4 files changed, 73 insertions, 110 deletions
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 9ce1b58ed1..f00a55bac8 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.8 2023/05/08 14:51:00 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.9 2023/05/28 05:25:24 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -272,7 +272,14 @@ struct X509_VERIFY_PARAM_st {
        int depth;              /* Verify depth */
        int security_level;     /* 'Security level', see SP800-57. */
        STACK_OF(ASN1_OBJECT) *policies;        /* Permissible policies */
-        X509_VERIFY_PARAM_ID *id;       /* opaque ID data */
+        STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
+        unsigned int hostflags;     /* Flags to control matching features */
+        char *peername;             /* Matching hostname in peer certificate */
+        char *email;                /* If not NULL email address to match */
+        size_t emaillen;
+        unsigned char *ip;          /* If not NULL IP address to match */
+        size_t iplen;               /* Length of IP address */
+        int poisoned;
 } /* X509_VERIFY_PARAM */;
 /*
@@ -368,17 +375,6 @@ struct x509_store_ctx_st {
        CRYPTO_EX_DATA ex_data;
 } /* X509_STORE_CTX */;
-struct X509_VERIFY_PARAM_ID_st {
-        STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
-        unsigned int hostflags;     /* Flags to control matching features */
-        char *peername;             /* Matching hostname in peer certificate */
-        char *email;                /* If not NULL email address to match */
-        size_t emaillen;
-        unsigned char *ip;          /* If not NULL IP address to match */
-        size_t iplen;               /* Length of IP address */
-        int poisoned;
-};
 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 6bc06187e1..0c2144752d 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.123 2023/05/14 20:20:40 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.124 2023/05/28 05:25:24 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -177,19 +177,19 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
 }
 static int
-check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
+check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
 {
        int i, n;
        char *name;
-        n = sk_OPENSSL_STRING_num(id->hosts);
+        n = sk_OPENSSL_STRING_num(vpm->hosts);
-        free(id->peername);
+        free(vpm->peername);
-        id->peername = NULL;
+        vpm->peername = NULL;
        for (i = 0; i < n; ++i) {
-                name = sk_OPENSSL_STRING_value(id->hosts, i);
+                name = sk_OPENSSL_STRING_value(vpm->hosts, i);
-                if (X509_check_host(x, name, strlen(name), id->hostflags,
+                if (X509_check_host(x, name, strlen(name), vpm->hostflags,
-                    &id->peername) > 0)
+                    &vpm->peername) > 0)
                        return 1;
        }
        return n == 0;
@@ -199,19 +199,18 @@ static int
 check_id(X509_STORE_CTX *ctx)
 {
        X509_VERIFY_PARAM *vpm = ctx->param;
-        X509_VERIFY_PARAM_ID *id = vpm->id;
        X509 *x = ctx->cert;
-        if (id->hosts && check_hosts(x, id) <= 0) {
+        if (vpm->hosts && check_hosts(x, vpm) <= 0) {
                if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                        return 0;
        }
-        if (id->email != NULL && X509_check_email(x, id->email, id->emaillen, 0)
+        if (vpm->email != NULL && X509_check_email(x, vpm->email, vpm->emaillen, 0)
            <= 0) {
                if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
                        return 0;
        }
-        if (id->ip != NULL && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {
+        if (vpm->ip != NULL && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
                if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
                        return 0;
        }
@@ -609,7 +608,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
                ctx->error = X509_V_ERR_INVALID_CALL;
                return -1;
        }
-        if (ctx->param->id->poisoned) {
+        if (ctx->param->poisoned) {
                /*
                 * This X509_STORE_CTX had failures setting
                 * up verify parameters. We can not use it.
