Mercurial > pidgin.yaz
changeset 31621:24d62d6f72cc
merge of '4bfdb2f4a2c641b32d5e00e30482664d4ec477be'
and '5aa17ddee0b82b3593aa265d48ac7d5b63375830'
author | Paul Aurich <paul@darkrain42.org> |
---|---|
date | Sun, 30 Jan 2011 17:51:40 +0000 |
parents | e89df17f5ae7 (diff) 23233d000adf (current diff) |
children | c9e4250c5b0d 17a4b32f4d46 |
files | ChangeLog |
diffstat | 2 files changed, 19 insertions(+), 15 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Sun Jan 30 10:18:39 2011 +0000 +++ b/ChangeLog Sun Jan 30 17:51:40 2011 +0000 @@ -10,6 +10,8 @@ * Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638) * Added AddTrust External Root CA. (#11554) + * Resolve some issues validating X.509 certificates signed off the CAcert + Class 3 intermediate cert when using the GnuTLS SSL/TLS plugin. Gadu-Gadu: * Don't drop whole messages when text is colored. (Jan Zachorowski)
--- a/libpurple/certificate.c Sun Jan 30 10:18:39 2011 +0000 +++ b/libpurple/certificate.c Sun Jan 30 17:51:40 2011 +0000 @@ -1602,7 +1602,7 @@ GSList *ca_crts, *cur; GByteArray *last_fpr, *ca_fpr; gboolean valid = FALSE; - gchar *ca_id; + gchar *ca_id, *ca2_id; peer_crt = (PurpleCertificate *) chain->data; @@ -1619,7 +1619,6 @@ return; } /* if (self signed) */ - /* Next, attempt to verify the last certificate against a CA */ ca = purple_certificate_find_pool(x509_tls_cached.scheme_name, "ca"); /* Next, check that the certificate chain is valid */ @@ -1669,6 +1668,9 @@ return; } /* if (signature chain not good) */ + /* Next, attempt to verify the last certificate is signed by a trusted + * CA, or is a trusted CA (based on fingerprint). + */ /* If, for whatever reason, there is no Certificate Authority pool loaded, we'll verify the subject name and then warn about thsi. */ if ( !ca ) { @@ -1684,27 +1686,31 @@ end_crt = g_list_last(chain)->data; - /* Attempt to look up the last certificate's issuer */ - ca_id = purple_certificate_get_issuer_unique_id(end_crt); + /* Attempt to look up the last certificate, and the last certificate's + * issuer. + */ + ca_id = purple_certificate_get_issuer_unique_id(end_crt); + ca2_id = purple_certificate_get_unique_id(end_crt); purple_debug_info("certificate/x509/tls_cached", "Checking for a CA with DN=%s\n", ca_id); - ca_crts = x509_ca_get_certs(ca_id); + purple_debug_info("certificate/x509/tls_cached", + "Also checking for a CA with DN=%s\n", + ca2_id); + ca_crts = g_slist_concat(x509_ca_get_certs(ca_id), x509_ca_get_certs(ca2_id)); + g_free(ca_id); + g_free(ca2_id); if ( NULL == ca_crts ) { flags |= PURPLE_CERTIFICATE_CA_UNKNOWN; purple_debug_warning("certificate/x509/tls_cached", - "Certificate Authority with DN='%s' not " - "found. I'll prompt the user, I guess.\n", - ca_id); - g_free(ca_id); + "No Certificate Authorities with either DN found " + "found. I'll prompt the user, I guess.\n"); x509_tls_cached_check_subject_name(vrq, flags); return; } - g_free(ca_id); - /* * Check the fingerprints; if they match, then this certificate *is* one * of the designated "trusted roots", and we don't need to verify the @@ -1714,10 +1720,6 @@ * * If the fingerprints don't match, we'll fall back to checking the * signature. - * - * GnuTLS doesn't seem to include the final root in the verification - * list, so this check will never succeed. NSS *does* include it in - * the list, so here we are. */ last_fpr = purple_certificate_get_fingerprint_sha1(end_crt); for (cur = ca_crts; cur; cur = cur->next) {