This is a forward of transaction #70156 of ticket #4602

-------------------------------------------------------------------------
http://rt.openssl.org/Ticket/Display.html?id=4602

Please log in as guest with password guest if prompted
--- Begin Message ---
On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> fre 2016-07-08 klockan 00:42 +0200 skrev Kurt Roeckx:
> > Mattias,
> >
> > Can you explain why this is needed, what the code is trying to do?
> >
> >
> > Kurt
> >
>
> Hi!
>
> The modification of the extension flags happens in at least four
> different packages. The modification they do is to add the
> EXFLAG_PROXY
> bit to the flags.

Ok, I just had a look:

> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692

This looks like an old workaround, and I wonder if it's really needed any more.  If it's still needed, I'd say this may uncover a bug within OpenSSL, but in that case, I'd rather fix that in 1.1

> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740

I see what this code does, it makes a name constraint check that should have been present in OpenSSL but wasn't...  until 1.1.  However, there's other stuff in that function that looks odd..

> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719

This is the same code as the voms you pointed at above.

> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

This is the same code as the globus-gsi-callback pointer above.

> I guess having a more restrictive accessor that only sets the
> EXFLAG_PROXY bit could work. I suggested the more general solution of
> having set/clear accessors for arbitrary flags since it was - well
> more
> general.

Mm, I'm really unsure about this one.  ex_flags is part of a cache of information that OpenSSL fiddles with whenever it checks the extensions for a certificate.  Calling anything that ends up calling X509_check_issued(), X509_check_ca() or X509_check_purpose() will cause values to be checked and cached for the certificates involved in the call of those functions.  In the proxy certificate case, EXFLAG_PROXY will be set for a certificate any time the proxyCertInfo is found among its extensions.

To be blunt, I would much rather see a bug report that shows when that cache isn't being built properly, and possibly a fix for it.

Cheers,
Richard

-- 
Richard Levitte
levi...@openssl.org
--- End Message ---
