Unexport all low-level policy machinery.

OpenSSL has a large exported API surface for exporting the policy tree
out of an X509_STORE_CTX. As far as I can tell, no one uses any of these
APIs. Remove them.

Update-Note: It is no longer possible to see the policy tree after an
X.509 verification. As far as we can tell, this feature is unused.

Change-Id: Ieab374774805e90106555ce4e4155f8451ceb5b9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53327
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
chromium-5359
David Benjamin 3 years ago committed by Boringssl LUCI CQ
parent b6f47e88b0
commit 0bfc9b32c4
  1. 1
      crypto/CMakeLists.txt
  2. 3
      crypto/x509/internal.h
  3. 11
      crypto/x509/x509_vfy.c
  4. 24
      crypto/x509v3/internal.h
  5. 156
      crypto/x509v3/pcy_lib.c
  6. 8
      crypto/x509v3/pcy_tree.c
  7. 4
      include/openssl/base.h
  8. 36
      include/openssl/x509.h
  9. 4
      include/openssl/x509v3.h

@ -400,7 +400,6 @@ add_library(
x509/x_x509a.c x509/x_x509a.c
x509v3/pcy_cache.c x509v3/pcy_cache.c
x509v3/pcy_data.c x509v3/pcy_data.c
x509v3/pcy_lib.c
x509v3/pcy_map.c x509v3/pcy_map.c
x509v3/pcy_node.c x509v3/pcy_node.c
x509v3/pcy_tree.c x509v3/pcy_tree.c

@ -72,6 +72,9 @@ extern "C" {
// Internal structures. // Internal structures.
typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
typedef struct X509_val_st { typedef struct X509_val_st {
ASN1_TIME *notBefore; ASN1_TIME *notBefore;
ASN1_TIME *notAfter; ASN1_TIME *notAfter;

@ -1710,6 +1710,9 @@ static int check_policy(X509_STORE_CTX *ctx) {
if (ctx->parent) { if (ctx->parent) {
return 1; return 1;
} }
// TODO(davidben): Historically, outputs of the |X509_policy_check| were saved
// on |ctx| and accessible via the public API. This has since been removed, so
// remove the fields from |X509_STORE_CTX|.
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags); ctx->param->policies, ctx->param->flags);
if (ret == 0) { if (ret == 0) {
@ -2406,14 +2409,6 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
ctx->verify_cb = verify_cb; ctx->verify_cb = verify_cb;
} }
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) {
return ctx->tree;
}
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) {
return ctx->explicit_policy;
}
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
const X509_VERIFY_PARAM *param; const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name); param = X509_VERIFY_PARAM_lookup(name);
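Review bot: The new TODO at lines 58-60 says why `ctx->tree` and `ctx->explicit_policy` still exist, but not who now owns the tree that `X509_policy_check` stores into `ctx->tree`; with the getters at lines 67-72 removed, this call is the only place in the hunk where the field is touched, and the release point is outside it (check_policy itself begins before line 54). Until the fields are dropped, a reader of this line cannot tell whether the stored tree is freed or leaked per verification. Extend the comment with the ownership fact once confirmed against the ctx cleanup code, along the lines of `// |ctx->tree| is still owned by |ctx| and released on cleanup; nothing reads it.`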

@ -65,6 +65,11 @@
#include <openssl/stack.h> #include <openssl/stack.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
// TODO(davidben): Merge x509 and x509v3. This include is needed because some
// internal typedefs are shared between the two, but the two modules depend on
// each other circularly.
#include "../x509/internal.h"
#if defined(__cplusplus) #if defined(__cplusplus)
extern "C" { extern "C" {
#endif #endif
@ -122,9 +127,6 @@ typedef struct {
int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
STACK_OF(CONF_VALUE) **extlist); STACK_OF(CONF_VALUE) **extlist);
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
DEFINE_STACK_OF(X509_POLICY_DATA)
// Internal structures // Internal structures
@ -133,6 +135,12 @@ DEFINE_STACK_OF(X509_POLICY_DATA)
// X509_POLICY_NODE contains that. This means that the main policy data can // X509_POLICY_NODE contains that. This means that the main policy data can
// be kept static and cached with the certificate. // be kept static and cached with the certificate.
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
DEFINE_STACK_OF(X509_POLICY_DATA)
struct X509_POLICY_DATA_st { struct X509_POLICY_DATA_st {
unsigned int flags; unsigned int flags;
// Policy OID and qualifiers for this data // Policy OID and qualifiers for this data
@ -199,6 +207,8 @@ struct X509_POLICY_NODE_st {
int nchild; int nchild;
}; };
DEFINE_STACK_OF(X509_POLICY_NODE)
struct X509_POLICY_LEVEL_st { struct X509_POLICY_LEVEL_st {
// Cert for this level // Cert for this level
X509 *cert; X509 *cert;
@ -235,6 +245,14 @@ struct X509_POLICY_TREE_st {
// Internal functions // Internal functions
void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
unsigned int flags);
void X509_policy_tree_free(X509_POLICY_TREE *tree);
X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
int crit); int crit);
void policy_data_free(X509_POLICY_DATA *data); void policy_data_free(X509_POLICY_DATA *data);
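Review bot: The prototypes for `X509_policy_check` and `X509_policy_tree_free` become internal at lines 113-116 without a contract comment, and the public declarations removed from x509.h (lines 306-311) had none either, so the output and error semantics now live only in pcy_tree.c. A header comment on `X509_policy_check` should record what the pcy_tree.c hunk shows: it returns 1 on success, -2 when `*pexplicit_policy` is set but the selected policy set is empty, and 0 on error after freeing the tree it built. Whether `*ptree` is set to NULL, left untouched, or left dangling on the error path is not visible here and should be confirmed before being documented; likewise state that the caller releases a successful `*ptree` with `X509_policy_tree_free`, which the x509_vfy.c caller appears to rely on but does not show.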

@ -1,156 +0,0 @@
/* pcy_lib.c */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
* 2004.
*/
/* ====================================================================
* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "internal.h"
// accessor functions
// X509_POLICY_TREE stuff
int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
if (!tree) {
return 0;
}
return tree->nlevel;
}
X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
int i) {
if (!tree || (i < 0) || (i >= tree->nlevel)) {
return NULL;
}
return tree->levels + i;
}
STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
const X509_POLICY_TREE *tree) {
if (!tree) {
return NULL;
}
return tree->auth_policies;
}
STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
const X509_POLICY_TREE *tree) {
if (!tree) {
return NULL;
}
if (tree->flags & POLICY_FLAG_ANY_POLICY) {
return tree->auth_policies;
} else {
return tree->user_policies;
}
}
// X509_POLICY_LEVEL stuff
int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
int n;
if (!level) {
return 0;
}
if (level->anyPolicy) {
n = 1;
} else {
n = 0;
}
if (level->nodes) {
n += sk_X509_POLICY_NODE_num(level->nodes);
}
return n;
}
X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) {
if (!level) {
return NULL;
}
if (level->anyPolicy) {
if (i == 0) {
return level->anyPolicy;
}
i--;
}
return sk_X509_POLICY_NODE_value(level->nodes, i);
}
// X509_POLICY_NODE stuff
const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
if (!node) {
return NULL;
}
return node->data->valid_policy;
}
STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
const X509_POLICY_NODE *node) {
if (!node) {
return NULL;
}
return node->data->qualifier_set;
}
const X509_POLICY_NODE *X509_policy_node_get0_parent(
const X509_POLICY_NODE *node) {
if (!node) {
return NULL;
}
return node->parent;
}

@ -811,7 +811,11 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
} }
if (*pexplicit_policy) { if (*pexplicit_policy) {
nodes = X509_policy_tree_get0_user_policies(tree); if (tree->flags & POLICY_FLAG_ANY_POLICY) {
nodes = tree->auth_policies;
} else {
nodes = tree->user_policies;
}
if (sk_X509_POLICY_NODE_num(nodes) <= 0) { if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
return -2; return -2;
} }
@ -820,8 +824,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
return 1; return 1;
error: error:
X509_policy_tree_free(tree); X509_policy_tree_free(tree);
return 0; return 0;
} }
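Review bot: The inlined selection at lines 267-271 drops the `!tree` guard that the removed `X509_policy_tree_get0_user_policies` accessor had (pcy_lib.c lines 203-213), so `tree->flags` is now dereferenced unconditionally inside the `*pexplicit_policy` branch. If every path reaching this point has already allocated `tree` — the start of `X509_policy_check` is outside the hunk, so I cannot confirm — this is fine and deserves a one-line comment such as `// |tree| is non-NULL here.` If not, the old code returned -2 via `sk_X509_POLICY_NODE_num(NULL) <= 0`, and that behaviour should be kept by initialising `nodes = NULL;` and wrapping the new `if`/`else` in `if (tree != NULL) { ... }`.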

@ -364,10 +364,6 @@ typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
typedef struct Netscape_spkac_st NETSCAPE_SPKAC; typedef struct Netscape_spkac_st NETSCAPE_SPKAC;
typedef struct Netscape_spki_st NETSCAPE_SPKI; typedef struct Netscape_spki_st NETSCAPE_SPKI;
typedef struct RIPEMD160state_st RIPEMD160_CTX; typedef struct RIPEMD160state_st RIPEMD160_CTX;
typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM; typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
typedef struct X509_algor_st X509_ALGOR; typedef struct X509_algor_st X509_ALGOR;
typedef struct X509_crl_st X509_CRL; typedef struct X509_crl_st X509_CRL;

@ -2660,10 +2660,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
X509_STORE_CTX *ctx);
OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
X509_STORE_CTX *ctx); X509_STORE_CTX *ctx);
OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
@ -2729,37 +2725,6 @@ OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
const char *name); const char *name);
OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void); OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
int *pexplicit_policy,
STACK_OF(X509) *certs,
STACK_OF(ASN1_OBJECT) *policy_oids,
unsigned int flags);
OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
const X509_POLICY_TREE *tree, int i);
OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
const X509_POLICY_TREE *tree);
OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
const X509_POLICY_TREE *tree);
OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
X509_POLICY_LEVEL *level, int i);
OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
const X509_POLICY_NODE *node);
OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
const X509_POLICY_NODE *node);
OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
const X509_POLICY_NODE *node);
#if defined(__cplusplus) #if defined(__cplusplus)
} // extern C } // extern C
@ -2784,7 +2749,6 @@ BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free) BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free) BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free) BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free) BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free) BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free) BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)

@ -906,10 +906,6 @@ OPENSSL_EXPORT int X509V3_NAME_from_section(X509_NAME *nm,
STACK_OF(CONF_VALUE) *dn_sk, STACK_OF(CONF_VALUE) *dn_sk,
unsigned long chtype); unsigned long chtype);
OPENSSL_EXPORT void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node,
int indent);
DEFINE_STACK_OF(X509_POLICY_NODE)
// BEGIN ERROR CODES // BEGIN ERROR CODES
// The following lines are auto generated by the script mkerr.pl. Any changes // The following lines are auto generated by the script mkerr.pl. Any changes
// made after this point may be overwritten when the script is next run. // made after this point may be overwritten when the script is next run.
