authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-08 17:12:03 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-08 17:12:03 +0100
commitdbc72ae47b16c6718cb5e53d4a31205bc45d3742 (patch)
treef912bf55f09fc93fa57eb0e7bec067d5b25db264
parent4aa900a0bc8e19c0dbb1e078ca956f7ec100bc92 (diff)
tolerate key usage violation.
-rw-r--r--NEWS4
-rw-r--r--lib/gnutls_int.h1
-rw-r--r--lib/gnutls_priority.c1
-rw-r--r--lib/gnutls_sig.c10
4 files changed, 4 insertions, 12 deletions
diff --git a/NEWS b/NEWS
index d824f9887d..21e6ae7815 100644
--- a/NEWS
+++ b/NEWS
@@ -8,8 +8,8 @@ Version 2.12.21 (unreleased)
** libgnutls: Backported patch to compile with libtasn1 3.0.
Minimum libtasn1 dependency is now 2.14.
-** libgnutls: The %COMPAT keyword, if specified, will tolerate
-key usage violation errors (they are far too common to ignore).
+** libgnutls: Always tolerate key usage violation errors from the side
+of the peer, but also notify via an audit message.
** API and ABI modifications:
No changes since last version.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 08b006e10a..cafaa914b3 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -447,7 +447,6 @@ struct gnutls_priority_st
safe_renegotiation_t sr;
int ssl3_record_version:1;
int additional_verify_flags;
- unsigned int allow_key_usage_violation:1;
};
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index a87d108ff5..bd8cb5af04 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -729,7 +729,6 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
{
(*priority_cache)->no_padding = 1;
(*priority_cache)->allow_large_records = 1;
- (*priority_cache)->allow_key_usage_violation = 1;
}
else if (strcasecmp (&broken_list[i][1],
"VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 79ab38acf3..a2f38e564b 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -222,10 +222,7 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- if (session->internals.priorities.allow_key_usage_violation == 0)
- return GNUTLS_E_KEY_USAGE_VIOLATION;
- else
- _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+ _gnutls_debug_log("Key usage violation was detected (ignored).\n");
}
/* External signing. */
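Review bot: This hunk in sign_tls_hash and the matching one in verify_tls_hash below now accept a certificate lacking GNUTLS_KEY_DIGITAL_SIGNATURE unconditionally, and the only trace is a `_gnutls_debug_log` call, which is emitted only when debug logging is enabled; the NEWS entry promises an audit message, so either route this through an audit-level logger if the 2.12 branch has one, or reword NEWS to say debug log. The two messages are identical, so a log reader cannot tell whether the offending certificate is the local one (sign_tls_hash) or the peer's (verify_tls_hash), which is the case that matters for a defender; suggest `_gnutls_debug_log("Key usage violation in peer's certificate was detected (ignored).\n");` in the verify hunk. Dropping the `allow_key_usage_violation` field also removes the only way an application could opt into strict enforcement; if that is intentional, a comment at the verify site such as `/* Peer certificates without the digitalSignature usage bit are too common to reject; log and proceed. */` would record the policy for the next maintainer. Both enclosing functions start and end outside the hunks.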
@@ -295,10 +292,7 @@ verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert *
if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- if (session->internals.priorities.allow_key_usage_violation == 0)
- return GNUTLS_E_KEY_USAGE_VIOLATION;
- else
- _gnutls_debug_log("Key usage violation was detected (ignored).\n");
+ _gnutls_debug_log("Key usage violation was detected (ignored).\n");
}
if (pk_algo == GNUTLS_PK_UNKNOWN)