[sr #107489] ipsec_ike_key created in wrong code path

Micah Anderson INVALID.NOREPLY at gnu.org
Sat Oct 2 15:36:40 CEST 2010


URL:
  <http://savannah.gnu.org/support/?107489>

                 Summary: ipsec_ike_key created in wrong code path
                 Project: GnuTLS
            Submitted by: micahanderson
            Submitted on: Sat 02 Oct 2010 01:36:39 PM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

The ipsec_ike_key patch submitted in #107485 creates a certificate with the
KU flag for ipsec IKE only when the "ca" flag is set. The reason for this is
that the get_ipsec_ike_status() check in src/certtool.c:547 is wrapped inside
an if (ca_status) predicate.

This is wrong, because you should not be a CA to offer a cert for IKE. In
fact, IKE should not appear in a CA certificate, but otherwise should be
independent of any other status as it is not unreasonable to want to use such
a certificate for other things on the host, such as a WWW server.

It is for this reason I've adjusted the patch to make it fall under the if
(!ca_status || server) predicate, instead of under the if (ca_status)
predicate.

Additionally, an IKE certificate should be able to set the SubjectAltName
(i.e. dns_name parameters in the config; and ip_address parameters in the
config) v3 extensions. To achieve this I've added an is_ike check and added
the test to see if that is set along with the other checks that were
happening, and then if so add the get_dns_name_set (TYPE_CRT, crt);
get_ip_addr_set (TYPE_CRT, crt); to the cert.

Attached is a patch to the 2_10_x branch, as well as a patch to the HEAD of
master. You can also find these commits in my repository
git://labs.riseup.net/~micah/gnutls; there are two branches there, one for
2_10_x and one against master (which has been rebased against the latest
upstream commits).



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sat 02 Oct 2010 01:36:39 PM GMT  Name: ipsec_ike_gnutls_2_10_2.diff 
Size: 2kB   By: micahanderson

<http://savannah.gnu.org/support/download.php?file_id=21593>
-------------------------------------------------------
Date: Sat 02 Oct 2010 01:36:39 PM GMT  Name: ipsec_ike_gnutls_master.diff 
Size: 2kB   By: micahanderson

<http://savannah.gnu.org/support/download.php?file_id=21594>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107489>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
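As an added example, not part of the report or of GnuTLS itself: a small Python lint that decodes an extKeyUsage value from raw DER and flags the two outcomes the report argues certtool must never produce for an ipsec_ike_key certificate, the IKE purpose on a CA certificate and an IKE certificate with no SubjectAltName. GnuTLS carries the IKE purpose as the key-purpose OID 1.3.6.1.5.5.8.2.2 (GNUTLS_KP_IPSEC_IKE); the CA flag and SAN count are assumed to be already decoded by the caller, and the extension bytes below are hand-constructed rather than taken from a real certificate.

```python
# Added example (not GnuTLS code): decode an extKeyUsage extension value from
# raw DER and flag the outcomes this report says certtool must not produce.

KP_IPSEC_IKE = "1.3.6.1.5.5.8.2.2"  # id-kp-ipsecIKE; GNUTLS_KP_IPSEC_IKE in GnuTLS

def _tlv(der, pos=0):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER value (tag and length already stripped)."""
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)  # base-128; high bit means more bytes follow
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # the first two arcs are packed into one subidentifier
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, arcs + subids[1:]))

def parse_ext_key_usage(der):
    """extKeyUsage is SEQUENCE OF OBJECT IDENTIFIER; return the dotted OIDs."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(seq):
        tag, oid, pos = _tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage members must be OIDs")
        purposes.append(decode_oid(oid))
    return purposes

def lint_ike_cert(eku_der, is_ca, san_count):
    """Findings for an IKE certificate: CA flag set, or no dns_name/ip_address SAN."""
    findings = []
    if KP_IPSEC_IKE in parse_ext_key_usage(eku_der):
        if is_ca:
            findings.append("IKE key purpose on a CA certificate")
        if san_count == 0:
            findings.append("IKE certificate without any subjectAltName")
    return findings

# Constructed sample (hand-encoded DER): extKeyUsage { id-kp-ipsecIKE, id-kp-serverAuth }
EKU_IKE_AND_WWW = bytes.fromhex("3014" "06082b06010505080202" "06082b06010505070301")
```

Run against a real certificate, the two inputs would come from its basicConstraints cA flag and the number of subjectAltName entries, which is exactly the combination the adjusted patch is meant to allow (IKE plus SAN on a non-CA cert) and forbid (IKE on a CA cert).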
