diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 80752d116..0af3ea7df 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -400,7 +400,6 @@ add_library(
 x509/x_x509a.c
 x509v3/pcy_cache.c
 x509v3/pcy_data.c
- x509v3/pcy_lib.c
 x509v3/pcy_map.c
 x509v3/pcy_node.c
 x509v3/pcy_tree.c
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 77f2d976c..790435630 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -72,6 +72,9 @@ extern "C" {
 
 // Internal structures.
 
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+
 typedef struct X509_val_st {
 ASN1_TIME *notBefore;
 ASN1_TIME *notAfter;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5a9735398..b45797af0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1710,6 +1710,9 @@ static int check_policy(X509_STORE_CTX *ctx) {
 if (ctx->parent) {
 return 1;
 }
+ // TODO(davidben): Historically, outputs of the |X509_policy_check| were saved
+ // on |ctx| and accessible via the public API. This has since been removed, so
+ // remove the fields from |X509_STORE_CTX|.
 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
 ctx->param->policies, ctx->param->flags);
 if (ret == 0) {
@@ -2406,14 +2409,6 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 ctx->verify_cb = verify_cb;
 }
 
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) {
- return ctx->tree;
-}
-
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) {
- return ctx->explicit_policy;
-}
-
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
 const X509_VERIFY_PARAM *param;
 param = X509_VERIFY_PARAM_lookup(name);
diff --git a/crypto/x509v3/internal.h b/crypto/x509v3/internal.h
index abace33fd..9c9c42540 100644
--- a/crypto/x509v3/internal.h
+++ b/crypto/x509v3/internal.h
@@ -65,6 +65,11 @@
 #include
 #include
 
+// TODO(davidben): Merge x509 and x509v3. This include is needed because some
+// internal typedefs are shared between the two, but the two modules depend on
+// each other circularly.
+#include "../x509/internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -122,9 +127,6 @@ typedef struct {
 int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
 STACK_OF(CONF_VALUE) **extlist);
 
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DEFINE_STACK_OF(X509_POLICY_DATA)
 
 // Internal structures
 
@@ -133,6 +135,12 @@ DEFINE_STACK_OF(X509_POLICY_DATA)
 // X509_POLICY_NODE contains that. This means that the main policy data can
 // be kept static and cached with the certificate.
 
+typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+
+DEFINE_STACK_OF(X509_POLICY_DATA)
+
 struct X509_POLICY_DATA_st {
 unsigned int flags;
 // Policy OID and qualifiers for this data
@@ -199,6 +207,8 @@ struct X509_POLICY_NODE_st {
 int nchild;
 };
 
+DEFINE_STACK_OF(X509_POLICY_NODE)
+
 struct X509_POLICY_LEVEL_st {
 // Cert for this level
 X509 *cert;
@@ -235,6 +245,14 @@ struct X509_POLICY_TREE_st {
 
 // Internal functions
 
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
+ unsigned int flags);
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
+
 X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
 int crit);
 void policy_data_free(X509_POLICY_DATA *data);
diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c
deleted file mode 100644
index 9a629a382..000000000
--- a/crypto/x509v3/pcy_lib.c
+++ /dev/null
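Review bot: The prototypes moved into the "Internal functions" section of crypto/x509v3/internal.h (`X509_POLICY_NODE_print`, `X509_policy_check`, `X509_policy_tree_free`) arrive without any contract comment, and the public-header declarations they replace are deleted in the same change. The `*ptree` output is the part worth documenting, because check_policy in x509_vfy.c stores it straight into `ctx->tree` and the tree is released somewhere outside this diff. Above `X509_policy_check` I would add a comment along the lines of: `// X509_policy_check evaluates the certificate policies of |certs| against |policy_oids| under |flags|. It returns 1 on success, 0 on error, and a negative value when the policy check itself fails; on success |*ptree| presumably holds the tree the caller must release with |X509_policy_tree_free|.` The 1, 0 and -2 returns are visible in the pcy_tree.c hunks below, but the full set of negative codes and the exact point at which `*ptree` is assigned are not, so confirm the wording against tree_init/tree_evaluate before landing it.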
@@ -1,156 +0,0 @@
-/* pcy_lib.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include
-#include
-
-#include "internal.h"
-
-// accessor functions
-
-// X509_POLICY_TREE stuff
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
- if (!tree) {
- return 0;
- }
- return tree->nlevel;
-}
-
-X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
- int i) {
- if (!tree || (i < 0) || (i >= tree->nlevel)) {
- return NULL;
- }
- return tree->levels + i;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
- const X509_POLICY_TREE *tree) {
- if (!tree) {
- return NULL;
- }
- return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
- const X509_POLICY_TREE *tree) {
- if (!tree) {
- return NULL;
- }
- if (tree->flags & POLICY_FLAG_ANY_POLICY) {
- return tree->auth_policies;
- } else {
- return tree->user_policies;
- }
-}
-
-// X509_POLICY_LEVEL stuff
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
- int n;
- if (!level) {
- return 0;
- }
- if (level->anyPolicy) {
- n = 1;
- } else {
- n = 0;
- }
- if (level->nodes) {
- n += sk_X509_POLICY_NODE_num(level->nodes);
- }
- return n;
-}
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) {
- if (!level) {
- return NULL;
- }
- if (level->anyPolicy) {
- if (i == 0) {
- return level->anyPolicy;
- }
- i--;
- }
- return sk_X509_POLICY_NODE_value(level->nodes, i);
-}
-
-// X509_POLICY_NODE stuff
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
- if (!node) {
- return NULL;
- }
- return node->data->valid_policy;
-}
-
-STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
- const X509_POLICY_NODE *node) {
- if (!node) {
- return NULL;
- }
- return node->data->qualifier_set;
-}
-
-const X509_POLICY_NODE *X509_policy_node_get0_parent(
- const X509_POLICY_NODE *node) {
- if (!node) {
- return NULL;
- }
- return node->parent;
-}
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 673c615ba..44ade30c5 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -811,7 +811,11 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 }
 
 if (*pexplicit_policy) {
- nodes = X509_policy_tree_get0_user_policies(tree);
+ if (tree->flags & POLICY_FLAG_ANY_POLICY) {
+ nodes = tree->auth_policies;
+ } else {
+ nodes = tree->user_policies;
+ }
 if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
 return -2;
 }
@@ -820,8 +824,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 return 1;
 
 error:
- X509_policy_tree_free(tree);
-
 return 0;
 }
 
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 7e58f0038..b74e66fa7 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
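Review bot: The `error:` label in the second pcy_tree.c hunk no longer releases `tree` before `return 0;`, so any `goto error` taken after tree_init succeeded now leaves the tree unreleased unless `*ptree` was already pointed at it by then — the goto sites and the `*ptree = tree` assignment sit above the hunk and are not visible here, as does the rest of `X509_policy_check`. If ownership has in fact already passed to `*ptree` (check_policy in x509_vfy.c stores it in `ctx->tree`), the label should say so, e.g. `// |tree| is already owned by |*ptree|; the caller releases it.`; if not, the removed `X509_policy_tree_free(tree);` should come back. The first hunk inlines the old `X509_policy_tree_get0_user_policies` accessor but drops its `!tree` guard, so `tree->flags` is now dereferenced unconditionally; that is fine only if `tree` is provably non-NULL on this path, which the hunk does not show.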
@@ -364,10 +364,6 @@ typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
 typedef struct Netscape_spkac_st NETSCAPE_SPKAC;
 typedef struct Netscape_spki_st NETSCAPE_SPKI;
 typedef struct RIPEMD160state_st RIPEMD160_CTX;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
 typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
 typedef struct X509_algor_st X509_ALGOR;
 typedef struct X509_crl_st X509_CRL;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 34eb840a3..acb20f44e 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2660,10 +2660,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
 OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
 X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
 
-OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
- X509_STORE_CTX *ctx);
-OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-
 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
 X509_STORE_CTX *ctx);
 OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
@@ -2729,37 +2725,6 @@ OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
 const char *name);
 OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
 
-OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
- int *pexplicit_policy,
- STACK_OF(X509) *certs,
- STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
- const X509_POLICY_TREE *tree, int i);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
- const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
- const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
- X509_POLICY_LEVEL *level, int i);
-
-OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
- const X509_POLICY_NODE *node);
-
-OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
- const X509_POLICY_NODE *node);
-OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
- const X509_POLICY_NODE *node);
-
 #if defined(__cplusplus)
 } // extern C
 
@@ -2784,7 +2749,6 @@ BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
 BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
 BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
 BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
-BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
 BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
 BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
 BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 0ae96137d..38c72cd2b 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -906,10 +906,6 @@ OPENSSL_EXPORT int X509V3_NAME_from_section(X509_NAME *nm,
 STACK_OF(CONF_VALUE) *dn_sk,
 unsigned long chtype);
 
-OPENSSL_EXPORT void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node,
- int indent);
-DEFINE_STACK_OF(X509_POLICY_NODE)
-
 // BEGIN ERROR CODES
 // The following lines are auto generated by the script mkerr.pl. Any changes
 // made after this point may be overwritten when the script is next run.