fix X509_PURPOSE_set() to support clearing the purpose requirement as needed for...
authorDr. David von Oheimb <dev@ddvo.net>
Fri, 20 Dec 2024 08:12:43 +0000 (09:12 +0100)
committerDr. David von Oheimb <dev@ddvo.net>
Mon, 20 Jan 2025 07:41:02 +0000 (08:41 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26221)

crypto/x509/v3_purp.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vpm.c
doc/man3/X509_VERIFY_PARAM_set_flags.pod
include/openssl/x509v3.h.in

index e917c455dec7ceccacade3f03a6a1eb58db2185b..c633474bdcf4fe236f7a1c1b856a3a9180146e02 100644 (file)
@@ -100,9 +100,10 @@ int X509_check_purpose(X509 *x, int id, int non_leaf)
     return pt->check_purpose(pt, x, non_leaf);
 }
 
+/* resets to default (any) purpose if purpose == X509_PURPOSE_DEFAULT_ANY (0) */
 int X509_PURPOSE_set(int *p, int purpose)
 {
-    if (X509_PURPOSE_get_by_id(purpose) == -1) {
+    if (purpose != X509_PURPOSE_DEFAULT_ANY && X509_PURPOSE_get_by_id(purpose) == -1) {
         ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_PURPOSE);
         return 0;
     }
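Review bot: The comment added above X509_PURPOSE_set() says the value "resets to default (any) purpose" but not what that means for verification. Going by the x509_vfy.c hunk of this commit, check_extensions() then skips check_purpose() for every certificate in the chain. I would state that directly, e.g. `/* X509_PURPOSE_DEFAULT_ANY (0) clears the requirement: no purpose check is made during chain verification */`, and use matching wording for the comment added above X509_VERIFY_PARAM_set_purpose() in x509_vpm.c and for the new define in x509v3.h.in, which has no comment at all. Callers that pass a computed id should also note that 0 is now accepted, where it presumably raised X509V3_R_INVALID_PURPOSE before. The function body continues outside the hunk.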
index b8a5ec49279d9a0fb8dc3e0702e534cb38c0643f..3776edbf6a7ee0df4871668cdd4473f8e3bd371c 100644 (file)
@@ -676,7 +676,7 @@ static int check_extensions(X509_STORE_CTX *ctx)
         }
 
         /* check_purpose() makes the callback as needed */
-        if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
+        if (purpose >= X509_PURPOSE_MIN && !check_purpose(ctx, x, purpose, i, must_be_ca))
             return 0;
         /* Check path length */
         CB_FAIL_IF(i > 1 && x->ex_pathlen != -1
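Review bot: The guard in check_extensions() skips check_purpose() for every value below X509_PURPOSE_MIN, not only for X509_PURPOSE_DEFAULT_ANY, so a negative or otherwise unexpected purpose fails open instead of being rejected. Whether such a value can reach this point is not visible here: X509_PURPOSE_set() rejects unknown ids, but any code that assigns the field directly would bypass that check. If nothing relies on values below the minimum being ignored, testing against the sentinel makes the intent explicit: `if (purpose != X509_PURPOSE_DEFAULT_ANY && !check_purpose(ctx, x, purpose, i, must_be_ca))`. The condition is best split over two lines, since the new line is already about 90 columns wide. The enclosing block starts and ends outside the hunk.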
index 023a38a1c9fc80464bf80687228ff485afd46342..8ed41b78673060224cf0b2c51cbac17aeea2d095 100644 (file)
@@ -296,6 +296,7 @@ int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
     return 1;
 }
 
+/* resets to default (any) purpose if |purpose| == X509_PURPOSE_DEFAULT_ANY */
 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
 {
     return X509_PURPOSE_set(&param->purpose, purpose);
index fcbbfc4c306734eaba981837f3c512793ef97b9a..221198c86b07e4a7a6ab972af4f0b6b10ec03a99 100644 (file)
@@ -90,7 +90,7 @@ X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>.
 X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param>
 to B<purpose>. This determines the acceptable purpose of the certificate
 chain, for example B<X509_PURPOSE_SSL_CLIENT>.
-The purpose requirement is cleared if B<purpose> is 0.
+The purpose requirement is cleared if B<purpose> is X509_PURPOSE_DEFAULT_ANY.
 
 X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to
 B<trust>.
index a0d80e2eec19ea8a091ff75eff97ce0378fc1247..0a5650353fa1b180218e432a8252b1255a99530e 100644 (file)
@@ -478,6 +478,7 @@ typedef struct x509_purpose_st {
 -}
 
 
+# define X509_PURPOSE_DEFAULT_ANY        0
 # define X509_PURPOSE_SSL_CLIENT         1
 # define X509_PURPOSE_SSL_SERVER         2
 # define X509_PURPOSE_NS_SSL_SERVER      3