authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-12 16:11:58 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-12 16:38:00 +0100
commitb1abfe3d182d68539900092eb42fc62cf1bb7e7c (patch)
treeb7f860681184536f39afad2a6b55cb7a1becd0a4
parenta49d49d0520fa738c03cb714eb0d8040177108c6 (diff)
Fix bug that prevented the rejection of v1 intermediate CA certificates.
Reported by Suman Jana.
-rw-r--r--lib/x509/verify.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 2b64ab690b..b916ee51de 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -193,6 +193,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
result = 1;
goto cleanup;
}
+
/* Handle V1 CAs that do not have a basicConstraint, but accept
these certs only if the appropriate flags are set. */
else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
@@ -692,8 +693,10 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
/* note that here we disable this V1 CA flag. So that no version 1
* certificates can exist in a supplied chain.
*/
- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+ }
if ((ret =
_gnutls_verify_certificate2(certificate_list[i - 1],
&certificate_list[i], 1,
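Review bot: The comment at lines 29–31 still describes only the old behaviour (clearing the allow flag), while the block now also sets `GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT`; I would reword it to `/* Unless the caller allows any V1 CA, clear the V1-CA allow flag AND set DO_NOT_ALLOW, so that check_if_ca rejects a V1 intermediate whatever its own default treatment of the flags is. */`. The first hunk suggests check_if_ca accepts a basicConstraints-less V1 CA "only if the appropriate flags are set", so clearing the allow bit alone was presumably not sufficient — naming that dependency in the comment keeps a later change to check_if_ca's flag test from silently reintroducing the bug. Since `flags` is rewritten on every pass of the surrounding loop, a regression test with a chain containing a V1 intermediate and default verification flags would pin the fix. _gnutls_x509_verify_certificate starts and ends outside this hunk.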