author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-16 10:58:06 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-16 11:20:06 +0200 |
commit | 63e39ceeffaa89d92dc1b6a871f795d21b0ae73b (patch) | |
tree | f5a93ab2bb7219308a79bb106e2bfaeeda8c3d53 | |
parent | 2ff7411111834bf497eb9ec45bb45670506e0b93 (diff) | |
download | gnutls-63e39ceeffaa89d92dc1b6a871f795d21b0ae73b.tar.gz |
hostname and key purpose checks were moved above CRL checks
-rw-r--r-- | lib/x509/verify-high.c | 54 |
1 files changed, 28 insertions, 26 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index d296a5115c..86b49a2975 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -936,6 +936,34 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 }
 }
+ /* End-certificate, key purpose and hostname checks. */
+ if (purpose) do {
+ gnutls_datum_t ext_data = {NULL, 0};
+
+ ret = gnutls_x509_crt_get_extension_by_oid2(cert_list[0], "2.5.29.37", 0, &ext_data, NULL);
+ if (ret < 0) {
+ /* it's not a fatal error if the extended key usage extension isn't there */
+ gnutls_assert();
+ break;
+ }
+
+ ret = check_key_purpose(cert_list[0], &ext_data, voutput, purpose);
+ gnutls_free(ext_data.data);
+
+ if (ret < 0) {
+ gnutls_assert();
+ }
+ } while(0);
+
+ if (hostname) {
+ ret =
+ gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags);
+ if (ret == 0)
+ *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
+ }
+
+ /* CRL checks follow */
+
 if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
 return 0;
@@ -974,32 +1002,6 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 }
 }
- /* check the purpose if given */
- if (purpose) do {
- gnutls_datum_t ext_data = {NULL, 0};
-
- ret = gnutls_x509_crt_get_extension_by_oid2(cert_list[0], "2.5.29.37", 0, &ext_data, NULL);
- if (ret < 0) {
- /* it's not a fatal error if the extended key usage extension isn't there */
- gnutls_assert();
- break;
- }
-
- ret = check_key_purpose(cert_list[0], &ext_data, voutput, purpose);
- gnutls_free(ext_data.data);
-
- if (ret < 0) {
- gnutls_assert();
- }
- } while(0);
-
- if (hostname) {
- ret =
- gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags);
- if (ret == 0)
- *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
- }
-
 return 0;
 }
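Review bot: With the purpose and hostname checks now placed ahead of `if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0;`, a hostname or purpose mismatch short-circuits the CRL lookup, so a caller inspecting `*voutput` will no longer see GNUTLS_CERT_REVOKED reported alongside GNUTLS_CERT_UNEXPECTED_OWNER; if that is intended, the added comment should say so, e.g. `/* CRL checks follow; they are skipped once the chain, purpose or hostname checks have already flagged the certificate */`. Separately, the moved `if (ret < 0) { gnutls_assert(); break; }` after gnutls_x509_crt_get_extension_by_oid2 treats every error as "extension absent", so a malformed extended key usage extension silently skips check_key_purpose and the certificate passes as if unrestricted; narrowing the benign case to `if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break;` and letting any other error mark the certificate, `if (ret < 0) { gnutls_assert(); *voutput |= GNUTLS_CERT_INVALID; break; }`, would close that gap. Whether the CRL code that follows reads `ret` after a failed check_key_purpose leaves it negative cannot be seen from this hunk. gnutls_x509_trust_list_verify_crt2 starts before this hunk and continues after it.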