-/* $OpenBSD: x_x509.c,v 1.33 2023/04/24 08:09:29 job Exp $ */
+/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
/* X509 top level structure needs a bit of customisation */
+#ifndef LIBRESSL_HAS_POLICY_DAG
extern void policy_cache_free(X509_POLICY_CACHE *cache);
+#endif
static int
x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
+#ifndef LIBRESSL_HAS_POLICY_DAG
policy_cache_free(ret->policy_cache);
+#endif
GENERAL_NAMES_free(ret->altname);
NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
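Review bot: The `extern void policy_cache_free(X509_POLICY_CACHE *cache);` prototype the guard now wraps (L8-L10) is a file-local forward declaration of a function defined in pcy_cache.c, and the X509_POLICY_CACHE typedef it depends on sits under the same guard in x509_local.h; placing the prototype next to that typedef (or in pcy_int.h, which this commit guards as a whole) keeps the two from drifting apart and leaves x_x509.c with only the guard around the `policy_cache_free(ret->policy_cache);` call. If LIBRESSL_HAS_POLICY_DAG is meant to come from a configuration header rather than the compiler command line, the `#ifndef` at L8 must follow that header; the includes preceding it are outside the hunk. x509_cb starts at L12 and its body continues outside the hunk.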
-/* $OpenBSD: pcy_cache.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: pcy_cache.c,v 1.4 2023/04/26 19:11:32 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
#include "x509_local.h"
*out = ASN1_INTEGER_get(value);
return 1;
}
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_data.c,v 1.2 2023/04/26 19:11:32 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
/* Policy Node routines */
ASN1_OBJECT_free(id);
return NULL;
}
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: pcy_int.h,v 1.4 2023/04/25 18:53:42 tb Exp $ */
+/* $OpenBSD: pcy_int.h,v 1.5 2023/04/26 19:11:32 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
*
*/
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
/* Needed to pull in the typedefs for X509_POLICY_* */
#include "x509_local.h"
__END_HIDDEN_DECLS
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: pcy_lib.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pcy_lib.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
/* accessor functions */
return node->parent;
}
LCRYPTO_ALIAS(X509_policy_node_get0_parent);
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
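Review bot: Wrapping all of pcy_lib.c removes X509_policy_node_get0_parent and the other LCRYPTO_ALIAS'd accessors (L81) from the build when LIBRESSL_HAS_POLICY_DAG is defined, and the same happens to X509_policy_check and X509_policy_tree_free in pcy_tree.c (L129) and X509_POLICY_NODE_print in x509_cpols.c (L152). If those names are listed in the library's exported-symbol list or are still prototyped in a public header, enabling the macro will produce missing-symbol link errors or declarations of functions that no longer exist; a comment at the guard, `/* Under LIBRESSL_HAS_POLICY_DAG the policy-tree implementation and its X509_policy_* accessors are compiled out */`, would make that trade-off explicit. The guards added to pcy_cache.c, pcy_data.c, pcy_map.c, pcy_node.c and pcy_int.h are the same change and need no separate note.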
-/* $OpenBSD: pcy_map.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: pcy_map.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
#include "x509_local.h"
sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
return ret;
}
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_node.c,v 1.2 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
static int
}
return 0;
}
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: pcy_tree.c,v 1.6 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
+
#include "pcy_int.h"
#include "x509_local.h"
return 0;
}
LCRYPTO_ALIAS(X509_policy_check);
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
#include <openssl/err.h>
#include <openssl/x509v3.h>
+#ifndef LIBRESSL_HAS_POLICY_DAG
#include "pcy_int.h"
+#endif
#include "x509_local.h"
/* Certificate policies extension support: this one is a bit complex... */
notice->exptext->length, notice->exptext->data);
}
+#ifndef LIBRESSL_HAS_POLICY_DAG
void
X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
{
BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
}
LCRYPTO_ALIAS(X509_POLICY_NODE_print);
+#endif
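Review bot: The guard around `#include "pcy_int.h"` at L139-L141 is redundant, because pcy_int.h now guards its own body with the same macro in this commit; an unconditional include leaves one place to update rather than two. The guard around X509_POLICY_NODE_print (L146-L153) is needed since the X509_POLICY_NODE typedef is now guarded in x509_local.h, but the reason is not stated; `/* Needs the policy-tree types, which are absent under LIBRESSL_HAS_POLICY_DAG */` above the `#ifndef` would say why. If x509v3.h still declares X509_POLICY_NODE_print in terms of that typedef, its declaration needs a matching guard, which I cannot confirm from this diff.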
-/* $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */
+/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2013.
*/
#define X509_CRL_HASH_EVP EVP_sha512()
#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
+#ifndef LIBRESSL_HAS_POLICY_DAG
typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+#endif
struct X509_pubkey_st {
X509_ALGOR *algor;
unsigned long ex_nscert;
ASN1_OCTET_STRING *skid;
AUTHORITY_KEYID *akid;
+#ifndef LIBRESSL_HAS_POLICY_DAG
X509_POLICY_CACHE *policy_cache;
+#endif
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
int valid; /* if 0, rebuild chain */
int num_untrusted; /* number of untrusted certs in chain */
STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
- X509_POLICY_TREE *tree; /* Valid policy tree */
+#ifndef LIBRESSL_HAS_POLICY_DAG
+ X509_POLICY_TREE *tree; /* Valid policy tree */
+#endif
int explicit_policy; /* Require explicit policy value */
int name_cmp(const char *name, const char *cmp);
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int X509_policy_check(const STACK_OF(X509) *certs,
+ const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,
+ X509 **out_current_cert);
+#else
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs,
- STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
+ STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
+ unsigned int flags);
void X509_policy_tree_free(X509_POLICY_TREE *tree);
+#endif
__END_HIDDEN_DECLS
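Review bot: The DAG-flavoured X509_policy_check prototype (L188-L190) carries no contract comment although its return convention differs from the tree variant below it: judging from its caller in x509_vfy.c it returns an X509_V_* code rather than a success flag and writes the certificate the error applies to through out_current_cert. Add above it `/* Returns X509_V_OK, or an X509_V_ERR_* code with *out_current_cert set to the certificate the error applies to. */`. The flags parameter is `unsigned long` in the new prototype versus `unsigned int` in the old one, which I believe matches the type of the param->flags field it is fed with; a one-line note saying so would stop someone "fixing" the inconsistency later. X509_STORE_CTX keeps explicit_policy (L185) in both configurations, so if the DAG path does not use it, its comment should say so.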
#include "x509_internal.h"
#include "x509_local.h"
+#ifdef LIBRESSL_HAS_POLICY_DAG
+
/* XXX move to proper place */
#define X509_R_INVALID_POLICY_EXTENSION 201
sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
return ret;
}
+
+#endif /* LIBRESSL_HAS_POLICY_DAG */
-/* $OpenBSD: x509_vfy.c,v 1.115 2023/04/25 18:37:56 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
return 1;
}
+
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int
+x509_vfy_check_policy(X509_STORE_CTX *ctx)
+{
+ X509 *current_cert = NULL;
+ int ret;
+
+ if (ctx->parent != NULL)
+ return 1;
+
+ ret = X509_policy_check(ctx->chain, ctx->param->policies,
+ ctx->param->flags, ¤t_cert);
+ if (ret != X509_V_OK) {
+ ctx->current_cert = current_cert;
+ ctx->error = ret;
+ if (ret == X509_V_ERR_OUT_OF_MEM)
+ return 0;
+ return ctx->verify_cb(0, ctx);
+ }
+
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
+ ctx->current_cert = NULL;
+ /*
+ * Verification errors need to be "sticky", a callback may have
+ * allowed an SSL handshake to continue despite an error, and
+ * we must then remain in an error state. Therefore, we MUST
+ * NOT clear earlier verification errors by setting the error
+ * to X509_V_OK.
+ */
+ if (!ctx->verify_cb(2, ctx))
+ return 0;
+ }
+
+ return 1;
+}
+#else
int
x509_vfy_check_policy(X509_STORE_CTX *ctx)
{
return 1;
}
+#endif
static int
check_policy(X509_STORE_CTX *ctx)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = NULL;
}
+#ifndef LIBRESSL_HAS_POLICY_DAG
if (ctx->tree != NULL) {
X509_policy_tree_free(ctx->tree);
ctx->tree = NULL;
}
+#endif
if (ctx->chain != NULL) {
sk_X509_pop_free(ctx->chain, X509_free);
ctx->chain = NULL;
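Review bot: The new x509_vfy_check_policy (L221-L254) lacks a header comment describing its contract, which matters because it returns 1 both on success and when the verify callback chooses to continue past a policy error. Suggest `/* Returns 1 on success or when verify_cb overrides the error, 0 on out-of-memory or callback refusal; on error ctx->error and ctx->current_cert are set. */` above it, and `/* presumably a child ctx used for CRL checks, where policies are not evaluated -- confirm */` on the `ctx->parent != NULL` early return, whose reason is not stated. The callback can override every failure except X509_V_ERR_OUT_OF_MEM (L235-L237), so a permissive callback also reaches the X509_V_FLAG_NOTIFY_POLICY notification (L249) with current_cert cleared; the comment at L242-L248 correctly explains why ctx->error must not be reset there. The `#ifndef` block at L267-L272 keeps the tree teardown for the non-DAG configuration; its enclosing function starts outside the hunk, as does check_policy at L262.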