=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/ca.c,v retrieving revision 1.31 retrieving revision 1.32 diff -c -r1.31 -r1.32 *** src/usr.bin/openssl/ca.c 2021/07/15 10:26:43 1.31 --- src/usr.bin/openssl/ca.c 2021/07/15 11:43:27 1.32 *************** *** 1,4 **** ! /* $OpenBSD: ca.c,v 1.31 2021/07/15 10:26:43 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * --- 1,4 ---- ! /* $OpenBSD: ca.c,v 1.32 2021/07/15 11:43:27 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * *************** *** 766,789 **** } } f = NCONF_get_string(conf, ca_config.section, STRING_MASK); ! if (!f) ERR_clear_error(); ! if (f && !ASN1_STRING_set_default_mask_asc(f)) { BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); goto err; } if (ca_config.chtype != MBSTRING_UTF8) { f = NCONF_get_string(conf, ca_config.section, UTF8_IN); ! if (!f) ERR_clear_error(); else if (!strcmp(f, "yes")) ca_config.chtype = MBSTRING_UTF8; } db_attr.unique_subject = 1; p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT); ! if (p) { db_attr.unique_subject = parse_yesno(p, 1); } else ERR_clear_error(); --- 766,789 ---- } } f = NCONF_get_string(conf, ca_config.section, STRING_MASK); ! if (f == NULL) ERR_clear_error(); ! if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) { BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); goto err; } if (ca_config.chtype != MBSTRING_UTF8) { f = NCONF_get_string(conf, ca_config.section, UTF8_IN); ! if (f == NULL) ERR_clear_error(); else if (!strcmp(f, "yes")) ca_config.chtype = MBSTRING_UTF8; } db_attr.unique_subject = 1; p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT); ! if (p != NULL) { db_attr.unique_subject = parse_yesno(p, 1); } else ERR_clear_error(); *************** *** 824,830 **** lookup_fail(ca_config.section, ENV_PRIVATE_KEY); goto err; } ! if (!ca_config.key) { free_key = 1; if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) { BIO_printf(bio_err, "Error getting password\n"); --- 824,830 ---- lookup_fail(ca_config.section, ENV_PRIVATE_KEY); goto err; } ! if (ca_config.key == NULL) { free_key = 1; if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) { BIO_printf(bio_err, "Error getting password\n"); *************** *** 832,838 **** } } pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key"); ! if (ca_config.key) explicit_bzero(ca_config.key, strlen(ca_config.key)); if (pkey == NULL) { /* load_key() has already printed an appropriate message */ --- 832,838 ---- } } pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key"); ! if (ca_config.key != NULL) explicit_bzero(ca_config.key, strlen(ca_config.key)); if (pkey == NULL) { /* load_key() has already printed an appropriate message */ *************** *** 840,846 **** } /*****************************************************************/ /* we need a certificate */ ! if (!ca_config.selfsign || ca_config.spkac_file || ca_config.ss_cert_file || ca_config.gencrl) { if ((ca_config.certfile == NULL) && ((ca_config.certfile = NCONF_get_string(conf, ca_config.section, ENV_CERTIFICATE)) == NULL)) { --- 840,846 ---- } /*****************************************************************/ /* we need a certificate */ ! if (!ca_config.selfsign || ca_config.spkac_file != NULL || ca_config.ss_cert_file != NULL || ca_config.gencrl) { if ((ca_config.certfile == NULL) && ((ca_config.certfile = NCONF_get_string(conf, ca_config.section, ENV_CERTIFICATE)) == NULL)) { *************** *** 886,892 **** f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT); ! if (f) { if (!set_cert_ex(&certopt, f)) { BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); --- 886,892 ---- f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT); ! if (f != NULL) { if (!set_cert_ex(&certopt, f)) { BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); *************** *** 898,904 **** f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY); ! if (f) { if (!set_ext_copy(&ext_copy, f)) { BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); --- 898,904 ---- f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY); ! if (f != NULL) { if (!set_ext_copy(&ext_copy, f)) { BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); *************** *** 1005,1011 **** } /*****************************************************************/ /* Read extentions config file */ ! if (ca_config.extfile) { extconf = NCONF_new(NULL); if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) { if (errorline <= 0) --- 1005,1011 ---- } /*****************************************************************/ /* Read extentions config file */ ! if (ca_config.extfile != NULL) { extconf = NCONF_new(NULL); if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) { if (errorline <= 0) *************** *** 1025,1032 **** ca_config.extfile); /* We can have sections in the ext file */ ! if (!ca_config.extensions && !