[vlc-commits] Contrib: gnutls, do not reject blindly self-signed certificates
Jean-Baptiste Kempf
git at videolan.org
Wed Jan 3 13:43:05 CET 2018
vlc | branch: master | Jean-Baptiste Kempf <jb at videolan.org> | Wed Jan 3 13:42:07 2018 +0100| [ba61a82a6b3b7961d1da46b9e96481a3cbe5dead] | committer: Jean-Baptiste Kempf
Contrib: gnutls, do not reject blindly self-signed certificates
See upstream GnuTLS issue #347 (fixed in the 3.6.x branch)
Close #19400
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ba61a82a6b3b7961d1da46b9e96481a3cbe5dead
---
contrib/src/gnutls/32b5628-upstream.patch | 42 +++++++++++++++++++++++++++++++
contrib/src/gnutls/rules.mak | 1 +
2 files changed, 43 insertions(+)
diff --git a/contrib/src/gnutls/32b5628-upstream.patch b/contrib/src/gnutls/32b5628-upstream.patch
new file mode 100644
index 0000000000..70ffdce4ed
--- /dev/null
+++ b/contrib/src/gnutls/32b5628-upstream.patch
@@ -0,0 +1,42 @@
+From 32b56287cc9d07dfbbc2ee21b70a8fbe1f2d9f2f Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Sat, 30 Dec 2017 19:57:08 +0100
+Subject: [PATCH] x509/verify: when verifying against a self signed certificate ignore issuer
+
+That is, ignore issuer when checking the issuer's parameters strength. That
+resolves the issue of marking self-signed certificates as with insecure
+parameters during verification.
+
+Resolves #347
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+---
+ lib/x509/verify.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 26b1ab3..a59e637 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -431,11 +431,13 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
+ _gnutls_debug_log(#level": certificate's security level is unacceptable\n"); \
+ return gnutls_assert_val(0); \
+ } \
+- sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
+- if (sp < level) { \
+- _gnutls_cert_log("issuer", issuer); \
+- _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
+- return gnutls_assert_val(0); \
++ if (issuer) { \
++ sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
++ if (sp < level) { \
++ _gnutls_cert_log("issuer", issuer); \
++ _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
++ return gnutls_assert_val(0); \
++ } \
+ } \
+ break;
+
+--
+libgit2 0.26.0
+
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
index d0a7c30a1f..a162adf927 100644
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -19,6 +19,7 @@ $(TARBALLS)/gnutls-$(GNUTLS_VERSION).tar.xz:
gnutls: gnutls-$(GNUTLS_VERSION).tar.xz .sum-gnutls
$(UNPACK)
+ $(APPLY) $(SRC)/gnutls/32b5628-upstream.patch
$(APPLY) $(SRC)/gnutls/gnutls-pkgconfig-static.patch
ifdef HAVE_WIN32
$(APPLY) $(SRC)/gnutls/gnutls-win32.patch