4 files changed, 2 insertions, 492 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 8febfcdd4f..14a2287843 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.114 2023/04/25 18:57:57 tb Exp $
+# $OpenBSD: Makefile,v 1.115 2023/04/25 19:01:01 tb Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -692,8 +692,6 @@ SRCS+= x509_lu.c
 SRCS+= x509_ncons.c
 SRCS+= x509_obj.c
 SRCS+= x509_ocsp.c
-#SRCS+= x509_pci.c
-#SRCS+= x509_pcia.c
 SRCS+= x509_pcons.c
 SRCS+= x509_pku.c
 SRCS+= x509_pmaps.c
diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c
deleted file mode 100644
index b1d31dfb44..0000000000
--- a/src/lib/libcrypto/x509/x509_pci.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/* $OpenBSD: x509_pci.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
-    BIO *out, int indent);
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_pci = {
-        .ext_nid = NID_proxyCertInfo,
-        .ext_flags = 0,
-        .it = &PROXY_CERT_INFO_EXTENSION_it,
-        .ext_new = NULL,
-        .ext_free = NULL,
-        .d2i = NULL,
-        .i2d = NULL,
-        .i2s = NULL,
-        .s2i = NULL,
-        .i2v = NULL,
-        .v2i = NULL,
-        .i2r = (X509V3_EXT_I2R)i2r_pci,
-        .r2i = (X509V3_EXT_R2I)r2i_pci,
-        .usr_data = NULL,
-};
-static int
-i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
-    int indent)
-{
-        BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
-        if (pci->pcPathLengthConstraint)
-                i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
-        else
-                BIO_printf(out, "infinite");
-        BIO_puts(out, "\n");
-        BIO_printf(out, "%*sPolicy Language: ", indent, "");
-        i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
-        BIO_puts(out, "\n");
-        if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
-                BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
-                    pci->proxyPolicy->policy->length,
-                    pci->proxyPolicy->policy->data);
-        return 1;
-}
-static int
-process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
-    ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
-{
-        int free_policy = 0;
-        if (strcmp(val->name, "language") == 0) {
-                if (*language) {
-                        X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
-                        X509V3_conf_err(val);
-                        return 0;
-                }
-                if (!(*language = OBJ_txt2obj(val->value, 0))) {
-                        X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
-                        X509V3_conf_err(val);
-                        return 0;
-                }
-        }
-        else if (strcmp(val->name, "pathlen") == 0) {
-                if (*pathlen) {
-                        X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
-                        X509V3_conf_err(val);
-                        return 0;
-                }
-                if (!X509V3_get_value_int(val, pathlen)) {
-                        X509V3error(X509V3_R_POLICY_PATH_LENGTH);
-                        X509V3_conf_err(val);
-                        return 0;
-                }
-        }
-        else if (strcmp(val->name, "policy") == 0) {
-                unsigned char *tmp_data = NULL;
-                long val_len;
-                if (!*policy) {
-                        *policy = ASN1_OCTET_STRING_new();
-                        if (!*policy) {
-                                X509V3error(ERR_R_MALLOC_FAILURE);
-                                X509V3_conf_err(val);
-                                return 0;
-                        }
-                        free_policy = 1;
-                }
-                if (strncmp(val->value, "hex:", 4) == 0) {
-                        unsigned char *tmp_data2 =
-                            string_to_hex(val->value + 4, &val_len);
-                        if (!tmp_data2) {
-                                X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
-                                X509V3_conf_err(val);
-                                goto err;
-                        }
-                        tmp_data = realloc((*policy)->data,
-                            (*policy)->length + val_len + 1);
-                        if (tmp_data) {
-                                (*policy)->data = tmp_data;
-                                memcpy(&(*policy)->data[(*policy)->length],
-                                    tmp_data2, val_len);
