author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-07-13 18:02:13 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-07-13 18:03:45 +0200 |
commit | a1b44f677aff32d6cfc7f494a47b8de86c81fb21 (patch) | |
tree | aff90d0bcf0ce309d4684ac00ef528add361eef9 /lib | |
parent | 14c40c59ac375185f8f54aba49931f918832105e (diff) | |
download | gnutls-a1b44f677aff32d6cfc7f494a47b8de86c81fb21.tar.gz |
When verifying a certificate chain make sure it is a chain.
If the chain is interrupted (wrong) at some point then truncate,
only try to verify the correct part. Patch by David Woodhouse.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/x509/verify-high.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b9572b2f02..3b3c02ceb3 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -350,6 +350,18 @@ static int shorten_clist(gnutls_x509_trust_list_t list, uint32_t hash; gnutls_datum_t dn; + /* Start by truncating any disjoint list of certificates. For + * example, if the server presented a chain A->B->C->X->Y->Z + * where X is *not* actually the issuer of C, truncate at C. + */ + for(i=1;i<clist_size;i++) { + if (!gnutls_x509_crt_check_issuer(certificate_list[i-1], + certificate_list[i])) { + gnutls_assert(); + clist_size = i; + } + } + if (clist_size > 1) { /* Check if the last certificate in the path is self signed. * In that case ignore it (a certificate is trusted only if it |
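Review bot: the truncation loop in shorten_clist() relies on the reassignment `clist_size = i;` to end the loop on the next `i<clist_size` test rather than stopping explicitly; adding a `break;` after `clist_size = i;` would make the intent (stop at the first break in the chain) obvious and avoid calling gnutls_x509_crt_check_issuer() on a pair that is already known to be disjoint. The loop variable `i` is not declared in the visible context (`uint32_t hash; gnutls_datum_t dn;`), so confirm it is declared earlier in the function. The truncation is silent apart from gnutls_assert(); since the remaining `clist_size` certificates are then verified against the trust list and a chain cut at C fails unless C (or its issuer) is trusted, the behaviour is correct, but a debug log line stating at which index the chain was cut would make such failures much easier to diagnose on the server side.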