Commit 0cb957a6 authored by Dr. Stephen Henson

Fix for SSL server purpose checking

parent a331a305
+5 −0
@@ -4,6 +4,11 @@


 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]


  *) Fix for SSL server purpose checking. Server checking was
     rejecting certificates which had extended key usage present
     but no ssl client purpose.
     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]

  *) Make PKCS#12 code work with no password. The PKCS#12 spec
  *) Make PKCS#12 code work with no password. The PKCS#12 spec
     is a little unclear about how a blank password is handled.
     is a little unclear about how a blank password is handled.
     Since the password in encoded as a BMPString with terminating
     Since the password in encoded as a BMPString with terminating
+18 −14
@@ -64,6 +64,7 @@
static void x509v3_cache_extensions(X509 *x);
static void x509v3_cache_extensions(X509 *x);


static int ca_check(X509 *x);
static int ca_check(X509 *x);
static int check_ssl_ca(X509 *x);
static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
@@ -356,11 +357,9 @@ static int ca_check(X509 *x)
	}
	}
}
}



/* Check SSL CA: common checks for SSL client and server */
static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
static int check_ssl_ca(X509 *x)
{
{
	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
	if(ca) {
	int ca_ret;
	int ca_ret;
	ca_ret = ca_check(x);
	ca_ret = ca_check(x);
	if(!ca_ret) return 0;
	if(!ca_ret) return 0;
@@ -372,6 +371,12 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
	if(ca_ret != 2) return ca_ret;
	if(ca_ret != 2) return ca_ret;
	else return 0;
	else return 0;
}
}
	

static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
	if(ca) return check_ssl_ca(x);
	/* We need to do digital signatures with it */
	/* We need to do digital signatures with it */
	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
	/* nsCertType if present should allow SSL client use */	
	/* nsCertType if present should allow SSL client use */	
@@ -382,8 +387,7 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
{
{
	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
	/* Otherwise same as SSL client for a CA */
	if(ca) return check_ssl_ca(x);
	if(ca) return check_purpose_ssl_client(xp, x, 1);


	if(ns_reject(x, NS_SSL_SERVER)) return 0;
	if(ns_reject(x, NS_SSL_SERVER)) return 0;
	/* Now as for keyUsage: we'll at least need to sign OR encipher */
	/* Now as for keyUsage: we'll at least need to sign OR encipher */