X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fx509v3%2Fv3_purp.c;h=4b986dfc5d6163158e6d5d8a42bb3e011d1e48e1;hb=057c8a2b9e24b91d4e98b38bf1c91f232f065637;hp=e7cf7011604af0ea94ecbfa96686d4d19f94ac53;hpb=b1efb7161f409c81178b9aa95583db3390f90b1b;p=oweals%2Fopenssl.git

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index e7cf701160..4b986dfc5d 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -562,12 +562,18 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int c
 {
 	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
 	if(ca) return check_ssl_ca(x);
-	/* We need to do digital signatures with it */
-	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
+	/* We need to do digital signatures or key agreement */
+	if(ku_reject(x,KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) return 0;
 	/* nsCertType if present should allow SSL client use */	
 	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
 	return 1;
 }
+/* Key usage needed for TLS/SSL server: digital signature, encipherment or
+ * key agreement. The ssl code can check this more thoroughly for individual
+ * key types.
+ */
+#define KU_TLS \
+	KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT
 
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
@@ -575,8 +581,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int c
 	if(ca) return check_ssl_ca(x);
 
 	if(ns_reject(x, NS_SSL_SERVER)) return 0;
-	/* Now as for keyUsage: we'll at least need to sign OR encipher */
-	if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
+	if(ku_reject(x, KU_TLS)) return 0;
 	
 	return 1;