From 706457b7bda7fdbab426b8dce83b318908339da4 Mon Sep 17 00:00:00 2001 From: "Dr. Matthias St. Pierre" Date: Sat, 28 Sep 2019 00:45:40 +0200 Subject: Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9333) --- crypto/x509/by_dir.c | 2 +- crypto/x509/by_file.c | 2 +- crypto/x509/pcy_cache.c | 2 +- crypto/x509/pcy_data.c | 2 +- crypto/x509/pcy_int.h | 167 ----------------------------------------------- crypto/x509/pcy_lib.c | 2 +- crypto/x509/pcy_local.h | 167 +++++++++++++++++++++++++++++++++++++++++++++++ crypto/x509/pcy_map.c | 2 +- crypto/x509/pcy_node.c | 2 +- crypto/x509/pcy_tree.c | 2 +- crypto/x509/v3_cpols.c | 2 +- crypto/x509/x509_att.c | 2 +- crypto/x509/x509_lcl.h | 147 ----------------------------------------- crypto/x509/x509_local.h | 147 +++++++++++++++++++++++++++++++++++++++++ crypto/x509/x509_lu.c | 2 +- crypto/x509/x509_meth.c | 2 +- crypto/x509/x509_set.c | 2 +- crypto/x509/x509_v3.c | 2 +- crypto/x509/x509_vfy.c | 2 +- crypto/x509/x509_vpm.c | 2 +- crypto/x509/x_attrib.c | 2 +- crypto/x509/x_crl.c | 2 +- crypto/x509/x_exten.c | 2 +- crypto/x509/x_name.c | 2 +- 24 files changed, 334 insertions(+), 334 deletions(-) delete mode 100644 crypto/x509/pcy_int.h create mode 100644 crypto/x509/pcy_local.h delete mode 100644 crypto/x509/x509_lcl.h create mode 100644 crypto/x509/x509_local.h (limited to 'crypto/x509') diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 720a4b9f55..d38080fb0c 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -20,7 +20,7 @@ #include #include "crypto/x509.h" -#include "x509_lcl.h" +#include "x509_local.h" struct lookup_dir_hashes_st { unsigned long hash; diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 35d716b921..93a1af87c6 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -15,7 +15,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); diff --git a/crypto/x509/pcy_cache.c b/crypto/x509/pcy_cache.c index 56d3401ffb..e65931e456 100644 --- a/crypto/x509/pcy_cache.c +++ b/crypto/x509/pcy_cache.c @@ -12,7 +12,7 @@ #include #include "crypto/x509.h" -#include "pcy_int.h" +#include "pcy_local.h" static int policy_data_cmp(const X509_POLICY_DATA *const *a, const X509_POLICY_DATA *const *b); diff --git a/crypto/x509/pcy_data.c b/crypto/x509/pcy_data.c index c1d56bdcde..cc3fc201f9 100644 --- a/crypto/x509/pcy_data.c +++ b/crypto/x509/pcy_data.c @@ -11,7 +11,7 @@ #include #include -#include "pcy_int.h" +#include "pcy_local.h" /* Policy Node routines */ diff --git a/crypto/x509/pcy_int.h b/crypto/x509/pcy_int.h deleted file mode 100644 index 0deee52c1b..0000000000 --- a/crypto/x509/pcy_int.h +++ /dev/null @@ -1,167 +0,0 @@ -/* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; - -DEFINE_STACK_OF(X509_POLICY_DATA) - -/* Internal structures */ - -/* - * This structure and the field names correspond to the Policy 'node' of - * RFC3280. NB this structure contains no pointers to parent or child data: - * X509_POLICY_NODE contains that. This means that the main policy data can - * be kept static and cached with the certificate. - */ - -struct X509_POLICY_DATA_st { - unsigned int flags; - /* Policy OID and qualifiers for this data */ - ASN1_OBJECT *valid_policy; - STACK_OF(POLICYQUALINFO) *qualifier_set; - STACK_OF(ASN1_OBJECT) *expected_policy_set; -}; - -/* X509_POLICY_DATA flags values */ - -/* - * This flag indicates the structure has been mapped using a policy mapping - * extension. If policy mapping is not active its references get deleted. - */ - -#define POLICY_DATA_FLAG_MAPPED 0x1 - -/* - * This flag indicates the data doesn't correspond to a policy in Certificate - * Policies: it has been mapped to any policy. - */ - -#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 - -/* AND with flags to see if any mapping has occurred */ - -#define POLICY_DATA_FLAG_MAP_MASK 0x3 - -/* qualifiers are shared and shouldn't be freed */ - -#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 - -/* Parent node is an extra node and should be freed */ - -#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 - -/* Corresponding CertificatePolicies is critical */ - -#define POLICY_DATA_FLAG_CRITICAL 0x10 - -/* This structure is cached with a certificate */ - -struct X509_POLICY_CACHE_st { - /* anyPolicy data or NULL if no anyPolicy */ - X509_POLICY_DATA *anyPolicy; - /* other policy data */ - STACK_OF(X509_POLICY_DATA) *data; - /* If InhibitAnyPolicy present this is its value or -1 if absent. */ - long any_skip; - /* - * If policyConstraints and requireExplicitPolicy present this is its - * value or -1 if absent. - */ - long explicit_skip; - /* - * If policyConstraints and policyMapping present this is its value or -1 - * if absent. - */ - long map_skip; -}; - -/* - * #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL - */ - -/* This structure represents the relationship between nodes */ - -struct X509_POLICY_NODE_st { - /* node data this refers to */ - const X509_POLICY_DATA *data; - /* Parent node */ - X509_POLICY_NODE *parent; - /* Number of child nodes */ - int nchild; -}; - -struct X509_POLICY_LEVEL_st { - /* Cert for this level */ - X509 *cert; - /* nodes at this level */ - STACK_OF(X509_POLICY_NODE) *nodes; - /* anyPolicy node */ - X509_POLICY_NODE *anyPolicy; - /* Extra data */ - /* - * STACK_OF(X509_POLICY_DATA) *extra_data; - */ - unsigned int flags; -}; - -struct X509_POLICY_TREE_st { - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; - /* - * Extra policy data when additional nodes (not from the certificate) are - * required. - */ - STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constrained policy set */ - STACK_OF(X509_POLICY_NODE) *auth_policies; - STACK_OF(X509_POLICY_NODE) *user_policies; - unsigned int flags; -}; - -/* Set if anyPolicy present in user policies */ -#define POLICY_FLAG_ANY_POLICY 0x2 - -/* Useful macros */ - -#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL) -#define node_critical(node) node_data_critical(node->data) - -/* Internal functions */ - -X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, - int crit); -void policy_data_free(X509_POLICY_DATA *data); - -X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id); -int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); - -STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); - -void policy_cache_init(void); - -void policy_cache_free(X509_POLICY_CACHE *cache); - -X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - const X509_POLICY_NODE *parent, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); -void policy_node_free(X509_POLICY_NODE *node); -int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); - -const X509_POLICY_CACHE *policy_cache_set(X509 *x); diff --git a/crypto/x509/pcy_lib.c b/crypto/x509/pcy_lib.c index deee8f6c0c..b392f13b1e 100644 --- a/crypto/x509/pcy_lib.c +++ b/crypto/x509/pcy_lib.c @@ -11,7 +11,7 @@ #include #include -#include "pcy_int.h" +#include "pcy_local.h" /* accessor functions */ diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h new file mode 100644 index 0000000000..0deee52c1b --- /dev/null +++ b/crypto/x509/pcy_local.h @@ -0,0 +1,167 @@ +/* + * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; + +DEFINE_STACK_OF(X509_POLICY_DATA) + +/* Internal structures */ + +/* + * This structure and the field names correspond to the Policy 'node' of + * RFC3280. NB this structure contains no pointers to parent or child data: + * X509_POLICY_NODE contains that. This means that the main policy data can + * be kept static and cached with the certificate. + */ + +struct X509_POLICY_DATA_st { + unsigned int flags; + /* Policy OID and qualifiers for this data */ + ASN1_OBJECT *valid_policy; + STACK_OF(POLICYQUALINFO) *qualifier_set; + STACK_OF(ASN1_OBJECT) *expected_policy_set; +}; + +/* X509_POLICY_DATA flags values */ + +/* + * This flag indicates the structure has been mapped using a policy mapping + * extension. If policy mapping is not active its references get deleted. + */ + +#define POLICY_DATA_FLAG_MAPPED 0x1 + +/* + * This flag indicates the data doesn't correspond to a policy in Certificate + * Policies: it has been mapped to any policy. + */ + +#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 + +/* AND with flags to see if any mapping has occurred */ + +#define POLICY_DATA_FLAG_MAP_MASK 0x3 + +/* qualifiers are shared and shouldn't be freed */ + +#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 + +/* Parent node is an extra node and should be freed */ + +#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 + +/* Corresponding CertificatePolicies is critical */ + +#define POLICY_DATA_FLAG_CRITICAL 0x10 + +/* This structure is cached with a certificate */ + +struct X509_POLICY_CACHE_st { + /* anyPolicy data or NULL if no anyPolicy */ + X509_POLICY_DATA *anyPolicy; + /* other policy data */ + STACK_OF(X509_POLICY_DATA) *data; + /* If InhibitAnyPolicy present this is its value or -1 if absent. */ + long any_skip; + /* + * If policyConstraints and requireExplicitPolicy present this is its + * value or -1 if absent. + */ + long explicit_skip; + /* + * If policyConstraints and policyMapping present this is its value or -1 + * if absent. + */ + long map_skip; +}; + +/* + * #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL + */ + +/* This structure represents the relationship between nodes */ + +struct X509_POLICY_NODE_st { + /* node data this refers to */ + const X509_POLICY_DATA *data; + /* Parent node */ + X509_POLICY_NODE *parent; + /* Number of child nodes */ + int nchild; +}; + +struct X509_POLICY_LEVEL_st { + /* Cert for this level */ + X509 *cert; + /* nodes at this level */ + STACK_OF(X509_POLICY_NODE) *nodes; + /* anyPolicy node */ + X509_POLICY_NODE *anyPolicy; + /* Extra data */ + /* + * STACK_OF(X509_POLICY_DATA) *extra_data; + */ + unsigned int flags; +}; + +struct X509_POLICY_TREE_st { + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; + /* + * Extra policy data when additional nodes (not from the certificate) are + * required. + */ + STACK_OF(X509_POLICY_DATA) *extra_data; + /* This is the authority constrained policy set */ + STACK_OF(X509_POLICY_NODE) *auth_policies; + STACK_OF(X509_POLICY_NODE) *user_policies; + unsigned int flags; +}; + +/* Set if anyPolicy present in user policies */ +#define POLICY_FLAG_ANY_POLICY 0x2 + +/* Useful macros */ + +#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL) +#define node_critical(node) node_data_critical(node->data) + +/* Internal functions */ + +X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, + int crit); +void policy_data_free(X509_POLICY_DATA *data); + +X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, + const ASN1_OBJECT *id); +int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); + +STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); + +void policy_cache_init(void); + +void policy_cache_free(X509_POLICY_CACHE *cache); + +X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + const X509_POLICY_NODE *parent, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, + X509_POLICY_TREE *tree); +void policy_node_free(X509_POLICY_NODE *node); +int policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); + +const X509_POLICY_CACHE *policy_cache_set(X509 *x); diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c index ec72dbd33b..258792be6f 100644 --- a/crypto/x509/pcy_map.c +++ b/crypto/x509/pcy_map.c @@ -12,7 +12,7 @@ #include #include "crypto/x509.h" -#include "pcy_int.h" +#include "pcy_local.h" /* * Set policy mapping entries in cache. Note: this modifies the passed diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c index 005d1de7e3..fc06a31c51 100644 --- a/crypto/x509/pcy_node.c +++ b/crypto/x509/pcy_node.c @@ -12,7 +12,7 @@ #include #include -#include "pcy_int.h" +#include "pcy_local.h" static int node_cmp(const X509_POLICY_NODE *const *a, const X509_POLICY_NODE *const *b) diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c index 5d4c6bd839..8ab0914373 100644 --- a/crypto/x509/pcy_tree.c +++ b/crypto/x509/pcy_tree.c @@ -12,7 +12,7 @@ #include #include -#include "pcy_int.h" +#include "pcy_local.h" static void expected_print(BIO *channel, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, diff --git a/crypto/x509/v3_cpols.c b/crypto/x509/v3_cpols.c index 595de62361..f9a239b6f2 100644 --- a/crypto/x509/v3_cpols.c +++ b/crypto/x509/v3_cpols.c @@ -14,7 +14,7 @@ #include #include -#include "pcy_int.h" +#include "pcy_local.h" #include "ext_dat.h" /* Certificate policies extension support: this one is a bit complex... */ diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index 317a45a4fa..c8b2d0f8a8 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c @@ -15,7 +15,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) { diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h deleted file mode 100644 index a8d8bafe4d..0000000000 --- a/crypto/x509/x509_lcl.h +++ /dev/null @@ -1,147 +0,0 @@ -/* - * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include "internal/refcount.h" - -/* - * This structure holds all parameters associated with a verify operation by - * including an X509_VERIFY_PARAM structure in related structures the - * parameters used can be customized - */ - -struct X509_VERIFY_PARAM_st { - char *name; - time_t check_time; /* Time to use */ - uint32_t inh_flags; /* Inheritance flags */ - unsigned long flags; /* Various verify flags */ - int purpose; /* purpose to check untrusted certificates */ - int trust; /* trust setting to check */ - int depth; /* Verify depth */ - int auth_level; /* Security level for chain verification */ - STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ - /* Peer identity details */ - STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ - unsigned int hostflags; /* Flags to control matching features */ - char *peername; /* Matching hostname in peer certificate */ - char *email; /* If not NULL email address to match */ - size_t emaillen; - unsigned char *ip; /* If not NULL IP address to match */ - size_t iplen; /* Length of IP address */ -}; - -/* No error callback if depth < 0 */ -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth); - -/* a sequence of these are used */ -struct x509_attributes_st { - ASN1_OBJECT *object; - STACK_OF(ASN1_TYPE) *set; -}; - -struct X509_extension_st { - ASN1_OBJECT *object; - ASN1_BOOLEAN critical; - ASN1_OCTET_STRING value; -}; - -/* - * Method to handle CRL access. In general a CRL could be very large (several - * Mb) and can consume large amounts of resources if stored in memory by - * multiple processes. This method allows general CRL operations to be - * redirected to more efficient callbacks: for example a CRL entry database. - */ - -#define X509_CRL_METHOD_DYNAMIC 1 - -struct x509_crl_method_st { - int flags; - int (*crl_init) (X509_CRL *crl); - int (*crl_free) (X509_CRL *crl); - int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *ser, X509_NAME *issuer); - int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk); -}; - -struct x509_lookup_method_st { - char *name; - int (*new_item) (X509_LOOKUP *ctx); - void (*free) (X509_LOOKUP *ctx); - int (*init) (X509_LOOKUP *ctx); - int (*shutdown) (X509_LOOKUP *ctx); - int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret); - int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, ASN1_INTEGER *serial, - X509_OBJECT *ret); - int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const unsigned char *bytes, int len, - X509_OBJECT *ret); - int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const char *str, int len, X509_OBJECT *ret); -}; - -/* This is the functions plus an instance of the local variables. */ -struct x509_lookup_st { - int init; /* have we been started */ - int skip; /* don't use us. */ - X509_LOOKUP_METHOD *method; /* the functions */ - void *method_data; /* method data */ - X509_STORE *store_ctx; /* who owns us */ -}; - -/* - * This is used to hold everything. It is used for all certificate - * validation. Once we have a certificate chain, the 'verify' function is - * then called to actually check the cert chain. - */ -struct x509_store_st { - /* The following is a cache of trusted certs */ - int cache; /* if true, stash any hits */ - STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ - /* These are external lookup methods */ - STACK_OF(X509_LOOKUP) *get_cert_methods; - X509_VERIFY_PARAM *param; - /* Callbacks for various operations */ - /* called to verify a certificate */ - int (*verify) (X509_STORE_CTX *ctx); - /* error callback */ - int (*verify_cb) (int ok, X509_STORE_CTX *ctx); - /* get issuers cert from ctx */ - int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); - /* check issued */ - int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); - /* Check revocation status of chain */ - int (*check_revocation) (X509_STORE_CTX *ctx); - /* retrieve CRL */ - int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); - /* Check CRL validity */ - int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); - /* Check certificate against CRL */ - int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); - /* Check policy status of