Commit f55a9eda authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos

gnutls_x509_crt_get_key_usage: ensure that its returned value is properly handled

Reported by Yuan Jochen Kang.
parent 8b97662c
Pipeline #1657824 passed with stage
......@@ -361,7 +361,9 @@ gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key,
goto cleanup_crt;
}
gnutls_x509_crt_get_key_usage(xcrt, &key->key_usage, NULL);
ret = gnutls_x509_crt_get_key_usage(xcrt, &key->key_usage, NULL);
if (ret < 0)
key->key_usage = 0;
ret = 0;
cleanup_crt:
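Review bot: The added `if (ret < 0) key->key_usage = 0;` handles every failure of gnutls_x509_crt_get_key_usage() the same way, so a certificate whose keyUsage extension is present but cannot be decoded gets the same key_usage as one with no extension at all. The verify_crt and gnutls_x509_crl_verify hunks of this commit separate GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE from other errors and mark the certificate invalid for the latter. If a key_usage of 0 is read elsewhere as "no restriction" (not visible here), this path fails open. Consider `if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) key->key_usage = 0;` followed by `else if (ret < 0) { gnutls_assert(); goto cleanup_crt; }`. The function body starts before and continues after the hunk, so confirm that the cleanup_crt path returns the negative ret to the caller.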
......
......@@ -701,8 +701,11 @@ verify_crt(gnutls_x509_crt_t cert,
ret =
gnutls_x509_crt_get_key_usage(issuer, &usage, NULL);
if (ret >= 0) {
if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (ret < 0) {
gnutls_assert();
out |= GNUTLS_CERT_INVALID;
} else if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
gnutls_assert();
out |=
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
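Review bot: The new three-way branch on ret in verify_crt has no comment saying why GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is the only negative value that skips the check, and that is the security decision a later maintainer is most likely to undo by accident. I would add above the outer `if`: `/* no keyUsage extension: issuer is unconstrained; any other error means the extension could not be read, so fail closed */`. The same comment fits the parallel change in gnutls_x509_crl_verify. The hunk ends inside the `out |=` statement, so the rest of the branch is not visible here.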
......@@ -1461,8 +1464,12 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
result =
gnutls_x509_crt_get_key_usage(issuer, &usage, NULL);
if (result >= 0) {
if (!(usage & GNUTLS_KEY_CRL_SIGN)) {
if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (result < 0) {
gnutls_assert();
if (verify)
*verify |= GNUTLS_CERT_INVALID;
} else if (!(usage & GNUTLS_KEY_CRL_SIGN)) {
gnutls_assert();
if (verify)
*verify |=
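Review bot: In the new `result < 0` branch the failure is recorded only through `if (verify) *verify |= GNUTLS_CERT_INVALID;`, so when the caller passes a NULL verify pointer an undecodable keyUsage on the issuer leaves no trace beyond gnutls_assert(). Unless code after the hunk turns this into an error return (the function continues outside the visible lines), the CRL would then be processed as if the check had passed. Consider returning the error when verify is NULL, for example `if (verify) *verify |= GNUTLS_CERT_INVALID; else return result;`. Alternatively, document on the function that a NULL verify disables the issuer usage check.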
......