sync with OpenBSD -current

lib/libcrypto/ct/ct_x509v3.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */
+/*	$OpenBSD: ct_x509v3.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -128,59 +128,74 @@ ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
 	return s;
 }
 
-/* Handlers for X509v3/OCSP Certificate Transparency extensions */
-const X509V3_EXT_METHOD v3_ct_scts[3] = {
-	/* X509v3 extension in certificates that contains SCTs */
-	[0] = {
-		.ext_nid = NID_ct_precert_scts,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-		.d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
-		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-
-	/* X509v3 extension to mark a certificate as a pre-certificate */
-	[1] = {
-		.ext_nid = NID_ct_precert_poison,
-		.ext_flags = 0,
-		.it = &ASN1_NULL_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = i2s_poison,
-		.s2i = s2i_poison,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-
-	/* OCSP extension that contains SCTs */
-	[2] = {
-		.ext_nid = NID_ct_cert_scts,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-		.d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
-		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+/* X509v3 extension in certificates that contains SCTs */
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_scts = {
+	.ext_nid = NID_ct_precert_scts,
+	.ext_flags = 0,
+	.it = NULL,
+	.ext_new = NULL,
+	.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+	.d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
+	.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_scts(void)
+{
+	return &x509v3_ext_ct_precert_scts;
+}
+
+/* X509v3 extension to mark a certificate as a pre-certificate */
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_poison = {
+	.ext_nid = NID_ct_precert_poison,
+	.ext_flags = 0,
+	.it = &ASN1_NULL_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = i2s_poison,
+	.s2i = s2i_poison,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_poison(void)
+{
+	return &x509v3_ext_ct_precert_poison;
+}
+
+/* OCSP extension that contains SCTs */
+static const X509V3_EXT_METHOD x509v3_ext_ct_cert_scts = {
+	.ext_nid = NID_ct_cert_scts,
+	.ext_flags = 0,
+	.it = NULL,
+	.ext_new = NULL,
+	.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+	.d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
+	.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_cert_scts(void)
+{
+	return &x509v3_ext_ct_cert_scts;
+}

lib/libcrypto/hidden/crypto_namespace.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_namespace.h,v 1.3 2024/03/30 10:09:43 tb Exp $	*/
+/*	$OpenBSD: crypto_namespace.h,v 1.4 2024/07/11 21:31:52 miod Exp $	*/
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -31,7 +31,11 @@
 				typeof(x) x asm("_lcry_"#x)
 #  define LCRYPTO_USED(x)	__attribute__((visibility("hidden")))	\
 				typeof(x) x asm("_lcry_"#x)
+#  if defined(__hppa__)
+#  define LCRYPTO_ALIAS1(pre,x)	asm("! .global "#pre#x" ! .set "#pre#x", _lcry_"#x)
+#else
 #  define LCRYPTO_ALIAS1(pre,x)	asm(".global "#pre#x"; "#pre#x" = _lcry_"#x)
+#endif
 #  define LCRYPTO_ALIAS(x)	LCRYPTO_ALIAS1(,x); LCRYPTO_ALIAS1(_libre_,x)
 #else
 #  define LCRYPTO_UNUSED(x)	typeof(x) x __attribute__((deprecated))

lib/libcrypto/ocsp/ocsp_vfy.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
 			goto end;
 
 		x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-		if (X509_check_trust(x, NID_OCSP_sign, 0) !=
-			X509_TRUST_TRUSTED) {
+		if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
+		    X509_TRUST_TRUSTED) {
 			OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
 			goto end;
 		}

lib/libcrypto/x509/x509_addr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.92 2024/07/08 14:47:44 beck Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1714,7 +1714,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
  * OpenSSL dispatch
  */
-const X509V3_EXT_METHOD v3_addr = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_ipAddrBlock = {
 	.ext_nid = NID_sbgp_ipAddrBlock,
 	.ext_flags = 0,
 	.it = &IPAddrBlocks_it,
@@ -1731,6 +1731,12 @@ const X509V3_EXT_METHOD v3_addr = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_ipAddrBlock(void)
+{
+	return &x509v3_ext_sbgp_ipAddrBlock;
+}
+
 /*
  * Figure out whether extension uses inheritance.
  */

lib/libcrypto/x509/x509_akey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_akey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_authority_key_identifier = {
 	.ext_nid = NID_authority_key_identifier,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_KEYID_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_akey_id = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_authority_key_identifier(void)
+{
+	return &x509v3_ext_authority_key_identifier;
+}
+
 static STACK_OF(CONF_VALUE) *
 i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
     STACK_OF(CONF_VALUE) *extlist)

lib/libcrypto/x509/x509_alt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.16 2023/08/30 00:49:32 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.17 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -74,57 +74,75 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
 
-const X509V3_EXT_METHOD v3_alt[] = {
-	{
-		.ext_nid = NID_subject_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_issuer_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_certificate_issuer,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+static const X509V3_EXT_METHOD x509v3_ext_subject_alt_name = {
+	.ext_nid = NID_subject_alt_name,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_alt_name(void)
+{
+	return &x509v3_ext_subject_alt_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_issuer_alt_name = {
+	.ext_nid = NID_issuer_alt_name,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuer_alt_name(void)
+{
+	return &x509v3_ext_issuer_alt_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_certificate_issuer = {
+	.ext_nid = NID_certificate_issuer,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_issuer(void)
+{
+	return &x509v3_ext_certificate_issuer;
+}
+
 STACK_OF(CONF_VALUE) *
 i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
     STACK_OF(CONF_VALUE) *ret)

lib/libcrypto/x509/x509_asid.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_asid.c,v 1.44 2024/07/08 14:47:44 beck Exp $ */
+/*	$OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -946,7 +946,7 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
  * OpenSSL dispatch.
  */
-const X509V3_EXT_METHOD v3_asid = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = {
 	.ext_nid = NID_sbgp_autonomousSysNum,
 	.ext_flags = 0,
 	.it = &ASIdentifiers_it,
@@ -963,6 +963,12 @@ const X509V3_EXT_METHOD v3_asid = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_autonomousSysNum(void)
+{
+	return &x509v3_ext_sbgp_autonomousSysNum;
+}
+
 /*
  * Figure out whether extension uses inheritance.
  */

lib/libcrypto/x509/x509_bcons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
 static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_bcons = {
+static const X509V3_EXT_METHOD x509v3_ext_basic_constraints = {
 	.ext_nid = NID_basic_constraints,
 	.ext_flags = 0,
 	.it = &BASIC_CONSTRAINTS_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_bcons = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_basic_constraints(void)
+{
+	return &x509v3_ext_basic_constraints;
+}
+
 static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_bitst.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -102,7 +102,7 @@ static BIT_STRING_BITNAME crl_reasons[] = {
 	{-1, NULL, NULL}
 };
 
-const X509V3_EXT_METHOD v3_nscert = {
+static const X509V3_EXT_METHOD x509v3_ext_netscape_cert_type = {
 	.ext_nid = NID_netscape_cert_type,
 	.ext_flags = 0,
 	.it = &ASN1_BIT_STRING_it,
@@ -119,7 +119,13 @@ const X509V3_EXT_METHOD v3_nscert = {
 	.usr_data = ns_cert_type_table,
 };
 
-const X509V3_EXT_METHOD v3_key_usage = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_cert_type(void)
+{
+	return &x509v3_ext_netscape_cert_type;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_key_usage = {
 	.ext_nid = NID_key_usage,
 	.ext_flags = 0,
 	.it = &ASN1_BIT_STRING_it,
@@ -136,7 +142,13 @@ const X509V3_EXT_METHOD v3_key_usage = {
 	.usr_data = key_usage_type_table,
 };
 
-const X509V3_EXT_METHOD v3_crl_reason = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_key_usage(void)
+{
+	return &x509v3_ext_key_usage;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_crl_reason = {
 	.ext_nid = NID_crl_reason,
 	.ext_flags = 0,
 	.it = &ASN1_ENUMERATED_it,
@@ -153,6 +165,12 @@ const X509V3_EXT_METHOD v3_crl_reason = {
 	.usr_data = crl_reasons,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_reason(void)
+{
+	return &x509v3_ext_crl_reason;
+}
+
 STACK_OF(CONF_VALUE) *
 i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
     STACK_OF(CONF_VALUE) *ret)

lib/libcrypto/x509/x509_cpols.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.12 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.13 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -82,7 +82,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *unot, int ia5org);
 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
 
-const X509V3_EXT_METHOD v3_cpols = {
+static const X509V3_EXT_METHOD x509v3_ext_certificate_policies = {
 	.ext_nid = NID_certificate_policies,
 	.ext_flags = 0,
 	.it = &CERTIFICATEPOLICIES_it,
@@ -99,6 +99,12 @@ const X509V3_EXT_METHOD v3_cpols = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_policies(void)
+{
+	return &x509v3_ext_certificate_policies;
+}
+
 static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
 	.flags = ASN1_TFLG_SEQUENCE_OF,
 	.tag = 0,

lib/libcrypto/x509/x509_crld.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.6 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -72,7 +72,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
     int indent);
 
-const X509V3_EXT_METHOD v3_crld = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_distribution_points = {
 	.ext_nid = NID_crl_distribution_points,
 	.ext_flags = 0,
 	.it = &CRL_DIST_POINTS_it,
@@ -89,7 +89,13 @@ const X509V3_EXT_METHOD v3_crld = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_freshest_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_distribution_points(void)
+{
+	return &x509v3_ext_crl_distribution_points;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_freshest_crl = {
 	.ext_nid = NID_freshest_crl,
 	.ext_flags = 0,
 	.it = &CRL_DIST_POINTS_it,
@@ -106,6 +112,12 @@ const X509V3_EXT_METHOD v3_freshest_crl = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_freshest_crl(void)
+{
+	return &x509v3_ext_freshest_crl;
+}
+
 static STACK_OF(GENERAL_NAME) *
 gnames_from_sectname(X509V3_CTX *ctx, char *sect)
 {
@@ -655,17 +667,29 @@ static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
 static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *nval);
 
-const X509V3_EXT_METHOD v3_idp = {
-	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
-	&ISSUING_DIST_POINT_it,
-	0, 0, 0, 0,
-	0, 0,
-	0,
-	v2i_idp,
-	i2r_idp, 0,
-	NULL
+static const X509V3_EXT_METHOD x509v3_ext_issuing_distribution_point = {
+	.ext_nid = NID_issuing_distribution_point,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &ISSUING_DIST_POINT_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = v2i_idp,
+	.i2r = i2r_idp,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuing_distribution_point(void)
+{
+	return &x509v3_ext_issuing_distribution_point;
+}
+
 static void *
 v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *nval)

lib/libcrypto/x509/x509_extku.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
     const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
 
-const X509V3_EXT_METHOD v3_ext_ku = {
+static const X509V3_EXT_METHOD x509v3_ext_ext_key_usage = {
 	.ext_nid = NID_ext_key_usage,
 	.ext_flags = 0,
 	.it = &EXTENDED_KEY_USAGE_it,
@@ -85,8 +85,14 @@ const X509V3_EXT_METHOD v3_ext_ku = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ext_key_usage(void)
+{
+	return &x509v3_ext_ext_key_usage;
+}
+
 /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-const X509V3_EXT_METHOD v3_ocsp_accresp = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_acceptableResponses = {
 	.ext_nid = NID_id_pkix_OCSP_acceptableResponses,
 	.ext_flags = 0,
 	.it = &EXTENDED_KEY_USAGE_it,
@@ -103,6 +109,12 @@ const X509V3_EXT_METHOD v3_ocsp_accresp = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_acceptableResponses;
+}
+
 static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
 	.flags = ASN1_TFLG_SEQUENCE_OF,
 	.tag = 0,

lib/libcrypto/x509/x509_ia5.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -68,137 +68,167 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
 
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
-	{
-		.ext_nid = NID_netscape_base_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_renewal_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_policy_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ssl_server_name,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_comment,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = -1,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+static const X509V3_EXT_METHOD x509v3_ext_netscape_base_url = {
+	.ext_nid = NID_netscape_base_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_base_url(void)
+{
+	return &x509v3_ext_netscape_base_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_revocation_url = {
+	.ext_nid = NID_netscape_revocation_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_revocation_url(void)
+{
+	return &x509v3_ext_netscape_revocation_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_revocation_url = {
+	.ext_nid = NID_netscape_ca_revocation_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_revocation_url(void)
+{
+	return &x509v3_ext_netscape_ca_revocation_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_renewal_url = {
+	.ext_nid = NID_netscape_renewal_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_renewal_url(void)
+{
+	return &x509v3_ext_netscape_renewal_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_policy_url = {
+	.ext_nid = NID_netscape_ca_policy_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_policy_url(void)
+{
+	return &x509v3_ext_netscape_ca_policy_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ssl_server_name = {
+	.ext_nid = NID_netscape_ssl_server_name,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ssl_server_name(void)
+{
+	return &x509v3_ext_netscape_ssl_server_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_comment = {
+	.ext_nid = NID_netscape_comment,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_comment(void)
+{
+	return &x509v3_ext_netscape_comment;
+}
+
 static char *
 i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
 {

lib/libcrypto/x509/x509_info.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -71,7 +71,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
 static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
     X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
-const X509V3_EXT_METHOD v3_info = {
+static const X509V3_EXT_METHOD x509v3_ext_info_access = {
 	.ext_nid = NID_info_access,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_INFO_ACCESS_it,
@@ -88,7 +88,13 @@ const X509V3_EXT_METHOD v3_info = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_sinfo = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_info_access(void)
+{
+	return &x509v3_ext_info_access;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_sinfo_access = {
 	.ext_nid = NID_sinfo_access,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_INFO_ACCESS_it,
@@ -105,6 +111,12 @@ const X509V3_EXT_METHOD v3_sinfo = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sinfo_access(void)
+{
+	return &x509v3_ext_sinfo_access;
+}
+
 static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_int.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_int.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,7 +60,7 @@
 
 #include <openssl/x509v3.h>
 
-const X509V3_EXT_METHOD v3_crl_num = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_number = {
 	.ext_nid = NID_crl_number,
 	.ext_flags = 0,
 	.it = &ASN1_INTEGER_it,
@@ -77,7 +77,13 @@ const X509V3_EXT_METHOD v3_crl_num = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_delta_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_number(void)
+{
+	return &x509v3_ext_crl_number;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_delta_crl = {
 	.ext_nid = NID_delta_crl,
 	.ext_flags = 0,
 	.it = &ASN1_INTEGER_it,
@@ -94,17 +100,37 @@ const X509V3_EXT_METHOD v3_delta_crl = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_delta_crl(void)
+{
+	return &x509v3_ext_delta_crl;
+}
+
 static void *
 s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
 {
 	return s2i_ASN1_INTEGER(meth, value);
 }
 
-const X509V3_EXT_METHOD v3_inhibit_anyp = {
-	NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
-	0, 0, 0, 0,
-	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-	(X509V3_EXT_S2I)s2i_asn1_int,
-	0, 0, 0, 0,
-	NULL
+static const X509V3_EXT_METHOD x509v3_ext_inhibit_any_policy = {
+	.ext_nid = NID_inhibit_any_policy,
+	.ext_flags = 0,
+	.it = &ASN1_INTEGER_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	.s2i = (X509V3_EXT_S2I)s2i_asn1_int,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_inhibit_any_policy(void)
+{
+	return &x509v3_ext_inhibit_any_policy;
+}

lib/libcrypto/x509/x509_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,89 +65,104 @@
 
 #include "x509_local.h"
 
-extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
-extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern const X509V3_EXT_METHOD v3_crl_hold;
-extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern const X509V3_EXT_METHOD v3_addr, v3_asid;
-extern const X509V3_EXT_METHOD v3_ct_scts[3];
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-	&v3_nscert,
-	&v3_ns_ia5_list[0],
-	&v3_ns_ia5_list[1],
-	&v3_ns_ia5_list[2],
-	&v3_ns_ia5_list[3],
-	&v3_ns_ia5_list[4],
-	&v3_ns_ia5_list[5],
-	&v3_ns_ia5_list[6],
-	&v3_skey_id,
-	&v3_key_usage,
-	&v3_pkey_usage_period,
-	&v3_alt[0],
-	&v3_alt[1],
-	&v3_bcons,
-	&v3_crl_num,
-	&v3_cpols,
-	&v3_akey_id,
-	&v3_crld,
-	&v3_ext_ku,
-	&v3_delta_crl,
-	&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_invdate,
-#endif
-	&v3_info,
-#ifndef OPENSSL_NO_RFC3779
-	&v3_addr,
-	&v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
-	&v3_ocsp_nonce,
-	&v3_ocsp_crlid,
-	&v3_ocsp_accresp,
-	&v3_ocsp_nocheck,
-	&v3_ocsp_acutoff,
-	&v3_ocsp_serviceloc,
-#endif
-	&v3_sinfo,
-	&v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_hold,
-#endif
-	&v3_name_constraints,
-	&v3_policy_mappings,
-	&v3_inhibit_anyp,
-	&v3_idp,
-	&v3_alt[2],
-	&v3_freshest_crl,
-#ifndef OPENSSL_NO_CT
-	&v3_ct_scts[0],
-	&v3_ct_scts[1],
-	&v3_ct_scts[2],
-#endif
-};
-
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
-
 const X509V3_EXT_METHOD *
 X509V3_EXT_get_nid(int nid)
 {
-	size_t i;
-
-	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
-		if (standard_exts[i]->ext_nid == nid)
-			return standard_exts[i];
+	switch (nid) {
+	case NID_authority_key_identifier:
+		return x509v3_ext_method_authority_key_identifier();
+	case NID_basic_constraints:
+		return x509v3_ext_method_basic_constraints();
+	case NID_certificate_issuer:
+		return x509v3_ext_method_certificate_issuer();
+	case NID_certificate_policies:
+		return x509v3_ext_method_certificate_policies();
+	case NID_crl_distribution_points:
+		return x509v3_ext_method_crl_distribution_points();
+	case NID_crl_number:
+		return x509v3_ext_method_crl_number();
+	case NID_crl_reason:
+		return x509v3_ext_method_crl_reason();
+#ifndef OPENSSL_NO_CT
+	case NID_ct_cert_scts:
+		return x509v3_ext_method_ct_cert_scts();
+	case NID_ct_precert_poison:
+		return x509v3_ext_method_ct_precert_poison();
+	case NID_ct_precert_scts:
+		return x509v3_ext_method_ct_precert_scts();
+#endif
+	case NID_delta_crl:
+		return x509v3_ext_method_delta_crl();
+	case NID_ext_key_usage:
+		return x509v3_ext_method_ext_key_usage();
+	case NID_freshest_crl:
+		return x509v3_ext_method_freshest_crl();
+#ifndef OPENSSL_NO_OCSP
+	case NID_hold_instruction_code:
+		return x509v3_ext_method_hold_instruction_code();
+	case NID_id_pkix_OCSP_CrlID:
+		return x509v3_ext_method_id_pkix_OCSP_CrlID();
+	case NID_id_pkix_OCSP_Nonce:
+		return x509v3_ext_method_id_pkix_OCSP_Nonce();
+	case NID_id_pkix_OCSP_acceptableResponses:
+		return x509v3_ext_method_id_pkix_OCSP_acceptableResponses();
+	case NID_id_pkix_OCSP_archiveCutoff:
+		return x509v3_ext_method_id_pkix_OCSP_archiveCutoff();
+	case NID_id_pkix_OCSP_serviceLocator:
+		return x509v3_ext_method_id_pkix_OCSP_serviceLocator();
+#endif
+	case NID_info_access:
+		return x509v3_ext_method_info_access();
+	case NID_inhibit_any_policy:
+		return x509v3_ext_method_inhibit_any_policy();
+	case NID_invalidity_date:
+		return x509v3_ext_method_invalidity_date();
+	case NID_issuer_alt_name:
+		return x509v3_ext_method_issuer_alt_name();
+	case NID_issuing_distribution_point:
+		return x509v3_ext_method_issuing_distribution_point();
+	case NID_key_usage:
+		return x509v3_ext_method_key_usage();
+	case NID_name_constraints:
+		return x509v3_ext_method_name_constraints();
+	case NID_netscape_base_url:
+		return x509v3_ext_method_netscape_base_url();
+	case NID_netscape_ca_policy_url:
+		return x509v3_ext_method_netscape_ca_policy_url();
+	case NID_netscape_ca_revocation_url:
+		return x509v3_ext_method_netscape_ca_revocation_url();
+	case NID_netscape_cert_type:
+		return x509v3_ext_method_netscape_cert_type();
+	case NID_netscape_comment:
+		return x509v3_ext_method_netscape_comment();
+	case NID_netscape_renewal_url:
+		return x509v3_ext_method_netscape_renewal_url();
+	case NID_netscape_revocation_url:
+		return x509v3_ext_method_netscape_revocation_url();
+	case NID_netscape_ssl_server_name:
+		return x509v3_ext_method_netscape_ssl_server_name();
+	case NID_policy_constraints:
+		return x509v3_ext_method_policy_constraints();
+	case NID_policy_mappings:
+		return x509v3_ext_method_policy_mappings();
+	case NID_private_key_usage_period:
+		return x509v3_ext_method_private_key_usage_period();
+#ifndef OPENSSL_NO_RFC3779
+	case NID_sbgp_ipAddrBlock:
+		return x509v3_ext_method_sbgp_ipAddrBlock();
+	case NID_sbgp_autonomousSysNum:
+		return x509v3_ext_method_sbgp_autonomousSysNum();
+#endif
+	case NID_sinfo_access:
+		return x509v3_ext_method_sinfo_access();
+	case NID_subject_alt_name:
+		return x509v3_ext_method_subject_alt_name();
+	case NID_subject_key_identifier:
+		return x509v3_ext_method_subject_key_identifier();
+	default:
+		return NULL;
 	}
-
-	return NULL;
-}
+};
 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
 
 const X509V3_EXT_METHOD *

lib/libcrypto/x509/x509_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */
+/*	$OpenBSD: x509_local.h,v 1.26 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -71,6 +71,14 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP	EVP_sha512()
 #define X509_CRL_HASH_LEN	SHA512_DIGEST_LENGTH
 
