3 files changed, 25 insertions, 92 deletions
diff --git a/src/lib/libcrypto/asn1/asn1_local.h b/src/lib/libcrypto/asn1/asn1_local.h
index c1dfa6f68c..a8cc53221f 100644
--- a/src/lib/libcrypto/asn1/asn1_local.h
+++ b/src/lib/libcrypto/asn1/asn1_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_local.h,v 1.5 2023/12/29 10:59:00 tb Exp $ */
+/* $OpenBSD: asn1_local.h,v 1.6 2024/01/06 17:37:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -98,15 +98,6 @@ struct asn1_pctx_st {
 #define X509_CRL_METHOD_DYNAMIC         1
-struct x509_crl_method_st {
-        int flags;
-        int (*crl_init)(X509_CRL *crl);
-        int (*crl_free)(X509_CRL *crl);
-        int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
-            ASN1_INTEGER *ser, X509_NAME *issuer);
-        int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk);
-};
 int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
 int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index b33ae6e032..b58d88833c 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.41 2023/07/07 19:37:52 beck Exp $ */
+/* $OpenBSD: x_crl.c,v 1.42 2024/01/06 17:37:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -100,17 +100,6 @@ const ASN1_ITEM X509_REVOKED_it = {
        .sname = "X509_REVOKED",
 };
-static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r);
-static int def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret,
-    ASN1_INTEGER *serial, X509_NAME *issuer);
-static X509_CRL_METHOD int_crl_meth = {
-        .crl_lookup = def_crl_lookup,
-        .crl_verify = def_crl_verify
-};
-static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
 /* The X509_CRL_INFO structure needs a bit of customisation.
 * Since we cache the original encoding the signature wont be affected by
 * reordering of the revoked field.
@@ -280,8 +269,6 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                crl->flags = 0;
                crl->idp_flags = 0;
                crl->idp_reasons = CRLDP_ALL_REASONS;
-                crl->meth = default_crl_method;
-                crl->meth_data = NULL;
                crl->issuers = NULL;
                crl->crl_number = NULL;
                crl->base_crl_number = NULL;
@@ -335,18 +322,9 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                if (!crl_set_issuers(crl))
                        return 0;
-                if (crl->meth->crl_init) {
-                        if (crl->meth->crl_init(crl) == 0)
-                                return 0;
-                }
                break;
        case ASN1_OP_FREE_POST:
-                if (crl->meth->crl_free) {
-                        if (!crl->meth->crl_free(crl))
-                                rc = 0;
-                }
                if (crl->akid)
                        AUTHORITY_KEYID_free(crl->akid);
                if (crl->idp)
@@ -546,36 +524,10 @@ X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 }
 int
-X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r)
+X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
-{
-        if (crl->meth->crl_verify)
-                return crl->meth->crl_verify(crl, r);
-        return 0;
-}
-int
-X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,
-    ASN1_INTEGER *serial)
-{
-        if (crl->meth->crl_lookup)
-                return crl->meth->crl_lookup(crl, ret, serial, NULL);
-        return 0;
-}
-int
-X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
-{
-        if (crl->meth->crl_lookup)
-                return crl->meth->crl_lookup(crl, ret,
-                    X509_get_serialNumber(x), X509_get_issuer_name(x));
-        return 0;
-}
-static int
-def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-        return(ASN1_item_verify(&X509_CRL_INFO_it,
+        return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
-            crl->sig_alg, crl->signature, crl->crl, r));
+            crl->crl, pkey);
 }
 static int
@@ -606,16 +558,13 @@ crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, X509_REVOKED *rev)
 }
 static int
-def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
+crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
    X509_NAME *issuer)
 {
        X509_REVOKED rtmp, *rev;
        int idx;
        rtmp.serialNumber = serial;
-        /* Sort revoked into serial number order if not already sorted.
-         * Do this under a lock to avoid race condition.
