authorTheo Buehler <tb@cvs.openbsd.org>2022-05-12 10:54:00 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-05-12 10:54:00 +0000
commit79a4003c49866ee2e5a5a783433ea2eefe7e3caa (patch)
tree613e0fe310df07b2ac67d626897997ffb8811a03 /usr.sbin/rpki-client/validate.c
parent4a81e82500bc14fcdefb77e5ab30aed747698a9d (diff)
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired. ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client/validate.c')
-rw-r--r--usr.sbin/rpki-client/validate.c66
1 files changed, 1 insertions, 65 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 5c3b5d34bc4..5b71609341b 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.34 2022/05/12 10:50:12 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.35 2022/05/12 10:53:59 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -347,67 +347,6 @@ valid_origin(const char *uri, const char *proto)
}
/*
- * Callback for X509_verify_cert() to handle critical extensions in old
- * LibreSSL libraries or OpenSSL libs without RFC3779 support.
- */
-static int
-verify_cb(int ok, X509_STORE_CTX *store_ctx)
-{
- X509 *cert;
- const STACK_OF(X509_EXTENSION) *exts;
- X509_EXTENSION *ext;
- ASN1_OBJECT *obj;
- char *file;
- int depth, error, i, nid;
-
- error = X509_STORE_CTX_get_error(store_ctx);
- depth = X509_STORE_CTX_get_error_depth(store_ctx);
-
- if (error != X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
- return ok;
-
- if ((file = X509_STORE_CTX_get_app_data(store_ctx)) == NULL)
- cryptoerrx("X509_STORE_CTX_get_app_data");
-
- if ((cert = X509_STORE_CTX_get_current_cert(store_ctx)) == NULL) {
- warnx("%s: got no current cert", file);
- return 0;
- }
- if ((exts = X509_get0_extensions(cert)) == NULL) {
- warnx("%s: got no cert extensions", file);
- return 0;
- }
-
- for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
- ext = sk_X509_EXTENSION_value(exts, i);
-
- /* skip over non-critical and known extensions */
- if (!X509_EXTENSION_get_critical(ext))
- continue;
- if (X509_supported_extension(ext))
- continue;
-
- if ((obj = X509_EXTENSION_get_object(ext)) == NULL) {
- warnx("%s: got no extension object", file);
- return 0;
- }
-
- nid = OBJ_obj2nid(obj);
- switch (nid) {
- case NID_sbgp_ipAddrBlock:
- case NID_sbgp_autonomousSysNum:
- continue;
- default:
- warnx("%s: depth %d: unknown extension: nid %d",
- file, depth, nid);
- return 0;
- }
- }
-
- return 1;
-}
-
-/*
* Walk the certificate tree to the root and build a certificate
* chain from cert->x509. All certs in the tree are validated and
* can be loaded as trusted stack into the validator.
@@ -476,9 +415,6 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
cryptoerrx("X509_VERIFY_PARAM_add0_policy");
- X509_STORE_CTX_set_verify_cb(store_ctx, verify_cb);
- if (!X509_STORE_CTX_set_app_data(store_ctx, file))
- cryptoerrx("X509_STORE_CTX_set_app_data");
flags = X509_V_FLAG_CRL_CHECK;
flags |= X509_V_FLAG_EXPLICIT_POLICY;
flags |= X509_V_FLAG_INHIBIT_MAP;