sync with OpenBSD -current

lib/libcrypto/dh/dh_key.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */
+/* $OpenBSD: dh_key.c,v 1.42 2024/05/09 20:43:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,43 +65,6 @@
 #include "bn_local.h"
 #include "dh_local.h"
 
-static int generate_key(DH *dh);
-static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a,
-	    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-static int dh_init(DH *dh);
-static int dh_finish(DH *dh);
-
-int
-DH_generate_key(DH *dh)
-{
-	return dh->meth->generate_key(dh);
-}
-LCRYPTO_ALIAS(DH_generate_key);
-
-int
-DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-{
-	return dh->meth->compute_key(key, pub_key, dh);
-}
-LCRYPTO_ALIAS(DH_compute_key);
-
-static DH_METHOD dh_ossl = {
-	.name = "OpenSSL DH Method",
-	.generate_key = generate_key,
-	.compute_key = compute_key,
-	.bn_mod_exp = dh_bn_mod_exp,
-	.init = dh_init,
-	.finish = dh_finish,
-};
-
-const DH_METHOD *
-DH_OpenSSL(void)
-{
-	return &dh_ossl;
-}
-LCRYPTO_ALIAS(DH_OpenSSL);
-
 static int
 generate_key(DH *dh)
 {
@@ -245,3 +208,33 @@ dh_finish(DH *dh)
 	BN_MONT_CTX_free(dh->method_mont_p);
 	return 1;
 }
+
+int
+DH_generate_key(DH *dh)
+{
+	return dh->meth->generate_key(dh);
+}
+LCRYPTO_ALIAS(DH_generate_key);
+
+int
+DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+{
+	return dh->meth->compute_key(key, pub_key, dh);
+}
+LCRYPTO_ALIAS(DH_compute_key);
+
+static const DH_METHOD dh_ossl = {
+	.name = "OpenSSL DH Method",
+	.generate_key = generate_key,
+	.compute_key = compute_key,
+	.bn_mod_exp = dh_bn_mod_exp,
+	.init = dh_init,
+	.finish = dh_finish,
+};
+
+const DH_METHOD *
+DH_OpenSSL(void)
+{
+	return &dh_ossl;
+}
+LCRYPTO_ALIAS(DH_OpenSSL);

lib/libcrypto/dsa/dsa_ossl.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.53 2023/08/03 18:53:55 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.55 2024/05/09 20:57:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -69,30 +69,6 @@
 #include "bn_local.h"
 #include "dsa_local.h"
 
-static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-    BIGNUM **rp);
-static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
-    DSA *dsa);
-static int dsa_init(DSA *dsa);
-static int dsa_finish(DSA *dsa);
-
-static DSA_METHOD openssl_dsa_meth = {
-	.name = "OpenSSL DSA method",
-	.dsa_do_sign = dsa_do_sign,
-	.dsa_sign_setup = dsa_sign_setup,
-	.dsa_do_verify = dsa_do_verify,
-	.init = dsa_init,
-	.finish = dsa_finish,
-};
-
-const DSA_METHOD *
-DSA_OpenSSL(void)
-{
-	return &openssl_dsa_meth;
-}
-LCRYPTO_ALIAS(DSA_OpenSSL);
-
 /*
  * Since DSA parameters are entirely arbitrary and checking them to be
  * consistent is very expensive, we cannot do so on every sign operation.
@@ -436,6 +412,22 @@ dsa_finish(DSA *dsa)
 	return 1;
 }
 
+static const DSA_METHOD openssl_dsa_meth = {
+	.name = "OpenSSL DSA method",
+	.dsa_do_sign = dsa_do_sign,
+	.dsa_sign_setup = dsa_sign_setup,
+	.dsa_do_verify = dsa_do_verify,
+	.init = dsa_init,
+	.finish = dsa_finish,
+};
+
+const DSA_METHOD *
+DSA_OpenSSL(void)
+{
+	return &openssl_dsa_meth;
+}
+LCRYPTO_ALIAS(DSA_OpenSSL);
+
 DSA_SIG *
 DSA_SIG_new(void)
 {

lib/libcrypto/x509/x509_req.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.36 2024/05/08 08:20:08 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.41 2024/05/09 14:29:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,54 +70,52 @@
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "asn1_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
 X509_REQ *
-X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
+X509_to_X509_REQ(X509 *x509, EVP_PKEY *signing_key, const EVP_MD *signing_md)
 {
-	X509_REQ *ret;
-	int i;
-	EVP_PKEY *pktmp;
+	X509_REQ *req;
+	X509_NAME *subject;
+	EVP_PKEY *public_key;
 
-	ret = X509_REQ_new();
-	if (ret == NULL) {
+	if ((req = X509_REQ_new()) == NULL) {
 		X509error(ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 
-	if (!X509_REQ_set_version(ret, 0))
+	if ((subject = X509_get_subject_name(x509)) == NULL)
+		goto err;
+	if (!X509_REQ_set_subject_name(req, subject))
 		goto err;
 
