diff options
| author | tb <> | 2024-01-06 17:37:23 +0000 |
|---|---|---|
| committer | tb <> | 2024-01-06 17:37:23 +0000 |
| commit | ce013cb97fcfce766becec4de468e051cfe769c2 (patch) | |
| tree | 52cdbf9594229dc56ff439ea477e9bdeecbdb1a2 /src | |
| parent | ca00b1e55ab503cc77058c62611b0b6ec94882f2 (diff) | |
| download | openbsd-ce013cb97fcfce766becec4de468e051cfe769c2.tar.gz openbsd-ce013cb97fcfce766becec4de468e051cfe769c2.tar.bz2 openbsd-ce013cb97fcfce766becec4de468e051cfe769c2.zip | |
Remove X509_CRL_METHOD internals
Another complication of dubious value that nobody's ever used. crl_init(),
crl_free() and the meth_data are dead weight, as are their accessors.
Inline def_crl_verify() in X509_CRL_verify() so that the latter becomes
the trivial wrapper of ASN1_item_verify() that one would expect it to be.
It is quite unclear what kind of customization would make sense here...
def_crl_lookup() is renamed into crl_lookup() and its two callers,
X509_CRL_lookup_by_{serial,cert}(), are moved below it so that we
don't need a prototype.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/asn1/asn1_local.h | 11 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/x_crl.c | 102 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_local.h | 4 |
3 files changed, 25 insertions, 92 deletions
diff --git a/src/lib/libcrypto/asn1/asn1_local.h b/src/lib/libcrypto/asn1/asn1_local.h index c1dfa6f68c..a8cc53221f 100644 --- a/src/lib/libcrypto/asn1/asn1_local.h +++ b/src/lib/libcrypto/asn1/asn1_local.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: asn1_local.h,v 1.5 2023/12/29 10:59:00 tb Exp $ */ | 1 | /* $OpenBSD: asn1_local.h,v 1.6 2024/01/06 17:37:23 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2006. | 3 | * project 2006. |
| 4 | */ | 4 | */ |
| @@ -98,15 +98,6 @@ struct asn1_pctx_st { | |||
| 98 | 98 | ||
| 99 | #define X509_CRL_METHOD_DYNAMIC 1 | 99 | #define X509_CRL_METHOD_DYNAMIC 1 |
| 100 | 100 | ||
| 101 | struct x509_crl_method_st { | ||
| 102 | int flags; | ||
| 103 | int (*crl_init)(X509_CRL *crl); | ||
| 104 | int (*crl_free)(X509_CRL *crl); | ||
| 105 | int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, | ||
| 106 | ASN1_INTEGER *ser, X509_NAME *issuer); | ||
| 107 | int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk); | ||
| 108 | }; | ||
| 109 | |||
| 110 | int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it); | 101 | int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it); |
| 111 | int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it); | 102 | int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it); |
| 112 | 103 | ||
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c index b33ae6e032..b58d88833c 100644 --- a/src/lib/libcrypto/asn1/x_crl.c +++ b/src/lib/libcrypto/asn1/x_crl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x_crl.c,v 1.41 2023/07/07 19:37:52 beck Exp $ */ | 1 | /* $OpenBSD: x_crl.c,v 1.42 2024/01/06 17:37:23 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -100,17 +100,6 @@ const ASN1_ITEM X509_REVOKED_it = { | |||
| 100 | .sname = "X509_REVOKED", | 100 | .sname = "X509_REVOKED", |
| 101 | }; | 101 | }; |
| 102 | 102 | ||
| 103 | static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r); | ||
| 104 | static int def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, | ||
| 105 | ASN1_INTEGER *serial, X509_NAME *issuer); | ||
| 106 | |||
| 107 | static X509_CRL_METHOD int_crl_meth = { | ||
| 108 | .crl_lookup = def_crl_lookup, | ||
| 109 | .crl_verify = def_crl_verify | ||
| 110 | }; | ||
| 111 | |||
| 112 | static const X509_CRL_METHOD *default_crl_method = &int_crl_meth; | ||
| 113 | |||
| 114 | /* The X509_CRL_INFO structure needs a bit of customisation. | 103 | /* The X509_CRL_INFO structure needs a bit of customisation. |
| 115 | * Since we cache the original encoding the signature wont be affected by | 104 | * Since we cache the original encoding the signature wont be affected by |
