From c984dda7d7e71c4385cc26a89a7d61f6e9c3e444 Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 25 Jan 2024 12:20:17 +0000
Subject: [PATCH] Remove the custom X509v3 extensions stack
This is essentially unused. The only consumer, www/kore,-acme is in the process of being fixed. It is also incomplete: in particular, the verifier doesn't learn about extensions added to the list, making the entire exercise rather pointless. So let's ditch that crap. This was the last consumer of the horror that is OBJ_bsearch_(). The even worse OBJ_bsearch_ex_() is still being "used" by M2Crypto... This prepares the removal of X509V3_EXT_{add{,_list,_alias},cleanup}(). and removes another piece of thread-unsafe global state. ok jsing
---
 lib/libcrypto/x509/x509_lib.c | 147 ++++++++++------------------------
 1 file changed, 42 insertions(+), 105 deletions(-)
diff --git a/lib/libcrypto/x509/x509_lib.c b/lib/libcrypto/x509/x509_lib.c
index 93f8dc207b7..c78b600677e 100644
--- a/lib/libcrypto/x509/x509_lib.c
+++ b/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.14 2023/04/25 10:56:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.15 2024/01/25 12:20:17 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,8 +65,6 @@
 #include "x509_local.h"
-static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
 extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
 extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
@@ -142,62 +140,17 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
-static int
-ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
-{
-	return ((*a)->ext_nid - (*b)->ext_nid);
-}
-
-int
-X509V3_EXT_add(X509V3_EXT_METHOD *ext)
-{
-	if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add);
-
-static int
-ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
-{
-	const X509V3_EXT_METHOD * const *a = a_;
-	const X509V3_EXT_METHOD * const *b = b_;
-	return ext_cmp(a, b);
-}
-
-static const X509V3_EXT_METHOD **
-OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
-    const X509V3_EXT_METHOD *const *base, int num)
-{
-	return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
-	    sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
-}
-
 const X509V3_EXT_METHOD *
 X509V3_EXT_get_nid(int nid)
 {
-	X509V3_EXT_METHOD tmp;
-	const X509V3_EXT_METHOD *t = &tmp, * const *ret;
-	int idx;
+	size_t i;
-	if (nid < 0)
-		return NULL;
-	tmp.ext_nid = nid;
-	ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
-	if (ret)
-		return *ret;
-	if (!ext_list)
-		return NULL;
-	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
-	if (idx == -1)
-		return NULL;
-	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
+	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
+		if (standard_exts[i]->ext_nid == nid)
+			return standard_exts[i];
+	}
+
+	return NULL;
 }
 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
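Review bot: The new loop in X509V3_EXT_get_nid silently drops the requirement that standard_exts be sorted by NID, which the removed OBJ_bsearch_ext path depended on, yet nothing at the loop records that, so a later maintainer could reintroduce a bsearch over a table that is no longer kept ordered. I would add above the `for`: `/* Linear scan; the table is small and need not be sorted by NID. */`. The removed `if (nid < 0) return NULL;` guard is subsumed by the equality test, assuming every entry carries a registered (non-negative) NID, so no rejection is lost. If the table definition outside this hunk still carries a "keep sorted" remark, it is now stale and should go in the same commit.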
@@ -212,56 +165,6 @@ X509V3_EXT_get(X509_EXTENSION *ext)
 }
 LCRYPTO_ALIAS(X509V3_EXT_get);
-int
-X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
-{
-	for (; extlist->ext_nid!=-1; extlist++)
-		if (!X509V3_EXT_add(extlist))
-			return 0;
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add_list);
-
-int
-X509V3_EXT_add_alias(int nid_to, int nid_from)
-{
-	const X509V3_EXT_METHOD *ext;
-	X509V3_EXT_METHOD *tmpext;
-
-	if (!(ext = X509V3_EXT_get_nid(nid_from))) {
-		X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
-		return 0;
-	}
-	if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	*tmpext = *ext;
-	tmpext->ext_nid = nid_to;
-	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
-	if (!X509V3_EXT_add(tmpext)) {
-		free(tmpext);
-		return 0;
-	}
-	return 1;
-}
-LCRYPTO_ALIAS(X509V3_EXT_add_alias);
-
-static void
-ext_list_free(X509V3_EXT_METHOD *ext)
-{
-	if (ext->ext_flags & X509V3_EXT_DYNAMIC)
-		free(ext);
-}
-
-void
-X509V3_EXT_cleanup(void)
-{
-	sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
-	ext_list = NULL;
-}
-LCRYPTO_ALIAS(X509V3_EXT_cleanup);
-
 int
 X509V3_add_standard_extensions(void)
 {
@@ -434,3 +337,37 @@ err:
 	return 0;
 }
 LCRYPTO_ALIAS(X509V3_add1_i2d);
+
+/*
+ * XXX - remove all the functions below in the next major bump.
+ */
+
+int
+X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add);
+
+int
+X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add_list);
+
+int
+X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+	X509V3error(ERR_R_DISABLED);
+	return 0;
+}
+LCRYPTO_ALIAS(X509V3_EXT_add_alias);
+
+void
+X509V3_EXT_cleanup(void)
+{
+}
+LCRYPTO_ALIAS(X509V3_EXT_cleanup);
--
2.20.1
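Review bot: The four compatibility stubs appended after LCRYPTO_ALIAS(X509V3_add1_i2d) carry only an XXX removal reminder; nothing at the definitions says that registration now fails unconditionally, which is the first thing a caller chasing an ERR_R_DISABLED error will look for. I would extend that block comment to state that custom extension handlers are no longer supported, that X509V3_EXT_add, X509V3_EXT_add_list and X509V3_EXT_add_alias always push ERR_R_DISABLED and return 0, and that X509V3_EXT_cleanup is a no-op kept only for ABI compatibility. A caller that never checked the return of X509V3_EXT_add() already got a handler the verifier ignored, as the commit message notes, so the stubs add no new silent failure mode; the public documentation for these functions, which is outside this diff, should be updated to match.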