Enable policy checking by default now that we are DAG implementation based.

This ensures that we will no longer silently ignore a certificate with a critical policy extention by default. ok tb@
2025-01-10 06:47:55 -08:00 · 2023-04-28 16:50:16 +00:00 · 2023-04-28 16:50:16 +00:00 · 7d883af911
commit 7d883af911
parent b737a7be59
5 changed files with 23 additions and 13 deletions
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@ -439,8 +439,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_revocation(ctx->xsc))
 		goto err;

-	if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
-	    !x509_vfy_check_policy(ctx->xsc))
+	if (!x509_vfy_check_policy(ctx->xsc))
 		goto err;

 	ret = 1;
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -586,7 +586,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 		goto end;

 	/* If we get this far evaluate policies */
-	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+	if (!bad_chain)
 		ok = ctx->check_policy(ctx);

 end:
--- a/lib/libcrypto/x509/x509_vfy.h
+++ b/lib/libcrypto/x509/x509_vfy.h
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.62 2023/04/25 18:32:42 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -226,7 +226,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define	X509_V_FLAG_X509_STRICT			0x20
 /* Enable proxy certificate validation */
 #define	X509_V_FLAG_ALLOW_PROXY_CERTS		0x40
-/* Enable policy checking */
+/* Does nothing as its functionality has been enabled by default */
 #define X509_V_FLAG_POLICY_CHECK		0x80
 /* Policy variable require-explicit-policy */
 #define X509_V_FLAG_EXPLICIT_POLICY		0x100
@ -264,7 +264,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_VP_FLAG_LOCKED			0x8
 #define X509_VP_FLAG_ONCE			0x10

-/* Internal use: mask of policy related options */
+/*
+ * Obsolete internal use: mask of policy related options.
+ * This should really go away.
+ */
 #define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
 				| X509_V_FLAG_EXPLICIT_POLICY \
 				| X509_V_FLAG_INHIBIT_ANY \
--- a/lib/libcrypto/x509/x509_vpm.c
+++ b/lib/libcrypto/x509/x509_vpm.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.36 2023/04/16 19:16:32 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@ -418,8 +418,6 @@ int
 X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
 {
 	param->flags |= flags;
-	if (flags & X509_V_FLAG_POLICY_MASK)
-		param->flags |= X509_V_FLAG_POLICY_CHECK;
 	return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags);
@ -527,7 +525,6 @@ X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 			return 0;
 		}
 	}
-	param->flags |= X509_V_FLAG_POLICY_CHECK;
 	return 1;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies);
--- a/regress/lib/libcrypto/x509/policy/policy.c
+++ b/regress/lib/libcrypto/x509/policy/policy.c
@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */
+/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = {
 		.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
 		.want_legacy_error_depth = 0,
 	},
+	{
+		.id = "invalid leaf without explicit policy",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+		.want_chains = 0,
+		.want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+		.want_error_depth = 0,
+		.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+		.want_legacy_error_depth = 0,
+	},
 	/*  There is a duplicate policy in the leaf policy extension. */
 	{
 		.id = "1 in duplicate policy extension in leaf",