8 files changed, 78 insertions, 137 deletions
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 4fdab48bb2..709e17308b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */
+/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -338,8 +338,6 @@ int	PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 STACK_OF(X509_INFO) *   PEM_X509_INFO_read_bio(BIO *bp,
            STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-int     PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-            unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 int     PEM_read(FILE *fp, char **name, char **header,
@@ -351,8 +349,6 @@ void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 int     PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
            void *x, const EVP_CIPHER *enc, unsigned char *kstr,
            int klen, pem_password_cb *callback, void *u);
-STACK_OF(X509_INFO) *   PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
-            pem_password_cb *cb, void *u);
 int    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
 int    PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index b979c79b33..26061f6f08 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.27 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,43 +57,81 @@
 */
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <openssl/opensslconf.h>
-#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
-#ifndef OPENSSL_NO_DSA
-#include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
-#endif
+#include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
-STACK_OF(X509_INFO) *
+X509_PKEY *
-PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
+X509_PKEY_new(void)
-    void *u)
+{
+        X509_PKEY *x_pkey;
+        if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
+                ASN1error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        return x_pkey;
+}
+void
+X509_PKEY_free(X509_PKEY *x_pkey)
+{
+        if (x_pkey == NULL)
+                return;
+        EVP_PKEY_free(x_pkey->dec_pkey);
+        free(x_pkey);
+}
+X509_INFO *
+X509_INFO_new(void)
 {
-        BIO *b;
+        X509_INFO *ret;
-        STACK_OF(X509_INFO) *ret;
-        if ((b = BIO_new(BIO_s_file())) == NULL) {
+        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                PEMerror(ERR_R_BUF_LIB);
+                ASN1error(ERR_R_MALLOC_FAILURE);
-                return (0);
+                return NULL;
        }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
+        ret->references = 1;
-        ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
-        BIO_free(b);
+        return ret;
-        return (ret);
+}
+LCRYPTO_ALIAS(X509_INFO_new);
+void
+X509_INFO_free(X509_INFO *x)
+{
+        if (x == NULL)
+                return;
+        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
+                return;
+        X509_free(x->x509);
+        X509_CRL_free(x->crl);
+        X509_PKEY_free(x->x_pkey);
+        free(x->enc_data);
+        free(x);
 }
-LCRYPTO_ALIAS(PEM_X509_INFO_read);
+LCRYPTO_ALIAS(X509_INFO_free);
 STACK_OF(X509_INFO) *
 PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
@@ -290,98 +328,3 @@ err:
        return ret;
 }
 LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
-/* A TJH addition */
-int
-PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-    unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        EVP_CIPHER_CTX ctx;
-        int i, ret = 0;
-        unsigned char *data = NULL;
-        const char *objstr = NULL;
-        char buf[PEM_BUFSIZE];
-        unsigned char *iv = NULL;
-        if (enc != NULL) {
-                objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-                if (objstr == NULL) {
-                        PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                        goto err;
-                }
-        }
-        /* now for the fun part ... if we have a private key then
-         * we have to be able to handle a not-yet-decrypted key
-         * being written out correctly ... if it is decrypted or
-         * it is non-encrypted then we use the base code
-         */
-        if (xi->x_pkey != NULL) {
-                if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
-                        if (enc == NULL) {
-                                PEMerror(PEM_R_CIPHER_IS_NULL);
-                                goto err;
-                        }
-                        /* copy from weirdo names into more normal things */
-                        iv = xi->enc_cipher.iv;
-                        data = (unsigned char *)xi->enc_data;
