[sr #107489] ipsec_ike_key created in wrong code path
From: Micah Anderson
Subject: [sr #107489] ipsec_ike_key created in wrong code path
Date: Sat, 02 Oct 2010 13:36:40 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.13) Gecko/20100916 Iceweasel/3.5.13 (like Firefox/3.5.13)
URL:
<http://savannah.gnu.org/support/?107489>
Summary: ipsec_ike_key created in wrong code path
Project: GnuTLS
Submitted by: micahanderson
Submitted on: Sat 02 Oct 2010 01:36:39 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:

The ipsec_ike_key patch submitted in #107485 creates a certificate with the
KU flag for ipsec IKE only when the "ca" flag is set. The reason for this is
that the get_ipsec_ike_status() check in src/certtool.c:547 is wrapped inside
an if (ca_status) predicate.

This is wrong, because you should not be a CA to offer a cert for IKE. In
fact, IKE should not appear in a CA certificate, but otherwise should be
independent of any other status, as it is not unreasonable to want to use such
a certificate for other things on the host, such as a WWW server.

It is for this reason I've adjusted the patch to make it fall under the
if (!ca_status || server) predicate, instead of under the if (ca_status)
predicate.

Additionally, an IKE certificate should be able to set the SubjectAltName
(i.e. dns_name parameters in the config; and ip_address parameters in the
config) v3 extensions. To achieve this I've added an is_ike check and added
the test to see if that is set along with the other checks that were
happening, and then if so add the get_dns_name_set (TYPE_CRT, crt);
get_ip_addr_set (TYPE_CRT, crt); to the cert.

Attached is a patch to the 2_10_x branch, as well as a patch to the HEAD of
master. You can also find these commits in my repository,
git://labs.riseup.net/~micah/gnutls; there are two branches there, one for
2_10_x and one against master (which has been rebased against the latest
upstream commits).
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Sat 02 Oct 2010 01:36:39 PM GMT Name: ipsec_ike_gnutls_2_10_2.diff
Size: 2kB By: micahanderson
<http://savannah.gnu.org/support/download.php?file_id=21593>
-------------------------------------------------------
Date: Sat 02 Oct 2010 01:36:39 PM GMT Name: ipsec_ike_gnutls_master.diff
Size: 2kB By: micahanderson
<http://savannah.gnu.org/support/download.php?file_id=21594>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107489>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
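
The two code paths described in the report, as an added example that is not part of the original message and is not certtool's code: it models only the predicate guarding the IKE question, before (if (ca_status)) and after (if (!ca_status || server)), and enumerates every combination of answers. The struct, the function names and the treatment of the three flags as independent inputs are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* One combination of answers given to the tool. Treating the three
 * flags as independent inputs is an assumption of this model. */
struct req { bool ca_status, server, want_ike; };

/* Before: the IKE question is only reached inside if (ca_status). */
static bool ike_before(struct req r) { return r.ca_status && r.want_ike; }

/* After: the IKE question is reached inside if (!ca_status || server). */
static bool ike_after(struct req r)
{
    return (!r.ca_status || r.server) && r.want_ike;
}

static struct req from_bits(int i)
{
    struct req r = { (i & 4) != 0, (i & 2) != 0, (i & 1) != 0 };
    return r;
}

/* Count non-CA requests that asked for IKE but did not get it. */
int lost_ike_requests(bool (*flow)(struct req))
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        struct req r = from_bits(i);
        if (!r.ca_status && r.want_ike && !flow(r)) n++;
    }
    return n;
}

/* Count CA requests whose certificate ends up marked for IKE. */
int ike_on_ca(bool (*flow)(struct req))
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        struct req r = from_bits(i);
        if (r.ca_status && flow(r)) n++;
    }
    return n;
}

int main(void)
{
    printf("lost non-CA IKE requests: before=%d after=%d\n",
           lost_ike_requests(ike_before), lost_ike_requests(ike_after));
    printf("IKE on a CA certificate:  before=%d after=%d\n",
           ike_on_ca(ike_before), ike_on_ca(ike_after));
    return 0;
}
```

In this model the second predicate serves every non-CA IKE request, while the combination with ca_status and server both set still reaches the IKE question.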