gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-70-g4d92572


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-70-g4d92572
Date: Sat, 15 Sep 2012 18:22:46 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=4d92572fb63e09209be3d6ed1ff47661c6b4adbe

The branch, master has been updated
       via  4d92572fb63e09209be3d6ed1ff47661c6b4adbe (commit)
      from  5ad723cfd66c2dbb0dcb22010ca14af4f21ee710 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4d92572fb63e09209be3d6ed1ff47661c6b4adbe
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 15 20:21:02 2012 +0200

    Key usage violations are allowed when the COMPAT keyword is specified.
    
    I've noticed in the SSL observatory data that most key usage bits in
    a certificate are set randomly (e.g., there are DSA certificates marked
    for encryption, and most RSA certificates marked for signature only are used
    for encryption anyway). There is no point of being strict in such
    environment.

-----------------------------------------------------------------------

Summary of changes:
 lib/gnutls_int.h      |    1 +
 lib/gnutls_priority.c |    1 +
 lib/gnutls_sig.c      |   10 ++++++++--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 7ec43af..11c099d 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -588,6 +588,7 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
+  unsigned int allow_key_usage_violation:1;
   unsigned int additional_verify_flags;
 };
 
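Review bot: the new `allow_key_usage_violation:1` bit-field is added without a comment saying which check it relaxes or which priority keyword sets it. The neighbouring flags are short enough to be self-describing, but this one disables a certificate policy check, so a one-line comment here (for example, that it is set by the COMPAT keyword and makes the key usage test in lib/gnutls_sig.c non-fatal) would help anyone auditing the struct later.
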
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 091780e..decd6d5 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -980,6 +980,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_padding = 1;
               (*priority_cache)->allow_large_records = 1;
+              (*priority_cache)->allow_key_usage_violation = 1;
             }
           else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0)
             {
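Review bot: setting `allow_key_usage_violation = 1` in the same branch as `no_padding` and `allow_large_records` means anyone who already uses this keyword for record-layer interoperability also loses key usage enforcement after upgrading, with no way to opt out of just that part. The summary of changes touches only three files under lib/, so nothing in this commit documents the new behaviour; please describe it where the priority string keywords are documented, and consider a separate keyword so the certificate check can be relaxed independently of the record-layer workarounds.
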
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 256ca1c..4ba1527 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -184,7 +184,10 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
         if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            return GNUTLS_E_KEY_USAGE_VIOLATION;
+            if (session->internals.priorities.allow_key_usage_violation == 0)
+              return GNUTLS_E_KEY_USAGE_VIOLATION;
+            else
+              _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
           }
 
       /* External signing. Deprecated. To be removed. */
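Review bot: in `sign_tls_hash` the else branch logs "Key usage violation was detected (ignored)." and the same string is used in the `verify_tls_hash` hunk, so an audit log reader cannot tell whether the local signing key or the peer's certificate lacked `GNUTLS_KEY_DIGITAL_SIGNATURE`. Suggest distinct messages for the two paths (signing with the local key here, verifying the peer's certificate there). A minor style point: the if/else pair now sits inside the outer braces without its own, which is easy to break when another statement is added to either branch.
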
@@ -256,7 +259,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* 
cert,
     if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
+        if (session->internals.priorities.allow_key_usage_violation == 0)
+          return GNUTLS_E_KEY_USAGE_VIOLATION;
+        else
+          _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)
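
Review bot: the added lines in `verify_tls_hash` dereference `session` (`session->internals.priorities.allow_key_usage_violation` and the `_gnutls_audit_log(session, ...)` call), but the part of the prototype visible in the hunk header starts with `gnutls_protocol_t ver, gnutls_pcert_st* cert,` and shows no session parameter. Please confirm that `session` is in scope in this function; if it is not, either add it to the parameter list and update the callers, or pass the flag in explicitly. Since this is the path that accepts a peer's signature, the audit message would also be more useful if it said that the peer certificate's key usage was the one ignored.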


hooks/post-receive
-- 
GNU gnutls


