8 files changed, 15 insertions, 197 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index b51103712c..b0ab507983 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.240 2025/07/12 20:22:40 tb Exp $
+# $OpenBSD: Makefile,v 1.241 2025/07/16 15:59:26 tb Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -150,7 +150,6 @@ SRCS+= bss_conn.c
 SRCS+= bss_dgram.c
 SRCS+= bss_fd.c
 SRCS+= bss_file.c
-SRCS+= bss_log.c
 SRCS+= bss_mem.c
 SRCS+= bss_null.c
 SRCS+= bss_sock.c
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index e259430bbf..2aae617f0a 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -308,7 +308,6 @@ BIO_s_connect
 BIO_s_datagram
 BIO_s_fd
 BIO_s_file
-BIO_s_log
 BIO_s_mem
 BIO_s_null
 BIO_s_socket
@@ -1664,9 +1663,7 @@ PEM_ASN1_write_bio
 PEM_SignFinal
 PEM_SignInit
 PEM_SignUpdate
-PEM_X509_INFO_read
 PEM_X509_INFO_read_bio
-PEM_X509_INFO_write_bio
 PEM_bytes_read_bio
 PEM_def_callback
 PEM_dek_info
@@ -2474,8 +2471,6 @@ X509_OBJECT_idx_by_subject
 X509_OBJECT_new
 X509_OBJECT_retrieve_by_subject
 X509_OBJECT_retrieve_match
-X509_PKEY_free
-X509_PKEY_new
 X509_PUBKEY_free
 X509_PUBKEY_get
 X509_PUBKEY_get0
diff --git a/src/lib/libcrypto/hidden/openssl/bio.h b/src/lib/libcrypto/hidden/openssl/bio.h
index 03da75a795..69651cf3cb 100644
--- a/src/lib/libcrypto/hidden/openssl/bio.h
+++ b/src/lib/libcrypto/hidden/openssl/bio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio.h,v 1.8 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio.h,v 1.9 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -103,7 +103,6 @@ LCRYPTO_USED(BIO_s_socket);
 LCRYPTO_USED(BIO_s_connect);
 LCRYPTO_USED(BIO_s_accept);
 LCRYPTO_USED(BIO_s_fd);
-LCRYPTO_USED(BIO_s_log);
 LCRYPTO_USED(BIO_s_bio);
 LCRYPTO_USED(BIO_s_null);
 LCRYPTO_USED(BIO_f_null);
diff --git a/src/lib/libcrypto/hidden/openssl/pem.h b/src/lib/libcrypto/hidden/openssl/pem.h
index 5838f07f4d..233fd8859b 100644
--- a/src/lib/libcrypto/hidden/openssl/pem.h
+++ b/src/lib/libcrypto/hidden/openssl/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.2 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: pem.h,v 1.3 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -33,12 +33,10 @@ LCRYPTO_USED(PEM_bytes_read_bio);
 LCRYPTO_USED(PEM_ASN1_read_bio);
 LCRYPTO_USED(PEM_ASN1_write_bio);
 LCRYPTO_USED(PEM_X509_INFO_read_bio);
-LCRYPTO_USED(PEM_X509_INFO_write_bio);
 LCRYPTO_USED(PEM_read);
 LCRYPTO_USED(PEM_write);
 LCRYPTO_USED(PEM_ASN1_read);
 LCRYPTO_USED(PEM_ASN1_write);
-LCRYPTO_USED(PEM_X509_INFO_read);
 LCRYPTO_USED(PEM_SignInit);
 LCRYPTO_USED(PEM_SignUpdate);
 LCRYPTO_USED(PEM_SignFinal);
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index e6104cd451..5e78f7af97 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -401,8 +401,6 @@ LCRYPTO_USED(i2d_X509_CRL);
 LCRYPTO_USED(X509_CRL_add0_revoked);
 LCRYPTO_USED(X509_CRL_get0_by_serial);
 LCRYPTO_USED(X509_CRL_get0_by_cert);
-LCRYPTO_USED(X509_PKEY_new);
-LCRYPTO_USED(X509_PKEY_free);
 LCRYPTO_USED(NETSCAPE_SPKI_new);
 LCRYPTO_USED(NETSCAPE_SPKI_free);
 LCRYPTO_USED(d2i_NETSCAPE_SPKI);
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 4fdab48bb2..709e17308b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */
+/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -338,8 +338,6 @@ int	PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 STACK_OF(X509_INFO) *   PEM_X509_INFO_read_bio(BIO *bp,
            STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-int     PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-            unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 int     PEM_read(FILE *fp, char **name, char **header,
