From: Nikos Mavrogiannopoulos
Date: Tue, 16 Sep 2014 08:49:19 +0000 (+0200)
Subject: check for CAs with the same key in gnutls_x509_trust_list_add_cas
X-Git-Tag: gnutls_3_4_0~931
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8a0b7c9fc3db697577fcda01489be5452966f69;p=thirdparty%2Fgnutls.git

check for CAs with the same key in gnutls_x509_trust_list_add_cas

That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA will overwrite any previous one with the same name and key.
---

diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 14038b6f2d..d86b0ef655 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -1251,6 +1251,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t
 #define GNUTLS_TL_VERIFY_CRL 1
 #define GNUTLS_TL_USE_IN_TLS (1<<1)
 #define GNUTLS_TL_NO_DUPLICATES (1<<2)
+#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3)
 int gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
 const gnutls_x509_crt_t * clist,
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 582d482bae..cdcdf8224a 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -182,6 +182,11 @@ int _gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw,
 const char *whom,
 gnutls_datum_t * dn);
+bool
+_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
+ gnutls_x509_crt_t cert2,
+ unsigned is_ca);
+
 bool
 _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 gnutls_datum_t *cert2bin);
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 86b49a2975..ef744bcf81 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
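Review bot: The new public flag GNUTLS_TL_NO_DUPLICATE_KEY in the x509.h hunk is added without any comment stating what it treats as a duplicate, and unlike an internal helper this is API that callers will read straight from the header. The verify.c hunk shows the comparison it selects matches on subject name and public key rather than on the whole certificate, and the commit message says the later certificate then replaces the earlier one, which is not visible here and should be confirmed. A line such as `/* a CA with the same subject name and public key as an existing trusted CA is a duplicate; see gnutls_x509_trust_list_add_cas() for how duplicates are handled */` above the define would let users pick between this flag and GNUTLS_TL_NO_DUPLICATES without reading the implementation.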
@@ -243,9 +243,13 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
 hash %= list->size;
 /* avoid duplicates */
- if (flags & GNUTLS_TL_NO_DUPLICATES) {
+ if (flags & GNUTLS_TL_NO_DUPLICATES || flags & GNUTLS_TL_NO_DUPLICATE_KEY) {
 for (j=0;jnode[hash].trusted_ca_size;j++) {
- if (_gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]) != 0) {
+ if (flags & GNUTLS_TL_NO_DUPLICATES)
+ ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);
+ else
+ ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);
+ if (ret != 0) {
 exists = 1;
 break;
 }
@@ -694,7 +698,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
 * persistent. It will be deallocated when the trust list is.
 */
 ret = gnutls_x509_trust_list_add_trust_mem(list, &der, NULL,
- GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATES, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATE_KEY, 0);
 if (ret < 0)
 return gnutls_assert_val(ret);
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 030297318a..b515d17d5f 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -42,7 +42,7 @@
 /* Checks if two certs have the same name and the same key. Return 1 on match.
 * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
 */
-static bool
+bool
 _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
 gnutls_x509_crt_t cert2,
 unsigned is_ca)
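Review bot: When a caller passes both GNUTLS_TL_NO_DUPLICATES and GNUTLS_TL_NO_DUPLICATE_KEY, the new if/else inside the loop runs only _gnutls_check_if_same_cert(), so a trusted CA that shares name and key with clist[i] but differs elsewhere is silently not treated as a duplicate even though the second flag asked for exactly that. Either document in x509.h that GNUTLS_TL_NO_DUPLICATES takes precedence, or make the checks cumulative: `ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);` / `if (ret == 0 && (flags & GNUTLS_TL_NO_DUPLICATE_KEY))` / `ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);` — an exact match already implies a name-and-key match, so behaviour with a single flag is unchanged. As a matter of style, `ret` appears to be the function's status variable elsewhere in this file (it receives the result of gnutls_x509_trust_list_add_trust_mem() in the second hunk), so a dedicated local for the comparison result would keep the two meanings apart. What happens once `exists` is set, whether the new certificate is dropped or replaces the trusted entry as the commit message says, is outside this hunk, as is the rest of gnutls_x509_trust_list_add_cas().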
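Review bot: In the gnutls_x509_trust_list_get_issuer() hunk the call now passes GNUTLS_TL_NO_DUPLICATE_KEY, so an issuer fetched here that has the same subject name and public key as a CA already in the list is treated as a duplicate of it; per the commit message the existing trusted entry is then overwritten, which happens in code outside this hunk and should be confirmed. If the two certificates differ in validity or extensions, later verification results depend on which one was added last, and nothing at the call site records that this is intended. A short comment, e.g. `/* GNUTLS_TL_NO_DUPLICATE_KEY: a CA with the same name and key as one already trusted is treated as the same anchor */`, would make the choice over GNUTLS_TL_NO_DUPLICATES deliberate for the next reader; the enclosing function continues beyond the hunk.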