sync with OpenBSD -current

lib/libcrypto/crypto_init.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_init.c,v 1.17 2024/01/13 17:04:29 tb Exp $ */
+/*	$OpenBSD: crypto_init.c,v 1.18 2024/01/25 12:22:31 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  *
@@ -81,7 +81,6 @@ OPENSSL_cleanup(void)
 	CRYPTO_cleanup_all_ex_data();
 	EVP_cleanup();
 
-	X509V3_EXT_cleanup();
 	X509_VERIFY_PARAM_table_cleanup();
 
 	x509_issuer_cache_free();

lib/libcrypto/pkcs12/p12_add.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.22 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.23 2024/01/25 13:44:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -124,11 +124,15 @@ LCRYPTO_ALIAS(PKCS12_pack_p7data);
 STACK_OF(PKCS12_SAFEBAG) *
 PKCS12_unpack_p7data(PKCS7 *p7)
 {
+	ASN1_OCTET_STRING *aos;
+
 	if (!PKCS7_type_is_data(p7)) {
 		PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA);
 		return NULL;
 	}
-	return ASN1_item_unpack(p7->d.data, &PKCS12_SAFEBAGS_it);
+	if ((aos = PKCS7_get_octet_string(p7)) == NULL)
+		return NULL;
+	return ASN1_item_unpack(aos, &PKCS12_SAFEBAGS_it);
 }
 LCRYPTO_ALIAS(PKCS12_unpack_p7data);
 
@@ -182,11 +186,16 @@ LCRYPTO_ALIAS(PKCS12_pack_p7encdata);
 STACK_OF(PKCS12_SAFEBAG) *
 PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen)
 {
+	PKCS7_ENC_CONTENT *content;
+
 	if (!PKCS7_type_is_encrypted(p7))
 		return NULL;
-	return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
-	    &PKCS12_SAFEBAGS_it, pass, passlen,
-	    p7->d.encrypted->enc_data->enc_data, 1);
+	if (p7->d.encrypted == NULL)
+		return NULL;
+	if ((content = p7->d.encrypted->enc_data) == NULL)
+		return NULL;
+	return PKCS12_item_decrypt_d2i(content->algorithm, &PKCS12_SAFEBAGS_it,
+	    pass, passlen, content->enc_data, 1);
 }
 LCRYPTO_ALIAS(PKCS12_unpack_p7encdata);
 
@@ -210,11 +219,14 @@ LCRYPTO_ALIAS(PKCS12_pack_authsafes);
 STACK_OF(PKCS7) *
 PKCS12_unpack_authsafes(const PKCS12 *p12)
 {
+	ASN1_OCTET_STRING *aos;
+
 	if (!PKCS7_type_is_data(p12->authsafes)) {
 		PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA);
 		return NULL;
 	}
-	return ASN1_item_unpack(p12->authsafes->d.data,
-	    &PKCS12_AUTHSAFES_it);
+	if ((aos = PKCS7_get_octet_string(p12->authsafes)) == NULL)
+		return NULL;
+	return ASN1_item_unpack(aos, &PKCS12_AUTHSAFES_it);
 }
 LCRYPTO_ALIAS(PKCS12_unpack_authsafes);

lib/libcrypto/pkcs12/p12_mutl.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.35 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.36 2024/01/25 13:44:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -115,6 +115,7 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 {
 	const EVP_MD *md_type;
 	HMAC_CTX *hmac = NULL;
+	ASN1_OCTET_STRING *aos;
 	unsigned char key[EVP_MAX_MD_SIZE], *salt;
 	int saltlen, iter;
 	int md_size;
@@ -124,6 +125,10 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 		PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA);
 		goto err;
 	}
+	if ((aos = PKCS7_get_octet_string(p12->authsafes)) == NULL) {
+		PKCS12error(PKCS12_R_DECODE_ERROR);
+		goto err;
+	}
 
 	salt = p12->mac->salt->data;
 	saltlen = p12->mac->salt->length;
@@ -155,8 +160,7 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 		goto err;
 	if (!HMAC_Init_ex(hmac, key, md_size, md_type, NULL))
 		goto err;
-	if (!HMAC_Update(hmac, p12->authsafes->d.data->data,
-	    p12->authsafes->d.data->length))
+	if (!HMAC_Update(hmac, aos->data, aos->length))
 		goto err;
 	if (!HMAC_Final(hmac, mac, maclen))
 		goto err;

lib/libcrypto/pkcs12/p12_npas.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_npas.c,v 1.18 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: p12_npas.c,v 1.27 2024/01/25 15:33:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -68,130 +68,68 @@
 
