diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-02 07:10:10 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-02-06 05:42:53 +0100 |
commit | daf6650142f63c0f602b99c92ba941ff1d9f851c (patch) | |
tree | 753847078224af18f0b43f3e240021c368203d7c /tests/cipher-neg-common.c | |
parent | 71afdf09b820180f3125eeefaeb787155e7333fc (diff) | |
download | gnutls-daf6650142f63c0f602b99c92ba941ff1d9f851c.tar.gz |
Enforce the certificate key usage restrictions on all cases
That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).
Before we would not perform any checks under TLS1.3 or when client
certificates are sent, assuming that the certificates used will always
be signing ones. However if the user sets up incorrectly a decryption
certificate we would use it for signing. This fix makes sure that an
error is returned early when these scenarios are detected.
Resolves: #690
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/cipher-neg-common.c')
-rw-r--r-- | tests/cipher-neg-common.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tests/cipher-neg-common.c b/tests/cipher-neg-common.c index bfbda8b05b..1fcd6048b3 100644 --- a/tests/cipher-neg-common.c +++ b/tests/cipher-neg-common.c @@ -54,8 +54,8 @@ static void try(test_case_st *test) gnutls_certificate_set_known_dh_params(s_cert_cred, GNUTLS_SEC_PARAM_MEDIUM); assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM) >= 0); - assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, GNUTLS_X509_FMT_PEM) >= 0); assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_localhost_rsa_sign_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM) >= 0); + assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, GNUTLS_X509_FMT_PEM) >= 0); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_cert_cred); |