1 files changed, 35 insertions, 28 deletions
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 4b333e2a2d..19091b12aa 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.47 2025/03/12 04:58:04 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.56 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -61,12 +61,12 @@
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 /* X509_VERIFY_PARAM functions */
@@ -113,7 +113,7 @@ sk_OPENSSL_STRING_deep_copy(const STACK_OF(OPENSSL_STRING) *sk)
 }
 static int
-x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
+x509_param_set_hosts_internal(X509_VERIFY_PARAM *param, int mode,
    const char *name, size_t namelen)
 {
        char *copy;
@@ -126,9 +126,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
        if (name && memchr(name, '\0', namelen))
                return 0;
-        if (mode == SET_HOST && vpm->hosts) {
+        if (mode == SET_HOST && param->hosts) {
-                sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
+                sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
-                vpm->hosts = NULL;
+                param->hosts = NULL;
        }
        if (name == NULL || namelen == 0)
                return 1;
@@ -136,17 +136,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
        if (copy == NULL)
                return 0;
-        if (vpm->hosts == NULL &&
+        if (param->hosts == NULL &&
-            (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
+           (param->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
                free(copy);
                return 0;
        }
-        if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
+        if (!sk_OPENSSL_STRING_push(param->hosts, copy)) {
                free(copy);
-                if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
+                if (sk_OPENSSL_STRING_num(param->hosts) == 0) {
-                        sk_OPENSSL_STRING_free(vpm->hosts);
+                        sk_OPENSSL_STRING_free(param->hosts);
-                        vpm->hosts = NULL;
+                        param->hosts = NULL;
                }
                return 0;
        }
@@ -654,6 +654,8 @@ static const X509_VERIFY_PARAM default_table[] = {
        }
 };
+#define N_DEFAULT_VERIFY_PARAMS (sizeof(default_table) / sizeof(default_table[0]))
 static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
 static int
@@ -687,9 +689,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_table);
 int
 X509_VERIFY_PARAM_get_count(void)
 {
-        int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
+        int num = N_DEFAULT_VERIFY_PARAMS;
-        if (param_table)
+        if (param_table != NULL)
                num += sk_X509_VERIFY_PARAM_num(param_table);
        return num;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
@@ -697,9 +701,14 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
 const X509_VERIFY_PARAM *
 X509_VERIFY_PARAM_get0(int id)
 {
-        int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
+        int num = N_DEFAULT_VERIFY_PARAMS;
+        if (id < 0)
+                return NULL;
        if (id < num)
-                return default_table + id;
+                return &default_table[id];
        return sk_X509_VERIFY_PARAM_value(param_table, id - num);
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
@@ -707,22 +716,20 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
 const X509_VERIFY_PARAM *
 X509_VERIFY_PARAM_lookup(const char *name)
 {
-        X509_VERIFY_PARAM pm;
+        X509_VERIFY_PARAM param;
-        unsigned int i, limit;
+        size_t i;
+        int idx;
-        pm.name = (char *)name;
+        memset(&param, 0, sizeof(param));
-        if (param_table) {
+        param.name = (char *)name;
-                size_t idx;
+        if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &param)) != -1)
-                if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &pm)) != -1)
+                return sk_X509_VERIFY_PARAM_value(param_table, idx);
-                        return sk_X509_VERIFY_PARAM_value(param_table, idx);
-        }
-        limit = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
+        for (i = 0; i < N_DEFAULT_VERIFY_PARAMS; i++) {
-        for (i = 0; i < limit; i++) {
+                if (strcmp(default_table[i].name, name) == 0)
-                if (strcmp(default_table[i].name, name) == 0) {
                        return &default_table[i];
-                }
        }
        return NULL;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup);

diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c index 4b333e2a2d..19091b12aa 100644 --- a/src/lib/libcrypto/x509/x509_vpm.c +++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vpm.c,v 1.47 2025/03/12 04:58:04 tb Exp $ */	1	/* $OpenBSD: x509_vpm.c,v 1.56 2025/05/10 05:54:39 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2004.	3	* project 2004.
