Richard Levitte via RT
2016-07-11 12:14:24 UTC
Mattias,

Can you explain why this is needed, what the code is trying to do?
Kurt

Hi!
The modification of the extension flags happens in at least four
different packages. The modification they do is to add the EXFLAG_PROXY
bit to the flags.
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692
This looks like an old workaround, and I wonder if it's really needed any more.
If it's still needed, I'd say this may uncover a bug within OpenSSL, but in
that case, I'd rather fix that in 1.1
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740
I see what this code does, it makes a name constraint check that should have
been present in OpenSSL but wasn't... until 1.1. However, there's other stuff
in that function that looks odd..
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719
This is the same code as the voms you pointed at above.
https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184
This is the same code as the globus-gsi-callback pointer above.
I guess having a more restrictive accessor that only sets the
EXFLAG_PROXY bit could work. I suggested the more general solution of
having set/clear accessors for arbitrary flags since it was - well, more
general.

Mm, I'm really unsure about this one. ex_flags is part of a cache of
information that OpenSSL fiddles with whenever it checks the extensions for a
certificate. Calling anything that ends up calling X509_check_issued(),
X509_check_ca() or X509_check_purpose() will cause values to be checked and
cached for the certificates involved in the call of those functions. In the
proxy certificate case, EXFLAG_PROXY will be set for a certificate any time the
proxyCertInfo is found among its extensions.
To be blunt, I would much rather see a bug report that shows when that cache
isn't being built properly, and possibly a fix for it.
Cheers,
Richard
--
Richard Levitte
***@openssl.org
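The paragraph above describes ex_flags as a cache that OpenSSL fills in when it examines a certificate's extensions, with EXFLAG_PROXY derived from the presence of the proxyCertInfo extension. The following is an added illustration, not code from the ticket or from OpenSSL: a small DER walker that scans a constructed Extensions SEQUENCE for id-pe-proxyCertInfo (1.3.6.1.5.5.7.1.14) and basicConstraints, derives the flag bits from what it finds, and builds them lazily on the first purpose-style check, the way a derived cache would. The EXFLAG_* bit values, the Cert class and the sample extension blobs are placeholders constructed here, not OpenSSL's definitions.

```python
# Added example: model of deriving EXFLAG_PROXY from certificate extensions.
# Not OpenSSL code; the flag bit values below are placeholders, not OpenSSL's.

EXFLAG_SET = 0x01    # placeholder: "cache has been built" marker
EXFLAG_CA = 0x02     # placeholder bit position
EXFLAG_PROXY = 0x04  # placeholder bit position

ID_PE_PROXYCERTINFO = "1.3.6.1.5.5.7.1.14"   # RFC 3820 proxyCertInfo
ID_CE_BASICCONSTRAINTS = "2.5.29.19"


def der_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def der_children(value):
    """Yield (tag, value) for every TLV nested directly inside a SEQUENCE/SET body."""
    off = 0
    while off < len(value):
        tag, body, off = der_tlv(value, off)
        yield tag, body


def decode_oid(body):
    """Turn OID content octets into dotted form (first octet packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(ext_seq_der):
    """Return [(oid, critical, value)] from a DER-encoded Extensions SEQUENCE."""
    tag, body, _ = der_tlv(ext_seq_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = []
    for _, ext_body in der_children(body):
        parts = list(der_children(ext_body))   # OID, [BOOLEAN critical], OCTET STRING
        oid = decode_oid(parts[0][1])
        idx, critical = 1, False
        if parts[idx][0] == 0x01:  # optional critical BOOLEAN
            critical = parts[idx][1] == b"\xff"
            idx += 1
        result.append((oid, critical, parts[idx][1]))
    return result


def is_ca(basic_constraints_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }."""
    _, body, _ = der_tlv(basic_constraints_value)
    for tag, val in der_children(body):
        if tag == 0x01:
            return val == b"\xff"
    return False


def compute_ex_flags(extensions):
    """Derive the flag word from the extension list, as a cache builder would."""
    flags = EXFLAG_SET
    for oid, _, value in extensions:
        if oid == ID_CE_BASICCONSTRAINTS and is_ca(value):
            flags |= EXFLAG_CA
        if oid == ID_PE_PROXYCERTINFO:
            flags |= EXFLAG_PROXY
    return flags


class Cert:
    """Placeholder certificate holding only its Extensions DER and the cached flags."""
    def __init__(self, extensions_der):
        self.extensions_der = extensions_der
        self.ex_flags = 0

    def check_purpose_like(self):
        """Build the cache on first use and reuse it afterwards; returns the flag word."""
        if not self.ex_flags & EXFLAG_SET:
            self.ex_flags = compute_ex_flags(parse_extensions(self.extensions_der))
        return self.ex_flags


def _tlv(tag, body):  # short-form DER encoder for the constructed samples below
    return bytes([tag, len(body)]) + body


# Constructed sample extension blobs (not taken from any real certificate).
_PROXY_OID = bytes.fromhex("2b0601050507010e")     # 1.3.6.1.5.5.7.1.14
_INHERIT_ALL = bytes.fromhex("2b06010505071501")   # 1.3.6.1.5.5.7.21.1 policy language
_BC_OID = bytes.fromhex("551d13")                  # 2.5.29.19
_proxy_ext = _tlv(0x30, _tlv(0x06, _PROXY_OID) + _tlv(0x01, b"\xff")
                  + _tlv(0x04, _tlv(0x30, _tlv(0x30, _tlv(0x06, _INHERIT_ALL)))))
_bc_ca_ext = _tlv(0x30, _tlv(0x06, _BC_OID) + _tlv(0x01, b"\xff")
                  + _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff"))))
_bc_end_entity_ext = _tlv(0x30, _tlv(0x06, _BC_OID) + _tlv(0x04, _tlv(0x30, b"")))
PROXY_EXTENSIONS = _tlv(0x30, _proxy_ext + _bc_end_entity_ext)
CA_EXTENSIONS = _tlv(0x30, _bc_ca_ext)

if __name__ == "__main__":
    for name, der in (("proxy", PROXY_EXTENSIONS), ("ca", CA_EXTENSIONS)):
        flags = Cert(der).check_purpose_like()
        print(name, hex(flags), "proxy" if flags & EXFLAG_PROXY else "not proxy")
```

The point of the lazy check_purpose_like() is the one the message makes: once the flag word is derived from the extensions and marked as built, a bit that an application poked in from outside is no longer distinguishable from one the parser computed, so a certificate whose flags come out wrong is better reported as a parsing or caching defect than patched over with a setter.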
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev