From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 4 May 2000 23:03:49 +0000 (+0000)
Subject: Fix for SSL server purpose checking
X-Git-Tag: OpenSSL_0_9_5~37
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0cb957a6846dde0bee52f69c538aae5e7062ac73;p=oweals%2Fopenssl.git

Fix for SSL server purpose checking
---

diff --git a/CHANGES b/CHANGES
index 4874d87bd9..3f55f9cc9d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Fix for SSL server purpose checking. Server checking was
+     rejecting certificates which had extended key usage present
+     but no ssl client purpose.
+     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
+
   *) Make PKCS#12 code work with no password. The PKCS#12 spec
      is a little unclear about how a blank password is handled.
      Since the password in encoded as a BMPString with terminating
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 5594a1d64f..7b4055f1fa 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -64,6 +64,7 @@
 static void x509v3_cache_extensions(X509 *x);
 
 static int ca_check(X509 *x);
+static int check_ssl_ca(X509 *x);
 static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
 static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
 static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
@@ -356,22 +357,26 @@ static int ca_check(X509 *x)
 	}
 }
 
+/* Check SSL CA: common checks for SSL client and server */
+static int check_ssl_ca(X509 *x)
+{
+	int ca_ret;
+	ca_ret = ca_check(x);
+	if(!ca_ret) return 0;
+	/* check nsCertType if present */
+	if(x->ex_flags & EXFLAG_NSCERT) {
+		if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+		return 0;
+	}
+	if(ca_ret != 2) return ca_ret;
+	else return 0;
+}
+	
 
 static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
 {
 	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
-	if(ca) {
-		int ca_ret;
-		ca_ret = ca_check(x);
-		if(!ca_ret) return 0;
-		/* check nsCertType if present */
-		if(x->ex_flags & EXFLAG_NSCERT) {
-			if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-			return 0;
-		}
-		if(ca_ret != 2) return ca_ret;
-		else return 0;
-	}
+	if(ca) return check_ssl_ca(x);
 	/* We need to do digital signatures with it */
 	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
 	/* nsCertType if present should allow SSL client use */	
@@ -382,8 +387,7 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
 static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
 {
 	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
-	/* Otherwise same as SSL client for a CA */
-	if(ca) return check_purpose_ssl_client(xp, x, 1);
+	if(ca) return check_ssl_ca(x);
 
 	if(ns_reject(x, NS_SSL_SERVER)) return 0;
 	/* Now as for keyUsage: we'll at least need to sign OR encipher */