Package: gnutls26 / 2.12.20-8+deb7u5

31_allow_key_usage_violation.diff Patch series | download
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Description:  
 ** libgnutls: Always tolerate key usage violation errors from the side
 of the peer, but also notify via an audit message.
. 
 Pulled from upstream GIT, combining
 http://gitorious.org/gnutls/gnutls/commit/afd6b636d1d9b079699afb0c3b20692edcf5b262
 and
 http://gitorious.org/gnutls/gnutls/commit/dbc72ae47b16c6718cb5e53d4a31205bc45d3742

--- gnutls26-2.12.20.orig/lib/gnutls_sig.c
+++ gnutls26-2.12.20/lib/gnutls_sig.c
@@ -222,7 +222,7 @@ sign_tls_hash (gnutls_session_t session,
         if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
           {
             gnutls_assert ();
-            return GNUTLS_E_KEY_USAGE_VIOLATION;
+            _gnutls_debug_log("Key usage violation was detected (ignored).\n");
           }
 
       /* External signing. */
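Review bot: The violation is now reported with `_gnutls_debug_log`, which as far as I recall only reaches the log when debug logging is switched on, whereas the patch description promises an audit message; the same applies to the identical replacement in the verify_tls_hash hunk at `@@ -292`. If this 2.12 tree already has the session-scoped audit helper, `_gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");` is the call that matches the description, and it would also give the `session` argument newly threaded into verify_tls_hash a purpose. Note also that this hunk is inside sign_tls_hash, so it relaxes the key-usage check on the local signing certificate as well, not only on the peer's as the description says; if that is intended it deserves a sentence in the description, and if not the `return GNUTLS_E_KEY_USAGE_VIOLATION;` should stay here. sign_tls_hash begins and ends outside the hunk.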
@@ -270,7 +270,7 @@ es_cleanup:
 }
 
 static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
+verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert * cert,
                     const gnutls_datum_t * hash_concat,
                     gnutls_datum_t * signature, size_t sha1pos,
                     gnutls_pk_algorithm_t pk_algo)
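Review bot: `session` is added to the parameter list of verify_tls_hash, but none of the new lines in this hunk or the following one (`@@ -292`) reference it, so the parameter is dead code and will warn under `-Wunused-parameter`. Either the new log call in the next hunk should take it (a session-scoped audit log would), or the signature and the three call-site updates further down should be left as they were. The body of verify_tls_hash lies outside this hunk, so a use elsewhere in it cannot be ruled out from here.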
@@ -292,7 +292,7 @@ verify_tls_hash (gnutls_protocol_t ver,
     if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
       {
         gnutls_assert ();
-        return GNUTLS_E_KEY_USAGE_VIOLATION;
+        _gnutls_debug_log("Key usage violation was detected (ignored).\n");
       }
 
   if (pk_algo == GNUTLS_PK_UNKNOWN)
@@ -425,7 +425,7 @@ _gnutls_handshake_verify_data (gnutls_se
       dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
     }
 
-  ret = verify_tls_hash (ver, cert, &dconcat, signature,
+  ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
                             dconcat.size -
                             _gnutls_hash_get_algo_len (hash_algo),
                             _gnutls_sign_get_pk_algorithm (algo));
@@ -490,7 +490,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gn
   dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 0,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 0,
                         cert->subject_pk_algorithm);
   if (ret < 0)
     {
@@ -581,7 +581,7 @@ _gnutls_handshake_verify_cert_vrfy (gnut
   dconcat.size = 20 + 16;       /* md5+ sha */
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 16,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
                         cert->subject_pk_algorithm);
   if (ret < 0)
     {