mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rename the option to disable the new issuer sign check to ‘WOLFSSL_NO_OCSP_ISSUER_CHECK`.

Browse Source
This commit is contained in:
David Garske 2017-06-22 09:56:43 -07:00
parent a3578c6643
commit 3a4edf75bd
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
wolfcrypt/src/asn.c
View File

@ -40,9 +40,8 @@ ASN Options:
chain is not loaded. This only matches on subject and public key and
does not perform a PKI validation, so it is not a secure solution.
Only enabled for OCSP.
* WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN: Can be defined for backwards
compatibility to disable matching of OCSP signing authority for the
certificate in question.
* WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to
disable checking of OCSP subject hash with issuer hash.
*/
#ifndef NO_ASN
@ -10770,7 +10769,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ret;
}
#ifndef WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash,
resp->issuerHash, KEYID_SIZE) == 0) {