
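--- a/strongswan-2.1.1/programs/pluto/x509.c
+++ b/strongswan-2.1.1/programs/pluto/x509.c
@@ -1850,8 +1850,10 @@
 bool
 verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 {
+    int pathlen;
+
     *until = cert->notAfter;
-    for (;;)
+    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
     {
 	x509cert_t *issuer_cert;
 	u_char buf[BUF_LEN];
@@ -1909,7 +1911,7 @@
 	)
 	unlock_authcert_list("verify_x509cert");
-	/* check if cert is self-signed */
-	if (same_dn(cert->issuer, cert->subject))
+	/* check if cert is a self-signed root ca */
+	if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
 	{
 	    DBG(DBG_CONTROL,
 		DBG_log("reached self-signed root ca")
@@ -1928,5 +1930,7 @@
 	/* go up one step in the trust chain */
 	cert = issuer_cert;
     }
+    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+    return FALSE;
 }
 /*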
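Review bot: The new `if (pathlen > 0 && same_dn(cert->issuer, cert->subject))` test carries the whole security point of this patch, yet the comment above it only says "check if cert is a self-signed root ca" and never says why pathlen 0 is excluded. A self-signed certificate supplied by the peer sits at pathlen 0 and must not be accepted as its own trust anchor; it only counts as the root once it has been reached through an issuer lookup, which presumably happens in the part of the loop body that lies between the first two hunks and is not visible here. I would replace that comment with `/* a self-signed cert is a trust anchor only when reached via an issuer lookup (pathlen > 0); a peer-supplied self-signed cert at pathlen 0 must still chain up to a trusted CA */`. The definition of MAX_CA_PATH_LEN is also outside this view, so the bound itself cannot be reviewed from this hunk.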
(-)freeswan-1.99-0.9.39/pluto/x509.c (-10 / +26 lines)
Lines 2210-2224 Link Here
2210
 bool
2210
 bool
2211
 verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
2211
 verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
2212
 {
2212
 {
2213
    u_char buf[BUF_LEN];
2213
    int pathlen;
2214
    x509cert_t *issuer_cert;
2215
    x509crl_t  *crl;
2216
    bool rootCA;
2217
     *until = cert->notAfter;
2214
     *until = cert->notAfter;
2218
    do
2215
    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
2219
     {
2216
     {
2217
	u_char buf[BUF_LEN];
2218
	x509cert_t *issuer_cert;
2219
	x509crl_t  *crl;
2220
2220
 	DBG(DBG_PARSING,
2221
 	DBG(DBG_PARSING,
2221
 	    dntoa(buf, BUF_LEN, cert->subject);
2222
 	    dntoa(buf, BUF_LEN, cert->subject);
2222
 	    DBG_log("Subject: '%s'",buf);
2223
 	    DBG_log("Subject: '%s'",buf);
Lines 2290-2302 Link Here
2290
 		log("CRL signature is invalid");
2291
 		log("CRL signature is invalid");
2291
 	    }
2292
 	    }
2292
 	}
2293
 	}
2293
	/* check if cert is self-signed */
2294
2294
	rootCA = same_dn(cert->issuer, cert->subject);
2295
	/* check if cert is a self-signed root ca */
2295
        /* otherwise go up one step in the trust chain */
2296
	if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
2297
	{
2298
	    DBG(DBG_CONTROL,
2299
		DBG_log("reached self-signed root ca")
2300
	    )
2301
	    return TRUE;
2302
	}
2296
 	cert = issuer_cert;
2303
 	cert = issuer_cert;
2297
     }
2304
     }
2298
    while (!rootCA);
2305
    log("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
2299
    return TRUE;
2306
    return FALSE;
2300
 }
2307
 }
2301
 /*
2308
 /*
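Review bot: On the new side `x509cert_t *issuer_cert;` is declared uninitialised at the top of the loop body and then consumed unconditionally by `cert = issuer_cert;` at the end of each iteration, while the code that assigns it lies between the two hunks and cannot be checked from here. Initialising it, `x509cert_t *issuer_cert = NULL;`, makes a missed assignment on some fall-through path fail deterministically on the next iteration instead of silently walking a stale pointer. As in the strongswan variant, the `pathlen > 0` guard deserves a comment stating that a peer-supplied self-signed certificate at pathlen 0 is deliberately not accepted as its own trust anchor and must still chain up to a trusted CA. The loop body between the hunks is outside this view.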
2309
I have applied this to the SUSE FreeSWAN2 package.
2310
Is it the final version of the fix?
2311
2312
As this problem has been posted to the list, I assume it's public, so we
2313
can release updated packages?
2314
2315
Any news on the patch for x509-0.9.x (freeswan-1.9x)?
2316
2317
Thanks
