From: Nikos Mavrogiannopoulos Date: Fri, 13 Jul 2012 16:02:13 +0000 (+0200) Subject: When verifying a certificate chain make sure it is chain. X-Git-Tag: gnutls_3_1_0pre0~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6824de916dafe17bc72042ba4b7a741b8703c63;p=thirdparty%2Fgnutls.git When verifying a certificate chain make sure it is chain. If the chain is interrupted (wrong) at some point then truncate, only try to verify the correct part. Patch by David Woodhouse. --- diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 83b3cf0adb..4ecab5b66f 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -350,6 +350,18 @@ static int shorten_clist(gnutls_x509_trust_list_t list, uint32_t hash; gnutls_datum_t dn; + /* Start by truncating any disjoint list of certificates. For + * example, if the server presented a chain A->B->C->X->Y->Z + * where X is *not* actually the issuer of C, truncate at C. + */ + for(i=1;i 1) { /* Check if the last certificate in the path is self signed. * In that case ignore it (a certificate is trusted only if it