@@ -351,8 +349,6 @@ void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 int     PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
            void *x, const EVP_CIPHER *enc, unsigned char *kstr,
            int klen, pem_password_cb *callback, void *u);
-STACK_OF(X509_INFO) *   PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
-            pem_password_cb *cb, void *u);
 int    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
 int    PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index 4f2be892d1..26061f6f08 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.32 2025/07/12 20:22:40 tb Exp $ */
+/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -80,60 +80,25 @@
 X509_PKEY *
 X509_PKEY_new(void)
 {
-        X509_PKEY *ret = NULL;
+        X509_PKEY *x_pkey;
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
+        if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
+                return NULL;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
        }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
- err:
+        return x_pkey;
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
 }
-LCRYPTO_ALIAS(X509_PKEY_new);
 void
-X509_PKEY_free(X509_PKEY *x)
+X509_PKEY_free(X509_PKEY *x_pkey)
 {
-        int i;
+        if (x_pkey == NULL)
-        if (x == NULL)
                return;
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
+        EVP_PKEY_free(x_pkey->dec_pkey);
-        if (i > 0)
+        free(x_pkey);
-                return;
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
 }
-LCRYPTO_ALIAS(X509_PKEY_free);
 X509_INFO *
 X509_INFO_new(void)
@@ -169,24 +134,6 @@ X509_INFO_free(X509_INFO *x)
 LCRYPTO_ALIAS(X509_INFO_free);
 STACK_OF(X509_INFO) *
-PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
-    void *u)
-{
-        BIO *b;
-        STACK_OF(X509_INFO) *ret;
-        if ((b = BIO_new(BIO_s_file())) == NULL) {
-                PEMerror(ERR_R_BUF_LIB);
-                return (0);
-        }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
-        ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
-        BIO_free(b);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_read);
-STACK_OF(X509_INFO) *
 PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
    void *u)
 {
@@ -381,98 +328,3 @@ err:
        return ret;
 }
 LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
-/* A TJH addition */
-int
-PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-    unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        EVP_CIPHER_CTX ctx;
-        int i, ret = 0;
-        unsigned char *data = NULL;
-        const char *objstr = NULL;
-        char buf[PEM_BUFSIZE];
-        unsigned char *iv = NULL;
-        if (enc != NULL) {
-                objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-                if (objstr == NULL) {
-                        PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                        goto err;
-                }
-        }
-        /* now for the fun part ... if we have a private key then
-         * we have to be able to handle a not-yet-decrypted key
-         * being written out correctly ... if it is decrypted or
-         * it is non-encrypted then we use the base code
-         */
-        if (xi->x_pkey != NULL) {
-                if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
-                        if (enc == NULL) {
