diff options
| author | tb <> | 2024-05-08 08:20:08 +0000 |
|---|---|---|
| committer | tb <> | 2024-05-08 08:20:08 +0000 |
| commit | 3064d328febdb0dffc9cd69259663580fd1133b4 (patch) | |
| tree | d7f8ba21cb647b42fe65ff27d943962a818d966a | |
| parent | c46d931e06126b69de6000e5b24e54d9e8779194 (diff) | |
| download | openbsd-3064d328febdb0dffc9cd69259663580fd1133b4.tar.gz openbsd-3064d328febdb0dffc9cd69259663580fd1133b4.tar.bz2 openbsd-3064d328febdb0dffc9cd69259663580fd1133b4.zip | |
Simplify X509_REQ_get_extensions()
Now that we know the two OIDs we need to look for when checking for the
extension list attribute in a certification request, we can simplify this
quite a bit. There is one change of behavior. Attribute value sets are not
supposed to be empty and it makes no sense to return an empty stack of
extensions in that case, return NULL instead, matching BoringSSL.
This removes last use of ext_nids and ext_nid_list[], so these two bits
of unprotected global mutable state can now join the party in the attic.
ok jsing
| -rw-r--r-- | src/lib/libcrypto/x509/x509_req.c | 35 |
1 files changed, 13 insertions, 22 deletions
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c index 1497b1ec16..34e052341d 100644 --- a/src/lib/libcrypto/x509/x509_req.c +++ b/src/lib/libcrypto/x509/x509_req.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_req.c,v 1.35 2024/05/08 08:11:50 tb Exp $ */ | 1 | /* $OpenBSD: x509_req.c,v 1.36 2024/05/08 08:20:08 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -170,15 +170,6 @@ X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) | |||
| 170 | } | 170 | } |
| 171 | LCRYPTO_ALIAS(X509_REQ_check_private_key); | 171 | LCRYPTO_ALIAS(X509_REQ_check_private_key); |
| 172 | 172 | ||
| 173 | /* It seems several organisations had the same idea of including a list of | ||
| 174 | * extensions in a certificate request. There are at least two OIDs that are | ||
| 175 | * used and there may be more: so the list is configurable. | ||
| 176 | */ | ||
| 177 | |||
| 178 | static int ext_nid_list[] = {NID_ext_req, NID_ms_ext_req, NID_undef}; | ||
| 179 | |||
| 180 | static int *ext_nids = ext_nid_list; | ||
| 181 | |||
| 182 | int | 173 | int |
| 183 | X509_REQ_extension_nid(int nid) | 174 | X509_REQ_extension_nid(int nid) |
| 184 | { | 175 | { |
| @@ -191,21 +182,21 @@ X509_REQ_get_extensions(X509_REQ *req) | |||
| 191 | { | 182 | { |
| 192 | X509_ATTRIBUTE *attr; | 183 | X509_ATTRIBUTE *attr; |
| 193 | ASN1_TYPE *ext = NULL; | 184 | ASN1_TYPE *ext = NULL; |
| 194 | int idx, *pnid; | 185 | int idx; |
| 195 | const unsigned char *p; | 186 | const unsigned char *p; |
| 196 | 187 | ||
| 197 | if (req == NULL || req->req_info == NULL || ext_nids == NULL) | 188 | if (req == NULL || req->req_info == NULL) |
| 189 | return NULL; | ||
| 190 | |||
| 191 | if ((idx = X509_REQ_get_attr_by_NID(req, NID_ext_req, -1)) == -1) | ||
| 192 | idx = X509_REQ_get_attr_by_NID(req, NID_ms_ext_req, -1); | ||
| 193 | if (idx == -1) | ||
| 194 | return NULL; | ||
| 195 | |||
| 196 | if ((attr = X509_REQ_get_attr(req, idx)) == NULL) | ||
| 197 | return NULL; | ||
| 198 | if ((ext = X509_ATTRIBUTE_get0_type(attr, 0)) == NULL) | ||
| 198 | return NULL; | 199 | return NULL; |
| 199 | for (pnid = ext_nids; *pnid != NID_undef; pnid++) { | ||
| 200 | idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); | ||
| 201 | if (idx == -1) | ||
| 202 | continue; | ||
| 203 | attr = X509_REQ_get_attr(req, idx); | ||
| 204 | ext = X509_ATTRIBUTE_get0_type(attr, 0); | ||
| 205 | break; | ||
| 206 | } | ||
| 207 | if (ext == NULL) | ||
| 208 | return sk_X509_EXTENSION_new_null(); | ||
| 209 | if (ext->type != V_ASN1_SEQUENCE) | 200 | if (ext->type != V_ASN1_SEQUENCE) |
| 210 | return NULL; | 201 | return NULL; |
| 211 | p = ext->value.sequence->data; | 202 | p = ext->value.sequence->data; |