From: tb
Date: Tue, 25 Apr 2023 18:28:05 +0000 (+0000)
Subject: Move the policy tree code to internal-only
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0f3cdff27b5b24bcbc4858865642c369c2fc6e3d;p=openbsd

Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
---
diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace
index 2e0a638f177..a5ac5294fbd 100644
--- a/lib/libcrypto/Symbols.namespace
+++ b/lib/libcrypto/Symbols.namespace
@@ -600,8 +600,6 @@ _libre_X509_STORE_CTX_get_verify_cb
 _libre_X509_STORE_CTX_set_verify_cb
 _libre_X509_STORE_set_verify
 _libre_X509_STORE_get_verify
-_libre_X509_STORE_CTX_get0_policy_tree
-_libre_X509_STORE_CTX_get_explicit_policy
 _libre_X509_STORE_CTX_get_num_untrusted
 _libre_X509_STORE_CTX_get0_param
 _libre_X509_STORE_CTX_set0_param
diff --git a/lib/libcrypto/hidden/openssl/x509_vfy.h b/lib/libcrypto/hidden/openssl/x509_vfy.h
index a8e172ad2d2..aae3ed1351a 100644
--- a/lib/libcrypto/hidden/openssl/x509_vfy.h
+++ b/lib/libcrypto/hidden/openssl/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.2 2022/12/01 05:16:08 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck
  *
@@ -114,8 +114,6 @@ LCRYPTO_USED(X509_STORE_CTX_get_verify_cb);
 LCRYPTO_USED(X509_STORE_CTX_set_verify_cb);
 LCRYPTO_USED(X509_STORE_set_verify);
 LCRYPTO_USED(X509_STORE_get_verify);
-LCRYPTO_USED(X509_STORE_CTX_get0_policy_tree);
-LCRYPTO_USED(X509_STORE_CTX_get_explicit_policy);
 LCRYPTO_USED(X509_STORE_CTX_get_num_untrusted);
 LCRYPTO_USED(X509_STORE_CTX_get0_param);
 LCRYPTO_USED(X509_STORE_CTX_set0_param);
diff --git a/lib/libcrypto/ossl_typ.h b/lib/libcrypto/ossl_typ.h
index b45f546cc07..6e33f8cfbdf 100644
--- a/lib/libcrypto/ossl_typ.h
+++ b/lib/libcrypto/ossl_typ.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ossl_typ.h,v 1.24 2023/04/25 17:59:41 tb Exp $ */
+/* $OpenBSD: ossl_typ.h,v 1.25 2023/04/25 18:28:05 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
  *
@@ -159,17 +159,6 @@ typedef struct engine_st ENGINE;
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
-/*
- * Move to x509_local.h in next major bump - x509_vfy.c needs X509_POLICY_TREE
- * and X509_POLICY_CACHE.
- */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
-
 typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
 typedef struct DIST_POINT_st DIST_POINT;
 typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
diff --git a/lib/libcrypto/x509/pcy_int.h b/lib/libcrypto/x509/pcy_int.h
index 5e9edcb9334..e4a20d6ca9c 100644
--- a/lib/libcrypto/x509/pcy_int.h
+++ b/lib/libcrypto/x509/pcy_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_int.h,v 1.2 2023/04/16 07:36:43 tb Exp $ */
+/* $OpenBSD: pcy_int.h,v 1.3 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -64,6 +64,7 @@ __BEGIN_HIDDEN_DECLS
 typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
 DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_NODE)
 /* Internal structures */
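Review bot: The X509_POLICY_NODE_print() prototype that sat beside DECLARE_STACK_OF(X509_POLICY_NODE) in x509v3.h (under a "Move to pcy_int.h" comment) is deleted by this commit, but only the DECLARE_STACK_OF line reappears in this pcy_int.h hunk; no prototype for the print function is added anywhere in the diff. If the definition survives in the policy sources (pcy_node.c is not part of this diff, so I cannot tell), it is now built without a visible prototype, which trips -Wmissing-prototypes and leaves a function that looks public outside the hidden declarations. Either add `void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);` after the new DECLARE_STACK_OF line, or delete the definition in the same commit so the move is self-contained.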
@@ -209,4 +210,26 @@ int policy_node_match(const X509_POLICY_LEVEL *lvl,
 const X509_POLICY_CACHE *policy_cache_set(X509 *x);
+int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
+X509_POLICY_LEVEL *
+ X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
+
+STACK_OF(X509_POLICY_NODE) *
+ X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
+
+STACK_OF(X509_POLICY_NODE) *
+ X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
+
+int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
+
+X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
+
+const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
+
+STACK_OF(POLICYQUALINFO) *
+ X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
+const X509_POLICY_NODE *
+ X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
+
+
 __END_HIDDEN_DECLS
diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h
index 043fc2dacf2..6f711fe3e17 100644
--- a/lib/libcrypto/x509/x509_local.h
+++ b/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.4 2023/04/16 18:42:30 tb Exp $ */
+/* $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -69,6 +69,11 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP EVP_sha512()
 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+
 struct X509_pubkey_st {
 X509_ALGOR *algor;
 ASN1_BIT_STRING *public_key;
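Review bot: The two level accessors land in pcy_int.h with non-const parameters, `int X509_policy_level_node_count(X509_POLICY_LEVEL *level);` and `X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);`, while every sibling tree/node get0 accessor in the same hunk takes a const pointer. Now that these are hidden declarations there is no ABI reason to keep the asymmetry; const-qualifying both here (and in their definitions, which are outside this diff) makes the read-only contract visible to the validator code that calls them. Separately, the comment this commit deletes from x509_vfy.h says only X509_policy_tree_get0_user_policies() is actually used and the rest can be deleted, yet all nine prototypes are carried over unchanged; if that is still accurate, either drop the unused ones now or keep that note above the block so the next cleanup knows which accessor the legacy validator depends on.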
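Review bot: These four typedefs become the only definition of X509_POLICY_NODE/LEVEL/TREE/CACHE once the ossl_typ.h block is removed, and they now sit under __BEGIN_HIDDEN_DECLS in x509_local.h. The pcy_int.h prototypes added in this same commit spell those names out, so every translation unit that includes pcy_int.h must now see x509_local.h first; pcy_int.h's own include list is outside this diff, so confirm it includes x509_local.h itself rather than relying on the include order in each pcy_*.c. A one-line comment above the block, `/* Policy tree types: formerly public via ossl_typ.h, now internal only. */`, would also tell readers why they live here.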
@@ -385,6 +390,13 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ STACK_OF(X509) *certs,
+ STACK_OF(ASN1_OBJECT) *policy_oids,
+ unsigned int flags);
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
+
 __END_HIDDEN_DECLS
 #endif /* !HEADER_X509_LOCAL_H */
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index d54ba783e8d..30118475d13 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.113 2023/04/16 18:48:58 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.114 2023/04/25 18:28:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2601,20 +2601,6 @@ X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 }
 LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain);
-X509_POLICY_TREE *
-X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
-{
- return ctx->tree;
-}
-LCRYPTO_ALIAS(X509_STORE_CTX_get0_policy_tree);
-
-int
-X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
-{
- return ctx->explicit_policy;
-}
-LCRYPTO_ALIAS(X509_STORE_CTX_get_explicit_policy);
-
 int
 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
 {
diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h
index 3eb92b0f7fd..cfa35331195 100644
--- a/lib/libcrypto/x509/x509_vfy.h
+++ b/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.60 2023/04/16 08:30:21 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.61 2023/04/25 18:28:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
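Review bot: The X509_policy_check()/X509_policy_tree_free() prototypes arrive in x509_local.h with no statement of who owns *ptree, what *pexplicit_policy reports, or what the int result means, and the x509_vfy.h block they were lifted from had none either. Since this is the legacy validator's only entry point into policy processing and the commit message says those hooks are about to be replaced, a short contract here would keep the replacement from misreading it; something along the lines of `/* Policy processing over certs. On return *ptree, if set, is owned by the caller and released with X509_policy_tree_free(); *pexplicit_policy reports the explicit-policy outcome. See pcy_tree.c for the return codes. */`. The actual return values are defined in pcy_tree.c, which is outside this diff, so check them before committing the wording.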
@@ -423,12 +423,6 @@ X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
 #define X509_STORE_set_verify_func(ctx, func) \
 X509_STORE_set_verify((ctx), (func))
-/* Remove in next bump. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-#endif
-
 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
@@ -479,44 +473,6 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
 void X509_VERIFY_PARAM_table_cleanup(void);
-/* Move to x509_local.h in next bump - needed by x509_vfy.c. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs,
- STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
-
-/*
- * Move these to pcy_int.h in next bump - X509_policy_tree_get0_user_policies()
- * is actually used, the rest can be deleted.
- */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-X509_POLICY_LEVEL *
- X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
-
-STACK_OF(POLICYQUALINFO) *
- X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
-const X509_POLICY_NODE *
- X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
-
-#endif
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/libcrypto/x509/x509v3.h b/lib/libcrypto/x509/x509v3.h
index 43c2a15e0f2..8738b302cb6 100644
--- a/lib/libcrypto/x509/x509v3.h
+++ b/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.21 2023/04/25 15:51:04 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.22 2023/04/25 18:28:05 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -847,12 +847,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc);
 int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, unsigned long chtype);
-/* Move to pcy_int.h. */
-#if !defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DECLARE_STACK_OF(X509_POLICY_NODE)
-#endif
-
 #ifndef OPENSSL_NO_RFC3779
 typedef struct ASRange_st {
 ASN1_INTEGER *min;