| author | miod <> | 2014-07-11 13:54:41 +0000 | 
|---|---|---|
| committer | miod <> | 2014-07-11 13:54:41 +0000 | 
| commit | ee97859e652ffea256e1a341b4a0c6603893e06a (patch) | |
| tree | 30f7190d71bee7b653346e671cbece1dd74f38ef | |
| parent | ee4da9dc358e4c53e3a18da9efc7ff567ac72167 (diff) | |
Tolerate critical AKID in CRLs; OpenSSL PR #3014 via OpenSSL trunk, and
also update the comments to reflect what the code now does.
| -rw-r--r-- | src/lib/libcrypto/asn1/x_crl.c | 15 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/asn1/x_crl.c | 15 | 
2 files changed, 16 insertions, 14 deletions
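--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: x_crl.c,v 1.18 2014/07/11 13:54:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -238,8 +238,8 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 crl->flags |= EXFLAG_INVALID;
 
 /* See if we have any unhandled critical CRL extensions and
-* indicate this in a flag. We only currently handle IDP so
-* anything else critical sets the flag.
+* indicate this in a flag. We only currently handle IDP,
+* AKID and deltas, so anything else critical sets the flag.
 *
 * This code accesses the X509_CRL structure directly:
 * applications shouldn't do this.
@@ -254,10 +254,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 if (nid == NID_freshest_crl)
 crl->flags |= EXFLAG_FRESHEST;
 if (ext->critical > 0) {
-/* We handle IDP and deltas */
-if ((nid == NID_issuing_distribution_point) ||
-(nid == NID_delta_crl))
-break;;
+/* We handle IDP, AKID and deltas */
+if (nid == NID_issuing_distribution_point ||
+nid == NID_authority_key_identifier ||
+nid == NID_delta_crl)
+break;
 crl->flags |= EXFLAG_CRITICAL;
 break;
 }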
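Review bot: The `break;` taken for a handled critical extension (new line 261) appears to end the scan rather than skip to the next extension, so once a critical IDP, AKID or delta entry is seen, no later extension is examined and a later unhandled critical extension would not set `EXFLAG_CRITICAL`. Adding AKID to the handled list widens the set of CRLs that hit this early exit. The enclosing loop header is outside the hunk, so this is inferred; if it is the per-extension loop, the handled branch should be `continue;`, leaving `break;` only after `crl->flags |= EXFLAG_CRITICAL;`. The same early exit also stops `EXFLAG_FRESHEST` being set for a freshest-CRL extension that follows. The identical hunk in src/lib/libssl/src/crypto/asn1/x_crl.c needs the same change.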
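--- a/src/lib/libssl/src/crypto/asn1/x_crl.c
+++ b/src/lib/libssl/src/crypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: x_crl.c,v 1.18 2014/07/11 13:54:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -238,8 +238,8 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 crl->flags |= EXFLAG_INVALID;
 
 /* See if we have any unhandled critical CRL extensions and
-* indicate this in a flag. We only currently handle IDP so
-* anything else critical sets the flag.
+* indicate this in a flag. We only currently handle IDP,
+* AKID and deltas, so anything else critical sets the flag.
 *
 * This code accesses the X509_CRL structure directly:
 * applications shouldn't do this.
@@ -254,10 +254,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 if (nid == NID_freshest_crl)
 crl->flags |= EXFLAG_FRESHEST;
 if (ext->critical > 0) {
-/* We handle IDP and deltas */
-if ((nid == NID_issuing_distribution_point) ||
-(nid == NID_delta_crl))
-break;;
+/* We handle IDP, AKID and deltas */
+if (nid == NID_issuing_distribution_point ||
+nid == NID_authority_key_identifier ||
+nid == NID_delta_crl)
+break;
 crl->flags |= EXFLAG_CRITICAL;
 break;
 }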