-                                PEMerror(PEM_R_CIPHER_IS_NULL);
-                                goto err;
-                        }
-                        /* copy from weirdo names into more normal things */
-                        iv = xi->enc_cipher.iv;
-                        data = (unsigned char *)xi->enc_data;
-                        i = xi->enc_len;
-                        /* we take the encryption data from the
-                         * internal stuff rather than what the
-                         * user has passed us ... as we have to
-                         * match exactly for some strange reason
-                         */
-                        objstr = OBJ_nid2sn(
-                            EVP_CIPHER_nid(xi->enc_cipher.cipher));
-                        if (objstr == NULL) {
-                                PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                                goto err;
-                        }
-                        /* create the right magic header stuff */
-                        if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
-                            sizeof buf) {
-                                PEMerror(ASN1_R_BUFFER_TOO_SMALL);
-                                goto err;
-                        }
-                        buf[0] = '\0';
-                        PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
-                        /* use the normal code to write things out */
-                        i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
-                        if (i <= 0)
-                                goto err;
-                } else {
-                        /* Add DSA/DH */
-#ifndef OPENSSL_NO_RSA
-                        /* normal optionally encrypted stuff */
-                        if (PEM_write_bio_RSAPrivateKey(bp,
-                            xi->x_pkey->dec_pkey->pkey.rsa,
-                            enc, kstr, klen, cb, u) <= 0)
-                                goto err;
-#endif
-                }
-        }
-        /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
-                goto err;
-        /* we are ignoring anything else that is loaded into the X509_INFO
-         * structure for the moment ... as I don't need it so I'm not
-         * coding it here and Eric can do it when this makes it into the
-         * base library --tjh
-         */
-        ret = 1;
-err:
-        explicit_bzero((char *)&ctx, sizeof(ctx));
-        explicit_bzero(buf, PEM_BUFSIZE);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e779dfb6a9..729a06d0ed 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.122 2025/07/01 06:35:16 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.123 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -245,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-        /* When decrypted, the following will not be NULL */
        EVP_PKEY *dec_pkey;
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-        int references;
 } X509_PKEY;
 #ifndef OPENSSL_NO_EVP
@@ -647,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile index b51103712c..b0ab507983 100644 --- a/src/lib/libcrypto/Makefile +++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.240 2025/07/12 20:22:40 tb Exp $	1	# $OpenBSD: Makefile,v 1.241 2025/07/16 15:59:26 tb Exp $
2		2
3	LIB= crypto	3	LIB= crypto
4	LIBREBUILD=y	4	LIBREBUILD=y
@@ -150,7 +150,6 @@ SRCS+= bss_conn.c
150	SRCS+= bss_dgram.c	150	SRCS+= bss_dgram.c
