8 files changed, 39 insertions, 36 deletions

diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
index feb2da68f9..aa3f4ba867 100644
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ b/src/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.15 2024/04/15 15:52:46 tb Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
  */
 /* ====================================================================
@@ -58,9 +58,9 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/ts.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = {
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index bd499238f5..0acefa902f 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_conf.c,v 1.15 2024/08/26 22:01:28 op Exp $ */
+/* $OpenBSD: ts_conf.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -63,7 +63,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ts.h>
 
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
index 7e40101752..d497fed9d8 100644
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ b/src/lib/libcrypto/ts/ts_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_lib.c,v 1.15 2025/01/07 14:22:19 tb Exp $ */
+/* $OpenBSD: ts_lib.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -155,7 +155,7 @@ TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
 
         BIO_printf(bio, "Message data:\n");
         msg = TS_MSG_IMPRINT_get_msg(a);
-        BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg),
+        BIO_dump_indent(bio, (const char *)ASN1_STRING_get0_data(msg),
             ASN1_STRING_length(msg), 4);
 
         return 1;
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
index d679418060..fa3123863c 100644
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ b/src/lib/libcrypto/ts/ts_req_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_req_utils.c,v 1.9 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_req_utils.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 int
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index e3101340c5..b8cc7e2baf 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -60,11 +60,11 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
@@ -955,28 +955,32 @@ static int
 ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
 {
         ASN1_STRING *seq = NULL;
-        unsigned char *p, *pp = NULL;
-        int len;
+        unsigned char *data = NULL;
+        int len = 0;
+        int ret = 0;
 
-        len = i2d_ESS_SIGNING_CERT(sc, NULL);
-        if (!(pp = malloc(len))) {
-                TSerror(ERR_R_MALLOC_FAILURE);
+        if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) {
+                len = 0;
                 goto err;
         }
-        p = pp;
-        i2d_ESS_SIGNING_CERT(sc, &p);
-        if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
-                TSerror(ERR_R_MALLOC_FAILURE);
+
+        if ((seq = ASN1_STRING_new()) == NULL)
                 goto err;
-        }
-        free(pp);
-        pp = NULL;
-        return PKCS7_add_signed_attribute(si,
-            NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
 
-err:
+        ASN1_STRING_set0(seq, data, len);
+        data = NULL;
+        len = 0;
+
+        if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+
+        ret = 1;
+
+ err:
         ASN1_STRING_free(seq);
-        free(pp);
+        freezero(data, len);
 
-        return 0;
+        return ret;
 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
index 34994adce8..ecdb46773f 100644
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ b/src/lib/libcrypto/ts/ts_rsp_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_utils.c,v 1.11 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_rsp_utils.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 /* Function definitions. */
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 69236f68ab..e9a778bb88 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.30 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.32 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
@@ -667,7 +667,7 @@ TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
                 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
                 if (i > 0)
                         strlcat(result, "/", length);
-                strlcat(result, (const char *)ASN1_STRING_data(current), length);
+                strlcat(result, (const char *)ASN1_STRING_get0_data(current), length);
         }
         return result;
 }
@@ -771,7 +771,7 @@ TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
 
         /* Compare octet strings. */
         ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
-            memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
+            memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
 
 err:
         if (!ret)
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 5a2d95c680..b2b160c511 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.14 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2003.
  */
@@ -58,10 +58,10 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 TS_VERIFY_CTX *
@@ -215,7 +215,7 @@ TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
         ret->imprint_len = ASN1_STRING_length(msg);
         if (!(ret->imprint = malloc(ret->imprint_len)))
                 goto err;
-        memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
+        memcpy(ret->imprint, ASN1_STRING_get0_data(msg), ret->imprint_len);
 
         /* Setting nonce. */
         if ((nonce = TS_REQ_get_nonce(req)) != NULL) {