authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-01 11:47:17 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-02 16:03:27 +0100
commitc653a8e384f329bc9d63ef9c0995e03540a6837d (patch)
treebbe7fc7fa9e86fbc22f5e4c2e93fb135dfbd2f3d
parent6f7c7db6469adb72db27a1173218dd55aeb1e90f (diff)
x509.h: introduced flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
That flag signals the verification process not to fail on unknown critical extensions. This can be used when the critical extension checking in a chain is handled externally. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/includes/gnutls/x509.h5
-rw-r--r--lib/x509/verify.c12
2 files changed, 12 insertions, 5 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index c47fad1c8c..1972c91140 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -902,6 +902,8 @@ int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
* check in the verification, do not consider any wildcards.
* @GNUTLS_VERIFY_USE_TLS1_RSA: This indicates that a (raw) RSA signature is provided
* as in the TLS 1.0 protocol. Not all functions accept this flag.
+ * @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: This signals the verification
+ * process, not to fail on unknown critical extensions.
*
* Enumeration of different certificate verify flags. Additional
* verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
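Review bot: The new @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS text does not tell callers what they take on: RFC 5280 requires a certificate carrying an unrecognised critical extension to be rejected, so setting this flag moves that obligation onto the application, and the header is where that contract should be stated. Suggest `@GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Do not fail verification on unknown critical extensions (RFC 5280 4.2 requires rejection); only for callers that check the chain's critical extensions themselves.` The stray comma in "process, not to fail" also reads as if the flag signalled the process rather than instructing it.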
@@ -920,7 +922,8 @@ typedef enum gnutls_certificate_verify_flags {
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
- GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13
+ GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13,
+ GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14
/* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
} gnutls_certificate_verify_flags;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index bc04f6c3ff..2ba65aca50 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -566,9 +566,9 @@ typedef struct verify_state_st {
gnutls_verify_output_function *func;
} verify_state_st;
-#define MARK_INVALID(x) gnutls_assert(); \
+#define MARK_INVALID(x) { gnutls_assert(); \
out |= (x|GNUTLS_CERT_INVALID); \
- result = 0
+ result = 0; }
/*
* Verifies the given certificate against a certificate list of
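Review bot: Wrapping MARK_INVALID in plain braces still does not make it a single statement: `MARK_INVALID(x);` expands to `{ ... };`, so an unbraced `if (c) MARK_INVALID(x); else ...` fails to compile, and in every other position the semicolon after the closing brace is a silent empty statement. The conventional form is `#define MARK_INVALID(x) do { gnutls_assert(); \` / `out |= (x|GNUTLS_CERT_INVALID); \` / `result = 0; } while (0)`. The call sites changed in this patch wrap the macro in their own braces, so nothing breaks today, but the macro should not depend on that.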
@@ -750,14 +750,18 @@ verify_crt(gnutls_x509_crt_t cert,
/* we always check the issuer for unsupported critical extensions */
if (issuer && check_for_unknown_exts(issuer) != 0) {
- MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS);
+ if (!(flags & GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS)) {
+ MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS);
+ }
}
/* we only check the end-certificate for critical extensions; that
* way do not perform this check twice on the certificates when
* verifying a large list */
if (end_cert && check_for_unknown_exts(cert) != 0) {
- MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS);
+ if (!(flags & GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS)) {
+ MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS);
+ }
}
if (sigalg >= 0) {
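Review bot: When the flag is set, both new `if` blocks silently discard the result of check_for_unknown_exts(): the verification output carries no trace that an unknown critical extension was seen, so an application that sets the flag without actually performing the external check gets a clean status and nothing to audit. A comment at the first new `if` should make the deviation explicit, e.g. `/* RFC 5280 4.2 requires rejecting unknown critical extensions; the caller asserted via GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS that it performs this check itself */`. The identical flag test appears twice; a local such as `const int ignore_crit_exts = !!(flags & GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS);` evaluated once before the two checks would keep them from drifting apart. verify_crt() begins and ends outside the hunk, so whether `flags` is a parameter of this function or derived earlier cannot be confirmed here.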