From: Nikos Mavrogiannopoulos Date: Sun, 16 Sep 2012 21:02:35 +0000 (+0200) Subject: Added verification flags GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, which is enabled by... X-Git-Tag: gnutls_3_1_2~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de90e7f1e82925e11486bf791086145ccd6801d4;p=thirdparty%2Fgnutls.git Added verification flags GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, which is enabled by default for verifying TLS sessions. --- diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 605b7d8a2a..76c5e047e3 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -231,6 +231,7 @@ int ret; } (*res)->verify_bits = DEFAULT_VERIFY_BITS; (*res)->verify_depth = DEFAULT_VERIFY_DEPTH; + (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN; return 0; } diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 608462b869..7775f59700 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -659,7 +659,8 @@ gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res, * * This function will set the flags to be used at verification of the * certificates. Flags must be OR of the - * #gnutls_certificate_verify_flags enumerations. + * #gnutls_certificate_verify_flags enumerations. The default + * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. * **/ void diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 6c06cd04b2..8ca2e1b64a 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -601,6 +601,8 @@ extern "C" * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by * anyone trusted but exists in the trusted CA list do not treat it * as trusted. + * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated + * if unsorted (the case with many TLS servers out there). * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that * have version 1 (both root and intermediate). This might be * dangerous since those haven't the basicConstraints @@ -630,6 +632,7 @@ extern "C" GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128, GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256, GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512, + GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024, } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index d8addbaeb3..05fb771efa 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -553,7 +553,8 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, if (cert_list == NULL || cert_list_size < 1) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - cert_list = sort_clist(sorted, cert_list, &cert_list_size); + if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN) + cert_list = sort_clist(sorted, cert_list, &cert_list_size); cert_list_size = shorten_clist(list, cert_list, cert_list_size); if (cert_list_size <= 0) diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c index 336cef2f7a..716fbd20db 100644 --- a/tests/chainverify-unsorted.c +++ b/tests/chainverify-unsorted.c @@ -613,7 +613,7 @@ doit (void) gnutls_x509_crt_t *crts; unsigned int crts_size, i; gnutls_x509_trust_list_t tl; - unsigned int status; + unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN; /* this must be called once in the program */ @@ -644,7 +644,7 @@ doit (void) exit(1); } - ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL); + ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL); if (ret < 0 || status != 0) { fail("gnutls_x509_trust_list_verify_crt - 1\n"); @@ -665,10 +665,10 @@ doit (void) exit(1); } - ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL); + ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL); if (ret < 0 || status != 0) { - fail("gnutls_x509_trust_list_verify_crt - 1\n"); + fail("gnutls_x509_trust_list_verify_crt - 2\n"); exit(1); } @@ -686,10 +686,10 @@ doit (void) exit(1); } - ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL); + ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL); if (ret < 0 || status != 0) { - fail("gnutls_x509_trust_list_verify_crt - 1\n"); + fail("gnutls_x509_trust_list_verify_crt - 3\n"); exit(1); } @@ -707,10 +707,31 @@ doit (void) exit(1); } - ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL); + ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL); if (ret < 0 || status != 0) { - fail("gnutls_x509_trust_list_verify_crt - 1\n"); + fail("gnutls_x509_trust_list_verify_crt - 4\n"); + exit(1); + } + + for (i=0;i