From 88204d1b49bfe45fc06cace782cd8183e4abc17a Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 28 Apr 2023 16:30:14 +0000
Subject: Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefile

with beck
---
 src/lib/libcrypto/x509/x509_local.h | 23 +-------------
 src/lib/libcrypto/x509/x509_policy.c | 6 +----
 src/lib/libcrypto/x509/x509_vfy.c | 62 +------------------------------------
 3 files changed, 3 insertions(+), 88 deletions(-)
(limited to 'src/lib/libcrypto/x509')
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 1aa66d2440..374cba3d58 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -69,13 +69,6 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP EVP_sha512()
 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
-#ifndef LIBRESSL_HAS_POLICY_DAG
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
-
 struct X509_pubkey_st {
 X509_ALGOR *algor;
 ASN1_BIT_STRING *public_key;
@@ -178,9 +171,6 @@ struct x509_st {
 unsigned long ex_nscert;
 ASN1_OCTET_STRING *skid;
 AUTHORITY_KEYID *akid;
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_CACHE *policy_cache;
-#endif
 STACK_OF(DIST_POINT) *crldp;
 STACK_OF(GENERAL_NAME) *altname;
 NAME_CONSTRAINTS *nc;
@@ -360,9 +350,6 @@ struct x509_store_ctx_st {
 int valid; /* if 0, rebuild chain */
 int num_untrusted; /* number of untrusted certs in chain */
 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_TREE *tree; /* Valid policy tree */
-#endif
 int explicit_policy; /* Require explicit policy value */
@@ -396,17 +383,9 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int X509_policy_check(const STACK_OF(X509) *certs, const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, X509 **out_current_cert);
-#else
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index e51e193085..73f7154f51 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.24 2023/04/28 15:57:38 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -26,8 +26,6 @@
 #include "x509_internal.h"
 #include "x509_local.h"
-#ifdef LIBRESSL_HAS_POLICY_DAG
-
 /* XXX move to proper place */
 #define X509_R_INVALID_POLICY_EXTENSION 201
@@ -1019,5 +1017,3 @@ err:
 sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
 return ret;
 }
-
-#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 76847e7224..93dc06ed05 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1744,7 +1744,6 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 }
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1779,59 +1778,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 return 1;
 }
-#else
-int
-x509_vfy_check_policy(X509_STORE_CTX *ctx)
-{
- int ret;
-
- if (ctx->parent)
- return 1;
-
- /* X509_policy_check always allocates a new tree. */
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
-
- ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
- ctx->param->policies, ctx->param->flags);
- if (ret == 0) {
- X509error(ERR_R_MALLOC_FAILURE);
- return 0;
- }
- /* Invalid or inconsistent extensions */
- if (ret == -1) {
- /* Locate certificates with bad extensions and notify
- * callback.
- */
- X509 *x;
- int i;
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- x = sk_X509_value(ctx->chain, i);
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
- ctx->current_cert = x;
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
- return 1;
- }
- if (ret == -2) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
- return ctx->verify_cb(0, ctx);
- }
-
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_OK;
- if (!ctx->verify_cb(2, ctx))
- return 0;
- }
-
- return 1;
-}
-#endif
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2524,12 +2470,6 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM_free(ctx->param);
 ctx->param = NULL;
 }
-#ifndef LIBRESSL_HAS_POLICY_DAG
- if (ctx->tree != NULL) {
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
- }
-#endif
 if (ctx->chain != NULL) {
 sk_X509_pop_free(ctx->chain, X509_free);
 ctx->chain = NULL;
--
cgit v1.2.3-55-g6feb