diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-12 16:11:58 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-12 16:38:00 +0100 |
commit | b1abfe3d182d68539900092eb42fc62cf1bb7e7c (patch) | |
tree | b7f860681184536f39afad2a6b55cb7a1becd0a4 | |
parent | a49d49d0520fa738c03cb714eb0d8040177108c6 (diff) | |
download | gnutls-b1abfe3d182d68539900092eb42fc62cf1bb7e7c.tar.gz |
Fix bug that prevented the rejection of v1 intermediate CA certificates.
Reported by Suman Jana.
-rw-r--r-- | lib/x509/verify.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 2b64ab690b..b916ee51de 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -193,6 +193,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, result = 1; goto cleanup; } + /* Handle V1 CAs that do not have a basicConstraint, but accept these certs only if the appropriate flags are set. */ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) && @@ -692,8 +693,10 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list, /* note that here we disable this V1 CA flag. So that no version 1 * certificates can exist in a supplied chain. */ - if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) { flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; + } if ((ret = _gnutls_verify_certificate2(certificate_list[i - 1], &certificate_list[i], 1, |