+/*
+ * Used internally instead of the confusing X509_TRUST_DEFAULT,
+ * which is not the default for X509_check_trust.
+ * XXX Make X509_check_trust internal, and move the other
+ * X509_TRUST values here to clean up this mess.
+ */
+#define X509_TRUST_ACCEPT_ALL	-1
+
 struct X509_pubkey_st {
 	X509_ALGOR *algor;
 	ASN1_BIT_STRING *public_key;
@@ -410,6 +418,49 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
 int X509_PURPOSE_get_by_id(int id);
 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
 
+const X509V3_EXT_METHOD *x509v3_ext_method_authority_key_identifier(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_basic_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_issuer(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_policies(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_distribution_points(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_number(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_reason(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_cert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_poison(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_delta_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ext_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_freshest_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_hold_instruction_code(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_CrlID(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_Nonce(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_serviceLocator(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_info_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_inhibit_any_policy(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_invalidity_date(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuer_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuing_distribution_point(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_name_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_base_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_policy_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_cert_type(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_comment(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_renewal_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ssl_server_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_mappings(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_private_key_usage_period(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_ipAddrBlock(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_autonomousSysNum(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sinfo_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_key_identifier(void);
+
 __END_HIDDEN_DECLS
 
 #endif /* !HEADER_X509_LOCAL_H */

lib/libcrypto/x509/x509_ncons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.10 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -81,7 +81,7 @@ static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
 static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
 static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
 
-const X509V3_EXT_METHOD v3_name_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_name_constraints = {
 	.ext_nid = NID_name_constraints,
 	.ext_flags = 0,
 	.it = &NAME_CONSTRAINTS_it,
@@ -98,6 +98,12 @@ const X509V3_EXT_METHOD v3_name_constraints = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_name_constraints(void)
+{
+	return &x509v3_ext_name_constraints;
+}
+
 static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_ocsp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.2 2022/01/07 09:45:52 tb Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.3 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -95,7 +95,7 @@ static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
 static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
     BIO *bp, int ind);
 
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_CrlID = {
 	.ext_nid = NID_id_pkix_OCSP_CrlID,
 	.ext_flags = 0,
 	.it = &OCSP_CRLID_it,
@@ -112,7 +112,13 @@ const X509V3_EXT_METHOD v3_ocsp_crlid = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_CrlID(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_CrlID;
+}
+
+const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {
 	.ext_nid = NID_id_pkix_OCSP_archiveCutoff,
 	.ext_flags = 0,
 	.it = &ASN1_GENERALIZEDTIME_it,
@@ -129,7 +135,13 @@ const X509V3_EXT_METHOD v3_ocsp_acutoff = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_crl_invdate = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_archiveCutoff;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_invalidity_date = {
 	.ext_nid = NID_invalidity_date,
 	.ext_flags = 0,
 	.it = &ASN1_GENERALIZEDTIME_it,
@@ -146,7 +158,13 @@ const X509V3_EXT_METHOD v3_crl_invdate = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_crl_hold = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_invalidity_date(void)
+{
+	return &x509v3_ext_invalidity_date;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_hold_instruction_code = {
 	.ext_nid = NID_hold_instruction_code,
 	.ext_flags = 0,
 	.it = &ASN1_OBJECT_it,
@@ -163,7 +181,13 @@ const X509V3_EXT_METHOD v3_crl_hold = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_hold_instruction_code(void)
+{
+	return &x509v3_ext_hold_instruction_code;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_Nonce = {
 	.ext_nid = NID_id_pkix_OCSP_Nonce,
 	.ext_flags = 0,
 	.it = NULL,
@@ -180,7 +204,13 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_Nonce(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_Nonce;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_noCheck = {
 	.ext_nid = NID_id_pkix_OCSP_noCheck,
 	.ext_flags = 0,
 	.it = &ASN1_NULL_it,
@@ -197,7 +227,13 @@ const X509V3_EXT_METHOD v3_ocsp_nocheck = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_noCheck(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_noCheck;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_serviceLocator = {
 	.ext_nid = NID_id_pkix_OCSP_serviceLocator,
 	.ext_flags = 0,
 	.it = &OCSP_SERVICELOC_it,
@@ -214,6 +250,12 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_serviceLocator(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_serviceLocator;
+}
+
 static int
 i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
 {

lib/libcrypto/x509/x509_pcons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -71,7 +71,7 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
 static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_policy_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_constraints = {
 	.ext_nid = NID_policy_constraints,
 	.ext_flags = 0,
 	.it = &POLICY_CONSTRAINTS_it,
@@ -88,6 +88,12 @@ const X509V3_EXT_METHOD v3_policy_constraints = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_constraints(void)
+{
+	return &x509v3_ext_policy_constraints;
+}
+
 static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_pku.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,7 +65,7 @@
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
     PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
 
-const X509V3_EXT_METHOD v3_pkey_usage_period = {
+static const X509V3_EXT_METHOD x509v3_ext_private_key_usage_period = {
 	.ext_nid = NID_private_key_usage_period,
 	.ext_flags = 0,
 	.it = &PKEY_USAGE_PERIOD_it,
@@ -82,6 +82,12 @@ const X509V3_EXT_METHOD v3_pkey_usage_period = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_private_key_usage_period(void)
+{
+	return &x509v3_ext_private_key_usage_period;
+}
+
 static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_pmaps.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -69,7 +69,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
     const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
 
-const X509V3_EXT_METHOD v3_policy_mappings = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_mappings = {
 	.ext_nid = NID_policy_mappings,
 	.ext_flags = 0,
 	.it = &POLICY_MAPPINGS_it,
@@ -86,6 +86,12 @@ const X509V3_EXT_METHOD v3_policy_mappings = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_mappings(void)
+{
+	return &x509v3_ext_policy_mappings;
+}
+
 static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_purp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.42 2024/05/15 18:10:03 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -150,7 +150,7 @@ static const X509_PURPOSE xstandard[] = {
 	},
 	{
 		.purpose = X509_PURPOSE_ANY,
-		.trust = X509_TRUST_DEFAULT,
+		.trust = X509_TRUST_ACCEPT_ALL,
 		.check_purpose = no_check,
 		.name = "Any Purpose",
 		.sname = "any",

lib/libcrypto/x509/x509_skey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -67,7 +67,7 @@
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
 
-const X509V3_EXT_METHOD v3_skey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_subject_key_identifier = {
 	.ext_nid = NID_subject_key_identifier,
 	.ext_flags = 0,
 	.it = &ASN1_OCTET_STRING_it,
@@ -84,6 +84,12 @@ const X509V3_EXT_METHOD v3_skey_id = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_key_identifier(void)
+{
+	return &x509v3_ext_subject_key_identifier;
+}
+
 char *
 i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
 {

lib/libcrypto/x509/x509_trs.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.55 2024/03/26 22:43:42 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -66,6 +66,23 @@
 #include "x509_internal.h"
 #include "x509_local.h"
 
+static int
+trust_if_self_signed(const X509 *x)
+{
+	/* Extensions already cached in X509_check_trust(). */
+	if ((x->ex_flags & EXFLAG_SS) != 0)
+		return X509_TRUST_TRUSTED;
+
+	return X509_TRUST_UNTRUSTED;
+}
+
+static int
+trust_was_set(const X509 *x)
+{
+	return x->aux != NULL && (x->aux->trust != NULL ||
+	    x->aux->reject != NULL);
+}
+
 static int
 obj_trust(int id, const X509 *x)
 {
@@ -94,33 +111,31 @@ obj_trust(int id, const X509 *x)
 }
 
 static int
-trust_compat(int nid, const X509 *x)
+nid_from_trust_id(int trust_id)
 {
-	/* Extensions already cached in X509_check_trust(). */
-	if ((x->ex_flags & EXFLAG_SS) != 0)
-		return X509_TRUST_TRUSTED;
+	OPENSSL_assert(trust_id == 0 ||
+	    (trust_id >= X509_TRUST_MIN && trust_id <= X509_TRUST_MAX));
 
-	return X509_TRUST_UNTRUSTED;
-}
-
-static int
-trust_1oidany(int nid, const X509 *x)
-{
-	/* Inspect the certificate's trust settings if there are any. */
-	if (x->aux != NULL && (x->aux->trust != NULL || x->aux->reject != NULL))
-		return obj_trust(nid, x);
-
-	/* For compatibility we return trusted if the cert is self signed. */
-	return trust_compat(NID_undef, x);
-}
-
-static int
-trust_1oid(int nid, const X509 *x)
-{
-	if (x->aux != NULL)
-		return obj_trust(nid, x);
-
-	return X509_TRUST_UNTRUSTED;
+	switch (trust_id) {
+	case X509_TRUST_COMPAT:
+		return NID_undef;
+	case X509_TRUST_SSL_CLIENT:
+		return NID_client_auth;
+	case X509_TRUST_SSL_SERVER:
+		return NID_server_auth;
+	case X509_TRUST_EMAIL:
+		return NID_email_protect;
+	case X509_TRUST_OBJECT_SIGN:
+		return NID_code_sign;
+	case X509_TRUST_OCSP_SIGN:
+		return NID_OCSP_sign;
+	case X509_TRUST_OCSP_REQUEST:
+		return NID_ad_OCSP;
+	case X509_TRUST_TSA:
+		return NID_time_stamp;
+	default:
+		return NID_undef;
+	}
 }
 
 int
@@ -128,46 +143,36 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 {
 	int rv;
 
-	if (trust_id == -1)
-		return 1;
-
 	/* Call early so the trust handlers don't need to modify the certs. */
 	if (!x509v3_cache_extensions(x))
 		return X509_TRUST_UNTRUSTED;
 
+	/*
+	 * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
+	 * need to have the same -1 value as X509_TRUST_DEFAULT
+	 */
+	if (trust_id == X509_TRUST_ACCEPT_ALL)
+		return 1;
+
 	switch (trust_id) {
-	case 0:
-		/*
-		 * XXX beck/jsing This enables self signed certs to be trusted
-		 * for an unspecified id/trust flag value (this is NOT the
-		 * X509_TRUST_DEFAULT), which was the longstanding openssl
-		 * behaviour. boringssl does not have this behaviour.
-		 *
-		 * This should be revisited, but changing the default
-		 * "not default" may break things.
-		 */
+	case X509_TRUST_COMPAT:
+		return trust_if_self_signed(x);
+	case X509_TRUST_EMAIL:
+	case X509_TRUST_OBJECT_SIGN:
+	case X509_TRUST_SSL_SERVER:
+	case X509_TRUST_SSL_CLIENT:
+	case X509_TRUST_TSA:
+		if (trust_was_set(x))
+			return obj_trust(nid_from_trust_id(trust_id), x);
+		return trust_if_self_signed(x);
+	case X509_TRUST_OCSP_SIGN:
+	case X509_TRUST_OCSP_REQUEST:
+		return obj_trust(nid_from_trust_id(trust_id), x);
+	default:
 		rv = obj_trust(NID_anyExtendedKeyUsage, x);
 		if (rv != X509_TRUST_UNTRUSTED)
 			return rv;
-		return trust_compat(NID_undef, x);
-	case X509_TRUST_COMPAT:
-		return trust_compat(NID_undef, x);
-	case X509_TRUST_SSL_CLIENT:
-		return trust_1oidany(NID_client_auth, x);
-	case X509_TRUST_SSL_SERVER:
-		return trust_1oidany(NID_server_auth, x);
-	case X509_TRUST_EMAIL:
-		return trust_1oidany(NID_email_protect, x);
-	case X509_TRUST_OBJECT_SIGN:
-		return trust_1oidany(NID_code_sign, x);
-	case X509_TRUST_OCSP_SIGN:
-		return trust_1oid(NID_OCSP_sign, x);
-	case X509_TRUST_OCSP_REQUEST:
-		return trust_1oid(NID_ad_OCSP, x);
-	case X509_TRUST_TSA:
-		return trust_1oidany(NID_time_stamp, x);
-	default:
-		return obj_trust(trust_id, x);
+		return trust_if_self_signed(x);
 	}
 }
 LCRYPTO_ALIAS(X509_check_trust);

lib/libcrypto/x509/x509_v3.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.30 2024/05/23 02:00:38 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,7 +60,6 @@
 
 #include <openssl/asn1.h>
 #include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
@@ -69,182 +68,165 @@
 #include "x509_local.h"
 
 int
-X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *sk)
+X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *exts)
 {
-	if (sk == NULL)
+	if (exts == NULL)
 		return 0;
 
-	return sk_X509_EXTENSION_num(sk);
+	return sk_X509_EXTENSION_num(exts);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_count);
 
 int
-X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *sk, int nid, int lastpos)
+X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *exts, int nid, int lastpos)
 {
 	const ASN1_OBJECT *obj;
 
 	if ((obj = OBJ_nid2obj(nid)) == NULL)
 		return -2;
 
-	return X509v3_get_ext_by_OBJ(sk, obj, lastpos);
+	return X509v3_get_ext_by_OBJ(exts, obj, lastpos);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_NID);
 
 int
-X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,
+X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *exts,
     const ASN1_OBJECT *obj, int lastpos)
 {
-	int n;
-	X509_EXTENSION *ext;
-
-	if (sk == NULL)
-		return -1;
-	lastpos++;
-	if (lastpos < 0)
+	if (++lastpos < 0)
 		lastpos = 0;
-	n = sk_X509_EXTENSION_num(sk);
-	for (; lastpos < n; lastpos++) {
-		ext = sk_X509_EXTENSION_value(sk, lastpos);
+
+	for (; lastpos < X509v3_get_ext_count(exts); lastpos++) {
+		const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos);
+
 		if (OBJ_cmp(ext->object, obj) == 0)
 			return lastpos;
 	}
+
 	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_OBJ);
 
 int
-X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
+X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *exts, int critical,
     int lastpos)
 {
-	int n;
-	X509_EXTENSION *ext;
+	critical = (critical != 0);
 
-	if (sk == NULL)
-		return -1;
-	lastpos++;
-	if (lastpos < 0)
+	if (++lastpos < 0)
 		lastpos = 0;
-	n = sk_X509_EXTENSION_num(sk);
-	for (; lastpos < n; lastpos++) {
-		ext = sk_X509_EXTENSION_value(sk, lastpos);
-		if ((ext->critical > 0 && crit) ||
-		    (ext->critical <= 0 && !crit))
+
+	for (; lastpos < X509v3_get_ext_count(exts); lastpos++) {
+		const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos);
+
+		if (X509_EXTENSION_get_critical(ext) == critical)
 			return lastpos;
 	}
+
 	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_critical);
 
 X509_EXTENSION *
-X509v3_get_ext(const STACK_OF(X509_EXTENSION) *sk, int loc)
+X509v3_get_ext(const STACK_OF(X509_EXTENSION) *exts, int loc)
 {
-	if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0)
-		return NULL;
-
-	return sk_X509_EXTENSION_value(sk, loc);
+	return sk_X509_EXTENSION_value(exts, loc);
 }
 LCRYPTO_ALIAS(X509v3_get_ext);
 
 X509_EXTENSION *
-X509v3_delete_ext(STACK_OF(X509_EXTENSION) *sk, int loc)
+X509v3_delete_ext(STACK_OF(X509_EXTENSION) *exts, int loc)
 {
-	if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0)
-		return NULL;
-
-	return sk_X509_EXTENSION_delete(sk, loc);
+	return sk_X509_EXTENSION_delete(exts, loc);
 }
 LCRYPTO_ALIAS(X509v3_delete_ext);
 
 STACK_OF(X509_EXTENSION) *
-X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ext, int loc)
+X509v3_add_ext(STACK_OF(X509_EXTENSION) **out_exts, X509_EXTENSION *ext, int loc)
 {
+	STACK_OF(X509_EXTENSION) *exts = NULL;
 	X509_EXTENSION *new_ext = NULL;
-	int n;
-	STACK_OF(X509_EXTENSION) *sk = NULL;
 
-	if (x == NULL) {
+	/*
+	 * XXX - Nonsense from the poorly reviewed OpenSSL c755c5fd8ba (2005).
+	 * This check should have been joined with the next check, i.e., if no
+	 * stack was passed in, a new one should be created and returned.
+	 */
+	if (out_exts == NULL) {
 		X509error(ERR_R_PASSED_NULL_PARAMETER);
-		goto err2;
+		goto err;
 	}
 
-	if (*x == NULL) {
-		if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
-			goto err;
-	} else
-		sk= *x;
-
-	n = sk_X509_EXTENSION_num(sk);
-	if (loc > n)
-		loc = n;
-	else if (loc < 0)
-		loc = n;
+	if ((exts = *out_exts) == NULL)
+		exts = sk_X509_EXTENSION_new_null();
+	if (exts == NULL) {
+		X509error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
 	if ((new_ext = X509_EXTENSION_dup(ext)) == NULL)
-		goto err2;
-	if (!sk_X509_EXTENSION_insert(sk, new_ext, loc))
 		goto err;
-	if (*x == NULL)
-		*x = sk;
-	return sk;
+	if (!sk_X509_EXTENSION_insert(exts, new_ext, loc))
+		goto err;
+	new_ext = NULL;
+
+	*out_exts = exts;
+
+	return exts;
 
  err:
-	X509error(ERR_R_MALLOC_FAILURE);
- err2:
-	if (new_ext != NULL)
-		X509_EXTENSION_free(new_ext);
-	if (sk != NULL && x != NULL && sk != *x)
-		sk_X509_EXTENSION_free(sk);
+	X509_EXTENSION_free(new_ext);
+	if (out_exts != NULL && exts != *out_exts)
+		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
 	return NULL;
 }
 LCRYPTO_ALIAS(X509v3_add_ext);
 
 X509_EXTENSION *
-X509_EXTENSION_create_by_NID(X509_EXTENSION **ext, int nid, int crit,
+X509_EXTENSION_create_by_NID(X509_EXTENSION **out_ext, int nid, int critical,
     ASN1_OCTET_STRING *data)
 {
-	ASN1_OBJECT *obj;
-	X509_EXTENSION *ret;
+	const ASN1_OBJECT *obj;
 
-	obj = OBJ_nid2obj(nid);
-	if (obj == NULL) {
+	if ((obj = OBJ_nid2obj(nid)) == NULL) {
 		X509error(X509_R_UNKNOWN_NID);
 		return NULL;
 	}
-	ret = X509_EXTENSION_create_by_OBJ(ext, obj, crit, data);
-	if (ret == NULL)
-		ASN1_OBJECT_free(obj);
-	return ret;
+
+	return X509_EXTENSION_create_by_OBJ(out_ext, obj, critical, data);
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_NID);
 
 X509_EXTENSION *
-X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ext, const ASN1_OBJECT *obj,
-    int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION_create_by_OBJ(X509_EXTENSION **out_ext, const ASN1_OBJECT *obj,
+    int critical, ASN1_OCTET_STRING *data)
 {
-	X509_EXTENSION *ret;
+	X509_EXTENSION *ext;
 
-	if (ext == NULL || *ext == NULL) {
-		if ((ret = X509_EXTENSION_new()) == NULL) {
-			X509error(ERR_R_MALLOC_FAILURE);
-			return NULL;
-		}
-	} else
-		ret= *ext;
+	if (out_ext == NULL || (ext = *out_ext) == NULL)
+		ext = X509_EXTENSION_new();
+	if (ext == NULL) {
+		X509error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
-	if (!X509_EXTENSION_set_object(ret, obj))
+	if (!X509_EXTENSION_set_object(ext, obj))
 		goto err;
-	if (!X509_EXTENSION_set_critical(ret, crit))
+	if (!X509_EXTENSION_set_critical(ext, critical))
 		goto err;
-	if (!X509_EXTENSION_set_data(ret, data))
+	if (!X509_EXTENSION_set_data(ext, data))
 		goto err;
 
-	if (ext != NULL && *ext == NULL)
-		*ext = ret;
-	return ret;
+	if (out_ext != NULL)
+		*out_ext = ext;
+
+	return ext;
 
  err:
-	if (ext == NULL || ret != *ext)
-		X509_EXTENSION_free(ret);
+	if (out_ext == NULL || ext != *out_ext)
+		X509_EXTENSION_free(ext);
+
 	return NULL;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_OBJ);
@@ -256,19 +238,17 @@ X509_EXTENSION_set_object(X509_EXTENSION *ext, const ASN1_OBJECT *obj)
 		return 0;
 
 	ASN1_OBJECT_free(ext->object);
-	ext->object = OBJ_dup(obj);
-
-	return ext->object != NULL;
+	return (ext->object = OBJ_dup(obj)) != NULL;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_set_object);
 
 int
-X509_EXTENSION_set_critical(X509_EXTENSION *ext, int crit)
+X509_EXTENSION_set_critical(X509_EXTENSION *ext, int critical)
 {
 	if (ext == NULL)
 		return 0;
 
-	ext->critical = crit ? 0xFF : -1;
+	ext->critical = critical ? 0xFF : -1;
 
 	return 1;
 }
@@ -309,8 +289,7 @@ X509_EXTENSION_get_critical(const X509_EXTENSION *ext)
 {
 	if (ext == NULL)
 		return 0;
-	if (ext->critical > 0)
-		return 1;
-	return 0;
+
+	return ext->critical > 0;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_get_critical);