author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-07 21:57:45 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-07 21:57:45 +0100 |
commit | 16d365ab359436651deb35a8ec6cdc0e76c077d9 (patch) | |
tree | e18fd5271a88e7947a194c3b4c3d3b01976a7aec | |
parent | a00ddedbd3d2103bd28d8077af2a5e165cb62002 (diff) | |
download | gnutls-16d365ab359436651deb35a8ec6cdc0e76c077d9.tar.gz |
Tolerate key usage violation.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/gnutls_int.h | 1 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 1 | ||||
-rw-r--r-- | lib/gnutls_sig.c | 10 |
4 files changed, 5 insertions, 10 deletions
@@ -4,6 +4,9 @@ See the end for copying conditions.
 * Version 3.0.26 (unreleased)
+** libgnutls: Always tolerate key usage violation errors from the side
+of the peer, but also notify via an audit message.
+
 ** libgnutls: gnutls_x509_crl_verify() includes the time checks.
 ** libgnutls: Increased maximum password length in the PKCS #12
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 414a2003b7..437da73452 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -585,7 +585,6 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
-  unsigned int allow_key_usage_violation:1;
   /* Whether stateless compression will be used */
   unsigned int stateless_compression:1;
   unsigned int additional_verify_flags;
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 6a39294748..b4b682679e 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -911,7 +911,6 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_padding = 1;
               (*priority_cache)->allow_large_records = 1;
-              (*priority_cache)->allow_key_usage_violation = 1;
             }
           else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0)
             {
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 7c7b64eaec..c6a0f166c3 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -221,10 +221,7 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
   if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
     {
       gnutls_assert ();
-      if (session->internals.priorities.allow_key_usage_violation == 0)
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
-      else
-        _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+      _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
     }
   /* External signing. Deprecated. To be removed. */
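Review bot: The new audit message in sign_tls_hash attributes the missing digitalSignature bit to the peer's certificate, but sign_tls_hash is the side that produces a signature, so the certificate whose key_usage was checked is presumably the local one, not the peer's (the function begins before this hunk, so where key_usage comes from is not visible here). An operator reading the audit log would be pointed at the wrong party when debugging a misissued server certificate. Suggest `_gnutls_audit_log(session, "Our certificate does not allow digital signatures. Key usage violation detected (ignored).\n");` or, if ownership cannot be stated safely, keep the neutral wording of the line this hunk removes. Note also that with the priority bit gone this log line is the only remaining signal that a constrained key was used for signing.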
@@ -296,10 +293,7 @@ verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_pcert_s
   if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
     {
       gnutls_assert ();
-      if (session->internals.priorities.allow_key_usage_violation == 0)
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
-      else
-        _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+      _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
     }
   if (pk_algo == GNUTLS_PK_UNKNOWN)
|
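Review bot: With the allow_key_usage_violation bit removed, verify_tls_hash now accepts a handshake signature from a peer certificate whose keyUsage omits digitalSignature unconditionally, so a CA's decision to restrict a key to, e.g., keyEncipherment is reduced to an audit entry and an application that relied on GNUTLS_E_KEY_USAGE_VIOLATION has no way left to get it back. If tolerance is needed for interoperability, it would be safer to make it opt-in (keep the flag, default strict) or to expose a strict mode through the verification flags already carried in the same struct (`additional_verify_flags`, visible in the gnutls_int.h hunk) rather than deleting the check outright. At minimum the decision deserves a comment at the new log call, e.g. `/* Tolerated for interoperability: many deployed certificates omit digitalSignature; only an audit entry is emitted. */`. The audit message is presumably only seen when the application has installed an audit log callback, which cannot be confirmed from here. verify_tls_hash continues past the end of this hunk.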