From 8bf270ba7892de922c88e4db0857edca6f8f9f4e Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 28 Apr 2023 16:30:14 +0000
Subject: [PATCH] Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefile with beck
---
 lib/libcrypto/Makefile | 3 +-
 lib/libcrypto/asn1/x_x509.c | 9 +----
 lib/libcrypto/x509/x509_local.h | 23 +-----------
 lib/libcrypto/x509/x509_policy.c | 6 +---
 lib/libcrypto/x509/x509_vfy.c | 62 +-------------------------------
 5 files changed, 5 insertions(+), 98 deletions(-)
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile
index 110ec3fb97a..4238e6df95c 100644
--- a/lib/libcrypto/Makefile
+++ b/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.124 2023/04/28 16:21:57 tb Exp $
+# $OpenBSD: Makefile,v 1.125 2023/04/28 16:30:14 tb Exp $
 LIB= crypto
 LIBREBUILD=y
@@ -19,7 +19,6 @@ CFLAGS+= -Wall -Wundef
 CFLAGS+= -Werror
 .endif
 CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
-CFLAGS+= -DLIBRESSL_HAS_POLICY_DAG
 .ifdef NAMESPACE
 CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
 .endif
diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c
index 5a769abdffb..0c10bec4c86 100644
--- a/lib/libcrypto/asn1/x_x509.c
+++ b/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */
+/* $OpenBSD: x_x509.c,v 1.35 2023/04/28 16:30:14 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -169,10 +169,6 @@ X509_CINF_free(X509_CINF *a)
 }
 /* X509 top level structure needs a bit of customisation */
-#ifndef LIBRESSL_HAS_POLICY_DAG
-extern void policy_cache_free(X509_POLICY_CACHE *cache);
-#endif
-
 static int
 x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 {
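Review bot: Dropping `CFLAGS+= -DLIBRESSL_HAS_POLICY_DAG` in the second Makefile hunk means any `#ifdef LIBRESSL_HAS_POLICY_DAG` left outside the five files in this patch now silently evaluates false, and the `-Wundef` shown in the hunk header only warns for `#if`, not `#ifdef`. The diffstat covers lib/libcrypto only, so a tree-wide grep for the macro (regress tests and anything else including x509_local.h) is worth doing before relying on this, since a leftover guard would compile out certificate-policy code or its tests without any diagnostic. Whether such references remain cannot be told from the patch itself.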
@@ -207,9 +203,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 ASN1_OCTET_STRING_free(ret->skid);
 AUTHORITY_KEYID_free(ret->akid);
 CRL_DIST_POINTS_free(ret->crldp);
-#ifndef LIBRESSL_HAS_POLICY_DAG
- policy_cache_free(ret->policy_cache);
-#endif
 GENERAL_NAMES_free(ret->altname);
 NAME_CONSTRAINTS_free(ret->nc);
 #ifndef OPENSSL_NO_RFC3779
diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h
index 1aa66d2440b..374cba3d58a 100644
--- a/lib/libcrypto/x509/x509_local.h
+++ b/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -69,13 +69,6 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP EVP_sha512()
 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
-#ifndef LIBRESSL_HAS_POLICY_DAG
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
-
 struct X509_pubkey_st {
 X509_ALGOR *algor;
 ASN1_BIT_STRING *public_key;
@@ -178,9 +171,6 @@ struct x509_st {
 unsigned long ex_nscert;
 ASN1_OCTET_STRING *skid;
 AUTHORITY_KEYID *akid;
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_CACHE *policy_cache;
-#endif
 STACK_OF(DIST_POINT) *crldp;
 STACK_OF(GENERAL_NAME) *altname;
 NAME_CONSTRAINTS *nc;
@@ -360,9 +350,6 @@ struct x509_store_ctx_st {
 int valid; /* if 0, rebuild chain */
 int num_untrusted; /* number of untrusted certs in chain */
 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
-#ifndef LIBRESSL_HAS_POLICY_DAG
- X509_POLICY_TREE *tree; /* Valid policy tree */
-#endif
 int explicit_policy; /* Require explicit policy value */
@@ -396,17 +383,9 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int X509_policy_check(const STACK_OF(X509) *certs, const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, X509 **out_current_cert);
-#else
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
 __END_HIDDEN_DECLS
diff --git a/lib/libcrypto/x509/x509_policy.c b/lib/libcrypto/x509/x509_policy.c
index e51e193085a..73f7154f513 100644
--- a/lib/libcrypto/x509/x509_policy.c
+++ b/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.24 2023/04/28 15:57:38 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -26,8 +26,6 @@
 #include "x509_internal.h"
 #include "x509_local.h"
-#ifdef LIBRESSL_HAS_POLICY_DAG
-
 /* XXX move to proper place */
 #define X509_R_INVALID_POLICY_EXTENSION 201
@@ -1019,5 +1017,3 @@ err:
 sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
 return ret;
 }
-
-#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 76847e72241..93dc06ed05d 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1744,7 +1744,6 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 }
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1779,59 +1778,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 return 1;
 }
-#else
-int
-x509_vfy_check_policy(X509_STORE_CTX *ctx)
-{
- int ret;
-
- if (ctx->parent)
- return 1;
-
- /* X509_policy_check always allocates a new tree. */
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
-
- ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
- ctx->param->policies, ctx->param->flags);
- if (ret == 0) {
- X509error(ERR_R_MALLOC_FAILURE);
- return 0;
- }
- /* Invalid or inconsistent extensions */
- if (ret == -1) {
- /* Locate certificates with bad extensions and notify
- * callback.
- */
- X509 *x;
- int i;
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- x = sk_X509_value(ctx->chain, i);
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
- ctx->current_cert = x;
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
- return 1;
- }
- if (ret == -2) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
- return ctx->verify_cb(0, ctx);
- }
-
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
- ctx->current_cert = NULL;
- ctx->error = X509_V_OK;
- if (!ctx->verify_cb(2, ctx))
- return 0;
- }
-
- return 1;
-}
-#endif
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2524,12 +2470,6 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM_free(ctx->param);
 ctx->param = NULL;
 }
-#ifndef LIBRESSL_HAS_POLICY_DAG
- if (ctx->tree != NULL) {
- X509_policy_tree_free(ctx->tree);
- ctx->tree = NULL;
- }
-#endif
 if (ctx->chain != NULL) {
 sk_X509_pop_free(ctx->chain, X509_free);
 ctx->chain = NULL;
--
2.20.1