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 202cf7438f..1aa29abd3d 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.64 2023/05/28 05:25:24 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -105,7 +105,7 @@ DECLARE_STACK_OF(X509_LOOKUP)
 DECLARE_STACK_OF(X509_OBJECT)
 DECLARE_STACK_OF(X509_VERIFY_PARAM)
-/* unused in OpenSSL */
+/* XXX - unused in OpenSSL. Can we remove this? */
 typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 5c8c09e9fc..4ba697ead4 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.40 2023/05/28 05:25:24 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -122,7 +122,7 @@ sk_deep_copy(void *sk_void, void *copy_func_void, void *free_func_void)
 }
 static int
-x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
+x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
    const char *name, size_t namelen)
 {
        char *copy;
@@ -135,9 +135,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
        if (name && memchr(name, '\0', namelen))
                return 0;
-        if (mode == SET_HOST && id->hosts) {
+        if (mode == SET_HOST && vpm->hosts) {
-                sk_OPENSSL_STRING_pop_free(id->hosts, str_free);
+                sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
-                id->hosts = NULL;
+                vpm->hosts = NULL;
        }
        if (name == NULL || namelen == 0)
                return 1;
@@ -145,17 +145,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
        if (copy == NULL)
                return 0;
-        if (id->hosts == NULL &&
+        if (vpm->hosts == NULL &&
-            (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
+            (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
                free(copy);
                return 0;
        }
-        if (!sk_OPENSSL_STRING_push(id->hosts, copy)) {
+        if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
                free(copy);
-                if (sk_OPENSSL_STRING_num(id->hosts) == 0) {
+                if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
-                        sk_OPENSSL_STRING_free(id->hosts);
+                        sk_OPENSSL_STRING_free(vpm->hosts);
-                        id->hosts = NULL;
+                        vpm->hosts = NULL;
                }
                return 0;
        }
@@ -166,9 +166,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
 static void
 x509_verify_param_zero(X509_VERIFY_PARAM *param)
 {
-        X509_VERIFY_PARAM_ID *paramid;
        if (!param)
                return;
        free(param->name);
        param->name = NULL;
        param->purpose = 0;
@@ -177,40 +177,29 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
        param->inh_flags = 0;
        param->flags = 0;
        param->depth = -1;
-        if (param->policies) {
+        sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
-                sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+        param->policies = NULL;
-                param->policies = NULL;
+        sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
-        }
+        param->hosts = NULL;
-        paramid = param->id;
+        free(param->peername);
-        if (paramid->hosts) {
+        param->peername = NULL;
-                sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free);
+        free(param->email);
-                paramid->hosts = NULL;
+        param->email = NULL;
-        }
+        param->emaillen = 0;
-        free(paramid->peername);
+        free(param->ip);
-        paramid->peername = NULL;
+        param->ip = NULL;
-        free(paramid->email);
+        param->iplen = 0;
-        paramid->email = NULL;
+        param->poisoned = 0;
-        paramid->emaillen = 0;
-        free(paramid->ip);
-        paramid->ip = NULL;
-        paramid->iplen = 0;
-        paramid->poisoned = 0;
 }
 X509_VERIFY_PARAM *
 X509_VERIFY_PARAM_new(void)
 {
        X509_VERIFY_PARAM *param;
-        X509_VERIFY_PARAM_ID *paramid;
        param = calloc(1, sizeof(X509_VERIFY_PARAM));
        if (param == NULL)
                return NULL;
-        paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID));
-        if (paramid == NULL) {
-                free(param);
-                return NULL;
-        }
-        param->id = paramid;
        x509_verify_param_zero(param);
        return param;
 }
@@ -222,7 +211,6 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
        if (param == NULL)
                return;
        x509_verify_param_zero(param);
-        free(param->id);
        free(param);
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
@@ -260,18 +248,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
 */
 /* Macro to test if a field should be copied from src to dest */
 #define test_x509_verify_param_copy(field, def) \
        (to_overwrite || \
                ((src->field != def) && (to_default || (dest->field == def))))
-/* As above but for ID fields */
-#define test_x509_verify_param_copy_id(idf, def) \
-        test_x509_verify_param_copy(id->idf, def)
 /* Macro to test and copy a field if necessary */
