authorDavid Benjamin <davidben@google.com>2023-12-26 01:35:36 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>2024-02-15 00:13:16 +0000
commit5a1a5fbdb865fa58f1da0fd8bf6426f801ea37ac (patch)
treec518f056787976c2ad7b55adb226baf51d05956f
parentba5eb621d7d9bf2872386b4303fd5e9aa64f7230 (diff)
Remove X509_TRUST_DEFAULT
This is only used internally, for X509_PURPOSE_ANY to mark that it has no corresponding trust value. Contrary to the name, this doesn't mean to use the default X509_TRUST behavior, but to make it impossible to configure via X509_STORE_CTX_set_purpose. Since it's only used in one place, as any value that fails lookup, I've just put a local define in v3_purp.c. Change-Id: Id3e44c08528a303132ef09d0a94521af67cc2230 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65212 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
-rw-r--r--crypto/x509/v3_purp.c7
-rw-r--r--include/openssl/x509.h4
2 files changed, 6 insertions, 5 deletions
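--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -91,6 +91,11 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
 int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
+// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by
+// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and
+// cannot be used with |X509_STORE_CTX_set_purpose|.
+#define X509_TRUST_NONE (-1)
+
 static const X509_PURPOSE xstandard[] = {
 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
 check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL},
@@ -106,7 +111,7 @@ static const X509_PURPOSE xstandard[] = {
 (char *)"smimeencrypt", NULL},
 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
 (char *)"CRL signing", (char *)"crlsign", NULL},
- {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, (char *)"Any Purpose",
+ {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose",
 (char *)"any", NULL},
 // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP
 // implementation relied on the caller performing EKU and KU checks.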
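Review bot: The reason `#define X509_TRUST_NONE (-1)` achieves what the comment above it promises is stated only in the commit message (it is a value for which the trust lookup fails), while the comment itself says that |X509_PURPOSE_ANY| cannot be used with |X509_STORE_CTX_set_purpose| but not why this particular value guarantees that. I'd add one line after the comment so the invariant lives next to the constant: `// Negative, so it can never equal a |X509_TRUST_*| id; the trust lookup done by X509_STORE_CTX_set_purpose is expected to reject it.` That wording assumes no |X509_TRUST_*| value is negative, which this hunk does not show; if the public header defines a minimum trust id, a static assertion against it would pin the assumption rather than leave it implicit. The `xstandard` table begins in this hunk and continues past it.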
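--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -4344,10 +4344,6 @@ struct x509_trust_st {
 DEFINE_STACK_OF(X509_TRUST)
-// standard trust ids
-
-#define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings
-
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file(void);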