]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
libgnutls: Add new priority strings for allowing RSA-MD5 and V1-CA.
authorSimon Josefsson <simon@josefsson.org>
Wed, 11 Feb 2009 16:07:30 +0000 (17:07 +0100)
committerSimon Josefsson <simon@josefsson.org>
Wed, 11 Feb 2009 16:07:30 +0000 (17:07 +0100)
NEWS
lib/gnutls_int.h
lib/gnutls_priority.c
lib/gnutls_x509.c

diff --git a/NEWS b/NEWS
index 2f9302449cf12eaa98abbdf89b81c12bd6e1386f..480af7a8c3a791e2f2e87f97840fc4805ee78f3f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,13 @@ The tool now uses libgnutls' functions to print certificate
 information.  This avoids code duplication.
 
 ** gnutls-cli: No longer accepts V1 CAs by default.
+Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
+be used for chain verification.
+
+** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
+** and %VERIFY_ALLOW_X509_V1_CA_CRT.
+They can be used to override the default certificate chain validation
+behaviour.
 
 ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
 
index 1146bcc04f54a7d4b951bb184c02cf5e0ec2f2ec..4c61fdba92db3959dbd631463fb10f3d94d85322 100644 (file)
@@ -412,6 +412,7 @@ struct gnutls_priority_st
 
   /* to disable record padding */
   int no_padding;
+  int additional_verify_flags;
 };
 
 
index 994beeba6ef94395afa6fa7a33f3ef3a32aec96b..f160eef391c7b89e46727980904b326ae3020c3a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -472,6 +472,9 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
   * '!' or '-' appended with an algorithm will remove this algorithm.
   * '+' appended with an algorithm will add this algorithm.
   * '%COMPAT' will enable compatibility features for a server.
+  * '%VERIFY_ALLOW_SIGN_RSA_MD5' will allow RSA-MD5 signatures in
+  * certificate chains.
+  * '%VERIFY_ALLOW_X509_V1_CA_CRT' will allow V1 CAs in chains.
   *
   * To avoid collisions in order to specify a compression algorithm in
   * this string you have to prefix it with "COMP-", protocol versions
@@ -623,6 +626,14 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
        {
          if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
            (*priority_cache)->no_padding = 1;
+         else if (strcasecmp (&broken_list[i][1],
+                              "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
+           (*priority_cache)->additional_verify_flags |=
+             GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
+         else if (strcasecmp (&broken_list[i][1],
+                              "VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
+           (*priority_cache)->additional_verify_flags |=
+             GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
          else
            goto error;
        }
index d9e6b64be1f8aed551fbfebd4a8ccb4336ad7616..6b3c76bc2b8ea743e8082d2865b41f5d303c248e 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -171,12 +171,12 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 
   /* Verify certificate 
    */
-  ret =
-    gnutls_x509_crt_list_verify (peer_certificate_list,
-                                peer_certificate_list_size,
-                                cred->x509_ca_list, cred->x509_ncas,
-                                cred->x509_crl_list, cred->x509_ncrls,
-                                cred->verify_flags, status);
+  ret = gnutls_x509_crt_list_verify (peer_certificate_list,
+                                    peer_certificate_list_size,
+                                    cred->x509_ca_list, cred->x509_ncas,
+                                    cred->x509_crl_list, cred->x509_ncrls,
+                                    cred->verify_flags | session->internals.priorities.additional_verify_flags,
+                                    status);
 
   CLEAR_CERTS;