 #define x509_verify_param_copy(field, def) \
        if (test_x509_verify_param_copy(field, def)) \
                dest->field = src->field
@@ -281,11 +262,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
 {
        unsigned long inh_flags;
        int to_default, to_overwrite;
-        X509_VERIFY_PARAM_ID *id;
        if (!src)
                return 1;
-        id = src->id;
        inh_flags = dest->inh_flags | src->inh_flags;
        if (inh_flags & X509_VP_FLAG_ONCE)
@@ -326,30 +305,28 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
                        return 0;
        }
-        if (test_x509_verify_param_copy_id(hostflags, 0))
+        x509_verify_param_copy(hostflags, 0);
-                dest->id->hostflags = id->hostflags;
-        if (test_x509_verify_param_copy_id(hosts, NULL)) {
+        if (test_x509_verify_param_copy(hosts, NULL)) {
-                if (dest->id->hosts) {
+                if (dest->hosts) {
-                        sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free);
+                        sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
-                        dest->id->hosts = NULL;
+                        dest->hosts = NULL;
                }
-                if (id->hosts) {
+                if (src->hosts) {
-                        dest->id->hosts =
+                        dest->hosts = sk_deep_copy(src->hosts, strdup, str_free);
-                            sk_deep_copy(id->hosts, strdup, str_free);
+                        if (dest->hosts == NULL)
-                        if (dest->id->hosts == NULL)
                                return 0;
                }
        }
-        if (test_x509_verify_param_copy_id(email, NULL)) {
+        if (test_x509_verify_param_copy(email, NULL)) {
-                if (!X509_VERIFY_PARAM_set1_email(dest, id->email,
+                if (!X509_VERIFY_PARAM_set1_email(dest, src->email,
-                    id->emaillen))
+                    src->emaillen))
                        return 0;
        }
-        if (test_x509_verify_param_copy_id(ip, NULL)) {
+        if (test_x509_verify_param_copy(ip, NULL)) {
-                if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
+                if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
                        return 0;
        }
@@ -534,9 +511,9 @@ int
 X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
    const char *name, size_t namelen)
 {
-        if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen))
+        if (x509_param_set_hosts_internal(param, SET_HOST, name, namelen))
                return 1;
-        param->id->poisoned = 1;
+        param->poisoned = 1;
        return 0;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host);
@@ -545,9 +522,9 @@ int
 X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
    const char *name, size_t namelen)
 {
-        if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen))
+        if (x509_param_set_hosts_internal(param, ADD_HOST, name, namelen))
                return 1;
-        param->id->poisoned = 1;
+        param->poisoned = 1;
        return 0;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
@@ -556,20 +533,20 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
 unsigned int
 X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)
 {
-        return param->id->hostflags;
+        return param->hostflags;
 }
 void
 X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)
 {
-        param->id->hostflags = flags;
+        param->hostflags = flags;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags);
 char *
 X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
 {
-        return param->id->peername;
+        return param->peername;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername);
@@ -577,10 +554,10 @@ int
 X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,  const char *email,
    size_t emaillen)
 {
-        if (x509_param_set1_internal(&param->id->email, &param->id->emaillen,
+        if (x509_param_set1_internal(&param->email, &param->emaillen,
            email, emaillen, 1))
                return 1;
-        param->id->poisoned = 1;
+        param->poisoned = 1;
        return 0;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email);
@@ -591,11 +568,11 @@ X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
 {
        if (iplen != 4 && iplen != 16)
                goto err;
-        if (x509_param_set1_internal((char **)&param->id->ip, &param->id->iplen,
+        if (x509_param_set1_internal((char **)&param->ip, &param->iplen,
                (char *)ip, iplen, 0))
                return 1;
 err:
-        param->id->poisoned = 1;
+        param->poisoned = 1;
        return 0;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip);
@@ -625,10 +602,6 @@ X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name);
-static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
-#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
 /*
 * Default verify parameters: these are used for various applications and can
 * be overridden by the user specified table.
