[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-396-ge468763
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-396-ge468763
Date: Sat, 02 Oct 2010 21:30:21 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e468763b03ec470c1aec999efbc5b74821e4457f
The branch, master has been updated
via e468763b03ec470c1aec999efbc5b74821e4457f (commit)
from 256f3817f97398d89f59d20b654445b07eab6cdc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e468763b03ec470c1aec999efbc5b74821e4457f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Oct 2 23:30:08 2010 +0200
Applied patch on IKE extension by Micah Anderson
-----------------------------------------------------------------------
Summary of changes:
src/certtool.c | 43 ++++++++++++++++++++++++-------------------
1 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/src/certtool.c b/src/certtool.c
index e4fbb75..794a0d6 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -361,7 +361,7 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
size_t size;
int ret;
int client;
- int days, result, ca_status = 0, path_len;
+ int days, result, ca_status = 0, is_ike = 0, path_len;
int vers;
unsigned int usage = 0, server;
gnutls_x509_crq_t crq; /* request */
@@ -513,17 +513,18 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
}
+ is_ike = get_ipsec_ike_status ();
server = get_tls_server_status ();
+ if ((server != 0 && !proxy) || is_ike)
+ {
+ get_dns_name_set (TYPE_CRT, crt);
+ get_ip_addr_set (TYPE_CRT, crt);
+ }
+
if (server != 0)
{
result = 0;
- if (!proxy)
- {
- get_dns_name_set (TYPE_CRT, crt);
- get_ip_addr_set (TYPE_CRT, crt);
- }
-
result =
gnutls_x509_crt_set_key_purpose_oid (crt,
GNUTLS_KP_TLS_WWW_SERVER, 0);
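Review bot: the new condition `if ((server != 0 && !proxy) || is_ike)` drops the `!proxy` guard for IKE certificates. The removed lines (`if (!proxy) { get_dns_name_set (TYPE_CRT, crt); get_ip_addr_set (TYPE_CRT, crt); }`) never prompted for DNS names or IP addresses on a proxy certificate, but with this change an IKE certificate gets them regardless of `proxy`. If that is intended it deserves a comment; if not, `if ((server != 0 || is_ike) && !proxy)` keeps the old proxy behaviour while still adding the names for IKE. Also, `result = 0;` at the top of the `if (server != 0)` block is now dead, since the next statement assigns `result` again; it can be dropped.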
@@ -555,6 +556,17 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
}
else
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+
+ if (is_ike)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_IPSEC_IKE,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
}
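Review bot: the block enclosing this hunk is not visible here, so please confirm that the new `if (is_ike)` block runs for the same set of certificates that the removed block at the old line 603 covered (that one sat after the other `key_kp` checks, immediately before `if (usage != 0)`). If the two locations are guarded by different conditions, some certificate configurations that previously received GNUTLS_KP_IPSEC_IKE will now silently lack it, and nothing in this path reports that. A one-line comment explaining why the IKE purpose OID is set at this point would help the next reader.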
@@ -603,22 +615,15 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s",
gnutls_strerror (result));
}
-
- result = get_ipsec_ike_status ();
- if (result)
- {
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_IPSEC_IKE,
- 0);
- if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s",
- gnutls_strerror (result));
- }
}
if (usage != 0)
{
+ /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
+ set, then either digitalSignature or the nonRepudiation bits in the
+ KeyUsage extension MUST for all IKE certs */
+ if (is_ike && (get_sign_status (server) != 1))
+ usage |= GNUTLS_KEY_NON_REPUDIATION;
result = gnutls_x509_crt_set_key_usage (crt, usage);
if (result < 0)
error (EXIT_FAILURE, 0, "key_usage: %s",
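Review bot: `get_sign_status (server)` is queried a second time inside `if (usage != 0)` to decide whether to add GNUTLS_KEY_NON_REPUDIATION, even though the earlier hunk already folded that answer into `usage` (`usage |= GNUTLS_KEY_DIGITAL_SIGNATURE`, set unconditionally in the `else` branch without asking). Re-querying can give a different answer from the one already recorded (and re-prompts if the helper is interactive); testing the bitmask is cheaper and consistent with both branches: `if (is_ike && !(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) usage |= GNUTLS_KEY_NON_REPUDIATION;`. The comment above it is also missing its verb: "either digitalSignature or the nonRepudiation bits in the KeyUsage extension MUST be set for all IKE certs".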
hooks/post-receive
--
GNU gnutls