Add new "valid_flags" field to CERT_PKEY structure which determines what the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. Add new "cert_flags" field to CERT structure and include a "strict mode". This enforces some TLS certificate requirements (such as only permitting certificate signature algorithms contained in the supported algorithms extension) which some implementations ignore: this option should be used with caution as it could cause interoperability issues.

commit: d61ff83be977d9622b98f61a49ab3c1ca2db78a1 [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Thu Jun 28 12:45:49 2012 +0000
committer: Dr. Stephen Henson <steve@openssl.org> Thu Jun 28 12:45:49 2012 +0000
tree: f29721e92e40eb9efc2276e1f6efbb74c591ebce
parent: be681e123c3582f7bef18ed41b5ffa4793e8c4f7 [diff] [blame]
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9d9b604..89a5131 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c

@@ -334,6 +334,7 @@
 				CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
 				}
 			}
+		rpk->valid_flags = 0;
                 if (cert->pkeys[i].authz != NULL)
 			{
 			/* Just copy everything. */
@@ -376,6 +377,8 @@
 	/* Shared sigalgs also NULL */
 	ret->shared_sigalgs = NULL;
 
+	ret->cert_flags = cert->cert_flags;
+
 	return(ret);
 	
 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
@@ -428,6 +431,7 @@
                 if (cpk->authz != NULL)
 			OPENSSL_free(cpk->authz);
 #endif
+		cpk->valid_flags = 0;
 		}
 	}
commit	d61ff83be977d9622b98f61a49ab3c1ca2db78a1	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Thu Jun 28 12:45:49 2012 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	Thu Jun 28 12:45:49 2012 +0000
tree	f29721e92e40eb9efc2276e1f6efbb74c591ebce
parent	be681e123c3582f7bef18ed41b5ffa4793e8c4f7 [diff] [blame]