pidgin: 0be86888: NSS will not return invalid or irrelevan...

nosnilmot at pidgin.im nosnilmot at pidgin.im
Mon Nov 22 21:01:02 EST 2010


----------------------------------------------------------------------
Revision: 0be86888d82fc0d9bd61c1426b73e52196b35817
Parent:   6e8da78b6e5ccdafa85c8afebff37e426d9a58d3
Author:   nosnilmot at pidgin.im
Date:     11/22/10 20:50:30
Branch:   im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/0be86888d82fc0d9bd61c1426b73e52196b35817

Changelog: 

NSS will not return invalid or irrelevant intermediate certificates
that the server presented as part of the certificate chain. GnuTLS,
however, will return them, which breaks our certificate validation
when the server is mis-configured.

This fixes our GnuTLS SSL plugin to discard any certificate (and
subsequent certs) in the chain if it did not sign the previous
certificate. This allows GnuTLS users to connect to
omega.contacts.msn.com while it is still misconfigured.

Changes against parent 6e8da78b6e5ccdafa85c8afebff37e426d9a58d3

  patched  libpurple/plugins/ssl/ssl-gnutls.c

-------------- next part --------------
============================================================
--- libpurple/plugins/ssl/ssl-gnutls.c	2f98ac68d428449b43bc257c77a9fa96b1f1cf3b
+++ libpurple/plugins/ssl/ssl-gnutls.c	1da6bdaf868c12329feac7b2dd7141f296a984ea
@@ -520,11 +520,18 @@ x509_import_from_datum(const gnutls_datu
 /* Forward declarations are fun! */
 static PurpleCertificate *
 x509_import_from_datum(const gnutls_datum dt, gnutls_x509_crt_fmt mode);
+/* indeed! */
+static gboolean
+x509_certificate_signed_by(PurpleCertificate * crt,
+			   PurpleCertificate * issuer);
+static void
+x509_destroy_certificate(PurpleCertificate * crt);
 
 static GList *
 ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc)
 {
 	PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
+	PurpleCertificate *prvcrt = NULL;
 
 	/* List of Certificate instances to return */
 	GList * peer_certs = NULL;
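Review bot: The new `prvcrt` local is an alias to the entry most recently appended to `peer_certs`, not a separately owned reference, and nothing at its declaration says so; a later reader could easily add a destroy call for it on an error path. I would replace the bare `PurpleCertificate *prvcrt = NULL;` with `PurpleCertificate *prvcrt = NULL; /* last cert appended to peer_certs; owned by that list, never freed here */`. The `/* indeed! */` above the new forward declarations carries no information and could name why they are needed, e.g. `/* needed by ssl_gnutls_get_peer_certificates below to prune a broken chain */`. The body of ssl_gnutls_get_peer_certificates continues past the end of this hunk.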
@@ -550,7 +557,17 @@ ssl_gnutls_get_peer_certificates(PurpleS
 		/* Append is somewhat inefficient on linked lists, but is easy
 		   to read. If someone complains, I'll change it.
 		   TODO: Is anyone complaining? (Maybe elb?) */
-		peer_certs = g_list_append(peer_certs, newcrt);
+		/* only append if previous cert was actually signed by this one.
+		 * Thanks Microsoft. */
+		if ((prvcrt == NULL) || x509_certificate_signed_by(prvcrt, newcrt)) {
+			peer_certs = g_list_append(peer_certs, newcrt);
+			prvcrt = newcrt;
+		} else {
+			x509_destroy_certificate(newcrt);
+			purple_debug_error("gnutls", "Dropping further peer certificates "
+			                             "because the chain is broken!\n");
+			break;
+		}
 	}
 
 	/* cert_list doesn't need free()-ing */
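Review bot: The `break` in the new else branch stops at the first certificate that did not sign the previously appended one, so a chain that is complete but sent out of order (for example leaf, root, intermediate) is now truncated to the leaf alone rather than being reassembled; the commit appears to accept that trade-off for strictly ordered chains, but the comment should state it so the behaviour is not mistaken for a bug later. I would extend the comment to `/* only append if previous cert was actually signed by this one; the chain is assumed to be in issuing order, so the first gap truncates everything after it. Thanks Microsoft. */`. The debug message does not say which position in the chain broke, which is the one detail needed to diagnose a misconfigured server; logging the loop index and the number of certificates kept there would help, assuming the index variable is available at that point in the loop. The `x509_destroy_certificate(newcrt)` call correctly releases the rejected certificate, and since only the current element is dropped before the `break`, the unvisited entries of `cert_list` are covered by the existing note that it needs no freeing. The enclosing function continues outside this hunk.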

