fix error code

[oweals/openssl.git] / crypto / x509v3 / v3_purp.c

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index e00c9ec13016f8ab21e150fa3274c839327b05cb..4b986dfc5d6163158e6d5d8a42bb3e011d1e48e1 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -1,5 +1,5 @@
 /* v3_purp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
@@ -368,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x)
 #ifndef OPENSSL_NO_SHA
        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
-       /* Does subject name match issuer ? */
-       if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                        x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
@@ -447,6 +444,10 @@ static void x509v3_cache_extensions(X509 *x)
                                case NID_dvcs:
                                x->ex_xkusage |= XKU_DVCS;
                                break;
+
+                               case NID_anyExtendedKeyUsage:
+                               x->ex_xkusage |= XKU_ANYEKU;
+                               break;
                        }
                }
                sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
@@ -460,6 +461,14 @@ static void x509v3_cache_extensions(X509 *x)
        }
        x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
        x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+       /* Does subject name match issuer ? */
+       if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+                       {
+                       x->ex_flags |= EXFLAG_SI;
+                       /* If SKID matches AKID also indicate self signed */
+                       if (X509_check_akid(x, x->akid) == X509_V_OK)
+                               x->ex_flags |= EXFLAG_SS;
+                       }
        x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
        x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
        if (!x->nc && (i != -1))
@@ -553,12 +562,18 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int c
 {
        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
        if(ca) return check_ssl_ca(x);
-       /* We need to do digital signatures with it */
-       if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
+       /* We need to do digital signatures or key agreement */
+       if(ku_reject(x,KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) return 0;
        /* nsCertType if present should allow SSL client use */ 
        if(ns_reject(x, NS_SSL_CLIENT)) return 0;
        return 1;
 }
+/* Key usage needed for TLS/SSL server: digital signature, encipherment or
+ * key agreement. The ssl code can check this more thoroughly for individual
+ * key types.
+ */
+#define KU_TLS \
+       KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT
 
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
@@ -566,8 +581,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int c
        if(ca) return check_ssl_ca(x);
 
        if(ns_reject(x, NS_SSL_SERVER)) return 0;
-       /* Now as for keyUsage: we'll at least need to sign OR encipher */
-       if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
+       if(ku_reject(x, KU_TLS)) return 0;
        
        return 1;