@@ -640,35 +613,30 @@ static const X509_VERIFY_PARAM default_table[] = {
                .flags = X509_V_FLAG_TRUSTED_FIRST,
                .depth = 100,
                .trust = 0,  /* XXX This is not the default trust value */
-                .id = vpm_empty_id
        },
        {
                .name = "pkcs7",
                .purpose = X509_PURPOSE_SMIME_SIGN,
                .trust = X509_TRUST_EMAIL,
                .depth = -1,
-                .id = vpm_empty_id
        },
        {
                .name = "smime_sign",
                .purpose = X509_PURPOSE_SMIME_SIGN,
                .trust = X509_TRUST_EMAIL,
                .depth =  -1,
-                .id = vpm_empty_id
        },
        {
                .name = "ssl_client",
                .purpose = X509_PURPOSE_SSL_CLIENT,
                .trust = X509_TRUST_SSL_CLIENT,
                .depth = -1,
-                .id = vpm_empty_id
        },
        {
                .name = "ssl_server",
                .purpose = X509_PURPOSE_SSL_SERVER,
                .trust = X509_TRUST_SSL_SERVER,
                .depth = -1,
-                .id = vpm_empty_id
        }
 };

diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h index 9ce1b58ed1..f00a55bac8 100644 --- a/src/lib/libcrypto/x509/x509_local.h +++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_local.h,v 1.8 2023/05/08 14:51:00 tb Exp $ */	1	/* $OpenBSD: x509_local.h,v 1.9 2023/05/28 05:25:24 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2013.	3	* project 2013.
4	*/	4	*/
@@ -272,7 +272,14 @@ struct X509_VERIFY_PARAM_st {
272	int depth; /* Verify depth */	272	int depth; /* Verify depth */
273	int security_level; /* 'Security level', see SP800-57. */	273	int security_level; /* 'Security level', see SP800-57. */
274	STACK_OF(ASN1_OBJECT) policies; / Permissible policies */	274	STACK_OF(ASN1_OBJECT) policies; / Permissible policies */
275	X509_VERIFY_PARAM_ID id; / opaque ID data */	275	STACK_OF(OPENSSL_STRING) hosts; / Set of acceptable names */
		276	unsigned int hostflags; /* Flags to control matching features */
		277	char peername; / Matching hostname in peer certificate */
		278	char email; / If not NULL email address to match */
		279	size_t emaillen;
		280	unsigned char ip; / If not NULL IP address to match */
		281	size_t iplen; /* Length of IP address */
		282	int poisoned;
276	} /* X509_VERIFY_PARAM */;	283	} /* X509_VERIFY_PARAM */;
277		284
278	/*	285	/*
@@ -368,17 +375,6 @@ struct x509_store_ctx_st {
368	CRYPTO_EX_DATA ex_data;	375	CRYPTO_EX_DATA ex_data;
369	} /* X509_STORE_CTX */;	376	} /* X509_STORE_CTX */;
370		377
371	struct X509_VERIFY_PARAM_ID_st {
372	STACK_OF(OPENSSL_STRING) hosts; / Set of acceptable names */
373	unsigned int hostflags; /* Flags to control matching features */
374	char peername; / Matching hostname in peer certificate */
375	char email; / If not NULL email address to match */
376	size_t emaillen;
377	unsigned char ip; / If not NULL IP address to match */
378	size_t iplen; /* Length of IP address */
379	int poisoned;
380	};
381
382	int x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet);	378	int x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet);
383		379
384	int name_cmp(const char name, const char cmp);	380	int name_cmp(const char name, const char cmp);


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 6bc06187e1..0c2144752d 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.123 2023/05/14 20:20:40 tb Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.124 2023/05/28 05:25:24 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -177,19 +177,19 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
