summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2023-04-15 16:17:58 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-04-15 16:17:58 +0000
commitd4dce65cb6bc563e94ab42bbde106493b6c97a00 (patch)
tree79ce9d185a52474ddabf908048409692397d737f
parent931134df51919d51f8f6399f150d03336f019860 (diff)
ssltest: initial pass of dropping proxy cert goo
-rw-r--r--regress/lib/libssl/ssl/ssltest.c90
1 files changed, 1 insertions, 89 deletions
diff --git a/regress/lib/libssl/ssl/ssltest.c b/regress/lib/libssl/ssl/ssltest.c
index 8aae99018c1..7ecea2620c2 100644
--- a/regress/lib/libssl/ssl/ssltest.c
+++ b/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssltest.c,v 1.37 2023/02/02 12:37:14 anton Exp $ */
+/* $OpenBSD: ssltest.c,v 1.38 2023/04/15 16:17:57 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1436,94 +1436,6 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
}
}
- if (ok == 1) {
- if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
- unsigned int *letters =
- X509_STORE_CTX_get_ex_data(ctx,
- get_proxy_auth_ex_data_idx());
-
- if (letters) {
- int found_any = 0;
- int i;
- PROXY_CERT_INFO_EXTENSION *pci =
- X509_get_ext_d2i(xs, NID_proxyCertInfo,
- NULL, NULL);
-
- switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
- case NID_Independent:
- /* Completely meaningless in this
- program, as there's no way to
- grant explicit rights to a
- specific PrC. Basically, using
- id-ppl-Independent is the perfect
- way to grant no rights at all. */
- fprintf(stderr, " Independent proxy certificate");
- for (i = 0; i < 26; i++)
- letters[i] = 0;
- break;
- case NID_id_ppl_inheritAll:
- /* This is basically a NOP, we
- simply let the current rights
- stand as they are. */
- fprintf(stderr, " Proxy certificate inherits all");
- break;
- default:
- s = (char *)
- pci->proxyPolicy->policy->data;
- i = pci->proxyPolicy->policy->length;
-
- /* The algorithm works as follows:
- it is assumed that previous
- iterations or the initial granted
- rights has already set some elements
- of `letters'. What we need to do is
- to clear those that weren't granted
- by the current PrC as well. The
- easiest way to do this is to add 1
- to all the elements whose letters
- are given with the current policy.
- That way, all elements that are set
- by the current policy and were
- already set by earlier policies and
- through the original grant of rights
- will get the value 2 or higher.
- The last thing to do is to sweep
- through `letters' and keep the
- elements having the value 2 as set,
- and clear all the others. */
-
- fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
- while (i-- > 0) {
- int c = *s++;
- if (isascii(c) && isalpha(c)) {
- if (islower(c))
- c = toupper(c);
- letters[c - 'A']++;
- }
- }
- for (i = 0; i < 26; i++)
- if (letters[i] < 2)
- letters[i] = 0;
- else
- letters[i] = 1;
- }
-
- found_any = 0;
- fprintf(stderr, ", resulting proxy rights = ");
- for (i = 0; i < 26; i++)
- if (letters[i]) {
- fprintf(stderr, "%c", i + 'A');
- found_any = 1;
- }
- if (!found_any)
- fprintf(stderr, "none");
- fprintf(stderr, "\n");
-
- PROXY_CERT_INFO_EXTENSION_free(pci);
- }
- }
- }
-
return (ok);
}