Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
gnutls.16449
0003-x509-trigger-fallback-verification-path-wh...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0003-x509-trigger-fallback-verification-path-when-cert-is.patch of Package gnutls.16449
From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno@gnu.org> Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is expired gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN to trigger the fallback verification path if the signer of the last certificate is not in the trust store. Previously, it doesn't take into account of the condition where the certificate is expired. Signed-off-by: Daiki Ueno <ueno@gnu.org> --- lib/x509/verify-high.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b1421ef17a..40638ad3aa 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, #define LAST_DN cert_list[cert_list_size-1]->raw_dn #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn -/* This macro is introduced to detect a verification output - * which indicates an unknown signer, or a signer which uses - * an insecure algorithm (e.g., sha1), something that indicates - * a superseded signer */ -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) +/* This macro is introduced to detect a verification output which + * indicates an unknown signer, a signer which uses an insecure + * algorithm (e.g., sha1), a signer has expired, or something that + * indicates a superseded signer */ +#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ + (output & GNUTLS_CERT_EXPIRED) || \ + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) /** -- 2.25.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor