diff -Nru glib-networking-2.32.1/debian/changelog glib-networking-2.32.1/debian/changelog
--- glib-networking-2.32.1/debian/changelog 2012-04-24 08:40:24.000000000 +0000
+++ glib-networking-2.32.1/debian/changelog 2012-08-10 11:04:48.000000000 +0000
@@ -1,3 +1,13 @@
+glib-networking (2.32.1-1ubuntu2) precise-proposed; urgency=low
+
+ * debian/patches/gnutls-Try-to-find-root-certificates-locally-if-no.patch:
+ - If a server erroneously sends us a root certificate, and it
+ is not anchored, then try to lookup a certificate for the same
+ issuer in the database (LP: #1033516)
+ Thanks to Stef Walter
+
+ -- Michael Vogt Fri, 10 Aug 2012 12:55:58 +0200
+
 glib-networking (2.32.1-1ubuntu1) precise-proposed; urgency=low
 
 * debian/patches/fix-file-scheme-pacfiles.patch:
diff -Nru glib-networking-2.32.1/debian/patches/gnutls-Try-to-find-root-certificates-locally-if-no.patch glib-networking-2.32.1/debian/patches/gnutls-Try-to-find-root-certificates-locally-if-no.patch
--- glib-networking-2.32.1/debian/patches/gnutls-Try-to-find-root-certificates-locally-if-no.patch 1970-01-01 00:00:00.000000000 +0000
+++ glib-networking-2.32.1/debian/patches/gnutls-Try-to-find-root-certificates-locally-if-no.patch 2012-08-10 11:04:10.000000000 +0000
@@ -0,0 +1,109 @@
+From 1394f87c0a964279a5a5b31f2109627663e52a59 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Wed, 8 Aug 2012 06:52:12 +0200
+Subject: [PATCH] gnutls: Try to find root certificates locally if not
+ anchored
+
+ * If a server erroneously sends us a root certificate, and it
+ is not anchored, then try to lookup a certificate for the same
+ issuer in the database.
+ * Add a test for this case.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681299
+---
+ tls/gnutls/gtlsdatabase-gnutls.c | 41 ++++++++++-
+ tls/tests/file-database.c | 105 ++++++++++++++++++++++++++++
+ tls/tests/files/ca-verisign-sha1.pem | 48 +++++++++++++
+ tls/tests/files/chain-with-verisign-md2.pem | 81 +++++++++++++++++++++
+ 4 files changed, 272 insertions(+), 3 deletions(-)
+ create mode 100644 tls/tests/files/ca-verisign-sha1.pem
+ create mode 100644 tls/tests/files/chain-with-verisign-md2.pem
+
+diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
+index c06c5d0..5ea7b24 100644
+--- a/tls/gnutls/gtlsdatabase-gnutls.c
++++ b/tls/gnutls/gtlsdatabase-gnutls.c
+@@ -66,7 +66,9 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
+ {
+ 
+ GTlsCertificateGnutls *certificate;
++ GTlsCertificateGnutls *previous;
+ GTlsCertificate *issuer;
++ gboolean certificate_is_from_db;
+ 
+ g_assert (anchor);
+ g_assert (chain);
+@@ -81,7 +83,9 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
+ */
+ 
+ *anchor = NULL;
++ previous = NULL;
+ certificate = chain;
++ certificate_is_from_db = FALSE;
+ 
+ /* First check for pinned certificate */
+ if (g_tls_database_gnutls_lookup_assertion (self, certificate,
+@@ -118,15 +122,45 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
+ /* Is it self-signed? */
+ if (is_self_signed (certificate))
+ {
++ /*
++ * Since at this point we would fail with 'self-signed', can we replace
++ * this certificate with one from the database and do better?
++ */
++ if (previous && !certificate_is_from_db)
++ {
++ issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self),
++ G_TLS_CERTIFICATE (previous),
++ interaction,
++ G_TLS_DATABASE_LOOKUP_NONE,
++ cancellable, error);
++ if (*error)
++ {
++ return STATUS_FAILURE;
++ }
++ else if (issuer)
++ {
++ /* Replaced with certificate in the db, restart step again with this certificate */
++ g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
++ g_tls_certificate_gnutls_set_issuer (previous, G_TLS_CERTIFICATE_GNUTLS (issuer));
++ certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
++ certificate_is_from_db = TRUE;
++ continue;
++ }
++ }
++
+ g_tls_certificate_gnutls_set_issuer (certificate, NULL);
+ return STATUS_SELFSIGNED;
+ }
+ 
++ previous = certificate;
++
+ /* Bring over the next certificate in the chain */
+ issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate));
+ if (issuer)
+ {
+ g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
++ certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
++ certificate_is_from_db = FALSE;
+ }
+ 
+ /* Search for the next certificate in chain */
+@@ -141,13 +175,14 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
+ return STATUS_FAILURE;
+ else if (!issuer)
+ return STATUS_INCOMPLETE;
++
++ /* Found a certificate in chain, use for next step */
+ g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
+ g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer));
++ certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
++ certificate_is_from_db = TRUE;
+ g_object_unref (issuer);
+ }
+-
+- g_assert (issuer);
+- certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
+ }
+ 
+ g_assert_not_reached ();
diff -Nru glib-networking-2.32.1/debian/patches/series glib-networking-2.32.1/debian/patches/series
--- glib-networking-2.32.1/debian/patches/series 2012-04-24 08:40:24.000000000 +0000
+++ 
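Review bot: The issuer returned by g_tls_database_lookup_certificate_issuer() in the new self-signed branch is never released: after `g_tls_certificate_gnutls_set_issuer (previous, G_TLS_CERTIFICATE_GNUTLS (issuer));` the code sets `certificate_is_from_db = TRUE;` and continues, whereas the last hunk of the same function follows its own set_issuer call with `g_object_unref (issuer);`, so the substitution path appears to leak one reference per replaced root certificate. Inserting `g_object_unref (issuer);` between `certificate_is_from_db = TRUE;` and `continue;` would keep the two lookup paths consistent, on the assumption (implied by the existing unref) that set_issuer takes its own reference. The new comment could also state why the substitution is attempted at most once, e.g. `/* Only a chain-supplied certificate is replaced; a database certificate that is itself self-signed and unanchored falls through to STATUS_SELFSIGNED, which keeps the loop bounded. */`. build_certificate_chain's loop header, the lookup whose result is checked at `return STATUS_FAILURE;` in the last hunk, and the end of the function all lie outside this hunk.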
glib-networking-2.32.1/debian/patches/series 2012-08-10 11:01:20.000000000 +0000
@@ -1 +1,2 @@
 fix-file-scheme-pacfiles.patch
+gnutls-Try-to-find-root-certificates-locally-if-no.patch
\ No newline at end of file