From 9ea5adce307f8bdfeff096e924f25957a5e1c63f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Fri, 2 Nov 2012 13:11:46 +0100
Subject: [PATCH] Added verification flag
 GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN

The default is now GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN, and
removed gnutls_certificate_update_verify_flags().
---
 NEWS                            |  5 ++++-
 lib/gnutls_cert.c               |  1 -
 lib/gnutls_ui.c                 | 19 -------------------
 lib/includes/gnutls/gnutls.h.in |  2 --
 lib/includes/gnutls/x509.h      | 28 ++++++++++++++++------------
 lib/x509/verify-high.c          |  2 +-
 tests/chainverify-unsorted.c    |  3 ++-
 7 files changed, 23 insertions(+), 37 deletions(-)

diff --git a/NEWS b/NEWS
index 72ea41a6f..ef4f7035e 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,9 @@ if check fails.
 ** libgnutls: gnutls_x509_crl_verify() includes the time
 checks.
 
+** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
+and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
+
 ** gnutls-cli: Added --local-dns option.
 
 ** danetool: Corrected bug that prevented loading PEM files.
@@ -33,7 +36,6 @@ a site's DANE data.
 
 ** API and ABI modifications:
 gnutls_session_get_id2: Added
-gnutls_certificate_update_verify_flags: Added
 gnutls_certificate_verify_peers3: Added
 gnutls_certificate_verification_status_print: Added
 gnutls_srtp_set_profile: Added
@@ -50,6 +52,7 @@ dane_verification_status_print: Added
 GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
 GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
 GNUTLS_CERT_UNEXPECTED_OWNER: Added
+GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added
 
 * Version 3.1.3 (released 2012-10-12)
 
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 21a3a5d86..8c2d27d42 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -234,7 +234,6 @@ int ret;
     }
   (*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
   (*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
-  (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 
   return 0;
 }
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 71888d405..110ebae81 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -697,25 +697,6 @@ gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
 }
 
 /**
- * gnutls_certificate_update_verify_flags:
- * @res: is a gnutls_certificate_credentials_t structure
- * @flags: are the new flags
- *
- * This function will update the default flags to be used for verification 
- * of certificates.  The provided flags must be an OR of the
- * #gnutls_certificate_verify_flags enumerations. The default
- * for TLS sessions is GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN.
- *
- * Since: 3.1.4
- **/
-void
-gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
-                                     res, unsigned int flags)
-{
-  res->verify_flags |= flags;
-}
-
-/**
  * gnutls_certificate_set_verify_limits:
  * @res: is a gnutls_certificate_credentials structure
  * @max_bits: is the number of bits of an acceptable certificate (default 8200)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 5cd3850e3..505b9929b 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1197,8 +1197,6 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
                                          gnutls_dh_params_t dh_params);
   void gnutls_certificate_set_verify_flags (gnutls_certificate_credentials_t
                                             res, unsigned int flags);
-  void gnutls_certificate_update_verify_flags (gnutls_certificate_credentials_t
-                                            res, unsigned int flags);
   void gnutls_certificate_set_verify_limits (gnutls_certificate_credentials_t
                                              res, unsigned int max_bits,
                                              unsigned int max_depth);
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 8fd32eb07..a3cf72575 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -632,7 +632,10 @@ extern "C"
  *   anyone trusted but exists in the trusted CA list do not treat it
  *   as trusted.
  * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
- *   if unsorted (the case with many TLS servers out there).
+ *   if unsorted (the case with many TLS servers out there). This is the
+ *   default since GnuTLS 3.1.4.
+ * @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
+ *   certificate chain.
  * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
  *   have version 1 (both root and intermediate). This might be
  *   dangerous since those haven't the basicConstraints
@@ -652,17 +655,18 @@ extern "C"
  */
   typedef enum gnutls_certificate_verify_flags
   {
-    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
-    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
-    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
-    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
-    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
-    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
-    GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
-    GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
+    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1<<0,
+    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 1<<1,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1<<2,
+    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1<<3,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1<<4,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 1<<5,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 1<<6,
+    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 1<<7,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1<<8,
+    GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 1<<9,
+    GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1<<10,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1<<11,
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index cf603a269..ffc973036 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -553,7 +553,7 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
     if (cert_list == NULL || cert_list_size < 1)
         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-    if (flags & GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN)
+    if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN))
       cert_list = sort_clist(sorted, cert_list, &cert_list_size);
 
     cert_list_size = shorten_clist(list, cert_list, cert_list_size);
diff --git a/tests/chainverify-unsorted.c b/tests/chainverify-unsorted.c
index 716fbd20d..354c16bd4 100644
--- a/tests/chainverify-unsorted.c
+++ b/tests/chainverify-unsorted.c
@@ -614,6 +614,7 @@ doit (void)
   unsigned int crts_size, i;
   gnutls_x509_trust_list_t tl;
   unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
+  unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;
 
   /* this must be called once in the program
    */
@@ -728,7 +729,7 @@ doit (void)
       exit(1);
     }
   
-  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+  ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, not_flags, &status, NULL);
   if (ret < 0 || status == 0)
     {
       fail("gnutls_x509_trust_list_verify_crt - 5\n");
-- 
2.11.4.GIT