grpc 1.61.3 → 1.62.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c

@@ -60,25 +60,34 @@
 #include <openssl/mem.h>
 #include <openssl/thread.h>
 #include <openssl/x509.h>
-#include <openssl/x509v3.h>
 
 #include "../internal.h"
 #include "internal.h"
 
-X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) {
-  X509_LOOKUP *ret;
 
-  ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
+static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+                                      X509_NAME *name);
+static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
+                                                    int type, X509_NAME *name);
+static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
+                                               X509_OBJECT *x);
+static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
+
+static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method,
+                                    X509_STORE *store);
+static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
+                                  X509_OBJECT *ret);
+
+static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method,
+                                    X509_STORE *store) {
+  X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(X509_LOOKUP));
   if (ret == NULL) {
     return NULL;
   }
 
-  ret->init = 0;
-  ret->skip = 0;
   ret->method = method;
-  ret->method_data = NULL;
-  ret->store_ctx = NULL;
-  if ((method->new_item != NULL) && !method->new_item(ret)) {
+  ret->store_ctx = store;
+  if (method->new_item != NULL && !method->new_item(ret)) {
     OPENSSL_free(ret);
     return NULL;
   }
@@ -89,34 +98,12 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) {
   if (ctx == NULL) {
     return;
   }
-  if ((ctx->method != NULL) && (ctx->method->free != NULL)) {
+  if (ctx->method != NULL && ctx->method->free != NULL) {
     (*ctx->method->free)(ctx);
   }
   OPENSSL_free(ctx);
 }
 
-int X509_LOOKUP_init(X509_LOOKUP *ctx) {
-  if (ctx->method == NULL) {
-    return 0;
-  }
-  if (ctx->method->init != NULL) {
-    return ctx->method->init(ctx);
-  } else {
-    return 1;
-  }
-}
-
-int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) {
-  if (ctx->method == NULL) {
-    return 0;
-  }
-  if (ctx->method->shutdown != NULL) {
-    return ctx->method->shutdown(ctx);
-  } else {
-    return 1;
-  }
-}
-
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
                      char **ret) {
   if (ctx->method == NULL) {
@@ -129,14 +116,15 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
   }
 }
 
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
-                           X509_OBJECT *ret) {
-  if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) {
-    return 0;
-  }
-  if (ctx->skip) {
+static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
+                                  X509_OBJECT *ret) {
+  if (ctx->method == NULL || ctx->method->get_by_subject == NULL) {
     return 0;
   }
+  // Note |get_by_subject| leaves |ret| in an inconsistent state. It has
+  // pointers to an |X509| or |X509_CRL|, but has not bumped the refcount yet.
+  // For now, the caller is expected to fix this, but ideally we'd fix the
+  // |X509_LOOKUP| convention itself.
   return ctx->method->get_by_subject(ctx, type, name, ret) > 0;
 }
 
@@ -162,43 +150,24 @@ static int x509_object_cmp_sk(const X509_OBJECT *const *a,
 }
 
 X509_STORE *X509_STORE_new(void) {
-  X509_STORE *ret;
-
-  if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) {
+  X509_STORE *ret = OPENSSL_zalloc(sizeof(X509_STORE));
+  if (ret == NULL) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(*ret));
+
+  ret->references = 1;
   CRYPTO_MUTEX_init(&ret->objs_lock);
   ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk);
-  if (ret->objs == NULL) {
-    goto err;
-  }
   ret->get_cert_methods = sk_X509_LOOKUP_new_null();
-  if (ret->get_cert_methods == NULL) {
-    goto err;
-  }
   ret->param = X509_VERIFY_PARAM_new();
-  if (ret->param == NULL) {
-    goto err;
+  if (ret->objs == NULL ||
+      ret->get_cert_methods == NULL ||
+      ret->param == NULL) {
+    X509_STORE_free(ret);
+    return NULL;
   }
 
