Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
From: Daniel Kahn Gillmor
Subject: Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
Date: Tue, 06 Jan 2009 00:20:15 -0500
User-agent: Mozilla-Thunderbird 2.0.0.17 (X11/20081018)
On 01/05/2009 02:31 PM, Daniel Kahn Gillmor wrote:
> I'm sorry that i haven't had the time to debug this further yet.

Ok, i got to look into it tonight with gdb against the gnutls 2.6.3
libraries (i'm using the versions from debian experimental). here's
what i found:

gnutls_certificate_verify_peers2() ultimately calls
_gnutls_verify_certificate2(), which (at lib/x509/verify.c:321) properly
sets the flags in the output variable, but does not set ret to 0.

gnutls_x509_crt_list_verify(), the immediate caller of
_gnutls_verify_certificate2(), does not check the data in *output unless
the return code is actually zero.

So i suspect that the following is the correct patch (against the git
head), but i have not tested it yet (and i need to sleep before it gets
any later):

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 02964ba..c00b4bf 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -320,6 +320,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
{
if (output)
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ ret = 0;
}
}
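Review bot: the new `ret = 0;` in `_gnutls_verify_certificate2` sits directly after the unbraced `if (output)` statement with no comment, so it is easy to misread as depending on `output`, and the meaning of 0 here (certificate not verified) is left implicit. Brace the `if` or separate the assignment with a blank line, and add a one-line comment saying that an insecure signature algorithm must fail verification through the return value even when the caller passes no `output`. It is also worth confirming that nothing between this block and the function's return reassigns `ret`, and, since the message says the change is untested, adding a regression test that runs an MD5-signed certificate through `gnutls_x509_crt_list_verify()` and checks that both `GNUTLS_CERT_INSECURE_ALGORITHM` and `GNUTLS_CERT_INVALID` reach the caller.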
@@ -1036,6 +1037,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
{
if (output)
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ ret = 0;
}
}
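Review bot: the `ret = 0;` added in `_gnutls_verify_crl2` rests on an analysis that only traces the certificate path (`gnutls_x509_crt_list_verify()` calling `_gnutls_verify_certificate2()`); nothing here shows that the caller of the CRL routine also ignores `*output` unless the return value is zero. Please check that caller before applying the same change, and state the result in the commit message. Since the flag-setting and `ret = 0;` lines are now identical in both functions, a small shared helper would keep the two paths from drifting apart again.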
Any thoughts about this proposal? This would affect the built-in X.509
verification routines, not just gnutls-cli and gnutls-serv.
--dkg
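
A simplified model of the caller/callee interaction described in the message above, added here as an illustration; it is not GnuTLS code and not part of the original message. The function names, the status bit values and the `fix_applied` switch are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed status bits for this model; not the GnuTLS values. */
#define ST_INVALID            (1u << 0)
#define ST_INSECURE_ALGORITHM (1u << 1)

enum sig_alg { ALG_RSA_SHA256, ALG_RSA_MD5 };

/* Model of the per-certificate check: returns 1 if verified, 0 if not.
 * With fix_applied == 0 it reproduces the reported behaviour: the weak
 * algorithm is flagged in *output but the return value stays 1. */
static int verify_one(enum sig_alg alg, unsigned *output, int fix_applied)
{
    int ret = 1; /* assume the signature itself checked out */
    if (alg == ALG_RSA_MD5) {
        if (output)
            *output |= ST_INSECURE_ALGORITHM | ST_INVALID;
        if (fix_applied)
            ret = 0; /* the one-line change proposed in the patch */
    }
    return ret;
}

/* Model of the chain-level caller: it only consults the per-certificate
 * flags when the callee returned 0. A result of 0 means "accepted". */
unsigned verify_chain(const enum sig_alg *chain, int n, int fix_applied)
{
    unsigned status = 0;
    for (int i = 0; i < n; i++) {
        unsigned output = 0;
        if (verify_one(chain[i], &output, fix_applied) == 0)
            status |= output | ST_INVALID;
    }
    return status;
}

/* Constructed two-certificate chain; the second entry is optionally MD5. */
unsigned demo_status(int with_md5, int fix_applied)
{
    enum sig_alg chain[2] = { ALG_RSA_SHA256, ALG_RSA_SHA256 };
    if (with_md5)
        chain[1] = ALG_RSA_MD5;
    return verify_chain(chain, 2, fix_applied);
}

int main(void)
{
    printf("before fix: status=0x%x\n", demo_status(1, 0));
    printf("after fix:  status=0x%x\n", demo_status(1, 1));
    return 0;
}
```

In the model, the MD5-signed chain is accepted without the `ret = 0` assignment because the flags set by the callee are never read, which is the failure mode the message reports.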