** libgnutls: gnutls_x509_crl_verify() includes the time
checks.
+** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
+and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
+
** gnutls-cli: Added --local-dns option.
** danetool: Corrected bug that prevented loading PEM files.
** API and ABI modifications:
gnutls_session_get_id2: Added
-gnutls_certificate_update_verify_flags: Added
gnutls_certificate_verify_peers3: Added
gnutls_certificate_verification_status_print: Added
gnutls_srtp_set_profile: Added
GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
GNUTLS_CERT_UNEXPECTED_OWNER: Added
+GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added
* Version 3.1.3 (released 2012-10-12)
}
(*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
(*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
- (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
return 0;
}
res->verify_flags = flags;
}
-/**
- * gnutls_certificate_update_verify_flags:
- * @res: is a gnutls_certificate_credentials_t structure
- * @flags: are the new flags
- *
- * This function will update the default flags to be used for verification
- * of certificates. The provided flags must be an OR of the
- * #gnutls_certificate_verify_flags enumerations. The default
- * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
- *
- * Since: 3.1.4
- **/
-void
-gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
- res, unsigned int flags)
-{
- res->verify_flags |= flags;
-}
-
/**
* gnutls_certificate_set_verify_limits:
* @res: is a gnutls_certificate_credentials structure
gnutls_dh_params_t dh_params);
void gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
res, unsigned int flags);
- void gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
- res, unsigned int flags);
void gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t
res, unsigned int max_bits,
unsigned int max_depth);
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
* @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
- * if unsorted (the case with many TLS servers out there).
+ * if unsorted (the case with many TLS servers out there). This is the
+ * default since GnuTLS 3.1.4.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
+ * certificate chain.
* @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
* have version 1 (both root and intermediate). This might be
* dangerous since those haven't the basicConstraints
*/
typedef enum gnutls_certificate_verify_flags
{
- GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
- GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
- GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
- GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
- GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
- GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
- GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
+ GNUTLS_VERIFY_DISABLE_CA_SIGN = 1<<0,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 1<<1,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1<<2,
+ GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1<<3,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1<<4,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 1<<5,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 1<<6,
+ GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 1<<7,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1<<8,
+ GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 1<<9,
+ GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1<<10,
+ GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1<<11,
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN))
cert_list = sort_clist(sorted, cert_list, &cert_list_size);
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
+ unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
*/
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, not_flags, &status, NULL);
if (ret < 0 || status == 0)
{
fail("gnutls_x509_trust_list_verify_crt - 5\n");