author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-09-16 23:02:35 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-09-18 21:45:28 +0200 |
commit | 22288ba7f1439caf5cdadfe0f0220a1d5a59ed42 (patch) | |
tree | 591ad0b5516a6a2ed33d782f4197e78169e6846b | |
parent | 1c2115dad9f9b1907a3968c34e8ad134bca2ef00 (diff) | |
Added verification flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, which is enabled by default when verifying TLS sessions.
-rw-r--r-- | lib/gnutls_cert.c | 1 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 3 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 3 | ||||
-rw-r--r-- | lib/x509/verify-high.c | 3 | ||||
-rw-r--r-- | tests/chainverify-unsorted.c | 37 |
5 files changed, 37 insertions, 10 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index ac25051999..357569f0e4 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -231,6 +231,7 @@ int ret;
 }
 (*res)->verify_bits = DEFAULT_VERIFY_BITS;
 (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
+ (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 return 0;
 }
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 6221b5e848..320b1ff887 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -658,7 +658,8 @@ gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res,
 *
 * This function will set the flags to be used at verification of the
 * certificates. Flags must be OR of the
- * #gnutls_certificate_verify_flags enumerations.
+ * #gnutls_certificate_verify_flags enumerations. The default
+ * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
 *
 **/
 void
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 859966b8d2..52adb7e5cf 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -598,6 +598,8 @@ extern "C"
 * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
 * anyone trusted but exists in the trusted CA list do not treat it
 * as trusted.
+ * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
+ * if unsorted (the case with many TLS servers out there).
 * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
 * have version 1 (both root and intermediate). This might be
 * dangerous since those haven't the basicConstraints
@@ -627,6 +629,7 @@ extern "C"
 GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
 GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
 GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
+ GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
 } gnutls_certificate_verify_flags;
 int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 094fee8b8b..72070b9ec1 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
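Review bot: The default written to `(*res)->verify_flags` in gnutls_certificate_allocate_credentials is only a default at allocation time, and the updated doc comment on gnutls_certificate_set_verify_flags in lib/gnutls_ui.c does not say what happens to it when an application later sets its own flags. If that setter assigns the caller's value outright (its body is outside the hunk, so this is inferred), any application that already calls it with, say, `GNUTLS_VERIFY_DISABLE_CRL_CHECKS` silently loses the unsorted-chain tolerance and may start rejecting servers it accepted before this commit. The doc comment should say so explicitly, e.g. ` * Calling this function replaces the default flags; applications that want to keep accepting unsorted chains must OR in GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN themselves.` The same caveat belongs in the NEWS entry for this change.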
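Review bot: The new enum doc for GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN in lib/includes/gnutls/x509.h describes only the permissive case and not the strict one, which is the behaviour change this commit introduces: lib/x509/verify-high.c now skips sort_clist() when the flag is absent, and the new test case "- 5" in tests/chainverify-unsorted.c expects a non-zero status for an unsorted chain verified with flags 0. Existing direct callers of gnutls_x509_trust_list_verify_crt that pass 0 and relied on the previously unconditional sorting will therefore see verification failures after upgrading. I would extend the comment to ` * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated if unsorted (the case with many TLS servers out there). Without this flag the chain must start with the end-entity certificate and each certificate must be followed by its issuer, otherwise verification fails.` The doc comment of gnutls_x509_trust_list_verify_crt itself (above its hunk in verify-high.c) needs the same sentence.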
@@ -559,7 +559,8 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 if (cert_list == NULL || cert_list_size < 1)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- cert_list = sort_clist(sorted, cert_list, &cert_list_size);
+ if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+ cert_list = sort_clist(sorted, cert_list, &cert_list_size);
 cert_list_size = shorten_clist(list, cert_list, cert_list_size);
 if (cert_list_size <= 0)
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 336cef2f7a..716fbd20db 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -613,7 +613,7 @@ doit (void)
 gnutls_x509_crt_t *crts;
 unsigned int crts_size, i;
 gnutls_x509_trust_list_t tl;
- unsigned int status;
+ unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 /* this must be called once in the program */
@@ -644,7 +644,7 @@ doit (void)
 exit(1);
 }
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
 if (ret < 0 || status != 0)
 {
 fail("gnutls_x509_trust_list_verify_crt - 1\n");
@@ -665,10 +665,10 @@ doit (void)
 exit(1);
 }
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
 if (ret < 0 || status != 0)
 {
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 2\n");
 exit(1);
 }
@@ -686,10 +686,10 @@ doit (void)
 exit(1);
 }
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
 if (ret < 0 || status != 0)
 {
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 3\n");
 exit(1);
 }
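Review bot: The new `if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)` in gnutls_x509_trust_list_verify_crt guards a single unbraced statement that reassigns `cert_list`, and the next statement, `shorten_clist(...)`, looks like it belongs to the same logical step; this is the shape in which a later edit adding a second statement under the flag silently ends up unconditional. Braces would make the intent unambiguous: `if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN) { cert_list = sort_clist(sorted, cert_list, &cert_list_size); }`. A one-line why-comment would also help the next reader, since the security effect is not obvious from the code, e.g. `/* without the flag the caller's order is trusted and an out-of-order chain fails verification below */`. The function starts before this hunk, so the `sorted` buffer's declaration and whether it is still needed on the strict path are not visible here.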
@@ -707,10 +707,31 @@ doit (void)
 exit(1);
 }
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
 if (ret < 0 || status != 0)
 {
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 4\n");
+ exit(1);
+ }
+
+ for (i=0;i<crts_size;i++)
+ gnutls_x509_crt_deinit(crts[i]);
+ gnutls_free(crts);
+
+ /* Check if an unsorted list would fail if the unsorted flag is not given */
+ data.data = (void*) chain2;
+ data.size = sizeof(chain2);
+ ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0)
+ {
+ fail("gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ if (ret < 0 || status == 0)
+ {
+ fail("gnutls_x509_trust_list_verify_crt - 5\n");
 exit(1);
 } |
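Review bot: The new negative check in doit() only asserts `status == 0` is not the outcome, so it would also pass if verification failed for an unrelated reason (expired certificate in chain2, a missing trust anchor, and so on) and would not notice if the strict path ever started returning an error code instead of a status. Asserting the bit that the chain-order failure is expected to set pins the behaviour this commit introduces: `if (ret < 0 || !(status & GNUTLS_CERT_INVALID))`. It would also help to print the status on failure, `fail("gnutls_x509_trust_list_verify_crt - 5: status 0x%x\n", status);`, so a regression is diagnosable from the test log. The certificates imported for this check are not deinitialized within the hunk; doit() continues past the last visible `}`, so whether they are released later cannot be seen here.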