[SCM] GNU gnutls branch, gnutls_2_8_x, updated. gnutls_2_8_6-8-g6921dd7
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_8_x, updated. gnutls_2_8_6-8-g6921dd7
Date: Sat, 02 Oct 2010 21:32:55 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=6921dd790adb1cb75f0173ea312a00f291d56903
The branch, gnutls_2_8_x has been updated
via 6921dd790adb1cb75f0173ea312a00f291d56903 (commit)
from 9fec32126e86ef1d46ea3e4cd60782545e6f2d98 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6921dd790adb1cb75f0173ea312a00f291d56903
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 2 23:32:45 2010 +0200
Applied patch on IKE extension by Micah Anderson
-----------------------------------------------------------------------
Summary of changes:
src/certtool.c | 31 ++++++++++++++++++++++++-------
1 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/certtool.c b/src/certtool.c
index 5693cf2..fe694de 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -259,7 +259,7 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
size_t size;
int ret;
int client;
- int days, result, ca_status = 0, path_len;
+ int days, result, ca_status = 0, is_ike = 0, path_len;
int vers;
unsigned int usage = 0, server;
gnutls_x509_crq_t crq; /* request */
@@ -411,17 +411,18 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
}
+ is_ike = get_ipsec_ike_status ();
server = get_tls_server_status ();
+ if ((server != 0 && !proxy) || is_ike)
+ {
+ get_dns_name_set (TYPE_CRT, crt);
+ get_ip_addr_set (TYPE_CRT, crt);
+ }
+
if (server != 0)
{
result = 0;
- if (!proxy)
- {
- get_dns_name_set (TYPE_CRT, crt);
- get_ip_addr_set (TYPE_CRT, crt);
- }
-
result =
gnutls_x509_crt_set_key_purpose_oid (crt,
GNUTLS_KP_TLS_WWW_SERVER, 0);
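Review bot: In the new condition `(server != 0 && !proxy) || is_ike`, the `!proxy` guard no longer applies once `is_ike` is set, so a proxy certificate with the IKE flag now gets `get_dns_name_set` and `get_ip_addr_set` called on it, which the removed `if (!proxy)` block avoided. If that is not intended, write the test as `!proxy && (server != 0 || is_ike)`. A one-line comment above the block saying why IKE certificates need the DNS name and IP address would also help.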
@@ -453,6 +454,17 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
}
else
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+
+ if (is_ike)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_IPSEC_IKE,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
}
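Review bot: The added `if (is_ike)` block sits before the closing `}` of the enclosing block, so `GNUTLS_KP_IPSEC_IKE` is only set when that outer condition (not visible in this hunk) holds, while the previous hunk sets the DNS name and IP address on `is_ike` alone. Consider moving it next to the `GNUTLS_KP_TLS_WWW_SERVER` call so the two stay consistent. The error label `key_kp: %s` is also the same string used at the earlier failure site, so the two failures cannot be told apart in the output; a distinct label for the IKE case would fix that.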
@@ -505,6 +517,11 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
if (usage != 0)
{
+ /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
+ set, then either digitalSignature or the nonRepudiation bits in the
+ KeyUsage extension MUST for all IKE certs */
+ if (is_ike && (get_sign_status (server) != 1))
+ usage |= GNUTLS_KEY_NON_REPUDIATION;
result = gnutls_x509_crt_set_key_usage (crt, usage);
if (result < 0)
error (EXIT_FAILURE, 0, "key_usage: %s",
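Review bot: The added test `get_sign_status (server) != 1` asks the configuration again instead of looking at what is already in `usage`; the previous hunk shows `usage |= GNUTLS_KEY_DIGITAL_SIGNATURE` being set in an `else` branch, so `GNUTLS_KEY_NON_REPUDIATION` can be added to a certificate that already carries digitalSignature. Testing `!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)` would match the "either digitalSignature or nonRepudiation" rule the comment cites. The comment itself drops words after MUST; it should read along the lines of "MUST be set for all IKE certs".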
hooks/post-receive
--
GNU gnutls