
Ticket #369: verify-minor-change.diff

File verify-minor-change.diff, 1.3 KB (added by AopicieR, at 2012-01-01T16:19:36Z)

Some small changes: Currently we set GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, but only because I had copied the example code from an old version of the GnuTLS documentation. The current version of the documentation does not set this anymore, and doing an apt-cache rdepends libgnutls26 and a bit of browsing through the source code of some of the results suggests that the only people who set this flag are the ones who have also based their code on the example code from the documentation ... Secondly, the comment which the patch removes is a blunt lie; I must have been asleep while writing it. We do want this check. Thirdly, we need to include bitlbee.h in ssl_openssl.c to get global.conf->cafile, which is used to determine if verification was enabled.

  • lib/ssl_gnutls.c

    === modified file 'lib/ssl_gnutls.c'
     
    7676        gnutls_global_init();
    7777        gnutls_certificate_allocate_credentials( &xcred );
    7878        if( global.conf->cafile )
    79         {
    8079                gnutls_certificate_set_x509_trust_file( xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
    81                 /* TODO: Do we want/need this? */
    82                 gnutls_certificate_set_verify_flags( xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
    83         }
     80
    8481        initialized = TRUE;
    8582       
    8683        atexit( ssl_deinit );
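Review bot: Dropping GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is the right call, since X.509v1 certificates carry no basicConstraints and accepting them as CAs lets any v1 leaf act as an issuer; the one thing this hunk leaves unchecked is the return value of gnutls_certificate_set_x509_trust_file(), which reports how many trust anchors were loaded (negative on error). With a bad or empty cafile the later verify_peers2 call will fail closed on every connection with no hint why, so consider logging when the call returns <= 0, e.g. `if( gnutls_certificate_set_x509_trust_file( ... ) <= 0 ) log_message( LOGLVL_WARNING, "No trusted CA certificates loaded from %s", global.conf->cafile );` (log_message is BitlBee's existing logging helper; adapt the name if it differs).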
     
    190187                verifyret |= VERIFY_CERT_EXPIRED;
    191188#endif
    192189
    193         /* The following check is already performed inside
    194          * gnutls_certificate_verify_peers2, so we don't need it.
    195 
    196          * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
    197          * return GNUTLS_E_CERTIFICATE_ERROR;
    198          */
    199 
    200         if( gnutls_x509_crt_init( &cert ) < 0 )
     190        if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 || gnutls_x509_crt_init( &cert ) < 0 )
    201191                return VERIFY_CERT_ERROR;
    202192
    203193        cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
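Review bot: Folding the certificate-type check into the same `||` as gnutls_x509_crt_init() means that on the non-X.509 branch `cert` is never initialised, so make sure the early `return VERIFY_CERT_ERROR;` does not reach a shared cleanup path that calls gnutls_x509_crt_deinit( cert ) on the uninitialised handle; the visible lines return directly, which is fine, but a short comment saying why the type check is needed (the code below parses the peer certificate as X.509 regardless of what verify_peers2 checked) would stop the next reader from "simplifying" it away again as the removed comment did.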
  • lib/ssl_openssl.c

    === modified file 'lib/ssl_openssl.c'
     
    3030#include <openssl/ssl.h>
    3131#include <openssl/err.h>
    3232
     33#include "bitlbee.h"
    3334#include "proxy.h"
    3435#include "ssl_client.h"
    3536#include "sock.h"
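Review bot: This hunk only adds the include; the diff shows no new reference to global.conf->cafile in ssl_openssl.c, so please confirm the existing code that reads it (or add the use in the same patch), otherwise the include looks unused and is likely to be removed in a later cleanup. Putting "bitlbee.h" ahead of the other local headers is consistent with the rest of the tree, so no change needed there.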