
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-18-g1680962


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-18-g1680962
Date: Sat, 15 Sep 2012 18:24:19 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=16809623d2e9a10097124fe1153213cd19321695

The branch, gnutls_3_1_x has been updated
       via  16809623d2e9a10097124fe1153213cd19321695 (commit)
       via  6e4fad12db1d80fa8a64e2123f2b9c19e237f8da (commit)
       via  15c63ccb168a9459ea3fa1d554b5bc0e63c0f9d1 (commit)
      from  cc24cc4d66e79df77e4d67f796d22700fa5a9df2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 16809623d2e9a10097124fe1153213cd19321695
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 15 20:24:12 2012 +0200

    documented update

commit 6e4fad12db1d80fa8a64e2123f2b9c19e237f8da
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 15 20:21:02 2012 +0200

    Key usage violations are allowed when the COMPAT keyword is specified.
    
    I've noticed in the SSL observatory data that most key usage bits in
    a certificate are set randomly (e.g., there are DSA certificates marked
    for encryption, and most RSA certificates marked for signature only are used
    for encryption anyway). There is no point in being strict in such an
    environment.

commit 15c63ccb168a9459ea3fa1d554b5bc0e63c0f9d1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 15 20:13:39 2012 +0200

    Do not ask unnecessary questions when signing a certificate (request).

-----------------------------------------------------------------------

Summary of changes:
 NEWS                  |    3 +++
 lib/gnutls_int.h      |    1 +
 lib/gnutls_priority.c |    1 +
 lib/gnutls_sig.c      |   10 ++++++++--
 src/certtool.c        |   30 +++++++++++++++++++-----------
 5 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/NEWS b/NEWS
index 5b845ff..7cbe240 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ of certificates in the windows platform.
 
 ** libgnutls: Better mingw32 support (patch by LRN).
 
+** libgnutls: The %COMPAT keyword, if specified, will tolerate
+key usage violation errors (they are far too common to ignore).
+
 ** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(),
 which provides a tool to counter compression-related attacks where
 parts of the data are controlled by the attacker.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 02241a8..a120426 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -586,6 +586,7 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
+  unsigned int allow_key_usage_violation:1;
   unsigned int additional_verify_flags;
 };
 
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 091780e..decd6d5 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -980,6 +980,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_padding = 1;
               (*priority_cache)->allow_large_records = 1;
+              (*priority_cache)->allow_key_usage_violation = 1;
             }
           else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0)
             {
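Review bot: The added `allow_key_usage_violation = 1` rides along with `no_padding` and `allow_large_records`, so an application that chose this keyword only for record-layer interoperability also loses key usage enforcement on certificates, with no way to opt out. Judging from the NEWS entry this is the %COMPAT branch, though its condition lies outside the hunk. A comment on the new line such as `/* also tolerate certificates whose key usage forbids signing; see gnutls_sig.c */` would make the coupling visible, and the %COMPAT description in the priority-string documentation should mention it. A separate priority keyword for the key usage relaxation would let callers keep strict checking while retaining the other compatibility settings.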
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 256ca1c..4ba1527 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -184,7 +184,10 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
         if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            return GNUTLS_E_KEY_USAGE_VIOLATION;
+            if (session->internals.priorities.allow_key_usage_violation == 0)
+              return GNUTLS_E_KEY_USAGE_VIOLATION;
+            else
+              _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
           }
 
       /* External signing. Deprecated. To be removed. */
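Review bot: The audit message added in sign_tls_hash is identical to the one added in verify_tls_hash (second hunk of this file), so a log reader cannot tell a misuse of the local key from a peer certificate that was accepted despite its key usage. Distinct texts would help, e.g. `"Signing with a key whose usage forbids digital signatures (ignored).\n"` here and `"Peer certificate key usage forbids digital signatures (ignored).\n"` in verify_tls_hash. Both functions begin and end outside their hunks.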
@@ -256,7 +259,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* 
cert,
     if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
+        if (session->internals.priorities.allow_key_usage_violation == 0)
+          return GNUTLS_E_KEY_USAGE_VIOLATION;
+        else
+          _gnutls_audit_log(session, "Key usage violation was detected 
(ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)
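Review bot: The new condition in verify_tls_hash reads `session->internals.priorities.allow_key_usage_violation`, but the hunk header shows the function's parameters starting with `gnutls_protocol_t ver, gnutls_pcert_st* cert` and no `session` is visible. The remainder of the parameter list is outside the hunk, so this may be fine, but if the function does not receive a session the file will not compile. In that case the signature and its callers need a `gnutls_session_t session` argument added in the same commit.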
diff --git a/src/certtool.c b/src/certtool.c
index 1040bdc..c2952a2 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -421,9 +421,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
 
           pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
 
-          if (pk != GNUTLS_PK_DSA)
-            {                   /* DSA keys can only sign.
-                                 */
+          if (pk == GNUTLS_PK_RSA)
+            { /* DSA and ECDSA keys can only sign. */
               result = get_sign_status (server);
               if (result)
                 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
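Review bot: The comment `/* DSA and ECDSA keys can only sign. */` now sits inside the `pk == GNUTLS_PK_RSA` branch, where it describes the keys that never reach this code. Something like `/* Only RSA keys can also encrypt; DSA and ECDSA keys can only sign. */` placed above the `if` would read correctly. The body of the branch continues past the end of the hunk.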
@@ -1734,7 +1733,7 @@ generate_request (common_info_st * cinfo)
   gnutls_x509_privkey_t xkey;
   gnutls_pubkey_t pubkey;
   gnutls_privkey_t pkey;
-  int ret, ca_status, path_len;
+  int ret, ca_status, path_len, pk;
   const char *pass;
   unsigned int usage = 0;
 
@@ -1765,6 +1764,8 @@ generate_request (common_info_st * cinfo)
 
   pubkey = load_public_key_or_import (1, pkey, cinfo);
 
+  pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
+
   /* Set the DN.
    */
   get_country_crq_set (crq);
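Review bot: The result of `gnutls_pubkey_get_pk_algorithm (pubkey, NULL)` is stored in `pk` without a check, and that function returns a negative error code on failure. With the later `if (pk == GNUTLS_PK_RSA)` test in this function (last hunk of this file), a failure is treated like a DSA/ECDSA key and the request is silently marked for signing only. A guard in the style the file already uses would catch it: `if (pk < 0) error (EXIT_FAILURE, 0, "get_pk_algorithm: %s", gnutls_strerror (pk));`. generate_request begins and ends outside the hunk.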
@@ -1804,14 +1805,21 @@ generate_request (common_info_st * cinfo)
         error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
                gnutls_strerror (ret));
 
-      ret = get_sign_status (1);
-      if (ret)
-        usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+      if (pk == GNUTLS_PK_RSA)
+        {
+          ret = get_sign_status (1);
+          if (ret)
+            usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
 
-      ret = get_encrypt_status (1);
-      if (ret)
-        usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
-      else
+          /* Only ask for an encryption certificate
+           * if it is an RSA one */
+          ret = get_encrypt_status (1);
+          if (ret)
+            usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+          else
+            usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+        }
+      else /* DSA and ECDSA are always signing */
         usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
 
       if (ca_status)


hooks/post-receive
-- 
GNU gnutls