-	if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
+	if ((public_key = X509_get0_pubkey(x509)) == NULL)
+		goto err;
+	if (!X509_REQ_set_pubkey(req, public_key))
 		goto err;
 
-	if ((pktmp = X509_get_pubkey(x)) == NULL)
-		goto err;
-
-	i = X509_REQ_set_pubkey(ret, pktmp);
-	EVP_PKEY_free(pktmp);
-	if (!i)
-		goto err;
-
-	if (pkey != NULL) {
-		if (!X509_REQ_sign(ret, pkey, md))
+	if (signing_key != NULL) {
+		if (!X509_REQ_sign(req, signing_key, signing_md))
 			goto err;
 	}
-	return (ret);
 
-err:
-	X509_REQ_free(ret);
-	return (NULL);
+	return req;
+
+ err:
+	X509_REQ_free(req);
+
+	return NULL;
 }
 LCRYPTO_ALIAS(X509_to_X509_REQ);
 
 EVP_PKEY *
 X509_REQ_get_pubkey(X509_REQ *req)
 {
-	if ((req == NULL) || (req->req_info == NULL))
-		return (NULL);
-	return (X509_PUBKEY_get(req->req_info->pubkey));
+	if (req == NULL || req->req_info == NULL)
+		return NULL;
+	return X509_PUBKEY_get(req->req_info->pubkey);
 }
 LCRYPTO_ALIAS(X509_REQ_get_pubkey);
 
@@ -131,42 +129,43 @@ X509_REQ_get0_pubkey(X509_REQ *req)
 LCRYPTO_ALIAS(X509_REQ_get0_pubkey);
 
 int
-X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
+X509_REQ_check_private_key(X509_REQ *req, EVP_PKEY *pkey)
 {
-	EVP_PKEY *xk = NULL;
-	int ok = 0;
+	EVP_PKEY *req_pubkey = NULL;
+	int ret;
 
-	if ((xk = X509_REQ_get0_pubkey(x)) == NULL)
+	if ((req_pubkey = X509_REQ_get0_pubkey(req)) == NULL)
 		return 0;
 
-	switch (EVP_PKEY_cmp(xk, k)) {
-	case 1:
-		ok = 1;
-		break;
+	if ((ret = EVP_PKEY_cmp(req_pubkey, pkey)) == 1)
+		return 1;
+
+	switch (ret) {
 	case 0:
 		X509error(X509_R_KEY_VALUES_MISMATCH);
-		break;
+		return 0;
 	case -1:
 		X509error(X509_R_KEY_TYPE_MISMATCH);
-		break;
+		return 0;
 	case -2:
 #ifndef OPENSSL_NO_EC
-		if (k->type == EVP_PKEY_EC) {
+		if (pkey->type == EVP_PKEY_EC) {
 			X509error(ERR_R_EC_LIB);
-			break;
+			return 0;
 		}
 #endif
 #ifndef OPENSSL_NO_DH
-		if (k->type == EVP_PKEY_DH) {
+		if (pkey->type == EVP_PKEY_DH) {
 			/* No idea */
 			X509error(X509_R_CANT_CHECK_DH_KEY);
-			break;
+			return 0;
 		}
 #endif
 		X509error(X509_R_UNKNOWN_KEY_TYPE);
+		return 0;
 	}
 
-	return (ok);
+	return 0;
 }
 LCRYPTO_ALIAS(X509_REQ_check_private_key);
 
@@ -183,7 +182,6 @@ X509_REQ_get_extensions(X509_REQ *req)
 	X509_ATTRIBUTE *attr;
 	ASN1_TYPE *ext = NULL;
 	int idx;
-	const unsigned char *p;
 
 	if (req == NULL || req->req_info == NULL)
 		return NULL;
@@ -197,10 +195,8 @@ X509_REQ_get_extensions(X509_REQ *req)
 		return NULL;
 	if ((ext = X509_ATTRIBUTE_get0_type(attr, 0)) == NULL)
 		return NULL;
-	if (ext->type != V_ASN1_SEQUENCE)
-		return NULL;
-	p = ext->value.sequence->data;
-	return d2i_X509_EXTENSIONS(NULL, &p, ext->value.sequence->length);
+
+	return ASN1_TYPE_unpack_sequence(&X509_EXTENSIONS_it, ext);
 }
 LCRYPTO_ALIAS(X509_REQ_get_extensions);
 
@@ -215,16 +211,15 @@ X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
 {
 	unsigned char *ext = NULL;
 	int extlen;
-	int rv;
+	int ret;
 
-	extlen = i2d_X509_EXTENSIONS(exts, &ext);
-	if (extlen <= 0)
+	if ((extlen = i2d_X509_EXTENSIONS(exts, &ext)) <= 0)
 		return 0;
 
-	rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
+	ret = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
 	free(ext);
 
-	return rv;
+	return ret;
 }
 LCRYPTO_ALIAS(X509_REQ_add_extensions_nid);