diff options
Diffstat (limited to 'lib')
72 files changed, 521 insertions, 451 deletions
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile index f626c16e91f..3f4014409d1 100644 --- a/lib/libcrypto/Makefile +++ b/lib/libcrypto/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.48 2021/10/31 16:51:16 tb Exp $ +# $OpenBSD: Makefile,v 1.49 2021/11/01 20:53:08 tb Exp $ LIB= crypto LIBREBUILD=y @@ -18,7 +18,7 @@ CFLAGS+= -Wall -Wundef .if ${COMPILER_VERSION:L} == "clang" CFLAGS+= -Werror .endif -CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL +CFLAGS+= -DLIBRESSL_INTERNAL .if !defined(NOPIC) CFLAGS+= -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_FUNOPEN @@ -29,7 +29,7 @@ CFLAGS+= -DOPENSSL_NO_HW_PADLOCK # XXX enable this? CFLAGS+= -I${LCRYPTO_SRC} CFLAGS+= -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/bn -I${LCRYPTO_SRC}/evp -CFLAGS+= -I${LCRYPTO_SRC}/modes +CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/x509 # XXX FIXME ecdsa and ec should be merged CFLAGS+= -I${LCRYPTO_SRC}/ecdsa diff --git a/lib/libcrypto/asn1/a_strex.c b/lib/libcrypto/asn1/a_strex.c index 4e3deccfdaf..3b66ea8d36d 100644 --- a/lib/libcrypto/asn1/a_strex.c +++ b/lib/libcrypto/asn1/a_strex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_strex.c,v 1.28 2018/05/19 10:46:28 tb Exp $ */ +/* $OpenBSD: a_strex.c,v 1.29 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -513,7 +513,7 @@ do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent, else ent = X509_NAME_get_entry(n, i); if (prev != -1) { - if (prev == ent->set) { + if (prev == X509_NAME_ENTRY_set(ent)) { if (!io_ch(arg, sep_mv, sep_mv_len)) return -1; outlen += sep_mv_len; @@ -526,7 +526,7 @@ do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent, outlen += indent; } } - prev = ent->set; + prev = X509_NAME_ENTRY_set(ent); fn = X509_NAME_ENTRY_get_object(ent); val = X509_NAME_ENTRY_get_data(ent); fn_nid = OBJ_obj2nid(fn); diff --git a/lib/libcrypto/asn1/n_pkey.c b/lib/libcrypto/asn1/n_pkey.c index 6c7031677df..89adcd5b116 100644 --- a/lib/libcrypto/asn1/n_pkey.c +++ b/lib/libcrypto/asn1/n_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: n_pkey.c,v 1.32 2018/08/05 13:35:45 bcook Exp $ */ +/* $OpenBSD: n_pkey.c,v 1.33 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,6 +69,8 @@ #include <openssl/rsa.h> #include <openssl/x509.h> +#include "x509_lcl.h" + #ifndef OPENSSL_NO_RC4 typedef struct netscape_pkey_st { diff --git a/lib/libcrypto/asn1/p8_pkey.c b/lib/libcrypto/asn1/p8_pkey.c index d2f8e6b0557..18659a6f40e 100644 --- a/lib/libcrypto/asn1/p8_pkey.c +++ b/lib/libcrypto/asn1/p8_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p8_pkey.c,v 1.19 2018/08/24 20:17:33 tb Exp $ */ +/* $OpenBSD: p8_pkey.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> +#include "x509_lcl.h" + /* Minor tweak to operation: zero private key data */ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) diff --git a/lib/libcrypto/asn1/t_crl.c b/lib/libcrypto/asn1/t_crl.c index 057b8fe3118..b7f94a86447 100644 --- a/lib/libcrypto/asn1/t_crl.c +++ b/lib/libcrypto/asn1/t_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_crl.c,v 1.18 2019/05/12 15:56:31 tb Exp $ */ +/* $OpenBSD: t_crl.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -66,6 +66,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + int X509_CRL_print_fp(FILE *fp, X509_CRL *x) { diff --git a/lib/libcrypto/asn1/t_req.c b/lib/libcrypto/asn1/t_req.c index a9b14fed73d..320eaff9c00 100644 --- a/lib/libcrypto/asn1/t_req.c +++ b/lib/libcrypto/asn1/t_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_req.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: t_req.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,6 +74,8 @@ #include <openssl/rsa.h> #endif +#include "x509_lcl.h" + int X509_REQ_print_fp(FILE *fp, X509_REQ *x) { diff --git a/lib/libcrypto/asn1/t_spki.c b/lib/libcrypto/asn1/t_spki.c index 7f1ed129cfc..56c0956ceb3 100644 --- a/lib/libcrypto/asn1/t_spki.c +++ b/lib/libcrypto/asn1/t_spki.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_spki.c,v 1.12 2021/08/24 15:23:03 tb Exp $ */ +/* $OpenBSD: t_spki.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -71,6 +71,8 @@ #include <openssl/rsa.h> #endif +#include "x509_lcl.h" + /* Print out an SPKI */ int diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c index 42b00a729aa..d1655a17850 100644 --- a/lib/libcrypto/asn1/t_x509.c +++ b/lib/libcrypto/asn1/t_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509.c,v 1.34 2021/07/26 16:54:20 tb Exp $ */ +/* $OpenBSD: t_x509.c,v 1.35 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -78,6 +78,7 @@ #endif #include "asn1_locl.h" +#include "x509_lcl.h" int X509_print_fp(FILE *fp, X509 *x) diff --git a/lib/libcrypto/asn1/t_x509a.c b/lib/libcrypto/asn1/t_x509a.c index b0346fa6813..6745318b9c2 100644 --- a/lib/libcrypto/asn1/t_x509a.c +++ b/lib/libcrypto/asn1/t_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509a.c,v 1.9 2021/07/10 17:45:16 schwarze Exp $ */ +/* $OpenBSD: t_x509a.c,v 1.10 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,8 +62,9 @@ #include <openssl/evp.h> #include <openssl/x509.h> -/* X509_CERT_AUX and string set routines - */ +#include "x509_lcl.h" + +/* X509_CERT_AUX and string set routines */ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) diff --git a/lib/libcrypto/asn1/x_attrib.c b/lib/libcrypto/asn1/x_attrib.c index 04816eab770..a40edc1f1d2 100644 --- a/lib/libcrypto/asn1/x_attrib.c +++ b/lib/libcrypto/asn1/x_attrib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */ +/* $OpenBSD: x_attrib.c,v 1.15 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,6 +62,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + /* X509_ATTRIBUTE: this has the following form: * * typedef struct x509_attributes_st diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c index bc1783dbfbc..bfc01a22848 100644 --- a/lib/libcrypto/asn1/x_crl.c +++ b/lib/libcrypto/asn1/x_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_crl.c,v 1.34 2019/03/13 20:34:00 tb Exp $ */ +/* $OpenBSD: x_crl.c,v 1.35 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,7 @@ #include <openssl/x509v3.h> #include "asn1_locl.h" +#include "x509_lcl.h" static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b); diff --git a/lib/libcrypto/asn1/x_exten.c b/lib/libcrypto/asn1/x_exten.c index bb3dffc8218..aba8973632d 100644 --- a/lib/libcrypto/asn1/x_exten.c +++ b/lib/libcrypto/asn1/x_exten.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_exten.c,v 1.16 2015/07/24 15:09:52 jsing Exp $ */ +/* $OpenBSD: x_exten.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,6 +61,8 @@ #include <openssl/asn1.h> #include <openssl/asn1t.h> +#include "x509_lcl.h" + static const ASN1_TEMPLATE X509_EXTENSION_seq_tt[] = { { .offset = offsetof(X509_EXTENSION, object), diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c index 0961ee33ebb..4563a513483 100644 --- a/lib/libcrypto/asn1/x_name.c +++ b/lib/libcrypto/asn1/x_name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_name.c,v 1.35 2021/07/04 11:38:37 schwarze Exp $ */ +/* $OpenBSD: x_name.c,v 1.36 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,7 @@ #include <openssl/x509.h> #include "asn1_locl.h" +#include "x509_lcl.h" typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) diff --git a/lib/libcrypto/asn1/x_pubkey.c b/lib/libcrypto/asn1/x_pubkey.c index ea67419cb20..cb16d03301d 100644 --- a/lib/libcrypto/asn1/x_pubkey.c +++ b/lib/libcrypto/asn1/x_pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_pubkey.c,v 1.27 2018/03/17 14:55:39 jsing Exp $ */ +/* $OpenBSD: x_pubkey.c,v 1.28 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -72,6 +72,7 @@ #endif #include "asn1_locl.h" +#include "x509_lcl.h" /* Minor tweak to operation: free up EVP_PKEY */ static int diff --git a/lib/libcrypto/asn1/x_req.c b/lib/libcrypto/asn1/x_req.c index eb5210aef6c..38e3790bf4e 100644 --- a/lib/libcrypto/asn1/x_req.c +++ b/lib/libcrypto/asn1/x_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_req.c,v 1.17 2018/02/22 16:50:30 jsing Exp $ */ +/* $OpenBSD: x_req.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,6 +61,8 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> +#include "x509_lcl.h" + /* X509_REQ_INFO is handled in an unusual way to get round * invalid encodings. Some broken certificate requests don't * encode the attributes field if it is empty. This is in diff --git a/lib/libcrypto/asn1/x_sig.c b/lib/libcrypto/asn1/x_sig.c index dc3af45f6d1..6a842da5f0e 100644 --- a/lib/libcrypto/asn1/x_sig.c +++ b/lib/libcrypto/asn1/x_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_sig.c,v 1.12 2021/10/23 11:41:50 tb Exp $ */ +/* $OpenBSD: x_sig.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,6 +61,8 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> +#include "x509_lcl.h" + static const ASN1_TEMPLATE X509_SIG_seq_tt[] = { { .offset = offsetof(X509_SIG, algor), diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c index ebe09a6099f..713ffbbb11e 100644 --- a/lib/libcrypto/asn1/x_x509.c +++ b/lib/libcrypto/asn1/x_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509.c,v 1.28 2021/10/23 11:56:10 tb Exp $ */ +/* $OpenBSD: x_x509.c,v 1.29 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static const ASN1_AUX X509_CINF_aux = { .flags = ASN1_AFLG_ENCODING, .enc_offset = offsetof(X509_CINF, enc), diff --git a/lib/libcrypto/asn1/x_x509a.c b/lib/libcrypto/asn1/x_x509a.c index d5364cb07ba..572178157a6 100644 --- a/lib/libcrypto/asn1/x_x509a.c +++ b/lib/libcrypto/asn1/x_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509a.c,v 1.16 2021/10/31 16:28:50 tb Exp $ */ +/* $OpenBSD: x_x509a.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include <openssl/evp.h> #include <openssl/x509.h> +#include "x509_lcl.h" + /* X509_CERT_AUX routines. These are used to encode additional * user modifiable data about a certificate. This data is * appended to the X509 encoding when the *_X509_AUX routines diff --git a/lib/libcrypto/cms/cms_lib.c b/lib/libcrypto/cms/cms_lib.c index b6580dd6f5f..21adef7aec3 100644 --- a/lib/libcrypto/cms/cms_lib.c +++ b/lib/libcrypto/cms/cms_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_lib.c,v 1.14 2019/08/12 18:13:13 jsing Exp $ */ +/* $OpenBSD: cms_lib.c,v 1.15 2021/11/01 20:53:08 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -59,8 +59,9 @@ #include <openssl/bio.h> #include <openssl/asn1.h> #include <openssl/cms.h> -#include "cms_lcl.h" +#include "cms_lcl.h" +#include "x509_lcl.h" CMS_ContentInfo * d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len) diff --git a/lib/libcrypto/ocsp/ocsp_cl.c b/lib/libcrypto/ocsp/ocsp_cl.c index 677a1b35ddd..da4b5ad04c1 100644 --- a/lib/libcrypto/ocsp/ocsp_cl.c +++ b/lib/libcrypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.18 2021/10/24 13:50:14 tb Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL * project. */ @@ -136,7 +136,7 @@ OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) if (!sk_X509_push(sig->certs, cert)) return 0; - CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(cert); return 1; } diff --git a/lib/libcrypto/ocsp/ocsp_ext.c b/lib/libcrypto/ocsp/ocsp_ext.c index eb51cfbff5a..c48843492dc 100644 --- a/lib/libcrypto/ocsp/ocsp_ext.c +++ b/lib/libcrypto/ocsp/ocsp_ext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_ext.c,v 1.18 2018/05/14 23:47:10 tb Exp $ */ +/* $OpenBSD: ocsp_ext.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL * project. */ @@ -70,6 +70,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + /* Standard wrapper functions for extensions */ /* OCSP request extensions */ diff --git a/lib/libcrypto/ocsp/ocsp_srv.c b/lib/libcrypto/ocsp/ocsp_srv.c index a9e0aaab2f1..5c9ac4d807e 100644 --- a/lib/libcrypto/ocsp/ocsp_srv.c +++ b/lib/libcrypto/ocsp/ocsp_srv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_srv.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ocsp_srv.c,v 1.11 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -213,7 +213,7 @@ OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) if (!sk_X509_push(resp->certs, cert)) return 0; - CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(cert); return 1; } diff --git a/lib/libcrypto/ocsp/ocsp_vfy.c b/lib/libcrypto/ocsp/ocsp_vfy.c index e92b5d73262..67d45605ffe 100644 --- a/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/lib/libcrypto/ocsp/ocsp_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_vfy.c,v 1.16 2021/10/24 13:50:14 tb Exp $ */ +/* $OpenBSD: ocsp_vfy.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -60,6 +60,8 @@ #include <openssl/err.h> #include <string.h> +#include "x509_lcl.h" + static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); diff --git a/lib/libcrypto/opensslfeatures.h b/lib/libcrypto/opensslfeatures.h index f16e25e782f..49a5f15b597 100644 --- a/lib/libcrypto/opensslfeatures.h +++ b/lib/libcrypto/opensslfeatures.h @@ -6,8 +6,6 @@ #define LIBRESSL_HAS_TLS1_3 #define LIBRESSL_HAS_DTLS1_2 -#define LIBRESSL_OPAQUE_X509 - #define OPENSSL_THREADS #define OPENSSL_NO_BUF_FREELISTS diff --git a/lib/libcrypto/ossl_typ.h b/lib/libcrypto/ossl_typ.h index 234fdca1ea8..99f120644f3 100644 --- a/lib/libcrypto/ossl_typ.h +++ b/lib/libcrypto/ossl_typ.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ossl_typ.h,v 1.13 2015/09/30 04:10:07 doug Exp $ */ +/* $OpenBSD: ossl_typ.h,v 1.14 2021/11/01 20:53:08 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * @@ -127,6 +127,11 @@ typedef struct X509_pubkey_st X509_PUBKEY; typedef struct x509_store_st X509_STORE; typedef struct x509_store_ctx_st X509_STORE_CTX; +typedef struct x509_object_st X509_OBJECT; +typedef struct x509_lookup_st X509_LOOKUP; +typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; +typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM; + typedef struct pkcs8_priv_key_info_st PKCS8_PRIV_KEY_INFO; typedef struct v3_ext_ctx X509V3_CTX; diff --git a/lib/libcrypto/pkcs12/p12_attr.c b/lib/libcrypto/pkcs12/p12_attr.c index e8e340a2e2a..dc38b7c897c 100644 --- a/lib/libcrypto/pkcs12/p12_attr.c +++ b/lib/libcrypto/pkcs12/p12_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_attr.c,v 1.13 2021/07/09 14:07:59 tb Exp $ */ +/* $OpenBSD: p12_attr.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -60,6 +60,8 @@ #include <openssl/pkcs12.h> +#include "x509_lcl.h" + /* Add a local keyid to a safebag */ int diff --git a/lib/libcrypto/pkcs12/p12_mutl.c b/lib/libcrypto/pkcs12/p12_mutl.c index d45ab078fd9..14ded8532d0 100644 --- a/lib/libcrypto/pkcs12/p12_mutl.c +++ b/lib/libcrypto/pkcs12/p12_mutl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_mutl.c,v 1.24 2021/07/09 14:08:00 tb Exp $ */ +/* $OpenBSD: p12_mutl.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -68,6 +68,8 @@ #include <openssl/hmac.h> #include <openssl/pkcs12.h> +#include "x509_lcl.h" + /* Generate a MAC */ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, diff --git a/lib/libcrypto/pkcs12/p12_npas.c b/lib/libcrypto/pkcs12/p12_npas.c index d6b12edab3d..62ec368af7c 100644 --- a/lib/libcrypto/pkcs12/p12_npas.c +++ b/lib/libcrypto/pkcs12/p12_npas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_npas.c,v 1.13 2018/05/13 14:22:34 tb Exp $ */ +/* $OpenBSD: p12_npas.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -63,6 +63,8 @@ #include <openssl/err.h> #include <openssl/pkcs12.h> +#include "x509_lcl.h" + /* PKCS#12 password change routine */ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass); diff --git a/lib/libcrypto/pkcs12/p12_p8d.c b/lib/libcrypto/pkcs12/p12_p8d.c index 0286d4acf54..ce1b28bc290 100644 --- a/lib/libcrypto/pkcs12/p12_p8d.c +++ b/lib/libcrypto/pkcs12/p12_p8d.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_p8d.c,v 1.7 2018/05/13 14:28:14 tb Exp $ */ +/* $OpenBSD: p12_p8d.c,v 1.8 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -60,6 +60,8 @@ #include <openssl/pkcs12.h> +#include "x509_lcl.h" + PKCS8_PRIV_KEY_INFO * PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen) { diff --git a/lib/libcrypto/pkcs12/p12_p8e.c b/lib/libcrypto/pkcs12/p12_p8e.c index 5e3fc6486a8..7f5f61d69f1 100644 --- a/lib/libcrypto/pkcs12/p12_p8e.c +++ b/lib/libcrypto/pkcs12/p12_p8e.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_p8e.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_p8e.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -61,6 +61,8 @@ #include <openssl/err.h> #include <openssl/pkcs12.h> +#include "x509_lcl.h" + X509_SIG * PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, int passlen, unsigned char *salt, int saltlen, int iter, diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c index 81a72f6815a..6d921e5cff2 100644 --- a/lib/libcrypto/pkcs7/pk7_doit.c +++ b/lib/libcrypto/pkcs7/pk7_doit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_doit.c,v 1.44 2019/10/04 18:03:55 tb Exp $ */ +/* $OpenBSD: pk7_doit.c,v 1.45 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c index afcc179240f..24cb0fe4c64 100644 --- a/lib/libcrypto/pkcs7/pk7_lib.c +++ b/lib/libcrypto/pkcs7/pk7_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_lib.c,v 1.21 2020/01/21 10:18:52 inoguchi Exp $ */ +/* $OpenBSD: pk7_lib.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,6 +63,7 @@ #include <openssl/x509.h> #include "asn1_locl.h" +#include "x509_lcl.h" long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg) diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c index bf9f2dd82a4..f11d23e30d7 100644 --- a/lib/libcrypto/pkcs7/pk7_smime.c +++ b/lib/libcrypto/pkcs7/pk7_smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_smime.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pk7_smime.c,v 1.23 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -64,6 +64,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); PKCS7 * diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c index d205046bd35..9ee61a381c4 100644 --- a/lib/libcrypto/rsa/rsa_sign.c +++ b/lib/libcrypto/rsa/rsa_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_sign.c,v 1.32 2021/05/14 18:03:42 tb Exp $ */ +/* $OpenBSD: rsa_sign.c,v 1.33 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,7 @@ #include <openssl/x509.h> #include "rsa_locl.h" +#include "x509_lcl.h" /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 diff --git a/lib/libcrypto/ts/ts_lib.c b/lib/libcrypto/ts/ts_lib.c index 293564118fd..cdfa9db3510 100644 --- a/lib/libcrypto/ts/ts_lib.c +++ b/lib/libcrypto/ts/ts_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_lib.c,v 1.10 2015/09/10 14:29:22 jsing Exp $ */ +/* $OpenBSD: ts_lib.c,v 1.11 2021/11/01 20:53:08 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -64,6 +64,8 @@ #include <openssl/ts.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + /* Local function declarations. */ /* Function definitions. */ diff --git a/lib/libcrypto/ts/ts_rsp_sign.c b/lib/libcrypto/ts/ts_rsp_sign.c index 6125fdd4be4..828407aa4b8 100644 --- a/lib/libcrypto/ts/ts_rsp_sign.c +++ b/lib/libcrypto/ts/ts_rsp_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_sign.c,v 1.23 2019/07/03 03:24:04 deraadt Exp $ */ +/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -65,6 +65,8 @@ #include <openssl/pkcs7.h> #include <openssl/ts.h> +#include "x509_lcl.h" + /* Private function declarations. */ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *); diff --git a/lib/libcrypto/ts/ts_rsp_verify.c b/lib/libcrypto/ts/ts_rsp_verify.c index 46704dfd2be..2e72ff47aef 100644 --- a/lib/libcrypto/ts/ts_rsp_verify.c +++ b/lib/libcrypto/ts/ts_rsp_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_verify.c,v 1.21 2021/07/02 11:15:08 schwarze Exp $ */ +/* $OpenBSD: ts_rsp_verify.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -64,6 +64,8 @@ #include <openssl/pkcs7.h> #include <openssl/ts.h> +#include "x509_lcl.h" + /* Private function declarations. */ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, diff --git a/lib/libcrypto/x509/by_dir.c b/lib/libcrypto/x509/by_dir.c index 04eada8ad05..0ff60644f5e 100644 --- a/lib/libcrypto/x509/by_dir.c +++ b/lib/libcrypto/x509/by_dir.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_dir.c,v 1.39 2018/08/05 14:17:12 bcook Exp $ */ +/* $OpenBSD: by_dir.c,v 1.40 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include <sys/stat.h> #include <sys/types.h> #include <errno.h> @@ -70,7 +71,7 @@ #include <openssl/lhash.h> #include <openssl/x509.h> -# include <sys/stat.h> +#include "x509_lcl.h" typedef struct lookup_dir_hashes_st { unsigned long hash; diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c index b2c8ef6cfaf..f719636412e 100644 --- a/lib/libcrypto/x509/by_file.c +++ b/lib/libcrypto/x509/by_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_file.c,v 1.21 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: by_file.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,6 +67,8 @@ #include <openssl/lhash.h> #include <openssl/x509.h> +#include "x509_lcl.h" + static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); diff --git a/lib/libcrypto/x509/by_mem.c b/lib/libcrypto/x509/by_mem.c index 34d4040d848..272877f843f 100644 --- a/lib/libcrypto/x509/by_mem.c +++ b/lib/libcrypto/x509/by_mem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_mem.c,v 1.4 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: by_mem.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,6 +68,8 @@ #include <openssl/lhash.h> #include <openssl/x509.h> +#include "x509_lcl.h" + static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **); static X509_LOOKUP_METHOD x509_mem_lookup = { diff --git a/lib/libcrypto/x509/pcy_cache.c b/lib/libcrypto/x509/pcy_cache.c index 896ba7d59ef..debca302863 100644 --- a/lib/libcrypto/x509/pcy_cache.c +++ b/lib/libcrypto/x509/pcy_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: pcy_cache.