-         */
        if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {
                CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
                sk_X509_REVOKED_sort(crl->crl->revoked);
@@ -640,13 +589,23 @@ def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
        return 0;
 }
+int
+X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,
+    ASN1_INTEGER *serial)
+{
+        return crl_lookup(crl, ret, serial, NULL);
+}
+int
+X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
+{
+        return crl_lookup(crl, ret, X509_get_serialNumber(x),
+            X509_get_issuer_name(x));
+}
 void
 X509_CRL_set_default_method(const X509_CRL_METHOD *meth)
 {
-        if (meth == NULL)
-                default_crl_method = &int_crl_meth;
-        else
-                default_crl_method = meth;
 }
 X509_CRL_METHOD *
@@ -656,40 +615,25 @@ X509_CRL_METHOD_new(int (*crl_init)(X509_CRL *crl),
    ASN1_INTEGER *ser, X509_NAME *issuer),
    int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk))
 {
-        X509_CRL_METHOD *m;
+        X509error(ERR_R_DISABLED);
+        return NULL;
-        if ((m = calloc(1, sizeof(X509_CRL_METHOD))) == NULL)
-                return NULL;
-        m->crl_init = crl_init;
-        m->crl_free = crl_free;
-        m->crl_lookup = crl_lookup;
-        m->crl_verify = crl_verify;
-        m->flags = X509_CRL_METHOD_DYNAMIC;
-        return m;
 }
 void
 X509_CRL_METHOD_free(X509_CRL_METHOD *m)
 {
-        if (m == NULL)
-                return;
-        if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
-                return;
-        free(m);
 }
 void
 X509_CRL_set_meth_data(X509_CRL *crl, void *dat)
 {
-        crl->meth_data = dat;
 }
 void *
 X509_CRL_get_meth_data(X509_CRL *crl)
 {
-        return crl->meth_data;
+        X509error(ERR_R_DISABLED);
+        return NULL;
 }
 int
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 6285370b2d..f62f5ad57d 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.17 2023/12/29 05:33:32 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.18 2024/01/06 17:37:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -224,8 +224,6 @@ struct X509_crl_st {
        ASN1_INTEGER *base_crl_number;
        unsigned char hash[X509_CRL_HASH_LEN];
        STACK_OF(GENERAL_NAMES) *issuers;
-        const X509_CRL_METHOD *meth;
-        void *meth_data;
 } /* X509_CRL */;
 struct pkcs8_priv_key_info_st {

diff --git a/src/lib/libcrypto/asn1/asn1_local.h b/src/lib/libcrypto/asn1/asn1_local.h index c1dfa6f68c..a8cc53221f 100644 --- a/src/lib/libcrypto/asn1/asn1_local.h +++ b/src/lib/libcrypto/asn1/asn1_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: asn1_local.h,v 1.5 2023/12/29 10:59:00 tb Exp $ */	1	/* $OpenBSD: asn1_local.h,v 1.6 2024/01/06 17:37:23 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -98,15 +98,6 @@ struct asn1_pctx_st {
98		98
99	#define X509_CRL_METHOD_DYNAMIC 1	99	#define X509_CRL_METHOD_DYNAMIC 1
100		100
101	struct x509_crl_method_st {
102	int flags;
103	int (crl_init)(X509_CRL crl);
104	int (crl_free)(X509_CRL crl);
105	int (crl_lookup)(X509_CRL crl, X509_REVOKED **ret,
106	ASN1_INTEGER ser, X509_NAME issuer);
107	int (crl_verify)(X509_CRL crl, EVP_PKEY *pk);
108	};
109
110	int asn1_get_choice_selector(ASN1_VALUE *pval, const ASN1_ITEM it);	101	int asn1_get_choice_selector(ASN1_VALUE *pval, const ASN1_ITEM it);
111	int asn1_set_choice_selector(ASN1_VALUE *pval, int value, const ASN1_ITEM it);	102	int asn1_set_choice_selector(ASN1_VALUE *pval, int value, const ASN1_ITEM it);
112		103


diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c index b33ae6e032..b58d88833c 100644 --- a/src/lib/libcrypto/asn1/x_crl.c +++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x_crl.c,v 1.41 2023/07/07 19:37:52 beck Exp $ */	1	/* $OpenBSD: x_crl.c,v 1.42 2024/01/06 17:37:23 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -100,17 +100,6 @@ const ASN1_ITEM X509_REVOKED_it = {
100	.sname = "X509_REVOKED",	100	.sname = "X509_REVOKED",
101	};	101	};
102		102
103	static int def_crl_verify(X509_CRL crl, EVP_PKEY r);
104	static int def_crl_lookup(X509_CRL crl, X509_REVOKED *ret,
105	ASN1_INTEGER serial, X509_NAME issuer);
106
107	static X509_CRL_METHOD int_crl_meth = {
108	.crl_lookup = def_crl_lookup,
109	.crl_verify = def_crl_verify
110	};
111
112	static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
113
114	/* The X509_CRL_INFO structure needs a bit of customisation.	103	/* The X509_CRL_INFO structure needs a bit of customisation.
