]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Key usage violations are allowed when the COMPAT keyword is specified.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 15 Sep 2012 18:21:02 +0000 (20:21 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 15 Sep 2012 18:21:06 +0000 (20:21 +0200)
I've noticed in the SSL observatory data that most key usage bits in
a certificate are set randomly (e.g., there are DSA certificates marked
for encryption, and most RSA certificates marked for signature only are used
for encryption anyway). There is no point of being strict in such environment.

lib/gnutls_int.h
lib/gnutls_priority.c
lib/gnutls_sig.c

index 7ec43afca4d372d0671aa843d6c6541c3229571f..11c099d44f1c0475cba33c73fd83f61628e4ec46 100644 (file)
@@ -588,6 +588,7 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
+  unsigned int allow_key_usage_violation:1;
   unsigned int additional_verify_flags;
 };
 
index 091780e13d376388416dc8b5b8413418648c78e9..decd6d507f91768deb196eee887c21b4ed22e3e3 100644 (file)
@@ -980,6 +980,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_padding = 1;
               (*priority_cache)->allow_large_records = 1;
+              (*priority_cache)->allow_key_usage_violation = 1;
             }
           else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0)
             {
index 256ca1c92394d87d8b7de99316f77099ccb12e7e..4ba1527be3b800460e4081bb747192d793619bb3 100644 (file)
@@ -184,7 +184,10 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
         if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            return GNUTLS_E_KEY_USAGE_VIOLATION;
+            if (session->internals.priorities.allow_key_usage_violation == 0)
+              return GNUTLS_E_KEY_USAGE_VIOLATION;
+            else
+              _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
           }
 
       /* External signing. Deprecated. To be removed. */
@@ -256,7 +259,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
     if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
+        if (session->internals.priorities.allow_key_usage_violation == 0)
+          return GNUTLS_E_KEY_USAGE_VIOLATION;
+        else
+          _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)