On Mon, Mar 04, 2013 at 12:34:33PM -0500, Eric Blake wrote:
When given a CA cert with basic constraints to set non-critical, and key usage of 'key signing', this should be rejected. Version of GNUTLS < 3 do not rejecte it though, so we never noticed the test case was broken
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> ---
+ /* Technically a CA cert with basic constraints + * key purpose == key signing + non-critical should + * be rejected. GNUTLS < 3 does not reject it and + * we don't anticipate them changing this behaviour + */ +# if GNUTLS_VERSION_MAJOR >= 3 + DO_CTX_TEST(true, cacert5req, servercertreq, true); +# else + DO_CTX_TEST(true, cacert5req, servercertreq, false); +# endif
To avoid the #if, you could write this as:
DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
ACK with that tweak.
Ok pushed with that change & tested both gnutls 2.x and 3.x Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|