From 7d883af911e8fa758bfdf87ece7e12f7a84561c0 Mon Sep 17 00:00:00 2001 From: beck Date: Fri, 28 Apr 2023 16:50:16 +0000 Subject: [PATCH] Enable policy checking by default now that we are DAG implementation based. This ensures that we will no longer silently ignore a certificate with a critical policy extention by default. ok tb@ --- lib/libcrypto/x509/x509_verify.c | 5 ++--- lib/libcrypto/x509/x509_vfy.c | 4 ++-- lib/libcrypto/x509/x509_vfy.h | 9 ++++++--- lib/libcrypto/x509/x509_vpm.c | 5 +---- regress/lib/libcrypto/x509/policy/policy.c | 13 ++++++++++++- 5 files changed, 23 insertions(+), 13 deletions(-) diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 6cb372dbce0..ccdf256a1f7 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -439,8 +439,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, if (!x509_vfy_check_revocation(ctx->xsc)) goto err; - if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK && - !x509_vfy_check_policy(ctx->xsc)) + if (!x509_vfy_check_policy(ctx->xsc)) goto err; ret = 1; diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 93dc06ed05d..f1aa10c5632 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -586,7 +586,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) goto end; /* If we get this far evaluate policies */ - if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) + if (!bad_chain) ok = ctx->check_policy(ctx); end: diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h index 7e91155dc37..202cf7438f1 100644 --- a/lib/libcrypto/x509/x509_vfy.h +++ b/lib/libcrypto/x509/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.62 2023/04/25 18:32:42 tb Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -226,7 +226,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_X509_STRICT 0x20 /* Enable proxy certificate validation */ #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 -/* Enable policy checking */ +/* Does nothing as its functionality has been enabled by default */ #define X509_V_FLAG_POLICY_CHECK 0x80 /* Policy variable require-explicit-policy */ #define X509_V_FLAG_EXPLICIT_POLICY 0x100 @@ -264,7 +264,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_VP_FLAG_LOCKED 0x8 #define X509_VP_FLAG_ONCE 0x10 -/* Internal use: mask of policy related options */ +/* + * Obsolete internal use: mask of policy related options. + * This should really go away. + */ #define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \ | X509_V_FLAG_EXPLICIT_POLICY \ | X509_V_FLAG_INHIBIT_ANY \ diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 9ac3f929dc1..4896fe8b7ed 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.36 2023/04/16 19:16:32 tb Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -418,8 +418,6 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; - if (flags & X509_V_FLAG_POLICY_MASK) - param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; } LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags); @@ -527,7 +525,6 @@ X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, return 0; } } - param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; } LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies); diff --git a/regress/lib/libcrypto/x509/policy/policy.c b/regress/lib/libcrypto/x509/policy/policy.c index 289f96db781..70f60af0a34 100644 --- a/regress/lib/libcrypto/x509/policy/policy.c +++ b/regress/lib/libcrypto/x509/policy/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */ +/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */ /* * Copyright (c) 2020 Joel Sing * Copyright (c) 2020-2023 Bob Beck @@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = { .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION, .want_legacy_error_depth = 0, }, + { + .id = "invalid leaf without explicit policy", + .root_file = CERTSDIR "/" "policy_root.pem", + .intermediate_file = CERTSDIR "/" "policy_intermediate.pem", + .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem", + .want_chains = 0, + .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION, + .want_error_depth = 0, + .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION, + .want_legacy_error_depth = 0, + }, /* There is a duplicate policy in the leaf policy extension. */ { .id = "1 in duplicate policy extension in leaf", -- 2.20.1