Take the old policy code behind the barn

It can go play in the fields with all the other exponential time policy "code". discussed with jsing ok & commit message beck
author: tb <> 2023-04-28 16:21:57 +0000
committer: tb <> 2023-04-28 16:21:57 +0000
commit: 0f7876e466fed4dad77a738f0bdb63846092d5ef (patch)
tree: ab7bf11dbba9e8b630f9ced2d33ff8be0eb6049a /src/lib/libcrypto/x509/pcy_cache.c
parent: 1059b2a4a3d9eb72ad6073bbadee2edc0fd7f990 (diff)
download: openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.tar.gz
openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.tar.bz2
openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.zip
1 files changed, 0 insertions, 276 deletions
diff --git a/src/lib/libcrypto/x509/pcy_cache.c b/src/lib/libcrypto/x509/pcy_cache.c
deleted file mode 100644
index 10cefd7f34..0000000000
--- a/src/lib/libcrypto/x509/pcy_cache.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* $OpenBSD: pcy_cache.c,v 1.4 2023/04/26 19:11:32 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#ifndef LIBRESSL_HAS_POLICY_DAG
-#include "pcy_int.h"
-#include "x509_local.h"
-static int policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b);
-static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
-/* Set cache entry according to CertificatePolicies extension.
- * Note: this destroys the passed CERTIFICATEPOLICIES structure.
- */
-static int
-policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
-{
-        int i;
-        int ret = 0;
-        X509_POLICY_CACHE *cache = x->policy_cache;
-        X509_POLICY_DATA *data = NULL;
-        POLICYINFO *policy;
-        if (sk_POLICYINFO_num(policies) == 0)
-                goto bad_policy;
-        cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
-        if (!cache->data)
-                goto bad_policy;
-        for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
-                policy = sk_POLICYINFO_value(policies, i);
-                data = policy_data_new(policy, NULL, crit);
-                if (!data)
-                        goto bad_policy;
-                /* Duplicate policy OIDs are illegal: reject if matches
-                 * found.
-                 */
-                if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-                        if (cache->anyPolicy) {
-                                ret = -1;
-                                goto bad_policy;
-                        }
-                        cache->anyPolicy = data;
-                } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
-                        ret = -1;
-                        goto bad_policy;
-                } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
-                        goto bad_policy;
-                data = NULL;
-        }
-        ret = 1;
-bad_policy:
-        if (ret == -1)
-                x->ex_flags |= EXFLAG_INVALID_POLICY;
-        if (data)
-                policy_data_free(data);
-        sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
-        if (ret <= 0) {
-                sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-                cache->data = NULL;
-        }
-        return ret;
-}
-static int
-policy_cache_new(X509 *x)
-{
-        X509_POLICY_CACHE *cache;
-        ASN1_INTEGER *ext_any = NULL;
-        POLICY_CONSTRAINTS *ext_pcons = NULL;
-        CERTIFICATEPOLICIES *ext_cpols = NULL;
-        POLICY_MAPPINGS *ext_pmaps = NULL;
-        int i;
-        cache = malloc(sizeof(X509_POLICY_CACHE));
-        if (!cache)
-                return 0;
-        cache->anyPolicy = NULL;
-        cache->data = NULL;
-        cache->any_skip = -1;
-        cache->explicit_skip = -1;
-        cache->map_skip = -1;
-        x->policy_cache = cache;
-        /* Handle requireExplicitPolicy *first*. Need to process this
-         * even if we don't have any policies.
-         */
-        ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
-        if (!ext_pcons) {
-                if (i != -1)
-                        goto bad_cache;
-        } else {
-                if (!ext_pcons->requireExplicitPolicy &&
-                    !ext_pcons->inhibitPolicyMapping)
-                        goto bad_cache;
-                if (!policy_cache_set_int(&cache->explicit_skip,
-                    ext_pcons->requireExplicitPolicy))
-                        goto bad_cache;
-                if (!policy_cache_set_int(&cache->map_skip,
-                    ext_pcons->inhibitPolicyMapping))
-                        goto bad_cache;
-        }
-        /* Process CertificatePolicies */
-        ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
-        /* If no CertificatePolicies extension or problem decoding then
-         * there is no point continuing because the valid policies will be
-         * NULL.
