From: Nikos Mavrogiannopoulos Date: Wed, 7 Nov 2012 20:55:36 +0000 (+0100) Subject: key usage violations are tolerated. X-Git-Tag: gnutls_3_1_4~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f48ef4cf9c37338f44f92cea0c3f510ea83442ff;p=thirdparty%2Fgnutls.git key usage violations are tolerated. --- diff --git a/NEWS b/NEWS index bb3b9eff90..d31de8947b 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,9 @@ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE. ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default. +** libgnutls: Always tolerate key usage violation errors from the side +of the peer, but also notify via an audit message. + ** gnutls-cli: Added --local-dns option. ** danetool: Corrected bug that prevented loading PEM files. diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index bc03a8c4c4..239c9b3b44 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -605,7 +605,6 @@ struct gnutls_priority_st safe_renegotiation_t sr; unsigned int ssl3_record_version:1; unsigned int server_precedence:1; - unsigned int allow_key_usage_violation:1; unsigned int allow_weak_keys:1; /* Whether stateless compression will be used */ unsigned int stateless_compression:1; @@ -615,7 +614,6 @@ struct gnutls_priority_st #define ENABLE_COMPAT(x) \ (x)->no_padding = 1; \ (x)->allow_large_records = 1; \ - (x)->allow_key_usage_violation = 1; \ (x)->allow_weak_keys = 1 /* DH and RSA parameters types. diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index c3665c6b76..f2c2db3e3f 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -184,10 +184,7 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo, if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { gnutls_assert (); - if (session->internals.priorities.allow_key_usage_violation == 0) - return GNUTLS_E_KEY_USAGE_VIOLATION; - else - _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n"); + _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n"); } /* External signing. Deprecated. To be removed. */ @@ -260,10 +257,7 @@ verify_tls_hash (gnutls_session_t session, if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { gnutls_assert (); - if (session->internals.priorities.allow_key_usage_violation == 0) - return GNUTLS_E_KEY_USAGE_VIOLATION; - else - _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n"); + _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n"); } if (pk_algo == GNUTLS_PK_UNKNOWN)