authorbeck <>2023-04-28 16:50:16 +0000
committerbeck <>2023-04-28 16:50:16 +0000
commit894a54df05aae48b1ccfb4d0acd6170e67c7bd80 (patch)
treec1ffb128d53575a3341638cccf75fcf2d6427d05
parent1ce60b4afbf4cde527424c04352d010e0bafb51b (diff)
Enable policy checking by default now that we are DAG implementation based.
This ensures that we will no longer silently ignore a certificate with a critical policy extension by default. ok tb@
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c5
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c4
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h9
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c5
-rw-r--r--src/regress/lib/libcrypto/x509/policy/policy.c13
5 files changed, 23 insertions, 13 deletions
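diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 6cb372dbce..ccdf256a1f 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -439,8 +439,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
  if (!x509_vfy_check_revocation(ctx->xsc))
  goto err;
 
- if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
- !x509_vfy_check_policy(ctx->xsc))
+ if (!x509_vfy_check_policy(ctx->xsc))
  goto err;
 
  ret = 1;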
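Review bot: The call to `x509_vfy_check_policy(ctx->xsc)` in x509_verify_ctx_validate_legacy_chain is now unconditional, but nothing at the call site records that `X509_V_FLAG_POLICY_CHECK` is deliberately no longer consulted; the same applies to the `if (!bad_chain)` test in X509_verify_cert_legacy in x509_vfy.c. A one-line comment above each, such as `/* Policy checking is always on; X509_V_FLAG_POLICY_CHECK is ignored. */`, would keep a later reader from restoring the flag test and with it the behaviour the commit message sets out to remove. Both function bodies start and end outside the hunks shown.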
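diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 93dc06ed05..f1aa10c563 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -586,7 +586,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
  goto end;
 
  /* If we get this far evaluate policies */
- if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+ if (!bad_chain)
  ok = ctx->check_policy(ctx);
 
  end: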
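diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 7e91155dc3..202cf7438f 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.62 2023/04/25 18:32:42 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,7 +226,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_X509_STRICT 0x20
 /* Enable proxy certificate validation */
 #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-/* Enable policy checking */
+/* Does nothing as its functionality has been enabled by default */
 #define X509_V_FLAG_POLICY_CHECK 0x80
 /* Policy variable require-explicit-policy */
 #define X509_V_FLAG_EXPLICIT_POLICY 0x100
@@ -264,7 +264,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_VP_FLAG_LOCKED 0x8
 #define X509_VP_FLAG_ONCE 0x10
 
-/* Internal use: mask of policy related options */
+/*
+ * Obsolete internal use: mask of policy related options.
+ * This should really go away.
+ */
 #define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
  | X509_V_FLAG_EXPLICIT_POLICY \
  | X509_V_FLAG_INHIBIT_ANY \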
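Review bot: The new comment on `X509_V_FLAG_POLICY_CHECK` says the flag does nothing, but not why it is still defined or what a caller should now expect. As far as the hunks on this page show, both verifiers run the policy check regardless of the flag, so leaving it clear no longer skips policy processing; the comment could say so, e.g. `/* Kept for API compatibility: policy checking is always performed and this flag is ignored */`. `X509_V_FLAG_POLICY_MASK` still ORs in the no-op flag, and its "should really go away" comment would be more useful if it named what still depends on the mask, which is not visible here.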
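diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 9ac3f929dc..4896fe8b7e 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.36 2023/04/16 19:16:32 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -418,8 +418,6 @@ int
 X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
 {
  param->flags |= flags;
- if (flags & X509_V_FLAG_POLICY_MASK)
- param->flags |= X509_V_FLAG_POLICY_CHECK;
  return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags);
@@ -527,7 +525,6 @@ X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
  return 0;
  }
  }
- param->flags |= X509_V_FLAG_POLICY_CHECK;
  return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies);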
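diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c
index 289f96db78..70f60af0a3 100644
--- a/src/regress/lib/libcrypto/x509/policy/policy.c
+++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */
+/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
 /*
  * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
@@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = {
  .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
  .want_legacy_error_depth = 0,
  },
+ {
+ .id = "invalid leaf without explicit policy",
+ .root_file = CERTSDIR "/" "policy_root.pem",
+ .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+ .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+ .want_chains = 0,
+ .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+ .want_error_depth = 0,
+ .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+ .want_legacy_error_depth = 0,
+ },
  /* There is a duplicate policy in the leaf policy extension. */
  {
  .id = "1 in duplicate policy extension in leaf",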
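Review bot: The added entry `invalid leaf without explicit policy` carries no comment, unlike the entry that follows it, so the table does not say what distinguishes it from the entry that ends just above (whose start is outside the hunk). From the visible fields the difference appears to be that no verify flags are set, which would make this the regression case for the default change. A comment such as `/* Same invalid leaf with no policy flags set: must fail now that policy checking is on by default. */` above the opening brace would record that intent.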