From: tb <tb@openbsd.org>
Date: Sat, 13 Jan 2024 19:57:38 +0000 (+0000)
Subject: Prepare for removing most of the X509_TRUST API
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=860b359f53e3ca7a3d433c170a891c3d97880625;p=openbsd

Prepare for removing most of the X509_TRUST API

X509_check_trust() is of course used by the verifier. Unfortunately
M2Crypto exposes it. The only other part of the X509_TRUST API that
are still needed are the X509_TRUST_* macros in x509.h, as they are
used via *_set_trust and indirectly via the purpose stuff. The rest
will be removed.

X509_TRUST_add() was defanged recently, in particular it no longer
hangs strdup()'ed strings off the global struct. Nothing ever cleaned
these up. TRUST_cleanup() attempted to do so, but since it checked
the dynamic/dynamic strings flags in the wrong order, that cleanup
call ended up doing nothing, so that code was removed at some point.

As a consequence, the struct can now be made const. Use a CTASSERT()
to ensure size assumptions on X509_TRUST_COUNT, X509_TRUST_MAX, and
X509_TRUST_MIN hold true.

Remove the global variable underlying X509_TRUST_set_default()'s
functionality and move its accessor down to all the other functions
that will be deleted.

Inline a few things in X509_check_trust(), so we can excise the
internals of X509_TRUST_get0(), X509_TRUST_get_by_id(). Since the
default trust function can no longer be changed, call obj_trust()
directly.

ok jsing
---

diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index efa648c9ebb..a6fc4d61c54 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.39 2024/01/10 21:34:53 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.40 2024/01/13 19:57:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -64,6 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "crypto_internal.h"
 #include "x509_local.h"
 
 static int
@@ -129,7 +130,7 @@ trust_1oid(X509_TRUST *trust, X509 *x, int flags)
  * value to get an index into the table
  */
 
-static X509_TRUST trstandard[] = {
+static const X509_TRUST trstandard[] = {
 	{
 		.trust = X509_TRUST_COMPAT,
 		.check_trust = trust_compat,
@@ -181,27 +182,17 @@ static X509_TRUST trstandard[] = {
 
 #define X509_TRUST_COUNT	(sizeof(trstandard) / sizeof(trstandard[0]))
 
-static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
+CTASSERT(X509_TRUST_MIN == 1 && X509_TRUST_MAX == X509_TRUST_COUNT);
 
 int
-(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
-{
-	int (*oldtrust)(int , X509 *, int);
-
-	oldtrust = default_trust;
-	default_trust = trust;
-	return oldtrust;
-}
-LCRYPTO_ALIAS(X509_TRUST_set_default);
-
-int
-X509_check_trust(X509 *x, int id, int flags)
+X509_check_trust(X509 *x, int trust_id, int flags)
 {
-	X509_TRUST *pt;
+	const X509_TRUST *trust;
 	int idx;
 
-	if (id == -1)
+	if (trust_id == -1)
 		return 1;
+
 	/*
 	 * XXX beck/jsing This enables self signed certs to be trusted for
 	 * an unspecified id/trust flag value (this is NOT the
@@ -211,21 +202,36 @@ X509_check_trust(X509 *x, int id, int flags)
 	 * This should be revisited, but changing the default "not default"
 	 * may break things.
 	 */
-	if (id == 0) {
+	if (trust_id == 0) {
 		int rv;
 		rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
 		if (rv != X509_TRUST_UNTRUSTED)
 			return rv;
 		return trust_compat(NULL, x, 0);
 	}
-	idx = X509_TRUST_get_by_id(id);
-	if (idx == -1)
-		return default_trust(id, x, flags);
-	pt = X509_TRUST_get0(idx);
-	return pt->check_trust(pt, x, flags);
+
+	if (trust_id < X509_TRUST_MIN || trust_id > X509_TRUST_MAX)
+		return obj_trust(trust_id, x, flags);
+
+	idx = trust_id - X509_TRUST_MIN;
+	trust = &trstandard[idx];
+
+	return trust->check_trust((X509_TRUST *)trust, x, flags);
 }
 LCRYPTO_ALIAS(X509_check_trust);
 
+/*
+ * Remove all the functions below in the next bump.
+ */
+
+int
+(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+{
+	X509error(ERR_R_DISABLED);
+	return NULL;
+}
+LCRYPTO_ALIAS(X509_TRUST_set_default);
+
 int
 X509_TRUST_get_count(void)
 {
@@ -236,36 +242,24 @@ LCRYPTO_ALIAS(X509_TRUST_get_count);
 X509_TRUST *
 X509_TRUST_get0(int idx)
 {
-	if (idx < 0 || (size_t)idx >= X509_TRUST_COUNT)
-		return NULL;
-
-	return &trstandard[idx];
+	X509error(ERR_R_DISABLED);
+	return NULL;
 }
 LCRYPTO_ALIAS(X509_TRUST_get0);
 
 int
 X509_TRUST_get_by_id(int id)
 {
-	/*
-	 * Ensure the trust identifier is between MIN and MAX inclusive.
-	 * If so, translate it into an index into the trstandard[] table.
-	 */
-	if (id < X509_TRUST_MIN || id > X509_TRUST_MAX)
-		return -1;
-
-	return id - X509_TRUST_MIN;
+	X509error(ERR_R_DISABLED);
+	return -1;
 }
 LCRYPTO_ALIAS(X509_TRUST_get_by_id);
 
 int
 X509_TRUST_set(int *t, int trust)
 {
-	if (X509_TRUST_get_by_id(trust) == -1) {
-		X509error(X509_R_INVALID_TRUST);
-		return 0;
-	}
-	*t = trust;
-	return 1;
+	X509error(ERR_R_DISABLED);
+	return 0;
 }
 LCRYPTO_ALIAS(X509_TRUST_set);