From: Nikos Mavrogiannopoulos
Date: Fri, 14 Aug 2015 10:14:55 +0000 (+0200)
Subject: Enable key usage checks in the client side of RSA ciphersuites
X-Git-Tag: gnutls_3_5_0~733
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e46646edefa793dc43d40033c0d2d52ce2f1040;p=thirdparty%2Fgnutls.git

Enable key usage checks in the client side of RSA ciphersuites
---

diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index e43b296871..d8d0edf29a 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -62,6 +62,25 @@ const mod_auth_st rsa_auth_struct = {
 _gnutls_proc_cert_cert_req /* proc server cert request */
 };
 
+static
+int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
+{
+ if (key_usage != 0) {
+ if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) && !(key_usage & GNUTLS_KEY_KEY_AGREEMENT)) {
+ gnutls_assert();
+ if (session->internals.priorities.allow_key_usage_violation == 0) {
+ _gnutls_audit_log(session,
+ "Peer's certificate does not allow encryption. Key usage violation detected.\n");
+ return GNUTLS_E_KEY_USAGE_VIOLATION;
+ } else {
+ _gnutls_audit_log(session,
+ "Peer's certificate does not allow encryption. Key usage violation detected (ignored).\n");
+ }
+ }
+ }
+ return 0;
+}
+
 /* This function reads the RSA parameters from peer's certificate;
 */
 int
@@ -70,6 +89,7 @@ _gnutls_get_public_rsa_params(gnutls_session_t session,
 {
 int ret;
 cert_auth_info_t info;
+ unsigned key_usage;
 gnutls_pcert_st peer_cert;
 
 /* normal non export case */
@@ -91,6 +111,14 @@ _gnutls_get_public_rsa_params(gnutls_session_t session,
 return ret;
 }
 
+ gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);
+
+ ret = check_key_usage_for_enc(session, key_usage);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup2;
+ }
+
 gnutls_pk_params_init(params);
 
 ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, params);
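Review bot: In `check_key_usage_for_enc` the condition accepts `GNUTLS_KEY_KEY_AGREEMENT` as sufficient for RSA key transport, which is looser than the TLS 1.2 rule (RFC 5246 §7.4.2) that an RSA key-exchange certificate with a key usage extension must assert keyEncipherment. If the leniency is deliberate for interoperability, say so in a comment above the function, e.g. `/* keyAgreement is tolerated for interoperability; key_usage == 0 is treated as unrestricted */`. Otherwise narrow the test to `if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {`. The comment should also record that `key_usage == 0` skips the check entirely (presumably meaning the extension is absent; confirm against `gnutls_pubkey_get_key_usage`), because that is the fail-open path a later reader most needs to see.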
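Review bot: The return value of `gnutls_pubkey_get_key_usage()` is discarded in the third hunk, and `key_usage` is declared without an initializer in the second hunk, so if the call fails `check_key_usage_for_enc` runs on an indeterminate value. Check the result and fail closed: `ret = gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);` followed by `if (ret < 0) { gnutls_assert(); goto cleanup2; }`. Initializing `key_usage` to 0 instead would silently skip the check, since 0 is the value the helper treats as unrestricted. The `cleanup2` label and the rest of `_gnutls_get_public_rsa_params` lie outside the hunk, so confirm that path releases `peer_cert` before `params` has been initialized.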