summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortb <>2023-04-25 18:28:05 +0000
committertb <>2023-04-25 18:28:05 +0000
commitf93e2515680ec934d84f432f85c41fbc3d28e5bc (patch)
tree5e6300823f61fe1b218fefd7cfb03d499e067bcd
parentcd5bdbca3ae5af8f90531b86da04780bda9c9b0a (diff)
downloadopenbsd-f93e2515680ec934d84f432f85c41fbc3d28e5bc.tar.gz
openbsd-f93e2515680ec934d84f432f85c41fbc3d28e5bc.tar.bz2
openbsd-f93e2515680ec934d84f432f85c41fbc3d28e5bc.zip
Move the policy tree code to internal-only
A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/Symbols.namespace2
-rw-r--r--src/lib/libcrypto/hidden/openssl/x509_vfy.h4
-rw-r--r--src/lib/libcrypto/ossl_typ.h13
-rw-r--r--src/lib/libcrypto/x509/pcy_int.h25
-rw-r--r--src/lib/libcrypto/x509/x509_local.h14
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c16
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h46
-rw-r--r--src/lib/libcrypto/x509/x509v3.h8
8 files changed, 42 insertions, 86 deletions
diff --git a/src/lib/libcrypto/Symbols.namespace b/src/lib/libcrypto/Symbols.namespace
index 2e0a638f17..a5ac5294fb 100644
--- a/src/lib/libcrypto/Symbols.namespace
+++ b/src/lib/libcrypto/Symbols.namespace
@@ -600,8 +600,6 @@ _libre_X509_STORE_CTX_get_verify_cb
600_libre_X509_STORE_CTX_set_verify_cb 600_libre_X509_STORE_CTX_set_verify_cb
601_libre_X509_STORE_set_verify 601_libre_X509_STORE_set_verify
602_libre_X509_STORE_get_verify 602_libre_X509_STORE_get_verify
603_libre_X509_STORE_CTX_get0_policy_tree
604_libre_X509_STORE_CTX_get_explicit_policy
605_libre_X509_STORE_CTX_get_num_untrusted 603_libre_X509_STORE_CTX_get_num_untrusted
606_libre_X509_STORE_CTX_get0_param 604_libre_X509_STORE_CTX_get0_param
607_libre_X509_STORE_CTX_set0_param 605_libre_X509_STORE_CTX_set0_param
diff --git a/src/lib/libcrypto/hidden/openssl/x509_vfy.h b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
index a8e172ad2d..aae3ed1351 100644
--- a/src/lib/libcrypto/hidden/openssl/x509_vfy.h
+++ b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.h,v 1.2 2022/12/01 05:16:08 tb Exp $ */ 1/* $OpenBSD: x509_vfy.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2022 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -114,8 +114,6 @@ LCRYPTO_USED(X509_STORE_CTX_get_verify_cb);
114LCRYPTO_USED(X509_STORE_CTX_set_verify_cb); 114LCRYPTO_USED(X509_STORE_CTX_set_verify_cb);
115LCRYPTO_USED(X509_STORE_set_verify); 115LCRYPTO_USED(X509_STORE_set_verify);
116LCRYPTO_USED(X509_STORE_get_verify); 116LCRYPTO_USED(X509_STORE_get_verify);
117LCRYPTO_USED(X509_STORE_CTX_get0_policy_tree);
118LCRYPTO_USED(X509_STORE_CTX_get_explicit_policy);
119LCRYPTO_USED(X509_STORE_CTX_get_num_untrusted); 117LCRYPTO_USED(X509_STORE_CTX_get_num_untrusted);
120LCRYPTO_USED(X509_STORE_CTX_get0_param); 118LCRYPTO_USED(X509_STORE_CTX_get0_param);
121LCRYPTO_USED(X509_STORE_CTX_set0_param); 119LCRYPTO_USED(X509_STORE_CTX_set0_param);
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index b45f546cc0..6e33f8cfbd 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ossl_typ.h,v 1.24 2023/04/25 17:59:41 tb Exp $ */ 1/* $OpenBSD: ossl_typ.h,v 1.25 2023/04/25 18:28:05 tb Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -159,17 +159,6 @@ typedef struct engine_st ENGINE;
159typedef struct ssl_st SSL; 159typedef struct ssl_st SSL;
160typedef struct ssl_ctx_st SSL_CTX; 160typedef struct ssl_ctx_st SSL_CTX;
161 161
162/*
163 * Move to x509_local.h in next major bump - x509_vfy.c needs X509_POLICY_TREE
164 * and X509_POLICY_CACHE.
165 */
166#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
167typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
168typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
169typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
170typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
171#endif
172
173typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; 162typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
174typedef struct DIST_POINT_st DIST_POINT; 163typedef struct DIST_POINT_st DIST_POINT;
175typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; 164typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
diff --git a/src/lib/libcrypto/x509/pcy_int.h b/src/lib/libcrypto/x509/pcy_int.h
index 5e9edcb933..e4a20d6ca9 100644
--- a/src/lib/libcrypto/x509/pcy_int.h
+++ b/src/lib/libcrypto/x509/pcy_int.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pcy_int.h,v 1.2 2023/04/16 07:36:43 tb Exp $ */ 1/* $OpenBSD: pcy_int.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004. 3 * project 2004.
4 */ 4 */
@@ -64,6 +64,7 @@ __BEGIN_HIDDEN_DECLS
64typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; 64typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
65 65
66DECLARE_STACK_OF(X509_POLICY_DATA) 66DECLARE_STACK_OF(X509_POLICY_DATA)
67DECLARE_STACK_OF(X509_POLICY_NODE)
67 68
68/* Internal structures */ 69/* Internal structures */
69 70
@@ -209,4 +210,26 @@ int policy_node_match(const X509_POLICY_LEVEL *lvl,
209 210
210const X509_POLICY_CACHE *policy_cache_set(X509 *x); 211const X509_POLICY_CACHE *policy_cache_set(X509 *x);
211 212
213int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
214X509_POLICY_LEVEL *
215 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
216
217STACK_OF(X509_POLICY_NODE) *
218 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
219
220STACK_OF(X509_POLICY_NODE) *
221 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
222
223int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
224
225X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
226
227const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
228
229STACK_OF(POLICYQUALINFO) *
230 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
231const X509_POLICY_NODE *
232 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
233
234
212__END_HIDDEN_DECLS 235__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 043fc2dacf..6f711fe3e1 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_local.h,v 1.4 2023/04/16 18:42:30 tb Exp $ */ 1/* $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2013. 3 * project 2013.
4 */ 4 */
@@ -69,6 +69,11 @@ __BEGIN_HIDDEN_DECLS
69#define X509_CRL_HASH_EVP EVP_sha512() 69#define X509_CRL_HASH_EVP EVP_sha512()
70#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH 70#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
71 71
72typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
73typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
74typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
75typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
76
72struct X509_pubkey_st { 77struct X509_pubkey_st {
73 X509_ALGOR *algor; 78 X509_ALGOR *algor;
74 ASN1_BIT_STRING *public_key; 79 ASN1_BIT_STRING *public_key;
@@ -385,6 +390,13 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
385 390
386int name_cmp(const char *name, const char *cmp); 391int name_cmp(const char *name, const char *cmp);
387 392
393int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
394 STACK_OF(X509) *certs,
395 STACK_OF(ASN1_OBJECT) *policy_oids,
396 unsigned int flags);
397
398void X509_policy_tree_free(X509_POLICY_TREE *tree);
399
388__END_HIDDEN_DECLS 400__END_HIDDEN_DECLS
389 401
390#endif /* !HEADER_X509_LOCAL_H */ 402#endif /* !HEADER_X509_LOCAL_H */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index d54ba783e8..30118475d1 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.113 2023/04/16 18:48:58 tb Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.114 2023/04/25 18:28:05 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2601,20 +2601,6 @@ X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2601} 2601}
2602LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain); 2602LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain);
2603 2603
2604X509_POLICY_TREE *
2605X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2606{
2607 return ctx->tree;
2608}
2609LCRYPTO_ALIAS(X509_STORE_CTX_get0_policy_tree);
2610
2611int
2612X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2613{
2614 return ctx->explicit_policy;
2615}
2616LCRYPTO_ALIAS(X509_STORE_CTX_get_explicit_policy);
2617
2618int 2604int
2619X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) 2605X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
2620{ 2606{
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 3eb92b0f7f..cfa3533119 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.h,v 1.60 2023/04/16 08:30:21 tb Exp $ */ 1/* $OpenBSD: x509_vfy.h,v 1.61 2023/04/25 18:28:05 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -423,12 +423,6 @@ X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
423#define X509_STORE_set_verify_func(ctx, func) \ 423#define X509_STORE_set_verify_func(ctx, func) \
424 X509_STORE_set_verify((ctx), (func)) 424 X509_STORE_set_verify((ctx), (func))
425 425
426/* Remove in next bump. */
427#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
428X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
429int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
430#endif
431
432int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx); 426int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
433 427
434X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx); 428X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
@@ -479,44 +473,6 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
479const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); 473const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
480void X509_VERIFY_PARAM_table_cleanup(void); 474void X509_VERIFY_PARAM_table_cleanup(void);
481 475
482/* Move to x509_local.h in next bump - needed by x509_vfy.c. */
483#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
484int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
485 STACK_OF(X509) *certs,
486 STACK_OF(ASN1_OBJECT) *policy_oids,
487 unsigned int flags);
488
489void X509_policy_tree_free(X509_POLICY_TREE *tree);
490#endif
491
492/*
493 * Move these to pcy_int.h in next bump - X509_policy_tree_get0_user_policies()
494 * is actually used, the rest can be deleted.
495 */
496#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
497int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
498X509_POLICY_LEVEL *
499 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
500
501STACK_OF(X509_POLICY_NODE) *
502 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
503
504STACK_OF(X509_POLICY_NODE) *
505 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
506
507int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
508
509X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
510
511const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
512
513STACK_OF(POLICYQUALINFO) *
514 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
515const X509_POLICY_NODE *
516 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
517
518#endif
519
520#ifdef __cplusplus 476#ifdef __cplusplus
521} 477}
522#endif 478#endif
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
index 43c2a15e0f..8738b302cb 100644
--- a/src/lib/libcrypto/x509/x509v3.h
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509v3.h,v 1.21 2023/04/25 15:51:04 tb Exp $ */ 1/* $OpenBSD: x509v3.h,v 1.22 2023/04/25 18:28:05 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -847,12 +847,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc);
847int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, 847int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
848 unsigned long chtype); 848 unsigned long chtype);
849 849
850/* Move to pcy_int.h. */
851#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
852void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
853DECLARE_STACK_OF(X509_POLICY_NODE)
854#endif
855
856#ifndef OPENSSL_NO_RFC3779 850#ifndef OPENSSL_NO_RFC3779
857typedef struct ASRange_st { 851typedef struct ASRange_st {
858 ASN1_INTEGER *min; 852 ASN1_INTEGER *min;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-27 18:20:57 +0000