-rw-r--r--NEWS3
-rw-r--r--lib/gnutls_cert.c25
2 files changed, 19 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 27c0f1cbd1..31be515d09 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-Version 1.0.17
+Version 1.0.17 (02/08/2004)
- Updated the SRP authentication to conform to the
latest (yet unreleased) draft. Unfortunately this breaks
compatibility with previous versions.
@@ -6,6 +6,7 @@ Version 1.0.17
- Added some default limits in the verification of certificate
chains, to avoid denial of service attacks. Also added
gnutls_certificate_set_verify_limits() to override them.
+ Issue pointed out by Patrik Hornik <patrik@hornik.sk>.
- Added gnutls_certificate_verify_peers2().
Version 1.0.16 (10/07/2004)
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 81875677ad..81d99f066b 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -522,14 +522,18 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session session)
* @status: is the output of the verification
*
* This function will try to verify the peer's certificate and return its status (trusted, invalid etc.).
- * The value of @status should be one or more of the gnutls_certificate_status_t
- * enumerated elements bitwise or'd.
- * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer.
+ * The value of @status should be one or more of the gnutls_certificate_status
+ * enumerated elements bitwise or'd. To avoid denial of service attacks
+ * some default upper limits regarding the certificate key size and
+ * chain size are set. To override them use gnutls_certificate_set_verify_limits().
+ *
+ * Note that you must also check the peer's name in order to
+ * check if the verified certificate belongs to the actual peer.
*
* Returns a negative error code on error and zero on success.
*
- * This is the same as gnutls_x509_verify_certificate().
+ * This is the same as gnutls_x509_verify_certificate() and
+ * uses the loaded CAs in the credentials as trusted CAs.
*
**/
int gnutls_certificate_verify_peers2(gnutls_session session, unsigned int *status)
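Review bot: The added sentence `To avoid denial of service attacks some default upper limits regarding the certificate key size and chain size are set.` tells callers that limits exist but not how exceeding one is reported, which is what a caller handling the result needs to know: whether it shows up as a bit in @status, as a negative return code, or both. The hunk does not show the implementation, so the wording should be confirmed against the verification code before adding it, but the doc comment should say something like `* A chain or key that exceeds these limits is treated as a verification failure; see gnutls_certificate_set_verify_limits() for the default values.` The same gap exists in the gnutls_certificate_verify_peers() comment in the next hunk, where it matters more because that function folds status and error into a single return value. The change of `gnutls_certificate_status_t` to `gnutls_certificate_status` makes this comment consistent with the existing text in the verify_peers() comment, so it looks intentional.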
@@ -574,13 +578,18 @@ int gnutls_certificate_verify_peers2(gnutls_session session, unsigned int *statu
* @session: is a gnutls session
*
* This function will try to verify the peer's certificate and return its status (trusted, invalid etc.).
- * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer.
+ * To avoid denial of service attacks
+ * some default upper limits regarding the certificate key size and
+ * chain size are set. To override them use gnutls_certificate_set_verify_limits().
*
+ * Note that you must also check the peer's name in order to
+ * check if the verified certificate belongs to the actual peer.
+ *
* The return value should be one or more of the gnutls_certificate_status
* enumerated elements bitwise or'd, or a negative error code on error.
*
- * This is the same as gnutls_x509_verify_certificate().
+ * This is the same as gnutls_x509_verify_certificate() and
+ * uses the loaded CAs in the credentials as trusted CAs.
*
**/
int gnutls_certificate_verify_peers(gnutls_session session)