diff --git a/CHANGES b/CHANGES index 4874d87bd99e16db554a1fe787c7d3b5e7340b26..3f55f9cc9dc171f850384c5e3d0475f743336558 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Fix for SSL server purpose checking. Server checking was + rejecting certificates which had extended key usage present + but no ssl client purpose. + [Steve Henson, reported by Rene Grosser ] + *) Make PKCS#12 code work with no password. The PKCS#12 spec is a little unclear about how a blank password is handled. Since the password in encoded as a BMPString with terminating diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 5594a1d64f9b257479e11bc4d941910eff37294c..7b4055f1fa299957cae4a2730f57dff8159632e9 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -64,6 +64,7 @@ static void x509v3_cache_extensions(X509 *x); static int ca_check(X509 *x); +static int check_ssl_ca(X509 *x); static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca); static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca); static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca); @@ -356,22 +357,26 @@ static int ca_check(X509 *x) } } +/* Check SSL CA: common checks for SSL client and server */ +static int check_ssl_ca(X509 *x) +{ + int ca_ret; + ca_ret = ca_check(x); + if(!ca_ret) return 0; + /* check nsCertType if present */ + if(x->ex_flags & EXFLAG_NSCERT) { + if(x->ex_nscert & NS_SSL_CA) return ca_ret; + return 0; + } + if(ca_ret != 2) return ca_ret; + else return 0; +} + static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca) { if(xku_reject(x,XKU_SSL_CLIENT)) return 0; - if(ca) { - int ca_ret; - ca_ret = ca_check(x); - if(!ca_ret) return 0; - /* check nsCertType if present */ - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_SSL_CA) return ca_ret; - return 0; - } - if(ca_ret != 2) return ca_ret; - else return 0; - } + if(ca) return check_ssl_ca(x); /* We need to do digital signatures with it */ if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; /* nsCertType if present should allow SSL client use */ @@ -382,8 +387,7 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca) static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca) { if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; - /* Otherwise same as SSL client for a CA */ - if(ca) return check_purpose_ssl_client(xp, x, 1); + if(ca) return check_ssl_ca(x); if(ns_reject(x, NS_SSL_SERVER)) return 0; /* Now as for keyUsage: we'll at least need to sign OR encipher */