151	SRCS+= bss_fd.c	151	SRCS+= bss_fd.c
152	SRCS+= bss_file.c	152	SRCS+= bss_file.c
153	SRCS+= bss_log.c
154	SRCS+= bss_mem.c	153	SRCS+= bss_mem.c
155	SRCS+= bss_null.c	154	SRCS+= bss_null.c
156	SRCS+= bss_sock.c	155	SRCS+= bss_sock.c


diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list index e259430bbf..2aae617f0a 100644 --- a/src/lib/libcrypto/Symbols.list +++ b/src/lib/libcrypto/Symbols.list
@@ -308,7 +308,6 @@ BIO_s_connect
308	BIO_s_datagram	308	BIO_s_datagram
309	BIO_s_fd	309	BIO_s_fd
310	BIO_s_file	310	BIO_s_file
311	BIO_s_log
312	BIO_s_mem	311	BIO_s_mem
313	BIO_s_null	312	BIO_s_null
314	BIO_s_socket	313	BIO_s_socket
@@ -1664,9 +1663,7 @@ PEM_ASN1_write_bio
1664	PEM_SignFinal	1663	PEM_SignFinal
1665	PEM_SignInit	1664	PEM_SignInit
1666	PEM_SignUpdate	1665	PEM_SignUpdate
1667	PEM_X509_INFO_read
1668	PEM_X509_INFO_read_bio	1666	PEM_X509_INFO_read_bio
1669	PEM_X509_INFO_write_bio
1670	PEM_bytes_read_bio	1667	PEM_bytes_read_bio
1671	PEM_def_callback	1668	PEM_def_callback
1672	PEM_dek_info	1669	PEM_dek_info
@@ -2474,8 +2471,6 @@ X509_OBJECT_idx_by_subject
2474	X509_OBJECT_new	2471	X509_OBJECT_new
2475	X509_OBJECT_retrieve_by_subject	2472	X509_OBJECT_retrieve_by_subject
2476	X509_OBJECT_retrieve_match	2473	X509_OBJECT_retrieve_match
2477	X509_PKEY_free
2478	X509_PKEY_new
2479	X509_PUBKEY_free	2474	X509_PUBKEY_free
2480	X509_PUBKEY_get	2475	X509_PUBKEY_get
2481	X509_PUBKEY_get0	2476	X509_PUBKEY_get0


diff --git a/src/lib/libcrypto/hidden/openssl/bio.h b/src/lib/libcrypto/hidden/openssl/bio.h index 03da75a795..69651cf3cb 100644 --- a/src/lib/libcrypto/hidden/openssl/bio.h +++ b/src/lib/libcrypto/hidden/openssl/bio.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bio.h,v 1.8 2024/07/09 06:14:59 beck Exp $ */	1	/* $OpenBSD: bio.h,v 1.9 2025/07/16 15:59:26 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2023 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2023 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -103,7 +103,6 @@ LCRYPTO_USED(BIO_s_socket);
103	LCRYPTO_USED(BIO_s_connect);	103	LCRYPTO_USED(BIO_s_connect);
104	LCRYPTO_USED(BIO_s_accept);	104	LCRYPTO_USED(BIO_s_accept);
105	LCRYPTO_USED(BIO_s_fd);	105	LCRYPTO_USED(BIO_s_fd);
106	LCRYPTO_USED(BIO_s_log);
107	LCRYPTO_USED(BIO_s_bio);	106	LCRYPTO_USED(BIO_s_bio);
108	LCRYPTO_USED(BIO_s_null);	107	LCRYPTO_USED(BIO_s_null);
109	LCRYPTO_USED(BIO_f_null);	108	LCRYPTO_USED(BIO_f_null);


diff --git a/src/lib/libcrypto/hidden/openssl/pem.h b/src/lib/libcrypto/hidden/openssl/pem.h index 5838f07f4d..233fd8859b 100644 --- a/src/lib/libcrypto/hidden/openssl/pem.h +++ b/src/lib/libcrypto/hidden/openssl/pem.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem.h,v 1.2 2023/07/07 19:37:54 beck Exp $ */	1	/* $OpenBSD: pem.h,v 1.3 2025/07/16 15:59:26 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2023 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2023 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -33,12 +33,10 @@ LCRYPTO_USED(PEM_bytes_read_bio);
33	LCRYPTO_USED(PEM_ASN1_read_bio);	33	LCRYPTO_USED(PEM_ASN1_read_bio);
34	LCRYPTO_USED(PEM_ASN1_write_bio);	34	LCRYPTO_USED(PEM_ASN1_write_bio);
35	LCRYPTO_USED(PEM_X509_INFO_read_bio);	35	LCRYPTO_USED(PEM_X509_INFO_read_bio);
36	LCRYPTO_USED(PEM_X509_INFO_write_bio);
37	LCRYPTO_USED(PEM_read);	36	LCRYPTO_USED(PEM_read);
38	LCRYPTO_USED(PEM_write);	37	LCRYPTO_USED(PEM_write);
39	LCRYPTO_USED(PEM_ASN1_read);	38	LCRYPTO_USED(PEM_ASN1_read);
40	LCRYPTO_USED(PEM_ASN1_write);	39	LCRYPTO_USED(PEM_ASN1_write);
41	LCRYPTO_USED(PEM_X509_INFO_read);