-  ret->references = 1;
   return ret;
-err:
-  if (ret) {
-    CRYPTO_MUTEX_cleanup(&ret->objs_lock);
-    if (ret->param) {
-      X509_VERIFY_PARAM_free(ret->param);
-    }
-    if (ret->get_cert_methods) {
-      sk_X509_LOOKUP_free(ret->get_cert_methods);
-    }
-    if (ret->objs) {
-      sk_X509_OBJECT_free(ret->objs);
-    }
-    OPENSSL_free(ret);
-  }
-  return NULL;
 }
 
 int X509_STORE_up_ref(X509_STORE *store) {
@@ -206,26 +175,7 @@ int X509_STORE_up_ref(X509_STORE *store) {
   return 1;
 }
 
-static void cleanup(X509_OBJECT *a) {
-  if (a == NULL) {
-    return;
-  }
-  if (a->type == X509_LU_X509) {
-    X509_free(a->data.x509);
-  } else if (a->type == X509_LU_CRL) {
-    X509_CRL_free(a->data.crl);
-  } else {
-    // abort();
-  }
-
-  OPENSSL_free(a);
-}
-
 void X509_STORE_free(X509_STORE *vfy) {
-  size_t j;
-  STACK_OF(X509_LOOKUP) *sk;
-  X509_LOOKUP *lu;
-
   if (vfy == NULL) {
     return;
   }
@@ -235,63 +185,41 @@ void X509_STORE_free(X509_STORE *vfy) {
   }
 
   CRYPTO_MUTEX_cleanup(&vfy->objs_lock);
-
-  sk = vfy->get_cert_methods;
-  for (j = 0; j < sk_X509_LOOKUP_num(sk); j++) {
-    lu = sk_X509_LOOKUP_value(sk, j);
-    X509_LOOKUP_shutdown(lu);
-    X509_LOOKUP_free(lu);
-  }
-  sk_X509_LOOKUP_free(sk);
-  sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
-
-  if (vfy->param) {
-    X509_VERIFY_PARAM_free(vfy->param);
-  }
+  sk_X509_LOOKUP_pop_free(vfy->get_cert_methods, X509_LOOKUP_free);
+  sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free);
+  X509_VERIFY_PARAM_free(vfy->param);
   OPENSSL_free(vfy);
 }
 
-X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) {
-  size_t i;
-  STACK_OF(X509_LOOKUP) *sk;
-  X509_LOOKUP *lu;
-
-  sk = v->get_cert_methods;
-  for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
-    lu = sk_X509_LOOKUP_value(sk, i);
+X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, const X509_LOOKUP_METHOD *m) {
+  STACK_OF(X509_LOOKUP) *sk = v->get_cert_methods;
+  for (size_t i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
+    X509_LOOKUP *lu = sk_X509_LOOKUP_value(sk, i);
     if (m == lu->method) {
       return lu;
     }
   }
-  // a new one
-  lu = X509_LOOKUP_new(m);
-  if (lu == NULL) {
+
+  X509_LOOKUP *lu = X509_LOOKUP_new(m, v);
+  if (lu == NULL || !sk_X509_LOOKUP_push(v->get_cert_methods, lu)) {
+    X509_LOOKUP_free(lu);
     return NULL;
-  } else {
-    lu->store_ctx = v;
-    if (sk_X509_LOOKUP_push(v->get_cert_methods, lu)) {
-      return lu;
-    } else {
-      X509_LOOKUP_free(lu);
-      return NULL;
-    }
   }
+
+  return lu;
 }
 
-int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
-                              X509_OBJECT *ret) {
+int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+                                  X509_OBJECT *ret) {
   X509_STORE *ctx = vs->ctx;
-  X509_LOOKUP *lu;
-  X509_OBJECT stmp, *tmp;
-  int i;
-
+  X509_OBJECT stmp;
   CRYPTO_MUTEX_lock_write(&ctx->objs_lock);
-  tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
+  X509_OBJECT *tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
   CRYPTO_MUTEX_unlock_write(&ctx->objs_lock);
 
   if (tmp == NULL || type == X509_LU_CRL) {
-    for (i = 0; i < (int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
-      lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
+    for (size_t i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
+      X509_LOOKUP *lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
       if (X509_LOOKUP_by_subject(lu, type, name, &stmp)) {
         tmp = &stmp;
         break;
@@ -317,7 +245,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) {
     return 0;
   }
 