115	* Since we cache the original encoding the signature wont be affected by	104	* Since we cache the original encoding the signature wont be affected by
116	* reordering of the revoked field.	105	* reordering of the revoked field.
@@ -280,8 +269,6 @@ crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)
280	crl->flags = 0;	269	crl->flags = 0;
281	crl->idp_flags = 0;	270	crl->idp_flags = 0;
282	crl->idp_reasons = CRLDP_ALL_REASONS;	271	crl->idp_reasons = CRLDP_ALL_REASONS;
283	crl->meth = default_crl_method;
284	crl->meth_data = NULL;
285	crl->issuers = NULL;	272	crl->issuers = NULL;
286	crl->crl_number = NULL;	273	crl->crl_number = NULL;
287	crl->base_crl_number = NULL;	274	crl->base_crl_number = NULL;
@@ -335,18 +322,9 @@ crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)
335		322
336	if (!crl_set_issuers(crl))	323	if (!crl_set_issuers(crl))
337	return 0;	324	return 0;
338
339	if (crl->meth->crl_init) {
340	if (crl->meth->crl_init(crl) == 0)
341	return 0;
342	}
343	break;	325	break;
344		326
345	case ASN1_OP_FREE_POST:	327	case ASN1_OP_FREE_POST:
346	if (crl->meth->crl_free) {
347	if (!crl->meth->crl_free(crl))
348	rc = 0;
349	}
350	if (crl->akid)	328	if (crl->akid)
351	AUTHORITY_KEYID_free(crl->akid);	329	AUTHORITY_KEYID_free(crl->akid);
352	if (crl->idp)	330	if (crl->idp)
@@ -546,36 +524,10 @@ X509_CRL_add0_revoked(X509_CRL crl, X509_REVOKED rev)
546	}	524	}
547		525
548	int	526	int
549	X509_CRL_verify(X509_CRL crl, EVP_PKEY r)	527	X509_CRL_verify(X509_CRL crl, EVP_PKEY pkey)
550	{
551	if (crl->meth->crl_verify)
552	return crl->meth->crl_verify(crl, r);
553	return 0;
554	}
555
556	int
557	X509_CRL_get0_by_serial(X509_CRL crl, X509_REVOKED *ret,
558	ASN1_INTEGER *serial)
559	{
560	if (crl->meth->crl_lookup)
561	return crl->meth->crl_lookup(crl, ret, serial, NULL);
562	return 0;
563	}
564
565	int
566	X509_CRL_get0_by_cert(X509_CRL crl, X509_REVOKED ret, X509 x)
567	{
568	if (crl->meth->crl_lookup)
569	return crl->meth->crl_lookup(crl, ret,
570	X509_get_serialNumber(x), X509_get_issuer_name(x));
571	return 0;
572	}
573
574	static int
575	def_crl_verify(X509_CRL crl, EVP_PKEY r)
576	{	528	{
577	return(ASN1_item_verify(&X509_CRL_INFO_it,	529	return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
578	crl->sig_alg, crl->signature, crl->crl, r));	530	crl->crl, pkey);
579	}	531	}
580		532
581	static int	533	static int
@@ -606,16 +558,13 @@ crl_revoked_issuer_match(X509_CRL crl, X509_NAME nm, X509_REVOKED *rev)
606	}	558	}
607		559
608	static int	560	static int
609	def_crl_lookup(X509_CRL crl, X509_REVOKED ret, ASN1_INTEGER serial,	561	crl_lookup(X509_CRL crl, X509_REVOKED ret, ASN1_INTEGER serial,
610	X509_NAME *issuer)	562	X509_NAME *issuer)
611	{	563	{
612	X509_REVOKED rtmp, *rev;	564	X509_REVOKED rtmp, *rev;
613	int idx;	565	int idx;
614		566
615	rtmp.serialNumber = serial;	567	rtmp.serialNumber = serial;
616	/* Sort revoked into serial number order if not already sorted.
617	* Do this under a lock to avoid race condition.
