert_list[i],
> - cert_list_size - i);
> - }
> -
> - /* Remove duplicates. Start with index 1, as the first element
> - * may be re-checked after issuer retrieval. */
> - for (j = 1; j < sorted_size; j++) {
> - if (cert_set_contains(&cert_set, cert_list[i + j])) {
> - if (i + j < cert_list_size - 1) {
> - memmove(&cert_list[i + j],
> - &cert_list[i + j + 1],
> - sizeof(cert_list[i]));
> + /* Remove duplicates */
> + for (i = 0; i < cert_list_size - 1 && cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ++i) {
> + for (j = i + 1; j < cert_list_size && cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ++j) {
That's a good point. The only reason we start from `cert_list[i + 1]` is that, if issuer retrieval happens, `cert_list[i]` is already marked as seen in `cert_set` and reported as a duplicate. So I guess a fix would be something like: (1) do not skip the first element and (2) delay registering `cert_list[i]` after issuer retrieval.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1653#note_1137184768
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20221016/4b9409db/attachment-0001.html>
More information about the Gnutls-devel
mailing list