authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-12-01 09:55:51 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-12-01 09:55:54 +0100
commiteff5437cecbd4d329e91755c230d5a1666dd64ef (patch)
treef03e9574a3c350e912a35a57d828509988d1f94b
parent0ca04a5685d136c638d6574237144a1ee5c6830a (diff)
Improved messages and violation handling in signature key usage checks
This will now tolerate violations in the server certificate if %DEBUG_ALLOW_KEY_USAGE_VIOLATIONS is set.
-rw-r--r--lib/tls-sig.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/lib/tls-sig.c b/lib/tls-sig.c
index af98fba51d..53f01a570b 100644
--- a/lib/tls-sig.c
+++ b/lib/tls-sig.c
@@ -158,18 +158,29 @@ _gnutls_handshake_sign_data(gnutls_session_t session,
}
static
-int check_key_usage_for_sig(gnutls_session_t session, unsigned key_usage)
+int check_key_usage_for_sig(gnutls_session_t session, unsigned key_usage, unsigned our_cert)
{
+ const char *lstr;
+ unsigned allow_key_usage_violation;
+
+ if (our_cert) {
+ lstr = "Local";
+ allow_key_usage_violation = session->internals.priorities.allow_server_key_usage_violation;
+ } else {
+ lstr = "Peer's";
+ allow_key_usage_violation = session->internals.priorities.allow_key_usage_violation;
+ }
+
if (key_usage != 0) {
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
gnutls_assert();
- if (session->internals.priorities.allow_key_usage_violation == 0) {
+ if (likely(allow_key_usage_violation == 0)) {
_gnutls_audit_log(session,
- "Peer's certificate does not allow digital signatures. Key usage violation detected.\n");
+ "%s certificate does not allow digital signatures. Key usage violation detected.\n", lstr);
return GNUTLS_E_KEY_USAGE_VIOLATION;
} else {
_gnutls_audit_log(session,
- "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
+ "%s certificate does not allow digital signatures. Key usage violation detected (ignored).\n", lstr);
}
}
}
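Review bot: The new `our_cert` parameter of check_key_usage_for_sig and the two priority flags it selects between are undocumented, and the selection is the security-relevant part of this hunk, since it decides when a key-usage violation is tolerated instead of returning GNUTLS_E_KEY_USAGE_VIOLATION. A comment above the function along the lines of `/* our_cert: non-zero when checking the certificate this endpoint signs with; a violation is then tolerated only under the debug override, zero checks the peer's certificate */` would make the asymmetry explicit. The flag consulted for the local certificate is named allow_server_key_usage_violation, yet sign_tls_hash in the second hunk looks like the caller for every local signature; if that path is also taken for a client's own certificate, the server-named override would relax that check too, which is worth confirming and stating in the comment either way. Note also that the audit message for the ignored case now carries the same "%s certificate" prefix, so log consumers matching on "Peer's certificate" will see "Local certificate" lines as well.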
@@ -195,7 +206,7 @@ sign_tls_hash(gnutls_session_t session, const mac_entry_st * hash_algo,
if (cert != NULL) {
gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
- ret = check_key_usage_for_sig(session, key_usage);
+ ret = check_key_usage_for_sig(session, key_usage, 1);
if (ret < 0)
return gnutls_assert_val(ret);
}
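Review bot: The bare literal `1` passed as the new `our_cert` argument (and `0` in the third hunk) gives the reader no hint which certificate is being checked; a short inline note such as `ret = check_key_usage_for_sig(session, key_usage, 1 /* our_cert */);` keeps the call self-explanatory, and the same applies to the verify_tls_hash call site. Separately, the return value of gnutls_pubkey_get_key_usage on the preceding line is still not checked, so if it fails, key_usage presumably keeps whatever value it had before the call and the check proceeds on that; this predates the commit, but since the commit is reworking this path it may be worth confirming that key_usage is initialised before the call. sign_tls_hash begins before this hunk.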
@@ -228,7 +239,7 @@ verify_tls_hash(gnutls_session_t session,
gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
- ret = check_key_usage_for_sig(session, key_usage);
+ ret = check_key_usage_for_sig(session, key_usage, 0);
if (ret < 0)
return gnutls_assert_val(ret);