42	LCRYPTO_USED(PEM_SignInit);	40	LCRYPTO_USED(PEM_SignInit);
43	LCRYPTO_USED(PEM_SignUpdate);	41	LCRYPTO_USED(PEM_SignUpdate);
44	LCRYPTO_USED(PEM_SignFinal);	42	LCRYPTO_USED(PEM_SignFinal);


diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h index e6104cd451..5e78f7af97 100644 --- a/src/lib/libcrypto/hidden/openssl/x509.h +++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509.h,v 1.15 2025/03/09 15:17:22 tb Exp $ */	1	/* $OpenBSD: x509.h,v 1.16 2025/07/16 15:59:26 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2022 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2022 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -401,8 +401,6 @@ LCRYPTO_USED(i2d_X509_CRL);
401	LCRYPTO_USED(X509_CRL_add0_revoked);	401	LCRYPTO_USED(X509_CRL_add0_revoked);
402	LCRYPTO_USED(X509_CRL_get0_by_serial);	402	LCRYPTO_USED(X509_CRL_get0_by_serial);
403	LCRYPTO_USED(X509_CRL_get0_by_cert);	403	LCRYPTO_USED(X509_CRL_get0_by_cert);
404	LCRYPTO_USED(X509_PKEY_new);
405	LCRYPTO_USED(X509_PKEY_free);
406	LCRYPTO_USED(NETSCAPE_SPKI_new);	404	LCRYPTO_USED(NETSCAPE_SPKI_new);
407	LCRYPTO_USED(NETSCAPE_SPKI_free);	405	LCRYPTO_USED(NETSCAPE_SPKI_free);
408	LCRYPTO_USED(d2i_NETSCAPE_SPKI);	406	LCRYPTO_USED(d2i_NETSCAPE_SPKI);


diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h index 4fdab48bb2..709e17308b 100644 --- a/src/lib/libcrypto/pem/pem.h +++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */	1	/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -338,8 +338,6 @@ int PEM_ASN1_write_bio(i2d_of_void i2d, const char name, BIO bp, void x,
338		338
339	STACK_OF(X509_INFO) * PEM_X509_INFO_read_bio(BIO *bp,	339	STACK_OF(X509_INFO) * PEM_X509_INFO_read_bio(BIO *bp,
340	STACK_OF(X509_INFO) sk, pem_password_cb cb, void *u);	340	STACK_OF(X509_INFO) sk, pem_password_cb cb, void *u);
341	int PEM_X509_INFO_write_bio(BIO bp, X509_INFO xi, EVP_CIPHER *enc,
342	unsigned char kstr, int klen, pem_password_cb cd, void *u);
343	#endif	341	#endif
344		342
345	int PEM_read(FILE fp, char name, char *header,	343	int PEM_read(FILE fp, char name, char *header,
@@ -351,8 +349,6 @@ void * PEM_ASN1_read(d2i_of_void d2i, const char name, FILE fp, void *x,
351	int PEM_ASN1_write(i2d_of_void i2d, const char name, FILE *fp,	349	int PEM_ASN1_write(i2d_of_void i2d, const char name, FILE *fp,
352	void x, const EVP_CIPHER enc, unsigned char *kstr,	350	void x, const EVP_CIPHER enc, unsigned char *kstr,
353	int klen, pem_password_cb callback, void u);	351	int klen, pem_password_cb callback, void u);
354	STACK_OF(X509_INFO) * PEM_X509_INFO_read(FILE fp, STACK_OF(X509_INFO) sk,
355	pem_password_cb cb, void u);
356		352
357	int PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type);	353	int PEM_SignInit(EVP_MD_CTX ctx, EVP_MD type);
358	int PEM_SignUpdate(EVP_MD_CTX ctx, unsigned char d, unsigned int cnt);	354	int PEM_SignUpdate(EVP_MD_CTX ctx, unsigned char d, unsigned int cnt);


diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c index 4f2be892d1..26061f6f08 100644 --- a/src/lib/libcrypto/pem/pem_info.c +++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pem_info.c,v 1.32 2025/07/12 20:22:40 tb Exp $ */	1	/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -80,60 +80,25 @@
80	X509_PKEY *	80	X509_PKEY *
81	X509_PKEY_new(void)	81	X509_PKEY_new(void)
82	{	82	{
83	X509_PKEY *ret = NULL;	83	X509_PKEY *x_pkey;
84		84
85	if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {	85	if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
86	ASN1error(ERR_R_MALLOC_FAILURE);	86	ASN1error(ERR_R_MALLOC_FAILURE);
87	goto err;	87	return NULL;
88	}
89	ret->version = 0;
90	if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
91	ASN1error(ERR_R_MALLOC_FAILURE);
92	goto err;
93	}
94	if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
95	ASN1error(ERR_R_MALLOC_FAILURE);
96	goto err;
97	}	88	}
98	ret->dec_pkey = NULL;
99	ret->key_length = 0;
100	ret->key_data = NULL;
101	ret->key_free = 0;
102	ret->cipher.cipher = NULL;
103	memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
104	ret->references = 1;
105	return (ret);
106		89
107	err:	90	return x_pkey;
108	if (ret) {
109	X509_ALGOR_free(ret->enc_algor);
110	free(ret);
111	}
112	return NULL;
113	}	91	}
114	LCRYPTO_ALIAS(X509_PKEY_new);
115		92
116	void	93	void
117	X509_PKEY_free(X509_PKEY *x)	94	X509_PKEY_free(X509_PKEY *x_pkey)
118	{	95	{
119	int i;	96	if (x_pkey == NULL)
120
121	if (x == NULL)
122	return;	97	return;
123		98
124	i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);	99	EVP_PKEY_free(x_pkey->dec_pkey);
125	if (i > 0)	100	free(x_pkey);
126	return;
127
128	if (x->enc_algor != NULL)
129	X509_ALGOR_free(x->enc_algor);
130	ASN1_OCTET_STRING_free(x->enc_pkey);
131	EVP_PKEY_free(x->dec_pkey);
132	if ((x->key_data != NULL) && (x->key_free))
133	free(x->key_data);
134	free(x);
135	}	101	}
136	LCRYPTO_ALIAS(X509_PKEY_free);
137		102
138	X509_INFO *	103	X509_INFO *
139	X509_INFO_new(void)	104	X509_INFO_new(void)
@@ -169,24 +134,6 @@ X509_INFO_free(X509_INFO *x)
169	LCRYPTO_ALIAS(X509_INFO_free);	134	LCRYPTO_ALIAS(X509_INFO_free);
170		135
171	STACK_OF(X509_INFO) *	136	STACK_OF(X509_INFO) *
172	PEM_X509_INFO_read(FILE fp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,
173	void *u)
174	{
175	BIO *b;
176	STACK_OF(X509_INFO) *ret;
177
178	if ((b = BIO_new(BIO_s_file())) == NULL) {
179	PEMerror(ERR_R_BUF_LIB);
180	return (0);
181	}
182	BIO_set_fp(b, fp, BIO_NOCLOSE);
183	ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
184	BIO_free(b);
185	return (ret);
186	}
187	LCRYPTO_ALIAS(PEM_X509_INFO_read);
188
189	STACK_OF(X509_INFO) *
190	PEM_X509_INFO_read_bio(BIO bp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,	137	PEM_X509_INFO_read_bio(BIO bp, STACK_OF(X509_INFO) sk, pem_password_cb *cb,
191	void *u)	138	void *u)
192	{	139	{
@@ -381,98 +328,3 @@ err:
381	return ret;	328	return ret;
382	}	329	}
383	LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);	330	LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
384
385
386	/* A TJH addition */
387	int
388	PEM_X509_INFO_write_bio(BIO bp, X509_INFO xi, EVP_CIPHER *enc,
389	unsigned char kstr, int klen, pem_password_cb cb, void *u)
390	{
391	EVP_CIPHER_CTX ctx;
392	int i, ret = 0;
393	unsigned char *data = NULL;
394	const char *objstr = NULL;
395	char buf[PEM_BUFSIZE];
396	unsigned char *iv = NULL;
397
398	if (enc != NULL) {
399	objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
400	if (objstr == NULL) {
401	PEMerror(PEM_R_UNSUPPORTED_CIPHER);
402	goto err;
403	}
404	}
405
406	/* now for the fun part ... if we have a private key then
407	* we have to be able to handle a not-yet-decrypted key
408	* being written out correctly ... if it is decrypted or
409	* it is non-encrypted then we use the base code
410	*/
411	if (xi->x_pkey != NULL) {
412	if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
413	if (enc == NULL) {
414	PEMerror(PEM_R_CIPHER_IS_NULL);
415	goto err;
416	}
417
418	/* copy from weirdo names into more normal things */
419	iv = xi->enc_cipher.iv;
420	data = (unsigned char *)xi->enc_data;
421	i = xi->enc_len;
422
