From: Nikos Mavrogiannopoulos Date: Sat, 15 Sep 2012 18:21:02 +0000 (+0200) Subject: Key usage violations are allowed when the COMPAT keyword is specified. X-Git-Tag: gnutls_3_1_2~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d92572fb63e09209be3d6ed1ff47661c6b4adbe;p=thirdparty%2Fgnutls.git Key usage violations are allowed when the COMPAT keyword is specified. I've noticed in the SSL observatory data that most key usage bits in a certificate are set randomly (e.g., there are DSA certificates marked for encryption, and most RSA certificates marked for signature only are used for encryption anyway). There is no point of being strict in such environment. --- diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 7ec43afca4..11c099d44f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -588,6 +588,7 @@ struct gnutls_priority_st safe_renegotiation_t sr; unsigned int ssl3_record_version:1; unsigned int server_precedence:1; + unsigned int allow_key_usage_violation:1; unsigned int additional_verify_flags; }; diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 091780e13d..decd6d507f 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -980,6 +980,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache, { (*priority_cache)->no_padding = 1; (*priority_cache)->allow_large_records = 1; + (*priority_cache)->allow_key_usage_violation = 1; } else if (strcasecmp (&broken_list[i][1], "NO_EXTENSIONS") == 0) { diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index 256ca1c923..4ba1527be3 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -184,7 +184,10 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo, if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { gnutls_assert (); - return GNUTLS_E_KEY_USAGE_VIOLATION; + if (session->internals.priorities.allow_key_usage_violation == 0) + return GNUTLS_E_KEY_USAGE_VIOLATION; + else + _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n"); } /* External signing. Deprecated. To be removed. */ @@ -256,7 +259,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert, if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { gnutls_assert (); - return GNUTLS_E_KEY_USAGE_VIOLATION; + if (session->internals.priorities.allow_key_usage_violation == 0) + return GNUTLS_E_KEY_USAGE_VIOLATION; + else + _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n"); } if (pk_algo == GNUTLS_PK_UNKNOWN)