Make X509_V_FLAG_NOTIFY_POLICY into a no-op

All this flag does is cause verify_cb to be called with ok=2 after
policy validation happens, breaking the otherwise strict 0/1 behavior of
the callback.

We can't quite remove the symbol because a lot of bindings libraries
wrap it without realizing what it does. But no one actually uses it,
because it's pretty useless. Since we now always (other than the
bad_chain thing) check policies and that happens last, this flag really
means "please call the verify callback an extra time at the end with
ok=2".

Update-Note: X509_V_FLAG_NOTIFY_POLICY is now a no-op. This is not
expected to impact anyone.

Change-Id: I892a872181d1c1836ef2533ac616edfb6b3b5836
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65087
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 1791baf..b0dc725 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3681,7 +3681,7 @@
#define X509_V_FLAG_INHIBIT_ANY 0x200
// Policy variable inhibit-policy-mapping
#define X509_V_FLAG_INHIBIT_MAP 0x400
-// Notify callback that policy is OK
+// Does nothing
#define X509_V_FLAG_NOTIFY_POLICY 0x800
// Causes all verifications to fail. Extended CRL features have been removed.
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
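Review bot: The new comment `// Does nothing` above `X509_V_FLAG_NOTIFY_POLICY` drops the only documentation of why the symbol still exists; since the commit message says it is kept because bindings wrap it, the header should say so, e.g. `// Does nothing. Retained for source compatibility; the verify callback is no longer invoked with ok=2 after policy checking.` Readers of the header otherwise cannot tell whether the flag is a leftover bug or a deliberate compatibility stub. Also, this hunk only changes the header comment, so the removal of the extra `ok=2` callback invocation described in the commit message is not visible here; confirm the corresponding verification-path change is part of the same change before it lands, otherwise the header would claim "Does nothing" while the flag still alters callback behavior.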