Commit ba61a82a authored by Jean-Baptiste Kempf's avatar Jean-Baptiste Kempf

Contrib: gnutls, do not reject blindly self-signed certificates

See upstream #347 (fixed in 3.6.x branch)

Close #19400
parent c292144a
From 32b56287cc9d07dfbbc2ee21b70a8fbe1f2d9f2f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 30 Dec 2017 19:57:08 +0100
Subject: [PATCH] x509/verify: when verifying against a self signed certificate ignore issuer
That is, ignore issuer when checking the issuer's parameters strength. That
resolves the issue of marking self-signed certificates as with insecure
parameters during verification.
Resolves #347
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
lib/x509/verify.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 26b1ab3..a59e637 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -431,11 +431,13 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
_gnutls_debug_log(#level": certificate's security level is unacceptable\n"); \
return gnutls_assert_val(0); \
} \
- sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
- if (sp < level) { \
- _gnutls_cert_log("issuer", issuer); \
- _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
- return gnutls_assert_val(0); \
+ if (issuer) { \
+ sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
+ if (sp < level) { \
+ _gnutls_cert_log("issuer", issuer); \
+ _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
+ return gnutls_assert_val(0); \
+ } \
} \
break;
--
libgit2 0.26.0
......@@ -19,6 +19,7 @@ $(TARBALLS)/gnutls-$(GNUTLS_VERSION).tar.xz:
gnutls: gnutls-$(GNUTLS_VERSION).tar.xz .sum-gnutls
$(UNPACK)
$(APPLY) $(SRC)/gnutls/32b5628-upstream.patch
$(APPLY) $(SRC)/gnutls/gnutls-pkgconfig-static.patch
ifdef HAVE_WIN32
$(APPLY) $(SRC)/gnutls/gnutls-win32.patch
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment