sync with OpenBSD -current

lib/libcrypto/cms/cms_smime.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.27 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.28 2023/12/22 10:23:11 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -52,14 +52,21 @@
  * ====================================================================
  */
 
-#include "cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
+#include <sys/types.h>
+
+#include <stddef.h>
+
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
 #include <openssl/cms.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/pkcs7.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+
 #include "cms_local.h"
-#include "asn1/asn1_local.h"
 
 static BIO *
 cms_get_text_bio(BIO *out, unsigned int flags)

lib/libcrypto/evp/evp_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.74 2023/12/21 20:50:43 tb Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.79 2023/12/23 13:05:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -83,44 +83,48 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
 {
 	if (enc == -1)
 		enc = ctx->encrypt;
-	else {
-		if (enc)
-			enc = 1;
-		ctx->encrypt = enc;
-	}
-	if (cipher) {
-		/* Ensure a context left lying around from last time is cleared
-		 * (the previous check attempted to avoid this if the same
-		 * EVP_CIPHER could be used). */
-		if (ctx->cipher) {
-			unsigned long flags = ctx->flags;
-			EVP_CIPHER_CTX_cleanup(ctx);
-			/* Restore encrypt and flags */
-			ctx->encrypt = enc;
-			ctx->flags = flags;
-		}
+	if (enc != 0)
+		enc = 1;
+	ctx->encrypt = enc;
 
+	if (cipher == NULL && ctx->cipher == NULL) {
+		EVPerror(EVP_R_NO_CIPHER_SET);
+		return 0;
+	}
+
+	/*
+	 * If the ctx is reused and a cipher is passed in, reset the ctx but
+	 * remember enc and whether key wrap was enabled.
+	 */
+	if (cipher != NULL && ctx->cipher != NULL) {
+		unsigned long flags = ctx->flags;
+
+		EVP_CIPHER_CTX_cleanup(ctx);
+
+		ctx->encrypt = enc;
+		ctx->flags = flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
+	}
+
+	/* Set up cipher. Allocate cipher data and initialize if necessary. */
+	if (cipher != NULL) {
 		ctx->cipher = cipher;
-		if (ctx->cipher->ctx_size) {
+		ctx->key_len = cipher->key_len;
+		ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
+
+		if (ctx->cipher->ctx_size != 0) {
 			ctx->cipher_data = calloc(1, ctx->cipher->ctx_size);
 			if (ctx->cipher_data == NULL) {
 				EVPerror(ERR_R_MALLOC_FAILURE);
 				return 0;
 			}
-		} else {
-			ctx->cipher_data = NULL;
 		}
-		ctx->key_len = cipher->key_len;
-		ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
-		if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
+
+		if ((ctx->cipher->flags & EVP_CIPH_CTRL_INIT) != 0) {
 			if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
 				EVPerror(EVP_R_INITIALIZATION_ERROR);
 				return 0;
 			}
 		}
-	} else if (!ctx->cipher) {
-		EVPerror(EVP_R_NO_CIPHER_SET);
-		return 0;
 	}
 
 	/* Block sizes must be a power of 2 due to the use of block_mask. */
@@ -131,13 +135,13 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
 		return 0;
 	}
 
-	if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) &&
+	if ((ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) == 0 &&
 	    EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) {
 		EVPerror(EVP_R_WRAP_MODE_NOT_ALLOWED);
 		return 0;
 	}
 
-	if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
+	if ((EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV) == 0) {
 		int iv_len;
 
 		switch (EVP_CIPHER_CTX_mode(ctx)) {
@@ -181,7 +185,7 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
 		}
 	}
 
-	if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+	if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT) != 0) {
 		if (!ctx->cipher->init(ctx, key, iv, enc))
 			return 0;
 	}
@@ -203,7 +207,7 @@ EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len,
 }
 
 int
-EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
+EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
 {
 	if (ctx->encrypt)
 		return EVP_EncryptFinal_ex(ctx, out, out_len);
@@ -212,7 +216,7 @@ EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
 }
 
 int
-EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
+EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
 {
 	if (ctx->encrypt)
 		return EVP_EncryptFinal_ex(ctx, out, out_len);
@@ -234,20 +238,6 @@ EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine
 	return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1);
 }
 
-int
-EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-    const unsigned char *key, const unsigned char *iv)
-{
-	return EVP_CipherInit(ctx, cipher, key, iv, 0);
-}
-
-int
-EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
-    const unsigned char *key, const unsigned char *iv)
-{
-	return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
-}
-
 /*
  * EVP_Cipher() is an implementation detail of EVP_Cipher{Update,Final}().
  * Behavior depends on EVP_CIPH_FLAG_CUSTOM_CIPHER being set on ctx->cipher.
@@ -320,13 +310,13 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len,
 	if (partial_len == 0 && (in_len & block_mask) == 0)
 		return evp_cipher(ctx, out, out_len, in, in_len);
 
-	/* XXX - check that block_size > partial_len. */
-	if (block_size > sizeof(ctx->buf)) {
+	if (partial_len < 0 || partial_len >= block_size ||
+	    block_size > sizeof(ctx->buf)) {
 		EVPerror(EVP_R_BAD_BLOCK_LENGTH);
 		return 0;
 	}
 
-	if (partial_len != 0) {
+	if (partial_len > 0) {
 		int partial_needed;
 
 		if ((partial_needed = block_size - partial_len) > in_len) {
@@ -369,9 +359,8 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len,
 		total_len += len;
 	}
 
-	if (partial_len != 0)
+	if ((ctx->partial_len = partial_len) > 0)
 		memcpy(ctx->buf, &in[in_len], partial_len);
-	ctx->partial_len = partial_len;
 
 	*out_len = total_len;
 
@@ -396,8 +385,8 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
 	if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
 		return evp_cipher(ctx, out, out_len, NULL, 0);
 
-	/* XXX - check that block_size > partial_len. */
-	if (block_size > sizeof(ctx->buf)) {
+	if (partial_len < 0 || partial_len >= block_size ||
+	    block_size > sizeof(ctx->buf)) {
 		EVPerror(EVP_R_BAD_BLOCK_LENGTH);
 		return 0;
 	}
@@ -418,6 +407,20 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len)
 	return evp_cipher(ctx, out, out_len, ctx->buf, block_size);
 }
 
+int
+EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+    const unsigned char *key, const unsigned char *iv)
+{
+	return EVP_CipherInit(ctx, cipher, key, iv, 0);
+}
+
+int
+EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
+    const unsigned char *key, const unsigned char *iv)
+{
+	return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
+}
+
 int
 EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len,
     const unsigned char *in, int in_len)

lib/libcrypto/evp/evp_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_local.h,v 1.8 2023/12/20 14:10:03 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.9 2023/12/22 17:25:47 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -170,8 +170,8 @@ struct evp_cipher_ctx_st {
 	int encrypt;		/* encrypt or decrypt */
 	int partial_len;	/* number of bytes written to buf */
 
-	unsigned char  oiv[EVP_MAX_IV_LENGTH];	/* original iv */
-	unsigned char  iv[EVP_MAX_IV_LENGTH];	/* working iv */
+	unsigned char oiv[EVP_MAX_IV_LENGTH];	/* original iv */
+	unsigned char iv[EVP_MAX_IV_LENGTH];	/* working iv */
 	unsigned char buf[EVP_MAX_BLOCK_LENGTH];/* saved partial block */
 	int num;				/* used by cfb/ofb/ctr mode */
 

lib/libcrypto/x509/x509_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_local.h,v 1.11 2023/11/01 20:37:42 tb Exp $ */
+/*	$OpenBSD: x509_local.h,v 1.14 2023/12/22 13:31:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -299,15 +299,7 @@ struct x509_store_st {
 	/* Callbacks for various operations */
 	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */
-	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
-	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
-	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
-	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
-	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
-	STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
-	STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
-	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	CRYPTO_EX_DATA ex_data;
 	int references;
@@ -344,14 +336,6 @@ struct x509_store_ctx_st {
 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);		/* error callback */
 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
-	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
-	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
-	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
-	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
-	int (*check_policy)(X509_STORE_CTX *ctx);
-	STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
-	STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
-	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	/* The following is built up */
 	int valid;		/* if 0, rebuild chain */

lib/libcrypto/x509/x509_vfy.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.127 2023/11/27 00:51:12 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.135 2023/12/23 00:52:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -116,16 +116,15 @@
 
 #define CRL_SCORE_TIME_DELTA	0x002
 
+static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
+static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+
 static int null_callback(int ok, X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
     int allow_expired);
-static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_name_constraints(X509_STORE_CTX *ctx);
-static int check_trust(X509_STORE_CTX *ctx);
-static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth);
-static int check_policy(X509_STORE_CTX *ctx);
 
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
     unsigned int *preasons, X509_CRL *crl, X509 *x);
@@ -144,7 +143,6 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time,
     int clamp_notafter);
 
 static int internal_verify(X509_STORE_CTX *ctx);
-static int get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
 static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err);
 