-                                (*policy)->length += val_len;
-                                (*policy)->data[(*policy)->length] = '\0';
-                        } else {
-                                free(tmp_data2);
-                                free((*policy)->data);
-                                (*policy)->data = NULL;
-                                (*policy)->length = 0;
-                                X509V3error(ERR_R_MALLOC_FAILURE);
-                                X509V3_conf_err(val);
-                                goto err;
-                        }
-                        free(tmp_data2);
-                }
-                else if (strncmp(val->value, "file:", 5) == 0) {
-                        unsigned char buf[2048];
-                        int n;
-                        BIO *b = BIO_new_file(val->value + 5, "r");
-                        if (!b) {
-                                X509V3error(ERR_R_BIO_LIB);
-                                X509V3_conf_err(val);
-                                goto err;
-                        }
-                        while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
-                            (n == 0 && BIO_should_retry(b))) {
-                                if (!n)
-                                        continue;
-                                tmp_data = realloc((*policy)->data,
-                                    (*policy)->length + n + 1);
-                                if (!tmp_data)
-                                        break;
-                                (*policy)->data = tmp_data;
-                                memcpy(&(*policy)->data[(*policy)->length],
-                                    buf, n);
-                                (*policy)->length += n;
-                                (*policy)->data[(*policy)->length] = '\0';
-                        }
-                        BIO_free_all(b);
-                        if (n < 0) {
-                                X509V3error(ERR_R_BIO_LIB);
-                                X509V3_conf_err(val);
-                                goto err;
-                        }
-                }
-                else if (strncmp(val->value, "text:", 5) == 0) {
-                        val_len = strlen(val->value + 5);
-                        tmp_data = realloc((*policy)->data,
-                            (*policy)->length + val_len + 1);
-                        if (tmp_data) {
-                                (*policy)->data = tmp_data;
-                                memcpy(&(*policy)->data[(*policy)->length],
-                                    val->value + 5, val_len);
-                                (*policy)->length += val_len;
-                                (*policy)->data[(*policy)->length] = '\0';
-                        } else {
-                                free((*policy)->data);
-                                (*policy)->data = NULL;
-                                (*policy)->length = 0;
-                                X509V3error(ERR_R_MALLOC_FAILURE);
-                                X509V3_conf_err(val);
-                                goto err;
-                        }
-                } else {
-                        X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
-                        X509V3_conf_err(val);
-                        goto err;
-                }
-                if (!tmp_data) {
-                        X509V3error(ERR_R_MALLOC_FAILURE);
-                        X509V3_conf_err(val);
-                        goto err;
-                }
-        }
-        return 1;
-err:
-        if (free_policy) {
-                ASN1_OCTET_STRING_free(*policy);
-                *policy = NULL;
-        }
-        return 0;
-}
-static PROXY_CERT_INFO_EXTENSION *
-r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
-{
-        PROXY_CERT_INFO_EXTENSION *pci = NULL;
-        STACK_OF(CONF_VALUE) *vals;
-        ASN1_OBJECT *language = NULL;
-        ASN1_INTEGER *pathlen = NULL;
-        ASN1_OCTET_STRING *policy = NULL;
-        int i, j;
-        vals = X509V3_parse_list(value);
-        for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
-                CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
-                if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
-                        X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
-                        X509V3_conf_err(cnf);
-                        goto err;
-                }
-                if (*cnf->name == '@') {
-                        STACK_OF(CONF_VALUE) *sect;
-                        int success_p = 1;
-                        sect = X509V3_get_section(ctx, cnf->name + 1);
-                        if (!sect) {
-                                X509V3error(X509V3_R_INVALID_SECTION);
-                                X509V3_conf_err(cnf);
-                                goto err;
-                        }
-                        for (j = 0; success_p &&
-                            j < sk_CONF_VALUE_num(sect); j++) {
-                                success_p = process_pci_value(
-                                    sk_CONF_VALUE_value(sect, j),
-                                    &language, &pathlen, &policy);
-                        }
-                        X509V3_section_free(ctx, sect);
-                        if (!success_p)
-                                goto err;
-                } else {
-                        if (!process_pci_value(cnf,
-                            &language, &pathlen, &policy)) {
-                                X509V3_conf_err(cnf);
-                                goto err;
-                        }
-                }
-        }
-        /* Language is mandatory */
-        if (!language) {
-                X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
-                goto err;
-        }
-        i = OBJ_obj2nid(language);
-        if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
-                X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
-                goto err;
-        }
-        pci = PROXY_CERT_INFO_EXTENSION_new();
-        if (!pci) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        pci->proxyPolicy->policyLanguage = language;
-        language = NULL;
-        pci->proxyPolicy->policy = policy;
-        policy = NULL;
-        pci->pcPathLengthConstraint = pathlen;
-        pathlen = NULL;
-        goto end;
-err:
-        ASN1_OBJECT_free(language);
-        language = NULL;
-        ASN1_INTEGER_free(pathlen);
-        pathlen = NULL;
-        ASN1_OCTET_STRING_free(policy);
-        policy = NULL;
-end:
-        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
-        return pci;
-}
diff --git a/src/lib/libcrypto/x509/x509_pcia.c b/src/lib/libcrypto/x509/x509_pcia.c
deleted file mode 100644
index ec8d03a86b..0000000000
--- a/src/lib/libcrypto/x509/x509_pcia.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/* $OpenBSD: x509_pcia.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
-        {
-                .flags = 0,
-                .tag = 0,
-                .offset = offsetof(PROXY_POLICY, policyLanguage),
-                .field_name = "policyLanguage",
-                .item = &ASN1_OBJECT_it,
-        },
-        {
-                .flags = ASN1_TFLG_OPTIONAL,
-                .tag = 0,
-                .offset = offsetof(PROXY_POLICY, policy),
-                .field_name = "policy",
-                .item = &ASN1_OCTET_STRING_it,
-        },
-};
-const ASN1_ITEM PROXY_POLICY_it = {
-        .itype = ASN1_ITYPE_SEQUENCE,
-        .utype = V_ASN1_SEQUENCE,
-        .templates = PROXY_POLICY_seq_tt,
-        .tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
-        .funcs = NULL,
-        .size = sizeof(PROXY_POLICY),
-        .sname = "PROXY_POLICY",
-};
-PROXY_POLICY *
-d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
-{
-        return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-            &PROXY_POLICY_it);
-}
-LCRYPTO_ALIAS(d2i_PROXY_POLICY);
-int
-i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
-{
-        return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
-}
-LCRYPTO_ALIAS(i2d_PROXY_POLICY);
-PROXY_POLICY *
-PROXY_POLICY_new(void)
-{
-        return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
-}
-LCRYPTO_ALIAS(PROXY_POLICY_new);
-void
-PROXY_POLICY_free(PROXY_POLICY *a)
-{
-        ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
-}
-LCRYPTO_ALIAS(PROXY_POLICY_free);
-static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
-        {
-                .flags = ASN1_TFLG_OPTIONAL,
-                .tag = 0,
-                .offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
-                .field_name = "pcPathLengthConstraint",
-                .item = &ASN1_INTEGER_it,
-        },
-        {
-                .flags = 0,
-                .tag = 0,
-                .offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
-                .field_name = "proxyPolicy",
-                .item = &PROXY_POLICY_it,
-        },
-};
-const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
