author | Dr. Stephen Henson <steve@openssl.org> | 2008-07-13 14:33:16 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2008-07-13 14:33:16 +0000 |
commit | 811e08a2c52ce906107b0929de5f98d7cec2e317 (patch) | |
tree | 0b2abdcbada9be1af53f3bb85d1ecbcfc9a82c30 /crypto/x509v3 | |
parent | dd6e90465dc48bff95eb6c5123dcae5cedd32cca (diff) |
Update from HEAD.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/pcy_data.c | 8 | ||||
-rw-r--r-- | crypto/x509v3/pcy_tree.c | 7 | ||||
-rw-r--r-- | crypto/x509v3/v3_purp.c | 3 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 2 |
4 files changed, 16 insertions, 4 deletions
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index 614d2b4935..4711b1ee92 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) X509_POLICY_DATA *ret; if (!policy && !id) return NULL; + if (id) + { + id = OBJ_dup(id); + if (!id) + return NULL; + } ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); if (!ret) return NULL; @@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) if (!ret->expected_policy_set) { OPENSSL_free(ret); + if (id) + ASN1_OBJECT_free(id); return NULL; } diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 4fda1d419a..aed0155c2a 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -131,7 +131,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, if (explicit_policy > 0) { explicit_policy--; - if (!(x->ex_flags & EXFLAG_SS) + if (!(x->ex_flags & EXFLAG_SI) && (cache->explicit_skip != -1) && (cache->explicit_skip < explicit_policy)) explicit_policy = cache->explicit_skip; @@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* Any matching allowed if certificate is self * issued and not the last in the chain. */ - if (!(x->ex_flags & EXFLAG_SS) || (i == 0)) + if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else @@ -310,7 +310,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, if (data == NULL) return 0; - data->qualifier_set = curr->anyPolicy->data->qualifier_set; + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; if (!level_add_node(curr, data, node, tree)) { diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b2f5cdfa05..1ef54ae9a1 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c 
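Review bot: The copy made by `OBJ_dup(id)` leaks when the `OPENSSL_malloc` immediately after the added block fails, because that `if (!ret) return NULL;` path still returns without releasing it. The commit frees the copy only on the later `expected_policy_set` failure path (second hunk of pcy_data.c). The allocation check should release it as well, `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. policy_data_new starts before and continues past this hunk, so any other early return after the dup needs the same cleanup.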
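Review bot: The new `cache->anyPolicy->qualifier_set` dereference in tree_link_any has no visible NULL check, and nothing in this hunk shows that the cache always carries an anyPolicy entry when this path runs. If the callers guarantee it, the comment should say so, e.g. `/* Curr may not have anyPolicy; cache->anyPolicy is always set on this path */`; otherwise the assignment needs a guard that fails cleanly before it. Because `POLICY_DATA_FLAG_SHARED_QUALIFIERS` marks the qualifier set as borrowed, it is also worth noting in the comment that the cache has to outlive the node data. The function body starts and ends outside the hunk.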
@@ -291,6 +291,7 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_sbgp_ipAddrBlock, /* 290 */ NID_sbgp_autonomousSysNum, /* 291 */ #endif + NID_policy_constraints, /* 401 */ NID_proxyCertInfo /* 661 */ }; @@ -325,7 +326,7 @@ static void x509v3_cache_extensions(X509 *x) #endif /* Does subject name match issuer ? */ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SS; + x->ex_flags |= EXFLAG_SI; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index db2b0482c1..a208d4b595 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) #define EXFLAG_NSCERT 0x8 #define EXFLAG_CA 0x10 +/* Really self issued not necessarily self signed */ +#define EXFLAG_SI 0x20 #define EXFLAG_SS 0x20 #define EXFLAG_V1 0x40 #define EXFLAG_INVALID 0x80 |
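Review bot: Listing `NID_policy_constraints` as supported in X509_supported_extension means a critical policyConstraints extension is no longer treated as unhandled, so the constraint is honoured only if the policy-tree code actually runs for that chain. If policy processing is optional for callers (not visible in this hunk), the entry should carry a comment to that effect, e.g. `NID_policy_constraints, /* 401: enforced only by policy tree processing */`. The new entry keeps the table in ascending NID order, which matters if the lookup outside this hunk is a binary search.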
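Review bot: `EXFLAG_SI` and `EXFLAG_SS` are both defined as 0x20 in x509v3.h, so any code that still tests `EXFLAG_SS` is really testing "subject name equals issuer name", which is how v3_purp.c sets the bit in this commit, and not a verified self-signature. The added comment sits above `EXFLAG_SI` only and does not say that `EXFLAG_SS` is kept as an alias of it. I would document the alias on the old name, e.g. `/* EXFLAG_SS: legacy alias of EXFLAG_SI; name match only, the signature is not checked */` above the `EXFLAG_SS` line.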