is_level_acceptable: apply the system-wide profile in all verifications
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 18 Dec 2019 13:04:35 +0000 (14:04 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Thu, 19 Dec 2019 19:12:58 +0000 (20:12 +0100)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
NEWS
lib/priority.c
lib/profiles.h
lib/x509/verify.c

diff --git a/NEWS b/NEWS
index cf9deaadbbc4a39ee827c69485b936c699f754ab..c9fcd6c2b790d7afcfd34d20e8a27c9bb6455336 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ See the end for copying conditions.
    enabled both on a server and a client. It is recommended for now to disable
    TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
 
+** libgnutls: The min-verification-profile from system configuration applies
+   for all certificate verifications, not only under TLS.
+
 ** API and ABI modifications:
 gnutls_ocsp_req_const_t: Added
 
index c1669220c6c7d5967ef02b4db135f77d235a3dce..822874a76fca805371a871fa12fd2d5687451733 100644 (file)
@@ -976,6 +976,11 @@ static time_t system_priority_last_mod = 0;
 #define OVERRIDES_SECTION "overrides"
 #define MAX_ALGO_NAME 128
 
+gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void)
+{
+       return system_wide_verification_profile;
+}
+
 /* removes spaces */
 static char *clear_spaces(const char *str, char out[MAX_ALGO_NAME])
 {
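Review bot: The new accessor `_gnutls_get_system_wide_verification_profile` is exported to other translation units without any comment on what it returns or when the value is meaningful, and it is the only non-static symbol in this stretch of the file. A header comment would pin the contract the caller in verify.c relies on, something like `/* Returns the min-verification-profile read from the system-wide configuration; appears to be GNUTLS_PROFILE_UNKNOWN (0) when none is configured, which callers test as a boolean — confirm against the loader. */`. Where `system_wide_verification_profile` is assigned is outside this hunk, so whether a reload of the configuration can change the value while a verification is in progress cannot be judged here; if it can, that too belongs in the comment.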
index a2aae2a687e2997a8f8d6fce2cc72fc696cfbf2e..d5c35d2f96734058ef142804d29cf4d908b650c2 100644 (file)
@@ -29,4 +29,6 @@
 gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) __GNUTLS_PURE__;
 gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) __GNUTLS_PURE__;
 
+gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void);
+
 #endif /* GNUTLS_LIB_PROFILES_H */
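Review bot: The prototype added on the new side is the only declaration in this header without `__GNUTLS_PURE__`, next to two siblings that carry it. The omission looks deliberate, since the function reads a value that the priority.c hunk places beside `system_priority_last_mod` and that presumably changes when the configuration is reloaded, but a reader comparing the three lines will be tempted to "fix" it. A one-line comment would settle it: `/* deliberately not __GNUTLS_PURE__: the value follows the system configuration and may change at runtime */`.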
index 8234702755d646a4304cea303dab1fc9e135d6ff..4ca04eb48d31c913203cf0eb4512b5d166dd95bd 100644 (file)
@@ -38,6 +38,7 @@
 #include <common.h>
 #include <pk.h>
 #include "supported_exts.h"
+#include "profiles.h"
 
 /* Checks if two certs have the same name and the same key.  Return 1 on match. 
  * If @is_ca is zero then this function is identical to gnutls_x509_crt_equals()
@@ -460,9 +461,20 @@ static unsigned is_level_acceptable(
        gnutls_pk_params_st params;
        gnutls_sec_param_t sp;
        int hash;
+       gnutls_certificate_verification_profiles_t min_profile;
 
-       if (profile == GNUTLS_PROFILE_UNKNOWN)
+       min_profile = _gnutls_get_system_wide_verification_profile();
+
+       if (min_profile) {
+               if (profile < min_profile) {
+                       gnutls_assert();
+                       profile = min_profile;
+               }
+       }
+
+       if (profile == GNUTLS_PROFILE_UNKNOWN) {
                return 1;
+       }
 
        pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
        if (pkalg < 0)
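Review bot: The override on the new side compares raw enum values (`if (profile < min_profile)`), which only means "weaker than" if gnutls_certificate_verification_profiles_t is numbered monotonically by strength; the Suite B profiles appear to be numbered apart from the generic VERY_WEAK..FUTURE sequence in the public header, so a Suite B system-wide profile would replace every generic request while a generic system-wide profile would never touch a Suite B request. If that is the intended semantics it deserves a comment at the override, e.g. `/* plain enum comparison: Suite B profiles sort above all generic ones, so a Suite B minimum always wins and is never lowered */`; otherwise comparing through `_gnutls_profile_to_sec_level()` (declared in profiles.h, now included here) while keeping the explicit GNUTLS_PROFILE_UNKNOWN case would express the intent more directly. The gnutls_assert() inside the override branch fires on every verification in which the configured minimum applies, which is an expected condition rather than a failure, so a debug-level log line or no trace at all may be more appropriate. is_level_acceptable starts before and continues after this hunk.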