Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
author: tb <> 2023-04-25 18:28:05 +0000
committer: tb <> 2023-04-25 18:28:05 +0000
commit: 1e19be2bbd27af0df9ea06c8c0a46f5ab687d976 (patch)
tree: 5e6300823f61fe1b218fefd7cfb03d499e067bcd
parent: cab021af4c7b73bac13f4b68c8b8360639242879 (diff)
download: openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.tar.gz
openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.tar.bz2
openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.zip
8 files changed, 42 insertions, 86 deletions
diff --git a/src/lib/libcrypto/Symbols.namespace b/src/lib/libcrypto/Symbols.namespace
index 2e0a638f17..a5ac5294fb 100644
--- a/src/lib/libcrypto/Symbols.namespace
+++ b/src/lib/libcrypto/Symbols.namespace
@@ -600,8 +600,6 @@ _libre_X509_STORE_CTX_get_verify_cb
 _libre_X509_STORE_CTX_set_verify_cb
 _libre_X509_STORE_set_verify
 _libre_X509_STORE_get_verify
-_libre_X509_STORE_CTX_get0_policy_tree
-_libre_X509_STORE_CTX_get_explicit_policy
 _libre_X509_STORE_CTX_get_num_untrusted
 _libre_X509_STORE_CTX_get0_param
 _libre_X509_STORE_CTX_set0_param
diff --git a/src/lib/libcrypto/hidden/openssl/x509_vfy.h b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
index a8e172ad2d..aae3ed1351 100644
--- a/src/lib/libcrypto/hidden/openssl/x509_vfy.h
+++ b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.2 2022/12/01 05:16:08 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -114,8 +114,6 @@ LCRYPTO_USED(X509_STORE_CTX_get_verify_cb);
 LCRYPTO_USED(X509_STORE_CTX_set_verify_cb);
 LCRYPTO_USED(X509_STORE_set_verify);
 LCRYPTO_USED(X509_STORE_get_verify);
-LCRYPTO_USED(X509_STORE_CTX_get0_policy_tree);
-LCRYPTO_USED(X509_STORE_CTX_get_explicit_policy);
 LCRYPTO_USED(X509_STORE_CTX_get_num_untrusted);
 LCRYPTO_USED(X509_STORE_CTX_get0_param);
 LCRYPTO_USED(X509_STORE_CTX_set0_param);
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index b45f546cc0..6e33f8cfbd 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ossl_typ.h,v 1.24 2023/04/25 17:59:41 tb Exp $ */
+/* $OpenBSD: ossl_typ.h,v 1.25 2023/04/25 18:28:05 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
@@ -159,17 +159,6 @@ typedef struct engine_st ENGINE;
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
-/*
- * Move to x509_local.h in next major bump - x509_vfy.c needs X509_POLICY_TREE
- * and X509_POLICY_CACHE.
- */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
 typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
 typedef struct DIST_POINT_st DIST_POINT;
 typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
diff --git a/src/lib/libcrypto/x509/pcy_int.h b/src/lib/libcrypto/x509/pcy_int.h
index 5e9edcb933..e4a20d6ca9 100644
--- a/src/lib/libcrypto/x509/pcy_int.h
+++ b/src/lib/libcrypto/x509/pcy_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_int.h,v 1.2 2023/04/16 07:36:43 tb Exp $ */
+/* $OpenBSD: pcy_int.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -64,6 +64,7 @@ __BEGIN_HIDDEN_DECLS
 typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
 DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_NODE)
 /* Internal structures */
@@ -209,4 +210,26 @@ int policy_node_match(const X509_POLICY_LEVEL *lvl,
 const X509_POLICY_CACHE *policy_cache_set(X509 *x);
+int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
+X509_POLICY_LEVEL *
+        X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
+STACK_OF(X509_POLICY_NODE) *
+        X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
+STACK_OF(X509_POLICY_NODE) *
+        X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
+int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
+X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
+const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
+STACK_OF(POLICYQUALINFO) *
+        X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
+const X509_POLICY_NODE *
+        X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 043fc2dacf..6f711fe3e1 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.4 2023/04/16 18:42:30 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -69,6 +69,11 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP       EVP_sha512()
 #define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
 struct X509_pubkey_st {
        X509_ALGOR *algor;
        ASN1_BIT_STRING *public_key;
@@ -385,6 +390,13 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+                        STACK_OF(X509) *certs,
+                        STACK_OF(ASN1_OBJECT) *policy_oids,
+                        unsigned int flags);
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
 __END_HIDDEN_DECLS
 #endif /* !HEADER_X509_LOCAL_H */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index d54ba783e8..30118475d1 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.113 2023/04/16 18:48:58 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.114 2023/04/25 18:28:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2601,20 +2601,6 @@ X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 }
 LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain);
-X509_POLICY_TREE *
-X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
-{
-        return ctx->tree;
-}
-LCRYPTO_ALIAS(X509_STORE_CTX_get0_policy_tree);
-int
-X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
-{
-        return ctx->explicit_policy;
-}
-LCRYPTO_ALIAS(X509_STORE_CTX_get_explicit_policy);
 int
 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
 {
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 3eb92b0f7f..cfa3533119 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.60 2023/04/16 08:30:21 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.61 2023/04/25 18:28:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -423,12 +423,6 @@ X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
 #define X509_STORE_set_verify_func(ctx, func) \
    X509_STORE_set_verify((ctx), (func))
-/* Remove in next bump. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-#endif
 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
@@ -479,44 +473,6 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
 void X509_VERIFY_PARAM_table_cleanup(void);
-/* Move to x509_local.h in next bump - needed by x509_vfy.c. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
-                        STACK_OF(X509) *certs,
-                        STACK_OF(ASN1_OBJECT) *policy_oids,
-                        unsigned int flags);
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
-/*
- * Move these to pcy_int.h in next bump - X509_policy_tree_get0_user_policies()
- * is actually used, the rest can be deleted.
- */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-X509_POLICY_LEVEL *
-        X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
-STACK_OF(X509_POLICY_NODE) *
-        X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
-STACK_OF(X509_POLICY_NODE) *
-        X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
-STACK_OF(POLICYQUALINFO) *
-        X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
-const X509_POLICY_NODE *
-        X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
-#endif
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
index 43c2a15e0f..8738b302cb 100644
--- a/src/lib/libcrypto/x509/x509v3.h
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.21 2023/04/25 15:51:04 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.22 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -847,12 +847,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc);
 int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
                                                unsigned long chtype);
-/* Move to pcy_int.h. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DECLARE_STACK_OF(X509_POLICY_NODE)
-#endif
 #ifndef OPENSSL_NO_RFC3779
 typedef struct ASRange_st {
        ASN1_INTEGER *min;
author	tb <>	2023-04-25 18:28:05 +0000
committer	tb <>	2023-04-25 18:28:05 +0000
commit	1e19be2bbd27af0df9ea06c8c0a46f5ab687d976 (patch)
tree	5e6300823f61fe1b218fefd7cfb03d499e067bcd
parent	cab021af4c7b73bac13f4b68c8b8360639242879 (diff)
download	openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.tar.gz openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.tar.bz2 openbsd-1e19be2bbd27af0df9ea06c8c0a46f5ab687d976.zip