
[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_3-4-ge22f71


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_3-4-ge22f714
Date: Fri, 26 Nov 2010 13:00:48 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e22f714d85bb3e659c4f6e357f27c94a9e784c57

The branch, gnutls_2_10_x has been updated
       via  e22f714d85bb3e659c4f6e357f27c94a9e784c57 (commit)
      from  d3a61f4ad2874f67e226bb768fecaaab31cb10f0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e22f714d85bb3e659c4f6e357f27c94a9e784c57
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Nov 26 12:46:16 2010 +0100

    Reverted default behavior for verification and introduced 
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT.
    Thus by default V1 trusted CAs are allowed, unless the new flag is 
specified.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                       |    9 +++++++++
 lib/gnutls_cert.c          |    5 -----
 lib/includes/gnutls/x509.h |   11 ++++++-----
 lib/x509/verify.c          |    4 ++--
 src/certtool.c             |    4 ++--
 src/cli.c                  |    3 +--
 tests/chainverify.c        |   12 +++++-------
 7 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/NEWS b/NEWS
index fdda943..4fc3592 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,15 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
               2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
 See the end for copying conditions.
 
+* Version 2.10.4 (unreleased)
+
+** libgnutls: Reverted default behavior for verification and
+introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
+V1 trusted CAs are allowed, unless the new flag is specified.
+
+** API and ABI modifications:
+No changes since last version.
+
 * Version 2.10.3 (released 2010-11-19)
 
 ** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key.
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 5072c8e..633da1c 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -606,11 +606,6 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
  * This function uses gnutls_x509_crt_list_verify() with the CAs in
  * the credentials as trusted CAs.
  *
- * Note that some commonly used X.509 Certificate Authorities are
- * still using Version 1 certificates.  If you want to accept them,
- * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
- * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
- *
  * Returns: a negative error code on error and zero on success.
  **/
 int
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index fc2381f..e3163f6 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -506,10 +506,10 @@ extern "C"
  * @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
  *   list is never checked for expiration or activation.
  * @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Allow only trusted CA
- *   certificates that have version 1.  This is safer than
- *   %GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used
- *   instead. That way only signers in your trusted list will be
- *   allowed to have certificates of version 1.
+ *   certificates that have version 1.  This is the default.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
+ *   certificates that have version 1.  This option is to be used
+ *   to deprecate all V1 certificates.
  * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
  *   anyone trusted but exists in the trusted CA list do not treat it
  *   as trusted.
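Review bot: The rewritten entry for @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT says the behaviour "is the default" but not that the flag itself no longer does anything — the lib/x509/verify.c hunks in this commit drop both places that tested it, so passing it is now a no-op kept for source compatibility. The entry also leaves open what happens when a caller sets both flags; from the verify.c hunks, GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT is the one consulted, and only GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT still overrides it inside check_if_ca. I'd extend the entry to ` *   certificates that have version 1.  This is the default; the flag is kept for compatibility and has no effect, and %GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT overrides it.`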
@@ -537,7 +537,8 @@ extern "C"
     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
     GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
-    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128
+    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 393b8a5..e7fdbad 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -171,7 +171,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t 
issuer,
      these certs only if the appropriate flags are set. */
   else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
           ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) ||
-           ((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) &&
+           (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) &&
             (gnutls_x509_crt_check_issuer (issuer, issuer) == 1))))
     {
       gnutls_assert ();
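Review bot: The comment ending just above this condition (`these certs only if the appropriate flags are set`) is now inaccurate: with the new test an issuer whose basic-constraints lookup returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is accepted as a CA by default, provided it is self-signed, and only GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT turns that off. I'd reword it to `/* Accept such an issuer only when it is self-signed (i.e. it came in as a trust anchor), unless GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT is set; GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT accepts it regardless. */`. GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is no longer consulted here, so callers still passing it silently get the default. check_if_ca begins and continues outside the hunk, and the hunk header is wrapped across two lines by the mailer.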
@@ -311,7 +311,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
     }
 
   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
-      !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1))
+      ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version 
!= 1))
     {
       if (check_if_ca (cert, issuer, flags) == 0)
        {
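Review bot: The new condition skips check_if_ca for every version-1 issuer by default, whereas the previous hunk only admits a V1 issuer inside check_if_ca when it is self-signed — so that self-signature guard is never reached for a V1 issuer unless GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT is set, in which case check_if_ca rejects it anyway. The same bypass existed before, but it required the caller to opt in with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; it is now the default for every caller of this function. Whether `issuer` here can only come from the trusted list is decided outside the hunk, so I cannot tell if a non-self-signed V1 certificate can reach this path; if it can, mirroring the check_if_ca guard, e.g. `((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1 || gnutls_x509_crt_check_issuer (issuer, issuer) != 1))`, would keep the two sites consistent. The trailing `!= 1))` on the next line is a mail-client wrap of the same source line, not separate code.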
diff --git a/src/certtool.c b/src/certtool.c
index 30cde61..f908d84 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2065,8 +2065,8 @@ _verify_x509_mem (const void *cert, int cert_size)
 {
   const char *ptr;
   int ret, i;
-  char name[256];
-  char issuer_name[256];
+  char name[512];
+  char issuer_name[512];
   size_t name_size;
   size_t issuer_name_size;
   gnutls_datum_t tmp;
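Review bot: Doubling `name` and `issuer_name` to 512 bytes is unrelated to the verification-flag change the commit message describes and is not mentioned there. The initialisation of name_size and issuer_name_size lies outside the hunk, so I cannot confirm they are derived from the array; if either is a literal 256 the larger buffers change nothing, and if the names are later formatted with a fixed width that needs the same treatment. I'd set them as `name_size = sizeof name;` and `issuer_name_size = sizeof issuer_name;` so the size cannot drift from the declaration again, and move this into its own commit. _verify_x509_mem continues outside the hunk.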
diff --git a/src/cli.c b/src/cli.c
index 3964a93..fdc8b55 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -512,8 +512,7 @@ init_tls_session (const char *hostname)
 
   gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
   gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
-  gnutls_certificate_set_verify_flags (xcred,
-                                      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+  gnutls_certificate_set_verify_flags (xcred, 0);
 
   /* send the fingerprint */
 #ifdef ENABLE_OPENPGP
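Review bot: `gnutls_certificate_set_verify_flags (xcred, 0);` now tells the reader nothing: assuming freshly allocated credentials start with zero flags (allocated outside the hunk, so I cannot confirm), it clears flags that are already clear, and the commit message says the old flag's behaviour is the default anyway. Either drop the call or keep it with a comment such as `/* Library defaults: V1 trusted CAs are accepted; set GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT to reject them. */` so the next reader does not assume V1 CAs are being disabled here. init_tls_session continues outside the hunk.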
diff --git a/tests/chainverify.c b/tests/chainverify.c
index 5aa4b88..2e9fd54 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -687,15 +687,13 @@ static struct
   { "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
     0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
   { "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3],
-    0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
-  { "verisign.com v1 fail2", verisign_com_chain, &verisign_com_chain[3],
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+    0,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
   { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3],
     GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
     0 },
   { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2],
-    0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | 
GNUTLS_CERT_INVALID },
   { "expired self signed", pem_self_cert, &pem_self_cert[0],
     0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
   { "self signed", pem_self_cert, &pem_self_cert[0],
@@ -706,7 +704,7 @@ static struct
   { "ca=false2", thea_chain, &thea_chain[1],
     0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
   { "hbci v1 fail", hbci_chain, &hbci_chain[2],
-    0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID},
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | 
GNUTLS_CERT_INVALID},
   { "hbci v1 ok expired", hbci_chain, &hbci_chain[2],
     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
@@ -724,7 +722,7 @@ static struct
   { "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1],
     GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 },
   { "v1ca fail", v1ca, &v1ca[2],
-    0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | 
GNUTLS_CERT_INVALID },
   { "v1ca expired", v1ca, &v1ca[2],
     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
     GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID  },
@@ -851,7 +849,7 @@ doit (void)
          fail ("verify_status: %d expected: %d",
                verify_status, chains[i].expected_verify_result);
 
-         if (debug)
+         if (!debug)
            exit (1);
        }
       else if (debug)
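Review bot: Inverting the test to `if (!debug)` changes what a mismatch does in both modes — a normal run now exits at the first failing chain instead of walking the remaining table, and a debug run no longer exits at all — yet the commit message only describes the verification-flag change. The `fail (...)` call just above presumably records the mismatch, so continuing in debug mode is reasonable, but the behaviour change deserves a line in the commit message or a separate commit. doit continues outside the hunk.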