618	*/
619	if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {	568	if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {
620	CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);	569	CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
621	sk_X509_REVOKED_sort(crl->crl->revoked);	570	sk_X509_REVOKED_sort(crl->crl->revoked);
@@ -640,13 +589,23 @@ def_crl_lookup(X509_CRL crl, X509_REVOKED ret, ASN1_INTEGER serial,
640	return 0;	589	return 0;
641	}	590	}
642		591
		592	int
		593	X509_CRL_get0_by_serial(X509_CRL crl, X509_REVOKED *ret,
		594	ASN1_INTEGER *serial)
		595	{
		596	return crl_lookup(crl, ret, serial, NULL);
		597	}
		598
		599	int
		600	X509_CRL_get0_by_cert(X509_CRL crl, X509_REVOKED ret, X509 x)
		601	{
		602	return crl_lookup(crl, ret, X509_get_serialNumber(x),
		603	X509_get_issuer_name(x));
		604	}
		605
643	void	606	void
644	X509_CRL_set_default_method(const X509_CRL_METHOD *meth)	607	X509_CRL_set_default_method(const X509_CRL_METHOD *meth)
645	{	608	{
646	if (meth == NULL)
647	default_crl_method = &int_crl_meth;
648	else
649	default_crl_method = meth;
650	}	609	}
651		610
652	X509_CRL_METHOD *	611	X509_CRL_METHOD *
@@ -656,40 +615,25 @@ X509_CRL_METHOD_new(int (crl_init)(X509_CRL crl),
656	ASN1_INTEGER ser, X509_NAME issuer),	615	ASN1_INTEGER ser, X509_NAME issuer),
657	int (crl_verify)(X509_CRL crl, EVP_PKEY *pk))	616	int (crl_verify)(X509_CRL crl, EVP_PKEY *pk))
658	{	617	{
659	X509_CRL_METHOD *m;	618	X509error(ERR_R_DISABLED);
660		619	return NULL;
661	if ((m = calloc(1, sizeof(X509_CRL_METHOD))) == NULL)
662	return NULL;
663
664	m->crl_init = crl_init;
665	m->crl_free = crl_free;
666	m->crl_lookup = crl_lookup;
667	m->crl_verify = crl_verify;
668	m->flags = X509_CRL_METHOD_DYNAMIC;
669
670	return m;
671	}	620	}
672		621
673	void	622	void
674	X509_CRL_METHOD_free(X509_CRL_METHOD *m)	623	X509_CRL_METHOD_free(X509_CRL_METHOD *m)
675	{	624	{
676	if (m == NULL)
677	return;
678	if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
679	return;
680	free(m);
681	}	625	}
682		626
683	void	627	void
684	X509_CRL_set_meth_data(X509_CRL crl, void dat)	628	X509_CRL_set_meth_data(X509_CRL crl, void dat)
685	{	629	{
686	crl->meth_data = dat;
687	}	630	}
688		631
689	void *	632	void *
690	X509_CRL_get_meth_data(X509_CRL *crl)	633	X509_CRL_get_meth_data(X509_CRL *crl)
691	{	634	{
692	return crl->meth_data;	635	X509error(ERR_R_DISABLED);
		636	return NULL;
693	}	637	}
694		638
695	int	639	int


diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h index 6285370b2d..f62f5ad57d 100644 --- a/src/lib/libcrypto/x509/x509_local.h +++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_local.h,v 1.17 2023/12/29 05:33:32 tb Exp $ */	1	/* $OpenBSD: x509_local.h,v 1.18 2024/01/06 17:37:23 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2013.	3	* project 2013.
4	*/	4	*/
@@ -224,8 +224,6 @@ struct X509_crl_st {
224	ASN1_INTEGER *base_crl_number;	224	ASN1_INTEGER *base_crl_number;
225	unsigned char hash[X509_CRL_HASH_LEN];	225	unsigned char hash[X509_CRL_HASH_LEN];
226	STACK_OF(GENERAL_NAMES) *issuers;	226	STACK_OF(GENERAL_NAMES) *issuers;
227	const X509_CRL_METHOD *meth;
228	void *meth_data;
229	} /* X509_CRL */;	227	} /* X509_CRL */;
230		228
231	struct pkcs8_priv_key_info_st {	229	struct pkcs8_priv_key_info_st {