Remove custom CONF methods from X509V3_CTX.
Nothing external ever defines X509V3_CONF_METHOD. Removing this allows
us to remove X509V3_section_free altogether because the returned
sections are always owned by the CONF object anyway.
For ease of review, I've split out some of the const-correctness to a
follow-up CL.
Update-Note: X509V3_CONF_METHOD is removed. Code search says no one uses
this.
Change-Id: I66ed6e978b85d40c6849e9f4f45e1bcbf9a0f6a9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56026
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/asn1_gen.c b/crypto/x509/asn1_gen.c
index 8107995..7f48435 100644
--- a/crypto/x509/asn1_gen.c
+++ b/crypto/x509/asn1_gen.c
@@ -448,7 +448,7 @@
int depth, int *perr) {
ASN1_TYPE *ret = NULL;
STACK_OF(ASN1_TYPE) *sk = NULL;
- STACK_OF(CONF_VALUE) *sect = NULL;
+ const STACK_OF(CONF_VALUE) *sect = NULL;
unsigned char *der = NULL;
int derlen;
size_t i;
@@ -506,7 +506,6 @@
bad:
OPENSSL_free(der);
sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
- X509V3_section_free(cnf, sect);
return ret;
}
diff --git a/crypto/x509v3/internal.h b/crypto/x509v3/internal.h
index fea5c9c..a1f3cee 100644
--- a/crypto/x509v3/internal.h
+++ b/crypto/x509v3/internal.h
@@ -137,7 +137,6 @@
int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
-void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to
// |*extlist|. It returns one on success and zero on error. If |*extlist| is
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 6123ac3..31b87f1 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -613,12 +613,11 @@
static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) {
int ret = 0;
- STACK_OF(CONF_VALUE) *sk = NULL;
X509_NAME *nm = X509_NAME_new();
if (nm == NULL) {
goto err;
}
- sk = X509V3_get_section(ctx, value);
+ const STACK_OF(CONF_VALUE) *sk = X509V3_get_section(ctx, value);
if (sk == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
ERR_add_error_data(2, "section=", value);
@@ -635,6 +634,5 @@
if (!ret) {
X509_NAME_free(nm);
}
- X509V3_section_free(ctx, sk);
return ret;
}
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index 043d6ce..b5a760d 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -160,7 +160,7 @@
return NULL;
}
} else if (method->r2i) {
- if (!ctx->db || !ctx->db_meth) {
+ if (!ctx->db) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
@@ -394,45 +394,17 @@
// Config database functions
+// TODO(davidben): This function and |NCONF_get_section| should return const
+// pointers.
STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section) {
- if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
+ if (ctx->db == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
}
- if (ctx->db_meth->get_section) {
- return ctx->db_meth->get_section(ctx->db, section);
- }
- return NULL;
+ return NCONF_get_section(ctx->db, section);
}
-void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) {
- if (!section) {
- return;
- }
- if (ctx->db_meth->free_section) {
- ctx->db_meth->free_section(ctx->db, section);
- }
-}
-
-static char *nconf_get_string(void *db, const char *section,
- const char *value) {
- // TODO(fork): This returns a non-const pointer because |X509V3_CONF_METHOD|
- // allows |get_string| to return caller-owned pointers, provided they're
- // freed by |free_string|. |nconf_method| leaves |free_string| NULL, and
- // there are no other implementations of |X509V3_CONF_METHOD|, so this can
- // be simplified if we make it private.
