asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts
authorHamzah M. Yamani <hamzah.yamani125@gmail.com>
Sun, 1 Mar 2026 20:21:08 +0000 (15:21 -0500)
committerNorbert Pocs <norbertp@openssl.org>
Thu, 12 Mar 2026 08:53:41 +0000 (09:53 +0100)
Replace direct ASN1_STRING struct member access (->data, ->length) with
public accessor functions ASN1_STRING_get0_data() and ASN1_STRING_length()
in consumer code across four subsystems.

Also fix i2d_SCT_LIST() in crypto/ct/ct_oct.c to heap-allocate
ASN1_OCTET_STRING via ASN1_OCTET_STRING_new() and ASN1_STRING_set0()
rather than stack-allocating it, since the struct is now opaque.

Removes #include <crypto/asn1.h> from all modified files except
crypto/cmp/cmp_protect.c, which retains it for ossl_X509_ALGOR_from_nid().

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/30223)

crypto/cmp/cmp_protect.c
crypto/ct/ct_oct.c
crypto/sm2/sm2_crypt.c
crypto/ts/ts_asn1.c
crypto/ts/ts_rsp_sign.c
crypto/ts/ts_rsp_verify.c

index 651b3ff3245102d6f2e9457414985ebe1ebabe47..05ff81919ec9cb83e9edb8b2efa41fcf7f3295ae 100644 (file)
@@ -72,8 +72,8 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
         prot_part_der_len = (size_t)len;
 
         pbm_str = (ASN1_STRING *)ppval;
-        pbm_str_uc = pbm_str->data;
-        pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length);
+        pbm_str_uc = ASN1_STRING_get0_data(pbm_str);
+        pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, ASN1_STRING_length(pbm_str));
         if (pbm == NULL) {
             ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_ALGORITHM_OID);
             goto end;
@@ -81,7 +81,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
 
         if (!OSSL_CRMF_pbm_new(ctx->libctx, ctx->propq,
                 pbm, prot_part_der, prot_part_der_len,
-                ctx->secretValue->data, ctx->secretValue->length,
+                ASN1_STRING_get0_data(ctx->secretValue), ASN1_STRING_length(ctx->secretValue),
                 &protection, &sig_len))
             goto end;
 
index e9a6c271b783137e597189352eaa59e1102b8598..a110fbd3a96db73f4bdb66bd516a30e01a74ff16 100644 (file)
@@ -21,8 +21,6 @@
 
 #include "ct_local.h"
 
-#include <crypto/asn1.h>
-
 int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
 {
     size_t siglen;
@@ -382,8 +380,8 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
     if (d2i_ASN1_OCTET_STRING(&oct, &p, len) == NULL)
         return NULL;
 
-    p = oct->data;
-    if ((sk = o2i_SCT_LIST(a, &p, oct->length)) != NULL)
+    p = ASN1_STRING_get0_data(oct);
+    if ((sk = o2i_SCT_LIST(a, &p, ASN1_STRING_length(oct))) != NULL)
         *pp += len;
 
     ASN1_OCTET_STRING_free(oct);
@@ -392,14 +390,20 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
 
 int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **out)
 {
-    ASN1_OCTET_STRING oct;
+    ASN1_OCTET_STRING *oct;
+    unsigned char *data = NULL;
     int len;
 
-    oct.data = NULL;
-    if ((oct.length = i2o_SCT_LIST(a, &oct.data)) == -1)
+    if ((len = i2o_SCT_LIST(a, &data)) == -1)
         return -1;
 
-    len = i2d_ASN1_OCTET_STRING(&oct, out);
-    OPENSSL_free(oct.data);
+    oct = ASN1_OCTET_STRING_new();
+    if (oct == NULL) {
+        OPENSSL_free(data);
+        return -1;
+    }
+    ASN1_STRING_set0(oct, data, len);
+    len = i2d_ASN1_OCTET_STRING(oct, out);
+    ASN1_OCTET_STRING_free(oct);
     return len;
 }
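Review bot: Ownership of `data` passes to `oct` at `ASN1_STRING_set0(oct, data, len)`, but nothing in the new body of i2d_SCT_LIST() says so, whereas the removed code freed the buffer explicitly with `OPENSSL_free(oct.data)`. A later edit that restores an explicit free after the set0 call would double-free the encoded list. I would add `/* oct now owns data; ASN1_OCTET_STRING_free() releases it */` directly above the set0 call. Reusing `len` for both the i2o_SCT_LIST() length and the i2d_ASN1_OCTET_STRING() result is also easy to misread; a separate `int data_len` for the first value would keep them distinct.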
index 240abec46a84c104b1c0224d02b05e64ffbdeb5a..37993bc8c3f8a5da7fd7ecd54aca22ec18b78de1 100644 (file)
@@ -25,8 +25,6 @@
 #include <openssl/asn1t.h>
 #include <string.h>
 
-#include <crypto/asn1.h>
-
 typedef struct SM2_Ciphertext_st SM2_Ciphertext;
 DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext)
 
@@ -80,7 +78,7 @@ int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
         return 0;
     }
 
-    *pt_size = sm2_ctext->C2->length;
+    *pt_size = ASN1_STRING_length(sm2_ctext->C2);
     SM2_Ciphertext_free(sm2_ctext);
 
     return 1;
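Review bot: `*pt_size = ASN1_STRING_length(sm2_ctext->C2);` stores the accessor's `int` result into `*pt_size` (presumably a `size_t`, given the name and the `size_t ct_size` parameter) with no cast or sign check, and the value comes from the caller-supplied ciphertext `ct`. A decoded OCTET STRING should not report a negative length, so this is likely safe in practice, but ossl_sm2_decrypt() in the same file writes the conversion out as `(size_t)msg_len`. I would make it explicit here too, `*pt_size = (size_t)ASN1_STRING_length(sm2_ctext->C2);`, or reject a negative value before the assignment. The function starts outside this hunk, so any earlier validation is not visible here.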
@@ -316,14 +314,14 @@ int ossl_sm2_decrypt(const EC_KEY *key,
         goto done;
     }
 
-    if (sm2_ctext->C3->length != hash_size) {
+    if (ASN1_STRING_length(sm2_ctext->C3) != hash_size) {
         ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
         goto done;
     }
 
-    C2 = sm2_ctext->C2->data;
-    C3 = sm2_ctext->C3->data;
-    msg_len = sm2_ctext->C2->length;
+    C2 = ASN1_STRING_get0_data(sm2_ctext->C2);
+    C3 = ASN1_STRING_get0_data(sm2_ctext->C3);
+    msg_len = ASN1_STRING_length(sm2_ctext->C2);
     if (*ptext_len < (size_t)msg_len) {
         ERR_raise(ERR_LIB_SM2, SM2_R_BUFFER_TOO_SMALL);
         goto done;
index b3995c61b49c9d4cfe8dab539865f9da8a4c0247..b44002ef2f6cdddfa0685a8b3c0070706c4c9c82 100644 (file)
@@ -12,8 +12,6 @@
 #include <openssl/asn1t.h>
 #include "ts_local.h"
 
-#include <crypto/asn1.h>
-
 ASN1_SEQUENCE(TS_MSG_IMPRINT) = {
     ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR),
     ASN1_SIMPLE(TS_MSG_IMPRINT, hashed_msg, ASN1_OCTET_STRING)
@@ -231,6 +229,6 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
         return NULL;
     }
     tst_info_der = tst_info_wrapper->value.octet_string;
-    p = tst_info_der->data;
-    return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length);
+    p = ASN1_STRING_get0_data(tst_info_der);
+    return d2i_TS_TST_INFO(NULL, &p, ASN1_STRING_length(tst_info_der));
 }
index 4ad28cc049ea902f3796ffcf7bfcb6ff59b88d85..1421275fd9fbdcfecf51974cf26f3de7d87587a3 100644 (file)
@@ -19,8 +19,6 @@
 #include "crypto/ess.h"
 #include "ts_local.h"
 
-#include <crypto/asn1.h>
-
 DEFINE_STACK_OF_CONST(EVP_MD)
 
 static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
@@ -489,7 +487,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
         return 0;
     }
     digest = msg_imprint->hashed_msg;
-    if (digest->length != md_size) {
+    if (ASN1_STRING_length(digest) != md_size) {
         TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
             "Bad message digest.");
         TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
index d6e4b4fe39fb0b4b257f2c91d76001b1e086e0fc..1dc70c125bda1a70dca292460b81fc3cffc9f381 100644 (file)
@@ -16,8 +16,6 @@
 #include "crypto/ess.h"
 #include "ts_local.h"
 
-#include <crypto/asn1.h>
-
 static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
     X509 *signer, STACK_OF(X509) **chain);
 static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,
@@ -213,8 +211,8 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
     if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
         return NULL;
-    p = attr->value.sequence->data;
-    return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+    p = ASN1_STRING_get0_data(attr->value.sequence);
+    return d2i_ESS_SIGNING_CERT(NULL, &p, ASN1_STRING_length(attr->value.sequence));
 }
 
 static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
@@ -225,8 +223,8 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
     if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
         return NULL;
-    p = attr->value.sequence->data;
-    return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+    p = ASN1_STRING_get0_data(attr->value.sequence);
+    return d2i_ESS_SIGNING_CERT_V2(NULL, &p, ASN1_STRING_length(attr->value.sequence));
 }
 
 static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,