generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add new "valid_flags" field to CERT_PKEY structure which determines what

Browse Source 
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
This commit is contained in:
Dr. Stephen Henson
2012-06-28 12:45:49 +00:00
parent be681e123c
commit d61ff83be9
8 changed files with 258 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/ssl_cert.c
View File

@@ -334,6 +334,7 @@ CERT *ssl_cert_dup(CERT *cert)
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
}
}
rpk->valid_flags = 0;
if (cert->pkeys[i].authz != NULL)
{
/* Just copy everything. */
@@ -376,6 +377,8 @@ CERT *ssl_cert_dup(CERT *cert)
/* Shared sigalgs also NULL */
ret->shared_sigalgs = NULL;
ret->cert_flags = cert->cert_flags;
return(ret);
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
@@ -428,6 +431,7 @@ void ssl_cert_clear_certs(CERT *c)
if (cpk->authz != NULL)
OPENSSL_free(cpk->authz);
#endif
cpk->valid_flags = 0;
}
}