[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-18-g1680962
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-18-g1680962 |
Date: |
Sat, 15 Sep 2012 18:24:19 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=16809623d2e9a10097124fe1153213cd19321695
The branch, gnutls_3_1_x has been updated
via 16809623d2e9a10097124fe1153213cd19321695 (commit)
via 6e4fad12db1d80fa8a64e2123f2b9c19e237f8da (commit)
via 15c63ccb168a9459ea3fa1d554b5bc0e63c0f9d1 (commit)
from cc24cc4d66e79df77e4d67f796d22700fa5a9df2 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 16809623d2e9a10097124fe1153213cd19321695
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 20:24:12 2012 +0200
documented update
commit 6e4fad12db1d80fa8a64e2123f2b9c19e237f8da
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 20:21:02 2012 +0200
Key usage violations are allowed when the COMPAT keyword is specified.
I've noticed in the SSL observatory data that most key usage bits in
a certificate are set randomly (e.g., there are DSA certificates marked
for encryption, and most RSA certificates marked for signature only are used
for encryption anyway). There is no point in being strict in such an
environment.
commit 15c63ccb168a9459ea3fa1d554b5bc0e63c0f9d1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 20:13:39 2012 +0200
Do not ask unnecessary questions when signing a certificate (request).
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +++
lib/gnutls_int.h | 1 +
lib/gnutls_priority.c | 1 +
lib/gnutls_sig.c | 10 ++++++++--
src/certtool.c | 30 +++++++++++++++++++-----------
5 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/NEWS b/NEWS
index 5b845ff..7cbe240 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ of certificates in the windows platform.
** libgnutls: Better mingw32 support (patch by LRN).
+** libgnutls: The %COMPAT keyword, if specified, will tolerate
+key usage violation errors (they are far too common to ignore).
+
** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(),
which provides a tool to counter compression-related attacks where
parts of the data are controlled by the attacker.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 02241a8..a120426 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -586,6 +586,7 @@ struct gnutls_priority_st
safe_renegotiation_t sr;
unsigned int ssl3_record_version:1;
unsigned int server_precedence:1;
+ unsigned int allow_key_usage_violation:1;
unsigned int additional_verify_flags;
};
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 091780e..decd6d5 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -980,6 +980,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
{
(*priority_cache)->no_padding = 1;
(*priority_cache)->allow_large_records = 1;
+ (*priority_cache)->allow_key_usage_violation = 1;
}
else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0)
{
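Review bot: Setting `allow_key_usage_violation` inside this existing branch means every application that already passes this keyword loses key-usage enforcement on upgrade, without any change to its priority string. The two neighbouring flags relax record padding and record size, whereas this one relaxes a certificate check, which is a different class of trade-off. A dedicated priority keyword would keep the relaxation opt-in; failing that, a comment here such as `/* also tolerates a missing digitalSignature key usage; see sign_tls_hash/verify_tls_hash */` and a matching line in the priority-string documentation would make the effect visible. The branch condition is above the hunk; that it is the %COMPAT keyword is taken from the NEWS entry in this push.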
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 256ca1c..4ba1527 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -184,7 +184,10 @@ sign_tls_hash (gnutls_session_t session,
gnutls_digest_algorithm_t hash_algo,
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- return GNUTLS_E_KEY_USAGE_VIOLATION;
+ if (session->internals.priorities.allow_key_usage_violation == 0)
+ return GNUTLS_E_KEY_USAGE_VIOLATION;
+ else
+ _gnutls_audit_log(session, "Key usage violation was detected
(ignored).\n");
}
/* External signing. Deprecated. To be removed. */
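Review bot: The audit message `Key usage violation was detected (ignored).` does not say which usage bit was missing or that the key is the local signing key, and the verify_tls_hash hunk logs the identical string for the peer's certificate. An operator reading the audit log therefore cannot tell the two cases apart; a message such as `"Signing with a key not marked for digitalSignature (ignored).\n"` here, with a peer-specific variant in the other hunk, would make it actionable. The new `if`/`else` is also unbraced, so bracing both arms would guard against a statement later being added to one of them. sign_tls_hash begins and ends outside the hunk.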
@@ -256,7 +259,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st*
cert,
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- return GNUTLS_E_KEY_USAGE_VIOLATION;
+ if (session->internals.priorities.allow_key_usage_violation == 0)
+ return GNUTLS_E_KEY_USAGE_VIOLATION;
+ else
+ _gnutls_audit_log(session, "Key usage violation was detected
(ignored).\n");
}
if (pk_algo == GNUTLS_PK_UNKNOWN)
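Review bot: `session` may not be in scope in verify_tls_hash: the hunk header shows its parameter list starting `gnutls_protocol_t ver, gnutls_pcert_st* cert,`, and the diffstat for lib/gnutls_sig.c is fully accounted for by the eight added lines in these two hunks, so the signature is not changed by this push. Unless a later parameter or a local of that name exists outside the hunk, the added lines will not compile and the function needs a `gnutls_session_t session` parameter with its callers updated. Separately, the certificate checked on this path belongs to the peer, so with the flag set a certificate not marked for digitalSignature is accepted for handshake signatures. That deserves a comment above the check, e.g. `/* %COMPAT: accept peer signatures from keys not marked for digitalSignature */`.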
diff --git a/src/certtool.c b/src/certtool.c
index 1040bdc..c2952a2 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -421,9 +421,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
- if (pk != GNUTLS_PK_DSA)
- { /* DSA keys can only sign.
- */
+ if (pk == GNUTLS_PK_RSA)
+ { /* DSA and ECDSA keys can only sign. */
result = get_sign_status (server);
if (result)
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
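Review bot: The rewritten comment `/* DSA and ECDSA keys can only sign. */` now sits on the opening brace of the RSA branch, where it describes the keys that do not enter it. Wording it from the branch's point of view reads correctly: `/* Only RSA keys can be used for both signing and encryption; DSA and ECDSA keys can only sign. */`. The rest of this branch and any `else` are outside the hunk, so it cannot be confirmed from here that non-RSA keys still get `GNUTLS_KEY_DIGITAL_SIGNATURE` set as they do in generate_request. That is worth checking, because sign_tls_hash refuses a key lacking that bit unless the compatibility flag is set.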
@@ -1734,7 +1733,7 @@ generate_request (common_info_st * cinfo)
gnutls_x509_privkey_t xkey;
gnutls_pubkey_t pubkey;
gnutls_privkey_t pkey;
- int ret, ca_status, path_len;
+ int ret, ca_status, path_len, pk;
const char *pass;
unsigned int usage = 0;
@@ -1765,6 +1764,8 @@ generate_request (common_info_st * cinfo)
pubkey = load_public_key_or_import (1, pkey, cinfo);
+ pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
+
/* Set the DN.
*/
get_country_crq_set (crq);
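Review bot: The result of `gnutls_pubkey_get_pk_algorithm (pubkey, NULL)` is stored in `pk` without an error check. The function returns a negative error code on failure, and in the later hunk any value other than `GNUTLS_PK_RSA` takes the signing-only `else`, so a failure would silently produce a request marked for digital signature. Following the `error (EXIT_FAILURE, ...)` pattern visible in the next hunk, add `if (pk < 0) error (EXIT_FAILURE, 0, "pubkey_get_pk_algorithm: %s", gnutls_strerror (pk));` right after the call. generate_request begins and ends outside the hunk.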
@@ -1804,14 +1805,21 @@ generate_request (common_info_st * cinfo)
error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
gnutls_strerror (ret));
- ret = get_sign_status (1);
- if (ret)
- usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ if (pk == GNUTLS_PK_RSA)
+ {
+ ret = get_sign_status (1);
+ if (ret)
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
- ret = get_encrypt_status (1);
- if (ret)
- usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
- else
+ /* Only ask for an encryption certificate
+ * if it is an RSA one */
+ ret = get_encrypt_status (1);
+ if (ret)
+ usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+ else
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ }
+ else /* DSA and ECDSA are always signing */
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
if (ca_status)
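Review bot: In the RSA branch the answer to `get_sign_status (1)` has no effect when encryption is declined, because the inner `else` sets `GNUTLS_KEY_DIGITAL_SIGNATURE` regardless. A user who answers no to both prompts still gets a signing request. If that default is intended (it is inferred here, not shown), a comment on the inner `else` such as `/* neither usage chosen: default to signing */` would say so. The outer `else` likewise treats every non-RSA algorithm as DSA or ECDSA, which holds only if no other key type can reach this point.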
hooks/post-receive
--
GNU gnutls