-                        i = xi->enc_len;
-                        /* we take the encryption data from the
-                         * internal stuff rather than what the
-                         * user has passed us ... as we have to
-                         * match exactly for some strange reason
-                         */
-                        objstr = OBJ_nid2sn(
-                            EVP_CIPHER_nid(xi->enc_cipher.cipher));
-                        if (objstr == NULL) {
-                                PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                                goto err;
-                        }
-                        /* create the right magic header stuff */
-                        if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
-                            sizeof buf) {
-                                PEMerror(ASN1_R_BUFFER_TOO_SMALL);
-                                goto err;
-                        }
-                        buf[0] = '\0';
-                        PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
-                        /* use the normal code to write things out */
-                        i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
-                        if (i <= 0)
-                                goto err;
-                } else {
-                        /* Add DSA/DH */
-#ifndef OPENSSL_NO_RSA
-                        /* normal optionally encrypted stuff */
-                        if (PEM_write_bio_RSAPrivateKey(bp,
-                            xi->x_pkey->dec_pkey->pkey.rsa,
-                            enc, kstr, klen, cb, u) <= 0)
-                                goto err;
-#endif
-                }
-        }
-        /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
-                goto err;
-        /* we are ignoring anything else that is loaded into the X509_INFO
-         * structure for the moment ... as I don't need it so I'm not
-         * coding it here and Eric can do it when this makes it into the
-         * base library --tjh
-         */
-        ret = 1;
-err:
-        explicit_bzero((char *)&ctx, sizeof(ctx));
-        explicit_bzero(buf, PEM_BUFSIZE);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 30db092c3e..7c7f776cae 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.56 2024/02/18 15:44:10 tb Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,7 +64,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -76,6 +75,7 @@
 #endif
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #define MIN_LENGTH      4
diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c
index 2dca978efd..d466179ad7 100644
--- a/src/lib/libcrypto/pem/pem_oth.c
+++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_oth.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_oth.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,12 +59,13 @@
 #include <stdio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 /* Handle 'other' PEMs: not private keys */
 void *
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
index 6d0c0cbd57..16bde39a7e 100644
--- a/src/lib/libcrypto/pem/pem_pk8.c
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pk8.c,v 1.14 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_pk8.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,13 +60,13 @@
 #include <string.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid,
    const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u);
 static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder, int nid,
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index d7001c83cc..df8ebaa036 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.28 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -70,6 +69,7 @@
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 int pem_check_suffix(const char *pem_str, const char *suffix);
diff --git a/src/lib/libcrypto/pem/pem_sign.c b/src/lib/libcrypto/pem/pem_sign.c
index 461f957445..878be01b70 100644
--- a/src/lib/libcrypto/pem/pem_sign.c
+++ b/src/lib/libcrypto/pem/pem_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_sign.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_sign.c,v 1.16 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,12 +58,13 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 int
 PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
 {
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 40c9feefe5..395fd9df83 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.30 2025/06/07 09:32:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -66,7 +66,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
@@ -75,6 +74,7 @@