 /* PKCS#12 password change routine */
 
-static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass);
-static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
-    const char *newpass);
-static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
-    const char *newpass);
-static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
-
-/*
- * Change the password on a PKCS#12 structure.
- */
-
-int
-PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass)
-{
-	/* Check for NULL PKCS12 structure */
-
-	if (!p12) {
-		PKCS12error(PKCS12_R_INVALID_NULL_PKCS12_POINTER);
-		return 0;
-	}
-
-	/* Check the mac */
-
-	if (!PKCS12_verify_mac(p12, oldpass, -1)) {
-		PKCS12error(PKCS12_R_MAC_VERIFY_FAILURE);
-		return 0;
-	}
-
-	if (!newpass_p12(p12, oldpass, newpass)) {
-		PKCS12error(PKCS12_R_PARSE_ERROR);
-		return 0;
-	}
-
-	return 1;
-}
-LCRYPTO_ALIAS(PKCS12_newpass);
-
-/* Parse the outer PKCS#12 structure */
-
 static int
-newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
+alg_get(X509_ALGOR *alg, int *nid, int *iter, int *salt_len)
 {
-	STACK_OF(PKCS7) *asafes, *newsafes;
-	STACK_OF(PKCS12_SAFEBAG) *bags;
-	int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
-	PKCS7 *p7, *p7new;
-	ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
-	unsigned char mac[EVP_MAX_MD_SIZE];
-	unsigned int maclen;
+	const ASN1_OBJECT *aobj;
+	int param_type;
+	const void *param;
+	PBEPARAM *pbe = NULL;
+	int ret = 0;
 
-	if (!(asafes = PKCS12_unpack_authsafes(p12)))
-		return 0;
-	if (!(newsafes = sk_PKCS7_new_null()))
-		return 0;
-	for (i = 0; i < sk_PKCS7_num(asafes); i++) {
-		p7 = sk_PKCS7_value(asafes, i);
-		bagnid = OBJ_obj2nid(p7->type);
-		if (bagnid == NID_pkcs7_data) {
-			bags = PKCS12_unpack_p7data(p7);
-		} else if (bagnid == NID_pkcs7_encrypted) {
-			bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
-			if (!alg_get(p7->d.encrypted->enc_data->algorithm,
-			    &pbe_nid, &pbe_iter, &pbe_saltlen)) {
-				sk_PKCS12_SAFEBAG_pop_free(bags,
-				    PKCS12_SAFEBAG_free);
-				bags = NULL;
-			}
-		} else
-			continue;
-		if (bags == NULL)
-			goto err;
-		if (!newpass_bags(bags, oldpass, newpass)) {
-			sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-			goto err;
-		}
-		/* Repack bag in same form with new password */
-		if (bagnid == NID_pkcs7_data)
-			p7new = PKCS12_pack_p7data(bags);
-		else
-			p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1,
-			    NULL, pbe_saltlen, pbe_iter, bags);
-		sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-		if (p7new == NULL)
-			goto err;
-		if (sk_PKCS7_push(newsafes, p7new) == 0)
-			goto err;
-	}
-	sk_PKCS7_pop_free(asafes, PKCS7_free);
+	*nid = *iter = *salt_len = 0;
 
-	/* Repack safe: save old safe in case of error */
-
-	p12_data_tmp = p12->authsafes->d.data;
-	if (!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) {
-		p12->authsafes->d.data = p12_data_tmp;
+	X509_ALGOR_get0(&aobj, &param_type, &param, alg);
+	if (param_type != V_ASN1_SEQUENCE)
+		goto err;
+	if ((pbe = ASN1_item_unpack(param, &PBEPARAM_it)) == NULL)
 		goto err;
-	}
-	if (!PKCS12_pack_authsafes(p12, newsafes))
-		goto saferr;
 
-	if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
-		goto saferr;
-	if (!(macnew = ASN1_OCTET_STRING_new()))
-		goto saferr;
-	if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
-		goto saferr;
-	ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
-	p12->mac->dinfo->digest = macnew;
-	ASN1_OCTET_STRING_free(p12_data_tmp);
+	/* XXX - can we validate these somehow? */
+	*nid = OBJ_obj2nid(alg->algorithm);
+	*iter = ASN1_INTEGER_get(pbe->iter);
+	*salt_len = pbe->salt->length;
 
-	return 1;
+	ret = 1;
 