the chain */ - int (*check_policy) (X509_STORE_CTX *ctx); - STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm); - STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm); - int (*cleanup) (X509_STORE_CTX *ctx); - CRYPTO_EX_DATA ex_data; - CRYPTO_REF_COUNT references; - CRYPTO_RWLOCK *lock; -}; - -typedef struct lookup_dir_hashes_st BY_DIR_HASH; -typedef struct lookup_dir_entry_st BY_DIR_ENTRY; -DEFINE_STACK_OF(BY_DIR_HASH) -DEFINE_STACK_OF(BY_DIR_ENTRY) -typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; -DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) - -void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg, - const ASN1_STRING *sig); diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h new file mode 100644 index 0000000000..a8d8bafe4d --- /dev/null +++ b/crypto/x509/x509_local.h @@ -0,0 +1,147 @@ +/* + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/refcount.h" + +/* + * This structure holds all parameters associated with a verify operation by + * including an X509_VERIFY_PARAM structure in related structures the + * parameters used can be customized + */ + +struct X509_VERIFY_PARAM_st { + char *name; + time_t check_time; /* Time to use */ + uint32_t inh_flags; /* Inheritance flags */ + unsigned long flags; /* Various verify flags */ + int purpose; /* purpose to check untrusted certificates */ + int trust; /* trust setting to check */ + int depth; /* Verify depth */ + int auth_level; /* Security level for chain verification */ + STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ + /* Peer identity details */ + STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ + unsigned int hostflags; /* Flags to control matching features */ + char *peername; /* Matching hostname in peer certificate */ + char *email; /* If not NULL email address to match */ + size_t emaillen; + unsigned char *ip; /* If not NULL IP address to match */ + size_t iplen; /* Length of IP address */ +}; + +/* No error callback if depth < 0 */ +int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth); + +/* a sequence of these are used */ +struct x509_attributes_st { + ASN1_OBJECT *object; + STACK_OF(ASN1_TYPE) *set; +}; + +struct X509_extension_st { + ASN1_OBJECT *object; + ASN1_BOOLEAN critical; + ASN1_OCTET_STRING value; +}; + +/* + * Method to handle CRL access. In general a CRL could be very large (several + * Mb) and can consume large amounts of resources if stored in memory by + * multiple processes. This method allows general CRL operations to be + * redirected to more efficient callbacks: for example a CRL entry database. + */ + +#define X509_CRL_METHOD_DYNAMIC 1 + +struct x509_crl_method_st { + int flags; + int (*crl_init) (X509_CRL *crl); + int (*crl_free) (X509_CRL *crl); + int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret, + ASN1_INTEGER *ser, X509_NAME *issuer); + int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk); +}; + +struct x509_lookup_method_st { + char *name; + int (*new_item) (X509_LOOKUP *ctx); + void (*free) (X509_LOOKUP *ctx); + int (*init) (X509_LOOKUP *ctx); + int (*shutdown) (X509_LOOKUP *ctx); + int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + X509_NAME *name, X509_OBJECT *ret); + int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + X509_NAME *name, ASN1_INTEGER *serial, + X509_OBJECT *ret); + int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + const unsigned char *bytes, int len, + X509_OBJECT *ret); + int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + const char *str, int len, X509_OBJECT *ret); +}; + +/* This is the functions plus an instance of the local variables. */ +struct x509_lookup_st { + int init; /* have we been started */ + int skip; /* don't use us. */ + X509_LOOKUP_METHOD *method; /* the functions */ + void *method_data; /* method data */ + X509_STORE *store_ctx; /* who owns us */ +}; + +/* + * This is used to hold everything. It is used for all certificate + * validation. Once we have a certificate chain, the 'verify' function is + * then called to actually check the cert chain. + */ +struct x509_store_st { + /* The following is a cache of trusted certs */ + int cache; /* if true, stash any hits */ + STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ + /* These are external lookup