$NetBSD: patch-CVE-2014-1959,v 1.1.2.1 2014/02/20 12:31:26 tron Exp $
https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d182d68539900092eb42fc62cf1bb7e7c
--- lib/x509/verify.c.orig 2013-11-10 17:59:14.000000000 +0000
+++ lib/x509/verify.c
@@ -167,6 +167,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnut
result = 1;
goto cleanup;
}
+
/* Handle V1 CAs that do not have a basicConstraint, but accept
these certs only if the appropriate flags are set. */
else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
@@ -666,8 +667,10 @@ _gnutls_x509_verify_certificate(const gn
/* note that here we disable this V1 CA flag. So that no version 1
* certificates can exist in a supplied chain.
*/
- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+ }
if ((ret =
_gnutls_verify_certificate2(certificate_list[i - 1],
&certificate_list[i], 1,
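Review bot: The comment above the changed block still says only that "we disable this V1 CA flag", but the new code additionally sets GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, so the comment no longer describes what the block does. Suggest rewording it to `/* Unless ALLOW_ANY_X509_V1_CA_CRT was given, clear the V1 CA allowance and explicitly forbid V1 CAs, so that no version 1 certificates can exist in a supplied chain. */`. Because `flags` is rewritten in place inside what appears to be the per-certificate loop (the `certificate_list[i - 1]` indexing), the mask operations presumably run on every iteration; they are idempotent, but stating that in the comment would spare the next reader the question. _gnutls_x509_verify_certificate continues outside the hunk, so whether the same flag is also passed to the final trust-anchor check cannot be confirmed from here.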