3 files changed, 26 insertions, 41 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index 4ce6cd1e85..cb80005075 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.23 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.24 2023/01/20 22:00:47 job Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -94,7 +94,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx);
 int x509_vfy_check_trust(X509_STORE_CTX *ctx);
 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
 int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
-void x509v3_cache_extensions(X509 *x);
+int x509v3_cache_extensions(X509 *x);
 X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
 time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 4faf83b975..7ec986062f 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.18 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.19 2023/01/20 22:00:47 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -76,8 +76,6 @@
 #define ns_reject(x, usage) \
        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-void x509v3_cache_extensions(X509 *x);
 static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
    int ca);
@@ -131,13 +129,9 @@ X509_check_purpose(X509 *x, int id, int ca)
        int idx;
        const X509_PURPOSE *pt;
-        if (!(x->ex_flags & EXFLAG_SET)) {
+        if (!x509v3_cache_extensions(x))
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                return -1;
-                x509v3_cache_extensions(x);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-                if (x->ex_flags & EXFLAG_INVALID)
-                        return -1;
-        }
        if (id == -1)
                return 1;
        idx = X509_PURPOSE_get_by_id(id);
@@ -449,8 +443,8 @@ setup_crldp(X509 *x)
                setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
 }
-void
+static void
-x509v3_cache_extensions(X509 *x)
+x509v3_cache_extensions_internal(X509 *x)
 {
        BASIC_CONSTRAINTS *bs;
        PROXY_CERT_INFO_EXTENSION *pci;
@@ -640,6 +634,18 @@ x509v3_cache_extensions(X509 *x)
        x->ex_flags |= EXFLAG_SET;
 }
+int
+x509v3_cache_extensions(X509 *x)
+{
+        if ((x->ex_flags & EXFLAG_SET) == 0) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions_internal(x);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
+        return (x->ex_flags & EXFLAG_INVALID) == 0;
+}
 /* CA checks common to all purposes
 * return codes:
 * 0 not a CA
@@ -680,11 +686,7 @@ check_ca(const X509 *x)
 int
 X509_check_ca(X509 *x)
 {
-        if (!(x->ex_flags & EXFLAG_SET)) {
+        x509v3_cache_extensions(x);
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                x509v3_cache_extensions(x);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
        return check_ca(x);
 }
@@ -895,19 +897,10 @@ X509_check_issued(X509 *issuer, X509 *subject)
        if (X509_NAME_cmp(X509_get_subject_name(issuer),
            X509_get_issuer_name(subject)))
                return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-        if (!(issuer->ex_flags & EXFLAG_SET)) {
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+        if (!x509v3_cache_extensions(issuer))
-                x509v3_cache_extensions(issuer);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        if (issuer->ex_flags & EXFLAG_INVALID)
                return X509_V_ERR_UNSPECIFIED;
-        if (!(subject->ex_flags & EXFLAG_SET)) {
+        if (!x509v3_cache_extensions(subject))
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                x509v3_cache_extensions(subject);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        if (subject->ex_flags & EXFLAG_INVALID)
                return X509_V_ERR_UNSPECIFIED;
        if (subject->akid) {
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 5891bd8df3..c60bdf743f 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.62 2023/01/17 23:49:28 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.63 2023/01/20 22:00:47 job Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -241,15 +241,7 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
 static int
 x509_verify_cert_cache_extensions(X509 *cert)
 {
-        if (!(cert->ex_flags & EXFLAG_SET)) {
+        return x509v3_cache_extensions(cert);
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                x509v3_cache_extensions(cert);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        if (cert->ex_flags & EXFLAG_INVALID)
-                return 0;
-        return (cert->ex_flags & EXFLAG_SET);
 }
 static int

diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index 4ce6cd1e85..cb80005075 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_internal.h,v 1.23 2022/11/26 16:08:54 tb Exp $ */	1	/* $OpenBSD: x509_internal.h,v 1.24 2023/01/20 22:00:47 job Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -94,7 +94,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx);
94	int x509_vfy_check_trust(X509_STORE_CTX *ctx);	94	int x509_vfy_check_trust(X509_STORE_CTX *ctx);
95	int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);	95	int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
96	int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);	96	int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
97	void x509v3_cache_extensions(X509 *x);	97	int x509v3_cache_extensions(X509 *x);
98	X509 x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 *x);	98	X509 x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 *x);
99		99
100	time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);	100	time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);


diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 4faf83b975..7ec986062f 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_purp.c,v 1.18 2022/11/26 16:08:55 tb Exp $ */	1	/* $OpenBSD: x509_purp.c,v 1.19 2023/01/20 22:00:47 job Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -76,8 +76,6 @@
76	#define ns_reject(x, usage) \	76	#define ns_reject(x, usage) \
77	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))	77	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
78		78
79	void x509v3_cache_extensions(X509 *x);
80
81	static int check_ssl_ca(const X509 *x);	79	static int check_ssl_ca(const X509 *x);
82	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x,	80	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x,
83	int ca);	81	int ca);
@@ -131,13 +129,9 @@ X509_check_purpose(X509 *x, int id, int ca)
131	int idx;	129	int idx;
132	const X509_PURPOSE *pt;	130	const X509_PURPOSE *pt;
133		131
134	if (!(x->ex_flags & EXFLAG_SET)) {	132	if (!x509v3_cache_extensions(x))
135	CRYPTO_w_lock(CRYPTO_LOCK_X509);	133	return -1;
136	x509v3_cache_extensions(x);	134
137	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
138	if (x->ex_flags & EXFLAG_INVALID)
139	return -1;
140	}
141	if (id == -1)	135	if (id == -1)
142	return 1;	136	return 1;
143	idx = X509_PURPOSE_get_by_id(id);	137	idx = X509_PURPOSE_get_by_id(id);
@@ -449,8 +443,8 @@ setup_crldp(X509 *x)
449	setup_dp(x, sk_DIST_POINT_value(x->crldp, i));	443	setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
450	}	444	}
451		445
452	void	446	static void
453	x509v3_cache_extensions(X509 *x)	447	x509v3_cache_extensions_internal(X509 *x)
454	{	448	{
455	BASIC_CONSTRAINTS *bs;	449	BASIC_CONSTRAINTS *bs;
456	PROXY_CERT_INFO_EXTENSION *pci;	450	PROXY_CERT_INFO_EXTENSION *pci;
@@ -640,6 +634,18 @@ x509v3_cache_extensions(X509 *x)
640	x->ex_flags \|= EXFLAG_SET;	634	x->ex_flags \|= EXFLAG_SET;
641	}	635	}
642		636
		637	int
		638	x509v3_cache_extensions(X509 *x)
		639	{
		640	if ((x->ex_flags & EXFLAG_SET) == 0) {
		641	CRYPTO_w_lock(CRYPTO_LOCK_X509);
		642	x509v3_cache_extensions_internal(x);
		643	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
		644	}
		645
		646	return (x->ex_flags & EXFLAG_INVALID) == 0;
		647	}
		648
643	/* CA checks common to all purposes	649	/* CA checks common to all purposes
644	* return codes:	650	* return codes:
645	* 0 not a CA	651	* 0 not a CA
@@ -680,11 +686,7 @@ check_ca(const X509 *x)
680	int	686	int
681	X509_check_ca(X509 *x)	687	X509_check_ca(X509 *x)
682	{	688	{
683	if (!(x->ex_flags & EXFLAG_SET)) {	689	x509v3_cache_extensions(x);
684	CRYPTO_w_lock(CRYPTO_LOCK_X509);
685	x509v3_cache_extensions(x);
686	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
687	}
688		690
689	return check_ca(x);	691	return check_ca(x);
690	}	692	}
@@ -895,19 +897,10 @@ X509_check_issued(X509 issuer, X509 subject)
895	if (X509_NAME_cmp(X509_get_subject_name(issuer),	897	if (X509_NAME_cmp(X509_get_subject_name(issuer),
896	X509_get_issuer_name(subject)))	898	X509_get_issuer_name(subject)))
897	return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;	899	return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
898	if (!(issuer->ex_flags & EXFLAG_SET)) {	900
899	CRYPTO_w_lock(CRYPTO_LOCK_X509);	901	if (!x509v3_cache_extensions(issuer))
900	x509v3_cache_extensions(issuer);
901	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
902	}
903	if (issuer->ex_flags & EXFLAG_INVALID)
904	return X509_V_ERR_UNSPECIFIED;	902	return X509_V_ERR_UNSPECIFIED;
905	if (!(subject->ex_flags & EXFLAG_SET)) {	903	if (!x509v3_cache_extensions(subject))
906	CRYPTO_w_lock(CRYPTO_LOCK_X509);
907	x509v3_cache_extensions(subject);
908	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
909	}
910	if (subject->ex_flags & EXFLAG_INVALID)
911	return X509_V_ERR_UNSPECIFIED;	904	return X509_V_ERR_UNSPECIFIED;
912		905
913	if (subject->akid) {	906	if (subject->akid) {


diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 5891bd8df3..c60bdf743f 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.62 2023/01/17 23:49:28 beck Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.63 2023/01/20 22:00:47 job Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -241,15 +241,7 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
241	static int	241	static int
242	x509_verify_cert_cache_extensions(X509 *cert)	242	x509_verify_cert_cache_extensions(X509 *cert)
243	{	243	{
244	if (!(cert->ex_flags & EXFLAG_SET)) {	244	return x509v3_cache_extensions(cert);
245	CRYPTO_w_lock(CRYPTO_LOCK_X509);
246	x509v3_cache_extensions(cert);
247	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
248	}
249	if (cert->ex_flags & EXFLAG_INVALID)
250	return 0;
251
252	return (cert->ex_flags & EXFLAG_SET);
253	}	245	}
254		246
255	static int	247	static int