Make the new policy code in x509_policy.c to be selectable at compile time.

The old policy codes remains the default, with the new policy code selectable by defining LIBRESSL_HAS_POLICY_DAG. ok tb@ jsing@
author: beck <> 2023-04-26 19:11:33 +0000
committer: beck <> 2023-04-26 19:11:33 +0000
commit: d2576ff178ab71d730ed11f6d244e0035b9203c2 (patch)
tree: 75b208133b3a7fbeb57237a5639552556d1bc38e /src
parent: 044e73e94f288a201e6ef15bb65075250510d821 (diff)
download: openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.tar.gz
openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.tar.bz2
openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.zip
12 files changed, 106 insertions, 15 deletions
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index df66153c45..5a769abdff 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.33 2023/04/24 08:09:29 job Exp $ */
+/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -169,7 +169,9 @@ X509_CINF_free(X509_CINF *a)
 }
 /* X509 top level structure needs a bit of customisation */
+#ifndef LIBRESSL_HAS_POLICY_DAG
 extern void policy_cache_free(X509_POLICY_CACHE *cache);
+#endif
 static int
 x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
@@ -205,7 +207,9 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                ASN1_OCTET_STRING_free(ret->skid);
                AUTHORITY_KEYID_free(ret->akid);
                CRL_DIST_POINTS_free(ret->crldp);
+#ifndef LIBRESSL_HAS_POLICY_DAG
                policy_cache_free(ret->policy_cache);
+#endif
                GENERAL_NAMES_free(ret->altname);
                NAME_CONSTRAINTS_free(ret->nc);
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/pcy_cache.c b/src/lib/libcrypto/x509/pcy_cache.c
index 6424160db8..10cefd7f34 100644
--- a/src/lib/libcrypto/x509/pcy_cache.c
+++ b/src/lib/libcrypto/x509/pcy_cache.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_cache.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: pcy_cache.c,v 1.4 2023/04/26 19:11:32 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -59,6 +59,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 #include "x509_local.h"
@@ -270,3 +272,5 @@ policy_cache_set_int(long *out, ASN1_INTEGER *value)
        *out = ASN1_INTEGER_get(value);
        return 1;
 }
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_data.c b/src/lib/libcrypto/x509/pcy_data.c
index dadacb5266..f0fdfe18ef 100644
--- a/src/lib/libcrypto/x509/pcy_data.c
+++ b/src/lib/libcrypto/x509/pcy_data.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_data.c,v 1.2 2023/04/26 19:11:32 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -59,6 +59,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 /* Policy Node routines */
@@ -127,3 +129,5 @@ err:
        ASN1_OBJECT_free(id);
        return NULL;
 }
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_int.h b/src/lib/libcrypto/x509/pcy_int.h
index b183979d87..43bd548f66 100644
--- a/src/lib/libcrypto/x509/pcy_int.h
+++ b/src/lib/libcrypto/x509/pcy_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_int.h,v 1.4 2023/04/25 18:53:42 tb Exp $ */
+/* $OpenBSD: pcy_int.h,v 1.5 2023/04/26 19:11:32 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -56,6 +56,8 @@
 *
 */
+#ifndef LIBRESSL_HAS_POLICY_DAG
 /* Needed to pull in the typedefs for X509_POLICY_* */
 #include "x509_local.h"
@@ -275,3 +277,5 @@ const X509_POLICY_NODE *
 __END_HIDDEN_DECLS
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_lib.c b/src/lib/libcrypto/x509/pcy_lib.c
index e4d3fd9fa8..0c8978bd70 100644
--- a/src/lib/libcrypto/x509/pcy_lib.c
+++ b/src/lib/libcrypto/x509/pcy_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_lib.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pcy_lib.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -59,6 +59,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 /* accessor functions */
@@ -164,3 +166,5 @@ X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
        return node->parent;
 }
 LCRYPTO_ALIAS(X509_policy_node_get0_parent);
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_map.c b/src/lib/libcrypto/x509/pcy_map.c
index fe21ba14d1..ffbc6f75f0 100644
--- a/src/lib/libcrypto/x509/pcy_map.c
+++ b/src/lib/libcrypto/x509/pcy_map.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_map.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: pcy_map.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -59,6 +59,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 #include "x509_local.h"
@@ -125,3 +127,5 @@ bad_mapping:
        sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
        return ret;
 }
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_node.c b/src/lib/libcrypto/x509/pcy_node.c
index 3a0f230bb3..1daf7e2aff 100644
--- a/src/lib/libcrypto/x509/pcy_node.c
+++ b/src/lib/libcrypto/x509/pcy_node.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_node.c,v 1.2 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -60,6 +60,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 static int
@@ -198,3 +200,5 @@ policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
        }
        return 0;
 }
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/pcy_tree.c b/src/lib/libcrypto/x509/pcy_tree.c
index 56e05910cd..eb3c427a3a 100644
--- a/src/lib/libcrypto/x509/pcy_tree.c
+++ b/src/lib/libcrypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.6 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -59,6 +59,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
 #include "x509_local.h"
@@ -771,3 +773,5 @@ error:
        return 0;
 }
 LCRYPTO_ALIAS(X509_policy_check);
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index af8f16c9b0..bac0209371 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,7 +65,9 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
