author | Nikos <nmav@crystal.(none)> | 2008-02-17 16:07:42 +0200 |
committer | Nikos <nmav@crystal.(none)> | 2008-02-17 16:07:42 +0200 |
commit | f2c808eba80f47390ca2b401d5ffb5ea3a8c2d2c (patch) | |
tree | 289b4e140c04d7535a597bfc2082db50a5e7da8a | |
parent | 66517fd0db7930dda583390df4cbd5941d25fe4b (diff) | |
Increased the default certificate verification chain limits and allowed
the limit checks to be disabled (a limit of zero now means unlimited).
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 1 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 4 |
4 files changed, 8 insertions, 4 deletions
@@ -11,6 +11,9 @@ Thanks to Laurence Withers <l@lwithers.me.uk>.
 ** Corrected memory leaks in session resuming and DHE ciphersuites. Reported by Daniel Stenberg.
+** Increased the default certificate verification chain limits and allowed
+for checks without limitation.
+
 ** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name() and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary strings and return the proper size.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index d8d94c706d..9194a4ff27 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -99,8 +99,8 @@
 /* defaults for verification functions */
-#define DEFAULT_VERIFY_DEPTH 6
-#define DEFAULT_VERIFY_BITS 8200
+#define DEFAULT_VERIFY_DEPTH 32
+#define DEFAULT_VERIFY_BITS 16*1024
 #include <gnutls_mem.h>
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index eea8b2f892..4ca006371e 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -622,6 +622,7 @@ gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
 *
 * This function will set some upper limits for the default verification function,
 * gnutls_certificate_verify_peers2(), to avoid denial of service attacks.
+ * You can set them to zero to disable limits.
 *
 **/
 void
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index e9005a9515..39c47536c2 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -70,7 +70,7 @@ check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
 return ret;
 }
- if (bits > max_bits)
+ if (bits > max_bits && max_bits > 0)
 {
 gnutls_assert ();
 return GNUTLS_E_CONSTRAINT_ERROR;
@@ -125,7 +125,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 if (info->raw_certificate_list == NULL || info->ncerts == 0)
 return GNUTLS_E_NO_CERTIFICATE_FOUND;
- if (info->ncerts > cred->verify_depth)
+ if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
 {
 gnutls_assert ();
 return GNUTLS_E_CONSTRAINT_ERROR;
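Review bot: The new `DEFAULT_VERIFY_BITS` expansion `16*1024` in lib/gnutls_int.h is unparenthesized, so any use of the macro inside a larger expression (a division or a cast to its left, for instance) regroups around the `*`; the previous value `8200` was a single token and had no such hazard. Change it to `#define DEFAULT_VERIFY_BITS (16*1024)` or simply write `16384`. The raised defaults (depth 6 to 32, key size 8200 to 16384 bits) still bound what a peer can make the verifier process, which is the point of having them; a one-line comment saying that these presumably apply when the application sets no limits of its own would help, since the surrounding lines are outside this hunk and the only context is the comment `/* defaults for verification functions */`.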
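Review bot: The added sentence in the lib/gnutls_ui.c doc block states the zero sentinel but not its cost: the sentence just before it says the limits exist to avoid denial of service, so setting zero silently reopens exactly that exposure and a reader skimming the block gets no warning. I would replace the line with `* A limit of zero disables that check entirely; use this only when the application bounds chain length and key size itself, because these limits are the protection against a peer-supplied chain exhausting CPU or memory.` The function whose parameters these are begins after `void`, past the end of the hunk, so I cannot see which parameter maps to which limit; its parameter documentation should name the zero behaviour for each one.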
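Review bot: In `check_bits` the zero-means-unlimited convention is now encoded in the condition with no comment, and because `max_bits > 0` is evaluated second the reader first sees a bounds check and only then learns it may be void. Reorder and annotate: `/* max_bits == 0 means no key-size limit (see the limits setter documented in lib/gnutls_ui.c) */` followed by `if (max_bits > 0 && bits > max_bits)`. `bits` appears to be derived from `crt`, i.e. from the certificate the peer supplied, so with the limit disabled an arbitrarily large public key reaches whatever verification follows; that is the commit's intent, but it deserves stating at the check rather than only in the public doc comment. check_bits begins before the hunk and its return path after the shown lines is not visible.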
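Review bot: `info->ncerts` is the only peer-controlled quantity this guard bounds, and with `cred->verify_depth == 0` `_gnutls_x509_cert_verify_peers` now proceeds with however many certificates the peer sent; nothing in the hunk caps that elsewhere, so the comparison deserves a comment rather than a bare condition: `/* verify_depth == 0 disables the chain-length limit; the peer then controls how many certificates are processed below */`. I would also mirror the ordering `if (cred->verify_depth > 0 && info->ncerts > cred->verify_depth)` so the sentinel is visible first and matches the key-size check in check_bits. The body of _gnutls_x509_cert_verify_peers continues past the hunk, and the types of `ncerts` and `verify_depth` are not visible here; if either is signed, the `> 0` test also suppresses the check for negative values, which may or may not be intended and is worth confirming against the struct definitions.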