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
@@ -803,8 +803,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 err:
        EVP_CIPHER_CTX_free(cctx);
-        if (enctmp && saltlen)
+        free(enctmp);
-                free(enctmp);
        return ret;
 }

diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h index 4fdab48bb2..709e17308b 100644 --- a/src/lib/libcrypto/pem/pem.h +++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */	1	/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -338,8 +338,6 @@ int PEM_ASN1_write_bio(i2d_of_void i2d, const char name, BIO bp, void x,
338		338
339	STACK_OF(X509_INFO) * PEM_X509_INFO_read_bio(BIO *bp,	339	STACK_OF(X509_INFO) * PEM_X509_INFO_read_bio(BIO *bp,
340	STACK_OF(X509_INFO) sk, pem_password_cb cb, void *u);	340	STACK_OF(X509_INFO) sk, pem_password_cb cb, void *u);
341	int PEM_X509_INFO_write_bio(BIO bp, X509_INFO xi, EVP_CIPHER *enc,
342	unsigned char kstr, int klen, pem_password_cb cd, void *u);
343	#endif	341	#endif
344		342
345	int PEM_read(FILE fp, char name, char *header,	343	int PEM_read(FILE fp, char name, char *header,
@@ -351,8 +349,6 @@ void * PEM_ASN1_read(d2i_of_void d2i, const char name, FILE fp, void *x,
351	int PEM_ASN1_write(i2d_of_void i2d, const char name, FILE *fp,	349	int PEM_ASN1_write(i2d_of_void i2d, const char name, FILE *fp,
352	void x, const EVP_CIPHER enc, unsigned char *kstr,	350	void x, const EVP_CIPHER enc, unsigned char *kstr,
353	int klen, pem_password_cb callback, void u);	351	int klen, pem_password_cb callback, void u);
354	STACK_OF(X509_INFO) * PEM_X509_INFO_read(FILE fp, STACK_OF(X509_INFO) sk,
355	pem_password_cb cb, void u);
356		352
357	int PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type);	353	int PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type);
358	int PEM_SignUpdate(EVP_MD_CTX ctx, unsigned char d, unsigned int cnt);	354	int PEM_SignUpdate(EVP_MD_CTX ctx, unsigned char d, unsigned int cnt);


diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c index b979c79b33..26061f6f08 100644 --- a/src/lib/libcrypto/pem/pem_info.c +++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_info.c,v 1.27 2023/07/07 13:40:44 beck Exp $ */	1	/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -57,43 +57,81 @@
57	*/	57	*/
58		58
59	#include <stdio.h>	59	#include <stdio.h>
		60	#include <stdlib.h>
60	#include <string.h>	61	#include <string.h>
61		62
62	#include <openssl/opensslconf.h>	63	#include <openssl/opensslconf.h>
63		64
64	#include <openssl/buffer.h>	65	#include <openssl/asn1.h>
		66	#include <openssl/bio.h>
		67	#include <openssl/crypto.h>
		68	#include <openssl/dsa.h>
		69	#include <openssl/ec.h>
65	#include <openssl/err.h>	70	#include <openssl/err.h>
66	#include <openssl/evp.h>	71	#include <openssl/evp.h>
67	#include <openssl/objects.h>	72	#include <openssl/objects.h>
68	#include <openssl/pem.h>	73	#include <openssl/pem.h>
69	#include <openssl/x509.h>
70
71	#ifndef OPENSSL_NO_DSA
72	#include <openssl/dsa.h>
73	#endif
74	#ifndef OPENSSL_NO_RSA
75	#include <openssl/rsa.h>	74	#include <openssl/rsa.h>
76	#endif	75	#include <openssl/x509.h>
77		76
		77	#include "err_local.h"
78	#include "evp_local.h"	78	#include "evp_local.h"
79		79
80	STACK_OF(X509_INFO) *	80	X509_PKEY *
81	PEM_X509_INFO_read(FILE fp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,	81	X509_PKEY_new(void)
82	void *u)	82	{
		83	X509_PKEY *x_pkey;
		84
		85	if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
		86	ASN1error(ERR_R_MALLOC_FAILURE);
		87	return NULL;
		88	}
		89
		90	return x_pkey;
		91	}
		92
		93	void
		94	X509_PKEY_free(X509_PKEY *x_pkey)
		95	{
		96	if (x_pkey == NULL)
		97	return;
		98
		99	EVP_PKEY_free(x_pkey->dec_pkey);
		100	free(x_pkey);
		101	}
		102
		103	X509_INFO *
		104	X509_INFO_new(void)
83	{	105	{
84	BIO *b;	106	X509_INFO *ret;
85	STACK_OF(X509_INFO) *ret;
86		107
87	if ((b = BIO_new(BIO_s_file())) == NULL) {	108	if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
88	PEMerror(ERR_R_BUF_LIB);	109	ASN1error(ERR_R_MALLOC_FAILURE);
89	return (0);	110	return NULL;
90	}	111	}
91	BIO_set_fp(b, fp, BIO_NOCLOSE);	112	ret->references = 1;
92	ret = PEM_X509_INFO_read_bio(b, sk, cb, u);	113
93	BIO_free(b);	114	return ret;
94	return (ret);	115	}
		116	LCRYPTO_ALIAS(X509_INFO_new);
		117
		118	void
		119	X509_INFO_free(X509_INFO *x)
		120	{
		121	if (x == NULL)
		122	return;
		123
		124	if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
		125	return;
		126
		127	X509_free(x->x509);
		128	X509_CRL_free(x->crl);
		129	X509_PKEY_free(x->x_pkey);
		130	free(x->enc_data);
		131
		132	free(x);
95	}	133	}
96	LCRYPTO_ALIAS(PEM_X509_INFO_read);	134	LCRYPTO_ALIAS(X509_INFO_free);
