-# $OpenBSD: Makefile,v 1.124 2023/04/28 16:21:57 tb Exp $
+# $OpenBSD: Makefile,v 1.125 2023/04/28 16:30:14 tb Exp $
LIB= crypto
LIBREBUILD=y
CFLAGS+= -Werror
.endif
CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
-CFLAGS+= -DLIBRESSL_HAS_POLICY_DAG
.ifdef NAMESPACE
CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
.endif
-/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */
+/* $OpenBSD: x_x509.c,v 1.35 2023/04/28 16:30:14 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
/* X509 top level structure needs a bit of customisation */
-#ifndef LIBRESSL_HAS_POLICY_DAG
-extern void policy_cache_free(X509_POLICY_CACHE *cache);
-#endif
-
static int
x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
-#ifndef LIBRESSL_HAS_POLICY_DAG
- policy_cache_free(ret->policy_cache);
-#endif
GENERAL_NAMES_free(ret->altname);
NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
-/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2013.
*/
#define X509_CRL_HASH_EVP EVP_sha512()
#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
-#ifndef LIBRESSL_HAS_POLICY_DAG
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
-
struct X509_pubkey_st {
X509_ALGOR *algor;
ASN1_BIT_STRING *public_key;
unsigned long ex_nscert;
ASN1_OCTET_STRING *skid;
AUTHORITY_KEYID *akid;
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_CACHE *policy_cache;
-#endif
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
int valid; /* if 0, rebuild chain */
int num_untrusted; /* number of untrusted certs in chain */
STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_TREE *tree; /* Valid policy tree */
-#endif
int explicit_policy; /* Require explicit policy value */
int name_cmp(const char *name, const char *cmp);
-#ifdef LIBRESSL_HAS_POLICY_DAG
int X509_policy_check(const STACK_OF(X509) *certs,
const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,
X509 **out_current_cert);
-#else
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
__END_HIDDEN_DECLS
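Review bot: `int explicit_policy; /* Require explicit policy value */` is kept in the struct that loses `tree`, but the only writer visible in this diff was the removed `X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, ...)` path. The surviving prototype takes `X509 **out_current_cert` and has no explicit-policy out parameter. If nothing else assigns the field (not visible here), any accessor that returns it reports the initial value regardless of the chain's policy constraints, and a caller could mistake that for a verification result. Either drop the field together with `tree` or, once confirmed, mark it in place, e.g. `int explicit_policy; /* not set by the policy DAG code; kept for API compatibility */`. The struct definition starts and ends outside the visible lines.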
-/* $OpenBSD: x509_policy.c,v 1.24 2023/04/28 15:57:38 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
/*
* Copyright (c) 2022, Google Inc.
*
#include "x509_internal.h"
#include "x509_local.h"
-#ifdef LIBRESSL_HAS_POLICY_DAG
-
/* XXX move to proper place */
#define X509_R_INVALID_POLICY_EXTENSION 201
sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
return ret;
}
-
-#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
-#ifdef LIBRESSL_HAS_POLICY_DAG
int
x509_vfy_check_policy(X509_STORE_CTX *ctx)
{
return 1;
}
-#else
-int
-x509_vfy_check_policy(X509_STORE_CTX *ctx)
-{
- int ret;
-
- if (ctx->parent)
- return 1;
-
- /* X509_policy_check always allocates a new tree. */
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
-
- ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
- ctx->param->policies, ctx->param->flags);
- if (ret == 0) {
- X509error(ERR_R_MALLOC_FAILURE);
- return 0;
- }
- /* Invalid or inconsistent extensions */
- if (ret == -1) {
- /* Locate certificates with bad extensions and notify
- * callback.
- */
- X509 *x;
- int i;
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- x = sk_X509_value(ctx->chain, i);
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
- ctx->current_cert = x;
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
- return 1;
- }
- if (ret == -2) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
- return ctx->verify_cb(0, ctx);
- }
-
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_OK;
- if (!ctx->verify_cb(2, ctx))
- return 0;
- }
-
- return 1;
-}
-#endif
static int
check_policy(X509_STORE_CTX *ctx)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = NULL;
}
-#ifndef LIBRESSL_HAS_POLICY_DAG
- if (ctx->tree != NULL) {
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
- }
-#endif
if (ctx->chain != NULL) {
sk_X509_pop_free(ctx->chain, X509_free);
ctx->chain = NULL;