methods */ + STACK_OF(X509_LOOKUP) *get_cert_methods; + X509_VERIFY_PARAM *param; + /* Callbacks for various operations */ + /* called to verify a certificate */ + int (*verify) (X509_STORE_CTX *ctx); + /* error callback */ + int (*verify_cb) (int ok, X509_STORE_CTX *ctx); + /* get issuers cert from ctx */ + int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + /* check issued */ + int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + /* Check revocation status of chain */ + int (*check_revocation) (X509_STORE_CTX *ctx); + /* retrieve CRL */ + int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); + /* Check CRL validity */ + int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); + /* Check certificate against CRL */ + int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); + /* Check policy status of the chain */ + int (*check_policy) (X509_STORE_CTX *ctx); + STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm); + STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm); + int (*cleanup) (X509_STORE_CTX *ctx); + CRYPTO_EX_DATA ex_data; + CRYPTO_REF_COUNT references; + CRYPTO_RWLOCK *lock; +}; + +typedef struct lookup_dir_hashes_st BY_DIR_HASH; +typedef struct lookup_dir_entry_st BY_DIR_ENTRY; +DEFINE_STACK_OF(BY_DIR_HASH) +DEFINE_STACK_OF(BY_DIR_ENTRY) +typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; +DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) + +void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig); diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index f6404d59e9..016b4b304f 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -13,7 +13,7 @@ #include #include "crypto/x509.h" #include -#include "x509_lcl.h" +#include "x509_local.h" X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { diff --git a/crypto/x509/x509_meth.c b/crypto/x509/x509_meth.c index 631cc8f03d..71db99590b 100644 --- a/crypto/x509/x509_meth.c +++ b/crypto/x509/x509_meth.c @@ -15,7 +15,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name) { diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index 66cf91fc3b..e325a57b29 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -17,7 +17,7 @@ #include #include "crypto/asn1.h" #include "crypto/x509.h" -#include "x509_lcl.h" +#include "x509_local.h" int X509_set_version(X509 *x, long version) { diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index 68da09b806..715c3594d4 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -15,7 +15,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 0dd9772c10..126df99142 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -23,7 +23,7 @@ #include #include "internal/dane.h" #include "crypto/x509.h" -#include "x509_lcl.h" +#include "x509_local.h" /* CRL score values */ diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index c681dbaa65..81a0ec997e 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -16,7 +16,7 @@ #include #include "crypto/x509.h" -#include "x509_lcl.h" +#include "x509_local.h" /* X509_VERIFY_PARAM functions */ diff --git a/crypto/x509/x_attrib.c b/crypto/x509/x_attrib.c index e39429f275..b30234112f 100644 --- a/crypto/x509/x_attrib.c +++ b/crypto/x509/x_attrib.c @@ -12,7 +12,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" /*- * X509_ATTRIBUTE: this has the following form: diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index d06eb69a5b..fdc059123f 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -13,7 +13,7 @@ #include #include "crypto/x509.h" #include -#include "x509_lcl.h" +#include "x509_local.h" static int X509_REVOKED_cmp(const X509_REVOKED *const *a, const X509_REVOKED *const *b); diff --git a/crypto/x509/x_exten.c b/crypto/x509/x_exten.c index 6ed363d3b0..4e63b50caa 100644 --- a/crypto/x509/x_exten.c +++ b/crypto/x509/x_exten.c @@ -11,7 +11,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" ASN1_SEQUENCE(X509_EXTENSION) = { ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT), diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index 93ba9555be..33faacf5dd 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -14,7 +14,7 @@ #include #include "crypto/x509.h" #include "crypto/asn1.h" -#include "x509_lcl.h" +#include "x509_local.h" /* * Maximum length of X509_NAME: much larger than anything we should -- cgit v1.2.3