4 files changed, 29 insertions, 25 deletions
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
index 7e40101752..d497fed9d8 100644
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ b/src/lib/libcrypto/ts/ts_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_lib.c,v 1.15 2025/01/07 14:22:19 tb Exp $ */
+/* $OpenBSD: ts_lib.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -155,7 +155,7 @@ TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
        BIO_printf(bio, "Message data:\n");
        msg = TS_MSG_IMPRINT_get_msg(a);
-        BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg),
+        BIO_dump_indent(bio, (const char *)ASN1_STRING_get0_data(msg),
            ASN1_STRING_length(msg), 4);
        return 1;
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index d35f6a7c94..b8cc7e2baf 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -955,28 +955,32 @@ static int
 ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
 {
        ASN1_STRING *seq = NULL;
-        unsigned char *p, *pp = NULL;
+        unsigned char *data = NULL;
-        int len;
+        int len = 0;
+        int ret = 0;
-        len = i2d_ESS_SIGNING_CERT(sc, NULL);
+        if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) {
-        if (!(pp = malloc(len))) {
+                len = 0;
-                TSerror(ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        p = pp;
-        i2d_ESS_SIGNING_CERT(sc, &p);
+        if ((seq = ASN1_STRING_new()) == NULL)
-        if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
-                TSerror(ERR_R_MALLOC_FAILURE);
                goto err;
-        }
-        free(pp);
-        pp = NULL;
-        return PKCS7_add_signed_attribute(si,
-            NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
-err:
+        ASN1_STRING_set0(seq, data, len);
+        data = NULL;
+        len = 0;
+        if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+        ret = 1;
+ err:
        ASN1_STRING_free(seq);
-        free(pp);
+        freezero(data, len);
-        return 0;
+        return ret;
 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index d38bb3b460..e9a778bb88 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.31 2025/05/10 05:54:39 tb Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.32 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -667,7 +667,7 @@ TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
                ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
                if (i > 0)
                        strlcat(result, "/", length);
-                strlcat(result, (const char *)ASN1_STRING_data(current), length);
+                strlcat(result, (const char *)ASN1_STRING_get0_data(current), length);
        }
        return result;
 }
@@ -771,7 +771,7 @@ TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
        /* Compare octet strings. */
        ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
-            memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
+            memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
 err:
        if (!ret)
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 23e2557308..b2b160c511 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.15 2025/05/10 05:54:39 tb Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2003.
 */
@@ -215,7 +215,7 @@ TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
        ret->imprint_len = ASN1_STRING_length(msg);
        if (!(ret->imprint = malloc(ret->imprint_len)))
                goto err;
-        memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
+        memcpy(ret->imprint, ASN1_STRING_get0_data(msg), ret->imprint_len);
        /* Setting nonce. */
        if ((nonce = TS_REQ_get_nonce(req)) != NULL) {

diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c index 7e40101752..d497fed9d8 100644 --- a/src/lib/libcrypto/ts/ts_lib.c +++ b/src/lib/libcrypto/ts/ts_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_lib.c,v 1.15 2025/01/07 14:22:19 tb Exp $ */	1	/* $OpenBSD: ts_lib.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -155,7 +155,7 @@ TS_MSG_IMPRINT_print_bio(BIO bio, TS_MSG_IMPRINT a)
155		155
156	BIO_printf(bio, "Message data:\n");	156	BIO_printf(bio, "Message data:\n");
157	msg = TS_MSG_IMPRINT_get_msg(a);	157	msg = TS_MSG_IMPRINT_get_msg(a);
158	BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg),	158	BIO_dump_indent(bio, (const char *)ASN1_STRING_get0_data(msg),
159	ASN1_STRING_length(msg), 4);	159	ASN1_STRING_length(msg), 4);
160		160
161	return 1;	161	return 1;


diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index d35f6a7c94..b8cc7e2baf 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_sign.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */	1	/* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -955,28 +955,32 @@ static int
955	ESS_add_signing_cert(PKCS7_SIGNER_INFO si, ESS_SIGNING_CERT sc)	955	ESS_add_signing_cert(PKCS7_SIGNER_INFO si, ESS_SIGNING_CERT sc)
956	{	956	{
957	ASN1_STRING *seq = NULL;	957	ASN1_STRING *seq = NULL;
958	unsigned char p, pp = NULL;	958	unsigned char *data = NULL;
959	int len;	959	int len = 0;
		960	int ret = 0;
960		961
961	len = i2d_ESS_SIGNING_CERT(sc, NULL);	962	if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) {
962	if (!(pp = malloc(len))) {	963	len = 0;
963	TSerror(ERR_R_MALLOC_FAILURE);
964	goto err;	964	goto err;
965	}	965	}
966	p = pp;	966
967	i2d_ESS_SIGNING_CERT(sc, &p);	967	if ((seq = ASN1_STRING_new()) == NULL)
968	if (!(seq = ASN1_STRING_new()) \|\| !ASN1_STRING_set(seq, pp, len)) {
969	TSerror(ERR_R_MALLOC_FAILURE);
970	goto err;	968	goto err;
971	}
972	free(pp);
973	pp = NULL;
974	return PKCS7_add_signed_attribute(si,
975	NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
976		969
977	err:	970	ASN1_STRING_set0(seq, data, len);
		971	data = NULL;
		972	len = 0;
		973
		974	if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
		975	V_ASN1_SEQUENCE, seq))
		976	goto err;
		977	seq = NULL;
		978
		979	ret = 1;
		980
		981	err:
978	ASN1_STRING_free(seq);	982	ASN1_STRING_free(seq);
979	free(pp);	983	freezero(data, len);
980		984
981	return 0;	985	return ret;
982	}	986	}


diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c index d38bb3b460..e9a778bb88 100644 --- a/src/lib/libcrypto/ts/ts_rsp_verify.c +++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_verify.c,v 1.31 2025/05/10 05:54:39 tb Exp $ */	1	/* $OpenBSD: ts_rsp_verify.c,v 1.32 2025/12/05 14:19:27 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -667,7 +667,7 @@ TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
667	ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);	667	ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
668	if (i > 0)	668	if (i > 0)
669	strlcat(result, "/", length);	669	strlcat(result, "/", length);
670	strlcat(result, (const char *)ASN1_STRING_data(current), length);	670	strlcat(result, (const char *)ASN1_STRING_get0_data(current), length);
671	}	671	}
672	return result;	672	return result;
673	}	673	}
@@ -771,7 +771,7 @@ TS_check_imprints(X509_ALGOR algor_a, unsigned char imprint_a, unsigned len_a,
771		771
772	/* Compare octet strings. */	772	/* Compare octet strings. */
773	ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&	773	ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
774	memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;	774	memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
775		775
776	err:	776	err:
777	if (!ret)	777	if (!ret)


diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c index 23e2557308..b2b160c511 100644 --- a/src/lib/libcrypto/ts/ts_verify_ctx.c +++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_verify_ctx.c,v 1.15 2025/05/10 05:54:39 tb Exp $ */	1	/* $OpenBSD: ts_verify_ctx.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2003.	3	* project 2003.
4	*/	4	*/
@@ -215,7 +215,7 @@ TS_REQ_to_TS_VERIFY_CTX(TS_REQ req, TS_VERIFY_CTX ctx)
215	ret->imprint_len = ASN1_STRING_length(msg);	215	ret->imprint_len = ASN1_STRING_length(msg);
216	if (!(ret->imprint = malloc(ret->imprint_len)))	216	if (!(ret->imprint = malloc(ret->imprint_len)))
217	goto err;	217	goto err;
218	memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);	218	memcpy(ret->imprint, ASN1_STRING_get0_data(msg), ret->imprint_len);
219		219
220	/* Setting nonce. */	220	/* Setting nonce. */
221	if ((nonce = TS_REQ_get_nonce(req)) != NULL) {	221	if ((nonce = TS_REQ_get_nonce(req)) != NULL) {