-        .itype = ASN1_ITYPE_SEQUENCE,
-        .utype = V_ASN1_SEQUENCE,
-        .templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
-        .tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
-        .funcs = NULL,
-        .size = sizeof(PROXY_CERT_INFO_EXTENSION),
-        .sname = "PROXY_CERT_INFO_EXTENSION",
-};
-PROXY_CERT_INFO_EXTENSION *
-d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
-{
-        return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-            &PROXY_CERT_INFO_EXTENSION_it);
-}
-LCRYPTO_ALIAS(d2i_PROXY_CERT_INFO_EXTENSION);
-int
-i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
-{
-        return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
-}
-LCRYPTO_ALIAS(i2d_PROXY_CERT_INFO_EXTENSION);
-PROXY_CERT_INFO_EXTENSION *
-PROXY_CERT_INFO_EXTENSION_new(void)
-{
-        return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
-}
-LCRYPTO_ALIAS(PROXY_CERT_INFO_EXTENSION_new);
-void
-PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
-{
-        ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
-}
-LCRYPTO_ALIAS(PROXY_CERT_INFO_EXTENSION_free);
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
index d7a0ef0165..74dbf8d63f 100644
--- a/src/lib/libcrypto/x509/x509v3.h
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.23 2023/04/25 18:48:32 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.24 2023/04/25 19:01:01 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -319,30 +319,6 @@ typedef struct POLICY_CONSTRAINTS_st {
        ASN1_INTEGER *inhibitPolicyMapping;
 } POLICY_CONSTRAINTS;
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-/* Proxy certificate structures, see RFC 3820 */
-typedef struct PROXY_POLICY_st {
-        ASN1_OBJECT *policyLanguage;
-        ASN1_OCTET_STRING *policy;
-} PROXY_POLICY;
-typedef struct PROXY_CERT_INFO_EXTENSION_st {
-        ASN1_INTEGER *pcPathLengthConstraint;
-        PROXY_POLICY *proxyPolicy;
-} PROXY_CERT_INFO_EXTENSION;
-PROXY_POLICY *PROXY_POLICY_new(void);
-void PROXY_POLICY_free(PROXY_POLICY *a);
-PROXY_POLICY *d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len);
-int i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out);
-extern const ASN1_ITEM PROXY_POLICY_it;
-PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void);
-void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a);
-PROXY_CERT_INFO_EXTENSION *d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len);
-int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out);
-extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it;
-#endif /* !LIBRESSL_NEXT_API || LIBRESSL_INTERNAL */
 struct ISSUING_DIST_POINT_st {
        DIST_POINT_NAME *distpoint;
        int onlyuser;

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile index 8febfcdd4f..14a2287843 100644 --- a/src/lib/libcrypto/Makefile +++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.114 2023/04/25 18:57:57 tb Exp $	1	# $OpenBSD: Makefile,v 1.115 2023/04/25 19:01:01 tb Exp $
2		2
3	LIB= crypto	3	LIB= crypto
4	LIBREBUILD=y	4	LIBREBUILD=y
@@ -692,8 +692,6 @@ SRCS+= x509_lu.c
692	SRCS+= x509_ncons.c	692	SRCS+= x509_ncons.c
693	SRCS+= x509_obj.c	693	SRCS+= x509_obj.c
694	SRCS+= x509_ocsp.c	694	SRCS+= x509_ocsp.c
695	#SRCS+= x509_pci.c
696	#SRCS+= x509_pcia.c
697	SRCS+= x509_pcons.c	695	SRCS+= x509_pcons.c
698	SRCS+= x509_pku.c	696	SRCS+= x509_pku.c
699	SRCS+= x509_pmaps.c	697	SRCS+= x509_pmaps.c


diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c deleted file mode 100644 index b1d31dfb44..0000000000 --- a/src/lib/libcrypto/x509/x509_pci.c +++ /dev/null
@@ -1,311 +0,0 @@
1	/* $OpenBSD: x509_pci.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
2	/* Contributed to the OpenSSL Project 2004
3	* by Richard Levitte (richard@levitte.org)
4	*/
5	/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6	* (Royal Institute of Technology, Stockholm, Sweden).
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	*
13	* 1. Redistributions of source code must retain the above copyright
14	* notice, this list of conditions and the following disclaimer.
15	*
16	* 2. Redistributions in binary form must reproduce the above copyright
17	* notice, this list of conditions and the following disclaimer in the
18	* documentation and/or other materials provided with the distribution.
19	*
20	* 3. Neither the name of the Institute nor the names of its contributors
21	* may be used to endorse or promote products derived from this software
22	* without specific prior written permission.
23	*
24	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34	* SUCH DAMAGE.
