Commit a5057a18aa for openssl.org
commit a5057a18aa73d114f5ec146324867d9e25aa60d1
Author: Hamzah M. Yamani <hamzah.yamani125@gmail.com>
Date: Sun Mar 1 15:21:08 2026 -0500
asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts
Replace direct ASN1_STRING struct member access (->data, ->length) with
public accessor functions ASN1_STRING_get0_data() and ASN1_STRING_length()
in consumer code across four subsystems.
Also fix i2d_SCT_LIST() in crypto/ct/ct_oct.c to heap-allocate
ASN1_OCTET_STRING via ASN1_OCTET_STRING_new() and ASN1_STRING_set0()
rather than stack-allocating it, since the struct is now opaque.
Removes #include <crypto/asn1.h> from all modified files except
crypto/cmp/cmp_protect.c, which retains it for ossl_X509_ALGOR_from_nid().
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:53:07 2026
(Merged from https://github.com/openssl/openssl/pull/30223)
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 651b3ff324..05ff81919e 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -72,8 +72,8 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
prot_part_der_len = (size_t)len;
pbm_str = (ASN1_STRING *)ppval;
- pbm_str_uc = pbm_str->data;
- pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length);
+ pbm_str_uc = ASN1_STRING_get0_data(pbm_str);
+ pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, ASN1_STRING_length(pbm_str));
if (pbm == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_ALGORITHM_OID);
goto end;
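Review bot: The `d2i_OSSL_CRMF_PBMPARAMETER()` call does not check that the whole parameter string was consumed, so any bytes following the PBMParameter inside `pbm_str` are ignored without error. If strict decoding is intended, the test could become `if (pbm == NULL || pbm_str_uc != ASN1_STRING_get0_data(pbm_str) + ASN1_STRING_length(pbm_str)) {`, assuming the `end` label releases a non-NULL `pbm` (that label is outside the hunk). The same decode-without-length-check pattern appears in the `PKCS7_to_TS_TST_INFO()` hunk in crypto/ts/ts_asn1.c and in both `ossl_ess_get_signing_cert*()` hunks in crypto/ts/ts_rsp_verify.c. The behaviour predates this commit, which only replaces member access with accessors.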
@@ -81,7 +81,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
if (!OSSL_CRMF_pbm_new(ctx->libctx, ctx->propq,
pbm, prot_part_der, prot_part_der_len,
- ctx->secretValue->data, ctx->secretValue->length,
+ ASN1_STRING_get0_data(ctx->secretValue), ASN1_STRING_length(ctx->secretValue),
&protection, &sig_len))
goto end;
diff --git a/crypto/ct/ct_oct.c b/crypto/ct/ct_oct.c
index e9a6c271b7..a110fbd3a9 100644
--- a/crypto/ct/ct_oct.c
+++ b/crypto/ct/ct_oct.c
@@ -21,8 +21,6 @@
#include "ct_local.h"
-#include <crypto/asn1.h>
-
int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
{
size_t siglen;
@@ -382,8 +380,8 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
if (d2i_ASN1_OCTET_STRING(&oct, &p, len) == NULL)
return NULL;
- p = oct->data;
- if ((sk = o2i_SCT_LIST(a, &p, oct->length)) != NULL)
+ p = ASN1_STRING_get0_data(oct);
+ if ((sk = o2i_SCT_LIST(a, &p, ASN1_STRING_length(oct))) != NULL)
*pp += len;
ASN1_OCTET_STRING_free(oct);
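Review bot: `*pp += len` advances the caller's pointer by the full `len` that was passed in rather than by the bytes `d2i_ASN1_OCTET_STRING()` consumed, because `p` is overwritten with the payload pointer on the line before and the post-decode position is lost. When the input is longer than the encoded OCTET STRING, this appears to move `*pp` beyond the end of the element. A separate payload pointer declared alongside `p` would keep the position: `q = ASN1_STRING_get0_data(oct);`, then `o2i_SCT_LIST(a, &q, ASN1_STRING_length(oct))`, then `*pp = p;`. The start of `d2i_SCT_LIST()` is outside the hunk, so the meaning of `len` is inferred from its use in the `d2i_ASN1_OCTET_STRING()` call.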
@@ -392,14 +390,20 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **out)
{
- ASN1_OCTET_STRING oct;
+ ASN1_OCTET_STRING *oct;
+ unsigned char *data = NULL;
int len;
- oct.data = NULL;
- if ((oct.length = i2o_SCT_LIST(a, &oct.data)) == -1)
+ if ((len = i2o_SCT_LIST(a, &data)) == -1)
return -1;
- len = i2d_ASN1_OCTET_STRING(&oct, out);
- OPENSSL_free(oct.data);
+ oct = ASN1_OCTET_STRING_new();
+ if (oct == NULL) {
+ OPENSSL_free(data);
+ return -1;
+ }
+ ASN1_STRING_set0(oct, data, len);
+ len = i2d_ASN1_OCTET_STRING(oct, out);
+ ASN1_OCTET_STRING_free(oct);
return len;
}
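Review bot: The ownership transfer at `ASN1_STRING_set0(oct, data, len)` is not documented; after that call `data` must not be freed separately, because `ASN1_OCTET_STRING_free(oct)` releases it. A comment such as `/* oct now owns data; ASN1_OCTET_STRING_free() releases it */` above the call would guard against a later edit reintroducing `OPENSSL_free(data)` and causing a double free. `len` is also reused for two different quantities, first the raw SCT list length and then the DER-encoded length. A second local would make the return value easier to follow.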
diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
index 240abec46a..37993bc8c3 100644
--- a/crypto/sm2/sm2_crypt.c
+++ b/crypto/sm2/sm2_crypt.c
@@ -25,8 +25,6 @@
#include <openssl/asn1t.h>
#include <string.h>
-#include <crypto/asn1.h>
-
typedef struct SM2_Ciphertext_st SM2_Ciphertext;
DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext)
@@ -80,7 +78,7 @@ int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
return 0;
}
- *pt_size = sm2_ctext->C2->length;
+ *pt_size = ASN1_STRING_length(sm2_ctext->C2);
SM2_Ciphertext_free(sm2_ctext);
return 1;
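Review bot: `*pt_size = ASN1_STRING_length(sm2_ctext->C2);` stores an `int` into a `size_t` through an implicit conversion, while the `ossl_sm2_decrypt()` hunk that follows casts explicitly with `(size_t)msg_len`. A decoded OCTET STRING should not report a negative length, but `*pt_size = (size_t)ASN1_STRING_length(sm2_ctext->C2);` would keep the two sites consistent and make the conversion visible where a caller's buffer size is derived from ciphertext. The body of `ossl_sm2_plaintext_size()` begins outside the hunk.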
@@ -316,14 +314,14 @@ int ossl_sm2_decrypt(const EC_KEY *key,
goto done;
}
- if (sm2_ctext->C3->length != hash_size) {
+ if (ASN1_STRING_length(sm2_ctext->C3) != hash_size) {
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
goto done;
}
- C2 = sm2_ctext->C2->data;
- C3 = sm2_ctext->C3->data;
- msg_len = sm2_ctext->C2->length;
+ C2 = ASN1_STRING_get0_data(sm2_ctext->C2);
+ C3 = ASN1_STRING_get0_data(sm2_ctext->C3);
+ msg_len = ASN1_STRING_length(sm2_ctext->C2);
if (*ptext_len < (size_t)msg_len) {
ERR_raise(ERR_LIB_SM2, SM2_R_BUFFER_TOO_SMALL);
goto done;
diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c
index b3995c61b4..b44002ef2f 100644
--- a/crypto/ts/ts_asn1.c
+++ b/crypto/ts/ts_asn1.c
@@ -12,8 +12,6 @@
#include <openssl/asn1t.h>
#include "ts_local.h"
-#include <crypto/asn1.h>
-
ASN1_SEQUENCE(TS_MSG_IMPRINT) = {
ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR),
ASN1_SIMPLE(TS_MSG_IMPRINT, hashed_msg, ASN1_OCTET_STRING)
@@ -231,6 +229,6 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
return NULL;
}
tst_info_der = tst_info_wrapper->value.octet_string;
- p = tst_info_der->data;
- return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length);
+ p = ASN1_STRING_get0_data(tst_info_der);
+ return d2i_TS_TST_INFO(NULL, &p, ASN1_STRING_length(tst_info_der));
}
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 4ad28cc049..1421275fd9 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -19,8 +19,6 @@
#include "crypto/ess.h"
#include "ts_local.h"
-#include <crypto/asn1.h>
-
DEFINE_STACK_OF_CONST(EVP_MD)
static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
@@ -489,7 +487,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
return 0;
}
digest = msg_imprint->hashed_msg;
- if (digest->length != md_size) {
+ if (ASN1_STRING_length(digest) != md_size) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Bad message digest.");
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index d6e4b4fe39..1dc70c125b 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -16,8 +16,6 @@
#include "crypto/ess.h"
#include "ts_local.h"
-#include <crypto/asn1.h>
-
static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509 *signer, STACK_OF(X509) **chain);
static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,
@@ -213,8 +211,8 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
- p = attr->value.sequence->data;
- return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+ p = ASN1_STRING_get0_data(attr->value.sequence);
+ return d2i_ESS_SIGNING_CERT(NULL, &p, ASN1_STRING_length(attr->value.sequence));
}
static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
@@ -225,8 +223,8 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
- p = attr->value.sequence->data;
- return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+ p = ASN1_STRING_get0_data(attr->value.sequence);
+ return d2i_ESS_SIGNING_CERT_V2(NULL, &p, ASN1_STRING_length(attr->value.sequence));
}
static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,