- return (char *)NCONF_get_string(db, section, value);
-}
-
-static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, const char *section) {
- return NCONF_get_section(db, section);
-}
-
-static const X509V3_CONF_METHOD nconf_method = {nconf_get_string,
- nconf_get_section, NULL, NULL};
-
-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) {
- ctx->db_meth = &nconf_method;
+void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf) {
ctx->db = conf;
}
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 5d781c0..c2bc885 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -180,8 +180,7 @@
ia5org = 1;
continue;
} else if (*pstr == '@') {
- STACK_OF(CONF_VALUE) *polsect;
- polsect = X509V3_get_section(ctx, pstr + 1);
+ STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1);
if (!polsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);
@@ -189,7 +188,6 @@
goto err;
}
pol = policy_section(ctx, polsect, ia5org);
- X509V3_section_free(ctx, polsect);
if (!pol) {
goto err;
}
@@ -264,13 +262,12 @@
goto merr;
}
} else if (x509v3_conf_name_matches(cnf->name, "userNotice")) {
- STACK_OF(CONF_VALUE) *unot;
if (*cnf->value != '@') {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXPECTED_A_SECTION_NAME);
X509V3_conf_err(cnf);
goto err;
}
- unot = X509V3_get_section(ctx, cnf->value + 1);
+ STACK_OF(CONF_VALUE) *unot = X509V3_get_section(ctx, cnf->value + 1);
if (!unot) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);
@@ -278,7 +275,6 @@
goto err;
}
qual = notice_section(ctx, unot, ia5org);
- X509V3_section_free(ctx, unot);
if (!qual) {
goto err;
}
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index 68ab343..4093d7b 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -123,9 +123,7 @@
return NULL;
}
gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
- if (*sect == '@') {
- X509V3_section_free(ctx, gnsect);
- } else {
+ if (*sect != '@') {
sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
}
return gens;
@@ -142,19 +140,17 @@
}
} else if (!strcmp(cnf->name, "relativename")) {
int ret;
- STACK_OF(CONF_VALUE) *dnsect;
X509_NAME *nm;
nm = X509_NAME_new();
if (!nm) {
return -1;
}
- dnsect = X509V3_get_section(ctx, cnf->value);
+ const STACK_OF(CONF_VALUE) *dnsect = X509V3_get_section(ctx, cnf->value);
if (!dnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
return -1;
}
ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
- X509V3_section_free(ctx, dnsect);
rnm = nm->entries;
nm->entries = NULL;
X509_NAME_free(nm);
@@ -322,13 +318,11 @@
DIST_POINT *point;
cnf = sk_CONF_VALUE_value(nval, i);
if (!cnf->value) {
- STACK_OF(CONF_VALUE) *dpsect;
- dpsect = X509V3_get_section(ctx, cnf->name);
+ STACK_OF(CONF_VALUE) *dpsect = X509V3_get_section(ctx, cnf->name);
if (!dpsect) {
goto err;
}
point = crldp_from_section(ctx, dpsect);
- X509V3_section_free(ctx, dpsect);
if (!point) {
goto err;
}
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index cafb40c..ccbc885 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -202,11 +202,10 @@
ASN1_OBJECT *language = NULL;
ASN1_INTEGER *pathlen = NULL;
ASN1_OCTET_STRING *policy = NULL;
- size_t i, j;
int nid;
vals = X509V3_parse_list(value);
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+ for (size_t i = 0; i < sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PROXY_POLICY_SETTING);
@@ -214,22 +213,17 @@
goto err;
}
if (*cnf->name == '@') {
- STACK_OF(CONF_VALUE) *sect;
- int success_p = 1;
-
- sect = X509V3_get_section(ctx, cnf->name + 1);
+ const STACK_OF(CONF_VALUE) *sect = X509V3_get_section(ctx, cnf->name + 1);
if (!sect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);
X509V3_conf_err(cnf);
goto err;
}
- for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) {
- success_p = process_pci_value(sk_CONF_VALUE_value(sect, j), &language,
- &pathlen, &policy);
- }
- X509V3_section_free(ctx, sect);
- if (!success_p) {
- goto err;
+ for (size_t j = 0; j < sk_CONF_VALUE_num(sect); j++) {
+ if (!process_pci_value(sk_CONF_VALUE_value(sect, j), &language,
+ &pathlen, &policy)) {
+ goto err;
+ }
}
} else {
if (!process_pci_value(cnf, &language, &pathlen, &policy)) {
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 59a4d8d..ec2427d 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -126,13 +126,6 @@
void *usr_data; // Any extension specific data
};
-typedef struct X509V3_CONF_METHOD_st {
- char *(*get_string)(void *db, const char *section, const char *value);
- STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section);
- void (*free_string)(void *db, char *string);
- void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
-} X509V3_CONF_METHOD;
-
// Context specific info
struct v3_ext_ctx {
#define CTX_TEST 0x1
@@ -141,9 +134,7 @@
X509 *subject_cert;
X509_REQ *subject_req;
X509_CRL *crl;
- const X509V3_CONF_METHOD *db_meth;
- void *db;
- // Maybe more here
+ const CONF *db;
};
DEFINE_STACK_OF(X509V3_EXT_METHOD)
@@ -590,7 +581,7 @@
OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx,
const char *section, X509_CRL *crl);
-OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
+OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf);
OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
X509_REQ *req, X509_CRL *crl, int flags);