35	*/
36
37	#include <stdio.h>
38	#include <string.h>
39
40	#include <openssl/conf.h>
41	#include <openssl/err.h>
42	#include <openssl/x509v3.h>
43
44	static int i2r_pci(X509V3_EXT_METHOD method, PROXY_CERT_INFO_EXTENSION ext,
45	BIO *out, int indent);
46	static PROXY_CERT_INFO_EXTENSION r2i_pci(X509V3_EXT_METHOD method,
47	X509V3_CTX ctx, char str);
48
49	const X509V3_EXT_METHOD v3_pci = {
50	.ext_nid = NID_proxyCertInfo,
51	.ext_flags = 0,
52	.it = &PROXY_CERT_INFO_EXTENSION_it,
53	.ext_new = NULL,
54	.ext_free = NULL,
55	.d2i = NULL,
56	.i2d = NULL,
57	.i2s = NULL,
58	.s2i = NULL,
59	.i2v = NULL,
60	.v2i = NULL,
61	.i2r = (X509V3_EXT_I2R)i2r_pci,
62	.r2i = (X509V3_EXT_R2I)r2i_pci,
63	.usr_data = NULL,
64	};
65
66	static int
67	i2r_pci(X509V3_EXT_METHOD method, PROXY_CERT_INFO_EXTENSION pci, BIO *out,
68	int indent)
69	{
70	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
71	if (pci->pcPathLengthConstraint)
72	i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
73	else
74	BIO_printf(out, "infinite");
75	BIO_puts(out, "\n");
76	BIO_printf(out, "%*sPolicy Language: ", indent, "");
77	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
78	BIO_puts(out, "\n");
79	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
80	BIO_printf(out, "%sPolicy Text: %.s\n", indent, "",
81	pci->proxyPolicy->policy->length,
82	pci->proxyPolicy->policy->data);
83	return 1;
84	}
85
86	static int
87	process_pci_value(CONF_VALUE val, ASN1_OBJECT *language,
88	ASN1_INTEGER pathlen, ASN1_OCTET_STRING policy)
89	{
90	int free_policy = 0;
91
92	if (strcmp(val->name, "language") == 0) {
93	if (*language) {
94	X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
95	X509V3_conf_err(val);
96	return 0;
97	}
98	if (!(*language = OBJ_txt2obj(val->value, 0))) {
99	X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
100	X509V3_conf_err(val);
101	return 0;
102	}
103	}
104	else if (strcmp(val->name, "pathlen") == 0) {
105	if (*pathlen) {
106	X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
107	X509V3_conf_err(val);
108	return 0;
109	}
110	if (!X509V3_get_value_int(val, pathlen)) {
111	X509V3error(X509V3_R_POLICY_PATH_LENGTH);
112	X509V3_conf_err(val);
113	return 0;
114	}
115	}
116	else if (strcmp(val->name, "policy") == 0) {
117	unsigned char *tmp_data = NULL;
118	long val_len;
119	if (!*policy) {
120	*policy = ASN1_OCTET_STRING_new();
121	if (!*policy) {
122	X509V3error(ERR_R_MALLOC_FAILURE);
123	X509V3_conf_err(val);
124	return 0;
125	}
126	free_policy = 1;
127	}
128	if (strncmp(val->value, "hex:", 4) == 0) {
129	unsigned char *tmp_data2 =
130	string_to_hex(val->value + 4, &val_len);
131
132	if (!tmp_data2) {
133	X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
134	X509V3_conf_err(val);
135	goto err;
136	}
137
138	tmp_data = realloc((*policy)->data,
139	(*policy)->length + val_len + 1);
140	if (tmp_data) {
141	(*policy)->data = tmp_data;
142	memcpy(&(policy)->data[(policy)->length],
143	tmp_data2, val_len);
144	(*policy)->length += val_len;
145	(policy)->data[(policy)->length] = '\0';
146	} else {
147	free(tmp_data2);
148	free((*policy)->data);
149	(*policy)->data = NULL;
150	(*policy)->length = 0;
151	X509V3error(ERR_R_MALLOC_FAILURE);
152	X509V3_conf_err(val);
153	goto err;
154	}
155	free(tmp_data2);
156	}
157	else if (strncmp(val->value, "file:", 5) == 0) {
158	unsigned char buf[2048];
159	int n;
