From f7b04d536b8c3d85a47ee91f996f533c7f9a2bb1 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 22 Dec 2023 13:31:35 +0000
Subject: [PATCH] Remove a bunch of function pointers from X509_STORE_CTX

These are only ever set to one particular function which is either local to this file or part of the public API and we never added the public API to set them to something else.
Prefix the local functions touched in this commit with x509_vfy_.
More cleanup to follow.
ok joshua jsing
---
 lib/libcrypto/x509/x509_local.h | 8 +----
 lib/libcrypto/x509/x509_vfy.c | 52 +++++++++++----------------------
 2 files changed, 18 insertions(+), 42 deletions(-)

diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h
index 81efb690dfd..0312e6cac76 100644
--- a/lib/libcrypto/x509/x509_local.h
+++ b/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.13 2023/12/22 09:40:14 tb Exp $ */
+/* $OpenBSD: x509_local.h,v 1.14 2023/12/22 13:31:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -336,12 +336,6 @@ struct x509_store_ctx_st {
 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
- int (*check_policy)(X509_STORE_CTX *ctx);
- STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
- STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
 /* The following is built up */
 int valid; /* if 0, rebuild chain */
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 93fa2c28008..fb6c4167c10 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.129 2023/12/22 09:40:14 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.130 2023/12/22 13:31:35 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,6 +116,9 @@
 #define CRL_SCORE_TIME_DELTA 0x002
+static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
+static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+
 static int null_callback(int ok, X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
@@ -123,9 +126,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
 static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
-static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth);
-static int check_policy(X509_STORE_CTX *ctx);
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
 unsigned int *preasons, X509_CRL *crl, X509 *x);
@@ -564,7 +565,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 * Check revocation status: we do this after copying parameters because
 * they may be needed for CRL signature verification.
 */
- ok = ctx->check_revocation(ctx);
+ ok = x509_vfy_check_revocation(ctx);
 if (!ok)
 goto end;
@@ -578,7 +579,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 /* If we get this far evaluate policies */
 if (!bad_chain)
- ok = ctx->check_policy(ctx);
+ ok = x509_vfy_check_policy(ctx);
 end:
 /* Safety net, error returns must set ctx->error */
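Review bot: The two new prototypes in the hunk at line 116 give `static` helpers the `x509_vfy_` prefix that this file otherwise appears to reserve for functions with external linkage shared with the rest of libcrypto (`x509_vfy_check_revocation`, `x509_vfy_lookup_cert_match` and `x509_vfy_check_policy` are all non-static in the hunks below), so the name no longer tells a reader whether a function is visible outside this translation unit. The commit message says the prefixing is deliberate, so this is a style point only; a one-line comment above the new group, `/* File-local CRL helpers; the x509_vfy_ prefix does not imply external linkage here. */`, or leaving the static helpers unprefixed, would keep the distinction. The new declarations are also placed in their own group ahead of `null_callback` rather than next to the other CRL-related prototypes (`check_cert`, `get_crl_score`) that the hunk at line 123 edits; grouping them there would make declaration order follow call order.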
@@ -840,7 +841,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 size_t i;
 /* Lookup all certs with matching subject name */
- certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
+ certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
 if (certs == NULL)
 return NULL;
@@ -863,8 +864,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 X509 *
 x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 {
- if (ctx->lookup_certs == NULL || ctx->store == NULL ||
- ctx->store->objs == NULL)
+ if (ctx->store == NULL || ctx->store->objs == NULL)
 return NULL;
 return lookup_cert_match(ctx, x);
 }
@@ -930,8 +930,8 @@ x509_vfy_check_trust(X509_STORE_CTX *ctx)
 return check_trust(ctx);
 }
-static int
-check_revocation(X509_STORE_CTX *ctx)
+int
+x509_vfy_check_revocation(X509_STORE_CTX *ctx)
 {
 int i, last, ok;
@@ -953,12 +953,6 @@ check_revocation(X509_STORE_CTX *ctx)
 return 1;
 }
-int
-x509_vfy_check_revocation(X509_STORE_CTX *ctx)
-{
- return check_revocation(ctx);
-}
-
 static int
 check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 {
@@ -983,15 +977,15 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 goto err;
 }
 ctx->current_crl = crl;
- ok = ctx->check_crl(ctx, crl);
+ ok = x509_vfy_check_crl(ctx, crl);
 if (!ok)
 goto err;
 if (dcrl) {
- ok = ctx->check_crl(ctx, dcrl);
+ ok = x509_vfy_check_crl(ctx, dcrl);
 if (!ok)
 goto err;
- ok = ctx->cert_crl(ctx, dcrl, x);
+ ok = x509_vfy_cert_crl(ctx, dcrl, x);
 if (!ok)
 goto err;
 } else
@@ -999,7 +993,7 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
 /* Don't look in full CRL if delta reason is removefromCRL */
 if (ok != 2) {
- ok = ctx->cert_crl(ctx, crl, x);
+ ok = x509_vfy_cert_crl(ctx, crl, x);
 if (!ok)
 goto err;
 }
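Review bot: The direct call to `X509_STORE_CTX_get1_certs` at the `certs =` line in `lookup_cert_match` makes explicit an ownership contract the `lookup_certs` hook used to hide: by the get1 naming convention the returned stack carries references the caller must release, so the remainder of `lookup_cert_match`, which continues outside the hunk, has to `sk_X509_pop_free` it on every exit path after this point. Nothing in the hunk suggests the old hook had a different contract, so no leak is introduced, but now that the call is no longer behind an indirection a short comment at the call site, `/* get1: we own certs and must pop_free it before returning */`, would record it for the next reader. The same applies to the `X509_STORE_CTX_get1_crls` call in `get_crl_delta` in the hunk at line 1553 of the next part of the patch.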
@@ -1553,7 +1547,7 @@ get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
 goto done;
 /* Lookup CRLs from store */
- skcrl = ctx->lookup_crls(ctx, nm);
+ skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
 /* If no CRLs found and a near match from get_crl_sk use that */
 if (!skcrl && crl)
@@ -1580,7 +1574,7 @@ done:
 /* Check CRL validity */
 static int
-check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 {
 X509 *issuer = NULL;
 EVP_PKEY *ikey = NULL;
@@ -1683,7 +1677,7 @@ err:
 /* Check certificate against CRL */
 static int
-cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 {
 int ok;
 X509_REVOKED *rev;
@@ -1750,12 +1744,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 return 1;
 }
-static int
-check_policy(X509_STORE_CTX *ctx)
-{
- return x509_vfy_check_policy(ctx);
-}
-
 /*
 * Inform the verify callback of an error.
 *
@@ -2334,12 +2322,6 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf,
 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
 ctx->check_issued = check_issued;
- ctx->check_revocation = check_revocation;
- ctx->check_crl = check_crl;
- ctx->cert_crl = cert_crl;
- ctx->check_policy = check_policy;
- ctx->lookup_certs = X509_STORE_CTX_get1_certs;
- ctx->lookup_crls = X509_STORE_CTX_get1_crls;
 ctx->param = X509_VERIFY_PARAM_new();
 if (!ctx->param) {
-- 
2.20.1
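Review bot: `x509_vfy_cert_crl`, renamed in the hunk at line 1683, is now called directly from `check_cert`, where its result is tested both as `if (!ok)` and as `if (ok != 2)`, yet the comment above its definition, `/* Check certificate against CRL */`, says nothing about the three-valued return; the function body continues outside the hunk. Since `check_cert` documents the 2 case as "delta reason is removefromCRL" and `X509_verify_cert_legacy` states that error returns must set `ctx->error`, I would extend the header comment to state the contract, e.g. `/* Check certificate against CRL. Returns 1 if not revoked, 2 if the delta CRL's reason is removeFromCRL (the full CRL is then skipped), 0 on failure with ctx->error set. */`; the exact 0-return semantics (error versus revoked) should be confirmed against the body before settling the wording. The same applies to `x509_vfy_check_crl` in the hunk at line 1580, whose return values are only visible through the `if (!ok) goto err` tests in `check_cert`.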