Remove X509_check_trust() and some related defines

Someone thought it would be a good idea to append non-standard trust information to the certs in the trust store. This API is used to inspect that depending on the intended purpose of the cert. Only M2Crypto thought it necessary to expose this. It was adjusted. ok beck jsing
author: tb <> 2024-08-31 10:12:23 +0000
committer: tb <> 2024-08-31 10:12:23 +0000
commit: 1bfe42304abd279bc2acdd729257c0be64042977 (patch)
tree: 5ad4736711eb813207541e6898526bde4640e2e7
parent: 7031212164b5493a716d2d9cd97186e6adf787b9 (diff)
download: openbsd-1bfe42304abd279bc2acdd729257c0be64042977.tar.gz
openbsd-1bfe42304abd279bc2acdd729257c0be64042977.tar.bz2
openbsd-1bfe42304abd279bc2acdd729257c0be64042977.zip
5 files changed, 11 insertions, 35 deletions
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index 3c14b481ad..6b3a8e1267 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -2714,7 +2714,6 @@ X509_check_ip_asc
 X509_check_issued
 X509_check_private_key
 X509_check_purpose
-X509_check_trust
 X509_cmp
 X509_cmp_current_time
 X509_cmp_time
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index d0ebe16790..03216ffeb2 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.10 2024/08/28 08:41:18 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.11 2024/08/31 10:12:23 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -265,7 +265,6 @@ LCRYPTO_USED(X509_ATTRIBUTE_get0_type);
 LCRYPTO_USED(X509_verify_cert);
 LCRYPTO_USED(X509_find_by_issuer_and_serial);
 LCRYPTO_USED(X509_find_by_subject);
-LCRYPTO_USED(X509_check_trust);
 LCRYPTO_USED(X509_up_ref);
 LCRYPTO_USED(X509_chain_up_ref);
 LCRYPTO_USED(ERR_load_X509_strings);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 856ad19ba4..3ab35d3d91 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.113 2024/08/28 07:15:04 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.114 2024/08/31 10:12:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -153,11 +153,6 @@ typedef struct x509_cinf_st X509_CINF;
 DECLARE_STACK_OF(X509)
-/* standard trust ids */
-/* OpenSSL changed this to 0 */
-#define X509_TRUST_DEFAULT      -1      /* Only valid in purpose settings */
 #define X509_TRUST_COMPAT       1
 #define X509_TRUST_SSL_CLIENT   2
 #define X509_TRUST_SSL_SERVER   3
@@ -171,17 +166,6 @@ DECLARE_STACK_OF(X509)
 #define X509_TRUST_MIN          1
 #define X509_TRUST_MAX          8
-/* trust_flags values */
-#define X509_TRUST_DYNAMIC      1
-#define X509_TRUST_DYNAMIC_NAME 2
-/* check_trust return codes */
-#define X509_TRUST_TRUSTED      1
-#define X509_TRUST_REJECTED     2
-#define X509_TRUST_UNTRUSTED    3
 /* Flags for X509_print_ex() */
 #define X509_FLAG_COMPAT                0
@@ -1013,8 +997,6 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, int ptype,
 int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk,
    int *ppklen, X509_ALGOR **pa, X509_PUBKEY *pub);
-int X509_check_trust(X509 *x, int id, int flags);
 int X509_up_ref(X509 *x);
 STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index b5a02b1146..0f0d5c1de5 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.28 2024/08/31 10:04:50 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.29 2024/08/31 10:12:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -71,14 +71,15 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP       EVP_sha512()
 #define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
-/*
- * Used internally instead of the confusing X509_TRUST_DEFAULT,
- * which is not the default for X509_check_trust.
- * XXX Make X509_check_trust internal, and move the other
- * X509_TRUST values here to clean up this mess.
- */
 #define X509_TRUST_ACCEPT_ALL   -1
+/* check_trust return codes */
+#define X509_TRUST_TRUSTED      1
+#define X509_TRUST_REJECTED     2
+#define X509_TRUST_UNTRUSTED    3
+int X509_check_trust(X509 *x, int id, int flags);
 struct X509_pubkey_st {
        X509_ALGOR *algor;
        ASN1_BIT_STRING *public_key;
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 9ba8194ee0..e7e42a83cd 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.58 2024/08/31 10:12:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -147,10 +147,6 @@ X509_check_trust(X509 *x, int trust_id, int flags)
        if (!x509v3_cache_extensions(x))
                return X509_TRUST_UNTRUSTED;
-        /*
-         * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
-         * need to have the same -1 value as X509_TRUST_DEFAULT
-         */
        if (trust_id == X509_TRUST_ACCEPT_ALL)
                return 1;
@@ -175,4 +171,3 @@ X509_check_trust(X509 *x, int trust_id, int flags)
                return trust_if_self_signed(x);
        }
 }
-LCRYPTO_ALIAS(X509_check_trust);
author	tb <>	2024-08-31 10:12:23 +0000
committer	tb <>	2024-08-31 10:12:23 +0000
commit	1bfe42304abd279bc2acdd729257c0be64042977 (patch)
tree	5ad4736711eb813207541e6898526bde4640e2e7
parent	7031212164b5493a716d2d9cd97186e6adf787b9 (diff)
download	openbsd-1bfe42304abd279bc2acdd729257c0be64042977.tar.gz openbsd-1bfe42304abd279bc2acdd729257c0be64042977.tar.bz2 openbsd-1bfe42304abd279bc2acdd729257c0be64042977.zip