From 39bed15e53c233f559ed85142500712debbe7a77 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Thu, 24 May 2001 23:00:46 +0000
Subject: [PATCH] Add missing variable length cipher flag for Blowfish. Only use trust settings if either trust or reject settings are present, otherwise use compatibility mode. This stops root CAs being rejected if they have alias of keyid set.
---
 CHANGES | 7 +++++++
 crypto/evp/e_bf.c | 2 +-
 crypto/x509/x509_trs.c | 3 ++-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index e1dfac5d4d..1ff891caf7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@ Changes between 0.9.6a and 0.9.6b [XX xxx XXXX]
+ *) Fix for compatibility mode trust settings: ignore trust settings
+ unless some valid trust or reject settings are present.
+ [Steve Henson]
+
+ *) Fix for blowfish EVP: its a variable length cipher.
+ [Steve Henson]
+
 *) Fix various bugs related to DSA S/MIME verification. Handle missing parameters in DSA public key structures and return an error in the DSA routines if parameters are absent.
diff --git a/crypto/evp/e_bf.c b/crypto/evp/e_bf.c
index 72047f64da..53559b0b65 100644
--- a/crypto/evp/e_bf.c
+++ b/crypto/evp/e_bf.c
@@ -67,7 +67,7 @@ static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 const unsigned char *iv, int enc);
 IMPLEMENT_BLOCK_CIPHER(bf, bf_ks, BF, bf_ks, NID_bf, 8, 16, 8,
- 0, bf_init_key, NULL,
+ EVP_CIPH_VARIABLE_LENGTH, bf_init_key, NULL,
 EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index a7b1543461..86b3b79dcc 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
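Review bot: In crypto/evp/e_bf.c, the `16` in `NID_bf, 8, 16, 8` becomes only a default key length once `EVP_CIPH_VARIABLE_LENGTH` is set, and nothing in the hunk documents that or bounds the length a caller may choose instead. I would add a comment above the macro, for example `/* variable key length: 16 bytes is the default, callers may set another length */`, and have calling code reject lengths below its own policy minimum, since a very short Blowfish key is accepted as far as this hunk shows. bf_init_key is only declared here and its body lies outside the hunk, so confirm it passes the context's current key length (`EVP_CIPHER_CTX_key_length(ctx)`) to the key schedule rather than a constant.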
@@ -228,7 +228,8 @@ int X509_TRUST_get_trust(X509_TRUST *xp)
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
 {
- if(x->aux) return obj_trust(trust->arg1, x, flags);
+ if(x->aux && (x->aux->trust || x->aux->reject))
+ return obj_trust(trust->arg1, x, flags);
 /* we don't have any trust settings: for compatibility
 * we return trusted if it is self signed
 */
--
2.25.1
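Review bot: The new condition in trust_1oidany checks only that `x->aux->trust` or `x->aux->reject` is non-NULL, not that either list has entries, while the CHANGES entry speaks of "valid trust or reject settings". If a certificate can arrive here with an allocated but empty list (that depends on the aux parsing code, which is outside this hunk), it still goes to obj_trust and never reaches the compatibility path this commit is meant to open up. Either compare `sk_ASN1_OBJECT_num()` of each list with zero, or state the intended meaning in a comment such as `/* alias/keyid-only aux data carries no trust decision: use compatibility mode */`. The fall-through accepts any self-signed certificate, so the existing comment should also say which callers are expected to reach it. The function body continues past the end of the hunk.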