authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-31 21:14:51 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-02-05 11:13:11 -0500
commit895c2f84a6a083fc8b9f69f962ed19da12ce3b40 (patch)
tree2b338ff7dc3044f48040efe9f77af3ac5bd9c1e5 /include
parenta0474357743b5cc4db1b5428ac3db85b1168d3a9 (diff)
downloadopenssl-895c2f84a6a083fc8b9f69f962ed19da12ce3b40.tar.gz
Long overdue cleanup of X509 policy tree verification
Replace all magic numbers with #defined constants except in boolean functions that return 0 for failure and 1 for success. Avoid a couple of memory leaks in error recovery code paths. Code style improvements. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'include')
-rw-r--r--include/openssl/x509_vfy.h28
1 files changed, 20 insertions, 8 deletions
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index ef54208a3c..4e458d20ff 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -55,17 +55,16 @@
* [including the GNU Public Licence.]
*/
-#ifndef HEADER_X509_H
-# include <openssl/x509.h>
-/*
- * openssl/x509.h ends up #include-ing this file at about the only
- * appropriate moment.
- */
-#endif
-
#ifndef HEADER_X509_VFY_H
# define HEADER_X509_VFY_H
+/*
+ * Protect against recursion, x509.h and x509_vfy.h each include the other.
+ */
+# ifndef HEADER_X509_H
+# include <openssl/x509.h>
+# endif
+
# include <openssl/opensslconf.h>
# include <openssl/lhash.h>
# include <openssl/bio.h>
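Review bot: The comment added at lines 35-37 states the goal but not the mechanism, so the nested `# ifndef HEADER_X509_H` at line 38 reads as the thing that breaks the include cycle, which it is not. What actually stops the recursion is that `HEADER_X509_VFY_H` is now defined at line 34 before `<openssl/x509.h>` is pulled in, so when x509.h includes this file again the outer guard skips the whole body; the inner check only avoids a redundant include that x509.h's own guard would presumably short-circuit anyway. Suggest making that explicit: `/* Protect against recursion: x509.h and x509_vfy.h each include the other. HEADER_X509_VFY_H is already defined above, so the re-include of this file from x509.h is a no-op. */`.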
@@ -583,6 +582,19 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id);
const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
void X509_VERIFY_PARAM_table_cleanup(void);
+/* Non positive return values are errors */
+#define X509_PCY_TREE_FAILURE -2 /* Failure to satisfy explicit policy */
+#define X509_PCY_TREE_INVALID -1 /* Inconsistent or invalid extensions */
+#define X509_PCY_TREE_INTERNAL 0 /* Internal error, most likely malloc */
+
+/*
+ * Positive return values form a bit mask, all but the first are internal to
+ * the library and don't appear in results from X509_policy_check().
+ */
+#define X509_PCY_TREE_VALID 1 /* The policy tree is valid */
+#define X509_PCY_TREE_EMPTY 2 /* The policy tree is empty */
+#define X509_PCY_TREE_EXPLICIT 4 /* Explicit policy required */
+
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
STACK_OF(X509) *certs,
STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags);
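Review bot: The comment at line 48 is load-bearing because `X509_PCY_TREE_INTERNAL` being 0 inverts the usual C convention that 0 means success, yet it does not tell a caller what to test, and a caller writing `if (ret == X509_PCY_TREE_VALID)` would silently break if one of the masked values from lines 58-59 ever reached it. Suggest spelling the contract out: `/* Non-positive return values are errors: callers must treat ret <= 0 as failure */`. Lines 53-56 also say `X509_PCY_TREE_EMPTY` and `X509_PCY_TREE_EXPLICIT` are internal and never appear in results from X509_policy_check(), but placing them in the installed public header commits them to the API; if they are truly internal, a library-internal header would be the better home, leaving only the three error codes and `X509_PCY_TREE_VALID` public.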