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -60,6 +60,7 @@ #include <openssl/x509v3.h> #include "pcy_int.h" +#include "x509_lcl.h" static int policy_data_cmp(const X509_POLICY_DATA * const *a, const X509_POLICY_DATA * const *b); diff --git a/lib/libcrypto/x509/pcy_map.c b/lib/libcrypto/x509/pcy_map.c index 287a430c2c0..f2e5d325524 100644 --- a/lib/libcrypto/x509/pcy_map.c +++ b/lib/libcrypto/x509/pcy_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: pcy_map.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -60,6 +60,7 @@ #include <openssl/x509v3.h> #include "pcy_int.h" +#include "x509_lcl.h" /* Set policy mapping entries in cache. * Note: this modifies the passed POLICY_MAPPINGS structure diff --git a/lib/libcrypto/x509/pcy_tree.c b/lib/libcrypto/x509/pcy_tree.c index d0f7cd1adac..284c08e66a1 100644 --- a/lib/libcrypto/x509/pcy_tree.c +++ b/lib/libcrypto/x509/pcy_tree.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: pcy_tree.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -60,6 +60,7 @@ #include <openssl/x509v3.h> #include "pcy_int.h" +#include "x509_lcl.h" /* Enable this to print out the complete policy tree at various point during * evaluation. diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h index 9a44bf30aa2..4624628bf83 100644 --- a/lib/libcrypto/x509/x509.h +++ b/lib/libcrypto/x509/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.86 2021/11/01 08:14:36 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.87 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -139,171 +139,33 @@ typedef struct X509_val_st { ASN1_TIME *notAfter; } X509_VAL; -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -struct X509_pubkey_st { - X509_ALGOR *algor; - ASN1_BIT_STRING *public_key; - EVP_PKEY *pkey; -}; - -typedef struct X509_sig_st { - X509_ALGOR *algor; - ASN1_OCTET_STRING *digest; -} X509_SIG; - -typedef struct X509_name_entry_st { - ASN1_OBJECT *object; - ASN1_STRING *value; - int set; - int size; /* temp variable */ -} X509_NAME_ENTRY; -#else typedef struct X509_sig_st X509_SIG; + typedef struct X509_name_entry_st X509_NAME_ENTRY; -#endif DECLARE_STACK_OF(X509_NAME_ENTRY) -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -/* we always keep X509_NAMEs in 2 forms. */ -struct X509_name_st { - STACK_OF(X509_NAME_ENTRY) *entries; - int modified; /* true if 'bytes' needs to be built */ -#ifndef OPENSSL_NO_BUFFER - BUF_MEM *bytes; -#else - char *bytes; -#endif -/* unsigned long hash; Keep the hash around for lookups */ - unsigned char *canon_enc; - int canon_enclen; -} /* X509_NAME */; -#endif - DECLARE_STACK_OF(X509_NAME) #define X509_EX_V_NETSCAPE_HACK 0x8000 #define X509_EX_V_INIT 0x0001 -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct X509_extension_st { - ASN1_OBJECT *object; - ASN1_BOOLEAN critical; - ASN1_OCTET_STRING *value; -} X509_EXTENSION; -#else typedef struct X509_extension_st X509_EXTENSION; -#endif typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; DECLARE_STACK_OF(X509_EXTENSION) -/* a sequence of these are used */ -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct x509_attributes_st { - ASN1_OBJECT *object; - int single; /* 0 for a set, 1 for a single item (which is wrong) */ - union { - char *ptr; -/* 0 */ STACK_OF(ASN1_TYPE) *set; -/* 1 */ ASN1_TYPE *single; - } value; -} X509_ATTRIBUTE; -#else typedef struct x509_attributes_st X509_ATTRIBUTE; -#endif DECLARE_STACK_OF(X509_ATTRIBUTE) - -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct X509_req_info_st { - ASN1_ENCODING enc; - ASN1_INTEGER *version; - X509_NAME *subject; - X509_PUBKEY *pubkey; - /* d=2 hl=2 l= 0 cons: cont: 00 */ - STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ -} X509_REQ_INFO; - -typedef struct X509_req_st { - X509_REQ_INFO *req_info; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - int references; -} X509_REQ; - -typedef struct x509_cinf_st { - ASN1_INTEGER *version; /* [ 0 ] default of v1 */ - ASN1_INTEGER *serialNumber; - X509_ALGOR *signature; - X509_NAME *issuer; - X509_VAL *validity; - X509_NAME *subject; - X509_PUBKEY *key; - ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ - ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ - STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ - ASN1_ENCODING enc; -} X509_CINF; -#else typedef struct X509_req_info_st X509_REQ_INFO; -typedef struct X509_req_st X509_REQ; -typedef struct x509_cinf_st X509_CINF; -#endif -/* This stuff is certificate "auxiliary info" - * it contains details which are useful in certificate - * stores and databases. When used this is tagged onto - * the end of the certificate itself - */ +typedef struct X509_req_st X509_REQ; -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct x509_cert_aux_st { - STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ - STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ - ASN1_UTF8STRING *alias; /* "friendly name" */ - ASN1_OCTET_STRING *keyid; /* key id of private key */ - STACK_OF(X509_ALGOR) *other; /* other unspecified info */ -} X509_CERT_AUX; -#else typedef struct x509_cert_aux_st X509_CERT_AUX; -#endif -struct x509_st; - -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -struct x509_st { - X509_CINF *cert_info; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - int valid; - int references; - char *name; - CRYPTO_EX_DATA ex_data; - /* These contain copies of various extension values */ - long ex_pathlen; - long ex_pcpathlen; - unsigned long ex_flags; - unsigned long ex_kusage; - unsigned long ex_xkusage; - unsigned long ex_nscert; - ASN1_OCTET_STRING *skid; - AUTHORITY_KEYID *akid; - X509_POLICY_CACHE *policy_cache; - STACK_OF(DIST_POINT) *crldp; - STACK_OF(GENERAL_NAME) *altname; - NAME_CONSTRAINTS *nc; -#ifndef OPENSSL_NO_RFC3779 - STACK_OF(IPAddressFamily) *rfc3779_addr; - struct ASIdentifiers_st *rfc3779_asid; -#endif -#ifndef OPENSSL_NO_SHA - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; -#endif - X509_CERT_AUX *aux; -} /* X509 */; -#endif +typedef struct x509_cinf_st X509_CINF; DECLARE_STACK_OF(X509) @@ -322,6 +184,7 @@ DECLARE_STACK_OF(X509_TRUST) /* standard trust ids */ +/* OpenSSL changed this to 0 */ #define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */ #define X509_TRUST_COMPAT 1 @@ -422,66 +285,13 @@ DECLARE_STACK_OF(X509_TRUST) XN_FLAG_FN_LN | \ XN_FLAG_FN_ALIGN) -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -struct x509_revoked_st { - ASN1_INTEGER *serialNumber; - ASN1_TIME *revocationDate; - STACK_OF(X509_EXTENSION) /* optional */ *extensions; - /* Set up if indirect CRL */ - STACK_OF(GENERAL_NAME) *issuer; - /* Revocation reason */ - int reason; - int sequence; /* load sequence */ -}; -#endif - DECLARE_STACK_OF(X509_REVOKED) -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct X509_crl_info_st { - ASN1_INTEGER *version; - X509_ALGOR *sig_alg; - X509_NAME *issuer; - ASN1_TIME *lastUpdate; - ASN1_TIME *nextUpdate; - STACK_OF(X509_REVOKED) *revoked; - STACK_OF(X509_EXTENSION) /* [0] */ *extensions; - ASN1_ENCODING enc; -} X509_CRL_INFO; -#else typedef struct X509_crl_info_st X509_CRL_INFO; -#endif - -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -struct X509_crl_st { - /* actual signature */ - X509_CRL_INFO *crl; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - int references; - int flags; - /* Copies of various extensions */ - AUTHORITY_KEYID *akid; - ISSUING_DIST_POINT *idp; - /* Convenient breakdown of IDP */ - int idp_flags; - int idp_reasons; - /* CRL and base CRL numbers for delta processing */ - ASN1_INTEGER *crl_number; - ASN1_INTEGER *base_crl_number; -#ifndef OPENSSL_NO_SHA - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; -#endif - STACK_OF(GENERAL_NAMES) *issuers; - const X509_CRL_METHOD *meth; - void *meth_data; -} /* X509_CRL */; -#endif DECLARE_STACK_OF(X509_CRL) -typedef struct private_key_st - { +typedef struct private_key_st { int version; /* The PKCS#8 data types */ X509_ALGOR *enc_algor; @@ -499,7 +309,7 @@ typedef struct private_key_st EVP_CIPHER_INFO cipher; int references; - } X509_PKEY; +} X509_PKEY; #ifndef OPENSSL_NO_EVP typedef struct X509_info_st { @@ -561,18 +371,6 @@ typedef struct PBKDF2PARAM_st { X509_ALGOR *prf; } PBKDF2PARAM; - -/* PKCS#8 private key info structure */ - -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -struct pkcs8_priv_key_info_st { - ASN1_INTEGER *version; - X509_ALGOR *pkeyalg; - ASN1_OCTET_STRING *pkey; - STACK_OF(X509_ATTRIBUTE) *attributes; -}; -#endif - #ifdef __cplusplus } #endif diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 313896167b7..ddb0e4af124 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.18 2021/10/25 11:55:27 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. * @@ -24,6 +24,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + #ifndef OPENSSL_NO_RFC3779 /* diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c index d990bc01587..d2247e09c1f 100644 --- a/lib/libcrypto/x509/x509_asid.c +++ b/lib/libcrypto/x509/x509_asid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_asid.c,v 1.18 2021/10/25 11:55:27 tb Exp $ */ +/* $OpenBSD: x509_asid.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * @@ -26,6 +26,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + #ifndef OPENSSL_NO_RFC3779 static const ASN1_TEMPLATE ASRange_seq_tt[] = { diff --git a/lib/libcrypto/x509/x509_att.c b/lib/libcrypto/x509/x509_att.c index 1479b918c76..38aa0631432 100644 --- a/lib/libcrypto/x509/x509_att.c +++ b/lib/libcrypto/x509/x509_att.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_att.c,v 1.17 2018/05/18 19:21:33 tb Exp $ */ +/* $OpenBSD: x509_att.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) { diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c index 6d6e8408994..134a0827302 100644 --- a/lib/libcrypto/x509/x509_cmp.c +++ b/lib/libcrypto/x509/x509_cmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cmp.c,v 1.35 2019/03/13 20:34:00 tb Exp $ */ +/* $OpenBSD: x509_cmp.c,v 1.36 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,6 +68,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) { diff --git a/lib/libcrypto/x509/x509_conf.c b/lib/libcrypto/x509/x509_conf.c index 8bf2d10b9f5..cd703fc1563 100644 --- a/lib/libcrypto/x509/x509_conf.c +++ b/lib/libcrypto/x509/x509_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_conf.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -66,6 +66,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static int v3_check_critical(const char **value); static int v3_check_generic(const char **value); static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, diff --git a/lib/libcrypto/x509/x509_crld.c b/lib/libcrypto/x509/x509_crld.c index ff60a880fad..6b6f7953787 100644 --- a/lib/libcrypto/x509/x509_crld.c +++ b/lib/libcrypto/x509/x509_crld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_crld.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -65,6 +65,8 @@ #include <openssl/err.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static void *v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, diff --git a/lib/libcrypto/x509/x509_ext.c b/lib/libcrypto/x509/x509_ext.c index 21374a26e20..14459511993 100644 --- a/lib/libcrypto/x509/x509_ext.c +++ b/lib/libcrypto/x509/x509_ext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ext.c,v 1.12 2018/05/18 19:28:27 tb Exp $ */ +/* $OpenBSD: x509_ext.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + int X509_CRL_get_ext_count(const X509_CRL *x) { diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h index 90fafccae0f..7ca67a853b6 100644 --- a/lib/libcrypto/x509/x509_internal.h +++ b/lib/libcrypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.13 2021/10/26 09:09:53 beck Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.14 2021/11/01 20:53:08 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck <beck@openbsd.org> * @@ -22,6 +22,8 @@ #include <openssl/x509_verify.h> +#include "x509_lcl.h" + /* Hard limits on structure size and number of signature checks. */ #define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ #define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ diff --git a/lib/libcrypto/x509/x509_lcl.h b/lib/libcrypto/x509/x509_lcl.h index 3e83b66dd61..1b352aee787 100644 --- a/lib/libcrypto/x509/x509_lcl.h +++ b/lib/libcrypto/x509/x509_lcl.h @@ -56,8 +56,325 @@ * */ +#ifndef HEADER_X509_LCL_H +#define HEADER_X509_LCL_H + __BEGIN_HIDDEN_DECLS +struct X509_pubkey_st { + X509_ALGOR *algor; + ASN1_BIT_STRING *public_key; + EVP_PKEY *pkey; +}; + +struct X509_sig_st { + X509_ALGOR *algor; + ASN1_OCTET_STRING *digest; +} /* X509_SIG */; + +struct X509_name_entry_st { + ASN1_OBJECT *object; + ASN1_STRING *value; + int set; + int size; /* temp variable */ +} /* X509_NAME_ENTRY */; + +/* we always keep X509_NAMEs in 2 forms. */ +struct X509_name_st { + STACK_OF(X509_NAME_ENTRY) *entries; + int modified; /* true if 'bytes' needs to be built */ +#ifndef OPENSSL_NO_BUFFER + BUF_MEM *bytes; +#else + char *bytes; +#endif +/* unsigned long hash; Keep the hash around for lookups */ + unsigned char *canon_enc; + int canon_enclen; +} /* X509_NAME */; + +struct X509_extension_st { + ASN1_OBJECT *object; + ASN1_BOOLEAN critical; + ASN1_OCTET_STRING *value; +} /* X509_EXTENSION */; + +struct x509_attributes_st { + ASN1_OBJECT *object; + int single; /* 0 for a set, 1 for a single item (which is wrong) */ + union { + char *ptr; +/* 0 */ STACK_OF(ASN1_TYPE) *set; +/* 1 */ ASN1_TYPE *single; + } value; +} /* X509_ATTRIBUTE */; + +struct X509_req_info_st { + ASN1_ENCODING enc; + ASN1_INTEGER *version; + X509_NAME *subject; + X509_PUBKEY *pubkey; + /* d=2 hl=2 l= 0 cons: cont: 00 */ + STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ +} /* X509_REQ_INFO */; + +struct X509_req_st { + X509_REQ_INFO *req_info; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + int references; +} /* X509_REQ */; + +/* + * This stuff is certificate "auxiliary info" it contains details which are + * useful in certificate stores and databases. When used this is tagged onto + * the end of the certificate itself. + */ +struct x509_cert_aux_st { + STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ + STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ + ASN1_UTF8STRING *alias; /* "friendly name" */ + ASN1_OCTET_STRING *keyid; /* key id of private key */ + STACK_OF(X509_ALGOR) *other; /* other unspecified info */ +} /* X509_CERT_AUX */; + +struct x509_cinf_st { + ASN1_INTEGER *version; /* [ 0 ] default of v1 */ + ASN1_INTEGER *serialNumber; + X509_ALGOR *signature; + X509_NAME *issuer; + X509_VAL *validity; + X509_NAME *subject; + X509_PUBKEY *key; + ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ + ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ + STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ + ASN1_ENCODING enc; +} /* X509_CINF */; + +struct x509_st { + X509_CINF *cert_info; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + int valid; + int references; + char *name; + CRYPTO_EX_DATA ex_data; + /* These contain copies of various extension values */ + long ex_pathlen; + long ex_pcpathlen; + unsigned long ex_flags; + unsigned long ex_kusage; + unsigned long ex_xkusage; + unsigned long ex_nscert; + ASN1_OCTET_STRING *skid; + AUTHORITY_KEYID *akid; + X509_POLICY_CACHE *policy_cache; + STACK_OF(DIST_POINT) *crldp; + STACK_OF(GENERAL_NAME) *altname; + NAME_CONSTRAINTS *nc; +#ifndef OPENSSL_NO_RFC3779 + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; +#endif +#ifndef OPENSSL_NO_SHA + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; +#endif + X509_CERT_AUX *aux; +} /* X509 */; + +struct x509_revoked_st { + ASN1_INTEGER *serialNumber; + ASN1_TIME *revocationDate; + STACK_OF(X509_EXTENSION) /* optional */ *extensions; + /* Set up if indirect CRL */ + STACK_OF(GENERAL_NAME) *issuer; + /* Revocation reason */ + int reason; + int sequence; /* load sequence */ +}; + +struct X509_crl_info_st { + ASN1_INTEGER *version; + X509_ALGOR *sig_alg; + X509_NAME *issuer; + ASN1_TIME *lastUpdate; + ASN1_TIME *nextUpdate; + STACK_OF(X509_REVOKED) *revoked; + STACK_OF(X509_EXTENSION) /* [0] */ *extensions; + ASN1_ENCODING enc; +} /* X509_CRL_INFO */; + +struct X509_crl_st { + /* actual signature */ + X509_CRL_INFO *crl; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + int references; + int flags; + /* Copies of various extensions */ + AUTHORITY_KEYID *akid; + ISSUING_DIST_POINT *idp; + /* Convenient breakdown of IDP */ + int idp_flags; + int idp_reasons; + /* CRL and base CRL numbers for delta processing */ + ASN1_INTEGER *crl_number; + ASN1_INTEGER *base_crl_number; +#ifndef OPENSSL_NO_SHA + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; +#endif + STACK_OF(GENERAL_NAMES) *issuers; + const X509_CRL_METHOD *meth; + void *meth_data; +} /* X509_CRL */; + +struct pkcs8_priv_key_info_st { + ASN1_INTEGER *version; + X509_ALGOR *pkeyalg; + ASN1_OCTET_STRING *pkey; + STACK_OF(X509_ATTRIBUTE) *attributes; +}; + +struct x509_object_st { + /* one of the above types */ + int type; + union { + char *ptr; + X509 *x509; + X509_CRL *crl; + EVP_PKEY *pkey; + } data; +} /* X509_OBJECT */; + +struct x509_lookup_method_st { + const char *name; + int (*new_item)(X509_LOOKUP *ctx); + void (*free)(X509_LOOKUP *ctx); + int (*init)(X509_LOOKUP *ctx); + int (*shutdown)(X509_LOOKUP *ctx); + int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial,X509_OBJECT *ret); + int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, + const unsigned char *bytes, int len, X509_OBJECT *ret); + int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str, + int len, X509_OBJECT *ret); +} /* X509_LOOKUP_METHOD */; + +struct X509_VERIFY_PARAM_st { + char *name; + time_t check_time; /* Time to use */ + unsigned long inh_flags; /* Inheritance flags */ + unsigned long flags; /* Various verify flags */ + int purpose; /* purpose to check untrusted certificates */ + int trust; /* trust setting to check */ + int depth; /* Verify depth */ + STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ + X509_VERIFY_PARAM_ID *id; /* opaque ID data */ +} /* X509_VERIFY_PARAM */; + +/* + * This is used to hold everything. It is used for all certificate + * validation. Once we have a certificate chain, the 'verify' + * function is then called to actually check the cert chain. + */ +struct x509_store_st { + /* The following is a cache of trusted certs */ + int cache; /* if true, stash any hits */ + STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ + + /* These are external lookup methods */ + STACK_OF(X509_LOOKUP) *get_cert_methods; + + X509_VERIFY_PARAM *param; + + /* Callbacks for various operations */ + int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ + int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ + int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ + int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ + int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ + int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ + int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ + int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ + STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); + STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); + int (*cleanup)(X509_STORE_CTX *ctx); + + CRYPTO_EX_DATA ex_data; + int references; +} /* X509_STORE */; + +/* This is the functions plus an instance of the local variables. */ +struct x509_lookup_st { + int init; /* have we been started */ + int skip; /* don't use us. */ + X509_LOOKUP_METHOD *method; /* the functions */ + char *method_data; /* method data */ + + X509_STORE *store_ctx; /* who owns us */ +} /* X509_LOOKUP */; + +/* + * This is used when verifying cert chains. Since the gathering of the cert + * chain can take some time (and has to be 'retried'), this needs to be kept + * and passed around. + */ +struct x509_store_ctx_st { + X509_STORE *ctx; + int current_method; /* used when looking up certs */ + + /* The following are set by the caller */ + X509 *cert; /* The cert to check */ + STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ + STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ + + X509_VERIFY_PARAM *param; + void *other_ctx; /* Other info for use with get_issuer() */ + + /* Callbacks for various operations */ + int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ + int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ + int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ + int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ + int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ + int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ + int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ + int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ + int (*check_policy)(X509_STORE_CTX *ctx); + STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); + STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); + int (*cleanup)(X509_STORE_CTX *ctx); + + /* The following is built up */ + int valid; /* if 0, rebuild chain */ + int last_untrusted; /* XXX: number of untrusted certs in chain!!! */ + STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ + X509_POLICY_TREE *tree; /* Valid policy tree */ + + int explicit_policy; /* Require explicit policy value */ + + /* When something goes wrong, this is why */ + int