
Re: gnutls fails to use Verisign CA cert without a Basic Constraint

From: Simon Josefsson
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Sat, 10 Jan 2009 13:11:10 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Daniel Kahn Gillmor <address@hidden> writes:

> On 01/09/2009 11:54 AM, Simon Josefsson wrote:
>> "Douglas E. Engert" <address@hidden> writes:
>>> Also should line 444 be |= rather the ^= ?
>> That code is meant to _remove_ the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
>> flag from the flags parameter, unless
> But ^= is bitwise xor, which *flips* the relevant bit, rather than
> removing it.  I think we want something like this, no?

Indeed.  It would be nice if we could come up with an X.509 chain and
necessary flags that arguably trigger incorrect behaviour with the
current code before changing this though.  That could go into the
chainverify.c self-test.

Hm.  I'm not sure the code results in incorrect behaviour though -- the
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag only matters for root certs, but
those aren't touched by this code anyway, are they?  They are removed
earlier in the same function.  However, maybe the function searches for
the root cert and finds it through some other mechanism...

Anyway, coming up with an example that triggers incorrect behaviour
would be the best here, and would give more confidence in the patch.
Could you try and create such an example?


> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index c00b4bf..6ad4495 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -442,7 +442,7 @@ _gnutls_x509_verify_certificate (const
> gnutls_x509_crt_t * certificate_list,
>         * certificates can exist in a supplied chain.
>         */
>        if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
> -     flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
> +     flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
>        if ((ret =
>          _gnutls_verify_certificate2 (certificate_list[i - 1],
>                                       &certificate_list[i], 1, flags,
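Review bot: the `^=` on the removed line does not remove the flag, it toggles it, so a caller that never set GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ends up with the bit enabled for the `_gnutls_verify_certificate2` call that follows, and a caller that did set it gets it switched back on if this statement is reached again with the same `flags` value. `flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` clears the bit regardless of prior state, which is what the comment above it about which certificates may exist in a supplied chain asks for. Worth pairing with a chainverify.c self-test that passes flags without the V1-CA bit and checks the verification result, so the intent is locked in.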
>       --dkg
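As an added illustration (not GnuTLS code, and not part of this thread), the following models the flag adjustment from the hunk with both operators. The bit values of the two flags are assumed for the example, and the loop over several chain links is an assumption about how the same `flags` variable could be reused; the single-link case alone shows the difference.

```c
/* Added example, not GnuTLS code: models the per-link flag adjustment
 * from the patch with the original (xor) and the patched (and-not)
 * operator.  Flag bit values below are assumed for illustration. */
#include <stdio.h>

#define ALLOW_X509_V1_CA_CRT     (1u << 0)  /* assumed bit value */
#define ALLOW_ANY_X509_V1_CA_CRT (1u << 1)  /* assumed bit value */

/* Apply the adjustment once, as the code in the hunk does. */
static unsigned adjust_flags(unsigned flags, int patched)
{
    if (!(flags & ALLOW_ANY_X509_V1_CA_CRT)) {
        if (patched)
            flags &= ~ALLOW_X509_V1_CA_CRT;  /* clear: idempotent */
        else
            flags ^= ALLOW_X509_V1_CA_CRT;   /* toggle: depends on prior state */
    }
    return flags;
}

/* Assumed model: the same flags value is adjusted once per chain link
 * before each issuer check.  Returns the flags in effect at the last link. */
static unsigned flags_at_last_link(unsigned initial, int links, int patched)
{
    unsigned flags = initial;
    for (int i = 0; i < links; i++)
        flags = adjust_flags(flags, patched);
    return flags;
}

/* 1 if V1 CA certificates would be accepted at the last link, else 0. */
static int v1_ca_allowed_at_last_link(unsigned initial, int links, int patched)
{
    return (flags_at_last_link(initial, links, patched)
            & ALLOW_X509_V1_CA_CRT) != 0;
}

int main(void)
{
    /* Caller never asked for V1 CA certs: xor turns the allowance on. */
    for (int links = 1; links <= 3; links++)
        printf("%d link(s), flags=0: xor->%d  and-not->%d\n", links,
               v1_ca_allowed_at_last_link(0, links, 0),
               v1_ca_allowed_at_last_link(0, links, 1));
    return 0;
}
```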