-  X509_OBJECT *const obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+  X509_OBJECT *const obj = X509_OBJECT_new();
   if (obj == NULL) {
     return 0;
   }
@@ -343,8 +271,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) {
   CRYPTO_MUTEX_unlock_write(&ctx->objs_lock);
 
   if (!added) {
-    X509_OBJECT_free_contents(obj);
-    OPENSSL_free(obj);
+    X509_OBJECT_free(obj);
   }
 
   return ret;
@@ -358,7 +285,19 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) {
   return x509_store_add(ctx, x, /*is_crl=*/1);
 }
 
-int X509_OBJECT_up_ref_count(X509_OBJECT *a) {
+X509_OBJECT *X509_OBJECT_new(void) {
+  return OPENSSL_zalloc(sizeof(X509_OBJECT));
+}
+
+void X509_OBJECT_free(X509_OBJECT *obj) {
+  if (obj == NULL) {
+    return;
+  }
+  X509_OBJECT_free_contents(obj);
+  OPENSSL_free(obj);
+}
+
+static int X509_OBJECT_up_ref_count(X509_OBJECT *a) {
   switch (a->type) {
     case X509_LU_X509:
       X509_up_ref(a->data.x509);
@@ -379,6 +318,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a) {
       X509_CRL_free(a->data.crl);
       break;
   }
+
+  OPENSSL_memset(a, 0, sizeof(X509_OBJECT));
 }
 
 int X509_OBJECT_get_type(const X509_OBJECT *a) { return a->type; }
@@ -435,13 +376,13 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
   return (int)idx;
 }
 
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
-                               X509_NAME *name) {
+static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+                                      X509_NAME *name) {
   return x509_object_idx_cnt(h, type, name, NULL);
 }
 
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
-                                             X509_NAME *name) {
+static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
+                                                    int type, X509_NAME *name) {
   int idx;
   idx = X509_OBJECT_idx_by_subject(h, type, name);
   if (idx == -1) {
@@ -454,23 +395,20 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st) {
   return st->objs;
 }
 
-STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) {
-  int i, idx, cnt;
-  STACK_OF(X509) *sk;
-  X509 *x;
-  X509_OBJECT *obj;
-  sk = sk_X509_new_null();
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) {
+  int cnt;
+  STACK_OF(X509) *sk = sk_X509_new_null();
   if (sk == NULL) {
     return NULL;
   }
   CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);
-  idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
+  int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
   if (idx < 0) {
     // Nothing found in cache: do lookup to possibly add new objects to
     // cache
     X509_OBJECT xobj;
     CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
-    if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
+    if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
       sk_X509_free(sk);
       return NULL;
     }
@@ -483,9 +421,9 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) {
       return NULL;
     }
   }
-  for (i = 0; i < cnt; i++, idx++) {
-    obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
-    x = obj->data.x509;
+  for (int i = 0; i < cnt; i++, idx++) {
+    X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
+    X509 *x = obj->data.x509;
     if (!sk_X509_push(sk, x)) {
       CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
       sk_X509_pop_free(sk, X509_free);
@@ -497,33 +435,32 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) {
   return sk;
 }
 
-STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) {
-  int i, idx, cnt;
-  STACK_OF(X509_CRL) *sk;
-  X509_CRL *x;
-  X509_OBJECT *obj, xobj;
-  sk = sk_X509_CRL_new_null();
+STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx,
+                                             X509_NAME *nm) {
+  int cnt;
+  X509_OBJECT xobj;
+  STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
   if (sk == NULL) {
     return NULL;
   }
 