177	}	177	}
178		178
179	static int	179	static int
180	check_hosts(X509 x, X509_VERIFY_PARAM_ID id)	180	check_hosts(X509 x, X509_VERIFY_PARAM vpm)
181	{	181	{
182	int i, n;	182	int i, n;
183	char *name;	183	char *name;
184		184
185	n = sk_OPENSSL_STRING_num(id->hosts);	185	n = sk_OPENSSL_STRING_num(vpm->hosts);
186	free(id->peername);	186	free(vpm->peername);
187	id->peername = NULL;	187	vpm->peername = NULL;
188		188
189	for (i = 0; i < n; ++i) {	189	for (i = 0; i < n; ++i) {
190	name = sk_OPENSSL_STRING_value(id->hosts, i);	190	name = sk_OPENSSL_STRING_value(vpm->hosts, i);
191	if (X509_check_host(x, name, strlen(name), id->hostflags,	191	if (X509_check_host(x, name, strlen(name), vpm->hostflags,
192	&id->peername) > 0)	192	&vpm->peername) > 0)
193	return 1;	193	return 1;
194	}	194	}
195	return n == 0;	195	return n == 0;
@@ -199,19 +199,18 @@ static int
199	check_id(X509_STORE_CTX *ctx)	199	check_id(X509_STORE_CTX *ctx)
200	{	200	{
201	X509_VERIFY_PARAM *vpm = ctx->param;	201	X509_VERIFY_PARAM *vpm = ctx->param;
202	X509_VERIFY_PARAM_ID *id = vpm->id;
203	X509 *x = ctx->cert;	202	X509 *x = ctx->cert;
204		203
205	if (id->hosts && check_hosts(x, id) <= 0) {	204	if (vpm->hosts && check_hosts(x, vpm) <= 0) {
206	if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))	205	if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
207	return 0;	206	return 0;
208	}	207	}
209	if (id->email != NULL && X509_check_email(x, id->email, id->emaillen, 0)	208	if (vpm->email != NULL && X509_check_email(x, vpm->email, vpm->emaillen, 0)
210	<= 0) {	209	<= 0) {
211	if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))	210	if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
212	return 0;	211	return 0;
213	}	212	}
214	if (id->ip != NULL && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {	213	if (vpm->ip != NULL && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
215	if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))	214	if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
216	return 0;	215	return 0;
217	}	216	}
@@ -609,7 +608,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
609	ctx->error = X509_V_ERR_INVALID_CALL;	608	ctx->error = X509_V_ERR_INVALID_CALL;
610	return -1;	609	return -1;
611	}	610	}
612	if (ctx->param->id->poisoned) {	611	if (ctx->param->poisoned) {
613	/*	612	/*
614	* This X509_STORE_CTX had failures setting	613	* This X509_STORE_CTX had failures setting
615	* up verify parameters. We can not use it.	614	* up verify parameters. We can not use it.


diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h index 202cf7438f..1aa29abd3d 100644 --- a/src/lib/libcrypto/x509/x509_vfy.h +++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */	1	/* $OpenBSD: x509_vfy.h,v 1.64 2023/05/28 05:25:24 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -105,7 +105,7 @@ DECLARE_STACK_OF(X509_LOOKUP)
105	DECLARE_STACK_OF(X509_OBJECT)	105	DECLARE_STACK_OF(X509_OBJECT)
106	DECLARE_STACK_OF(X509_VERIFY_PARAM)	106	DECLARE_STACK_OF(X509_VERIFY_PARAM)
107		107
108	/* unused in OpenSSL */	108	/* XXX - unused in OpenSSL. Can we remove this? */
109	typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;	109	typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;
110		110
111		111


diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c index 5c8c09e9fc..4ba697ead4 100644 --- a/src/lib/libcrypto/x509/x509_vpm.c +++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */	1	/* $OpenBSD: x509_vpm.c,v 1.40 2023/05/28 05:25:24 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2004.	3	* project 2004.