4	*/	4	*/
@@ -61,12 +61,12 @@
61		61
62	#include <openssl/buffer.h>	62	#include <openssl/buffer.h>
63	#include <openssl/crypto.h>	63	#include <openssl/crypto.h>
64	#include <openssl/err.h>
65	#include <openssl/lhash.h>	64	#include <openssl/lhash.h>
66	#include <openssl/stack.h>	65	#include <openssl/stack.h>
67	#include <openssl/x509.h>	66	#include <openssl/x509.h>
68	#include <openssl/x509v3.h>	67	#include <openssl/x509v3.h>
69		68
		69	#include "err_local.h"
70	#include "x509_local.h"	70	#include "x509_local.h"
71		71
72	/* X509_VERIFY_PARAM functions */	72	/* X509_VERIFY_PARAM functions */
@@ -113,7 +113,7 @@ sk_OPENSSL_STRING_deep_copy(const STACK_OF(OPENSSL_STRING) *sk)
113	}	113	}
114		114
115	static int	115	static int
116	x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,	116	x509_param_set_hosts_internal(X509_VERIFY_PARAM *param, int mode,
117	const char *name, size_t namelen)	117	const char *name, size_t namelen)
118	{	118	{
119	char *copy;	119	char *copy;
@@ -126,9 +126,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
126	if (name && memchr(name, '\0', namelen))	126	if (name && memchr(name, '\0', namelen))
127	return 0;	127	return 0;
128		128
129	if (mode == SET_HOST && vpm->hosts) {	129	if (mode == SET_HOST && param->hosts) {
130	sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);	130	sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
131	vpm->hosts = NULL;	131	param->hosts = NULL;
132	}	132	}
133	if (name == NULL \|\| namelen == 0)	133	if (name == NULL \|\| namelen == 0)
134	return 1;	134	return 1;
@@ -136,17 +136,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
136	if (copy == NULL)	136	if (copy == NULL)
137	return 0;	137	return 0;
138		138
139	if (vpm->hosts == NULL &&	139	if (param->hosts == NULL &&
140	(vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {	140	(param->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
141	free(copy);	141	free(copy);
142	return 0;	142	return 0;
143	}	143	}
144		144
145	if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {	145	if (!sk_OPENSSL_STRING_push(param->hosts, copy)) {
146	free(copy);	146	free(copy);
147	if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {	147	if (sk_OPENSSL_STRING_num(param->hosts) == 0) {
148	sk_OPENSSL_STRING_free(vpm->hosts);	148	sk_OPENSSL_STRING_free(param->hosts);
149	vpm->hosts = NULL;	149	param->hosts = NULL;
150	}	150	}
151	return 0;	151	return 0;
152	}	152	}
@@ -654,6 +654,8 @@ static const X509_VERIFY_PARAM default_table[] = {
654	}	654	}
655	};	655	};
656		656
		657	#define N_DEFAULT_VERIFY_PARAMS (sizeof(default_table) / sizeof(default_table[0]))
		658
657	static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;	659	static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
658		660
659	static int	661	static int
@@ -687,9 +689,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_table);
687	int	689	int
688	X509_VERIFY_PARAM_get_count(void)	690	X509_VERIFY_PARAM_get_count(void)
689	{	691	{
690	int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);	692	int num = N_DEFAULT_VERIFY_PARAMS;
691	if (param_table)	693
		694	if (param_table != NULL)
692	num += sk_X509_VERIFY_PARAM_num(param_table);	695	num += sk_X509_VERIFY_PARAM_num(param_table);
		696
693	return num;	697	return num;
694	}	698	}
695	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);	699	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
@@ -697,9 +701,14 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
697	const X509_VERIFY_PARAM *	701	const X509_VERIFY_PARAM *
698	X509_VERIFY_PARAM_get0(int id)	702	X509_VERIFY_PARAM_get0(int id)
699	{	703	{
700	int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);	704	int num = N_DEFAULT_VERIFY_PARAMS;
		705
		706	if (id < 0)
		707	return NULL;
		708
701	if (id < num)	709	if (id < num)
702	return default_table + id;	710	return &default_table[id];
		711
703	return sk_X509_VERIFY_PARAM_value(param_table, id - num);	712	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
704	}	713	}
705	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);	714	LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
@@ -707,22 +716,20 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
707	const X509_VERIFY_PARAM *	716	const X509_VERIFY_PARAM *
708	X509_VERIFY_PARAM_lookup(const char *name)	717	X509_VERIFY_PARAM_lookup(const char *name)
709	{	718	{
710	X509_VERIFY_PARAM pm;	719	X509_VERIFY_PARAM param;
711	unsigned int i, limit;	720	size_t i;
		721	int idx;
712		722
713	pm.name = (char *)name;	723	memset(&param, 0, sizeof(param));
714	if (param_table) {	724	param.name = (char *)name;
715	size_t idx;	725	if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &param)) != -1)
716	if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &pm)) != -1)	726	return sk_X509_VERIFY_PARAM_value(param_table, idx);
717	return sk_X509_VERIFY_PARAM_value(param_table, idx);
718	}
719		727
720	limit = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);	728	for (i = 0; i < N_DEFAULT_VERIFY_PARAMS; i++) {
721	for (i = 0; i < limit; i++) {	729	if (strcmp(default_table[i].name, name) == 0)
722	if (strcmp(default_table[i].name, name) == 0) {
723	return &default_table[i];	730	return &default_table[i];
724	}
725	}	731	}
		732
726	return NULL;	733	return NULL;
727	}	734	}
728	LCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup);	735	LCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup);