authorRichard Levitte <levitte@openssl.org>2005-04-09 16:07:12 +0000
committerRichard Levitte <levitte@openssl.org>2005-04-09 16:07:12 +0000
commitd9bfe4f97cd4244beb0598cc348d68b04dac7068 (patch)
tree1577815b1c870c4541cb56ce12c7713e12889791 /crypto/x509
parentdc0ed30cfeb37d64fc2bd26887b19e0898a96bde (diff)
Added restrictions on the use of proxy certificates, as they may pose
a security threat to unsuspecting applications. Document and test.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_txt.c2
-rw-r--r--crypto/x509/x509_vfy.c15
-rw-r--r--crypto/x509/x509_vfy.h19
3 files changed, 28 insertions, 8 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 247e7e178a..7dd2b761d9 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -128,6 +128,8 @@ const char *X509_verify_cert_error_string(long n)
return ("path length constraint exceeded");
case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
return("proxy path length constraint exceeded");
+ case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+ return("proxy cerificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_PURPOSE:
return ("unsupported certificate purpose");
case X509_V_ERR_CERT_UNTRUSTED:
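Review bot: The new error string for `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` misspells "certificates" as "cerificates"; X509_verify_cert_error_string() output is what applications log and users search for, so it should read `return("proxy certificates not allowed, please set the appropriate flag");`. Naming the flag would also spare the reader a trip to x509_vfy.h, e.g. `"proxy certificates not allowed, please set X509_V_FLAG_ALLOW_PROXY_CERTS"`. The function continues outside this hunk.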
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 431a620618..3da2490fea 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -391,6 +391,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
int (*cb)(int ok,X509_STORE_CTX *ctx);
int proxy_path_length = 0;
cb=ctx->verify_cb;
+ int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* must_be_ca can have 1 of 3 values:
-1: we accept both CA and non-CA certificates, to allow direct
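Review bot: `int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);` is declared after the statement `cb=ctx->verify_cb;`, which mixes declarations and code; that is only valid C99 and will fail to build with strict C89/C90 compilers, while the other locals (`proxy_path_length`, `cb`) are declared at the top of the block. Move the declaration up so it sits with the others and the assignment stays last: `int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);` followed by `cb=ctx->verify_cb;`. check_chain_extensions() begins before this hunk and continues after it.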
@@ -401,6 +402,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
all certificates in the chain except the leaf certificate.
*/
must_be_ca = -1;
+
+ /* A hack to keep people who don't want to modify their software
+ happy */
+ if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+
/* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++)
{
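Review bot: Reading `OPENSSL_ALLOW_PROXY_CERTS` from the environment lets anyone who controls the process environment widen the verification policy of an application that deliberately did not set X509_V_FLAG_ALLOW_PROXY_CERTS, and the caller has no way to opt out of the override. In setuid/setgid or otherwise privileged processes the environment is attacker-influenced, so at minimum the override should be skipped when the process runs with elevated privileges, e.g. `if (getenv("OPENSSL_ALLOW_PROXY_CERTS") && getuid() == geteuid() && getgid() == getegid())` on POSIX (guarded for platforms without those calls) — or, better, drop the hack and require the flag. Whatever is kept should be documented next to the flag definition in x509_vfy.h rather than only as a "hack" comment here, since it is part of the library's trust policy. The enclosing loop and function continue outside this hunk.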
@@ -415,6 +422,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
+ {
+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
ret = X509_check_ca(x);
switch(must_be_ca)
{
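Review bot: The new rejection block carries no comment saying why a proxy certificate in the untrusted part of the chain is refused by default or how an application enables it, so a reader meeting `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` here has to hunt for the flag by name. Add above the `if`: `/* Reject proxy certificates unless the application opted in (X509_V_FLAG_ALLOW_PROXY_CERTS, or the OPENSSL_ALLOW_PROXY_CERTS environment variable). */`. Note also that the check reads `x->ex_flags` before `X509_check_ca(x)` on the following line, so it relies on the extension cache already having been populated for every untrusted certificate by an earlier step of verification — presumably true, but worth confirming. The enclosing loop starts before this hunk.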
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 33ace72671..85bd6406bb 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -292,7 +292,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#define X509_V_ERR_CRL_NOT_YET_VALID 11
#define X509_V_ERR_CRL_HAS_EXPIRED 12
@@ -325,10 +325,11 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_INVALID_NON_CA 37
#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-#define X509_V_ERR_INVALID_EXTENSION 40
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 41
-#define X509_V_ERR_NO_EXPLICIT_POLICY 42
+#define X509_V_ERR_INVALID_EXTENSION 41
+#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
+#define X509_V_ERR_NO_EXPLICIT_POLICY 43
/* The application is not happy */
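Review bot: Inserting `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` as 40 shifts `X509_V_ERR_INVALID_EXTENSION`, `X509_V_ERR_INVALID_POLICY_EXTENSION` and `X509_V_ERR_NO_EXPLICIT_POLICY` by one, which breaks any binary built against the old header and any script that matches on the numeric verify result. If those three codes have appeared in a release, the new code should be appended after them instead, `#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 43`, leaving the three existing definitions untouched. If they only ever existed on the development branch the renumbering is harmless, but the commit message should say so.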
@@ -348,14 +349,16 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_IGNORE_CRITICAL 0x10
/* Disable workarounds for broken certificates */
#define X509_V_FLAG_X509_STRICT 0x20
+/* Enable proxy certificate validation */
+#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
/* Enable policy checking */
-#define X509_V_FLAG_POLICY_CHECK 0x40
+#define X509_V_FLAG_POLICY_CHECK 0x80
/* Policy variable require-explicit-policy */
-#define X509_V_FLAG_EXPLICIT_POLICY 0x80
+#define X509_V_FLAG_EXPLICIT_POLICY 0x100
/* Policy variable inhibit-any-policy */
-#define X509_V_FLAG_INHIBIT_ANY 0x100
+#define X509_V_FLAG_INHIBIT_ANY 0x200
/* Policy variable inhibit-policy-mapping */
-#define X509_V_FLAG_INHIBIT_MAP 0x200
+#define X509_V_FLAG_INHIBIT_MAP 0x400
/* Notify callback that policy is OK */
#define X509_V_FLAG_NOTIFY_POLICY 0x800
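Review bot: Giving `X509_V_FLAG_ALLOW_PROXY_CERTS` the value 0x40 renumbers four existing flags (`POLICY_CHECK`, `EXPLICIT_POLICY`, `INHIBIT_ANY`, `INHIBIT_MAP`), so an application compiled against the old header would silently get different verification behaviour — an old 0x40 that meant "check policies" now means "allow proxy certificates", which is a loosening. The hunk shows 0x400 was unused before the change (the policy flags ended at 0x200 and `X509_V_FLAG_NOTIFY_POLICY` is 0x800), so the new flag can take it without touching the others: `#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x400`. If the policy flags have not shipped in any release the renumbering is harmless, but that should be stated in the commit message.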