4	*/	4	*/
@@ -122,7 +122,7 @@ sk_deep_copy(void sk_void, void copy_func_void, void *free_func_void)
122	}	122	}
123		123
124	static int	124	static int
125	x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,	125	x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
126	const char *name, size_t namelen)	126	const char *name, size_t namelen)
127	{	127	{
128	char *copy;	128	char *copy;
@@ -135,9 +135,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
135	if (name && memchr(name, '\0', namelen))	135	if (name && memchr(name, '\0', namelen))
136	return 0;	136	return 0;
137		137
138	if (mode == SET_HOST && id->hosts) {	138	if (mode == SET_HOST && vpm->hosts) {
139	sk_OPENSSL_STRING_pop_free(id->hosts, str_free);	139	sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
140	id->hosts = NULL;	140	vpm->hosts = NULL;
141	}	141	}
142	if (name == NULL \|\| namelen == 0)	142	if (name == NULL \|\| namelen == 0)
143	return 1;	143	return 1;
@@ -145,17 +145,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
145	if (copy == NULL)	145	if (copy == NULL)
146	return 0;	146	return 0;
147		147
148	if (id->hosts == NULL &&	148	if (vpm->hosts == NULL &&
149	(id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {	149	(vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
150	free(copy);	150	free(copy);
151	return 0;	151	return 0;
152	}	152	}
153		153
154	if (!sk_OPENSSL_STRING_push(id->hosts, copy)) {	154	if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
155	free(copy);	155	free(copy);
156	if (sk_OPENSSL_STRING_num(id->hosts) == 0) {	156	if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
157	sk_OPENSSL_STRING_free(id->hosts);	157	sk_OPENSSL_STRING_free(vpm->hosts);
158	id->hosts = NULL;	158	vpm->hosts = NULL;
159	}	159	}
160	return 0;	160	return 0;
161	}	161	}
@@ -166,9 +166,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
166	static void	166	static void
167	x509_verify_param_zero(X509_VERIFY_PARAM *param)	167	x509_verify_param_zero(X509_VERIFY_PARAM *param)
168	{	168	{
169	X509_VERIFY_PARAM_ID *paramid;
170	if (!param)	169	if (!param)
171	return;	170	return;
		171
172	free(param->name);	172	free(param->name);
173	param->name = NULL;	173	param->name = NULL;
174	param->purpose = 0;	174	param->purpose = 0;
@@ -177,40 +177,29 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
177	param->inh_flags = 0;	177	param->inh_flags = 0;
178	param->flags = 0;	178	param->flags = 0;
179	param->depth = -1;	179	param->depth = -1;
180	if (param->policies) {	180	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
181	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);	181	param->policies = NULL;
182	param->policies = NULL;	182	sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
183	}	183	param->hosts = NULL;
184	paramid = param->id;	184	free(param->peername);
185	if (paramid->hosts) {	185	param->peername = NULL;
186	sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free);	186	free(param->email);
187	paramid->hosts = NULL;	187	param->email = NULL;
188	}	188	param->emaillen = 0;
189	free(paramid->peername);	189	free(param->ip);
190	paramid->peername = NULL;	190	param->ip = NULL;
191	free(paramid->email);	191	param->iplen = 0;
192	paramid->email = NULL;	192	param->poisoned = 0;
193	paramid->emaillen = 0;
194	free(paramid->ip);
195	paramid->ip = NULL;
196	paramid->iplen = 0;
197	paramid->poisoned = 0;
198	}	193	}
199		194
200	X509_VERIFY_PARAM *	195	X509_VERIFY_PARAM *
201	X509_VERIFY_PARAM_new(void)	196	X509_VERIFY_PARAM_new(void)
202	{	197	{
203	X509_VERIFY_PARAM *param;	198	X509_VERIFY_PARAM *param;
204	X509_VERIFY_PARAM_ID *paramid;	199
205	param = calloc(1, sizeof(X509_VERIFY_PARAM));	200	param = calloc(1, sizeof(X509_VERIFY_PARAM));
206	if (param == NULL)	201	if (param == NULL)
207	return NULL;	202	return NULL;
208	paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID));
209	if (paramid == NULL) {
210	free(param);
211	return NULL;
212	}
213	param->id = paramid;
214	x509_verify_param_zero(param);	203	x509_verify_param_zero(param);
215	return param;	204	return param;
216	}	205	}
@@ -222,7 +211,6 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
222	if (param == NULL)	211	if (param == NULL)
223	return;	212	return;
224	x509_verify_param_zero(param);	213	x509_verify_param_zero(param);
225	free(param->id);
226	free(param);	214	free(param);
227	}	215	}
228	LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);	216	LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
