Revert "Check certificate extensions in trusted certificates"

There are some possible strange side effects noticed by the openssl cms regress tests that I missed. Backing this out until I untangle it ok tb@
author: beck <> 2022-11-17 00:42:12 +0000
committer: beck <> 2022-11-17 00:42:12 +0000
commit: e34c353ca0475e362c84929492561dab4f74ec0d (patch)
tree: f783b41d3c79de0feca47daa5b129e0b365152fc /src/lib/libcrypto/x509/x509_vfy.c
parent: 6f8d4c4c4cdd0843000799b6361ddf6edb10edcd (diff)
download: openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.tar.gz
openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.tar.bz2
openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.zip
1 files changed, 3 insertions, 46 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 09c0b8105e..0a9965ae30 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.105 2022/11/14 17:48:50 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.106 2022/11/17 00:42:12 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -725,43 +725,6 @@ get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                return 0;
 }
-/*
- * X509_check_purpose is special.
- * 0 is bad, 1 is good, values > 1 are maybe good for web pki necromancy
- * and certificates that were checked into software unit tests years ago
- * that nobody knows how to change. (Netscape Server Gated Crypto Forever!)
- */
-#define PURPOSE_GOOD(x) (x == 1)
-#define PURPOSE_BAD(x) (x == 0)
-static int
-check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
-    int must_be_ca)
-{
-        int purpose_check, trust;
-        purpose_check = X509_check_purpose(x, purpose, must_be_ca > 0);
-        trust = X509_TRUST_UNTRUSTED;
-        /*
-         * For trusted certificates we want to see whether any auxiliary trust
-         * settings for the desired purpose override the purpose constraints
-         * from the certificate EKU.
-         */
-        if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
-                trust = x509_check_trust_no_compat(x, ctx->param->trust, 0);
-        /* XXX STRICT should really be the default */
-        if (trust != X509_TRUST_REJECTED && !PURPOSE_BAD(purpose_check)) {
-                return PURPOSE_GOOD(purpose_check) ||
-                    (ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0;
-        }
-        ctx->error = X509_V_ERR_INVALID_PURPOSE;
-        ctx->error_depth = depth;
-        ctx->current_cert = x;
-        return ctx->verify_cb(0, ctx);
-}
 /* Check a certificate chains extensions for consistency
 * with the supplied purpose
 */
@@ -778,7 +741,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
        int proxy_path_length = 0;
        int purpose;
        int allow_proxy_certs;
-        size_t chain_len;
        cb = ctx->verify_cb;
@@ -802,8 +764,8 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
                purpose = ctx->param->purpose;
        }
-        chain_len = sk_X509_num(ctx->chain);
+        /* Check all untrusted certificates */
-        for (i = 0; i < chain_len; i++) {
+        for (i = 0; i < ctx->num_untrusted; i++) {
                int ret;
                x = sk_X509_value(ctx->chain, i);
                if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -857,11 +819,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
                        if (!ok)
                                goto end;
                }
-                if (purpose > 0) {
-                        ok = check_purpose(ctx, x, purpose, i, must_be_ca);
-                        if (!ok)
-                                goto end;
-                }
                if (ctx->param->purpose > 0) {
                        ret = X509_check_purpose(x, purpose, must_be_ca > 0);
                        if ((ret == 0) ||
author	beck <>	2022-11-17 00:42:12 +0000
committer	beck <>	2022-11-17 00:42:12 +0000
commit	e34c353ca0475e362c84929492561dab4f74ec0d (patch)
tree	f783b41d3c79de0feca47daa5b129e0b365152fc /src/lib/libcrypto/x509/x509_vfy.c
parent	6f8d4c4c4cdd0843000799b6361ddf6edb10edcd (diff)
download	openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.tar.gz openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.tar.bz2 openbsd-e34c353ca0475e362c84929492561dab4f74ec0d.zip

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 09c0b8105e..0a9965ae30 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.105 2022/11/14 17:48:50 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.106 2022/11/17 00:42:12 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -725,43 +725,6 @@ get_issuer_sk(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
725	return 0;	725	return 0;
726	}	726	}
727		727
728	/*
729	* X509_check_purpose is special.
730	* 0 is bad, 1 is good, values > 1 are maybe good for web pki necromancy
731	* and certificates that were checked into software unit tests years ago
732	* that nobody knows how to change. (Netscape Server Gated Crypto Forever!)
733	*/
734	#define PURPOSE_GOOD(x) (x == 1)
735	#define PURPOSE_BAD(x) (x == 0)
736	static int
737	check_purpose(X509_STORE_CTX ctx, X509 x, int purpose, int depth,
738	int must_be_ca)
739	{
740	int purpose_check, trust;
741
742	purpose_check = X509_check_purpose(x, purpose, must_be_ca > 0);
743	trust = X509_TRUST_UNTRUSTED;
744
745	/*
746	* For trusted certificates we want to see whether any auxiliary trust
747	* settings for the desired purpose override the purpose constraints
748	* from the certificate EKU.
749	*/
750	if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
751	trust = x509_check_trust_no_compat(x, ctx->param->trust, 0);
752
753	/* XXX STRICT should really be the default */
754	if (trust != X509_TRUST_REJECTED && !PURPOSE_BAD(purpose_check)) {
755	return PURPOSE_GOOD(purpose_check) \|\|
756	(ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0;
757	}
758
759	ctx->error = X509_V_ERR_INVALID_PURPOSE;
760	ctx->error_depth = depth;
761	ctx->current_cert = x;
762	return ctx->verify_cb(0, ctx);
763	}
764
765	/* Check a certificate chains extensions for consistency	728	/* Check a certificate chains extensions for consistency
766	* with the supplied purpose	729	* with the supplied purpose
767	*/	730	*/
@@ -778,7 +741,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
778	int proxy_path_length = 0;	741	int proxy_path_length = 0;
779	int purpose;	742	int purpose;
780	int allow_proxy_certs;	743	int allow_proxy_certs;
781	size_t chain_len;
782		744
783	cb = ctx->verify_cb;	745	cb = ctx->verify_cb;
784		746
@@ -802,8 +764,8 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
802	purpose = ctx->param->purpose;	764	purpose = ctx->param->purpose;
803	}	765	}
804		766
805	chain_len = sk_X509_num(ctx->chain);	767	/* Check all untrusted certificates */
806	for (i = 0; i < chain_len; i++) {	768	for (i = 0; i < ctx->num_untrusted; i++) {
807	int ret;	769	int ret;
808	x = sk_X509_value(ctx->chain, i);	770	x = sk_X509_value(ctx->chain, i);
809	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&	771	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -857,11 +819,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
857	if (!ok)	819	if (!ok)
858	goto end;	820	goto end;
859	}	821	}
860	if (purpose > 0) {
861	ok = check_purpose(ctx, x, purpose, i, must_be_ca);
862	if (!ok)
863	goto end;
864	}
865	if (ctx->param->purpose > 0) {	822	if (ctx->param->purpose > 0) {
866	ret = X509_check_purpose(x, purpose, must_be_ca > 0);	823	ret = X509_check_purpose(x, purpose, must_be_ca > 0);
867	if ((ret == 0) \|\|	824	if ((ret == 0) \|\|