Fix for SSL server purpose checking

diff --git a/CHANGES b/CHANGES
index 4874d87bd99e16db554a1fe787c7d3b5e7340b26..3f55f9cc9dc171f850384c5e3d0475f743336558 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Fix for SSL server purpose checking. Server checking was
+     rejecting certificates which had extended key usage present
+     but no ssl client purpose.
+     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
+
   *) Make PKCS#12 code work with no password. The PKCS#12 spec
      is a little unclear about how a blank password is handled.
      Since the password in encoded as a BMPString with terminating

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 5594a1d64f9b257479e11bc4d941910eff37294c..7b4055f1fa299957cae4a2730f57dff8159632e9 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -64,6 +64,7 @@
 static void x509v3_cache_extensions(X509 *x);
 
 static int ca_check(X509 *x);
+static int check_ssl_ca(X509 *x);
 static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
 static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
 static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
@@ -356,22 +357,26 @@ static int ca_check(X509 *x)
        }
 }
 
+/* Check SSL CA: common checks for SSL client and server */
+static int check_ssl_ca(X509 *x)
+{
+       int ca_ret;
+       ca_ret = ca_check(x);
+       if(!ca_ret) return 0;
+       /* check nsCertType if present */
+       if(x->ex_flags & EXFLAG_NSCERT) {
+               if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+               return 0;
+       }
+       if(ca_ret != 2) return ca_ret;
+       else return 0;
+}
+       
 
 static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
 {
        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
-       if(ca) {
-               int ca_ret;
-               ca_ret = ca_check(x);
-               if(!ca_ret) return 0;
-               /* check nsCertType if present */
-               if(x->ex_flags & EXFLAG_NSCERT) {
-                       if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                       return 0;
-               }
-               if(ca_ret != 2) return ca_ret;
-               else return 0;
-       }
+       if(ca) return check_ssl_ca(x);
        /* We need to do digital signatures with it */
        if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
        /* nsCertType if present should allow SSL client use */ 
@@ -382,8 +387,7 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
 static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
 {
        if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
-       /* Otherwise same as SSL client for a CA */
-       if(ca) return check_purpose_ssl_client(xp, x, 1);
+       if(ca) return check_ssl_ca(x);
 
        if(ns_reject(x, NS_SSL_SERVER)) return 0;
        /* Now as for keyUsage: we'll at least need to sign OR encipher */