(ca_config.extensions = NCONF_get_string(extconf, ! "default", "extensions"))) ca_config.extensions = "default"; } /*****************************************************************/ --- 1025,1032 ---- ca_config.extfile); /* We can have sections in the ext file */ ! if (ca_config.extensions == NULL && (ca_config.extensions = NCONF_get_string(extconf, ! "default", "extensions")) == NULL) ca_config.extensions = "default"; } /*****************************************************************/ *************** *** 1080,1097 **** lookup_fail(ca_config.section, ENV_SERIAL); goto err; } ! if (!extconf) { /* * no '-extfile' option, so we look for extensions in * the main configuration file */ ! if (!ca_config.extensions) { ca_config.extensions = NCONF_get_string(conf, ca_config.section, ENV_EXTENSIONS); ! if (!ca_config.extensions) ERR_clear_error(); } ! if (ca_config.extensions) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); --- 1080,1097 ---- lookup_fail(ca_config.section, ENV_SERIAL); goto err; } ! if (extconf == NULL) { /* * no '-extfile' option, so we look for extensions in * the main configuration file */ ! if (ca_config.extensions == NULL) { ca_config.extensions = NCONF_get_string(conf, ca_config.section, ENV_EXTENSIONS); ! if (ca_config.extensions == NULL) ERR_clear_error(); } ! if (ca_config.extensions != NULL) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); *************** *** 1177,1183 **** "Memory allocation failure\n"); goto err; } ! if (ca_config.outfile) { output_der = 1; ca_config.batch = 1; } --- 1177,1183 ---- "Memory allocation failure\n"); goto err; } ! if (ca_config.outfile != NULL) { output_der = 1; ca_config.batch = 1; } *************** *** 1257,1263 **** BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); (void) BIO_flush(bio_err); ! if (!fgets(answer, sizeof answer - 1, stdin)) { BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); ret = 0; goto err; --- 1257,1263 ---- BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); (void) BIO_flush(bio_err); ! if (fgets(answer, sizeof answer - 1, stdin) == NULL) { BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); ret = 0; goto err; *************** *** 1292,1298 **** serialstr = bin2hex(data, j); else serialstr = strdup("00"); ! if (serialstr) { k = snprintf(pempath, sizeof(pempath), "%s/%s.pem", ca_config.outdir, serialstr); free(serialstr); --- 1292,1298 ---- serialstr = bin2hex(data, j); else serialstr = strdup("00"); ! if (serialstr != NULL) { k = snprintf(pempath, sizeof(pempath), "%s/%s.pem", ca_config.outdir, serialstr); free(serialstr); *************** *** 1331,1342 **** /*****************************************************************/ if (ca_config.gencrl) { int crl_v2 = 0; ! if (!ca_config.crl_ext) { ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT); ! if (!ca_config.crl_ext) ERR_clear_error(); } ! if (ca_config.crl_ext) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); --- 1331,1342 ---- /*****************************************************************/ if (ca_config.gencrl) { int crl_v2 = 0; ! if (ca_config.crl_ext == NULL) { ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT); ! if (ca_config.crl_ext == NULL) ERR_clear_error(); } ! if (ca_config.crl_ext != NULL) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); *************** *** 1378,1389 **** goto err; tmptm = ASN1_TIME_new(); ! if (!tmptm) goto err; X509_gmtime_adj(tmptm, 0); X509_CRL_set_lastUpdate(crl, tmptm); ! if (!X509_time_adj_ex(tmptm, ca_config.crldays, ! ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL)) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); goto err; } --- 1378,1389 ---- goto err; tmptm = ASN1_TIME_new(); ! if (tmptm == NULL) goto err; X509_gmtime_adj(tmptm, 0); X509_CRL_set_lastUpdate(crl, tmptm); ! if (X509_time_adj_ex(tmptm, ca_config.crldays, ! ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == NULL) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); goto err; } *************** *** 1406,1412 **** tmpserial = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; ! if (!tmpserial) goto err; X509_REVOKED_set_serialNumber(r, tmpserial); ASN1_INTEGER_free(tmpserial); --- 1406,1412 ---- tmpserial = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; ! if (tmpserial == NULL) goto err; X509_REVOKED_set_serialNumber(r, tmpserial); ASN1_INTEGER_free(tmpserial); *************** *** 1425,1442 **** /* Add any extensions asked for */ ! if (ca_config.crl_ext || crlnumberfile != NULL) { X509V3_CTX crlctx; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); ! if (ca_config.crl_ext) if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, ca_config.crl_ext, crl)) goto err; if (crlnumberfile != NULL) { tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL); ! if (!tmpserial) goto err; X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpserial, 0, 0); --- 1425,1442 ---- /* Add any extensions asked for */ ! if (ca_config.crl_ext != NULL || crlnumberfile != NULL) { X509V3_CTX crlctx; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); ! if (ca_config.crl_ext != NULL) if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, ca_config.crl_ext, crl)) goto err; if (crlnumberfile != NULL) { tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL); ! if (tmpserial == NULL) goto err; X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpserial, 0, 0); *************** *** 1446,1452 **** goto err; } } ! if (ca_config.crl_ext || crl_v2) { if (!X509_CRL_set_version(crl, 1)) goto err; /* version 2 CRL */ } --- 1446,1452 ---- goto err; } } ! if (ca_config.crl_ext != NULL || crl_v2) { if (!X509_CRL_set_version(crl, 1)) goto err; /* version 2 CRL */ } *************** *** 1455,1461 **** if (!save_serial(crlnumberfile, "new", crlnumber, NULL)) goto err; ! if (crlnumber) { BN_free(crlnumber); crlnumber = NULL; } --- 1455,1461 ---- if (!save_serial(crlnumberfile, "new", crlnumber, NULL)) goto err; ! if (crlnumber != NULL) { BN_free(crlnumber); crlnumber = NULL; } *************** *** 1692,1701 **** for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; ! if (subj) { X509_NAME *n = parse_name(subj, chtype, multirdn); ! if (!n) { ERR_print_errors(bio_err); goto err; } --- 1692,1701 ---- for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; ! if (subj != NULL) { X509_NAME *n = parse_name(subj, chtype, multirdn); ! if (n == NULL) { ERR_print_errors(bio_err); goto err; } *************** *** 1870,1876 **** * Its best to dup the subject DN and then delete any email * addresses because this retains its structure. */ ! if (!(dn_subject = X509_NAME_dup(subject))) { BIO_printf(bio_err, "Memory allocation failure\n"); goto err; } --- 1870,1876 ---- * Its best to dup the subject DN and then delete any email * addresses because this retains its structure. */ ! if ((dn_subject = X509_NAME_dup(subject)) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto err; } *************** *** 1997,2003 **** goto err; /* Lets add the extensions, if there are any */ ! if (ext_sect) { X509V3_CTX ctx; if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) --- 1997,2003 ---- goto err; /* Lets add the extensions, if there are any */ ! if (ext_sect != NULL) { X509V3_CTX ctx; if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) *************** *** 2020,2026 **** else X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); ! if (extconf) { if (verbose) BIO_printf(bio_err, "Extra configuration file found\n"); --- 2020,2026 ---- else X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); ! if (extconf != NULL) { if (verbose) BIO_printf(bio_err, "Extra configuration file found\n"); *************** *** 2042,2048 **** } if (verbose) BIO_printf(bio_err, "Successfully added extensions from file.\n"); ! } else if (ext_sect) { /* We found extensions to be set from config file */ X509V3_set_nconf(&ctx, lconf); --- 2042,2048 ---- } if (verbose) BIO_printf(bio_err, "Successfully added extensions from file.\n"); ! } else if (ext_sect != NULL) { /* We found extensions to be set from config file */ X509V3_set_nconf(&ctx, lconf); *************** *** 2343,2349 **** row[i] = NULL; row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); ! if (!bn) goto err; if (BN_is_zero(bn)) row[DB_serial] = strdup("00"); --- 2343,2349 ---- row[i] = NULL; row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); ! if (bn == NULL) goto err; if (BN_is_zero(bn)) row[DB_serial] = strdup("00"); *************** *** 2425,2431 **** BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); rev_str = make_revocation_str(type, value); ! if (!rev_str) { BIO_printf(bio_err, "Error in revocation arguments\n"); goto err; } --- 2425,2431 ---- BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); rev_str = make_revocation_str(type, value); ! if (rev_str == NULL) { BIO_printf(bio_err, "Error in revocation arguments\n"); goto err; } *************** *** 2696,2717 **** if (i == 0) goto err; ! if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) goto err; ! if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); ! if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto err; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto err; } ! if (rev && comp_time) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) goto err; } ! if (rev && hold) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) goto err; --- 2696,2717 ---- if (i == 0) goto err; ! if (rev != NULL && !X509_REVOKED_set_revocationDate(rev, revDate)) goto err; ! if (rev != NULL && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); ! if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto err; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto err; } ! if (rev != NULL && comp_time != NULL) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) goto err; } ! if (rev != NULL && hold != NULL) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) goto err; *************** *** 2792,2808 **** p = strchr(tmp, ','); rtime_str = tmp; ! if (p) { *p = '\0'; p++; reason_str = p; p = strchr(p, ','); ! if (p) { *p = '\0'; arg_str = p + 1; } } ! if (prevtm) { *prevtm = ASN1_UTCTIME_new(); if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { BIO_printf(bio_err, "invalid revocation date %s\n", --- 2792,2808 ---- p = strchr(tmp, ','); rtime_str = tmp; ! if (p != NULL) { *p = '\0'; p++; reason_str = p; p = strchr(p, ','); ! if (p != NULL) { *p = '\0'; arg_str = p + 1; } } ! if (prevtm != NULL) { *prevtm = ASN1_UTCTIME_new(); if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { BIO_printf(bio_err, "invalid revocation date %s\n", *************** *** 2810,2816 **** goto err; } } ! if (reason_str) { for (i = 0; i < NUM_REASONS; i++) { if (!strcasecmp(reason_str, crl_reasons[i])) { reason_code = i; --- 2810,2816 ---- goto err; } } ! if (reason_str != NULL) { for (i = 0; i < NUM_REASONS; i++) { if (!strcasecmp(reason_str, crl_reasons[i])) { reason_code = i; *************** *** 2825,2831 **** if (reason_code == 7) reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; else if (reason_code == 8) { /* Hold instruction */ ! if (!arg_str) { BIO_printf(bio_err, "missing hold instruction\n"); goto err; --- 2825,2831 ---- if (reason_code == 7) reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; else if (reason_code == 8) { /* Hold instruction */ ! if (arg_str == NULL) { BIO_printf(bio_err, "missing hold instruction\n"); goto err; *************** *** 2833,2847 **** reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; hold = OBJ_txt2obj(arg_str, 0); ! if (!hold) { BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); goto err; } ! if (phold) *phold = hold; } else if ((reason_code == 9) || (reason_code == 10)) { ! if (!arg_str) { BIO_printf(bio_err, "missing compromised time\n"); goto err; --- 2833,2847 ---- reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; hold = OBJ_txt2obj(arg_str, 0); ! if (hold == NULL) { BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); goto err; } ! if (phold != NULL) *phold = hold; } else if ((reason_code == 9) || (reason_code == 10)) { ! if (arg_str == NULL) { BIO_printf(bio_err, "missing compromised time\n"); goto err; *************** *** 2859,2867 **** reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; } } ! if (preason) *preason = reason_code; ! if (pinvtm) *pinvtm = comp_time; else ASN1_GENERALIZEDTIME_free(comp_time); --- 2859,2867 ---- reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; } } ! if (preason != NULL) *preason = reason_code; ! if (pinvtm != NULL) *pinvtm = comp_time; else ASN1_GENERALIZEDTIME_free(comp_time); *************** *** 2871,2879 **** err: free(tmp); ! if (!phold) ASN1_OBJECT_free(hold); ! if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time); return ret; --- 2871,2879 ---- err: free(tmp); ! if (phold == NULL) ASN1_OBJECT_free(hold); ! if (pinvtm == NULL) ASN1_GENERALIZEDTIME_free(comp_time); return ret; *************** *** 2886,2892 **** char hex[] = "0123456789ABCDEF"; int i; ! if ((ret = malloc(len * 2 + 1))) { for (i = 0; i < len; i++) { ret[i * 2 + 0] = hex[data[i] >> 4]; ret[i * 2 + 1] = hex[data[i] & 0x0F]; --- 2886,2892 ---- char hex[] = "0123456789ABCDEF"; int i; ! if ((ret = malloc(len * 2 + 1)) != NULL) { for (i = 0; i < len; i++) { ret[i * 2 + 0] = hex[data[i] >> 4]; ret[i * 2 + 1] = hex[data[i] & 0x0F];