From 47bbaa5b607f592009ed40f5678fde21c10a873c Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Thu, 23 Jul 2015 17:30:06 +0100
Subject: Revert "OPENSSL_NO_xxx cleanup: RFC3779"

This reverts the non-cleanup parts of commit c73ad69017. We do actually
have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI
build, since we don't have a strspn() function in our runtime environment
and we don't want the RFC3779 functionality anyway.

In addition, it changes the default behaviour of the Configure script so
that RFC3779 support isn't disabled by default. It was always disabled
from when it was first added in 2006, right up until the point where
OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the
Configure script was left *trying* to disable it, but not actually
working.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 crypto/asn1/x_x509.c    | 4 ++++
 crypto/x509/x509_vfy.c  | 2 ++
 crypto/x509v3/ext_dat.h | 2 ++
 crypto/x509v3/v3_addr.c | 3 +++
 crypto/x509v3/v3_asid.c | 3 +++
 crypto/x509v3/v3_purp.c | 4 ++++
 6 files changed, 18 insertions(+)

(limited to 'crypto')

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index 17bbb913f6..6e7850cc05 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -95,8 +95,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         ret->ex_pathlen = -1;
         ret->skid = NULL;
         ret->akid = NULL;
+#ifndef OPENSSL_NO_RFC3779
         ret->rfc3779_addr = NULL;
         ret->rfc3779_asid = NULL;
+#endif
         ret->aux = NULL;
         ret->crldp = NULL;
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
@@ -116,8 +118,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         policy_cache_free(ret->policy_cache);
         GENERAL_NAMES_free(ret->altname);
         NAME_CONSTRAINTS_free(ret->nc);
+#ifndef OPENSSL_NO_RFC3779
         sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
         ASIdentifiers_free(ret->rfc3779_asid);
+#endif
         OPENSSL_free(ret->name);
         break;
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index bc48b8a334..6169db1e1c 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -485,6 +485,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     if (!ok)
         goto end;
 
+#ifndef OPENSSL_NO_RFC3779
     /* RFC 3779 path validation, now that CRL check has been done */
     ok = v3_asid_validate_path(ctx);
     if (!ok)
@@ -492,6 +493,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     ok = v3_addr_validate_path(ctx);
     if (!ok)
         goto end;
+#endif
 
     /* If we get this far evaluate policies */
     if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index d43c86c65f..9c3529b1ce 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -103,8 +103,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #endif
     &v3_sxnet,
     &v3_info,
+#ifndef OPENSSL_NO_RFC3779
     &v3_addr,
     &v3_asid,
+#endif
 #ifndef OPENSSL_NO_OCSP
     &v3_ocsp_nonce,
     &v3_ocsp_crlid,
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index 5c22c6d882..c1c38a0c88 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -69,6 +69,7 @@
 #include <openssl/buffer.h>
 #include <openssl/x509v3.h>
 
+#ifndef OPENSSL_NO_RFC3779
 
 /*
  * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
@@ -1339,3 +1340,5 @@ int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
         return 0;
     return v3_addr_validate_path_internal(NULL, chain, ext);
 }
+
+#endif                          /* OPENSSL_NO_RFC3779 */
diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
index f390c2d019..d40279a5d0 100644
--- a/crypto/x509v3/v3_asid.c
+++ b/crypto/x509v3/v3_asid.c
@@ -69,6 +69,7 @@
 #include <openssl/x509.h>
 #include <openssl/bn.h>
 
+#ifndef OPENSSL_NO_RFC3779
 
 /*
  * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
@@ -893,3 +894,5 @@ int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
         return 0;
     return v3_asid_validate_path_internal(NULL, chain, ext);
 }
+
+#endif                          /* OPENSSL_NO_RFC3779 */
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index b03c323dfc..61d97726dc 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -322,8 +322,10 @@ int X509_supported_extension(X509_EXTENSION *ex)
         NID_basic_constraints,  /* 87 */
         NID_certificate_policies, /* 89 */
         NID_ext_key_usage,      /* 126 */
+#ifndef OPENSSL_NO_RFC3779
         NID_sbgp_ipAddrBlock,   /* 290 */
         NID_sbgp_autonomousSysNum, /* 291 */
+#endif
         NID_policy_constraints, /* 401 */
         NID_proxyCertInfo,      /* 663 */
         NID_name_constraints,   /* 666 */
@@ -503,9 +505,11 @@ static void x509v3_cache_extensions(X509 *x)
         x->ex_flags |= EXFLAG_INVALID;
     setup_crldp(x);
 
+#ifndef OPENSSL_NO_RFC3779
     x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
     x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
                                        NULL, NULL);
+#endif
     for (i = 0; i < X509_get_ext_count(x); i++) {
         ex = X509_get_ext(x, i);
         if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
-- 
cgit v1.2.3