@@ -260,18 +248,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
260	*/	248	*/
261		249
262	/* Macro to test if a field should be copied from src to dest */	250	/* Macro to test if a field should be copied from src to dest */
263
264	#define test_x509_verify_param_copy(field, def) \	251	#define test_x509_verify_param_copy(field, def) \
265	(to_overwrite \|\| \	252	(to_overwrite \|\| \
266	((src->field != def) && (to_default \|\| (dest->field == def))))	253	((src->field != def) && (to_default \|\| (dest->field == def))))
267		254
268	/* As above but for ID fields */
269
270	#define test_x509_verify_param_copy_id(idf, def) \
271	test_x509_verify_param_copy(id->idf, def)
272
273	/* Macro to test and copy a field if necessary */	255	/* Macro to test and copy a field if necessary */
274
275	#define x509_verify_param_copy(field, def) \	256	#define x509_verify_param_copy(field, def) \
276	if (test_x509_verify_param_copy(field, def)) \	257	if (test_x509_verify_param_copy(field, def)) \
277	dest->field = src->field	258	dest->field = src->field
@@ -281,11 +262,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM dest, const X509_VERIFY_PARAM src)
281	{	262	{
282	unsigned long inh_flags;	263	unsigned long inh_flags;
283	int to_default, to_overwrite;	264	int to_default, to_overwrite;
284	X509_VERIFY_PARAM_ID *id;
285		265
286	if (!src)	266	if (!src)
287	return 1;	267	return 1;
288	id = src->id;
289	inh_flags = dest->inh_flags \| src->inh_flags;	268	inh_flags = dest->inh_flags \| src->inh_flags;
290		269
291	if (inh_flags & X509_VP_FLAG_ONCE)	270	if (inh_flags & X509_VP_FLAG_ONCE)
@@ -326,30 +305,28 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM dest, const X509_VERIFY_PARAM src)
326	return 0;	305	return 0;
327	}	306	}
328		307
329	if (test_x509_verify_param_copy_id(hostflags, 0))	308	x509_verify_param_copy(hostflags, 0);
330	dest->id->hostflags = id->hostflags;
331		309
332	if (test_x509_verify_param_copy_id(hosts, NULL)) {	310	if (test_x509_verify_param_copy(hosts, NULL)) {
333	if (dest->id->hosts) {	311	if (dest->hosts) {
334	sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free);	312	sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
335	dest->id->hosts = NULL;	313	dest->hosts = NULL;
336	}	314	}
337	if (id->hosts) {	315	if (src->hosts) {
338	dest->id->hosts =	316	dest->hosts = sk_deep_copy(src->hosts, strdup, str_free);
339	sk_deep_copy(id->hosts, strdup, str_free);	317	if (dest->hosts == NULL)
340	if (dest->id->hosts == NULL)
341	return 0;	318	return 0;
342	}	319	}
343	}	320	}
344		321
345	if (test_x509_verify_param_copy_id(email, NULL)) {	322	if (test_x509_verify_param_copy(email, NULL)) {
346	if (!X509_VERIFY_PARAM_set1_email(dest, id->email,	323	if (!X509_VERIFY_PARAM_set1_email(dest, src->email,
347	id->emaillen))	324	src->emaillen))
348	return 0;	325	return 0;
349	}	326	}
350		327
351	if (test_x509_verify_param_copy_id(ip, NULL)) {	328	if (test_x509_verify_param_copy(ip, NULL)) {
352	if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))	329	if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
353	return 0;	330	return 0;
354	}	331	}
355		332
@@ -534,9 +511,9 @@ int
534	X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,	511	X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
535	const char *name, size_t namelen)	512	const char *name, size_t namelen)
536	{	513	{
537	if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen))	514	if (x509_param_set_hosts_internal(param, SET_HOST, name, namelen))
538	return 1;	515	return 1;
539	param->id->poisoned = 1;	516	param->poisoned = 1;
540	return 0;	517	return 0;
541	}	518	}
542	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host);	519	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host);
@@ -545,9 +522,9 @@ int
545	X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,	522	X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
546	const char *name, size_t namelen)	523	const char *name, size_t namelen)
547	{	524	{
548	if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen))	525	if (x509_param_set_hosts_internal(param, ADD_HOST, name, namelen))
549	return 1;	526	return 1;
550	param->id->poisoned = 1;	527	param->poisoned = 1;
551	return 0;	528	return 0;
552	}	529	}
553	LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);	530	LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
@@ -556,20 +533,20 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
556	unsigned int	533	unsigned int
