Re: [libvirt] [PATCH] Fix TLS tests with gnutls 3

Monday, 4 March 2013

...
 When given a CA cert with basic constraints to set non-critical,
 and key usage of 'key signing', this should be rejected. Version
 of GNUTLS < 3 do not rejecte it though, so we never noticed the
 test case was broken

 Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt;
 --- 
...
 +    /* Technically a CA cert with basic constraints
 +     * key purpose == key signing + non-critical should
 +     * be rejected. GNUTLS < 3 does not reject it and
 +     * we don't anticipate them changing this behaviour
 +     */
 +# if GNUTLS_VERSION_MAJOR >= 3
 +    DO_CTX_TEST(true, cacert5req, servercertreq, true);
 +# else
 +    DO_CTX_TEST(true, cacert5req, servercertreq, false);
 +# endif 
To avoid the #if, you could write this as:

    DO_CTX_TEST(true, cacert5req, servercertreq,
                GNUTLS_VERSION_MAJOR >= 3);

ACK with that tweak.

-- 
Eric Blake   eblake(a)redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH] Fix TLS tests with gnutls 3