Remove X509_VERIFY_PARAM names
The getter and setter are never used, largely because named parameters
don't do anything. The field only exists for X509_VERIFY_PARAM_lookup,
where we have to cast away const because the library expects to have to
free the string.
Just replace X509_VERIFY_PARAM_lookup with a handful of strcmp calls.
As part of this, merge the pkcs7 and smime_sign entries. They were
identical.
Update-Note: Removed some unused functions.
Change-Id: If4eaad52b50d28b83335f6b545af81063e0756d7
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64135
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 68919b6..8bab23a 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -273,7 +273,6 @@
DECLARE_ASN1_ITEM(X509_CRL)
struct X509_VERIFY_PARAM_st {
- char *name;
int64_t check_time; // POSIX time to use
unsigned long inh_flags; // Inheritance flags
unsigned long flags; // Various verify flags
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index c13437d..d6fdffe 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -123,7 +123,6 @@
if (!param) {
return;
}
- param->name = NULL;
param->purpose = 0;
param->trust = 0;
// param->inh_flags = X509_VP_FLAG_DEFAULT;
@@ -335,17 +334,6 @@
return 1;
}
-int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) {
- if (param->name) {
- OPENSSL_free(param->name);
- }
- param->name = OPENSSL_strdup(name);
- if (param->name) {
- return 1;
- }
- return 0;
-}
-
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) {
param->flags |= flags;
return 1;
@@ -482,68 +470,54 @@
return param->depth;
}
-const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) {
- return param->name;
-}
+static const X509_VERIFY_PARAM kDefaultParam = {
+ /*check_time=*/0,
+ /*inh_flags=*/0,
+ /*flags=*/X509_V_FLAG_TRUSTED_FIRST,
+ /*purpose=*/0,
+ /*trust=*/0,
+ /*depth=*/100};
-#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0, 0
+static const X509_VERIFY_PARAM kSMIMESignParam = {
+ /*check_time=*/0,
+ /*inh_flags=*/0,
+ /*flags=*/0,
+ /*purpose=*/X509_PURPOSE_SMIME_SIGN,
+ /*trust=*/X509_TRUST_EMAIL,
+ /*depth=*/-1};
-// Default verify parameters: these are used for various applications and can
-// be overridden by the user specified table. NB: the 'name' field *must* be
-// in alphabetical order because it will be searched using OBJ_search.
+static const X509_VERIFY_PARAM kSSLClientParam = {
+ /*check_time=*/0,
+ /*inh_flags=*/0,
+ /*flags=*/0,
+ /*purpose=*/X509_PURPOSE_SSL_CLIENT,
+ /*trust=*/X509_TRUST_SSL_CLIENT,
+ /*depth=*/-1};
-static const X509_VERIFY_PARAM default_table[] = {
- {(char *)"default", // X509 default parameters
- 0, // Check time
- 0, // internal flags
- X509_V_FLAG_TRUSTED_FIRST, // flags
- 0, // purpose
- 0, // trust
- 100, // depth
- NULL, // policies
- vpm_empty_id},
- {(char *)"pkcs7", // S/MIME sign parameters
- 0, // Check time
- 0, // internal flags
- 0, // flags
- X509_PURPOSE_SMIME_SIGN, // purpose
- X509_TRUST_EMAIL, // trust
- -1, // depth
- NULL, // policies
- vpm_empty_id},
- {(char *)"smime_sign", // S/MIME sign parameters
- 0, // Check time
- 0, // internal flags
- 0, // flags
- X509_PURPOSE_SMIME_SIGN, // purpose
- X509_TRUST_EMAIL, // trust
- -1, // depth
- NULL, // policies
- vpm_empty_id},
- {(char *)"ssl_client", // SSL/TLS client parameters
- 0, // Check time
- 0, // internal flags
- 0, // flags
- X509_PURPOSE_SSL_CLIENT, // purpose
- X509_TRUST_SSL_CLIENT, // trust
- -1, // depth
- NULL, // policies
- vpm_empty_id},
- {(char *)"ssl_server", // SSL/TLS server parameters
- 0, // Check time
- 0, // internal flags
- 0, // flags
- X509_PURPOSE_SSL_SERVER, // purpose
- X509_TRUST_SSL_SERVER, // trust
- -1, // depth
- NULL, // policies
- vpm_empty_id}};
+static const X509_VERIFY_PARAM kSSLServerParam = {
+ /*check_time=*/0,
+ /*inh_flags=*/0,
+ /*flags=*/0,
+ /*purpose=*/X509_PURPOSE_SSL_SERVER,
+ /*trust=*/X509_TRUST_SSL_SERVER,
+ /*depth=*/-1};
const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) {
- for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(default_table); i++) {
- if (strcmp(default_table[i].name, name) == 0) {
- return &default_table[i];
- }
+ if (strcmp(name, "default") == 0) {
+ return &kDefaultParam;
+ }
+ if (strcmp(name, "pkcs7") == 0) {
+ // PKCS#7 and S/MIME signing use the same defaults.
+ return &kSMIMESignParam;
+ }
+ if (strcmp(name, "smime_sign") == 0) {
+ return &kSMIMESignParam;
+ }
+ if (strcmp(name, "ssl_client") == 0) {
+ return &kSSLClientParam;
+ }
+ if (strcmp(name, "ssl_server") == 0) {
+ return &kSSLServerParam;
}
return NULL;
}
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index d765477..83c0620 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3146,8 +3146,6 @@
const X509_VERIFY_PARAM *from);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
const X509_VERIFY_PARAM *from);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param,
- const char *name);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
unsigned long flags);
OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
@@ -3225,9 +3223,9 @@
const char *ipasc);
OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-OPENSSL_EXPORT const char *X509_VERIFY_PARAM_get0_name(
- const X509_VERIFY_PARAM *param);
+// X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by
+// |name|, or NULL if no such name is defined.
OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
const char *name);