   // Always do lookup to possibly add new CRLs to cache.
-  if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
+  if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
     sk_X509_CRL_free(sk);
     return NULL;
   }
   X509_OBJECT_free_contents(&xobj);
   CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);
-  idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
+  int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
   if (idx < 0) {
     CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
     sk_X509_CRL_free(sk);
     return NULL;
   }
 
-  for (i = 0; i < cnt; i++, idx++) {
-    obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
-    x = obj->data.crl;
+  for (int i = 0; i < cnt; i++, idx++) {
+    X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
+    X509_CRL *x = obj->data.crl;
     X509_CRL_up_ref(x);
     if (!sk_X509_CRL_push(sk, x)) {
       CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
@@ -536,8 +473,8 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) {
   return sk;
 }
 
-X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
-                                        X509_OBJECT *x) {
+static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
+                                               X509_OBJECT *x) {
   sk_X509_OBJECT_sort(h);
   size_t idx;
   if (!sk_X509_OBJECT_find(h, &idx, x)) {
@@ -566,28 +503,25 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
   return NULL;
 }
 
-// Try to get issuer certificate from store. Due to limitations of the API
-// this can only retrieve a single certificate matching a given subject name.
-// However it will fill the cache with all matching certificates, so we can
-// examine the cache for all matches. Return values are: 1 lookup
-// successful.  0 certificate not found. -1 some other error.
-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
+int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx,
+                               X509 *x) {
   X509_NAME *xn;
   X509_OBJECT obj, *pobj;
   int idx, ret;
   size_t i;
   xn = X509_get_issuer_name(x);
-  if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj)) {
+  if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, &obj)) {
     return 0;
   }
   // If certificate matches all OK
-  if (ctx->check_issued(ctx, x, obj.data.x509)) {
-    *issuer = obj.data.x509;
+  if (x509_check_issued_with_callback(ctx, x, obj.data.x509)) {
+    *out_issuer = obj.data.x509;
     return 1;
   }
   X509_OBJECT_free_contents(&obj);
 
-  // Else find index of first cert accepted by 'check_issued'
+  // Else find index of first cert accepted by
+  // |x509_check_issued_with_callback|.
   ret = 0;
   CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);
   idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
@@ -603,8 +537,8 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
       if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) {
         break;
       }
-      if (ctx->check_issued(ctx, x, pobj->data.x509)) {
-        *issuer = pobj->data.x509;
+      if (x509_check_issued_with_callback(ctx, x, pobj->data.x509)) {
+        *out_issuer = pobj->data.x509;
         X509_OBJECT_up_ref_count(pobj);
         ret = 1;
         break;
@@ -632,109 +566,27 @@ int X509_STORE_set_trust(X509_STORE *ctx, int trust) {
   return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
 }
 
-int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) {
+int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param) {
   return X509_VERIFY_PARAM_set1(ctx->param, param);
 }
 
 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) { return ctx->param; }
 
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) {
-  ctx->verify = verify;
-}
-
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) {
-  return ctx->verify;
-}
-
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
                               X509_STORE_CTX_verify_cb verify_cb) {
   ctx->verify_cb = verify_cb;
 }
 
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) {
-  return ctx->verify_cb;
-}
-
-void X509_STORE_set_get_issuer(X509_STORE *ctx,
-                               X509_STORE_CTX_get_issuer_fn get_issuer) {
-  ctx->get_issuer = get_issuer;
-}
-
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) {
-  return ctx->get_issuer;
-}
-
-void X509_STORE_set_check_issued(X509_STORE *ctx,
-                                 X509_STORE_CTX_check_issued_fn check_issued) {
-  ctx->check_issued = check_issued;
-}
-
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) {
-  return ctx->check_issued;
-}
-
-void X509_STORE_set_check_revocation(
-    X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation) {
-  ctx->check_revocation = check_revocation;
-}
-
-X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(
-    X509_STORE *ctx) {
-  return ctx->check_revocation;
-}
-
 void X509_STORE_set_get_crl(X509_STORE *ctx,
                             X509_STORE_CTX_get_crl_fn get_crl) {
   ctx->get_crl = get_crl;
 }
 
