From 52161715bea2f55180892a27c7b1a38a564172fb Mon Sep 17 00:00:00 2001
From: tb
Date: Sun, 11 Sep 2022 17:30:13 +0000
Subject: [PATCH] Make structs in pkcs12.h opaque

ok jsing
---
 lib/libcrypto/pkcs12/p12_add.c | 54 +---------------------
 lib/libcrypto/pkcs12/p12_utl.c | 45 +-----------------
 lib/libcrypto/pkcs12/pkcs12.h | 71 +++--------------------------
 lib/libcrypto/pkcs12/pkcs12_local.h | 37 ++++++++++++++-
 4 files changed, 45 insertions(+), 162 deletions(-)

diff --git a/lib/libcrypto/pkcs12/p12_add.c b/lib/libcrypto/pkcs12/p12_add.c
index d9de395c5bc..a7b8c1eaf89 100644
--- a/lib/libcrypto/pkcs12/p12_add.c
+++ b/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.19 2022/08/20 09:16:18 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.20 2022/09/11 17:30:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -91,58 +91,6 @@ PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2)
 return safebag;
 }
 
-#if !defined(LIBRESSL_NEXT_API)
-#undef PKCS12_MAKE_KEYBAG
-#undef PKCS12_MAKE_SHKEYBAG
-/* Turn PKCS8 object into a keybag */
-
-PKCS12_SAFEBAG *
-PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
-{
- PKCS12_SAFEBAG *bag;
-
- if (!(bag = PKCS12_SAFEBAG_new())) {
- PKCS12error(ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- bag->type = OBJ_nid2obj(NID_keyBag);
- bag->value.keybag = p8;
- return bag;
-}
-
-/* Turn PKCS8 object into a shrouded keybag */
-
-PKCS12_SAFEBAG *
-PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen,
- unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
-{
- PKCS12_SAFEBAG *bag;
- const EVP_CIPHER *pbe_ciph;
-
- /* Set up the safe bag */
- if (!(bag = PKCS12_SAFEBAG_new())) {
- PKCS12error(ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
-
- pbe_ciph = EVP_get_cipherbynid(pbe_nid);
-
- if (pbe_ciph)
- pbe_nid = -1;
-
- if (!(bag->value.shkeybag = PKCS8_encrypt(pbe_nid, pbe_ciph, pass,
- passlen, salt, saltlen, iter, p8))) {
- PKCS12error(ERR_R_MALLOC_FAILURE);
- PKCS12_SAFEBAG_free(bag);
- return NULL;
- }
-
- return bag;
-}
-#endif
-
 /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
 PKCS7 *
 PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
diff --git a/lib/libcrypto/pkcs12/p12_utl.c b/lib/libcrypto/pkcs12/p12_utl.c
index 5c15720e210..4fe557f626d 100644
--- a/lib/libcrypto/pkcs12/p12_utl.c
+++ b/lib/libcrypto/pkcs12/p12_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_utl.c,v 1.18 2022/08/20 09:16:18 tb Exp $ */
+/* $OpenBSD: p12_utl.c,v 1.19 2022/09/11 17:30:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -149,46 +149,3 @@ d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
 {
 return ASN1_item_d2i_fp(&PKCS12_it, fp, p12);
 }
-
-#if !defined(LIBRESSL_NEXT_API)
-#undef PKCS12_x5092certbag
-#undef PKCS12_x509crl2certbag
-#undef PKCS12_certbag2x509
-#undef PKCS12_certbag2x509crl
-
-PKCS12_SAFEBAG *
-PKCS12_x5092certbag(X509 *x509)
-{
- return PKCS12_item_pack_safebag(x509, &X509_it,
- NID_x509Certificate, NID_certBag);
-}
-
-PKCS12_SAFEBAG *
-PKCS12_x509crl2certbag(X509_CRL *crl)
-{
- return PKCS12_item_pack_safebag(crl, &X509_CRL_it,
- NID_x509Crl, NID_crlBag);
-}
-
-X509 *
-PKCS12_certbag2x509(PKCS12_SAFEBAG *bag)
-{
- if (OBJ_obj2nid(bag->type) != NID_certBag)
- return NULL;
- if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
- return NULL;
- return ASN1_item_unpack(bag->value.bag->value.octet,
- &X509_it);
-}
-
-X509_CRL *
-PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
-{
- if (OBJ_obj2nid(bag->type) != NID_crlBag)
- return NULL;
- if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
- return NULL;
- return ASN1_item_unpack(bag->value.bag->value.octet,
- &X509_CRL_it);
-}
-#endif
diff --git a/lib/libcrypto/pkcs12/pkcs12.h b/lib/libcrypto/pkcs12/pkcs12.h
index a40659fcf35..44dbb381533 100644
--- a/lib/libcrypto/pkcs12/pkcs12.h
+++ b/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.26 2022/08/03 20:16:06 tb Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.27 2022/09/11 17:30:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -96,43 +96,16 @@ extern "C" {
 #define KEY_EX 0x10
 #define KEY_SIG 0x80
 
-typedef struct {
- X509_SIG *dinfo;
- ASN1_OCTET_STRING *salt;
- ASN1_INTEGER *iter; /* defaults to 1 */
-} PKCS12_MAC_DATA;
-
-typedef struct {
- ASN1_INTEGER *version;
- PKCS12_MAC_DATA *mac;
- PKCS7 *authsafes;
-} PKCS12;
-
-typedef struct {
- ASN1_OBJECT *type;
- union {
- struct pkcs12_bag_st *bag; /* secret, crl and certbag */
- struct pkcs8_priv_key_info_st *keybag; /* keybag */
- X509_SIG *shkeybag; /* shrouded key bag */
- STACK_OF(PKCS12_SAFEBAG) *safes;
- ASN1_TYPE *other;
- } value;
- STACK_OF(X509_ATTRIBUTE) *attrib;
-} PKCS12_SAFEBAG;
+typedef struct PKCS12_MAC_DATA_st PKCS12_MAC_DATA;
+
+typedef struct PKCS12_st PKCS12;
+
+typedef struct PKCS12_SAFEBAG_st PKCS12_SAFEBAG;
 
 DECLARE_STACK_OF(PKCS12_SAFEBAG)
 DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG)
 
-typedef struct pkcs12_bag_st {
- ASN1_OBJECT *type;
- union {
- ASN1_OCTET_STRING *x509cert;
- ASN1_OCTET_STRING *x509crl;
- ASN1_OCTET_STRING *octet;
- ASN1_IA5STRING *sdsicert;
- ASN1_TYPE *other; /* Secret or other bag */
- } value;
-} PKCS12_BAGS;
+typedef struct pkcs12_bag_st PKCS12_BAGS;
 
 #define PKCS12_ERROR 0
 #define PKCS12_OK 1
@@ -155,16 +128,8 @@ typedef struct pkcs12_bag_st {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
 
-#if !defined(LIBRESSL_NEXT_API)
-#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
-#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
-#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
-#endif
-
 #endif /* !LIBRESSL_INTERNAL */
 
-#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
-
 #define M_PKCS12_bag_type PKCS12_bag_type
 #define M_PKCS12_cert_bag_type PKCS12_cert_bag_type
 #define M_PKCS12_crl_bag_type PKCS12_cert_bag_type
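Review bot: The opaque typedefs added in the `@@ -96,43 +96,16 @@` hunk give no hint of where the layouts went or how callers should now reach the fields, so a consumer that still writes `bag->type` or `p12->mac` gets only an incomplete-type error. A one-line comment above them would help, e.g. `/* Layouts are private to libcrypto (pkcs12_local.h); use PKCS12_SAFEBAG_get0_type() and the other accessors. */`. The tag spelling is also mixed: the three new tags are `PKCS12_*_st` while `PKCS12_BAGS` keeps the lower-case `pkcs12_bag_st`, presumably because `struct PKCS12_SAFEBAG_st` refers to it by that tag. Since the same commit drops previously compiled functions from p12_add.c and p12_utl.c, a library major bump and symbol-list update would be expected alongside it; neither is visible in this patch.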
@@ -210,28 +175,6 @@ const STACK_OF(PKCS12_SAFEBAG) *
 PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
 const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
 
-#else /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL*/
-
-#define PKCS12_get_attr(bag, attr_nid) \
- PKCS12_get_attr_gen(bag->attrib, attr_nid)
-
-#define PKCS8_get_attr(p8, attr_nid) \
- PKCS12_get_attr_gen(p8->attributes, attr_nid)
-
-#define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
-
-PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509);
-PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
-X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
-X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
-
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
- int passlen, unsigned char *salt, int saltlen, int iter,
- PKCS8_PRIV_KEY_INFO *p8);
-
-#endif /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL */
-
 PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
 int nid1, int nid2);
 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
diff --git a/lib/libcrypto/pkcs12/pkcs12_local.h b/lib/libcrypto/pkcs12/pkcs12_local.h
index c5a0de36c94..8723fdb2e43 100644
--- a/lib/libcrypto/pkcs12/pkcs12_local.h
+++ b/lib/libcrypto/pkcs12/pkcs12_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12_local.h,v 1.1 2022/08/20 09:16:18 tb Exp $ */
+/* $OpenBSD: pkcs12_local.h,v 1.2 2022/09/11 17:30:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,6 +61,41 @@
 
 __BEGIN_HIDDEN_DECLS
 
+struct PKCS12_MAC_DATA_st {
+ X509_SIG *dinfo;
+ ASN1_OCTET_STRING *salt;
+ ASN1_INTEGER *iter; /* defaults to 1 */
+};
+
+struct PKCS12_st {
+ ASN1_INTEGER *version;
+ PKCS12_MAC_DATA *mac;
+ PKCS7 *authsafes;
+};
+
+struct PKCS12_SAFEBAG_st {
+ ASN1_OBJECT *type;
+ union {
+ struct pkcs12_bag_st *bag; /* secret, crl and certbag */
+ struct pkcs8_priv_key_info_st *keybag; /* keybag */
+ X509_SIG *shkeybag; /* shrouded key bag */
+ STACK_OF(PKCS12_SAFEBAG) *safes;
+ ASN1_TYPE *other;
+ } value;
+ STACK_OF(X509_ATTRIBUTE) *attrib;
+};
+
+struct pkcs12_bag_st {
+ ASN1_OBJECT *type;
+ union {
+ ASN1_OCTET_STRING *x509cert;
+ ASN1_OCTET_STRING *x509crl;
+ ASN1_OCTET_STRING *octet;
+ ASN1_IA5STRING *sdsicert;
+ ASN1_TYPE *other; /* Secret or other bag */
+ } value;
+};
+
 __END_HIDDEN_DECLS
 
 #endif /* HEADER_PKCS12_LOCAL_H */
-- 
2.20.1
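Review bot: The `value` unions in `struct PKCS12_SAFEBAG_st` and `struct pkcs12_bag_st` are selected only by the sibling `type` OID, and the new definitions do not say so; reading the wrong member of a parsed bag would be a type confusion. Now that the layouts are private, every member access lives inside libcrypto, so these definitions are the natural place to state the rule, e.g. `/* value is selected by type: check OBJ_obj2nid(type) before reading a member */`, which matches the NID checks the removed `PKCS12_certbag2x509()` performed. The header also relies on `X509_SIG`, `PKCS7`, `PKCS12_MAC_DATA` and `STACK_OF(PKCS12_SAFEBAG)`; if it does not include `<openssl/pkcs12.h>` itself (its include lines are outside the hunk), it depends on include order in each .c file.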