sync with OpenBSD -current

lib/libcrypto/x509/x509_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_local.h,v 1.22 2024/03/02 10:52:24 tb Exp $ */
+/*	$OpenBSD: x509_local.h,v 1.23 2024/03/26 05:39:47 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -404,8 +404,6 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     const unsigned char *salt, int saltlen);
 X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
     unsigned char *salt, int saltlen);
-X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
-    unsigned char *salt, int saltlen, unsigned char *aiv, int prf_nid);
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, const unsigned char *salt,
     int saltlen);
 X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,

lib/libcrypto/x509/x509_set.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.26 2023/06/23 08:00:28 tb Exp $ */
+/* $OpenBSD: x509_set.c,v 1.29 2024/03/26 23:21:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -83,13 +83,19 @@ int
 X509_set_version(X509 *x, long version)
 {
 	if (x == NULL)
-		return (0);
+		return 0;
+	/*
+	 * RFC 5280, 4.1: versions 1 - 3 are specified as follows.
+	 * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
+	 */
+	if (version < 0 || version > 2)
+		return 0;
 	if (x->cert_info->version == NULL) {
 		if ((x->cert_info->version = ASN1_INTEGER_new()) == NULL)
-			return (0);
+			return 0;
 	}
 	x->cert_info->enc.modified = 1;
-	return (ASN1_INTEGER_set(x->cert_info->version, version));
+	return ASN1_INTEGER_set(x->cert_info->version, version);
 }
 LCRYPTO_ALIAS(X509_set_version);
 
@@ -251,12 +257,12 @@ X509_get_X509_PUBKEY(const X509 *x)
 LCRYPTO_ALIAS(X509_get_X509_PUBKEY);
 
 void
-X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
-    const ASN1_BIT_STRING **psuid)
+X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **issuerUID,
+    const ASN1_BIT_STRING **subjectUID)
 {
-	if (piuid != NULL)
-		*piuid = x->cert_info->issuerUID;
-	if (psuid != NULL)
-		*psuid = x->cert_info->subjectUID;
+	if (issuerUID != NULL)
+		*issuerUID = x->cert_info->issuerUID;
+	if (subjectUID != NULL)
+		*subjectUID = x->cert_info->subjectUID;
 }
 LCRYPTO_ALIAS(X509_get0_uids);

lib/libcrypto/x509/x509_trs.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.54 2024/03/25 04:03:26 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.55 2024/03/26 22:43:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,12 +59,10 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#include "crypto_internal.h"
 #include "x509_internal.h"
 #include "x509_local.h"
 

lib/libcrypto/x509/x509cset.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509cset.c,v 1.19 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509cset.c,v 1.22 2024/03/26 23:41:45 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -68,8 +68,7 @@
 int
 X509_CRL_up_ref(X509_CRL *x)
 {
-	int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
-	return (refs > 1) ? 1 : 0;
+	return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL) > 1;
 }
 LCRYPTO_ALIAS(X509_CRL_up_ref);
 
@@ -77,21 +76,28 @@ int
 X509_CRL_set_version(X509_CRL *x, long version)
 {
 	if (x == NULL)
-		return (0);
+		return 0;
+	/*
+	 * RFC 5280, 4.1: versions 1 - 3 are specified as follows.
+	 * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
+	 * The only specified versions for CRLs are 1 and 2.
+	 */
+	if (version < 0 || version > 1)
+		return 0;
 	if (x->crl->version == NULL) {
 		if ((x->crl->version = ASN1_INTEGER_new()) == NULL)
-			return (0);
+			return 0;
 	}
-	return (ASN1_INTEGER_set(x->crl->version, version));
+	return ASN1_INTEGER_set(x->crl->version, version);
 }
 LCRYPTO_ALIAS(X509_CRL_set_version);
 
 int
 X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
 {
-	if ((x == NULL) || (x->crl == NULL))
-		return (0);
-	return (X509_NAME_set(&x->crl->issuer, name));
+	if (x == NULL || x->crl == NULL)
+		return 0;
+	return X509_NAME_set(&x->crl->issuer, name);
 }
 LCRYPTO_ALIAS(X509_CRL_set_issuer_name);
 
@@ -101,7 +107,7 @@ X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
 	ASN1_TIME *in;
 
 	if (x == NULL)
-		return (0);
+		return 0;
 	in = x->crl->lastUpdate;
 	if (in != tm) {
 		in = ASN1_STRING_dup(tm);
@@ -110,7 +116,7 @@ X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
 			x->crl->lastUpdate = in;
 		}
 	}
-	return (in != NULL);
+	return in != NULL;
 }
 LCRYPTO_ALIAS(X509_CRL_set_lastUpdate);
 
@@ -127,7 +133,7 @@ X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
 	ASN1_TIME *in;
 
 	if (x == NULL)
-		return (0);
+		return 0;
 	in = x->crl->nextUpdate;
 	if (in != tm) {
 		in = ASN1_STRING_dup(tm);
@@ -136,7 +142,7 @@ X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
 			x->crl->nextUpdate = in;
 		}
 	}
-	return (in != NULL);
+	return in != NULL;
 }
 LCRYPTO_ALIAS(X509_CRL_set_nextUpdate);
 
@@ -150,11 +156,10 @@ LCRYPTO_ALIAS(X509_CRL_set1_nextUpdate);
 int
 X509_CRL_sort(X509_CRL *c)
 {
-	int i;
 	X509_REVOKED *r;
+	int i;
 
-	/* sort the data so it will be written in serial
-	 * number order */
+	/* Sort the data so it will be written in serial number order */
 	sk_X509_REVOKED_sort(c->crl->revoked);
 	for (i = 0; i < sk_X509_REVOKED_num(c->crl->revoked); i++) {
 		r = sk_X509_REVOKED_value(c->crl->revoked, i);
@@ -192,7 +197,7 @@ X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
 	ASN1_TIME *in;
 
 	if (x == NULL)
-		return (0);
+		return 0;
 	in = x->revocationDate;
 	if (in != tm) {
 		in = ASN1_STRING_dup(tm);
@@ -201,7 +206,7 @@ X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
 			x->revocationDate = in;
 		}
 	}
-	return (in != NULL);
+	return in != NULL;
 }
 LCRYPTO_ALIAS(X509_REVOKED_set_revocationDate);
 
@@ -211,7 +216,7 @@ X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
 	ASN1_INTEGER *in;
 
 	if (x == NULL)
-		return (0);
+		return 0;
 	in = x->serialNumber;
 	if (in != serial) {
 		in = ASN1_INTEGER_dup(serial);
@@ -220,7 +225,7 @@ X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
 			x->serialNumber = in;
 		}
 	}
-	return (in != NULL);
+	return in != NULL;
 }
 LCRYPTO_ALIAS(X509_REVOKED_set_serialNumber);
 

lib/libcrypto/x509/x509rset.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509rset.c,v 1.14 2024/03/25 12:10:57 jsing Exp $ */
+/* $OpenBSD: x509rset.c,v 1.16 2024/03/26 23:45:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -69,9 +69,12 @@ int
 X509_REQ_set_version(X509_REQ *x, long version)
 {
 	if (x == NULL)
-		return (0);
+		return 0;
+	/* RFC 2986 section 4.1 only specifies version 1, encoded as a 0. */
+	if (version != 0)
+		return 0;
 	x->req_info->enc.modified = 1;
-	return (ASN1_INTEGER_set(x->req_info->version, version));
+	return ASN1_INTEGER_set(x->req_info->version, version);
 }
 LCRYPTO_ALIAS(X509_REQ_set_version);
 
@@ -85,10 +88,10 @@ LCRYPTO_ALIAS(X509_REQ_get_version);
 int
 X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
 {
-	if ((x == NULL) || (x->req_info == NULL))
-		return (0);
+	if (x == NULL || x->req_info == NULL)
+		return 0;
 	x->req_info->enc.modified = 1;
-	return (X509_NAME_set(&x->req_info->subject, name));
+	return X509_NAME_set(&x->req_info->subject, name);
 }
 LCRYPTO_ALIAS(X509_REQ_set_subject_name);
 
@@ -102,9 +105,9 @@ LCRYPTO_ALIAS(X509_REQ_get_subject_name);
 int
 X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
 {
-	if ((x == NULL) || (x->req_info == NULL))
-		return (0);
+	if (x == NULL || x->req_info == NULL)
+		return 0;
 	x->req_info->enc.modified = 1;
-	return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
+	return X509_PUBKEY_set(&x->req_info->pubkey, pkey);
 }
 LCRYPTO_ALIAS(X509_REQ_set_pubkey);

lib/libcrypto/x509/x_all.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.30 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.31 2024/03/27 01:22:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -535,7 +535,6 @@ LCRYPTO_ALIAS(X509_NAME_digest);
 int
 X509_up_ref(X509 *x)
 {
-	int i = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
-	return i > 1 ? 1 : 0;
+	return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509) > 1;
 }
 LCRYPTO_ALIAS(X509_up_ref);