160	BIO *b = BIO_new_file(val->value + 5, "r");
161	if (!b) {
162	X509V3error(ERR_R_BIO_LIB);
163	X509V3_conf_err(val);
164	goto err;
165	}
166	while ((n = BIO_read(b, buf, sizeof(buf))) > 0 \|\|
167	(n == 0 && BIO_should_retry(b))) {
168	if (!n)
169	continue;
170
171	tmp_data = realloc((*policy)->data,
172	(*policy)->length + n + 1);
173
174	if (!tmp_data)
175	break;
176
177	(*policy)->data = tmp_data;
178	memcpy(&(policy)->data[(policy)->length],
179	buf, n);
180	(*policy)->length += n;
181	(policy)->data[(policy)->length] = '\0';
182	}
183	BIO_free_all(b);
184
185	if (n < 0) {
186	X509V3error(ERR_R_BIO_LIB);
187	X509V3_conf_err(val);
188	goto err;
189	}
190	}
191	else if (strncmp(val->value, "text:", 5) == 0) {
192	val_len = strlen(val->value + 5);
193	tmp_data = realloc((*policy)->data,
194	(*policy)->length + val_len + 1);
195	if (tmp_data) {
196	(*policy)->data = tmp_data;
197	memcpy(&(policy)->data[(policy)->length],
198	val->value + 5, val_len);
199	(*policy)->length += val_len;
200	(policy)->data[(policy)->length] = '\0';
201	} else {
202	free((*policy)->data);
203	(*policy)->data = NULL;
204	(*policy)->length = 0;
205	X509V3error(ERR_R_MALLOC_FAILURE);
206	X509V3_conf_err(val);
207	goto err;
208	}
209	} else {
210	X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
211	X509V3_conf_err(val);
212	goto err;
213	}
214	if (!tmp_data) {
215	X509V3error(ERR_R_MALLOC_FAILURE);
216	X509V3_conf_err(val);
217	goto err;
218	}
219	}
220	return 1;
221
222	err:
223	if (free_policy) {
224	ASN1_OCTET_STRING_free(*policy);
225	*policy = NULL;
226	}
227	return 0;
228	}
229
230	static PROXY_CERT_INFO_EXTENSION *
231	r2i_pci(X509V3_EXT_METHOD method, X509V3_CTX ctx, char *value)
232	{
233	PROXY_CERT_INFO_EXTENSION *pci = NULL;
234	STACK_OF(CONF_VALUE) *vals;
235	ASN1_OBJECT *language = NULL;
236	ASN1_INTEGER *pathlen = NULL;
237	ASN1_OCTET_STRING *policy = NULL;
238	int i, j;
239
240	vals = X509V3_parse_list(value);
241	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
242	CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
243	if (!cnf->name \|\| (*cnf->name != '@' && !cnf->value)) {
244	X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
245	X509V3_conf_err(cnf);
246	goto err;
247	}
248	if (*cnf->name == '@') {
249	STACK_OF(CONF_VALUE) *sect;
250	int success_p = 1;
251
252	sect = X509V3_get_section(ctx, cnf->name + 1);
253	if (!sect) {
254	X509V3error(X509V3_R_INVALID_SECTION);
255	X509V3_conf_err(cnf);
256	goto err;
257	}
258	for (j = 0; success_p &&
259	j < sk_CONF_VALUE_num(sect); j++) {
260	success_p = process_pci_value(
261	sk_CONF_VALUE_value(sect, j),
262	&language, &pathlen, &policy);
263	}
264	X509V3_section_free(ctx, sect);
265	if (!success_p)
266	goto err;
267	} else {
268	if (!process_pci_value(cnf,
269	&language, &pathlen, &policy)) {
270	X509V3_conf_err(cnf);
271	goto err;
272	}
273	}
274	}
275
276	/* Language is mandatory */
277	if (!language) {
278	X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
279	goto err;
280	}
281	i = OBJ_obj2nid(language);
282	if ((i == NID_Independent \|\| i == NID_id_ppl_inheritAll) && policy) {
283	X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
284	goto err;
285	}
286
287	pci = PROXY_CERT_INFO_EXTENSION_new();
288	if (!pci) {
289	X509V3error(ERR_R_MALLOC_FAILURE);
290	goto err;
291	}
292
293	pci->proxyPolicy->policyLanguage = language;
