Don't accept “SSL client” as a substitute for S/MIME in the Netscape cert type extension.

I believe that case was the only way that X509_check_purpose could return anything other than zero or one. Thus eliminate the last use of X509_V_FLAG_X509_STRICT. Change-Id: If2f071dfa934b924491db2b615ec17390564e7de Reviewed-on: https://boringssl-review.googlesource.com/30344 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-06 13:54:41 -07:00 · 2018-08-06 13:54:41 -07:00 · e27793940e
commit e27793940e
parent e833a6dfa2
3 changed files with 7 additions and 13 deletions
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -661,9 +661,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
        }
        if (ctx->param->purpose > 0) {
            ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
-            if ((ret == 0)
-                || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
-                    && (ret != 1))) {
+            if (ret != 1) {
+                ret = 0;
                ctx->error = X509_V_ERR_INVALID_PURPOSE;
                ctx->error_depth = i;
                ctx->current_cert = x;
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@ -638,7 +638,8 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
    return ret;
 }

-/* common S/MIME checks */
+/* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
+ * (|ca| is one) certificate, and zero otherwise. */
 static int purpose_smime(const X509 *x, int ca)
 {
    if (xku_reject(x, XKU_SMIME))
@ -653,12 +654,7 @@ static int purpose_smime(const X509 *x, int ca)
        return check_ca(x);
    }
    if (x->ex_flags & EXFLAG_NSCERT) {
-        if (x->ex_nscert & NS_SMIME)
-            return 1;
-        /* Workaround for some buggy certificates */
-        if (x->ex_nscert & NS_SSL_CLIENT)
-            return 2;
-        return 0;
+        return (x->ex_nscert & NS_SMIME) == NS_SMIME;
    }
    return 1;
 }
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@ -382,9 +382,8 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define	X509_V_FLAG_CRL_CHECK_ALL		0x8
 /* Ignore unhandled critical extensions */
 #define	X509_V_FLAG_IGNORE_CRITICAL		0x10
-/* Enforces stricter checking on certificate purposes.
- * TODO(agl): eliminate. */
-#define	X509_V_FLAG_X509_STRICT			0x20
+/* Does nothing as its functionality has been enabled by default. */
+#define	X509_V_FLAG_X509_STRICT			0x00
 /* Enable proxy certificate validation */
 #define	X509_V_FLAG_ALLOW_PROXY_CERTS		0x40
 /* Enable policy checking */