-         */
-        if (!ext_cpols) {
-                /* If not absent some problem with extension */
-                if (i != -1)
-                        goto bad_cache;
-                return 1;
-        }
-        i = policy_cache_create(x, ext_cpols, i);
-        /* NB: ext_cpols freed by policy_cache_set_policies */
-        if (i <= 0)
-                return i;
-        ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
-        if (!ext_pmaps) {
-                /* If not absent some problem with extension */
-                if (i != -1)
-                        goto bad_cache;
-        } else {
-                i = policy_cache_set_mapping(x, ext_pmaps);
-                if (i <= 0)
-                        goto bad_cache;
-        }
-        ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
-        if (!ext_any) {
-                if (i != -1)
-                        goto bad_cache;
-        } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
-                goto bad_cache;
-        if (0) {
-bad_cache:
-                x->ex_flags |= EXFLAG_INVALID_POLICY;
-        }
-        if (ext_pcons)
-                POLICY_CONSTRAINTS_free(ext_pcons);
-        if (ext_any)
-                ASN1_INTEGER_free(ext_any);
-        return 1;
-}
-void
-policy_cache_free(X509_POLICY_CACHE *cache)
-{
-        if (!cache)
-                return;
-        if (cache->anyPolicy)
-                policy_data_free(cache->anyPolicy);
-        if (cache->data)
-                sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-        free(cache);
-}
-const X509_POLICY_CACHE *
-policy_cache_set(X509 *x)
-{
-        if (x->policy_cache == NULL) {
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                policy_cache_new(x);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        return x->policy_cache;
-}
-X509_POLICY_DATA *
-policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
-{
-        int idx;
-        X509_POLICY_DATA tmp;
-        tmp.valid_policy = (ASN1_OBJECT *)id;
-        idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
-        if (idx == -1)
-                return NULL;
-        return sk_X509_POLICY_DATA_value(cache->data, idx);
-}
-static int
-policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b)
-{
-        return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
-}
-static int
-policy_cache_set_int(long *out, ASN1_INTEGER *value)
-{
-        if (value == NULL)
-                return 1;
-        if (value->type == V_ASN1_NEG_INTEGER)
-                return 0;
-        *out = ASN1_INTEGER_get(value);
-        return 1;
-}
-#endif /* LIBRESSL_HAS_POLICY_DAG */
author	tb <>	2023-04-28 16:21:57 +0000
committer	tb <>	2023-04-28 16:21:57 +0000
commit	0f7876e466fed4dad77a738f0bdb63846092d5ef (patch)
tree	ab7bf11dbba9e8b630f9ced2d33ff8be0eb6049a /src/lib/libcrypto/x509/pcy_cache.c
parent	1059b2a4a3d9eb72ad6073bbadee2edc0fd7f990 (diff)
download	openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.tar.gz openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.tar.bz2 openbsd-0f7876e466fed4dad77a738f0bdb63846092d5ef.zip

diff --git a/src/lib/libcrypto/x509/pcy_cache.c b/src/lib/libcrypto/x509/pcy_cache.c deleted file mode 100644 index 10cefd7f34..0000000000 --- a/src/lib/libcrypto/x509/pcy_cache.c +++ /dev/null
@@ -1,276 +0,0 @@
1	/* $OpenBSD: pcy_cache.c,v 1.4 2023/04/26 19:11:32 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2004.
4	*/
5	/* ====================================================================
6	* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* licensing@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <openssl/x509.h>
60	#include <openssl/x509v3.h>
61
62	#ifndef LIBRESSL_HAS_POLICY_DAG
63
64	#include "pcy_int.h"
65	#include "x509_local.h"
66
67	static int policy_data_cmp(const X509_POLICY_DATA * const *a,
68	const X509_POLICY_DATA * const *b);
69	static int policy_cache_set_int(long out, ASN1_INTEGER value);
70
71	/* Set cache entry according to CertificatePolicies extension.
72	* Note: this destroys the passed CERTIFICATEPOLICIES structure.
73	*/
74
75	static int
76	policy_cache_create(X509 x, CERTIFICATEPOLICIES policies, int crit)
77	{
78	int i;
79	int ret = 0;
80	X509_POLICY_CACHE *cache = x->policy_cache;
81	X509_POLICY_DATA *data = NULL;
82	POLICYINFO *policy;
83
84	if (sk_POLICYINFO_num(policies) == 0)
85	goto bad_policy;
86	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
87	if (!cache->data)
88	goto bad_policy;
89	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
90	policy = sk_POLICYINFO_value(policies, i);
91	data = policy_data_new(policy, NULL, crit);
92	if (!data)
93	goto bad_policy;
94	/* Duplicate policy OIDs are illegal: reject if matches
95	* found.
