From 894a54df05aae48b1ccfb4d0acd6170e67c7bd80 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 28 Apr 2023 16:50:16 +0000
Subject: Enable policy checking by default now that we are DAG implementation based.

This ensures that we will no longer silently ignore a certificate with a critical policy extention by default.

ok tb@
---
 src/lib/libcrypto/x509/x509_verify.c           |  5 ++---
 src/lib/libcrypto/x509/x509_vfy.c              |  4 ++--
 src/lib/libcrypto/x509/x509_vfy.h              |  9 ++++++---
 src/lib/libcrypto/x509/x509_vpm.c              |  5 +----
 src/regress/lib/libcrypto/x509/policy/policy.c | 13 ++++++++++++-
 5 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 6cb372dbce..ccdf256a1f 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck 
  *
@@ -439,8 +439,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_revocation(ctx->xsc))
 		goto err;
 
-	if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
-	    !x509_vfy_check_policy(ctx->xsc))
+	if (!x509_vfy_check_policy(ctx->xsc))
 		goto err;
 
 	ret = 1;
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 93dc06ed05..f1aa10c563 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -586,7 +586,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 		goto end;
 
 	/* If we get this far evaluate policies */
-	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+	if (!bad_chain)
 		ok = ctx->check_policy(ctx);
 
 end:
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 7e91155dc3..202cf7438f 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.62 2023/04/25 18:32:42 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,7 +226,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_X509_STRICT 0x20
 /* Enable proxy certificate validation */
 #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-/* Enable policy checking */
+/* Does nothing as its functionality has been enabled by default */
 #define X509_V_FLAG_POLICY_CHECK 0x80
 /* Policy variable require-explicit-policy */
 #define X509_V_FLAG_EXPLICIT_POLICY 0x100
@@ -264,7 +264,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_VP_FLAG_LOCKED 0x8
 #define X509_VP_FLAG_ONCE 0x10
 
-/* Internal use: mask of policy related options */
+/*
+ * Obsolete internal use: mask of policy related options.
+ * This should really go away.
+ */
 #define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
 	| X509_V_FLAG_EXPLICIT_POLICY \
 	| X509_V_FLAG_INHIBIT_ANY \
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 9ac3f929dc..4896fe8b7e 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.36 2023/04/16 19:16:32 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -418,8 +418,6 @@ int
 X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
 {
 	param->flags |= flags;
-	if (flags & X509_V_FLAG_POLICY_MASK)
-		param->flags |= X509_V_FLAG_POLICY_CHECK;
 	return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags);
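Review bot: The new comment on X509_V_FLAG_POLICY_CHECK in the @@ -226 hunk says the flag "does nothing", but this commit also changes what callers observe through X509_VERIFY_PARAM_get_flags(): X509_VERIFY_PARAM_set_flags() and X509_VERIFY_PARAM_set1_policies() (the two x509_vpm.c hunks) no longer set the bit implicitly, so code that tested it to learn whether policies had been configured now sees it clear. The header is the place to make that explicit, e.g. `/* Accepted for compatibility only: policy checking is always performed, and this flag is no longer set implicitly by X509_VERIFY_PARAM_set_flags() or X509_VERIFY_PARAM_set1_policies(). */`. In the @@ -264 hunk the X509_V_FLAG_POLICY_MASK comment says it "should really go away" but not what still keeps it; its only reader visible here, in X509_VERIFY_PARAM_set_flags(), is removed by this commit, so if a grep confirms nothing in-tree consults it any more, say so, e.g. `/* Obsolete: no longer consulted by the library, kept only for source compatibility. */`, otherwise name the remaining user.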
@@ -527,7 +525,6 @@ X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 			return 0;
 		}
 	}
-	param->flags |= X509_V_FLAG_POLICY_CHECK;
 	return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies);
diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c
index 289f96db78..70f60af0a3 100644
--- a/src/regress/lib/libcrypto/x509/policy/policy.c
+++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */
+/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
 /*
  * Copyright (c) 2020 Joel Sing 
  * Copyright (c) 2020-2023 Bob Beck 
@@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = {
 		.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
 		.want_legacy_error_depth = 0,
 	},
+	{
+		.id = "invalid leaf without explicit policy",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+		.want_chains = 0,
+		.want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+		.want_error_depth = 0,
+		.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+		.want_legacy_error_depth = 0,
+	},
 	/* There is a duplicate policy in the leaf policy extension. */
 	{
 		.id = "1 in duplicate policy extension in leaf",
-- 
cgit v1.2.3-55-g6feb
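Review bot: The new verify_cert_tests entry in the policy.c hunk has no descriptive comment, unlike its neighbours (the entry after it is introduced by `/* There is a duplicate policy in the leaf policy extension. */`), and nothing states how it differs from the entry directly above it, which ends with the same expected errors and depths. Presumably the difference is that this entry sets no verify flags, so it pins the behaviour this commit introduces: the invalid leaf policy extension is rejected even when the caller never asked for policy checking. A comment above the entry would make that intent survive future edits, e.g. `/* No verify flags set: the invalid leaf policy extension must still be rejected now that policy checking runs by default. */`. The verify_cert_tests array begins and ends outside the hunk, so the flags field of the preceding entry is not visible here.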