Commit 47bbaa5b authored by David Woodhouse, committed by Rich Salz

Revert "OPENSSL_NO_xxx cleanup: RFC3779"



This reverts the non-cleanup parts of commit c73ad690. We do actually
have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI
build, since we don't have a strspn() function in our runtime environment
and we don't want the RFC3779 functionality anyway.

In addition, it changes the default behaviour of the Configure script so
that RFC3779 support isn't disabled by default. It was always disabled
from when it was first added in 2006, right up until the point where
OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the
Configure script was left *trying* to disable it, but not actually
working.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
parent 64b25758
+2 −3
@@ -769,7 +769,7 @@ my $no_threads=0;
my $threads=0;
my $no_shared=0; # but "no-shared" is default
my $zlib=1;      # but "no-zlib" is default
my $no_rfc3779=1; # but "no-rfc3779" is default
my $no_rfc3779=0;
my $no_asm=0;
my $no_dso=0;
my $no_gmp=0;
@@ -806,7 +806,6 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
		 "jpake"          => "experimental",
		 "md2"            => "default",
		 "rc5"            => "default",
		 "rfc3779"	  => "default",
		 "sctp"       => "default",
		 "shared"         => "default",
		 "ssl-trace"	  => "default",
@@ -819,7 +818,7 @@ my @experimental = ();

# This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";

# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo" (unless it's experimental).
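Review bot: The new `$default_depflags` string in the third hunk is a hand-maintained copy of the `-DOPENSSL_NO_*` flags implied by `%disabled`, and this revert had to touch three places in the same file (`$no_rfc3779`, the `%disabled` entry and this string) to change one default; the comment above it already admits the string must mirror the defaults. Deriving it from `%disabled` at that point, or failing that extending the comment to `# Keep in sync with %disabled above: one -DOPENSSL_NO_<NAME> per entry that is disabled by default.`, would make the next drift harder. The separate scalar `my $no_rfc3779=0;` in the first hunk now has no "default" comment and, if nothing else in Configure still consults it (not visible here), is a leftover that could go. Note for readers of the later sections that this flips the default build so the RFC 3779 extension parsing and path validation become part of the normal certificate-verification path, which the message explains but the diff does not.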
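--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -95,8 +95,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         ret->ex_pathlen = -1;
         ret->skid = NULL;
         ret->akid = NULL;
+#ifndef OPENSSL_NO_RFC3779
         ret->rfc3779_addr = NULL;
         ret->rfc3779_asid = NULL;
+#endif
         ret->aux = NULL;
         ret->crldp = NULL;
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
@@ -116,8 +118,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         policy_cache_free(ret->policy_cache);
         GENERAL_NAMES_free(ret->altname);
         NAME_CONSTRAINTS_free(ret->nc);
+#ifndef OPENSSL_NO_RFC3779
         sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
         ASIdentifiers_free(ret->rfc3779_asid);
+#endif
         OPENSSL_free(ret->name);
         break;
 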
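Review bot: The guards added in x509_cb only compile out the initialisation and the freeing of `rfc3779_addr`/`rfc3779_asid`; the struct definition that declares those members is not in this diff, and if it stays unconditional the members are simply never touched in an OPENSSL_NO_RFC3779 build. That is harmless only as long as no other code path assigns them, so the declaration should carry the same `#ifndef OPENSSL_NO_RFC3779` so that any stray use fails to compile rather than silently leaking. A short comment on the first guard, `/* RFC 3779 members exist only when that extension support is compiled in; see the matching free below */`, would tie the two hunks together for the next reader. x509_cb starts before the first hunk and continues after the second.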
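--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -485,6 +485,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     if (!ok)
         goto end;
 
+#ifndef OPENSSL_NO_RFC3779
     /* RFC 3779 path validation, now that CRL check has been done */
     ok = v3_asid_validate_path(ctx);
     if (!ok)
@@ -492,6 +493,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     ok = v3_addr_validate_path(ctx);
     if (!ok)
         goto end;
+#endif
 
     /* If we get this far evaluate policies */
     if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))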
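Review bot: With the resource-set checks compiled out here and `v3_addr`/`v3_asid` dropped from `standard_exts` in the next section, a chain carrying RFC 3779 extensions is no longer validated at all in a no-rfc3779 build; presumably the only remaining safeguard is the generic unhandled-critical-extension check (RFC 3779 requires these extensions to be critical), and that check can be switched off by a caller with X509_V_FLAG_IGNORE_CRITICAL. That fallback is worth recording at the `#endif` so nobody assumes the AS/IP path validation still happens: `/* Without RFC 3779 support the IP/AS resource extensions are unrecognised and are rejected only through the unhandled-critical-extension check. */`. The `#ifndef` opens in the first hunk and closes in the second, and X509_verify_cert continues on both sides of the diff.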
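--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -103,8 +103,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #endif
     &v3_sxnet,
     &v3_info,
+#ifndef OPENSSL_NO_RFC3779
     &v3_addr,
     &v3_asid,
+#endif
 #ifndef OPENSSL_NO_OCSP
     &v3_ocsp_nonce,
     &v3_ocsp_crlid,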
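--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -69,6 +69,7 @@
 #include <openssl/buffer.h>
 #include <openssl/x509v3.h>
 
+#ifndef OPENSSL_NO_RFC3779
 
 /*
  * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
@@ -1339,3 +1340,5 @@ int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
         return 0;
     return v3_addr_validate_path_internal(NULL, chain, ext);
 }
+
+#endif                          /* OPENSSL_NO_RFC3779 */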
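Review bot: The guard that now wraps this whole file gives no hint of why this code, unlike the other X.509v3 extension implementations, is optional; the commit message has the reason (the implementation relies on `strspn()`, which the EDK2 UEFI runtime lacks), and it belongs beside the `#ifndef` so a later cleanup does not turn the macro into a no-op again. Suggested wording on the opening guard: `/* RFC 3779 support is optional: this code needs strspn(), which some freestanding runtimes (e.g. EDK2 UEFI) do not provide. */`. The file implementing `v3_asid_validate_path` presumably needs the same wrap, but it is not in this diff.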