From 1fb4b204e138fe0d42c4ae042d9d9c07cba03d82 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 13 Oct 2012 23:17:33 +0200
Subject: [PATCH] Added priority string %VERIFY_DISABLE_CRL_CHECKS.

---
 NEWS | 2 ++
 doc/cha-gtls-app.texi | 3 +++
 lib/gnutls_priority.c | 6 ++++++
 lib/gnutls_x509.c | 9 ++++++---
 lib/includes/gnutls/x509.h | 2 +-
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 66f0b72a5..2a247ffa3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ See the end for copying conditions.
 ** libgnutls: gnutls_certificate_verify_peers2() will set flags depending
 on the available revocation data validity.
 
+** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
+
 ** gnutls-cli: Added --local-dns option.
 
 ** API and ABI modifications:
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 8bd5d92a0..e60386614 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1033,6 +1033,9 @@ causes interoperability problems, but is required for full protection.
 @item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab
 will allow RSA-MD5 signatures in certificate chains.
 
+@item %VERIFY_DISABLE_CRL_CHECKS @tab
+will disable CRL or OCSP checks in the verification of the certificate chain.
+
 @item %VERIFY_ALLOW_X509_V1_CA_CRT @tab
 will allow V1 CAs in chains.
 
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 9c0eed95b..b6649ca67 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -996,6 +996,12 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
 }
 else if (strcasecmp (&broken_list[i][1],
+ "VERIFY_DISABLE_CRL_CHECKS") == 0)
+ {
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_DISABLE_CRL_CHECKS;
+ }
+ else if (strcasecmp (&broken_list[i][1],
 "SSL3_RECORD_VERSION") == 0)
 (*priority_cache)->ssl3_record_version = 1;
 else if (strcasecmp (&broken_list[i][1],
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 8d52bc4ad..19e6c7357 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -200,6 +200,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 int peer_certificate_list_size, i, x, ret;
 gnutls_x509_crt_t issuer;
 unsigned int ocsp_status = 0;
+ unsigned int verify_flags;
 
 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
 
@@ -227,6 +228,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 return GNUTLS_E_CONSTRAINT_ERROR;
 }
 
+ verify_flags = cred->verify_flags | session->internals.priorities.additional_verify_flags;
 /* generate a list of gnutls_certs based on the auth info
 * raw certs.
 */
@@ -271,6 +273,9 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 }
 
 /* Use the OCSP extension if any */
+ if (verify_flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
+ goto skip_ocsp;
+
 ret = gnutls_ocsp_status_request_get(session, &resp);
 if (ret < 0)
 goto skip_ocsp;
@@ -299,9 +304,7 @@ skip_ocsp:
 */
 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
 peer_certificate_list_size,
- cred->verify_flags | session->internals.
- priorities.additional_verify_flags,
- status, NULL);
+ verify_flags, status, NULL);
 
 CLEAR_CERTS;
 
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 7845f22ed..8fd32eb07 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -646,7 +646,7 @@ extern "C"
 * and expiration validity periods of certificate chains. Don't set
 * this unless you understand the security implications.
 * @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity
- * using certificate revocation lists.
+ * using certificate revocation lists or the available OCSP data.
 *
 * Enumeration of different certificate verify flags.
 */
-- 
2.11.4.GIT
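Review bot: The new early `goto skip_ocsp` in the third gnutls_x509.c hunk bypasses the OCSP evaluation while `ocsp_status` keeps its initial value of 0, so if the code after the `skip_ocsp:` label (outside this hunk) derives status flags from `ocsp_status`, a policy-disabled check will presumably look the same to callers as "no OCSP data was available"; confirm that this is the intended reporting. The jump reaches `skip_ocsp` in the same state as the existing `if (ret < 0) goto skip_ocsp;` path, so no new cleanup hazard is introduced. Because the flag's name still says CRL while it now also suppresses OCSP, a short comment at the jump would help future readers: `/* DISABLE_CRL_CHECKS turns off all revocation checking, OCSP included */`. `_gnutls_x509_cert_verify_peers` starts and ends outside these hunks.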