From e6cf98fc7d5804d61e00338a14d47ceef0b22826 Mon Sep 17 00:00:00 2001 From: beck Date: Wed, 26 Apr 2023 19:11:32 +0000 Subject: [PATCH] Make the new policy code in x509_policy.c to be selectable at compile time. The old policy codes remains the default, with the new policy code selectable by defining LIBRESSL_HAS_POLICY_DAG. ok tb@ jsing@ --- lib/libcrypto/asn1/x_x509.c | 6 ++++- lib/libcrypto/x509/pcy_cache.c | 6 ++++- lib/libcrypto/x509/pcy_data.c | 6 ++++- lib/libcrypto/x509/pcy_int.h | 6 ++++- lib/libcrypto/x509/pcy_lib.c | 6 ++++- lib/libcrypto/x509/pcy_map.c | 6 ++++- lib/libcrypto/x509/pcy_node.c | 6 ++++- lib/libcrypto/x509/pcy_tree.c | 6 ++++- lib/libcrypto/x509/x509_cpols.c | 6 ++++- lib/libcrypto/x509/x509_local.h | 21 ++++++++++++---- lib/libcrypto/x509/x509_policy.c | 4 +++ lib/libcrypto/x509/x509_vfy.c | 42 +++++++++++++++++++++++++++++++- 12 files changed, 106 insertions(+), 15 deletions(-) diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c index df66153c455..5a769abdffb 100644 --- a/lib/libcrypto/asn1/x_x509.c +++ b/lib/libcrypto/asn1/x_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509.c,v 1.33 2023/04/24 08:09:29 job Exp $ */ +/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -169,7 +169,9 @@ X509_CINF_free(X509_CINF *a) } /* X509 top level structure needs a bit of customisation */ +#ifndef LIBRESSL_HAS_POLICY_DAG extern void policy_cache_free(X509_POLICY_CACHE *cache); +#endif static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -205,7 +207,9 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); +#ifndef LIBRESSL_HAS_POLICY_DAG policy_cache_free(ret->policy_cache); +#endif GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 
diff --git a/lib/libcrypto/x509/pcy_cache.c b/lib/libcrypto/x509/pcy_cache.c index 6424160db88..10cefd7f34a 100644 --- a/lib/libcrypto/x509/pcy_cache.c +++ b/lib/libcrypto/x509/pcy_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_cache.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */ +/* $OpenBSD: pcy_cache.c,v 1.4 2023/04/26 19:11:32 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -59,6 +59,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" #include "x509_local.h" @@ -270,3 +272,5 @@ policy_cache_set_int(long *out, ASN1_INTEGER *value) *out = ASN1_INTEGER_get(value); return 1; } + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/pcy_data.c b/lib/libcrypto/x509/pcy_data.c index dadacb5266b..f0fdfe18ef6 100644 --- a/lib/libcrypto/x509/pcy_data.c +++ b/lib/libcrypto/x509/pcy_data.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: pcy_data.c,v 1.2 2023/04/26 19:11:32 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -59,6 +59,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" /* Policy Node routines */ @@ -127,3 +129,5 @@ err: ASN1_OBJECT_free(id); return NULL; } + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/pcy_int.h b/lib/libcrypto/x509/pcy_int.h index b183979d87d..43bd548f66d 100644 --- a/lib/libcrypto/x509/pcy_int.h +++ b/lib/libcrypto/x509/pcy_int.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_int.h,v 1.4 2023/04/25 18:53:42 tb Exp $ */ +/* $OpenBSD: pcy_int.h,v 1.5 2023/04/26 19:11:32 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -56,6 +56,8 @@ * */ +#ifndef LIBRESSL_HAS_POLICY_DAG + /* Needed to pull in the typedefs for X509_POLICY_* */ #include "x509_local.h" @@ -275,3 +277,5 @@ const X509_POLICY_NODE * __END_HIDDEN_DECLS + +#endif /* LIBRESSL_HAS_POLICY_DAG */ 
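Review bot: The closing guard comments added to pcy_cache.c, pcy_data.c and pcy_int.h read `#endif /* LIBRESSL_HAS_POLICY_DAG */` although the directive they close is `#ifndef`, so the comment names the opposite of the condition under which the enclosed code is compiled. The usual convention is to negate it, `#endif /* !LIBRESSL_HAS_POLICY_DAG */`, which also visually distinguishes these blocks from the `#ifdef` block in x509_policy.c, whose trailing comment is correct as written. The same `#endif` lines in pcy_lib.c, pcy_map.c, pcy_node.c and pcy_tree.c have the same inverted comment.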
diff --git a/lib/libcrypto/x509/pcy_lib.c b/lib/libcrypto/x509/pcy_lib.c index e4d3fd9fa84..0c8978bd703 100644 --- a/lib/libcrypto/x509/pcy_lib.c +++ b/lib/libcrypto/x509/pcy_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_lib.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: pcy_lib.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -59,6 +59,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" /* accessor functions */ @@ -164,3 +166,5 @@ X509_policy_node_get0_parent(const X509_POLICY_NODE *node) return node->parent; } LCRYPTO_ALIAS(X509_policy_node_get0_parent); + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/pcy_map.c b/lib/libcrypto/x509/pcy_map.c index fe21ba14d18..ffbc6f75f05 100644 --- a/lib/libcrypto/x509/pcy_map.c +++ b/lib/libcrypto/x509/pcy_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_map.c,v 1.3 2022/11/26 16:08:54 tb Exp $ */ +/* $OpenBSD: pcy_map.c,v 1.4 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -59,6 +59,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" #include "x509_local.h" @@ -125,3 +127,5 @@ bad_mapping: sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); return ret; } + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/pcy_node.c b/lib/libcrypto/x509/pcy_node.c index 3a0f230bb3a..1daf7e2affc 100644 --- a/lib/libcrypto/x509/pcy_node.c +++ b/lib/libcrypto/x509/pcy_node.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: pcy_node.c,v 1.2 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -60,6 +60,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" static int 
@@ -198,3 +200,5 @@ policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, } return 0; } + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/pcy_tree.c b/lib/libcrypto/x509/pcy_tree.c index 56e05910cd6..eb3c427a3a1 100644 --- a/lib/libcrypto/x509/pcy_tree.c +++ b/lib/libcrypto/x509/pcy_tree.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_tree.c,v 1.6 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -59,6 +59,8 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG + #include "pcy_int.h" #include "x509_local.h" @@ -771,3 +773,5 @@ error: return 0; } LCRYPTO_ALIAS(X509_policy_check); + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c index af8f16c9b09..bac02093710 100644 --- a/lib/libcrypto/x509/x509_cpols.c +++ b/lib/libcrypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -65,7 +65,9 @@ #include #include +#ifndef LIBRESSL_HAS_POLICY_DAG #include "pcy_int.h" +#endif #include "x509_local.h" /* Certificate policies extension support: this one is a bit complex... */ @@ -766,6 +768,7 @@ print_notice(BIO *out, USERNOTICE *notice, int indent) notice->exptext->length, notice->exptext->data); } +#ifndef LIBRESSL_HAS_POLICY_DAG void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) { @@ -783,3 +786,4 @@ X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); } LCRYPTO_ALIAS(X509_POLICY_NODE_print); +#endif diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h index 6f711fe3e17..1aa66d2440b 100644 
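Review bot: The `#ifndef LIBRESSL_HAS_POLICY_DAG` wrapped around `X509_POLICY_NODE_print` in x509_cpols.c compiles out a symbol that `LCRYPTO_ALIAS(X509_POLICY_NODE_print)` exports from libcrypto, and the whole-file guards in pcy_lib.c and pcy_tree.c do the same for `X509_policy_node_get0_parent`, `X509_policy_check` and the other aliased `X509_policy_*` accessors. A build with the DAG selected therefore ships a different exported-symbol set than the default build: consumers of those functions fail to link, or, if the x509_policy.c variant of `X509_policy_check` is exported under the same name (not visible on this page), bind to a function with a different signature. It would be worth saying in the commit message that LIBRESSL_HAS_POLICY_DAG is an internal, API-changing switch rather than a supported configuration, or keeping the old accessors as stubs until the old code is removed; the affected function bodies in pcy_lib.c lie outside the hunks shown.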
--- a/lib/libcrypto/x509/x509_local.h +++ b/lib/libcrypto/x509/x509_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_local.h,v 1.5 2023/04/25 18:28:05 tb Exp $ */ +/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2013. */ @@ -69,10 +69,12 @@ __BEGIN_HIDDEN_DECLS #define X509_CRL_HASH_EVP EVP_sha512() #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH +#ifndef LIBRESSL_HAS_POLICY_DAG typedef struct X509_POLICY_NODE_st X509_POLICY_NODE; typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL; typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; +#endif struct X509_pubkey_st { X509_ALGOR *algor; @@ -176,7 +178,9 @@ struct x509_st { unsigned long ex_nscert; ASN1_OCTET_STRING *skid; AUTHORITY_KEYID *akid; +#ifndef LIBRESSL_HAS_POLICY_DAG X509_POLICY_CACHE *policy_cache; +#endif STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; @@ -356,7 +360,9 @@ struct x509_store_ctx_st { int valid; /* if 0, rebuild chain */ int num_untrusted; /* number of untrusted certs in chain */ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ - X509_POLICY_TREE *tree; /* Valid policy tree */ +#ifndef LIBRESSL_HAS_POLICY_DAG + X509_POLICY_TREE *tree; /* Valid policy tree */ +#endif int explicit_policy; /* Require explicit policy value */ 
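Review bot: Making `policy_cache` in `struct x509_st` and `tree` in `struct x509_store_ctx_st` conditional on LIBRESSL_HAS_POLICY_DAG makes the layout of both structs depend on a preprocessor define, so every translation unit that includes x509_local.h must see the same definition; a mismatch is not a link error but a silent disagreement about member offsets between objects, i.e. a memory-safety bug. The page does not show where LIBRESSL_HAS_POLICY_DAG is defined; if it is supplied per file or from the build command line rather than from one configuration header included by all of libcrypto, that should be changed or at least called out beside the guard, e.g. `/* LIBRESSL_HAS_POLICY_DAG changes this struct's layout; it must be defined identically for every object in libcrypto. */`. The `struct x509_store_ctx_st` hunk appears cut off after `explicit_policy`, so its trailing context is not visible here.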
@@ -390,12 +396,17 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); int name_cmp(const char *name, const char *cmp); +#ifdef LIBRESSL_HAS_POLICY_DAG +int X509_policy_check(const STACK_OF(X509) *certs, + const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, + X509 **out_current_cert); +#else int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, - unsigned int flags); + STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids, + unsigned int flags); void X509_policy_tree_free(X509_POLICY_TREE *tree); +#endif __END_HIDDEN_DECLS diff --git a/lib/libcrypto/x509/x509_policy.c b/lib/libcrypto/x509/x509_policy.c index c9618dbf230..d49d86856c9 100644 --- a/lib/libcrypto/x509/x509_policy.c +++ b/lib/libcrypto/x509/x509_policy.c @@ -25,6 +25,8 @@ #include "x509_internal.h" #include "x509_local.h" +#ifdef LIBRESSL_HAS_POLICY_DAG + /* XXX move to proper place */ #define X509_R_INVALID_POLICY_EXTENSION 201 @@ -856,3 +858,5 @@ err: sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free); return ret; } + +#endif /* LIBRESSL_HAS_POLICY_DAG */ diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 4b042e0b267..76847e72241 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.115 2023/04/25 18:37:56 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
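Review bot: The DAG declaration of `X509_policy_check` in x509_local.h has a different contract from the one it replaces — judging by its use in x509_vfy.c it returns an X509_V_* code instead of a success flag and hands back the failing certificate through `out_current_cert` — yet neither declaration carries a comment, and the two share a name while differing in parameter types (`unsigned long` versus `unsigned int` for `flags`). A short comment on the new prototype would save callers a trip into x509_policy.c, e.g. `/* Returns X509_V_OK, or an X509_V_ERR_* code with *out_current_cert set to the certificate that failed (may be NULL). */`. The NULL case should be confirmed against the implementation, whose body in x509_policy.c is outside this hunk.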
@@ -1743,6 +1743,43 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 return 1;
 }
+
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int
+x509_vfy_check_policy(X509_STORE_CTX *ctx)
+{
+ X509 *current_cert = NULL;
+ int ret;
+
+ if (ctx->parent != NULL)
+ return 1;
+
+ ret = X509_policy_check(ctx->chain, ctx->param->policies,
+ ctx->param->flags, ¤t_cert);
+ if (ret != X509_V_OK) {
+ ctx->current_cert = current_cert;
+ ctx->error = ret;
+ if (ret == X509_V_ERR_OUT_OF_MEM)
+ return 0;
+ return ctx->verify_cb(0, ctx);
+ }
+
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
+ ctx->current_cert = NULL;
+ /*
+ * Verification errors need to be "sticky", a callback may have
+ * allowed an SSL handshake to continue despite an error, and
+ * we must then remain in an error state. Therefore, we MUST
+ * NOT clear earlier verification errors by setting the error
+ * to X509_V_OK.
+ */
+ if (!ctx->verify_cb(2, ctx))
+ return 0;
+ }
+
+ return 1;
+}
+#else
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1794,6 +1831,7 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 return 1;
 }
+#endif
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2486,10 +2524,12 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM_free(ctx->param);
 ctx->param = NULL;
 }
+#ifndef LIBRESSL_HAS_POLICY_DAG
 if (ctx->tree != NULL) {
 X509_policy_tree_free(ctx->tree);
 ctx->tree = NULL;
 }
+#endif
 if (ctx->chain != NULL) {
 sk_X509_pop_free(ctx->chain, X509_free);
 ctx->chain = NULL;
-- 2.20.1
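Review bot: In the new `x509_vfy_check_policy`, `ctx->current_cert` is set from the certificate reported by `X509_policy_check` when it fails, but `ctx->error_depth` is left untouched, so a verify callback that logs or decides on `X509_STORE_CTX_get_error_depth()` sees whatever depth the previous check left behind. The non-DAG implementation after `#else` starts outside the hunk, so I cannot confirm whether it maintains the depth, but if it does the two variants should agree, e.g. `if (current_cert != NULL) ctx->error_depth = sk_X509_find(ctx->chain, current_cert);` before the callback is invoked. Returning 0 on `X509_V_ERR_OUT_OF_MEM` without consulting `verify_cb` is the right call, since an allocation failure must not be overridable by a permissive callback. The `¤t_cert` token in the `X509_policy_check` call is presumably `&current_cert` garbled by page extraction rather than what is in the source.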