423	/* we take the encryption data from the
424	* internal stuff rather than what the
425	* user has passed us ... as we have to
426	* match exactly for some strange reason
427	*/
428	objstr = OBJ_nid2sn(
429	EVP_CIPHER_nid(xi->enc_cipher.cipher));
430	if (objstr == NULL) {
431	PEMerror(PEM_R_UNSUPPORTED_CIPHER);
432	goto err;
433	}
434
435	/* create the right magic header stuff */
436	if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
437	sizeof buf) {
438	PEMerror(ASN1_R_BUFFER_TOO_SMALL);
439	goto err;
440	}
441	buf[0] = '\0';
442	PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
443	PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
444
445	/* use the normal code to write things out */
446	i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
447	if (i <= 0)
448	goto err;
449	} else {
450	/* Add DSA/DH */
451	#ifndef OPENSSL_NO_RSA
452	/* normal optionally encrypted stuff */
453	if (PEM_write_bio_RSAPrivateKey(bp,
454	xi->x_pkey->dec_pkey->pkey.rsa,
455	enc, kstr, klen, cb, u) <= 0)
456	goto err;
457	#endif
458	}
459	}
460
461	/* if we have a certificate then write it out now */
462	if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
463	goto err;
464
465	/* we are ignoring anything else that is loaded into the X509_INFO
466	* structure for the moment ... as I don't need it so I'm not
467	* coding it here and Eric can do it when this makes it into the
468	* base library --tjh
469	*/
470
471	ret = 1;
472
473	err:
474	explicit_bzero((char *)&ctx, sizeof(ctx));
475	explicit_bzero(buf, PEM_BUFSIZE);
476	return (ret);
477	}
478	LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);


diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h index e779dfb6a9..729a06d0ed 100644 --- a/src/lib/libcrypto/x509/x509.h +++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509.h,v 1.122 2025/07/01 06:35:16 tb Exp $ */	1	/* $OpenBSD: x509.h,v 1.123 2025/07/16 15:59:26 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -245,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
245	DECLARE_STACK_OF(X509_CRL)	245	DECLARE_STACK_OF(X509_CRL)
246		246
247	typedef struct private_key_st {	247	typedef struct private_key_st {
248	int version;
249	/* The PKCS#8 data types */
250	X509_ALGOR *enc_algor;
251	ASN1_OCTET_STRING enc_pkey; / encrypted pub key */
252
253	/* When decrypted, the following will not be NULL */
254	EVP_PKEY *dec_pkey;	248	EVP_PKEY *dec_pkey;
255
256	/* used to encrypt and decrypt */
257	int key_length;
258	char *key_data;
259	int key_free; /* true if we should auto free key_data */
260
261	/* expanded version of 'enc_algor' */
262	EVP_CIPHER_INFO cipher;
263
264	int references;
265	} X509_PKEY;	249	} X509_PKEY;
266		250
267	#ifndef OPENSSL_NO_EVP	251	#ifndef OPENSSL_NO_EVP
@@ -647,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
647	X509_REVOKED *ret, ASN1_INTEGER serial);	631	X509_REVOKED *ret, ASN1_INTEGER serial);
648	int X509_CRL_get0_by_cert(X509_CRL crl, X509_REVOKED ret, X509 x);	632	int X509_CRL_get0_by_cert(X509_CRL crl, X509_REVOKED ret, X509 x);
649		633
650	X509_PKEY * X509_PKEY_new(void );
651	void X509_PKEY_free(X509_PKEY *a);
652
653	NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);	634	NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
654	void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);	635	void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
655	NETSCAPE_SPKI d2i_NETSCAPE_SPKI(NETSCAPE_SPKI a, const unsigned char *in, long len);	636	NETSCAPE_SPKI d2i_NETSCAPE_SPKI(NETSCAPE_SPKI a, const unsigned char *in, long len);