| 116 | * reordering of the revoked field. | 105 | * reordering of the revoked field. |
| @@ -280,8 +269,6 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) | |||
| 280 | crl->flags = 0; | 269 | crl->flags = 0; |
| 281 | crl->idp_flags = 0; | 270 | crl->idp_flags = 0; |
| 282 | crl->idp_reasons = CRLDP_ALL_REASONS; | 271 | crl->idp_reasons = CRLDP_ALL_REASONS; |
| 283 | crl->meth = default_crl_method; | ||
| 284 | crl->meth_data = NULL; | ||
| 285 | crl->issuers = NULL; | 272 | crl->issuers = NULL; |
| 286 | crl->crl_number = NULL; | 273 | crl->crl_number = NULL; |
| 287 | crl->base_crl_number = NULL; | 274 | crl->base_crl_number = NULL; |
| @@ -335,18 +322,9 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) | |||
| 335 | 322 | ||
| 336 | if (!crl_set_issuers(crl)) | 323 | if (!crl_set_issuers(crl)) |
| 337 | return 0; | 324 | return 0; |
| 338 | |||
| 339 | if (crl->meth->crl_init) { | ||
| 340 | if (crl->meth->crl_init(crl) == 0) | ||
| 341 | return 0; | ||
| 342 | } | ||
| 343 | break; | 325 | break; |
| 344 | 326 | ||
| 345 | case ASN1_OP_FREE_POST: | 327 | case ASN1_OP_FREE_POST: |
| 346 | if (crl->meth->crl_free) { | ||
| 347 | if (!crl->meth->crl_free(crl)) | ||
| 348 | rc = 0; | ||
| 349 | } | ||
| 350 | if (crl->akid) | 328 | if (crl->akid) |
| 351 | AUTHORITY_KEYID_free(crl->akid); | 329 | AUTHORITY_KEYID_free(crl->akid); |
| 352 | if (crl->idp) | 330 | if (crl->idp) |
| @@ -546,36 +524,10 @@ X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) | |||
| 546 | } | 524 | } |
| 547 | 525 | ||
| 548 | int | 526 | int |
| 549 | X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r) | 527 | X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey) |
| 550 | { | ||
| 551 | if (crl->meth->crl_verify) | ||
| 552 | return crl->meth->crl_verify(crl, r); | ||
| 553 | return 0; | ||
| 554 | } | ||
| 555 | |||
| 556 | int | ||
| 557 | X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, | ||
| 558 | ASN1_INTEGER *serial) | ||
| 559 | { | ||
| 560 | if (crl->meth->crl_lookup) | ||
| 561 | return crl->meth->crl_lookup(crl, ret, serial, NULL); | ||
| 562 | return 0; | ||
| 563 | } | ||
| 564 | |||
| 565 | int | ||
| 566 | X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) | ||
| 567 | { | ||
| 568 | if (crl->meth->crl_lookup) | ||
| 569 | return crl->meth->crl_lookup(crl, ret, | ||
| 570 | X509_get_serialNumber(x), X509_get_issuer_name(x)); | ||
| 571 | return 0; | ||
| 572 | } | ||
| 573 | |||
| 574 | static int | ||
| 575 | def_crl_verify(X509_CRL *crl, EVP_PKEY *r) | ||
| 576 | { | 528 | { |
| 577 | return(ASN1_item_verify(&X509_CRL_INFO_it, | 529 | return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature, |
| 578 | crl->sig_alg, crl->signature, crl->crl, r)); | 530 | crl->crl, pkey); |
| 579 | } | 531 | } |
| 580 | 532 | ||
| 581 | static int | 533 | static int |
| @@ -606,16 +558,13 @@ crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, X509_REVOKED *rev) | |||
| 606 | } | 558 | } |
| 607 | 559 | ||
| 608 | static int | 560 | static int |
| 609 | def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, | 561 | crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, |
| 610 | X509_NAME *issuer) | 562 | X509_NAME *issuer) |
| 611 | { | 563 | { |
| 612 | X509_REVOKED rtmp, *rev; | 564 | X509_REVOKED rtmp, *rev; |
| 613 | int idx; | 565 | int idx; |
| 614 | 566 | ||
| 615 | rtmp.serialNumber = serial; | 567 | rtmp.serialNumber = serial; |
| 616 | /* Sort revoked into serial number order if not already sorted. | ||
| 617 | * Do this under a lock to avoid race condition. | ||
| 618 | */ | ||
| 619 | if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) { | 568 | if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) { |
| 620 | CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); | 569 | CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); |
