gnutls-commit

[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_20-4-gafd6b


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_20-4-gafd6b63
Date: Sat, 03 Nov 2012 18:15:05 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=afd6b636d1d9b079699afb0c3b20692edcf5b262

The branch, gnutls_2_12_x has been updated
       via  afd6b636d1d9b079699afb0c3b20692edcf5b262 (commit)
      from  0b9d8d6f21dad85038c6de36d8fbd56271263f64 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit afd6b636d1d9b079699afb0c3b20692edcf5b262
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Sep 15 20:21:02 2012 +0200

    Key usage violations are allowed when the COMPAT keyword is specified.
    
    I've noticed in the SSL observatory data that most key usage bits in
    a certificate are set randomly (e.g., there are DSA certificates marked
    for encryption, and most RSA certificates marked for signature only are used
    for encryption anyway). There is no point in being strict in such an
    environment.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                  |    3 +++
 lib/gnutls_int.h      |    1 +
 lib/gnutls_priority.c |    1 +
 lib/gnutls_sig.c      |   18 ++++++++++++------
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index f53e417..d824f98 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ Version 2.12.21 (unreleased)
 ** libgnutls: Backported patch to compile with libtasn1 3.0.
 Minimum libtasn1 dependency is now 2.14.
 
+** libgnutls: The %COMPAT keyword, if specified, will tolerate
+key usage violation errors (they are far too common to ignore).
+
 ** API and ABI modifications:
 No changes since last version.
 
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index cafaa91..08b006e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -447,6 +447,7 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   int ssl3_record_version:1;
   int additional_verify_flags;
+  unsigned int allow_key_usage_violation:1;
 };
 
 
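Review bot: The new bit-field `allow_key_usage_violation` is added without a comment, and its name alone does not say which check it relaxes or what sets it. I would put `/* set by %COMPAT: a certificate lacking the digitalSignature key usage bit is still accepted when signing and when verifying handshake signatures */` above it. The struct definition starts outside the hunk.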
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index bd8cb5a..a87d108 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -729,6 +729,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_padding = 1;
               (*priority_cache)->allow_large_records = 1;
+              (*priority_cache)->allow_key_usage_violation = 1;
             }
           else if (strcasecmp (&broken_list[i][1],
                                "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
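Review bot: Setting `allow_key_usage_violation` inside the COMPAT branch means an application that asks for %COMPAT only for the padding and large-record workarounds now also accepts certificates whose key usage excludes digital signatures, and as far as this hunk shows there is no way to opt out. The neighbouring `VERIFY_ALLOW_SIGN_RSA_MD5` branch shows that other verification relaxations get a keyword of their own. Giving this flag its own keyword, which COMPAT could still imply, would keep the certificate-check relaxation an explicit choice. At minimum the %COMPAT documentation should state that key usage is no longer enforced. The keyword chain starts and ends outside the hunk.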
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 9aab689..79ab38a 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -222,7 +222,10 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
         if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            return GNUTLS_E_KEY_USAGE_VIOLATION;
+            if (session->internals.priorities.allow_key_usage_violation == 0)
+              return GNUTLS_E_KEY_USAGE_VIOLATION;
+            else
+              _gnutls_debug_log("Key usage violation was detected 
(ignored).\n");
           }
 
       /* External signing. */
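Review bot: When the violation is tolerated, the only trace is a `_gnutls_debug_log` message that is word-for-word the same here in sign_tls_hash and in the verify_tls_hash hunk (`@@ -292,7 +295,10 @@`). A log therefore cannot tell whether the local certificate or the peer's certificate lacked the digitalSignature bit. I would make the two messages distinct, e.g. `_gnutls_debug_log("Key usage violation in the local certificate was detected (ignored).\n");` here and the same with "peer's certificate" in verify_tls_hash. The four duplicated lines could also move into one static helper taking `session` and `cert`, so the two paths cannot drift apart. The enclosing block of this check starts outside the hunk.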
@@ -270,7 +273,7 @@ es_cleanup:
 }
 
 static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
+verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert 
* cert,
                     const gnutls_datum_t * hash_concat,
                     gnutls_datum_t * signature, size_t sha1pos,
                     gnutls_pk_algorithm_t pk_algo)
@@ -292,7 +295,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
     if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
+        if (session->internals.priorities.allow_key_usage_violation == 0)
+          return GNUTLS_E_KEY_USAGE_VIOLATION;
+        else
+          _gnutls_debug_log("Key usage violation was detected (ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)
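Review bot: Nothing in this commit pins the strict behaviour of this check. The diffstat touches NEWS and three library files but no test, so nothing confirms that verify_tls_hash still returns `GNUTLS_E_KEY_USAGE_VIOLATION` when %COMPAT is absent. Since this is the path that evaluates the peer's certificate, a regression test with a certificate lacking the digitalSignature bit, run once with default priorities and once with %COMPAT, would guard against the relaxation leaking into the default. The enclosing condition starts outside the hunk.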
@@ -425,7 +431,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_cert * cert,
       dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
     }
 
-  ret = verify_tls_hash (ver, cert, &dconcat, signature,
+  ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
                             dconcat.size -
                             _gnutls_hash_get_algo_len (hash_algo),
                             _gnutls_sign_get_pk_algorithm (algo));
@@ -490,7 +496,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t 
session,
   dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 0,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 0,
                         cert->subject_pk_algorithm);
   if (ret < 0)
     {
@@ -581,7 +587,7 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t 
session,
   dconcat.size = 20 + 16;       /* md5+ sha */
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 16,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
                         cert->subject_pk_algorithm);
   if (ret < 0)
     {


hooks/post-receive
-- 
GNU gnutls


