From: Dr. David von Oheimb <dev@ddvo.net>
Date: Fri, 20 Dec 2024 08:12:43 +0000 (+0100)
Subject: fix X509_PURPOSE_set() to support clearing the purpose requirement as needed for... 
X-Git-Tag: openssl-3.5.0-alpha1~720
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b48ed247370e03a75e1df5dcf41659def128aaa7;p=thirdparty%2Fopenssl.git

fix X509_PURPOSE_set() to support clearing the purpose requirement as needed for X509_VERIFY_PARAM_set_purpose()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26221)
---

diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index e917c455dec..c633474bdcf 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -100,9 +100,10 @@ int X509_check_purpose(X509 *x, int id, int non_leaf)
     return pt->check_purpose(pt, x, non_leaf);
 }
 
+/* resets to default (any) purpose if purpose == X509_PURPOSE_DEFAULT_ANY (0) */
 int X509_PURPOSE_set(int *p, int purpose)
 {
-    if (X509_PURPOSE_get_by_id(purpose) == -1) {
+    if (purpose != X509_PURPOSE_DEFAULT_ANY && X509_PURPOSE_get_by_id(purpose) == -1) {
         ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_PURPOSE);
         return 0;
     }
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b8a5ec49279..3776edbf6a7 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -676,7 +676,7 @@ static int check_extensions(X509_STORE_CTX *ctx)
         }
 
         /* check_purpose() makes the callback as needed */
-        if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
+        if (purpose >= X509_PURPOSE_MIN && !check_purpose(ctx, x, purpose, i, must_be_ca))
             return 0;
         /* Check path length */
         CB_FAIL_IF(i > 1 && x->ex_pathlen != -1
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 023a38a1c9f..8ed41b78673 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -296,6 +296,7 @@ int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
     return 1;
 }
 
+/* resets to default (any) purpose if |purpose| == X509_PURPOSE_DEFAULT_ANY */
 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
 {
     return X509_PURPOSE_set(&param->purpose, purpose);
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index fcbbfc4c306..221198c86b0 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -90,7 +90,7 @@ X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>.
 X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param>
 to B<purpose>. This determines the acceptable purpose of the certificate
 chain, for example B<X509_PURPOSE_SSL_CLIENT>.
-The purpose requirement is cleared if B<purpose> is 0.
+The purpose requirement is cleared if B<purpose> is X509_PURPOSE_DEFAULT_ANY.
 
 X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to
 B<trust>.
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index a0d80e2eec1..0a5650353fa 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -478,6 +478,7 @@ typedef struct x509_purpose_st {
 -}
 
 
+# define X509_PURPOSE_DEFAULT_ANY        0
 # define X509_PURPOSE_SSL_CLIENT         1
 # define X509_PURPOSE_SSL_SERVER         2
 # define X509_PURPOSE_NS_SSL_SERVER      3