Start making ts opaque

Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move
the ASN.1 function prototypes that we don't want to expose with them.

Include ts_local.h where necessary or where it will be needed soon.

ok jsing

10 files changed, 134 insertions, 50 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 81755cc369..423fba5f58 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.76 2022/07/13 06:32:54 tb Exp $
+# $OpenBSD: Makefile,v 1.77 2022/07/24 08:16:47 tb Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -44,6 +44,7 @@ CFLAGS+= -I${LCRYPTO_SRC}/kdf
 CFLAGS+= -I${LCRYPTO_SRC}/modes
 CFLAGS+= -I${LCRYPTO_SRC}/ocsp
 CFLAGS+= -I${LCRYPTO_SRC}/rsa
+CFLAGS+= -I${LCRYPTO_SRC}/ts
 CFLAGS+= -I${LCRYPTO_SRC}/x509
 
 VERSION_SCRIPT= Symbols.map
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index bfcf9dfe8f..31b916983e 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.14 2022/07/23 07:13:03 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.15 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
  * project 2002, 2003, 2004.
  */
@@ -265,32 +265,10 @@ typedef struct ESS_signing_cert {
 } ESS_SIGNING_CERT;
 
 #ifdef LIBRESSL_INTERNAL
-/*
- * ESSCertIDv2 ::=  SEQUENCE {
- *     hashAlgorithm           AlgorithmIdentifier
- *            DEFAULT {algorithm id-sha256},
- *     certHash                 Hash,
- *     issuerSerial             IssuerSerial OPTIONAL }
- */
-
-typedef struct ESS_cert_id_v2 {
-        X509_ALGOR *hash_alg;   /* Default SHA-256. */
-        ASN1_OCTET_STRING *hash;
-        ESS_ISSUER_SERIAL *issuer_serial;
-} ESS_CERT_ID_V2;
-
+typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
 DECLARE_STACK_OF(ESS_CERT_ID_V2)
 
-/*
- * SigningCertificateV2 ::=  SEQUENCE {
- *     certs        SEQUENCE OF ESSCertIDv2,
- *     policies     SEQUENCE OF PolicyInformation OPTIONAL }
- */
-
-typedef struct ESS_signing_cert_v2 {
-        STACK_OF(ESS_CERT_ID_V2) *cert_ids;
-        STACK_OF(POLICYINFO) *policy_info;
-} ESS_SIGNING_CERT_V2;
+typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
 #endif /* LIBRESSL_INTERNAL */
 
 TS_REQ  *TS_REQ_new(void);
@@ -379,23 +357,6 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
                     const unsigned char **pp, long length);
 ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
 
-#ifdef LIBRESSL_INTERNAL
-ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
-void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
-int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
-ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
-    long length);
-ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
-
-ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
-void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
-int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
-    unsigned char **pp);
-ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
-    const unsigned char **pp, long length);
-ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
-#endif /* LIBRESSL_INTERNAL */
-
 int TS_REQ_set_version(TS_REQ *a, long version);
 long TS_REQ_get_version(const TS_REQ *a);
 
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
index c4316d13f8..6537f1c85a 100644
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ b/src/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.12 2022/07/16 18:36:36 kn Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.13 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
  */
 /* ====================================================================
@@ -61,6 +61,8 @@
 #include <openssl/err.h>
 #include <openssl/asn1t.h>
 
+#include "ts_local.h"
+
 static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = {
         {
                 .flags = 0,
diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h
new file mode 100644
index 0000000000..01d26de127
--- /dev/null
+++ b/src/lib/libcrypto/ts/ts_local.h
@@ -0,0 +1,110 @@
+/* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */
+/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
+ * project 2002, 2003, 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_TS_LOCAL_H
+#define HEADER_TS_LOCAL_H
+
+__BEGIN_HIDDEN_DECLS
+
+/*
+ * ESSCertIDv2 ::=  SEQUENCE {
+ *     hashAlgorithm           AlgorithmIdentifier
+ *            DEFAULT {algorithm id-sha256},
+ *     certHash                 Hash,
+ *     issuerSerial             IssuerSerial OPTIONAL }
+ */
+
+struct ESS_cert_id_v2 {
+        X509_ALGOR *hash_alg;   /* Default SHA-256. */
+        ASN1_OCTET_STRING *hash;
+        ESS_ISSUER_SERIAL *issuer_serial;
+};
+
+/*
+ * SigningCertificateV2 ::=  SEQUENCE {
+ *     certs        SEQUENCE OF ESSCertIDv2,
+ *     policies     SEQUENCE OF PolicyInformation OPTIONAL }
+ */
+
+struct ESS_signing_cert_v2 {
+        STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+        STACK_OF(POLICYINFO) *policy_info;
+};
+
+/*
+ * Public OpenSSL API that we do not currently want to expose.
+ */
+
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
+void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
+int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
+ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
+    long length);
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
+void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
+int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
+    unsigned char **pp);
+ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
+    const unsigned char **pp, long length);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
+
+__END_HIDDEN_DECLS
+
+#endif /* HEADER_TS_LOCAL_H */
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
index 6b9c13f39b..8d9d6f3e61 100644
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ b/src/lib/libcrypto/ts/ts_req_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_req_utils.c,v 1.6 2018/05/13 15:04:05 tb Exp $ */
+/* $OpenBSD: ts_req_utils.c,v 1.7 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -63,6 +63,8 @@
 #include <openssl/ts.h>
 #include <openssl/x509v3.h>
 
+#include "ts_local.h"
+
 int
 TS_REQ_set_version(TS_REQ *a, long version)
 {
diff --git a/src/lib/libcrypto/ts/ts_rsp_print.c b/src/lib/libcrypto/ts/ts_rsp_print.c
index c442b71646..cfff955cd6 100644
--- a/src/lib/libcrypto/ts/ts_rsp_print.c
+++ b/src/lib/libcrypto/ts/ts_rsp_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_print.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: ts_rsp_print.c,v 1.6 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -63,6 +63,8 @@
 #include <openssl/ts.h>
 #include <openssl/x509v3.h>
 
+#include "ts_local.h"
+
 struct status_map_st {
         int bit;
         const char *text;
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 55738875db..665dc1cec4 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.27 2022/07/16 16:42:58 kn Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.28 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -66,6 +66,7 @@
 #include <openssl/ts.h>
 
 #include "evp_locl.h"
+#include "ts_local.h"
 #include "x509_lcl.h"
 
 /* Private function declarations. */
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
index 233df867ac..995dbb8035 100644
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ b/src/lib/libcrypto/ts/ts_rsp_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_utils.c,v 1.7 2018/05/13 15:35:46 tb Exp $ */
+/* $OpenBSD: ts_rsp_utils.c,v 1.8 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -63,6 +63,8 @@
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "ts_local.h"
+
 /* Function definitions. */
 
 int
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 816d7000f3..a5829b35ca 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.27 2022/07/17 19:40:38 kn Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.28 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -65,6 +65,7 @@
 #include <openssl/ts.h>
 
 #include "evp_locl.h"
+#include "ts_local.h"
 #include "x509_lcl.h"
 
 /* Private function declarations. */
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 7608a7d109..83ef54a894 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.10 2022/07/24 08:16:47 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2003.
  */
@@ -62,6 +62,8 @@
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 
+#include "ts_local.h"
+
 TS_VERIFY_CTX *
 TS_VERIFY_CTX_new(void)
 {