From b518871a9ff8bd03209ba8040800275af6a05c5c Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 31 Aug 2024 10:12:23 +0000
Subject: [PATCH] Remove X509_check_trust() and some related defines

Someone thought it would be a good idea to append non-standard trust information to the certs in the trust store. This API is used to inspect that depending on the intended purpose of the cert. Only M2Crypto thought it necessary to expose this. It was adjusted.

ok beck jsing
---
 lib/libcrypto/Symbols.list | 1 -
 lib/libcrypto/hidden/openssl/x509.h | 3 +--
 lib/libcrypto/x509/x509.h | 20 +-------------------
 lib/libcrypto/x509/x509_local.h | 15 ++++++++-------
 lib/libcrypto/x509/x509_trs.c | 7 +------
 5 files changed, 11 insertions(+), 35 deletions(-)

diff --git a/lib/libcrypto/Symbols.list b/lib/libcrypto/Symbols.list
index 3c14b481ad4..6b3a8e12675 100644
--- a/lib/libcrypto/Symbols.list
+++ b/lib/libcrypto/Symbols.list
@@ -2714,7 +2714,6 @@ X509_check_ip_asc
 X509_check_issued
 X509_check_private_key
 X509_check_purpose
-X509_check_trust
 X509_cmp
 X509_cmp_current_time
 X509_cmp_time
diff --git a/lib/libcrypto/hidden/openssl/x509.h b/lib/libcrypto/hidden/openssl/x509.h
index d0ebe167902..03216ffeb2d 100644
--- a/lib/libcrypto/hidden/openssl/x509.h
+++ b/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.10 2024/08/28 08:41:18 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.11 2024/08/31 10:12:23 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck
  *
@@ -265,7 +265,6 @@ LCRYPTO_USED(X509_ATTRIBUTE_get0_type);
 LCRYPTO_USED(X509_verify_cert);
 LCRYPTO_USED(X509_find_by_issuer_and_serial);
 LCRYPTO_USED(X509_find_by_subject);
-LCRYPTO_USED(X509_check_trust);
 LCRYPTO_USED(X509_up_ref);
 LCRYPTO_USED(X509_chain_up_ref);
 LCRYPTO_USED(ERR_load_X509_strings);
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 856ad19ba45..3ab35d3d919 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.113 2024/08/28 07:15:04 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.114 2024/08/31 10:12:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -153,11 +153,6 @@ typedef struct x509_cinf_st X509_CINF;
 DECLARE_STACK_OF(X509)
-/* standard trust ids */
-
-/* OpenSSL changed this to 0 */
-#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
-
 #define X509_TRUST_COMPAT 1
 #define X509_TRUST_SSL_CLIENT 2
 #define X509_TRUST_SSL_SERVER 3
@@ -171,17 +166,6 @@ DECLARE_STACK_OF(X509)
 #define X509_TRUST_MIN 1
 #define X509_TRUST_MAX 8
-
-/* trust_flags values */
-#define X509_TRUST_DYNAMIC 1
-#define X509_TRUST_DYNAMIC_NAME 2
-
-/* check_trust return codes */
-
-#define X509_TRUST_TRUSTED 1
-#define X509_TRUST_REJECTED 2
-#define X509_TRUST_UNTRUSTED 3
-
 /* Flags for X509_print_ex() */
 #define X509_FLAG_COMPAT 0
@@ -1013,8 +997,6 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, int ptype,
 int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, X509_ALGOR **pa, X509_PUBKEY *pub);
-int X509_check_trust(X509 *x, int id, int flags);
-
 int X509_up_ref(X509 *x);
 STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h
index b5a02b11464..0f0d5c1de5f 100644
--- a/lib/libcrypto/x509/x509_local.h
+++ b/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.28 2024/08/31 10:04:50 tb Exp $ */
+/* $OpenBSD: x509_local.h,v 1.29 2024/08/31 10:12:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -71,14 +71,15 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP EVP_sha512()
 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
-/*
- * Used internally instead of the confusing X509_TRUST_DEFAULT,
- * which is not the default for X509_check_trust.
- * XXX Make X509_check_trust internal, and move the other
- * X509_TRUST values here to clean up this mess.
- */
 #define X509_TRUST_ACCEPT_ALL -1
+/* check_trust return codes */
+#define X509_TRUST_TRUSTED 1
+#define X509_TRUST_REJECTED 2
+#define X509_TRUST_UNTRUSTED 3
+
+int X509_check_trust(X509 *x, int id, int flags);
+
 struct X509_pubkey_st {
 X509_ALGOR *algor;
 ASN1_BIT_STRING *public_key;
diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index 9ba8194ee0d..e7e42a83cde 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.58 2024/08/31 10:12:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -147,10 +147,6 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 if (!x509v3_cache_extensions(x))
 return X509_TRUST_UNTRUSTED;
-/*
- * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
- * need to have the same -1 value as X509_TRUST_DEFAULT
- */
 if (trust_id == X509_TRUST_ACCEPT_ALL)
 return 1;
@@ -175,4 +171,3 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 return trust_if_self_signed(x);
 }
 }
-LCRYPTO_ALIAS(X509_check_trust);
-- 
2.20.1
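Review bot: The prototype added as `+int X509_check_trust(X509 *x, int id, int flags);` names its second parameter `id`, while the definition in x509_trs.c (visible in that file's hunk headers) calls it `trust_id`; since this internal header is now the only declaration, make them agree with `int X509_check_trust(X509 *x, int trust_id, int flags);`. The deleted block comment was the only explanation of why `X509_TRUST_ACCEPT_ALL` is -1, and the value is kept after the public `X509_TRUST_DEFAULT` that forced it is removed, so a one-line note above it would preserve that history, e.g. `/* -1 inherited from the removed X509_TRUST_DEFAULT; distinct from every X509_TRUST_* id */` (whether any remaining caller depends on the literal -1 is not visible from this diff). The newly internal prototype also has no contract comment; a two-line comment saying that it returns X509_TRUST_TRUSTED, X509_TRUST_REJECTED or X509_TRUST_UNTRUSTED (X509_TRUST_UNTRUSTED when extension caching fails) and that `trust_id == X509_TRUST_ACCEPT_ALL` trusts the certificate unconditionally would document what the x509_trs.c hunk shows.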
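Review bot: After the XXX comment is dropped, `return 1;` following the `trust_id == X509_TRUST_ACCEPT_ALL` test is the only bare numeric exit left in this hunk, while the exit two lines above uses `return X509_TRUST_UNTRUSTED;`; now that the return codes sit next to the prototype in x509_local.h, the literal should read `return X509_TRUST_TRUSTED;` so it is visibly the same code callers compare against. This is the unconditional-trust path for an intentionally trusted store entry, so making the result symbolic also makes the special case easier to audit. X509_check_trust begins before this hunk and continues past it.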