authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-09-16 23:02:35 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-09-18 21:45:28 +0200
commit22288ba7f1439caf5cdadfe0f0220a1d5a59ed42 (patch)
tree591ad0b5516a6a2ed33d782f4197e78169e6846b
parent1c2115dad9f9b1907a3968c34e8ad134bca2ef00 (diff)
Added the verification flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, which is enabled by default for verifying TLS sessions.
-rw-r--r--lib/gnutls_cert.c1
-rw-r--r--lib/gnutls_ui.c3
-rw-r--r--lib/includes/gnutls/x509.h3
-rw-r--r--lib/x509/verify-high.c3
-rw-r--r--tests/chainverify-unsorted.c37
5 files changed, 37 insertions, 10 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index ac25051999..357569f0e4 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -231,6 +231,7 @@ int ret;
}
(*res)->verify_bits = DEFAULT_VERIFY_BITS;
(*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
+ (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
return 0;
}
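Review bot: The new default assignment carries no comment saying why a freshly allocated credentials structure starts out tolerating out-of-order chains; the rationale lives only in the x509.h enum description, which a reader of this init path will not see. Suggest `/* Many TLS servers send their chain out of order; tolerate that by default. */` above the assignment. Because this is a plain assignment rather than an OR, any further default flag introduced later has to be combined here explicitly. The enclosing function begins before the hunk.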
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 6221b5e848..320b1ff887 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -658,7 +658,8 @@ gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res,
*
* This function will set the flags to be used at verification of the
* certificates. Flags must be OR of the
- * #gnutls_certificate_verify_flags enumerations.
+ * #gnutls_certificate_verify_flags enumerations. The default
+ * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
*
**/
void
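Review bot: The updated comment states the default but not that a call to this setter replaces it, so an application passing any other flag silently loses unsorted-chain tolerance unless it ORs GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN back in — presumably the setter assigns rather than ORs (its body is outside the hunk), which is worth confirming before documenting. Suggest adding `* Calling this function replaces the default; OR in` / `* %GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN to keep tolerating out-of-order chains.` The comment already uses the gtk-doc `#` marker for the type, so the constant should get the matching `%GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN` form rather than bare text. The documented function's signature continues after the hunk.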
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 859966b8d2..52adb7e5cf 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -598,6 +598,8 @@ extern "C"
* @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
+ * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
+ * if unsorted (the case with many TLS servers out there).
* @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
* have version 1 (both root and intermediate). This might be
* dangerous since those haven't the basicConstraints
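Review bot: The new enum description says an unsorted chain is "tolerated" without telling the API user what that means: elsewhere in this commit verify-high.c reorders the list before verification when the flag is set, tests/chainverify-unsorted.c expects an out-of-order chain to fail when it is not, and gnutls_cert.c enables it by default for TLS credentials, none of which is visible from the header. Suggest `* @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: Reorder an out-of-order certificate chain` / `* before verifying it (many TLS servers send one); enabled by default for TLS` / `* sessions. Without it such a chain fails verification.` The parenthetical "the case with many TLS servers out there" reads informally for a public header.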
@@ -627,6 +629,7 @@ extern "C"
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
+ GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 094fee8b8b..72070b9ec1 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -559,7 +559,8 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- cert_list = sort_clist(sorted, cert_list, &cert_list_size);
+ if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+ cert_list = sort_clist(sorted, cert_list, &cert_list_size);
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
if (cert_list_size <= 0)
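Review bot: The new conditional around sort_clist() documents neither branch, and an unbraced single-statement if in the verification path is easy to break when a later edit adds a second line. Suggest `/* Reorder the chain only when the caller opted in; otherwise it is verified exactly as supplied and an out-of-order chain fails (see tests/chainverify-unsorted.c). */` with braces around the call. With the flag clear the unsorted list flows on to shorten_clist() and the remaining checks unchanged, which matches the strict behaviour the test asserts. gnutls_x509_trust_list_verify_crt continues both before and after the hunk.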
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 336cef2f7a..716fbd20db 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -613,7 +613,7 @@ doit (void)
gnutls_x509_crt_t *crts;
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
- unsigned int status;
+ unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
*/
@@ -644,7 +644,7 @@ doit (void)
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
fail("gnutls_x509_trust_list_verify_crt - 1\n");
@@ -665,10 +665,10 @@ doit (void)
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 2\n");
exit(1);
}
@@ -686,10 +686,10 @@ doit (void)
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 3\n");
exit(1);
}
@@ -707,10 +707,31 @@ doit (void)
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 4\n");
+ exit(1);
+ }
+
+ for (i=0;i<crts_size;i++)
+ gnutls_x509_crt_deinit(crts[i]);
+ gnutls_free(crts);
+
+ /* Check if an unsorted list would fail if the unsorted flag is not given */
+ data.data = (void*) chain2;
+ data.size = sizeof(chain2);
+ ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0)
+ {
+ fail("gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ if (ret < 0 || status == 0)
+ {
+ fail("gnutls_x509_trust_list_verify_crt - 5\n");
exit(1);
}
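Review bot: The new negative check at the end accepts any non-zero status, so a failure unrelated to ordering — an expired certificate or a missing trusted root — would also satisfy it and a regression in the sorting path would go unnoticed; it should assert the bit the unsorted chain is expected to produce, presumably GNUTLS_CERT_SIGNER_NOT_FOUND alongside GNUTLS_CERT_INVALID, to be confirmed against the verifier, e.g. `if (ret < 0 || !(status & GNUTLS_CERT_INVALID))`. The earlier blocks in this hunk deinit each certificate and free `crts` after every verification call; if the same cleanup does not follow this last call beyond the hunk, the list imported for chain2 leaks. doit() continues past the end of the hunk.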