authorNikos Mavrogiannopoulos <nmav@redhat.com>2019-12-18 14:04:35 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-19 20:12:58 +0100
commit321a017fa467d200a9a8a446febfb5abda2519fe (patch)
tree5bf1cdecbf44128896861b3fb819cc9084d13964
parent3cbeffcb7d4a70858b1c46fe955516b9eab0ef8e (diff)
is_level_acceptable: apply the system-wide profile in all verifications
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--NEWS3
-rw-r--r--lib/priority.c5
-rw-r--r--lib/profiles.h2
-rw-r--r--lib/x509/verify.c14
4 files changed, 23 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index cf9deaadbb..c9fcd6c2b7 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ See the end for copying conditions.
enabled both on a server and a client. It is recommended for now to disable
TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
+** libgnutls: The min-verification-profile from system configuration applies
+ for all certificate verifications, not only under TLS.
+
** API and ABI modifications:
gnutls_ocsp_req_const_t: Added
diff --git a/lib/priority.c b/lib/priority.c
index c1669220c6..822874a76f 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -976,6 +976,11 @@ static time_t system_priority_last_mod = 0;
#define OVERRIDES_SECTION "overrides"
#define MAX_ALGO_NAME 128
+gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void)
+{
+ return system_wide_verification_profile;
+}
+
/* removes spaces */
static char *clear_spaces(const char *str, char out[MAX_ALGO_NAME])
{
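Review bot: The new accessor `_gnutls_get_system_wide_verification_profile` has no comment, and neither does its prototype in lib/profiles.h, so a reader has to find the `if (min_profile)` test in lib/x509/verify.c to learn that zero means "no system-wide minimum". I would put `/* Returns the min-verification-profile from the system-wide configuration, or GNUTLS_PROFILE_UNKNOWN (0) when none is configured. */` above the definition. Since the surrounding code tracks `system_priority_last_mod`, the configuration presumably can be re-read at runtime; if so, it is worth confirming that this unsynchronised read of `system_wide_verification_profile` is covered by whatever guards the reload, because it is now called on every certificate verification, not only from TLS setup.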
diff --git a/lib/profiles.h b/lib/profiles.h
index a2aae2a687..d5c35d2f96 100644
--- a/lib/profiles.h
+++ b/lib/profiles.h
@@ -29,4 +29,6 @@
gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) __GNUTLS_PURE__;
gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) __GNUTLS_PURE__;
+gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void);
+
#endif /* GNUTLS_LIB_PROFILES_H */
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 8234702755..4ca04eb48d 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -38,6 +38,7 @@
#include <common.h>
#include <pk.h>
#include "supported_exts.h"
+#include "profiles.h"
/* Checks if two certs have the same name and the same key. Return 1 on match.
* If @is_ca is zero then this function is identical to gnutls_x509_crt_equals()
@@ -460,9 +461,20 @@ static unsigned is_level_acceptable(
gnutls_pk_params_st params;
gnutls_sec_param_t sp;
int hash;
+ gnutls_certificate_verification_profiles_t min_profile;
- if (profile == GNUTLS_PROFILE_UNKNOWN)
+ min_profile = _gnutls_get_system_wide_verification_profile();
+
+ if (min_profile) {
+ if (profile < min_profile) {
+ gnutls_assert();
+ profile = min_profile;
+ }
+ }
+
+ if (profile == GNUTLS_PROFILE_UNKNOWN) {
return 1;
+ }
pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
if (pkalg < 0)
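Review bot: The `if (profile < min_profile)` test at the top of the new block treats the numeric order of gnutls_certificate_verification_profiles_t as a strength order, which only holds if the enum is laid out that way; if the SUITEB profiles are numbered above the general-purpose ones, a system-wide SUITEB minimum would replace a caller's ULTRA or FUTURE profile rather than only raising weak ones, and the raised profile is then used for the rest of the function. If that is the intended policy, state it, e.g. `/* The system-wide min-verification-profile overrides any weaker caller profile, including GNUTLS_PROFILE_UNKNOWN; the comparison is numeric, so a SUITEB minimum wins over every non-SUITEB profile. */`; otherwise compare via `_gnutls_profile_to_sec_level()` on both values. Note also that `gnutls_assert()` now fires on every verification whose caller profile is below the configured minimum, which is the common case when callers pass GNUTLS_PROFILE_UNKNOWN, so the debug log may become noisy. is_level_acceptable() continues past the end of the hunk.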