Don't accept “SSL client” as a substitute for S/MIME in the Netscape cert type extension.

I believe that case was the only way that X509_check_purpose could
return anything other than zero or one. Thus eliminate the last use of
X509_V_FLAG_X509_STRICT.

Change-Id: If2f071dfa934b924491db2b615ec17390564e7de
Reviewed-on: https://boringssl-review.googlesource.com/30344
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Matt Braithwaite <mab@google.com>
kris/onging/CECPQ3_patch15
Adam Langley 6 years ago
committed by CQ bot account: commit-bot@chromium.org
Parent
commit
e27793940e
3 changed files with 7 additions and 13 deletions
  1. +2
    -3
      crypto/x509/x509_vfy.c
  2. +3
    -7
      crypto/x509v3/v3_purp.c
  3. +2
    -3
      include/openssl/x509_vfy.h

+ 2
- 3
crypto/x509/x509_vfy.c

@@ -661,9 +661,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
}
if (ctx->param->purpose > 0) {
ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
if ((ret == 0)
|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
&& (ret != 1))) {
if (ret != 1) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
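
Review bot: the new `if (ret != 1)` test in check_chain_extensions rejects every return value other than one with X509_V_ERR_INVALID_PURPOSE regardless of flags, so its equivalence with the old non-strict path rests on X509_check_purpose never returning anything but zero or one, which the commit message states only as a belief. A short comment at this check saying that X509_check_purpose returns one on success and that any other value is treated as a failure would keep the fail-closed intent clear if a purpose checker later gains another return code.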


+ 3
- 7
crypto/x509v3/v3_purp.c

@@ -638,7 +638,8 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
return ret;
}

/* common S/MIME checks */
/* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
* (|ca| is one) certificate, and zero otherwise. */
static int purpose_smime(const X509 *x, int ca)
{
if (xku_reject(x, XKU_SMIME))
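
Review bot: the new comment on purpose_smime promises a return of exactly one or zero, but in the CA case the function returns `check_ca(x)` directly (visible as context in the following hunk), so the documented contract holds only if check_ca is itself limited to zero and one. Either state that dependency in the comment or normalise the check_ca result to zero or one before returning it.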
@@ -653,12 +654,7 @@ static int purpose_smime(const X509 *x, int ca)
return check_ca(x);
}
if (x->ex_flags & EXFLAG_NSCERT) {
if (x->ex_nscert & NS_SMIME)
return 1;
/* Workaround for some buggy certificates */
if (x->ex_nscert & NS_SSL_CLIENT)
return 2;
return 0;
return (x->ex_nscert & NS_SMIME) == NS_SMIME;
}
return 1;
}
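
Review bot: dropping the NS_SSL_CLIENT branch in purpose_smime changes which certificates pass the S/MIME purpose check, yet none of the three files in this change is a test. Add a case with a leaf whose Netscape cert type sets only the SSL client bit and assert that the S/MIME purpose check returns zero, so the removed workaround cannot return unnoticed.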


+ 2
- 3
include/openssl/x509_vfy.h

@@ -382,9 +382,8 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_CRL_CHECK_ALL 0x8
/* Ignore unhandled critical extensions */
#define X509_V_FLAG_IGNORE_CRITICAL 0x10
/* Enforces stricter checking on certificate purposes.
* TODO(agl): eliminate. */
#define X509_V_FLAG_X509_STRICT 0x20
/* Does nothing as its functionality has been enabled by default. */
#define X509_V_FLAG_X509_STRICT 0x00
/* Enable proxy certificate validation */
#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
/* Enable policy checking */
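
Review bot: redefining X509_V_FLAG_X509_STRICT as 0x00 leaves bit 0x20 unassigned between X509_V_FLAG_IGNORE_CRITICAL (0x10) and X509_V_FLAG_ALLOW_PROXY_CERTS (0x40), and any caller that tests `flags & X509_V_FLAG_X509_STRICT` will now always read false. Extend the comment to say that 0x20 is reserved and must not be assigned to a new flag, since code built against the old header may still pass that bit.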

