author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-21 13:15:11 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-21 13:17:06 +0200 |
commit | f74bfe0b83d815ebc880a091e170f46a95ad2d84 (patch) | |
tree | 59c06ebdca9e5e0859af2465d6a7cb4e8adbc2b3 /lib/x509 | |
parent | e8c8adf4ca622b0601e146b53f077ba3499fc861 (diff) | |
download | gnutls-f74bfe0b83d815ebc880a091e170f46a95ad2d84.tar.gz |
x509: when appending CRLs to a trust list ensure that we don't have duplicates
That is, a CRL that has been obsoleted by a newer one is overwritten.
Diffstat (limited to 'lib/x509')
-rw-r--r-- | lib/x509/verify-high.c | 33 | ||||
-rw-r--r-- | lib/x509/verify-high2.c | 2 |
2 files changed, 32 insertions, 3 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index f369f66d1c..ff5524e4e0 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -688,7 +688,10 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
 * during this structure's lifetime.
 *
 * This function must be called after gnutls_x509_trust_list_add_cas()
- * to allow verifying the CRLs for validity.
+ * to allow verifying the CRLs for validity. If the flag %GNUTLS_TL_NO_DUPLICATES
+ * is given, then any provided CRLs that are a duplicate, will be deinitialized
+ * and not added to the list (that assumes that gnutls_x509_trust_list_deinit()
+ * will be called with all=1).
 *
 * Returns: The number of added elements is returned.
 *
@@ -701,6 +704,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 unsigned int verification_flags)
 {
 int ret, i, j = 0;
+ unsigned x;
 unsigned int vret = 0;
 uint32_t hash;
 
@@ -726,8 +730,31 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 trusted_ca_size,
 verification_flags,
 &vret);
- if (ret < 0 || vret != 0)
+ if (ret < 0 || vret != 0) {
+ _gnutls_debug_log("CRL verification failed, not adding it\n");
 continue;
+ }
+ }
+
+ /* If the CRL added overrides a previous one, then overwrite
+ * the old one */
+ if (flags & GNUTLS_TL_NO_DUPLICATES) {
+ for (x=0;x<list->node[hash].crl_size;x++) {
+ if (crl_list[i]->raw_issuer_dn.size == list->node[hash].crls[x]->raw_issuer_dn.size &&
+ memcmp(crl_list[i]->raw_issuer_dn.data, list->node[hash].crls[x]->raw_issuer_dn.data, crl_list[i]->raw_issuer_dn.size) == 0) {
+ if (gnutls_x509_crl_get_this_update(crl_list[i]) >=
+ gnutls_x509_crl_get_this_update(list->node[hash].crls[x])) {
+
+ gnutls_x509_crl_deinit(list->node[hash].crls[x]);
+ list->node[hash].crls[x] = crl_list[i];
+ goto next;
+ } else {
+ /* The new is older, discard it */
+ gnutls_x509_crl_deinit(crl_list[i]);
+ continue;
+ }
+ }
+ }
 }
 
 list->node[hash].crls =
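Review bot: The new doc paragraph says only that a duplicate *provided* CRL is deinitialized, but the overwrite path in the hunk at -726 also calls gnutls_x509_crl_deinit() on the CRL already stored in the list, so the all=1 assumption applies to CRLs added by earlier calls as well. Suggest extending the sentence to ` * and not added to the list, and a previously added CRL that is superseded by a newer one is likewise deinitialized (both assume that gnutls_x509_trust_list_deinit() will be called with all=1).` The comma in "that are a duplicate, will be" is stray.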
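Review bot: The `continue;` in the "new is older" branch advances only the inner `for (x...)` loop, so after `gnutls_x509_crl_deinit(crl_list[i]);` control falls through to the append below the hunk and the freed CRL is stored in list->node[hash].crls (and is compared again first if another stored CRL has the same issuer). Replace it with a jump past the append, e.g. `goto next;` as the overwrite path does; since `next:` (hunk at -744) precedes `j++`, a discarded CRL would then be counted in the return value, so a label placed after `j++` is cleaner. Matching on raw_issuer_dn alone also means a CRL of narrower scope from the same issuer — if the library accepts such CRLs here, which this page does not show — would displace a broader one that has an older thisUpdate. The enclosing loop over crl_list starts and ends outside the hunk.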
@@ -744,6 +771,8 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 list->node[hash].crls[list->node[hash].crl_size] = crl_list[i];
 list->node[hash].crl_size++;
 
+
+ next:
 j++;
 }
 
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index b7b69c29bf..558fa89e43 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -104,7 +104,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list,
- x509_ncrls, tl_flags,
+ x509_ncrls, tl_flags|GNUTLS_TL_NO_DUPLICATES,
 tl_vflags);
 gnutls_free(x509_crl_list); |