From e22f714d85bb3e659c4f6e357f27c94a9e784c57 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 26 Nov 2010 12:46:16 +0100 Subject: Reverted default behavior for verification and introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs are allowed, unless the new flag is specified. --- NEWS | 9 +++++++++ lib/gnutls_cert.c | 5 ----- lib/includes/gnutls/x509.h | 11 ++++++----- lib/x509/verify.c | 4 ++-- src/certtool.c | 4 ++-- src/cli.c | 3 +-- tests/chainverify.c | 12 +++++------- 7 files changed, 25 insertions(+), 23 deletions(-) diff --git a/NEWS b/NEWS index fdda943892..4fc35929ea 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,15 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc. See the end for copying conditions. +* Version 2.10.4 (unreleased) + +** libgnutls: Reverted default behavior for verification and +introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default +V1 trusted CAs are allowed, unless the new flag is specified. + +** API and ABI modifications: +No changes since last version. + * Version 2.10.3 (released 2010-11-19) ** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key. diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 5072c8ec17..633da1c7be 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -606,11 +606,6 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session, * This function uses gnutls_x509_crt_list_verify() with the CAs in * the credentials as trusted CAs. * - * Note that some commonly used X.509 Certificate Authorities are - * still using Version 1 certificates. If you want to accept them, - * you need to call gnutls_certificate_set_verify_flags() with, e.g., - * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. - * * Returns: a negative error code on error and zero on success. **/ int diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index fc2381f81f..e3163f6851 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -506,10 +506,10 @@ extern "C" * @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted * list is never checked for expiration or activation. * @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Allow only trusted CA - * certificates that have version 1. This is safer than - * %GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used - * instead. That way only signers in your trusted list will be - * allowed to have certificates of version 1. + * certificates that have version 1. This is the default. + * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA + * certificates that have version 1. This option is to be used + * to deprecate all V1 certificates. * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by * anyone trusted but exists in the trusted CA list do not treat it * as trusted. @@ -537,7 +537,8 @@ extern "C" GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32, GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64, - GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128 + GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128, + GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256 } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 393b8a5ab0..e7fdbad73e 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -171,7 +171,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, these certs only if the appropriate flags are set. */ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) && ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) || - ((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && + (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) && (gnutls_x509_crt_check_issuer (issuer, issuer) == 1)))) { gnutls_assert (); @@ -311,7 +311,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, } if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && - !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) + ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) { if (check_if_ca (cert, issuer, flags) == 0) { diff --git a/src/certtool.c b/src/certtool.c index 30cde6180e..f908d84bd8 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -2065,8 +2065,8 @@ _verify_x509_mem (const void *cert, int cert_size) { const char *ptr; int ret, i; - char name[256]; - char issuer_name[256]; + char name[512]; + char issuer_name[512]; size_t name_size; size_t issuer_name_size; gnutls_datum_t tmp; diff --git a/src/cli.c b/src/cli.c index 3964a93186..fdc8b5571c 100644 --- a/src/cli.c +++ b/src/cli.c @@ -512,8 +512,7 @@ init_tls_session (const char *hostname) gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); gnutls_certificate_set_verify_function (xcred, cert_verify_callback); - gnutls_certificate_set_verify_flags (xcred, - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + gnutls_certificate_set_verify_flags (xcred, 0); /* send the fingerprint */ #ifdef ENABLE_OPENPGP diff --git a/tests/chainverify.c b/tests/chainverify.c index 5aa4b88df1..2e9fd54105 100644 --- a/tests/chainverify.c +++ b/tests/chainverify.c @@ -687,15 +687,13 @@ static struct { "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2], 0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID }, { "verisign.com v1 fail", verisign_com_chain, &verisign_com_chain[3], - 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, - { "verisign.com v1 fail2", verisign_com_chain, &verisign_com_chain[3], - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + 0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID }, { "verisign.com v1 ok", verisign_com_chain, &verisign_com_chain[3], GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, 0 }, { "citibank.com v1 fail", citibank_com_chain, &citibank_com_chain[2], - 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, + GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, { "expired self signed", pem_self_cert, &pem_self_cert[0], 0, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID }, { "self signed", pem_self_cert, &pem_self_cert[0], @@ -706,7 +704,7 @@ static struct { "ca=false2", thea_chain, &thea_chain[1], 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, { "hbci v1 fail", hbci_chain, &hbci_chain[2], - 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID}, + GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID}, { "hbci v1 ok expired", hbci_chain, &hbci_chain[2], GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID }, @@ -724,7 +722,7 @@ static struct { "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1], GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 }, { "v1ca fail", v1ca, &v1ca[2], - 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, + GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, { "v1ca expired", v1ca, &v1ca[2], GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID }, @@ -851,7 +849,7 @@ doit (void) fail ("verify_status: %d expected: %d", verify_status, chains[i].expected_verify_result); - if (debug) + if (!debug) exit (1); } else if (debug) -- cgit v1.2.1