]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
key usage violations are tolerated.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 7 Nov 2012 20:55:36 +0000 (21:55 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 7 Nov 2012 20:57:02 +0000 (21:57 +0100)
NEWS
lib/gnutls_int.h
lib/gnutls_sig.c

diff --git a/NEWS b/NEWS
index bb3b9eff9070e4c6fe2135db51668e813381a6cc..d31de8947beba3f45d9dbd91b36e47dd7ace83ff 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,9 @@ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
 ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
 and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
 
+** libgnutls: Always tolerate key usage violation errors from the side
+of the peer, but also notify via an audit message.
+
 ** gnutls-cli: Added --local-dns option.
 
 ** danetool: Corrected bug that prevented loading PEM files.
index bc03a8c4c4d93ec4e12cb525ba14bbc2482ab5c9..239c9b3b4445bd8216eab8728f70be137dd6d412 100644 (file)
@@ -605,7 +605,6 @@ struct gnutls_priority_st
   safe_renegotiation_t sr;
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
-  unsigned int allow_key_usage_violation:1;
   unsigned int allow_weak_keys:1;
   /* Whether stateless compression will be used */
   unsigned int stateless_compression:1;
@@ -615,7 +614,6 @@ struct gnutls_priority_st
 #define ENABLE_COMPAT(x) \
               (x)->no_padding = 1; \
               (x)->allow_large_records = 1; \
-              (x)->allow_key_usage_violation = 1; \
               (x)->allow_weak_keys = 1
 
 /* DH and RSA parameters types.
index c3665c6b76504f9c0aca7d6d7b5fc0c331edf585..f2c2db3e3f10bdfa9c2cdab524a316ceccf1ac06 100644 (file)
@@ -184,10 +184,7 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
         if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            if (session->internals.priorities.allow_key_usage_violation == 0)
-              return GNUTLS_E_KEY_USAGE_VIOLATION;
-            else
-              _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+            _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
           }
 
       /* External signing. Deprecated. To be removed. */
@@ -260,10 +257,7 @@ verify_tls_hash (gnutls_session_t session,
     if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        if (session->internals.priorities.allow_key_usage_violation == 0)
-          return GNUTLS_E_KEY_USAGE_VIOLATION;
-        else
-          _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+        _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)