X.509 certificate verification in GNU TLS Library

Guido Trentalancia guido at trentalancia.com
Sun Sep 27 22:23:27 CEST 2009


I have tested the current GNU TLS Library against the issue reported at
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517 and
I believe the function _gnutls_x509_verify_certificate() in
lib/x509/verify.c needs to be modified according to the attached patch
in order for the certificate verification to work properly.

In fact, at the moment (version 2.8.4 and at least since the problem was
originally reported against branch 2.4.x as GNUTLS-SA-2009-3), the
certificate verification function returns the status after each check,
which implies that not all checks in _gnutls_x509_verify_certificate()
are necessarily performed. I believe the correct behaviour is that all
checks need to be performed (and stored in the variable "status" using
logical OR) and that the result in the variable "status" needs to be
returned only then.

After the attached patch is applied, the function returns only at the
end, after all the checks have been performed (and the result contained
in the variable "status" is the logical OR of the results of each check).

What I get is that only using this patch, the behaviour is consistent
with the expected results, as they have been outlined in the article
mentioned above.

Could somebody please double-check and eventually confirm? Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-2.8.4-cert-verification-return-status.patch
Type: text/x-patch
Size: 1337 bytes
Desc: not available
URL: </pipermail/attachments/20090927/aef5af0e/attachment.bin>
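The following is an added example, not the scrubbed patch and not code from lib/x509/verify.c. It models the two return strategies the post contrasts: an early return after the first failing check, versus running every check, accumulating the results into "status" with logical OR and returning once at the end. The struct, the status bits and the three checks are constructed stand-ins chosen only to make the difference visible; they do not correspond to GnuTLS's own types or constants.

```c
/* Added example, not GnuTLS code. Every type, flag value and check here is
 * constructed for illustration and does not match lib/x509/verify.c. */
#include <stdio.h>
#include <stdbool.h>

/* Constructed status bits; a verifier returns a bitmask of these. */
enum {
    STATUS_SIGNER_NOT_FOUND = 1 << 0,
    STATUS_EXPIRED          = 1 << 1,
    STATUS_NOT_ACTIVATED    = 1 << 2,
    STATUS_INSECURE_ALG     = 1 << 3
};

/* Minimal stand-in for a parsed certificate: only what each check needs. */
struct cert {
    bool issuer_known;
    long not_before;        /* seconds since epoch (constructed) */
    long not_after;
    bool weak_signature;
};

/* Each check returns 0 when it passes, otherwise the status bit(s) it sets. */
static unsigned check_issuer(const struct cert *c)
{
    return c->issuer_known ? 0 : STATUS_SIGNER_NOT_FOUND;
}

static unsigned check_validity(const struct cert *c, long now)
{
    unsigned s = 0;
    if (now < c->not_before) s |= STATUS_NOT_ACTIVATED;
    if (now > c->not_after)  s |= STATUS_EXPIRED;
    return s;
}

static unsigned check_algorithm(const struct cert *c)
{
    return c->weak_signature ? STATUS_INSECURE_ALG : 0;
}

/* The behaviour the post describes as current: the first failing check
 * short-circuits, so any later problem is never reported to the caller. */
unsigned verify_early_return(const struct cert *c, long now)
{
    unsigned status;
    if ((status = check_issuer(c)) != 0)        return status;
    if ((status = check_validity(c, now)) != 0) return status;
    if ((status = check_algorithm(c)) != 0)     return status;
    return 0;
}

/* The behaviour the post argues for: run every check, OR each result into
 * "status", and return only at the end. */
unsigned verify_accumulate(const struct cert *c, long now)
{
    unsigned status = 0;
    status |= check_issuer(c);
    status |= check_validity(c, now);
    status |= check_algorithm(c);
    return status;
}

/* Constructed certificate that fails three checks at once: unknown issuer,
 * expired (now is past not_after) and a weak signature algorithm. */
static const struct cert bad_cert = { false, 1000, 2000, true };
static const long demo_now = 3000;

unsigned demo_early_return(void) { return verify_early_return(&bad_cert, demo_now); }
unsigned demo_accumulate(void)   { return verify_accumulate(&bad_cert, demo_now); }

/* A constructed certificate that passes everything; both strategies agree. */
static const struct cert good_cert = { true, 1000, 5000, false };
unsigned demo_good_accumulate(void) { return verify_accumulate(&good_cert, demo_now); }

int main(void)
{
    printf("early return : 0x%x\n", demo_early_return());   /* 0x1 */
    printf("accumulated  : 0x%x\n", demo_accumulate());     /* 0xb */
    printf("good cert    : 0x%x\n", demo_good_accumulate()); /* 0x0 */
    return 0;
}
```

With the early return, the caller learns only that the issuer is unknown; the expired validity period and the weak algorithm are silently dropped, which is the gap the post describes. The accumulating version reports all three bits, so a caller that inspects "status" sees every reason the certificate failed.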