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) {
-  return ctx->get_crl;
-}
-
 void X509_STORE_set_check_crl(X509_STORE *ctx,
                               X509_STORE_CTX_check_crl_fn check_crl) {
   ctx->check_crl = check_crl;
 }
 
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx) {
-  return ctx->check_crl;
-}
-
-void X509_STORE_set_cert_crl(X509_STORE *ctx,
-                             X509_STORE_CTX_cert_crl_fn cert_crl) {
-  ctx->cert_crl = cert_crl;
-}
-
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) {
-  return ctx->cert_crl;
+X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx) {
+  return ctx->ctx;
 }
-
-void X509_STORE_set_lookup_certs(X509_STORE *ctx,
-                                 X509_STORE_CTX_lookup_certs_fn lookup_certs) {
-  ctx->lookup_certs = lookup_certs;
-}
-
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) {
-  return ctx->lookup_certs;
-}
-
-void X509_STORE_set_lookup_crls(X509_STORE *ctx,
-                                X509_STORE_CTX_lookup_crls_fn lookup_crls) {
-  ctx->lookup_crls = lookup_crls;
-}
-
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) {
-  return ctx->lookup_crls;
-}
-
-void X509_STORE_set_cleanup(X509_STORE *ctx,
-                            X509_STORE_CTX_cleanup_fn ctx_cleanup) {
-  ctx->cleanup = ctx_cleanup;
-}
-
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) {
-  return ctx->cleanup;
-}
-
-X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) { return ctx->ctx; }

data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c

@@ -76,45 +76,55 @@ X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req) {
   return req->req_info->subject;
 }
 
-EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) {
-  if ((req == NULL) || (req->req_info == NULL)) {
+EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req) {
+  if (req == NULL) {
     return NULL;
   }
-  return (X509_PUBKEY_get(req->req_info->pubkey));
+  return X509_PUBKEY_get(req->req_info->pubkey);
 }
 
-int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) {
-  EVP_PKEY *xk = NULL;
-  int ok = 0;
+EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req) {
+  if (req == NULL) {
+    return NULL;
+  }
+  return X509_PUBKEY_get0(req->req_info->pubkey);
+}
+
+int X509_REQ_check_private_key(const X509_REQ *x, const EVP_PKEY *k) {
+  const EVP_PKEY *xk = X509_REQ_get0_pubkey(x);
+  if (xk == NULL) {
+    return 0;
+  }
+
+  int ret = EVP_PKEY_cmp(xk, k);
+  if (ret > 0) {
+    return 1;
+  }
 
-  xk = X509_REQ_get_pubkey(x);
-  switch (EVP_PKEY_cmp(xk, k)) {
-    case 1:
-      ok = 1;
-      break;
+  switch (ret) {
     case 0:
       OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);
-      break;
+      return 0;
     case -1:
       OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);
-      break;
+      return 0;
     case -2:
       if (EVP_PKEY_id(k) == EVP_PKEY_EC) {
         OPENSSL_PUT_ERROR(X509, ERR_R_EC_LIB);
-        break;
+      } else {
+        OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
       }
-      OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
+      return 0;
   }
 
-  EVP_PKEY_free(xk);
-  return ok;
+  return 0;
 }
 
 int X509_REQ_extension_nid(int req_nid) {
   return req_nid == NID_ext_req || req_nid == NID_ms_ext_req;
 }
 
-STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) {
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) {
   if (req == NULL || req->req_info == NULL) {
     return NULL;
   }
@@ -127,8 +137,10 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) {
     return NULL;
   }
 
-  X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);
-  ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type(attr, 0);
+  const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);
+  // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should
+  // take and return a const pointer.
+  const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0);
   if (!ext || ext->type != V_ASN1_SEQUENCE) {
     return NULL;
   }