On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> On Fri 2016-07-08 at 00:42 +0200, Kurt Roeckx wrote:
> > Mattias,
> >
> > Can you explain why this is needed, what the code is trying to do?
> >
> >
> > Kurt
> >
>
> Hi!
>
> The modification of the extension flags happens in at least four
> different packages. The modification they do is to add the EXFLAG_PROXY
> bit to the flags.
Ok, I just had a look:

> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692

This looks like an old workaround, and I wonder if it's really needed
any more. If it's still needed, I'd say this may uncover a bug within
OpenSSL, but in that case, I'd rather fix that in 1.1.

> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740

I see what this code does: it makes a name constraint check that should
have been present in OpenSSL but wasn't... until 1.1. However, there's
other stuff in that function that looks odd.

> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719

This is the same code as the voms you pointed at above.

> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

This is the same code as the globus-gsi-callback pointer above.

> I guess having a more restrictive accessor that only sets the
> EXFLAG_PROXY bit could work. I suggested the more general solution of
> having set/clear accessors for arbitrary flags since it was - well,
> more general.

Mm, I'm really unsure about this one. ex_flags is part of a cache of
information that OpenSSL fiddles with whenever it checks the extensions
for a certificate. Calling anything that ends up calling
X509_check_issued(), X509_check_ca() or X509_check_purpose() will cause
values to be checked and cached for the certificates involved in the
call of those functions. In the proxy certificate case, EXFLAG_PROXY
will be set for a certificate any time the proxyCertInfo is found among
its extensions.

To be blunt, I would much rather see a bug report that shows when that
cache isn't being built properly, and possibly a fix for it.
Cheers,
Richard

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
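The point Richard makes above is that EXFLAG_PROXY is not something a caller should set: OpenSSL's extension cache sets it itself whenever a proxyCertInfo extension is present, and the 1.1 verifier then enforces both the "allow proxy certs" policy and the RFC 3820 subject-name rule (subject = issuer plus exactly one CN) from that cached flag. The script below is an added example written for this page; it is not code from the thread, from OpenSSL, or from any of the packages linked above. It assumes an openssl(1) binary of 1.1 or later on PATH; the config sections, file names and subjects (Demo CA, alice, proxy, badproxy) are all constructed for the demonstration. It builds CA -> EE -> proxy with the openssl CLI only, never touching ex_flags, and shows that `openssl verify` recognises the proxy certificate from its extension alone, rejects it without `-allow_proxy_certs`, and rejects a proxy whose extra RDN is an OU rather than a CN, which is the name-constraint check the voms/canl-c code was re-implementing.

```shell
#!/bin/sh
# Added example, not from the thread: let OpenSSL's own extension cache
# recognise a proxy certificate instead of poking EXFLAG_PROXY from client code.
# Assumes openssl(1) 1.1 or later on PATH; all names below are made up.
set -e

# Write the extension sections used by the certificates into "$1/ext.cnf".
write_config() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ee_ext ]
basicConstraints = critical,CA:FALSE
# digitalSignature is what X509_check_issued() demands of a proxy's issuer
keyUsage = critical,digitalSignature
[ proxy_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
# the presence of proxyCertInfo is what makes the extension cache set EXFLAG_PROXY
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
EOF
}

# new_cert DIR NAME SUBJECT EXTSECTION ISSUER: fresh P-256 key, CSR, then sign
# it with ISSUER's key and attach the extensions from EXTSECTION.
new_cert() {
    cdir=$1 cname=$2 csubj=$3 cext=$4 cissuer=$5
    openssl req -config "$cdir/ext.cnf" -new -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -subj "$csubj" -keyout "$cdir/$cname.key" -out "$cdir/$cname.csr"
    openssl x509 -req -in "$cdir/$cname.csr" -sha256 -days 1 \
        -CA "$cdir/$cissuer.pem" -CAkey "$cdir/$cissuer.key" -CAcreateserial \
        -extfile "$cdir/ext.cnf" -extensions "$cext" -out "$cdir/$cname.pem"
}

# Build ca.pem -> ee.pem -> proxy.pem (and a deliberately malformed badproxy.pem) in "$1".
build_proxy_chain() {
    write_config "$1"
    openssl req -config "$1/ext.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CA" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.pem"
    new_cert "$1" ee "/CN=alice" ee_ext ca
    # RFC 3820 form: the EE subject plus exactly one more CN, signed by the EE key.
    new_cert "$1" proxy "/CN=alice/CN=proxy" proxy_ext ee
    # Same extension, but the added RDN is an OU, which the 1.1 verifier must reject.
    new_cert "$1" badproxy "/CN=alice/OU=proxy" proxy_ext ee
}

# Print "1" if OpenSSL parsed a proxyCertInfo extension out of the certificate, else "0".
proxy_ext_count() {
    openssl x509 -in "$1" -noout -text | grep -c 'Proxy Certificate Information' || true
}

# verify_leaf DIR LEAF [verify flags...]: verify DIR/LEAF.pem against ca.pem via ee.pem.
verify_leaf() {
    vdir=$1 vleaf=$2
    shift 2
    openssl verify "$@" -CAfile "$vdir/ca.pem" -untrusted "$vdir/ee.pem" "$vdir/$vleaf.pem"
}

main() {
    d=$(mktemp -d)
    build_proxy_chain "$d" >/dev/null 2>&1
    echo "proxyCertInfo parsed from proxy.pem: $(proxy_ext_count "$d/proxy.pem")"
    echo "proxyCertInfo parsed from ee.pem:    $(proxy_ext_count "$d/ee.pem")"
    echo "--- without -allow_proxy_certs (rejected from the cached EXFLAG_PROXY) ---"
    verify_leaf "$d" proxy || true
    echo "--- with -allow_proxy_certs ---"
    verify_leaf "$d" proxy -allow_proxy_certs
    echo "--- extra RDN is not a CN (proxy subject name violation) ---"
    verify_leaf "$d" badproxy -allow_proxy_certs || true
    rm -rf "$d"
}

main
```

Nothing here calls any flag accessor: the verifier learns that proxy.pem is a proxy purely from the proxyCertInfo extension it caches while walking the chain, which is the behaviour the proposed set/clear accessor would bypass. If a real-world chain is not recognised this way, the place to look is why the cache is not being built for that certificate, as the reply above suggests, rather than forcing the bit from outside.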