 #include "pcy_int.h"
+#endif
 #include "x509_local.h"
 /* Certificate policies extension support: this one is a bit complex... */
@@ -766,6 +768,7 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
                    notice->exptext->length, notice->exptext->data);
 }
+#ifndef LIBRESSL_HAS_POLICY_DAG
 void
 X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
 {
@@ -783,3 +786,4 @@ X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
                BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
 }
 LCRYPTO_ALIAS(X509_POLICY_NODE_print);
+#endif
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 6f711fe3e1..1aa66d2440 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -69,10 +69,12 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP       EVP_sha512()
 #define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
+#ifndef LIBRESSL_HAS_POLICY_DAG
 typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
 typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
 typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
 typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+#endif
 struct X509_pubkey_st {
        X509_ALGOR *algor;
@@ -176,7 +178,9 @@ struct x509_st {
        unsigned long ex_nscert;
        ASN1_OCTET_STRING *skid;
        AUTHORITY_KEYID *akid;
+#ifndef LIBRESSL_HAS_POLICY_DAG
        X509_POLICY_CACHE *policy_cache;
+#endif
        STACK_OF(DIST_POINT) *crldp;
        STACK_OF(GENERAL_NAME) *altname;
        NAME_CONSTRAINTS *nc;
@@ -356,7 +360,9 @@ struct x509_store_ctx_st {
        int valid;              /* if 0, rebuild chain */
        int num_untrusted;      /* number of untrusted certs in chain */
        STACK_OF(X509) *chain;          /* chain of X509s - built up and trusted */
-        X509_POLICY_TREE *tree; /* Valid policy tree */
+#ifndef LIBRESSL_HAS_POLICY_DAG
+        X509_POLICY_TREE *tree; /* Valid policy tree */
+#endif
        int explicit_policy;    /* Require explicit policy value */
@@ -390,12 +396,17 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int X509_policy_check(const STACK_OF(X509) *certs,
+    const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,
+    X509 **out_current_cert);
+#else
 int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
-                        STACK_OF(X509) *certs,
+    STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
-                        STACK_OF(ASN1_OBJECT) *policy_oids,
+    unsigned int flags);
-                        unsigned int flags);
 void X509_policy_tree_free(X509_POLICY_TREE *tree);
+#endif
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index c9618dbf23..d49d86856c 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -25,6 +25,8 @@
 #include "x509_internal.h"
 #include "x509_local.h"
+#ifdef LIBRESSL_HAS_POLICY_DAG
 /* XXX move to proper place */
 #define X509_R_INVALID_POLICY_EXTENSION 201
@@ -856,3 +858,5 @@ err:
  sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
  return ret;
 }
+#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 4b042e0b26..76847e7224 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.115 2023/04/25 18:37:56 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1743,6 +1743,43 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
        return 1;
 }
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int
+x509_vfy_check_policy(X509_STORE_CTX *ctx)
+{
+        X509 *current_cert = NULL;
+        int ret;
+        if (ctx->parent != NULL)
+                return 1;
+        ret = X509_policy_check(ctx->chain, ctx->param->policies,
+            ctx->param->flags, &current_cert);
+        if (ret != X509_V_OK) {
+                ctx->current_cert = current_cert;
+                ctx->error = ret;
+                if (ret == X509_V_ERR_OUT_OF_MEM)
+                        return 0;
+                return ctx->verify_cb(0, ctx);
+        }
+        if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
+                ctx->current_cert = NULL;
+                /*
+                 * Verification errors need to be "sticky", a callback may have
+                 * allowed an SSL handshake to continue despite an error, and
+                 * we must then remain in an error state.  Therefore, we MUST
+                 * NOT clear earlier verification errors by setting the error
+                 * to X509_V_OK.
+                 */
+                if (!ctx->verify_cb(2, ctx))
+                        return 0;
+        }
+        return 1;
+}
+#else
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1794,6 +1831,7 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
        return 1;
 }
+#endif
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2486,10 +2524,12 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
                        X509_VERIFY_PARAM_free(ctx->param);
                ctx->param = NULL;
        }
+#ifndef LIBRESSL_HAS_POLICY_DAG
        if (ctx->tree != NULL) {
                X509_policy_tree_free(ctx->tree);
                ctx->tree = NULL;
        }
+#endif
        if (ctx->chain != NULL) {
                sk_X509_pop_free(ctx->chain, X509_free);
                ctx->chain = NULL;
author	beck <>	2023-04-26 19:11:33 +0000
committer	beck <>	2023-04-26 19:11:33 +0000
commit	d2576ff178ab71d730ed11f6d244e0035b9203c2 (patch)
tree	75b208133b3a7fbeb57237a5639552556d1bc38e /src
parent	044e73e94f288a201e6ef15bb65075250510d821 (diff)
download	openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.tar.gz openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.tar.bz2 openbsd-d2576ff178ab71d730ed11f6d244e0035b9203c2.zip