Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
0cb957a6
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
8 个月 前同步成功
通知
8
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
0cb957a6
编写于
5月 04, 2000
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Fix for SSL server purpose checking
上级
a331a305
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
23 addition
and
14 deletion
+23
-14
CHANGES
CHANGES
+5
-0
crypto/x509v3/v3_purp.c
crypto/x509v3/v3_purp.c
+18
-14
未找到文件。
CHANGES
浏览文件 @
0cb957a6
...
...
@@ -4,6 +4,11 @@
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
*) Fix for SSL server purpose checking. Server checking was
rejecting certificates which had extended key usage present
but no ssl client purpose.
[Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
*) Make PKCS#12 code work with no password. The PKCS#12 spec
is a little unclear about how a blank password is handled.
Since the password in encoded as a BMPString with terminating
...
...
crypto/x509v3/v3_purp.c
浏览文件 @
0cb957a6
...
...
@@ -64,6 +64,7 @@
static
void
x509v3_cache_extensions
(
X509
*
x
);
static
int
ca_check
(
X509
*
x
);
static
int
check_ssl_ca
(
X509
*
x
);
static
int
check_purpose_ssl_client
(
X509_PURPOSE
*
xp
,
X509
*
x
,
int
ca
);
static
int
check_purpose_ssl_server
(
X509_PURPOSE
*
xp
,
X509
*
x
,
int
ca
);
static
int
check_purpose_ns_ssl_server
(
X509_PURPOSE
*
xp
,
X509
*
x
,
int
ca
);
...
...
@@ -356,22 +357,26 @@ static int ca_check(X509 *x)
}
}
/* Check SSL CA: common checks for SSL client and server */
static
int
check_ssl_ca
(
X509
*
x
)
{
int
ca_ret
;
ca_ret
=
ca_check
(
x
);
if
(
!
ca_ret
)
return
0
;
/* check nsCertType if present */
if
(
x
->
ex_flags
&
EXFLAG_NSCERT
)
{
if
(
x
->
ex_nscert
&
NS_SSL_CA
)
return
ca_ret
;
return
0
;
}
if
(
ca_ret
!=
2
)
return
ca_ret
;
else
return
0
;
}
static
int
check_purpose_ssl_client
(
X509_PURPOSE
*
xp
,
X509
*
x
,
int
ca
)
{
if
(
xku_reject
(
x
,
XKU_SSL_CLIENT
))
return
0
;
if
(
ca
)
{
int
ca_ret
;
ca_ret
=
ca_check
(
x
);
if
(
!
ca_ret
)
return
0
;
/* check nsCertType if present */
if
(
x
->
ex_flags
&
EXFLAG_NSCERT
)
{
if
(
x
->
ex_nscert
&
NS_SSL_CA
)
return
ca_ret
;
return
0
;
}
if
(
ca_ret
!=
2
)
return
ca_ret
;
else
return
0
;
}
if
(
ca
)
return
check_ssl_ca
(
x
);
/* We need to do digital signatures with it */
if
(
ku_reject
(
x
,
KU_DIGITAL_SIGNATURE
))
return
0
;
/* nsCertType if present should allow SSL client use */
...
...
@@ -382,8 +387,7 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
static
int
check_purpose_ssl_server
(
X509_PURPOSE
*
xp
,
X509
*
x
,
int
ca
)
{
if
(
xku_reject
(
x
,
XKU_SSL_SERVER
|
XKU_SGC
))
return
0
;
/* Otherwise same as SSL client for a CA */
if
(
ca
)
return
check_purpose_ssl_client
(
xp
,
x
,
1
);
if
(
ca
)
return
check_ssl_ca
(
x
);
if
(
ns_reject
(
x
,
NS_SSL_SERVER
))
return
0
;
/* Now as for keyUsage: we'll at least need to sign OR encipher */
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
