OpenHarmony
Third Party Openssl
Commit 3921ded7
Authored Jan 31, 2016 by Viktor Dukhovni
Ensure correct chain depth for policy checks with DANE bare key TA
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Parent: 895c2f84
Showing 1 changed file with 19 additions and 0 deletions
crypto/x509/x509_vfy.c
...
...
@@ -1501,10 +1501,29 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
static
int
check_policy
(
X509_STORE_CTX
*
ctx
)
{
int
ret
;
if
(
ctx
->
parent
)
return
1
;
/*
* With DANE, the trust anchor might be a bare public key, not a
* certificate! In that case our chain does not have the trust anchor
* certificate as a top-most element. This comports well with RFC5280
* chain verification, since there too, the trust anchor is not part of the
* chain to be verified. In particular, X509_policy_check() does not look
* at the TA cert, but assumes that it is present as the top-most chain
* element. We therefore temporarily push a NULL cert onto the chain if it
* was verified via a bare public key, and pop it off right after the
* X509_policy_check() call.
*/
if
(
ctx
->
bare_ta_signed
&&
!
sk_X509_push
(
ctx
->
chain
,
NULL
))
{
X509err
(
X509_F_CHECK_POLICY
,
ERR_R_MALLOC_FAILURE
);
return
0
;
}
ret
=
X509_policy_check
(
&
ctx
->
tree
,
&
ctx
->
explicit_policy
,
ctx
->
chain
,
ctx
->
param
->
policies
,
ctx
->
param
->
flags
);
if
(
ctx
->
bare_ta_signed
)
sk_X509_pop
(
ctx
->
chain
);
if
(
ret
==
X509_PCY_TREE_INTERNAL
)
{
X509err
(
X509_F_CHECK_POLICY
,
ERR_R_MALLOC_FAILURE
);
return
0
;
...
...
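Review bot: the NULL pushed onto ctx->chain before X509_policy_check() is safe only while that function never dereferences the top-most chain element, and nothing in this hunk enforces that; the comment states it as an assumption. A later change to the policy code that reads the trust anchor certificate would turn this into a NULL dereference on every bare-key DANE verification. Consider recording the contract where X509_policy_check() is documented, or passing the adjusted depth explicitly instead of mutating the shared chain, so the placeholder never exists in ctx->chain. The push and pop are both gated on ctx->bare_ta_signed and the pop runs before any return that follows the call, so the chain is restored on all visible paths. The push-failure branch returns 0 after X509err() alone, matching the X509_PCY_TREE_INTERNAL branch below it; if callers rely on ctx->error to distinguish an allocation failure from a policy failure, both branches should set it.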