=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/ca.c,v retrieving revision 1.35 retrieving revision 1.36 diff -c -r1.35 -r1.36 *** src/usr.bin/openssl/ca.c 2021/07/24 13:21:04 1.35 --- src/usr.bin/openssl/ca.c 2021/08/28 02:11:18 1.36 *************** *** 1,4 **** ! /* $OpenBSD: ca.c,v 1.35 2021/07/24 13:21:04 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * --- 1,4 ---- ! /* $OpenBSD: ca.c,v 1.36 2021/08/28 02:11:18 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * *************** *** 141,147 **** unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); ! static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, --- 141,147 ---- unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); ! static int write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, *************** *** 1065,1070 **** --- 1065,1072 ---- goto err; } ca_config.md = (char *) OBJ_nid2sn(def_nid); + if (ca_config.md == NULL) + goto err; } if ((dgst = EVP_get_digestbyname(ca_config.md)) == NULL) { BIO_printf(bio_err, *************** *** 1350,1358 **** perror(pempath); goto err; } ! write_new_certificate(Cout, x, 0, ca_config.notext); ! write_new_certificate(Sout, x, output_der, ! ca_config.notext); } if (sk_X509_num(cert_sk)) { --- 1352,1363 ---- perror(pempath); goto err; } ! if (!write_new_certificate(Cout, x, 0, ! ca_config.notext)) ! goto err; ! if (!write_new_certificate(Sout, x, output_der, ! ca_config.notext)) ! goto err; } if (sk_X509_num(cert_sk)) { *************** *** 1423,1438 **** tmptm = ASN1_TIME_new(); if (tmptm == NULL) goto err; ! X509_gmtime_adj(tmptm, 0); ! X509_CRL_set_lastUpdate(crl, tmptm); if (X509_time_adj_ex(tmptm, ca_config.crldays, ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == NULL) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); goto err; } ! X509_CRL_set_nextUpdate(crl, tmptm); ! ASN1_TIME_free(tmptm); for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { --- 1428,1452 ---- tmptm = ASN1_TIME_new(); if (tmptm == NULL) goto err; ! if (X509_gmtime_adj(tmptm, 0) == NULL) { ! ASN1_TIME_free(tmptm); ! goto err; ! } ! if (!X509_CRL_set_lastUpdate(crl, tmptm)) { ! ASN1_TIME_free(tmptm); ! goto err; ! } if (X509_time_adj_ex(tmptm, ca_config.crldays, ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == NULL) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); + ASN1_TIME_free(tmptm); goto err; } ! if (!X509_CRL_set_nextUpdate(crl, tmptm)) { ! ASN1_TIME_free(tmptm); ! goto err; ! } ASN1_TIME_free(tmptm); for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { *************** *** 1452,1460 **** serial = NULL; if (tmpserial == NULL) goto err; ! X509_REVOKED_set_serialNumber(r, tmpserial); ASN1_INTEGER_free(tmpserial); ! X509_CRL_add0_revoked(crl, r); } } --- 1466,1478 ---- serial = NULL; if (tmpserial == NULL) goto err; ! if (!X509_REVOKED_set_serialNumber(r, tmpserial)) { ! ASN1_INTEGER_free(tmpserial); ! goto err; ! } ASN1_INTEGER_free(tmpserial); ! if (!X509_CRL_add0_revoked(crl, r)) ! goto err; } } *************** *** 1482,1489 **** tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL); if (tmpserial == NULL) goto err; ! X509_CRL_add1_ext_i2d(crl, NID_crl_number, ! tmpserial, 0, 0); ASN1_INTEGER_free(tmpserial); crl_v2 = 1; if (!BN_add_word(crlnumber, 1)) --- 1500,1510 ---- tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL); if (tmpserial == NULL) goto err; ! if (!X509_CRL_add1_ext_i2d(crl, NID_crl_number, ! tmpserial, 0, 0)) { ! ASN1_INTEGER_free(tmpserial); ! goto err; ! } ASN1_INTEGER_free(tmpserial); crl_v2 = 1; if (!BN_add_word(crlnumber, 1)) *************** *** 1507,1513 **** ca_config.sigopts)) goto err; ! PEM_write_bio_X509_CRL(Sout, crl); if (crlnumberfile != NULL) /* Rename the crlnumber file */ if (!rotate_serial(crlnumberfile, "new", "old")) --- 1528,1535 ---- ca_config.sigopts)) goto err; ! if (!PEM_write_bio_X509_CRL(Sout, crl)) ! goto err; if (crlnumberfile != NULL) /* Rename the crlnumber file */ if (!rotate_serial(crlnumberfile, "new", "old")) *************** *** 1605,1612 **** infile); goto err; } ! if (verbose) ! X509_REQ_print(bio_err, req); BIO_printf(bio_err, "Check that the request matches the