authortb <>2023-04-15 16:17:57 +0000
committertb <>2023-04-15 16:17:57 +0000
commit8221e1f6e1937082adf9adf85edcd0232abe3aa6 (patch)
tree4e3a78626337d2fb6ba2c90a7dc768625925b3d0 /src
parent3b4d26b23409ee18799326c55ef9f56697d14b96 (diff)
ssltest: initial pass of dropping proxy cert goo
Diffstat (limited to 'src')
-rw-r--r--src/regress/lib/libssl/ssl/ssltest.c90
1 files changed, 1 insertions, 89 deletions
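--- a/src/regress/lib/libssl/ssl/ssltest.c
+++ b/src/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssltest.c,v 1.37 2023/02/02 12:37:14 anton Exp $ */
+/* $OpenBSD: ssltest.c,v 1.38 2023/04/15 16:17:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1436,94 +1436,6 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
 }
 }
 
-if (ok == 1) {
-if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
-unsigned int *letters =
-X509_STORE_CTX_get_ex_data(ctx,
-get_proxy_auth_ex_data_idx());
-
-if (letters) {
-int found_any = 0;
-int i;
-PROXY_CERT_INFO_EXTENSION *pci =
-X509_get_ext_d2i(xs, NID_proxyCertInfo,
-NULL, NULL);
-
-switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
-case NID_Independent:
-/* Completely meaningless in this
-program, as there's no way to
-grant explicit rights to a
-specific PrC. Basically, using
-id-ppl-Independent is the perfect
-way to grant no rights at all. */
-fprintf(stderr, " Independent proxy certificate");
-for (i = 0; i < 26; i++)
-letters[i] = 0;
-break;
-case NID_id_ppl_inheritAll:
-/* This is basically a NOP, we
-simply let the current rights
-stand as they are. */
-fprintf(stderr, " Proxy certificate inherits all");
-break;
-default:
-s = (char *)
-pci->proxyPolicy->policy->data;
-i = pci->proxyPolicy->policy->length;
-
-/* The algorithm works as follows:
-it is assumed that previous
-iterations or the initial granted
-rights has already set some elements
-of `letters'. What we need to do is
-to clear those that weren't granted
-by the current PrC as well. The
-easiest way to do this is to add 1
-to all the elements whose letters
-are given with the current policy.
-That way, all elements that are set
-by the current policy and were
-already set by earlier policies and
-through the original grant of rights
-will get the value 2 or higher.
-The last thing to do is to sweep
-through `letters' and keep the
-elements having the value 2 as set,
-and clear all the others. */
-
-fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
-while (i-- > 0) {
-int c = *s++;
-if (isascii(c) && isalpha(c)) {
-if (islower(c))
-c = toupper(c);
-letters[c - 'A']++;
-}
-}
-for (i = 0; i < 26; i++)
-if (letters[i] < 2)
-letters[i] = 0;
-else
-letters[i] = 1;
-}
-
-found_any = 0;
-fprintf(stderr, ", resulting proxy rights = ");
-for (i = 0; i < 26; i++)
-if (letters[i]) {
-fprintf(stderr, "%c", i + 'A');
-found_any = 1;
-}
-if (!found_any)
-fprintf(stderr, "none");
-fprintf(stderr, "\n");
-
-PROXY_CERT_INFO_EXTENSION_free(pci);
-}
-}
-}
-
 return (ok);
 }
 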