294	language = NULL;
295	pci->proxyPolicy->policy = policy;
296	policy = NULL;
297	pci->pcPathLengthConstraint = pathlen;
298	pathlen = NULL;
299	goto end;
300
301	err:
302	ASN1_OBJECT_free(language);
303	language = NULL;
304	ASN1_INTEGER_free(pathlen);
305	pathlen = NULL;
306	ASN1_OCTET_STRING_free(policy);
307	policy = NULL;
308	end:
309	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
310	return pci;
311	}


diff --git a/src/lib/libcrypto/x509/x509_pcia.c b/src/lib/libcrypto/x509/x509_pcia.c deleted file mode 100644 index ec8d03a86b..0000000000 --- a/src/lib/libcrypto/x509/x509_pcia.c +++ /dev/null
@@ -1,153 +0,0 @@
1	/* $OpenBSD: x509_pcia.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */
2	/* Contributed to the OpenSSL Project 2004
3	* by Richard Levitte (richard@levitte.org)
4	*/
5	/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6	* (Royal Institute of Technology, Stockholm, Sweden).
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	*
13	* 1. Redistributions of source code must retain the above copyright
14	* notice, this list of conditions and the following disclaimer.
15	*
16	* 2. Redistributions in binary form must reproduce the above copyright
17	* notice, this list of conditions and the following disclaimer in the
18	* documentation and/or other materials provided with the distribution.
19	*
20	* 3. Neither the name of the Institute nor the names of its contributors
21	* may be used to endorse or promote products derived from this software
22	* without specific prior written permission.
23	*
24	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34	* SUCH DAMAGE.
35	*/
36
37	#include <openssl/asn1.h>
38	#include <openssl/asn1t.h>
39	#include <openssl/x509v3.h>
40
41	static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
42	{
43	.flags = 0,
44	.tag = 0,
45	.offset = offsetof(PROXY_POLICY, policyLanguage),
46	.field_name = "policyLanguage",
47	.item = &ASN1_OBJECT_it,
48	},
49	{
50	.flags = ASN1_TFLG_OPTIONAL,
51	.tag = 0,
52	.offset = offsetof(PROXY_POLICY, policy),
53	.field_name = "policy",
54	.item = &ASN1_OCTET_STRING_it,
55	},
56	};
57
58	const ASN1_ITEM PROXY_POLICY_it = {
59	.itype = ASN1_ITYPE_SEQUENCE,
60	.utype = V_ASN1_SEQUENCE,
61	.templates = PROXY_POLICY_seq_tt,
62	.tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
63	.funcs = NULL,
64	.size = sizeof(PROXY_POLICY),
65	.sname = "PROXY_POLICY",
66	};
67
68
69	PROXY_POLICY *
70	d2i_PROXY_POLICY(PROXY_POLICY a, const unsigned char in, long len)
71	{
72	return (PROXY_POLICY )ASN1_item_d2i((ASN1_VALUE *)a, in, len,
73	&PROXY_POLICY_it);
74	}
75	LCRYPTO_ALIAS(d2i_PROXY_POLICY);
76
77	int
78	i2d_PROXY_POLICY(PROXY_POLICY a, unsigned char *out)
79	{
80	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
81	}
82	LCRYPTO_ALIAS(i2d_PROXY_POLICY);
83
84	PROXY_POLICY *
85	PROXY_POLICY_new(void)
86	{
87	return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
88	}
89	LCRYPTO_ALIAS(PROXY_POLICY_new);
90
91	void
92	PROXY_POLICY_free(PROXY_POLICY *a)
93	{
94	ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
95	}
96	LCRYPTO_ALIAS(PROXY_POLICY_free);
97
98	static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
99	{
100	.flags = ASN1_TFLG_OPTIONAL,
101	.tag = 0,
102	.offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
103	.field_name = "pcPathLengthConstraint",
104	.item = &ASN1_INTEGER_it,