signature\n"); --- 1627,1636 ---- infile); goto err; } ! if (verbose) { ! if (!X509_REQ_print(bio_err, req)) ! goto err; ! } BIO_printf(bio_err, "Check that the request matches the signature\n"); *************** *** 1665,1672 **** if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, infile)) == NULL) goto err; ! if (verbose) ! X509_print(bio_err, req); BIO_printf(bio_err, "Check that the request matches the signature\n"); --- 1689,1698 ---- if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, infile)) == NULL) goto err; ! if (verbose) { ! if (!X509_print(bio_err, req)) ! goto err; ! } BIO_printf(bio_err, "Check that the request matches the signature\n"); *************** *** 1746,1752 **** ERR_print_errors(bio_err); goto err; } ! X509_REQ_set_subject_name(req, n); req->req_info->enc.modified = 1; X509_NAME_free(n); } --- 1772,1781 ---- ERR_print_errors(bio_err); goto err; } ! if (!X509_REQ_set_subject_name(req, n)) { ! X509_NAME_free(n); ! goto err; ! } req->req_info->enc.modified = 1; X509_NAME_free(n); } *************** *** 1757,1768 **** --- 1786,1805 ---- name = X509_REQ_get_subject_name(req); for (i = 0; i < X509_NAME_entry_count(name); i++) { ne = X509_NAME_get_entry(name, i); + if (ne == NULL) + goto err; str = X509_NAME_ENTRY_get_data(ne); + if (str == NULL) + goto err; obj = X509_NAME_ENTRY_get_object(ne); + if (obj == NULL) + goto err; if (ca_config.msie_hack) { /* assume all type should be strings */ nid = OBJ_obj2nid(ne->object); + if (nid == NID_undef) + goto err; if (str->type == V_ASN1_UNIVERSALSTRING) ASN1_UNIVERSALSTRING_to_string(str); *************** *** 1825,1830 **** --- 1862,1869 ---- goto err; } obj = OBJ_nid2obj(j); + if (obj == NULL) + goto err; last = -1; for (;;) { *************** *** 1836,1841 **** --- 1875,1882 ---- tne = NULL; } else { tne = X509_NAME_get_entry(name, j); + if (tne == NULL) + goto err; } last = j; *************** *** 1874,1881 **** --- 1915,1928 ---- } if (j >= 0) { push = X509_NAME_get_entry(CAname, j); + if (push == NULL) + goto err; str = X509_NAME_ENTRY_get_data(tne); + if (str == NULL) + goto err; str2 = X509_NAME_ENTRY_get_data(push); + if (str2 == NULL) + goto err; last2 = j; if (ASN1_STRING_cmp(str, str2) != 0) goto again2; *************** *** 1943,1949 **** while ((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, -1)) >= 0) { tmpne = X509_NAME_get_entry(dn_subject, i); ! X509_NAME_delete_entry(dn_subject, i); X509_NAME_ENTRY_free(tmpne); } } --- 1990,2001 ---- while ((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, -1)) >= 0) { tmpne = X509_NAME_get_entry(dn_subject, i); ! if (tmpne == NULL) ! goto err; ! if (X509_NAME_delete_entry(dn_subject, i) == NULL) { ! X509_NAME_ENTRY_free(tmpne); ! goto err; ! } X509_NAME_ENTRY_free(tmpne); } } *************** *** 2039,2055 **** goto err; } ! if (strcmp(startdate, "today") == 0) ! X509_gmtime_adj(X509_get_notBefore(ret), 0); ! else if (setCertificateTime(X509_get_notBefore(ret), startdate) == -1) { BIO_printf(bio_err, "Invalid start date %s\n", startdate); goto err; } ! if (enddate == NULL) ! X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL); ! else if (setCertificateTime(X509_get_notAfter(ret), enddate) == -1) { BIO_printf(bio_err, "Invalid end date %s\n", enddate); goto err; --- 2091,2110 ---- goto err; } ! if (strcmp(startdate, "today") == 0) { ! if (X509_gmtime_adj(X509_get_notBefore(ret), 0) == NULL) ! goto err; ! } else if (setCertificateTime(X509_get_notBefore(ret), startdate) == -1) { BIO_printf(bio_err, "Invalid start date %s\n", startdate); goto err; } ! if (enddate == NULL) { ! if (X509_time_adj_ex(X509_get_notAfter(ret), days, 0, ! NULL) == NULL) ! goto err; ! } else if (setCertificateTime(X509_get_notAfter(ret), enddate) == -1) { BIO_printf(bio_err, "Invalid end date %s\n", enddate); goto err; *************** *** 2059,2064 **** --- 2114,2122 ---- goto err; pktmp = X509_REQ_get_pubkey(req); + if (pktmp == NULL) + goto err; + i = X509_set_pubkey(ret, pktmp); EVP_PKEY_free(pktmp); if (!i) *************** *** 2070,2077 **** if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) goto err; - ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */ /* * Free the current entries if any, there should not be any I * believe --- 2128,2138 ---- if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) goto err; + /* version 3 certificate */ + if (!ASN1_INTEGER_set(ci->version, 2)) + goto err; + /* * Free the current entries if any, there should not be any I * believe *************** *** 2146,2152 **** * present */ certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; ! X509_print_ex(bio_err, ret, nameopt, certopt); } BIO_printf(bio_err, "Certificate is to be certified until "); ASN1_TIME_print(bio_err, X509_get_notAfter(ret)); --- 2207,2214 ---- * present */ certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; ! if (!X509_print_ex(bio_err, ret, nameopt, certopt)) ! goto err; } BIO_printf(bio_err, "Certificate is to be certified until "); ASN1_TIME_print(bio_err, X509_get_notAfter(ret)); *************** *** 2172,2181 **** goto err; } } pktmp = X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && ! !EVP_PKEY_missing_parameters(pkey)) ! EVP_PKEY_copy_parameters(pktmp, pkey); EVP_PKEY_free(pktmp); if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts)) --- 2234,2251 ---- goto err; } } + pktmp = X509_get_pubkey(ret); + if (pktmp == NULL) + goto err; + if (EVP_PKEY_missing_parameters(pktmp) && ! !EVP_PKEY_missing_parameters(pkey)) { ! if (!EVP_PKEY_copy_parameters(pktmp, pkey)) { ! EVP_PKEY_free(pktmp); ! goto err; ! } ! } EVP_PKEY_free(pktmp); if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts)) *************** *** 2247,2262 **** return (ok); } ! static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) { if (output_der) { ! (void) i2d_X509_bio(bp, x); ! return; } ! if (!notext) ! X509_print(bp, x); ! PEM_write_bio_X509(bp, x); } static int --- 2317,2335 ---- return (ok); } ! static int write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) { if (output_der) { ! if (!i2d_X509_bio(bp, x)) ! return (0); } ! if (!notext) { ! if (!X509_print(bp, x)) ! return (0); ! } ! ! return PEM_write_bio_X509(bp, x); } static int *************** *** 2377,2383 **** } BIO_printf(bio_err, "Signature ok\n"); ! X509_REQ_set_pubkey(req, pktmp); EVP_PKEY_free(pktmp); ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, 1, --- 2450,2459 ---- } BIO_printf(bio_err, "Signature ok\n"); ! if (!X509_REQ_set_pubkey(req, pktmp)) { ! EVP_PKEY_free(pktmp); ! goto err; ! } EVP_PKEY_free(pktmp); ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, 1, *************** *** 2591,2602 **** ASN1_UTCTIME *a_tm = NULL; int i, cnt = 0; int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ ! char **rrow, *a_tm_s; a_tm = ASN1_UTCTIME_new(); /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); a_tm_s = malloc(a_tm->length + 1); if (a_tm_s == NULL) { cnt = -1; --- 2667,2686 ---- ASN1_UTCTIME *a_tm = NULL; int i, cnt = 0; int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ ! char **rrow, *a_tm_s = NULL; a_tm = ASN1_UTCTIME_new(); + if (a_tm == NULL) { + cnt = -1; + goto err; + } /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); + if (a_tm == NULL) { + cnt = -1; + goto err; + } a_tm_s = malloc(a_tm->length + 1); if (a_tm_s == NULL) { cnt = -1; *************** *** 2701,2707 **** case REV_HOLD: /* Argument is an OID */ - otmp = OBJ_txt2obj(rev_arg, 0); ASN1_OBJECT_free(otmp); --- 2785,2790 ---- *************** *** 2716,2722 **** case REV_KEY_COMPROMISE: case REV_CA_COMPROMISE: - /* Argument is the key compromise time */ if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { BIO_printf(bio_err, --- 2799,2804 ---- *************** *** 2731,2745 **** reason = "CAkeyTime"; break; - } revtm = X509_gmtime_adj(NULL, 0); if (asprintf(&str, "%s%s%s%s%s", revtm->data, reason ? "," : "", reason ? reason : "", other ? "," : "", other ? other : "") == -1) str = NULL; ASN1_UTCTIME_free(revtm); return str; } --- 2813,2831 ---- reason = "CAkeyTime"; break; } revtm = X509_gmtime_adj(NULL, 0); + if (revtm == NULL) + return NULL; + if (asprintf(&str, "%s%s%s%s%s", revtm->data, reason ? "," : "", reason ? reason : "", other ? "," : "", other ? other : "") == -1) str = NULL; + ASN1_UTCTIME_free(revtm); + return str; }