Make X509_V_FLAG_NOTIFY_POLICY into a no-op

All this flag does is cause verify_cb to be called with ok=2 after policy validation happens, breaking the otherwise strict 0/1 behavior of the callback. We can't quite remove the symbol because a lot of bindings libraries wrap it without realizing what it does. But no one actually uses it, because it's pretty useless.

Since we now always (other than the bad_chain thing) check policies and that happens last, this flag really means "please call the verify callback an extra time at the end with ok=2".

Update-Note: X509_V_FLAG_NOTIFY_POLICY is now a no-op. This is not expected to impact anyone.

Change-Id: I892a872181d1c1836ef2533ac616edfb6b3b5836
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65087
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 970deb4..e7345a2 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c
@@ -1286,17 +1286,6 @@ return ctx->verify_cb(0, ctx); } - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { - ctx->current_cert = NULL; - // Verification errors need to be "sticky", a callback may have allowed - // an SSL handshake to continue despite an error, and we must then - // remain in an error state. Therefore, we MUST NOT clear earlier - // verification errors by setting the error to X509_V_OK. - if (!ctx->verify_cb(2, ctx)) { - return 0; - } - } - return 1; }
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 1791baf..b0dc725 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h
@@ -3681,7 +3681,7 @@ #define X509_V_FLAG_INHIBIT_ANY 0x200 // Policy variable inhibit-policy-mapping #define X509_V_FLAG_INHIBIT_MAP 0x400 -// Notify callback that policy is OK +// Does nothing #define X509_V_FLAG_NOTIFY_POLICY 0x800 // Causes all verifications to fail. Extended CRL features have been removed. #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
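Review bot: In the crypto/x509/x509_vfy.c hunk, the deleted block was the only visible place that reset ctx->current_cert to NULL and invoked verify_cb with ok=2, and nothing in the visible change pins the new behavior with a test. Consider adding a regression test that sets X509_V_FLAG_NOTIFY_POLICY on the verify parameters and asserts the callback is only ever called with ok equal to 0 or 1, so the strict 0/1 contract described in the commit message cannot regress silently. It would also be worth confirming that no caller that set the flag relied on current_cert being cleared before the function returns 1.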
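Review bot: In the include/openssl/x509.h hunk, the new comment "// Does nothing" on X509_V_FLAG_NOTIFY_POLICY gives a reader no reason for the symbol to exist, unlike the neighbouring X509_V_FLAG_EXTENDED_CRL_SUPPORT comment, which says what happened to the feature. Suggest expanding it to say the flag is retained only for compatibility with callers and bindings that reference it, and that it no longer causes an extra verify callback invocation with ok=2, so someone porting code that sets the flag knows the callback will not fire that extra time.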