96	*/
97	if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
98	if (cache->anyPolicy) {
99	ret = -1;
100	goto bad_policy;
101	}
102	cache->anyPolicy = data;
103	} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
104	ret = -1;
105	goto bad_policy;
106	} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
107	goto bad_policy;
108	data = NULL;
109	}
110	ret = 1;
111
112	bad_policy:
113	if (ret == -1)
114	x->ex_flags \|= EXFLAG_INVALID_POLICY;
115	if (data)
116	policy_data_free(data);
117	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
118	if (ret <= 0) {
119	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
120	cache->data = NULL;
121	}
122	return ret;
123	}
124
125	static int
126	policy_cache_new(X509 *x)
127	{
128	X509_POLICY_CACHE *cache;
129	ASN1_INTEGER *ext_any = NULL;
130	POLICY_CONSTRAINTS *ext_pcons = NULL;
131	CERTIFICATEPOLICIES *ext_cpols = NULL;
132	POLICY_MAPPINGS *ext_pmaps = NULL;
133	int i;
134
135	cache = malloc(sizeof(X509_POLICY_CACHE));
136	if (!cache)
137	return 0;
138	cache->anyPolicy = NULL;
139	cache->data = NULL;
140	cache->any_skip = -1;
141	cache->explicit_skip = -1;
142	cache->map_skip = -1;
143
144	x->policy_cache = cache;
145
146	/* Handle requireExplicitPolicy first. Need to process this
147	* even if we don't have any policies.
148	*/
149	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
150
151	if (!ext_pcons) {
152	if (i != -1)
153	goto bad_cache;
154	} else {
155	if (!ext_pcons->requireExplicitPolicy &&
156	!ext_pcons->inhibitPolicyMapping)
157	goto bad_cache;
158	if (!policy_cache_set_int(&cache->explicit_skip,
159	ext_pcons->requireExplicitPolicy))
160	goto bad_cache;
161	if (!policy_cache_set_int(&cache->map_skip,
162	ext_pcons->inhibitPolicyMapping))
163	goto bad_cache;
164	}
165
166	/* Process CertificatePolicies */
167
168	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
169	/* If no CertificatePolicies extension or problem decoding then
170	* there is no point continuing because the valid policies will be
171	* NULL.
172	*/
173	if (!ext_cpols) {
174	/* If not absent some problem with extension */
175	if (i != -1)
176	goto bad_cache;
177	return 1;
178	}
179
180	i = policy_cache_create(x, ext_cpols, i);
181
182	/* NB: ext_cpols freed by policy_cache_set_policies */
183
184	if (i <= 0)
185	return i;
186
187	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
188
189	if (!ext_pmaps) {
190	/* If not absent some problem with extension */
191	if (i != -1)
192	goto bad_cache;
193	} else {
194	i = policy_cache_set_mapping(x, ext_pmaps);
195	if (i <= 0)
196	goto bad_cache;
197	}
198
199	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
200
201	if (!ext_any) {
202	if (i != -1)
203	goto bad_cache;
204	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
205	goto bad_cache;
206
207	if (0) {
208	bad_cache:
209	x->ex_flags \|= EXFLAG_INVALID_POLICY;
210	}
211
212	if (ext_pcons)
213	POLICY_CONSTRAINTS_free(ext_pcons);
214
215	if (ext_any)
216	ASN1_INTEGER_free(ext_any);
217
218	return 1;
219	}
220
221	void
222	policy_cache_free(X509_POLICY_CACHE *cache)
223	{
224	if (!cache)
225	return;
226	if (cache->anyPolicy)
227	policy_data_free(cache->anyPolicy);
228	if (cache->data)
229	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
230	free(cache);
231	}
232
233	const X509_POLICY_CACHE *
234	policy_cache_set(X509 *x)
235	{
236	if (x->policy_cache == NULL) {
237	CRYPTO_w_lock(CRYPTO_LOCK_X509);
238	policy_cache_new(x);
239	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
240	}
241
242	return x->policy_cache;
243	}
244
245	X509_POLICY_DATA *
246	policy_cache_find_data(const X509_POLICY_CACHE cache, const ASN1_OBJECT id)
247	{
248	int idx;
249	X509_POLICY_DATA tmp;
250
251	tmp.valid_policy = (ASN1_OBJECT *)id;
252	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
253	if (idx == -1)
254	return NULL;
255	return sk_X509_POLICY_DATA_value(cache->data, idx);
256	}
257
258	static int
259	policy_data_cmp(const X509_POLICY_DATA * const *a,
260	const X509_POLICY_DATA * const *b)
261	{
262	return OBJ_cmp((a)->valid_policy, (b)->valid_policy);
263	}
264
265	static int
266	policy_cache_set_int(long out, ASN1_INTEGER value)
267	{
268	if (value == NULL)
269	return 1;
270	if (value->type == V_ASN1_NEG_INTEGER)
271	return 0;
272	*out = ASN1_INTEGER_get(value);
273	return 1;
274	}
275
276	#endif /* LIBRESSL_HAS_POLICY_DAG */