
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-84-gde90e7f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-84-gde90e7f
Date: Sun, 16 Sep 2012 21:02:43 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=de90e7f1e82925e11486bf791086145ccd6801d4

The branch, master has been updated
       via  de90e7f1e82925e11486bf791086145ccd6801d4 (commit)
      from  e7b65df28abd19bd9a2e8de11d7b1c9ead9c5fcf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit de90e7f1e82925e11486bf791086145ccd6801d4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 23:02:35 2012 +0200

    Added the verification flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, which is
enabled by default when verifying TLS sessions.

-----------------------------------------------------------------------

Summary of changes:
 lib/gnutls_cert.c            |    1 +
 lib/gnutls_ui.c              |    3 ++-
 lib/includes/gnutls/x509.h   |    3 +++
 lib/x509/verify-high.c       |    3 ++-
 tests/chainverify-unsorted.c |   37 +++++++++++++++++++++++++++++--------
 5 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 605b7d8..76c5e04 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -231,6 +231,7 @@ int ret;
     }
   (*res)->verify_bits = DEFAULT_VERIFY_BITS;
   (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
+  (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 
   return 0;
 }
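Review bot: The new default on the verify_flags line is written as a bare constant right next to `DEFAULT_VERIFY_BITS` and `DEFAULT_VERIFY_DEPTH`; for consistency with those two it should be a named default, `#define DEFAULT_VERIFY_FLAGS GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN` beside them and `(*res)->verify_flags = DEFAULT_VERIFY_FLAGS;` here. Because this default now decides how every peer-supplied chain is processed before verification, a one-line why-comment such as `/* Many TLS servers send out-of-order chains; tolerate them by default. */` would help a reader who later considers tightening it. The function being initialized here starts above the hunk.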
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 608462b..7775f59 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -659,7 +659,8 @@ gnutls_certificate_set_params_function 
(gnutls_certificate_credentials_t res,
  *
  * This function will set the flags to be used at verification of the
  * certificates.  Flags must be OR of the
- * #gnutls_certificate_verify_flags enumerations.
+ * #gnutls_certificate_verify_flags enumerations. The default
+ * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
  *
  **/
 void
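Review bot: The added sentence states the default but not what a call to this setter does to it; if the setter assigns @flags outright (its body is below the hunk), an application that passes only some other flag silently loses the unsorted-chain tolerance the TLS default gave it, and out-of-order peer chains start failing. Suggest extending the comment with `Note that this function replaces the default rather than adding to it; OR in GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN to keep accepting out-of-order chains.` once that is confirmed against the setter's implementation.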
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 6c06cd0..8ca2e1b 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -601,6 +601,8 @@ extern "C"
  * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
  *   anyone trusted but exists in the trusted CA list do not treat it
  *   as trusted.
+ * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
+ *   if unsorted (the case with many TLS servers out there).
  * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
  *   have version 1 (both root and intermediate). This might be
  *   dangerous since those haven't the basicConstraints
@@ -630,6 +632,7 @@ extern "C"
     GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
     GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
     GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
+    GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index d8addba..05fb771 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -553,7 +553,8 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t 
list,
     if (cert_list == NULL || cert_list_size < 1)
         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-    cert_list = sort_clist(sorted, cert_list, &cert_list_size);
+    if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+      cert_list = sort_clist(sorted, cert_list, &cert_list_size);
 
     cert_list_size = shorten_clist(list, cert_list, cert_list_size);
     if (cert_list_size <= 0)
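Review bot: Making the sort conditional changes behavior for existing callers of gnutls_x509_trust_list_verify_crt that pass flags=0: their out-of-order chains used to be sorted and now fail verification (this commit's own tests had to add the flag). That deserves a why-comment at the new `if`, e.g. `/* Reorder the peer chain only when the caller allows it; the TLS credential default does, direct callers must pass the flag. */`, and a matching sentence in the function's doc comment, which sits above the hunk. Also, `sorted` looks like the scratch array sort_clist fills; it is now only written on the flag path, so confirm nothing after the hunk reads it unconditionally. The function continues past the hunk.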
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 336cef2..716fbd2 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -613,7 +613,7 @@ doit (void)
   gnutls_x509_crt_t *crts;
   unsigned int crts_size, i;
   gnutls_x509_trust_list_t tl;
-  unsigned int status;
+  unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 
   /* this must be called once in the program
    */
@@ -644,7 +644,7 @@ doit (void)
       exit(1);
     }
   
-  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, 
NULL);
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, 
NULL);
   if (ret < 0 || status != 0)
     {
       fail("gnutls_x509_trust_list_verify_crt - 1\n");
@@ -665,10 +665,10 @@ doit (void)
       exit(1);
     }
   
-  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, 
NULL);
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, 
NULL);
   if (ret < 0 || status != 0)
     {
-      fail("gnutls_x509_trust_list_verify_crt - 1\n");
+      fail("gnutls_x509_trust_list_verify_crt - 2\n");
       exit(1);
     }
     
@@ -686,10 +686,10 @@ doit (void)
       exit(1);
     }
   
-  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, 
NULL);
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, 
NULL);
   if (ret < 0 || status != 0)
     {
-      fail("gnutls_x509_trust_list_verify_crt - 1\n");
+      fail("gnutls_x509_trust_list_verify_crt - 3\n");
       exit(1);
     }
     
@@ -707,10 +707,31 @@ doit (void)
       exit(1);
     }
   
-  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, 
NULL);
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, 
NULL);
   if (ret < 0 || status != 0)
     {
-      fail("gnutls_x509_trust_list_verify_crt - 1\n");
+      fail("gnutls_x509_trust_list_verify_crt - 4\n");
+      exit(1);
+    }
+    
+  for (i=0;i<crts_size;i++)
+    gnutls_x509_crt_deinit(crts[i]);
+  gnutls_free(crts);
+
+  /* Check if an unsorted list would fail if the unsorted flag is not given */
+  data.data = (void*) chain2;
+  data.size = sizeof(chain2);
+  ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, 
GNUTLS_X509_FMT_PEM, 0);
+  if (ret < 0)
+    {
+      fail("gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
+      exit(1);
+    }
+  
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, 
NULL);
+  if (ret < 0 || status == 0)
+    {
+      fail("gnutls_x509_trust_list_verify_crt - 5\n");
       exit(1);
     }
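Review bot: The new negative case only requires `status` to be non-zero, so it would still pass if chain2 failed for an unrelated reason (an expired certificate, a missing signer) rather than because the chain was left unsorted; assert the specific status bit(s) expected for an unsorted chain instead of `status == 0` so the test pins the intended failure. The list imported for this case is not released within the hunk, unlike the earlier list freed by the deinit loop above; confirm it is deinitialized after the hunk. Consider also noting in the comment that chain2 is the out-of-order chain, since that is the property the case depends on. The enclosing function doit continues past the hunk.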
     


hooks/post-receive
-- 
GNU gnutls


