Make X509_V_FLAG_NOTIFY_POLICY into a no-op

All this flag does is cause verify_cb to be called with ok=2 after
policy validation happens, breaking the otherwise strict 0/1 behavior of
the callback.

We can't quite remove the symbol because a lot of bindings libraries
wrap it without realizing what it does. But no one actually uses it,
because it's pretty useless. Since we now always (other than the
bad_chain thing) check policies and that happens last, this flag really
means "please call the verify callback an extra time at the end with
ok=2".

Update-Note: X509_V_FLAG_NOTIFY_POLICY is now a no-op. This is not
expected to impact anyone.

Change-Id: I892a872181d1c1836ef2533ac616edfb6b3b5836
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65087
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 970deb4..e7345a2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1286,17 +1286,6 @@
     return ctx->verify_cb(0, ctx);
   }
 
-  if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
-    ctx->current_cert = NULL;
-    // Verification errors need to be "sticky", a callback may have allowed
-    // an SSL handshake to continue despite an error, and we must then
-    // remain in an error state.  Therefore, we MUST NOT clear earlier
-    // verification errors by setting the error to X509_V_OK.
-    if (!ctx->verify_cb(2, ctx)) {
-      return 0;
-    }
-  }
-
   return 1;
 }
 
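Review bot: The removal of the `if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)` block at the end of this function comes with no test in the patch, so nothing pins down that verify_cb is now only ever called with ok of 0 or 1. Consider adding a test that sets X509_V_FLAG_NOTIFY_POLICY, installs a callback that records every ok value it receives, and asserts that 2 never appears and that the result matches a run without the flag. The one observable difference is a callback that returned 0 on ok=2: the removed `return 0;` let it fail an otherwise successful verification, and that case is worth covering explicitly.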
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 1791baf..b0dc725 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3681,7 +3681,7 @@
 #define X509_V_FLAG_INHIBIT_ANY 0x200
 // Policy variable inhibit-policy-mapping
 #define X509_V_FLAG_INHIBIT_MAP 0x400
-// Notify callback that policy is OK
+// Does nothing
 #define X509_V_FLAG_NOTIFY_POLICY 0x800
 // Causes all verifications to fail. Extended CRL features have been removed.
 #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
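Review bot: The new `// Does nothing` comment on X509_V_FLAG_NOTIFY_POLICY gives a reader of the header no reason why the symbol is still defined or what setting it used to do. Consider saying that the flag is retained only so existing callers and bindings keep compiling, and that it previously caused verify_cb to be called an extra time with ok=2 after policy validation, in the same way the neighbouring X509_V_FLAG_EXTENDED_CRL_SUPPORT comment states both the effect and the history. Marking it as deprecated in the comment would also steer new code away from setting it.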