-saferr:
-	/* Restore old safe */
-	ASN1_OCTET_STRING_free(p12->authsafes->d.data);
-	ASN1_OCTET_STRING_free(macnew);
-	p12->authsafes->d.data = p12_data_tmp;
-	return 0;
+ err:
+	PBEPARAM_free(pbe);
 
-err:
-	sk_PKCS7_pop_free(asafes, PKCS7_free);
-	sk_PKCS7_pop_free(newsafes, PKCS7_free);
-	return 0;
+	return ret;
 }
 
+/* Change password of safebag: only needs handle shrouded keybags */
+static int
+newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, const char *newpass)
+{
+	PKCS8_PRIV_KEY_INFO *p8 = NULL;
+	X509_SIG *keybag;
+	int nid, salt_len, iter;
+	int ret = 0;
+
+	if (OBJ_obj2nid(bag->type) != NID_pkcs8ShroudedKeyBag)
+		goto done;
+
+	if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
+		goto err;
+	if (!alg_get(bag->value.shkeybag->algor, &nid, &iter, &salt_len))
+		goto err;
+
+	if ((keybag = PKCS8_encrypt(nid, NULL, newpass, -1, NULL, salt_len,
+	    iter, p8)) == NULL)
+		goto err;
+
+	X509_SIG_free(bag->value.shkeybag);
+	bag->value.shkeybag = keybag;
+
+ done:
+	ret = 1;
+
+ err:
+	PKCS8_PRIV_KEY_INFO_free(p8);
+
+	return ret;
+}
 
 static int
 newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
@@ -200,50 +138,163 @@ newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
 	int i;
 
 	for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
-		if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i),
-		    oldpass, newpass))
+		PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
+
+		if (!newpass_bag(bag, oldpass, newpass))
 			return 0;
 	}
-	return 1;
-}
 
-/* Change password of safebag: only needs handle shrouded keybags */
-
-static int
-newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, const char *newpass)
-{
-	PKCS8_PRIV_KEY_INFO *p8;
-	X509_SIG *p8new;
-	int p8_nid, p8_saltlen, p8_iter;
-
-	if (OBJ_obj2nid(bag->type) != NID_pkcs8ShroudedKeyBag)
-		return 1;
-
-	if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)))
-		return 0;
-	if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter,
-	    &p8_saltlen))
-		return 0;
-	if (!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
-	    p8_iter, p8))) return 0;
-	X509_SIG_free(bag->value.shkeybag);
-	bag->value.shkeybag = p8new;
 	return 1;
 }
 
 static int
-alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
+pkcs7_repack_data(PKCS7 *pkcs7, STACK_OF(PKCS7) *safes, const char *oldpass,
+    const char *newpass)
 {
-	PBEPARAM *pbe;
-	const unsigned char *p;
+	STACK_OF(PKCS12_SAFEBAG) *bags;
+	PKCS7 *data = NULL;
+	int ret = 0;
 
