check for CAs with the same key in gnutls_x509_trust_list_add_cas
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 16 Sep 2014 08:49:19 +0000 (10:49 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 16 Sep 2014 09:02:55 +0000 (11:02 +0200)
That way, when GNUTLS_TL_NO_DUPLICATE_KEY is specified, the added CA will
overwrite any previous one with the same name and key.

lib/includes/gnutls/x509.h
lib/x509/common.h
lib/x509/verify-high.c
lib/x509/verify.c

index 14038b6f2dd748610d00e4f8d2b5d2c78b310f14..d86b0ef655c6c8627f533b098a402051a5af32f8 100644 (file)
@@ -1251,6 +1251,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t
 #define GNUTLS_TL_VERIFY_CRL 1
 #define GNUTLS_TL_USE_IN_TLS (1<<1)
 #define GNUTLS_TL_NO_DUPLICATES (1<<2)
+#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3)
 int
 gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
                               const gnutls_x509_crt_t * clist,
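Review bot: The new GNUTLS_TL_NO_DUPLICATE_KEY define carries no comment, and nothing in this header tells an API user how it differs from GNUTLS_TL_NO_DUPLICATES one line above it; from the verify.c side of this commit the difference is that a match is decided by the CA's name and public key rather than by the whole certificate. A one-line comment on the define would avoid callers guessing, e.g. `#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3) /* treat a CA with the same name and key as an existing entry as a duplicate, even if the certificates differ */`. Whether a match replaces the stored CA, as the commit message says, or drops the new one is not visible in this hunk, so the comment should state whichever the trust-list code actually does, and the gnutls_x509_trust_list_add_cas documentation (outside this view) should list the flag alongside the others.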
index 582d482bae1f86302e3dc553e4b0cb9f1947a556..cdcdf8224afabf38f087c2cee5bf90e3772a2c3c 100644 (file)
@@ -182,6 +182,11 @@ int
 _gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw,
                         const char *whom, gnutls_datum_t * dn);
 
+bool
+_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
+                         gnutls_x509_crt_t cert2,
+                         unsigned is_ca);
+
 bool
 _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
                           gnutls_datum_t *cert2bin);
index 86b49a297531fca6f9b98d2fc542ae453047370a..ef744bcf818dbda8fb033012fe8de02881396c73 100644 (file)
@@ -243,9 +243,13 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
                hash %= list->size;
 
                /* avoid duplicates */
-               if (flags & GNUTLS_TL_NO_DUPLICATES) {
+               if (flags & GNUTLS_TL_NO_DUPLICATES || flags & GNUTLS_TL_NO_DUPLICATE_KEY) {
                        for (j=0;j<list->node[hash].trusted_ca_size;j++) {
-                               if (_gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]) != 0) {
+                               if (flags & GNUTLS_TL_NO_DUPLICATES)
+                                       ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);
+                               else
+                                       ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);
+                               if (ret != 0) {
                                        exists = 1;
                                        break;
                                }
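Review bot: When a caller passes both GNUTLS_TL_NO_DUPLICATES and GNUTLS_TL_NO_DUPLICATE_KEY, the inner `if (flags & GNUTLS_TL_NO_DUPLICATES)` always takes the first branch and `_gnutls_check_if_same_key` is never called, so the key flag is silently ignored in exactly the combination a cautious caller might pass. Because two identical certificates necessarily share name and key, the broader check should win: swap the branches so `if (flags & GNUTLS_TL_NO_DUPLICATE_KEY)` selects `ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);` and the `else` falls back to `_gnutls_check_if_same_cert(...)`. A key-only match also means a CA whose validity, name constraints or other extensions differ from the stored entry is treated as the same CA; the hunk stops at `exists = 1; break;` before `exists` is consumed, so whether the stored entry is replaced (as the description states) or the new one discarded, and hence whose constraints are enforced afterwards, cannot be confirmed from here. Writing the combined condition as `if ((flags & GNUTLS_TL_NO_DUPLICATES) || (flags & GNUTLS_TL_NO_DUPLICATE_KEY))` would also make the precedence explicit. The function continues outside the hunk.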
@@ -694,7 +698,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
                 * persistent. It will be deallocated when the trust list is.
                 */
                ret = gnutls_x509_trust_list_add_trust_mem(list, &der, NULL,
-                       GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATES, 0);
+                       GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATE_KEY, 0);
                if (ret < 0)
                        return gnutls_assert_val(ret);
 
index 030297318a8dd1989a7b51516dc8ef7e8ab300c2..b515d17d5fb1b22f74a8d5b3eaedce6a2bdb353b 100644 (file)
@@ -42,7 +42,7 @@
 /* Checks if two certs have the same name and the same key.  Return 1 on match. 
  * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
  */
-static bool
+bool
 _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
                          gnutls_x509_crt_t cert2,
                          unsigned is_ca)
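Review bot: With `static` dropped, _gnutls_check_if_same_key becomes a library-wide helper, but its header comment still says "Return 1 on match" although the return type is `bool`, and it explains @is_ca only by the zero case without saying what a non-zero value changes, which is precisely what the new trust-list caller relies on by passing 1. Suggest `/* Checks whether two certs have the same subject name and the same public key. Returns true on match. If @is_ca is zero this is identical to _gnutls_check_if_same_cert(); otherwise <describe what is compared> */`, with the placeholder filled in from the body. The function body lies outside the hunk, so what is_ca != 0 actually compares cannot be confirmed from here.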