From d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 3 Sep 2014 14:33:40 +0200
Subject: when comparing an end-certificate with the trusted list compare the entire certificate

---
 lib/x509/common.h | 2 +-
 lib/x509/verify.c | 28 ++++++++++++++++++++--------
 2 files changed, 21 insertions(+), 9 deletions(-)

(limited to 'lib')

diff --git a/lib/x509/common.h b/lib/x509/common.h
index 76ba54a123..f79d6b53e7 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -177,7 +177,7 @@ _gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw,
 bool _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
-				gnutls_datum_t * cert2bin);
+				gnutls_datum_t *cert2bin);
 bool _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7f9831a6e9..af302b8a7e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -39,14 +39,20 @@
 #include 
 #include 
-/* Checks if two certs have the same name and the same key. Return 1 on match. */
+/* Checks if two certs have the same name and the same key. Return 1 on match.
+ * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
+ */
 static bool
 _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
-			  gnutls_x509_crt_t cert2)
+			  gnutls_x509_crt_t cert2,
+			  unsigned is_ca)
 {
 	int ret;
 	bool result;
+	if (is_ca == 0)
+		return _gnutls_check_if_same_cert(cert1, cert2);
+
 	ret = _gnutls_is_same_dn(cert1, cert2);
 	if (ret == 0)
 		return 0;
@@ -57,7 +63,6 @@ _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
 	else
 		result = 0;
-      fail:
 	return result;
 }
@@ -78,7 +83,7 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 		return gnutls_assert_val(0);
 	}
-	ret = _gnutls_check_if_same_key(cert1, cert2);
+	ret = _gnutls_check_if_same_key(cert1, cert2, 1);
 	gnutls_x509_crt_deinit(cert2);
 	return ret;
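Review bot: The new `is_ca` parameter of `_gnutls_check_if_same_key()` (hunk @@ -39,14 +39,20 @@) names the caller's position in the chain rather than the comparison the function performs, so a literal `0` at a call site reads as "not a CA" instead of "compare the entire certificate". The added header comment documents only the zero case; it should also spell out the non-zero case, which the visible code shows is a DN match followed by a key match, e.g. `* If @is_ca is non-zero only the subject DN and the public key are compared.`. A name such as `key_only` would make the hard-coded `1` in `_gnutls_check_if_same_key2()` (hunk @@ -78,7 +83,7 @@) self-explanatory, and since the function is static the rename is local to this file. The body of `_gnutls_check_if_same_key()` continues past the hunk and ends in the @@ -57,7 +63,6 @@ hunk.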
@@ -887,7 +892,7 @@ _gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
 	 * because it can happen that a CA certificate is upgraded from intermediate
 	 * CA to self-signed CA at some point. */
 	if (_gnutls_check_if_same_key
-	    (certificate_list[i], trusted_cas[j]) != 0) {
+	    (certificate_list[i], trusted_cas[j], i) != 0) {
 		/* explicit time check for trusted CA that we remove from
 		 * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS */
@@ -1032,9 +1037,16 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 	i = 1; /* do not replace the first one */
 	for (; i < clist_size; i++) {
-		if (gnutls_pkcs11_crt_is_known (url, certificate_list[i],
-			GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-			GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) {
+		unsigned vflags;
+
+		if (i == 0) /* in the end certificate do full comparison */
+			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+				GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
+		else
+			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+				GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
+
+		if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
 			if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
 			    !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
-- 
cgit v1.2.1
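Review bot: Passing the loop index `i` as the `is_ca` argument in hunk @@ -887,7 +892,7 @@ is correct only because position 0 is the end certificate, and a reader has to know that convention to see that a plain index is being used as a flag; `(certificate_list[i], trusted_cas[j], i != 0) != 0) {` states the intent directly. The declaration of `i` is outside the hunk; if it is a signed `int`, the implicit conversion to `unsigned` is harmless for the non-negative indices used here but `-Wsign-conversion` would report it, and the explicit comparison avoids that too. `_gnutls_verify_crt_status()` starts and ends outside the hunk.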
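Review bot: The `if (i == 0)` branch added in hunk @@ -1032,9 +1037,16 @@ is unreachable: the loop is entered with `i = 1; /* do not replace the first one */` two lines above and only increments, so `vflags` always takes the `GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY` set and the end certificate is never compared in full on the PKCS#11 trust-module path, even though that is what the commit title announces. Unless an earlier part of `_gnutls_pkcs11_verify_crt_status()`, outside the hunk, already checks `certificate_list[0]` against the module with `GNUTLS_PKCS11_OBJ_FLAG_COMPARE`, the end certificate needs its own `gnutls_pkcs11_crt_is_known()` call before the loop, with the "do not replace" behaviour handled there rather than by skipping index 0; otherwise the dead full-comparison branch should be removed so the code does not document a check that is not performed. The rest of the `for` body continues past the hunk.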