| 621 | sk_X509_REVOKED_sort(crl->crl->revoked); | 570 | sk_X509_REVOKED_sort(crl->crl->revoked); |
| @@ -640,13 +589,23 @@ def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, | |||
| 640 | return 0; | 589 | return 0; |
| 641 | } | 590 | } |
| 642 | 591 | ||
| 592 | int | ||
| 593 | X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, | ||
| 594 | ASN1_INTEGER *serial) | ||
| 595 | { | ||
| 596 | return crl_lookup(crl, ret, serial, NULL); | ||
| 597 | } | ||
| 598 | |||
| 599 | int | ||
| 600 | X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) | ||
| 601 | { | ||
| 602 | return crl_lookup(crl, ret, X509_get_serialNumber(x), | ||
| 603 | X509_get_issuer_name(x)); | ||
| 604 | } | ||
| 605 | |||
| 643 | void | 606 | void |
| 644 | X509_CRL_set_default_method(const X509_CRL_METHOD *meth) | 607 | X509_CRL_set_default_method(const X509_CRL_METHOD *meth) |
| 645 | { | 608 | { |
| 646 | if (meth == NULL) | ||
| 647 | default_crl_method = &int_crl_meth; | ||
| 648 | else | ||
| 649 | default_crl_method = meth; | ||
| 650 | } | 609 | } |
| 651 | 610 | ||
| 652 | X509_CRL_METHOD * | 611 | X509_CRL_METHOD * |
| @@ -656,40 +615,25 @@ X509_CRL_METHOD_new(int (*crl_init)(X509_CRL *crl), | |||
| 656 | ASN1_INTEGER *ser, X509_NAME *issuer), | 615 | ASN1_INTEGER *ser, X509_NAME *issuer), |
| 657 | int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)) | 616 | int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)) |
| 658 | { | 617 | { |
| 659 | X509_CRL_METHOD *m; | 618 | X509error(ERR_R_DISABLED); |
| 660 | 619 | return NULL; | |
| 661 | if ((m = calloc(1, sizeof(X509_CRL_METHOD))) == NULL) | ||
| 662 | return NULL; | ||
| 663 | |||
| 664 | m->crl_init = crl_init; | ||
| 665 | m->crl_free = crl_free; | ||
| 666 | m->crl_lookup = crl_lookup; | ||
| 667 | m->crl_verify = crl_verify; | ||
| 668 | m->flags = X509_CRL_METHOD_DYNAMIC; | ||
| 669 | |||
| 670 | return m; | ||
| 671 | } | 620 | } |
| 672 | 621 | ||
| 673 | void | 622 | void |
| 674 | X509_CRL_METHOD_free(X509_CRL_METHOD *m) | 623 | X509_CRL_METHOD_free(X509_CRL_METHOD *m) |
| 675 | { | 624 | { |
| 676 | if (m == NULL) | ||
| 677 | return; | ||
| 678 | if (!(m->flags & X509_CRL_METHOD_DYNAMIC)) | ||
| 679 | return; | ||
| 680 | free(m); | ||
| 681 | } | 625 | } |
| 682 | 626 | ||
| 683 | void | 627 | void |
| 684 | X509_CRL_set_meth_data(X509_CRL *crl, void *dat) | 628 | X509_CRL_set_meth_data(X509_CRL *crl, void *dat) |
| 685 | { | 629 | { |
| 686 | crl->meth_data = dat; | ||
| 687 | } | 630 | } |
| 688 | 631 | ||
| 689 | void * | 632 | void * |
| 690 | X509_CRL_get_meth_data(X509_CRL *crl) | 633 | X509_CRL_get_meth_data(X509_CRL *crl) |
| 691 | { | 634 | { |
| 692 | return crl->meth_data; | 635 | X509error(ERR_R_DISABLED); |
| 636 | return NULL; | ||
| 693 | } | 637 | } |
| 694 | 638 | ||
| 695 | int | 639 | int |
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h index 6285370b2d..f62f5ad57d 100644 --- a/src/lib/libcrypto/x509/x509_local.h +++ b/src/lib/libcrypto/x509/x509_local.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_local.h,v 1.17 2023/12/29 05:33:32 tb Exp $ */ | 1 | /* $OpenBSD: x509_local.h,v 1.18 2024/01/06 17:37:23 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2013. | 3 | * project 2013. |
| 4 | */ | 4 | */ |
| @@ -224,8 +224,6 @@ struct X509_crl_st { | |||
| 224 | ASN1_INTEGER *base_crl_number; | 224 | ASN1_INTEGER *base_crl_number; |
| 225 | unsigned char hash[X509_CRL_HASH_LEN]; | 225 | unsigned char hash[X509_CRL_HASH_LEN]; |
| 226 | STACK_OF(GENERAL_NAMES) *issuers; | 226 | STACK_OF(GENERAL_NAMES) *issuers; |
| 227 | const X509_CRL_METHOD *meth; | ||
| 228 | void *meth_data; | ||
| 229 | } /* X509_CRL */; | 227 | } /* X509_CRL */; |
| 230 | 228 | ||
| 231 | struct pkcs8_priv_key_info_st { | 229 | struct pkcs8_priv_key_info_st { |