@@ -177,7 +175,7 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
 }
 
 static int
-check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
+x509_vfy_check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
 {
 	int i, n;
 	char *name;
@@ -195,13 +193,13 @@ check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
 	return n == 0;
 }
 
-static int
-check_id(X509_STORE_CTX *ctx)
+int
+x509_vfy_check_id(X509_STORE_CTX *ctx)
 {
 	X509_VERIFY_PARAM *vpm = ctx->param;
 	X509 *x = ctx->cert;
 
-	if (vpm->hosts && check_hosts(x, vpm) <= 0) {
+	if (vpm->hosts && x509_vfy_check_hosts(x, vpm) <= 0) {
 		if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
 			return 0;
 	}
@@ -217,11 +215,6 @@ check_id(X509_STORE_CTX *ctx)
 	return 1;
 }
 
-int
-x509_vfy_check_id(X509_STORE_CTX *ctx) {
-	return check_id(ctx);
-}
-
 /*
  * This is the effectively broken legacy OpenSSL chain builder. It
  * might find an unvalidated chain and leave it sitting in
@@ -430,7 +423,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
 		}
 
 		/* we now have our chain, lets check it... */
-		trust = check_trust(ctx);
+		trust = x509_vfy_check_trust(ctx);
 
 		/* If explicitly rejected error */
 		if (trust == X509_TRUST_REJECTED) {
@@ -532,7 +525,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 		goto end;
 
 	/* We have the chain complete: now we need to check its purpose */
-	ok = check_chain_extensions(ctx);
+	ok = x509_vfy_check_chain_extensions(ctx);
 	if (!ok)
 		goto end;
 
@@ -556,7 +549,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 		goto end;
 #endif
 
-	ok = check_id(ctx);
+	ok = x509_vfy_check_id(ctx);
 	if (!ok)
 		goto end;
 
@@ -564,7 +557,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 	 * Check revocation status: we do this after copying parameters because
 	 * they may be needed for CRL signature verification.
 	 */
-	ok = ctx->check_revocation(ctx);
+	ok = x509_vfy_check_revocation(ctx);
 	if (!ok)
 		goto end;
 
@@ -578,7 +571,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 
 	/* If we get this far evaluate policies */
 	if (!bad_chain)
-		ok = ctx->check_policy(ctx);
+		ok = x509_vfy_check_policy(ctx);
 
  end:
 	/* Safety net, error returns must set ctx->error */
@@ -696,7 +689,7 @@ check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer)
 /* Alternative lookup method: look from a STACK stored in ctx->trusted */
 
 static int
-get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+x509_vfy_get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
 	*issuer = find_issuer(ctx, ctx->trusted, x, 1);
 	if (*issuer) {
@@ -813,11 +806,6 @@ end:
 #endif
 }
 
-static int
-check_chain_extensions(X509_STORE_CTX *ctx) {
-	return x509_vfy_check_chain_extensions(ctx);
-}
-
 static int
 check_name_constraints(X509_STORE_CTX *ctx)
 {
@@ -840,7 +828,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 	size_t i;
 
 	/* Lookup all certs with matching subject name */
-	certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
+	certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
 	if (certs == NULL)
 		return NULL;
 
@@ -863,14 +851,13 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 X509 *
 x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 {
-	if (ctx->lookup_certs == NULL || ctx->store == NULL ||
-	    ctx->store->objs == NULL)
+	if (ctx->store == NULL || ctx->store->objs == NULL)
 		return NULL;
 	return lookup_cert_match(ctx, x);
 }
 
-static int
-check_trust(X509_STORE_CTX *ctx)
+int
+x509_vfy_check_trust(X509_STORE_CTX *ctx)
 {
 	size_t i;
 	int ok;
@@ -925,13 +912,7 @@ check_trust(X509_STORE_CTX *ctx)
 }
 
 int
-x509_vfy_check_trust(X509_STORE_CTX *ctx)
-{
-	return check_trust(ctx);
-}
-
-static int
-check_revocation(X509_STORE_CTX *ctx)
+x509_vfy_check_revocation(X509_STORE_CTX *ctx)
 {
 	int i, last, ok;
 
@@ -953,12 +934,6 @@ check_revocation(X509_STORE_CTX *ctx)
 	return 1;
 }
 
-int
-x509_vfy_check_revocation(X509_STORE_CTX *ctx)
-{
-	return check_revocation(ctx);
-}
-
 static int
 check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 {
@@ -976,28 +951,22 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 	while (ctx->current_reasons != CRLDP_ALL_REASONS) {
 		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
-		if (ctx->get_crl)
-			ok = ctx->get_crl(ctx, &crl, x);
-		else
-			ok = get_crl_delta(ctx, &crl, &dcrl, x);
-		/* If error looking up CRL, nothing we can do except
-		 * notify callback
-		 */
+		ok = get_crl_delta(ctx, &crl, &dcrl, x);
 		if (!ok) {
 			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
 			ok = ctx->verify_cb(0, ctx);
 			goto err;
 		}
 		ctx->current_crl = crl;
-		ok = ctx->check_crl(ctx, crl);
+		ok = x509_vfy_check_crl(ctx, crl);
 		if (!ok)
 			goto err;
 
 		if (dcrl) {
-			ok = ctx->check_crl(ctx, dcrl);
+			ok = x509_vfy_check_crl(ctx, dcrl);
 			if (!ok)
 				goto err;
-			ok = ctx->cert_crl(ctx, dcrl, x);
+			ok = x509_vfy_cert_crl(ctx, dcrl, x);
 			if (!ok)
 				goto err;
 		} else
@@ -1005,7 +974,7 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 
 		/* Don't look in full CRL if delta reason is removefromCRL */
 		if (ok != 2) {
-			ok = ctx->cert_crl(ctx, crl, x);
+			ok = x509_vfy_cert_crl(ctx, crl, x);
 			if (!ok)
 				goto err;
 		}
@@ -1559,7 +1528,7 @@ get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
 		goto done;
 
 	/* Lookup CRLs from store */
-	skcrl = ctx->lookup_crls(ctx, nm);
+	skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
 
 	/* If no CRLs found and a near match from get_crl_sk use that */
 	if (!skcrl && crl)
@@ -1586,7 +1555,7 @@ done:
 
 /* Check CRL validity */
 static int
-check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 {
 	X509 *issuer = NULL;
 	EVP_PKEY *ikey = NULL;
@@ -1689,7 +1658,7 @@ err:
 
 /* Check certificate against CRL */
 static int
-cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 {
 	int ok;
 	X509_REVOKED *rev;
@@ -1756,12 +1725,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 	return 1;
 }
 
-static int
-check_policy(X509_STORE_CTX *ctx)
-{
-	return x509_vfy_check_policy(ctx);
-}
-
 /*
  * Inform the verify callback of an error.
  *
@@ -2338,52 +2301,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf,
 	else
 		ctx->verify_cb = null_callback;
 
-	if (store && store->get_issuer)
-		ctx->get_issuer = store->get_issuer;
-	else
-		ctx->get_issuer = X509_STORE_CTX_get1_issuer;
-
-	if (store && store->check_issued)
-		ctx->check_issued = store->check_issued;
-	else
-		ctx->check_issued = check_issued;
-
-	if (store && store->check_revocation)
-		ctx->check_revocation = store->check_revocation;
-	else
-		ctx->check_revocation = check_revocation;
-
-	if (store && store->get_crl)
-		ctx->get_crl = store->get_crl;
-	else
-		ctx->get_crl = NULL;
-
-	if (store && store->check_crl)
-		ctx->check_crl = store->check_crl;
-	else
-		ctx->check_crl = check_crl;
-
-	if (store && store->cert_crl)
-		ctx->cert_crl = store->cert_crl;
-	else
-		ctx->cert_crl = cert_crl;
-
-	ctx->check_policy = check_policy;
-
-	if (store && store->lookup_certs)
-		ctx->lookup_certs = store->lookup_certs;
-	else
-		ctx->lookup_certs = X509_STORE_CTX_get1_certs;
-
-	if (store && store->lookup_crls)
-		ctx->lookup_crls = store->lookup_crls;
-	else
-		ctx->lookup_crls = X509_STORE_CTX_get1_crls;
-
-	if (store && store->cleanup)
-		ctx->cleanup = store->cleanup;
-	else
-		ctx->cleanup = NULL;
+	ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+	ctx->check_issued = check_issued;
 
 	ctx->param = X509_VERIFY_PARAM_new();
 	if (!ctx->param) {
@@ -2432,15 +2351,13 @@ void
 X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
 {
 	ctx->trusted = trusted;
-	ctx->get_issuer = get_trusted_issuer;
+	ctx->get_issuer = x509_vfy_get_trusted_issuer;
 }
 LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack);
 
 void
 X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 {
-	if (ctx->cleanup)
-		ctx->cleanup(ctx);
 	if (ctx->param != NULL) {
 		if (ctx->parent == NULL)
 			X509_VERIFY_PARAM_free(ctx->param);