error_depth; + int error; + X509 *current_cert; + X509 *current_issuer; /* cert currently being tested as valid issuer */ + X509_CRL *current_crl; /* current CRL */ + + int current_crl_score; /* score of current CRL */ + unsigned int current_reasons; /* Reason mask */ + + X509_STORE_CTX *parent; /* For CRL path validation: parent context */ + + CRYPTO_EX_DATA ex_data; +} /* X509_STORE_CTX */; + int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); __END_HIDDEN_DECLS + +#endif /* !HEADER_X509_LCL_H */ diff --git a/lib/libcrypto/x509/x509_lib.c b/lib/libcrypto/x509/x509_lib.c index 211d0adfeec..a518d5b950d 100644 --- a/lib/libcrypto/x509/x509_lib.c +++ b/lib/libcrypto/x509/x509_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lib.c,v 1.2 2020/09/14 11:35:32 beck Exp $ */ +/* $OpenBSD: x509_lib.c,v 1.3 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -64,6 +64,7 @@ #include <openssl/x509v3.h> #include "ext_dat.h" +#include "x509_lcl.h" static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; diff --git a/lib/libcrypto/x509/x509_ncons.c b/lib/libcrypto/x509/x509_ncons.c index 1621f986171..613527005a5 100644 --- a/lib/libcrypto/x509/x509_ncons.c +++ b/lib/libcrypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ncons.c,v 1.4 2020/09/16 18:12:06 beck Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -64,6 +64,8 @@ #include <openssl/err.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, diff --git a/lib/libcrypto/x509/x509_obj.c b/lib/libcrypto/x509/x509_obj.c index 5c537990206..58ffa3a2f25 100644 --- a/lib/libcrypto/x509/x509_obj.c +++ b/lib/libcrypto/x509/x509_obj.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_obj.c,v 1.18 2018/05/18 18:19:31 tb Exp $ */ +/* $OpenBSD: x509_obj.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + char * X509_NAME_oneline(const X509_NAME *a, char *buf, int len) { diff --git a/lib/libcrypto/x509/x509_prn.c b/lib/libcrypto/x509/x509_prn.c index 5c15cc390fc..4977051d4a9 100644 --- a/lib/libcrypto/x509/x509_prn.c +++ b/lib/libcrypto/x509/x509_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ +/* $OpenBSD: x509_prn.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include <openssl/conf.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + /* Extension printing routines */ static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c index 8a5f6704a24..67a7b51fb15 100644 --- a/lib/libcrypto/x509/x509_purp.c +++ b/lib/libcrypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.11 2021/10/29 12:11:13 tb Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -65,6 +65,8 @@ #include <openssl/x509v3.h> #include <openssl/x509_vfy.h> +#include "x509_lcl.h" + #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c index 525163bc3e5..143d0f1aa09 100644 --- a/lib/libcrypto/x509/x509_r2x.c +++ b/lib/libcrypto/x509/x509_r2x.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_r2x.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_r2x.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + X509 * X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) { diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c index c81fe4a3a9c..556e32b317b 100644 --- a/lib/libcrypto/x509/x509_req.c +++ b/lib/libcrypto/x509/x509_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_req.c,v 1.23 2021/10/23 11:56:10 tb Exp $ */ +/* $OpenBSD: x509_req.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,6 +70,8 @@ #include <openssl/pem.h> #include <openssl/x509.h> +#include "x509_lcl.h" + X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c index c4ce8e5674d..5784f2203e0 100644 --- a/lib/libcrypto/x509/x509_set.c +++ b/lib/libcrypto/x509/x509_set.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_set.c,v 1.19 2021/11/01 08:14:36 tb Exp $ */ +/* $OpenBSD: x509_set.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,6 +63,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509 *x) { diff --git a/lib/libcrypto/x509/x509_skey.c b/lib/libcrypto/x509/x509_skey.c index a9064273788..58bb66bc059 100644 --- a/lib/libcrypto/x509/x509_skey.c +++ b/lib/libcrypto/x509/x509_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include <openssl/err.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c index 1a60e5a3cf4..72d616a1066 100644 --- a/lib/libcrypto/x509/x509_trs.c +++ b/lib/libcrypto/x509/x509_trs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_trs.c,v 1.24 2021/07/23 20:50:28 schwarze Exp $ */ +/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include <openssl/err.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b); static void trtable_free(X509_TRUST *p); diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c index 524d5511ed2..9aefb8d99df 100644 --- a/lib/libcrypto/x509/x509_v3.c +++ b/lib/libcrypto/x509/x509_v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_v3.c,v 1.17 2018/05/19 10:54:40 tb Exp $ */ +/* $OpenBSD: x509_v3.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" + int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 4c3fe7f3e3e..664474139cd 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.92 2021/10/26 15:14:18 job Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.93 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -76,8 +76,6 @@ #include "asn1_locl.h" #include "vpm_int.h" #include "x509_internal.h" -#include "x509_lcl.h" -#include "x509_internal.h" /* CRL score values */ diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h index 61ea11b71ac..133ffda337e 100644 --- a/lib/libcrypto/x509/x509_vfy.h +++ b/lib/libcrypto/x509/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.45 2021/11/01 08:14:36 tb Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.46 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -100,173 +100,17 @@ typedef enum { X509_LU_CRL, } X509_LOOKUP_TYPE; -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -typedef struct x509_object_st { - /* one of the above types */ - int type; - union { - char *ptr; - X509 *x509; - X509_CRL *crl; - EVP_PKEY *pkey; - } data; -} X509_OBJECT; -#else -typedef struct x509_object_st X509_OBJECT; -#endif - -typedef struct x509_lookup_st X509_LOOKUP; DECLARE_STACK_OF(X509_LOOKUP) DECLARE_STACK_OF(X509_OBJECT) +DECLARE_STACK_OF(X509_VERIFY_PARAM) -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -/* This is a static that defines the function interface */ -typedef struct x509_lookup_method_st { - const char *name; - int (*new_item)(X509_LOOKUP *ctx); - void (*free)(X509_LOOKUP *ctx); - int (*init)(X509_LOOKUP *ctx); - int (*shutdown)(X509_LOOKUP *ctx); - int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret); - int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, - ASN1_INTEGER *serial,X509_OBJECT *ret); - int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, - const unsigned char *bytes, int len, X509_OBJECT *ret); - int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str, - int len, X509_OBJECT *ret); -} X509_LOOKUP_METHOD; - +/* unused in OpenSSL */ typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID; -/* This structure hold all parameters associated with a verify operation - * by including an X509_VERIFY_PARAM structure in related structures the - * parameters used can be customized - */ - -typedef struct X509_VERIFY_PARAM_st { - char *name; - time_t check_time; /* Time to use */ - unsigned long inh_flags; /* Inheritance flags */ - unsigned long flags; /* Various verify flags */ - int purpose; /* purpose to check untrusted certificates */ - int trust; /* trust setting to check */ - int depth; /* Verify depth */ - STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ - X509_VERIFY_PARAM_ID *id; /* opaque ID data */ -} X509_VERIFY_PARAM; -#else -typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; -typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM; -#endif - -DECLARE_STACK_OF(X509_VERIFY_PARAM) - -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -/* - * This is used to hold everything. It is used for all certificate - * validation. Once we have a certificate chain, the 'verify' - * function is then called to actually check the cert chain. - */ -struct x509_store_st { - /* The following is a cache of trusted certs */ - int cache; /* if true, stash any hits */ - STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ - - /* These are external lookup methods */ - STACK_OF(X509_LOOKUP) *get_cert_methods; - - X509_VERIFY_PARAM *param; - - /* Callbacks for various operations */ - int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ - int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ - int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ - int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ - int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ - int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ - STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); - STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); - int (*cleanup)(X509_STORE_CTX *ctx); - - CRYPTO_EX_DATA ex_data; - int references; -} /* X509_STORE */; -#endif int X509_STORE_set_depth(X509_STORE *store, int depth); -#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509) -/* This is the functions plus an instance of the local variables. */ -struct x509_lookup_st { - int init; /* have we been started */ - int skip; /* don't use us. */ - X509_LOOKUP_METHOD *method; /* the functions */ - char *method_data; /* method data */ - - X509_STORE *store_ctx; /* who owns us */ -} /* X509_LOOKUP */; - -/* - * This is used when verifying cert chains. Since the gathering of the cert - * chain can take some time (and has to be 'retried'), this needs to be kept - * and passed around. - */ -struct x509_store_ctx_st { - X509_STORE *ctx; - int current_method; /* used when looking up certs */ - - /* The following are set by the caller */ - X509 *cert; /* The cert to check */ - STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ - STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ - - X509_VERIFY_PARAM *param; - void *other_ctx; /* Other info for use with get_issuer() */ - - /* Callbacks for various operations */ - int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ - int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ - int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ - int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ - int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ - int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ - int (*check_policy)(X509_STORE_CTX *ctx); - STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); - STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); - int (*cleanup)(X509_STORE_CTX *ctx); - - /* The following is built up */ - int valid; /* if 0, rebuild chain */ - int last_untrusted; /* XXX: number of untrusted certs in chain!!! */ - STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ - X509_POLICY_TREE *tree; /* Valid policy tree */ - - int explicit_policy; /* Require explicit policy value */ - - /* When something goes wrong, this is why */ - int error_depth; - int error; - X509 *current_cert; - X509 *current_issuer; /* cert currently being tested as valid issuer */ - X509_CRL *current_crl; /* current CRL */ - - int current_crl_score; /* score of current CRL */ - unsigned int current_reasons; /* Reason mask */ - - X509_STORE_CTX *parent; /* For CRL path validation: parent context */ - - CRYPTO_EX_DATA ex_data; -} /* X509_STORE_CTX */; -#endif - void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_STORE_CTX_set_app_data(ctx,data) \ diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 42ea6e72c95..13171e40f5c 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.28 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -67,6 +67,7 @@ #include <openssl/x509v3.h> #include "vpm_int.h" +#include "x509_lcl.h" /* X509_VERIFY_PARAM functions */ diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c index 98fbdc2025c..b3af77d90e5 100644 --- a/lib/libcrypto/x509/x509cset.c +++ b/lib/libcrypto/x509/x509cset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509cset.c,v 1.15 2021/10/23 11:56:10 tb Exp $ */ +/* $OpenBSD: x509cset.c,v 1.16 2021/11/01 20:53:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -63,8 +63,10 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + int -X509_CRL_up_ref(X509_CRL *x) +X509_CRL_up_ref(X509_CRL *x) { int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); return (refs > 1) ? 1 : 0; diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c index 3649d6ab7cd..878d7878461 100644 --- a/lib/libcrypto/x509/x509name.c +++ b/lib/libcrypto/x509/x509name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509name.c,v 1.26 2018/05/30 15:35:45 tb Exp $ */ +/* $OpenBSD: x509name.c,v 1.27 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include <openssl/stack.h> #include <openssl/x509.h> +#include "x509_lcl.h" + int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) { diff --git a/lib/libcrypto/x509/x509rset.c b/lib/libcrypto/x509/x509rset.c index dabeda2a64e..a2dd9e4cd2b 100644 --- a/lib/libcrypto/x509/x509rset.c +++ b/lib/libcrypto/x509/x509rset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509rset.c,v 1.8 2021/10/21 16:47:01 tb Exp $ */ +/* $OpenBSD: x509rset.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,6 +63,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + int X509_REQ_set_version(X509_REQ *x, long version) { diff --git a/lib/libcrypto/x509/x509type.c b/lib/libcrypto/x509/x509type.c index 315a5c2326f..1748ee5110b 100644 --- a/lib/libcrypto/x509/x509type.c +++ b/lib/libcrypto/x509/x509type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509type.c,v 1.13 2018/05/30 15:59:33 tb Exp $ */ +/* $OpenBSD: x509type.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,6 +62,8 @@ #include <openssl/objects.h> #include <openssl/x509.h> +#include "x509_lcl.h" + int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) { diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c index 36c12b80e5e..c06e74c9157 100644 --- a/lib/libcrypto/x509/x_all.c +++ b/lib/libcrypto/x509/x_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_all.c,v 1.23 2016/12/30 15:24:51 jsing Exp $ */ +/* $OpenBSD: x_all.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -73,6 +73,8 @@ #include <openssl/rsa.h> #endif +#include "x509_lcl.h" + X509 * d2i_X509_bio(BIO *bp, X509 **x509) { |