From f74bfe0b83d815ebc880a091e170f46a95ad2d84 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 21 Aug 2015 13:15:11 +0200
Subject: x509: when appending CRLs to a trust list ensure that we don't have duplicates

That is, overwrite CRLs if they have been obsoleted.
---
 lib/x509/verify-high.c | 33 +++++++++++++++++++++++++++++++--
 lib/x509/verify-high2.c | 2 +-
 2 files changed, 32 insertions(+), 3 deletions(-)

(limited to 'lib/x509')

diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index f369f66d1c..ff5524e4e0 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -688,7 +688,10 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
 * during this structure's lifetime.
 *
 * This function must be called after gnutls_x509_trust_list_add_cas()
- * to allow verifying the CRLs for validity.
+ * to allow verifying the CRLs for validity. If the flag %GNUTLS_TL_NO_DUPLICATES
+ * is given, then any provided CRLs that are a duplicate, will be deinitialized
+ * and not added to the list (that assumes that gnutls_x509_trust_list_deinit()
+ * will be called with all=1).
 *
 * Returns: The number of added elements is returned.
 *
@@ -701,6 +704,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 unsigned int verification_flags)
 {
 int ret, i, j = 0;
+ unsigned x;
 unsigned int vret = 0;
 uint32_t hash;
 
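Review bot: The new sentence on the `+ * is given` lines documents only that a duplicate CRL supplied by the caller is deinitialized, but the replacement path added later in this commit also frees the CRL that was already in the list whenever the incoming one has a thisUpdate that is newer or equal, so a caller that kept a pointer to a previously added CRL is left with a dangling one. It also never says what counts as a duplicate, which from the code is "same raw issuer DN", with thisUpdate deciding which one survives. I would extend the comment along the lines of `If %GNUTLS_TL_NO_DUPLICATES is given and a provided CRL has the same issuer as one already in the list, only the CRL with the most recent thisUpdate is kept; the other one (either the previously added or the provided one) is deinitialized, which assumes gnutls_x509_trust_list_deinit() will be called with all=1.` The function this comment belongs to continues outside the hunk.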
@@ -726,8 +730,31 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 trusted_ca_size,
 verification_flags,
 &vret);
- if (ret < 0 || vret != 0)
+ if (ret < 0 || vret != 0) {
+ _gnutls_debug_log("CRL verification failed, not adding it\n");
 continue;
+ }
+ }
+
+ /* If the CRL added overrides a previous one, then overwrite
+ * the old one */
+ if (flags & GNUTLS_TL_NO_DUPLICATES) {
+ for (x=0;xnode[hash].crl_size;x++) {
+ if (crl_list[i]->raw_issuer_dn.size == list->node[hash].crls[x]->raw_issuer_dn.size &&
+ memcmp(crl_list[i]->raw_issuer_dn.data, list->node[hash].crls[x]->raw_issuer_dn.data, crl_list[i]->raw_issuer_dn.size) == 0) {
+ if (gnutls_x509_crl_get_this_update(crl_list[i]) >=
+ gnutls_x509_crl_get_this_update(list->node[hash].crls[x])) {
+
+ gnutls_x509_crl_deinit(list->node[hash].crls[x]);
+ list->node[hash].crls[x] = crl_list[i];
+ goto next;
+ } else {
+ /* The new is older, discard it */
+ gnutls_x509_crl_deinit(crl_list[i]);
+ continue;
+ }
+ }
+ }
 }
 
 list->node[hash].crls =
@@ -744,6 +771,8 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
 list->node[hash].crls[list->node[hash].crl_size] = crl_list[i];
 list->node[hash].crl_size++;
+
+ next:
 j++;
 }
 
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index b7b69c29bf..558fa89e43 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -104,7 +104,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list,
- x509_ncrls, tl_flags,
+ x509_ncrls, tl_flags|GNUTLS_TL_NO_DUPLICATES,
 tl_vflags);
 gnutls_free(x509_crl_list);
-- cgit v1.2.1
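Review bot: The duplicate test in the new `if (flags & GNUTLS_TL_NO_DUPLICATES)` block keys on the raw issuer DN alone, so two CRLs from the same issuer that are not interchangeable (for example CRLs partitioned by distribution point, or a delta CRL alongside its base) are treated as duplicates and the one with the older thisUpdate is freed, silently dropping its revocation entries from the trust list; for revocation data this fails in the permissive direction. If partitioned or delta CRLs are not meant to be supported here, that limitation belongs in the function's doc comment (`/* only one full CRL per issuer is kept; partitioned and delta CRLs are not distinguished */`), otherwise the comparison should also consult the CRL's distribution point / delta indicator, or at least the CRL number via gnutls_x509_crl_get_number(), before overwriting. Separately, the loop header as rendered reads `for (x=0;xnode[hash].crl_size;x++)`; the `<list->` was presumably eaten by markup in this rendering, and the intended bound is `x < list->node[hash].crl_size`, worth confirming against the real source. Note also that on the `continue` path the caller's `crl_list[i]` now points at freed memory, which the function's doc comment only partly acknowledges. The enclosing for loop over crl_list starts before this hunk.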