557	X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)	534	X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)
558	{	535	{
559	return param->id->hostflags;	536	return param->hostflags;
560	}	537	}
561		538
562	void	539	void
563	X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)	540	X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)
564	{	541	{
565	param->id->hostflags = flags;	542	param->hostflags = flags;
566	}	543	}
567	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags);	544	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags);
568		545
569	char *	546	char *
570	X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)	547	X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
571	{	548	{
572	return param->id->peername;	549	return param->peername;
573	}	550	}
574	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername);	551	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername);
575		552
@@ -577,10 +554,10 @@ int
577	X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM param, const char email,	554	X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM param, const char email,
578	size_t emaillen)	555	size_t emaillen)
579	{	556	{
580	if (x509_param_set1_internal(&param->id->email, &param->id->emaillen,	557	if (x509_param_set1_internal(&param->email, &param->emaillen,
581	email, emaillen, 1))	558	email, emaillen, 1))
582	return 1;	559	return 1;
583	param->id->poisoned = 1;	560	param->poisoned = 1;
584	return 0;	561	return 0;
585	}	562	}
586	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email);	563	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email);
@@ -591,11 +568,11 @@ X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM param, const unsigned char ip,
591	{	568	{
592	if (iplen != 4 && iplen != 16)	569	if (iplen != 4 && iplen != 16)
593	goto err;	570	goto err;
594	if (x509_param_set1_internal((char **)&param->id->ip, &param->id->iplen,	571	if (x509_param_set1_internal((char **)&param->ip, &param->iplen,
595	(char *)ip, iplen, 0))	572	(char *)ip, iplen, 0))
596	return 1;	573	return 1;
597	err:	574	err:
598	param->id->poisoned = 1;	575	param->poisoned = 1;
599	return 0;	576	return 0;
600	}	577	}
601	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip);	578	LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip);
@@ -625,10 +602,6 @@ X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
625	}	602	}
626	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name);	603	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name);
627		604
628	static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
629
630	#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
631
632	/*	605	/*
633	* Default verify parameters: these are used for various applications and can	606	* Default verify parameters: these are used for various applications and can
634	* be overridden by the user specified table.	607	* be overridden by the user specified table.
@@ -640,35 +613,30 @@ static const X509_VERIFY_PARAM default_table[] = {
640	.flags = X509_V_FLAG_TRUSTED_FIRST,	613	.flags = X509_V_FLAG_TRUSTED_FIRST,
641	.depth = 100,	614	.depth = 100,
642	.trust = 0, /* XXX This is not the default trust value */	615	.trust = 0, /* XXX This is not the default trust value */
643	.id = vpm_empty_id
644	},	616	},
645	{	617	{
646	.name = "pkcs7",	618	.name = "pkcs7",
647	.purpose = X509_PURPOSE_SMIME_SIGN,	619	.purpose = X509_PURPOSE_SMIME_SIGN,
648	.trust = X509_TRUST_EMAIL,	620	.trust = X509_TRUST_EMAIL,
649	.depth = -1,	621	.depth = -1,
650	.id = vpm_empty_id
651	},	622	},
652	{	623	{
653	.name = "smime_sign",	624	.name = "smime_sign",
654	.purpose = X509_PURPOSE_SMIME_SIGN,	625	.purpose = X509_PURPOSE_SMIME_SIGN,
655	.trust = X509_TRUST_EMAIL,	626	.trust = X509_TRUST_EMAIL,
656	.depth = -1,	627	.depth = -1,
657	.id = vpm_empty_id
658	},	628	},
659	{	629	{
660	.name = "ssl_client",	630	.name = "ssl_client",
661	.purpose = X509_PURPOSE_SSL_CLIENT,	631	.purpose = X509_PURPOSE_SSL_CLIENT,
662	.trust = X509_TRUST_SSL_CLIENT,	632	.trust = X509_TRUST_SSL_CLIENT,
663	.depth = -1,	633	.depth = -1,
664	.id = vpm_empty_id
665	},	634	},
666	{	635	{
667	.name = "ssl_server",	636	.name = "ssl_server",
668	.purpose = X509_PURPOSE_SSL_SERVER,	637	.purpose = X509_PURPOSE_SSL_SERVER,
669	.trust = X509_TRUST_SSL_SERVER,	638	.trust = X509_TRUST_SSL_SERVER,
670	.depth = -1,	639	.depth = -1,
671	.id = vpm_empty_id
672	}	640	}
673	};	641	};
674		642