97		135
98	STACK_OF(X509_INFO) *	136	STACK_OF(X509_INFO) *
99	PEM_X509_INFO_read_bio(BIO bp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,	137	PEM_X509_INFO_read_bio(BIO bp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,
@@ -290,98 +328,3 @@ err:
290	return ret;	328	return ret;
291	}	329	}
292	LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);	330	LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
293
294
295	/* A TJH addition */
296	int
297	PEM_X509_INFO_write_bio(BIO bp, X509_INFO xi, EVP_CIPHER *enc,
298	unsigned char kstr, int klen, pem_password_cb cb, void *u)
299	{
300	EVP_CIPHER_CTX ctx;
301	int i, ret = 0;
302	unsigned char *data = NULL;
303	const char *objstr = NULL;
304	char buf[PEM_BUFSIZE];
305	unsigned char *iv = NULL;
306
307	if (enc != NULL) {
308	objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
309	if (objstr == NULL) {
310	PEMerror(PEM_R_UNSUPPORTED_CIPHER);
311	goto err;
312	}
313	}
314
315	/* now for the fun part ... if we have a private key then
316	* we have to be able to handle a not-yet-decrypted key
317	* being written out correctly ... if it is decrypted or
318	* it is non-encrypted then we use the base code
319	*/
320	if (xi->x_pkey != NULL) {
321	if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
322	if (enc == NULL) {
323	PEMerror(PEM_R_CIPHER_IS_NULL);
324	goto err;
325	}
326
327	/* copy from weirdo names into more normal things */
328	iv = xi->enc_cipher.iv;
329	data = (unsigned char *)xi->enc_data;
330	i = xi->enc_len;
331
332	/* we take the encryption data from the
333	* internal stuff rather than what the
334	* user has passed us ... as we have to
335	* match exactly for some strange reason
336	*/
337	objstr = OBJ_nid2sn(
338	EVP_CIPHER_nid(xi->enc_cipher.cipher));
339	if (objstr == NULL) {
340	PEMerror(PEM_R_UNSUPPORTED_CIPHER);
341	goto err;
342	}
343
344	/* create the right magic header stuff */
345	if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
346	sizeof buf) {
347	PEMerror(ASN1_R_BUFFER_TOO_SMALL);
348	goto err;
349	}
350	buf[0] = '\0';
351	PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
352	PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
353
354	/* use the normal code to write things out */
355	i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
356	if (i <= 0)
357	goto err;
358	} else {
359	/* Add DSA/DH */
360	#ifndef OPENSSL_NO_RSA
361	/* normal optionally encrypted stuff */
362	if (PEM_write_bio_RSAPrivateKey(bp,
363	xi->x_pkey->dec_pkey->pkey.rsa,
364	enc, kstr, klen, cb, u) <= 0)
365	goto err;
366	#endif
367	}
368	}
369
370	/* if we have a certificate then write it out now */
371	if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
372	goto err;
373
374	/* we are ignoring anything else that is loaded into the X509_INFO
375	* structure for the moment ... as I don't need it so I'm not
376	* coding it here and Eric can do it when this makes it into the
377	* base library --tjh
378	*/
379
380	ret = 1;
381
382	err:
383	explicit_bzero((char *)&ctx, sizeof(ctx));
384	explicit_bzero(buf, PEM_BUFSIZE);
385	return (ret);
386	}
387	LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);


diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c index 30db092c3e..7c7f776cae 100644 --- a/src/lib/libcrypto/pem/pem_lib.c +++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_lib.c,v 1.56 2024/02/18 15:44:10 tb Exp $ */	1	/* $OpenBSD: pem_lib.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -64,7 +64,6 @@
64	#include <openssl/opensslconf.h>	64	#include <openssl/opensslconf.h>
65		65
66	#include <openssl/buffer.h>	66	#include <openssl/buffer.h>
67	#include <openssl/err.h>
68	#include <openssl/evp.h>	67	#include <openssl/evp.h>
69	#include <openssl/objects.h>	68	#include <openssl/objects.h>
70	#include <openssl/pem.h>	69	#include <openssl/pem.h>
@@ -76,6 +75,7 @@
76	#endif	75	#endif
77		76
78	#include "asn1_local.h"	77	#include "asn1_local.h"
		78	#include "err_local.h"
79	#include "evp_local.h"	79	#include "evp_local.h"
80		80
81	#define MIN_LENGTH 4	81	#define MIN_LENGTH 4


diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c index 2dca978efd..d466179ad7 100644 --- a/src/lib/libcrypto/pem/pem_oth.c +++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_oth.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */	1	/* $OpenBSD: pem_oth.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -59,12 +59,13 @@
59	#include <stdio.h>	59	#include <stdio.h>
60		60
61	#include <openssl/buffer.h>	61	#include <openssl/buffer.h>
62	#include <openssl/err.h>
63	#include <openssl/evp.h>	62	#include <openssl/evp.h>
64	#include <openssl/objects.h>	63	#include <openssl/objects.h>