-	p = alg->parameter->value.sequence->data;
-	pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
-	if (!pbe)
-		return 0;
-	*pnid = OBJ_obj2nid(alg->algorithm);
-	*piter = ASN1_INTEGER_get(pbe->iter);
-	*psaltlen = pbe->salt->length;
-	PBEPARAM_free(pbe);
-	return 1;
+	if ((bags = PKCS12_unpack_p7data(pkcs7)) == NULL)
+		goto err;
+	if (!newpass_bags(bags, oldpass, newpass))
+		goto err;
+	if ((data = PKCS12_pack_p7data(bags)) == NULL)
+		goto err;
+	if (sk_PKCS7_push(safes, data) == 0)
+		goto err;
+	data = NULL;
+
+	ret = 1;
+
+ err:
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	PKCS7_free(data);
+
+	return ret;
 }
+
+static int
+pkcs7_repack_encdata(PKCS7 *pkcs7, STACK_OF(PKCS7) *safes, const char *oldpass,
+    const char *newpass)
+{
+	STACK_OF(PKCS12_SAFEBAG) *bags;
+	int nid, iter, salt_len;
+	PKCS7 *data = NULL;
+	int ret = 0;
+
+	if ((bags = PKCS12_unpack_p7encdata(pkcs7, oldpass, -1)) == NULL)
+		goto err;
+	if (!alg_get(pkcs7->d.encrypted->enc_data->algorithm, &nid,
+	    &iter, &salt_len))
+		goto err;
+	if (!newpass_bags(bags, oldpass, newpass))
+		goto err;
+	if ((data = PKCS12_pack_p7encdata(nid, newpass, -1, NULL, salt_len,
+	    iter, bags)) == NULL)
+		goto err;
+	if (!sk_PKCS7_push(safes, data))
+		goto err;
+	data = NULL;
+
+	ret = 1;
+
+ err:
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	PKCS7_free(data);
+
+	return ret;
+}
+
+static int
+pkcs12_repack_authsafes(PKCS12 *pkcs12, STACK_OF(PKCS7) *safes,
+    const char *newpass)
+{
+	ASN1_OCTET_STRING *old_data;
+	ASN1_OCTET_STRING *new_mac = NULL;
+	unsigned char mac[EVP_MAX_MD_SIZE];
+	unsigned int mac_len;
+	int ret = 0;
+
+	if ((old_data = pkcs12->authsafes->d.data) == NULL)
+		goto err;
+	if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL)
+		goto err;
+	if (!PKCS12_pack_authsafes(pkcs12, safes))
+		goto err;
+	if (!PKCS12_gen_mac(pkcs12, newpass, -1, mac, &mac_len))
+		goto err;
+	if ((new_mac = ASN1_OCTET_STRING_new()) == NULL)
+		goto err;
+	if (!ASN1_OCTET_STRING_set(new_mac, mac, mac_len))
+		goto err;
+
+	ASN1_OCTET_STRING_free(pkcs12->mac->dinfo->digest);
+	pkcs12->mac->dinfo->digest = new_mac;
+	new_mac = NULL;
+
+	ASN1_OCTET_STRING_free(old_data);
+	old_data = NULL;
+
+	ret = 1;
+
+ err:
+	if (old_data != NULL) {
+		ASN1_OCTET_STRING_free(pkcs12->authsafes->d.data);
+		pkcs12->authsafes->d.data = old_data;
+	}
+	explicit_bzero(mac, sizeof(mac));
+	ASN1_OCTET_STRING_free(new_mac);
+
+	return ret;
+}
+
+int
+PKCS12_newpass(PKCS12 *pkcs12, const char *oldpass, const char *newpass)
+{
+	STACK_OF(PKCS7) *authsafes = NULL, *safes = NULL;
+	int i;
+	int ret = 0;
+
+	if (pkcs12 == NULL) {
+		PKCS12error(PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+		goto err;
+	}
+
+	if (!PKCS12_verify_mac(pkcs12, oldpass, -1)) {
+		PKCS12error(PKCS12_R_MAC_VERIFY_FAILURE);
+		goto err;
+	}
+
+	if ((authsafes = PKCS12_unpack_authsafes(pkcs12)) == NULL)
+		goto err;
+	if ((safes = sk_PKCS7_new_null()) == NULL)
+		goto err;
+
+	for (i = 0; i < sk_PKCS7_num(authsafes); i++) {
+		PKCS7 *pkcs7 = sk_PKCS7_value(authsafes, i);
+
+		switch (OBJ_obj2nid(pkcs7->type)) {
+		case NID_pkcs7_data:
+			if (pkcs7_repack_data(pkcs7, safes, oldpass, newpass))
+				goto err;
+			break;
+		case NID_pkcs7_encrypted:
+			if (pkcs7_repack_encdata(pkcs7, safes, oldpass, newpass))
+				goto err;
+			break;
+		}
+	}
+
+	if (!pkcs12_repack_authsafes(pkcs12, safes, newpass))
+		goto err;
+
+	ret = 1;
+
+ err:
+	sk_PKCS7_pop_free(authsafes, PKCS7_free);
+	sk_PKCS7_pop_free(safes, PKCS7_free);
+
+	return ret;
+}
+LCRYPTO_ALIAS(PKCS12_newpass);

lib/libcrypto/pkcs12/pkcs12_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12_local.h,v 1.3 2022/11/26 17:23:18 tb Exp $ */
+/* $OpenBSD: pkcs12_local.h,v 1.4 2024/01/25 13:44:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -96,6 +96,9 @@ struct pkcs12_bag_st {
 	} value;
 };
 
+/* XXX - should go into pkcs7_local.h. */
+ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7);
+
 __END_HIDDEN_DECLS
 
 #endif /* !HEADER_PKCS12_LOCAL_H */

lib/libcrypto/pkcs7/pk7_doit.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.54 2023/11/15 00:55:43 tb Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.55 2024/01/25 13:44:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -92,7 +92,7 @@ PKCS7_type_is_other(PKCS7* p7)
 