105	},
106	{
107	.flags = 0,
108	.tag = 0,
109	.offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
110	.field_name = "proxyPolicy",
111	.item = &PROXY_POLICY_it,
112	},
113	};
114
115	const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
116	.itype = ASN1_ITYPE_SEQUENCE,
117	.utype = V_ASN1_SEQUENCE,
118	.templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
119	.tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
120	.funcs = NULL,
121	.size = sizeof(PROXY_CERT_INFO_EXTENSION),
122	.sname = "PROXY_CERT_INFO_EXTENSION",
123	};
124
125
126	PROXY_CERT_INFO_EXTENSION *
127	d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION a, const unsigned char in, long len)
128	{
129	return (PROXY_CERT_INFO_EXTENSION )ASN1_item_d2i((ASN1_VALUE *)a, in, len,
130	&PROXY_CERT_INFO_EXTENSION_it);
131	}
132	LCRYPTO_ALIAS(d2i_PROXY_CERT_INFO_EXTENSION);
133
134	int
135	i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION a, unsigned char *out)
136	{
137	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
138	}
139	LCRYPTO_ALIAS(i2d_PROXY_CERT_INFO_EXTENSION);
140
141	PROXY_CERT_INFO_EXTENSION *
142	PROXY_CERT_INFO_EXTENSION_new(void)
143	{
144	return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
145	}
146	LCRYPTO_ALIAS(PROXY_CERT_INFO_EXTENSION_new);
147
148	void
149	PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
150	{
151	ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
152	}
153	LCRYPTO_ALIAS(PROXY_CERT_INFO_EXTENSION_free);


diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h index d7a0ef0165..74dbf8d63f 100644 --- a/src/lib/libcrypto/x509/x509v3.h +++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509v3.h,v 1.23 2023/04/25 18:48:32 tb Exp $ */	1	/* $OpenBSD: x509v3.h,v 1.24 2023/04/25 19:01:01 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -319,30 +319,6 @@ typedef struct POLICY_CONSTRAINTS_st {
319	ASN1_INTEGER *inhibitPolicyMapping;	319	ASN1_INTEGER *inhibitPolicyMapping;
320	} POLICY_CONSTRAINTS;	320	} POLICY_CONSTRAINTS;
321		321
322	#if !defined(LIBRESSL_NEXT_API) \|\| defined(LIBRESSL_INTERNAL)
323	/* Proxy certificate structures, see RFC 3820 */
324	typedef struct PROXY_POLICY_st {
325	ASN1_OBJECT *policyLanguage;
326	ASN1_OCTET_STRING *policy;
327	} PROXY_POLICY;
328
329	typedef struct PROXY_CERT_INFO_EXTENSION_st {
330	ASN1_INTEGER *pcPathLengthConstraint;
331	PROXY_POLICY *proxyPolicy;
332	} PROXY_CERT_INFO_EXTENSION;
333
334	PROXY_POLICY *PROXY_POLICY_new(void);
335	void PROXY_POLICY_free(PROXY_POLICY *a);
336	PROXY_POLICY d2i_PROXY_POLICY(PROXY_POLICY a, const unsigned char *in, long len);
337	int i2d_PROXY_POLICY(PROXY_POLICY a, unsigned char *out);
338	extern const ASN1_ITEM PROXY_POLICY_it;
339	PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void);
340	void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a);
341	PROXY_CERT_INFO_EXTENSION d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION a, const unsigned char *in, long len);
342	int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION a, unsigned char *out);
343	extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it;
344	#endif /* !LIBRESSL_NEXT_API \|\| LIBRESSL_INTERNAL */
345
346	struct ISSUING_DIST_POINT_st {	322	struct ISSUING_DIST_POINT_st {
347	DIST_POINT_NAME *distpoint;	323	DIST_POINT_NAME *distpoint;
348	int onlyuser;	324	int onlyuser;