65	#include <openssl/pem.h>	64	#include <openssl/pem.h>
66	#include <openssl/x509.h>	65	#include <openssl/x509.h>
67		66
		67	#include "err_local.h"
		68
68	/* Handle 'other' PEMs: not private keys */	69	/* Handle 'other' PEMs: not private keys */
69		70
70	void *	71	void *


diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c index 6d0c0cbd57..16bde39a7e 100644 --- a/src/lib/libcrypto/pem/pem_pk8.c +++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_pk8.c,v 1.14 2023/07/07 13:40:44 beck Exp $ */	1	/* $OpenBSD: pem_pk8.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -60,13 +60,13 @@
60	#include <string.h>	60	#include <string.h>
61		61
62	#include <openssl/buffer.h>	62	#include <openssl/buffer.h>
63	#include <openssl/err.h>
64	#include <openssl/evp.h>
65	#include <openssl/objects.h>	63	#include <openssl/objects.h>
66	#include <openssl/pem.h>	64	#include <openssl/pem.h>
67	#include <openssl/pkcs12.h>	65	#include <openssl/pkcs12.h>
68	#include <openssl/x509.h>	66	#include <openssl/x509.h>
69		67
		68	#include "err_local.h"
		69
70	static int do_pk8pkey(BIO bp, EVP_PKEY x, int isder, int nid,	70	static int do_pk8pkey(BIO bp, EVP_PKEY x, int isder, int nid,
71	const EVP_CIPHER enc, char kstr, int klen, pem_password_cb cb, void u);	71	const EVP_CIPHER enc, char kstr, int klen, pem_password_cb cb, void u);
72	static int do_pk8pkey_fp(FILE bp, EVP_PKEY x, int isder, int nid,	72	static int do_pk8pkey_fp(FILE bp, EVP_PKEY x, int isder, int nid,


diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c index d7001c83cc..df8ebaa036 100644 --- a/src/lib/libcrypto/pem/pem_pkey.c +++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_pkey.c,v 1.28 2023/11/19 15:46:10 tb Exp $ */	1	/* $OpenBSD: pem_pkey.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -62,7 +62,6 @@
62	#include <openssl/opensslconf.h>	62	#include <openssl/opensslconf.h>
63		63
64	#include <openssl/buffer.h>	64	#include <openssl/buffer.h>
65	#include <openssl/err.h>
66	#include <openssl/evp.h>	65	#include <openssl/evp.h>
67	#include <openssl/objects.h>	66	#include <openssl/objects.h>
68	#include <openssl/pem.h>	67	#include <openssl/pem.h>
@@ -70,6 +69,7 @@
70	#include <openssl/x509.h>	69	#include <openssl/x509.h>
71		70
72	#include "asn1_local.h"	71	#include "asn1_local.h"
		72	#include "err_local.h"
73	#include "evp_local.h"	73	#include "evp_local.h"
74		74
75	int pem_check_suffix(const char pem_str, const char suffix);	75	int pem_check_suffix(const char pem_str, const char suffix);


diff --git a/src/lib/libcrypto/pem/pem_sign.c b/src/lib/libcrypto/pem/pem_sign.c index 461f957445..878be01b70 100644 --- a/src/lib/libcrypto/pem/pem_sign.c +++ b/src/lib/libcrypto/pem/pem_sign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_sign.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */	1	/* $OpenBSD: pem_sign.c,v 1.16 2025/05/10 05:54:38 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -58,12 +58,13 @@
58		58
59	#include <stdio.h>	59	#include <stdio.h>
60		60
61	#include <openssl/err.h>
62	#include <openssl/evp.h>	61	#include <openssl/evp.h>
63	#include <openssl/objects.h>	62	#include <openssl/objects.h>
64	#include <openssl/pem.h>	63	#include <openssl/pem.h>
65	#include <openssl/x509.h>	64	#include <openssl/x509.h>
66		65
		66	#include "err_local.h"
		67
67	int	68	int
68	PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type)	69	PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type)
69	{	70	{


diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c index 40c9feefe5..395fd9df83 100644 --- a/src/lib/libcrypto/pem/pvkfmt.c +++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */	1	/* $OpenBSD: pvkfmt.c,v 1.30 2025/06/07 09:32:35 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2005.	3	* project 2005.
4	*/	4	*/
@@ -66,7 +66,6 @@
66	#include <openssl/opensslconf.h>	66	#include <openssl/opensslconf.h>
67		67
68	#include <openssl/bn.h>	68	#include <openssl/bn.h>
69	#include <openssl/err.h>
70	#include <openssl/pem.h>	69	#include <openssl/pem.h>
71		70
72	#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)	71	#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
@@ -75,6 +74,7 @@
75		74
76	#include "bn_local.h"	75	#include "bn_local.h"
77	#include "dsa_local.h"	76	#include "dsa_local.h"
		77	#include "err_local.h"
78	#include "evp_local.h"	78	#include "evp_local.h"
79	#include "rsa_local.h"	79	#include "rsa_local.h"
80		80
@@ -803,8 +803,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
803		803
804	err:	804	err:
805	EVP_CIPHER_CTX_free(cctx);	805	EVP_CIPHER_CTX_free(cctx);
806	if (enctmp && saltlen)	806	free(enctmp);
807	free(enctmp);	807
808	return ret;	808	return ret;
809	}	809	}
810		810