Remove X509_TRUST_DEFAULT This is only used internally, for X509_PURPOSE_ANY to mark that it has no corresponding trust value. Contrary to the name, this doesn't mean to use the default X509_TRUST behavior, but to make it impossible to configure via X509_STORE_CTX_set_purpose. Since it's only used in one place, as any value that fails lookup, I've just put a local define in v3_purp.c. Change-Id: Id3e44c08528a303132ef09d0a94521af67cc2230 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65212 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 5419f06..8e0548d 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -91,6 +91,11 @@
 int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
 
+// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by
+// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and
+// cannot be used with |X509_STORE_CTX_set_purpose|.
+#define X509_TRUST_NONE (-1)
+
 static const X509_PURPOSE xstandard[] = {
 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client,
 (char *)"SSL client", (char *)"sslclient", NULL},
@@ -106,7 +111,7 @@
 (char *)"smimeencrypt", NULL},
 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
 (char *)"CRL signing", (char *)"crlsign", NULL},
- {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, (char *)"Any Purpose",
+ {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose",
 (char *)"any", NULL},
 // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP
 // implementation relied on the caller performing EKU and KU checks.
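Review bot: The comment above `#define X509_TRUST_NONE (-1)` states that |X509_PURPOSE_ANY| cannot be used with |X509_STORE_CTX_set_purpose|, but nothing in this hunk enforces that; per the commit message it holds only because -1 fails the trust-id lookup, which lives outside this file section. Since |X509_PURPOSE_ANY| is the entry whose checker is `no_check` (second hunk, inside the `xstandard[]` initializer that continues past the hunk), a future trust id that happened to equal -1 would silently make the unchecked purpose selectable, so the dependency deserves to be recorded where the value is defined. I would extend the comment with `// This value must never equal an exported |X509_TRUST_*| id; the trust lookup rejecting it is what keeps |X509_PURPOSE_ANY| unselectable.` and, if the file already has a static-assert helper, pin `X509_TRUST_NONE != X509_TRUST_COMPAT` and the other exported ids next to the define. The second hunk only swaps the constant and needs no separate note.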
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index c7e6919..b864809 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -4344,10 +4344,6 @@
 
 DEFINE_STACK_OF(X509_TRUST)
 
-// standard trust ids
-
-#define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings
-
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file(void);