 }
 
-static ASN1_OCTET_STRING *
+ASN1_OCTET_STRING *
 PKCS7_get_octet_string(PKCS7 *p7)
 {
 	if (PKCS7_type_is_data(p7))

lib/libcrypto/pkcs7/pk7_mime.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_mime.c,v 1.19 2023/05/02 09:56:12 tb Exp $ */
+/* $OpenBSD: pk7_mime.c,v 1.20 2024/01/25 13:44:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -89,8 +89,11 @@ SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 	STACK_OF(X509_ALGOR) *mdalgs = NULL;
 	int ctype_nid;
 
-	if ((ctype_nid = OBJ_obj2nid(p7->type)) == NID_pkcs7_signed)
+	if ((ctype_nid = OBJ_obj2nid(p7->type)) == NID_pkcs7_signed) {
+		if (p7->d.sign == NULL)
+			return 0;
 		mdalgs = p7->d.sign->md_algs;
+	}
 
 	flags ^= SMIME_OLDMIME;
 

lib/libcrypto/x509/x509_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.14 2023/04/25 10:56:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.16 2024/01/25 15:09:22 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,8 +65,6 @@
 
 #include "x509_local.h"
 
-static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
-
 extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
 extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
@@ -80,10 +78,6 @@ extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
 extern const X509V3_EXT_METHOD v3_ct_scts[3];
 
-/*
- * This table needs to be sorted by increasing ext_nid values for OBJ_bsearch_.
- */
-
 static const X509V3_EXT_METHOD *standard_exts[] = {
 	&v3_nscert,
 	&v3_ns_ia5_list[0],
@@ -142,62 +136,17 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 
 #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
 
-static int
-ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
-{
-	return ((*a)->ext_nid - (*b)->ext_nid);
-}
-
-int
-X509V3_EXT_add(X509V3_EXT_METHOD *ext)
-{
-	if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add);
-
-static int
-ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
-{
-	const X509V3_EXT_METHOD * const *a = a_;
-	const X509V3_EXT_METHOD * const *b = b_;
-	return ext_cmp(a, b);
-}
-
-static const X509V3_EXT_METHOD **
-OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
-    const X509V3_EXT_METHOD *const *base, int num)
-{
-	return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
-	    sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
-}
-
 const X509V3_EXT_METHOD *
 X509V3_EXT_get_nid(int nid)
 {
-	X509V3_EXT_METHOD tmp;
-	const X509V3_EXT_METHOD *t = &tmp, * const *ret;
-	int idx;
+	size_t i;
 
-	if (nid < 0)
-		return NULL;
-	tmp.ext_nid = nid;
-	ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
-	if (ret)
-		return *ret;
-	if (!ext_list)
-		return NULL;
-	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
-	if (idx == -1)
-		return NULL;
-	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
+	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
+		if (standard_exts[i]->ext_nid == nid)
+			return standard_exts[i];
+	}
+
+	return NULL;
 }
 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
 
@@ -212,56 +161,6 @@ X509V3_EXT_get(X509_EXTENSION *ext)
 }
 LCRYPTO_ALIAS(X509V3_EXT_get);
 
-int
-X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
-{
-	for (; extlist->ext_nid!=-1; extlist++)
-		if (!X509V3_EXT_add(extlist))
-			return 0;
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add_list);
-
-int
-X509V3_EXT_add_alias(int nid_to, int nid_from)
-{
-	const X509V3_EXT_METHOD *ext;
-	X509V3_EXT_METHOD *tmpext;
-
-	if (!(ext = X509V3_EXT_get_nid(nid_from))) {
-		X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
-		return 0;
-	}
-	if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	*tmpext = *ext;
-	tmpext->ext_nid = nid_to;
-	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
-	if (!X509V3_EXT_add(tmpext)) {
-		free(tmpext);
-		return 0;
-	}
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add_alias);
-
-static void
-ext_list_free(X509V3_EXT_METHOD *ext)
-{
-	if (ext->ext_flags & X509V3_EXT_DYNAMIC)
-		free(ext);
-}
-
-void
-X509V3_EXT_cleanup(void)
-{
-	sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
-	ext_list = NULL;
-}
-LCRYPTO_ALIAS(X509V3_EXT_cleanup);
-
 int
 X509V3_add_standard_extensions(void)
 {
@@ -434,3 +333,37 @@ err:
 	return 0;
 }
 LCRYPTO_ALIAS(X509V3_add1_i2d);
+
+/*
+ * XXX - remove all the functions below in the next major bump.
+ */
+
+int
+X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add);
+
+int
+X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add_list);
+
+int
+X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add_alias);
+
+void
+X509V3_EXT_cleanup(void)
+{
+}
+LCRYPTO_ALIAS(X509V3_EXT_cleanup);