===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/ca.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- src/usr.bin/openssl/ca.c	2021/08/30 12:25:54	1.43
+++ src/usr.bin/openssl/ca.c	2021/09/02 11:07:56	1.44
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.43 2021/08/30 12:25:54 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.44 2021/09/02 11:07:56 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1954,106 +1954,7 @@
 		if (subject == NULL)
 			goto err;
 	}
-	if (verbose)
-		BIO_printf(bio_err,
-		    "The subject name appears to be ok, checking data base for clashes\n");
 
-	/* Build the correct Subject if no email is wanted in the subject */
-	/*
-	 * and add it later on because of the method extensions are added
-	 * (altName)
-	 */
-
-	if (email_dn)
-		dn_subject = subject;
-	else {
-		X509_NAME_ENTRY *tmpne;
-		/*
-		 * Its best to dup the subject DN and then delete any email
-		 * addresses because this retains its structure.
-		 */
-		if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
-			BIO_printf(bio_err, "Memory allocation failure\n");
-			goto err;
-		}
-		while ((i = X509_NAME_get_index_by_NID(dn_subject,
-		    NID_pkcs9_emailAddress, -1)) >= 0) {
-			tmpne = X509_NAME_get_entry(dn_subject, i);
-			if (tmpne == NULL)
-				goto err;
-			if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
-				X509_NAME_ENTRY_free(tmpne);
-				goto err;
-			}
-			X509_NAME_ENTRY_free(tmpne);
-		}
-	}
-
-	if (BN_is_zero(serial))
-		row[DB_serial] = strdup("00");
-	else
-		row[DB_serial] = BN_bn2hex(serial);
-	if (row[DB_serial] == NULL) {
-		BIO_printf(bio_err, "Memory allocation failure\n");
-		goto err;
-	}
-	if (db->attributes.unique_subject) {
-		OPENSSL_STRING *crow = row;
-
-		rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
-		if (rrow != NULL) {
-			BIO_printf(bio_err,
-			    "ERROR:There is already a certificate for %s\n",
-			    row[DB_name]);
-		}
-	}
-	if (rrow == NULL) {
-		rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
-		if (rrow != NULL) {
-			BIO_printf(bio_err,
-			    "ERROR:Serial number %s has already been issued,\n",
-			    row[DB_serial]);
-			BIO_printf(bio_err,
-			    "      check the database/serial_file for corruption\n");
-		}
-	}
-	if (rrow != NULL) {
-		BIO_printf(bio_err,
-		    "The matching entry has the following details\n");
-		if (rrow[DB_type][0] == 'E')
-			p = "Expired";
-		else if (rrow[DB_type][0] == 'R')
-			p = "Revoked";
-		else if (rrow[DB_type][0] == 'V')
-			p = "Valid";
-		else
-			p = "\ninvalid type, Data base error\n";
-		BIO_printf(bio_err, "Type	  :%s\n", p);
-		if (rrow[DB_type][0] == 'R') {
-			p = rrow[DB_exp_date];
-			if (p == NULL)
-				p = "undef";
-			BIO_printf(bio_err, "Was revoked on:%s\n", p);
-		}
-		p = rrow[DB_exp_date];
-		if (p == NULL)
-			p = "undef";
-		BIO_printf(bio_err, "Expires on    :%s\n", p);
-		p = rrow[DB_serial];
-		if (p == NULL)
-			p = "undef";
-		BIO_printf(bio_err, "Serial Number :%s\n", p);
-		p = rrow[DB_file];
-		if (p == NULL)
-			p = "undef";
-		BIO_printf(bio_err, "File name     :%s\n", p);
-		p = rrow[DB_name];
-		if (p == NULL)
-			p = "undef";
-		BIO_printf(bio_err, "Subject Name  :%s\n", p);
-		ok = -1;	/* This is now a 'bad' error. */
-		goto err;
-	}
 	/* We are now totally happy, lets make and sign the certificate */
 	if (verbose)
 		BIO_printf(bio_err,
@@ -2179,11 +2080,113 @@
 		ERR_print_errors(bio_err);
 		goto err;
 	}
-	/* Set the right value for the noemailDN option */
-	if (email_dn == 0) {
+
+	if (verbose)
+		BIO_printf(bio_err,
+		    "The subject name appears to be ok, checking data base for clashes\n");
+
+	/* Build the correct Subject if no email is wanted in the subject */
+	if (!email_dn) {
+		X509_NAME_ENTRY *tmpne;
+		/*
+		 * Its best to dup the subject DN and then delete any email
+		 * addresses because this retains its structure.
+		 */
+		if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
+			BIO_printf(bio_err, "Memory allocation failure\n");
+			goto err;
+		}
+		while ((i = X509_NAME_get_index_by_NID(dn_subject,
+		    NID_pkcs9_emailAddress, -1)) >= 0) {
+			tmpne = X509_NAME_get_entry(dn_subject, i);
+			if (tmpne == NULL)
+				goto err;
+			if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
+				X509_NAME_ENTRY_free(tmpne);
+				goto err;
+			}
+			X509_NAME_ENTRY_free(tmpne);
+		}
+
 		if (!X509_set_subject_name(ret, dn_subject))
 			goto err;
+
+		X509_NAME_free(dn_subject);
+		dn_subject = NULL;
 	}
+
+	row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+	if (row[DB_name] == NULL) {
+		BIO_printf(bio_err, "Memory allocation failure\n");
+		goto err;
+	}
+
+	if (BN_is_zero(serial))
+		row[DB_serial] = strdup("00");
+	else
+		row[DB_serial] = BN_bn2hex(serial);
+	if (row[DB_serial] == NULL) {
+		BIO_printf(bio_err, "Memory allocation failure\n");
+		goto err;
+	}
+	if (db->attributes.unique_subject) {
+		OPENSSL_STRING *crow = row;
+
+		rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
+		if (rrow != NULL) {
+			BIO_printf(bio_err,
+			    "ERROR:There is already a certificate for %s\n",
+			    row[DB_name]);
+		}
+	}
+	if (rrow == NULL) {
+		rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+		if (rrow != NULL) {
+			BIO_printf(bio_err,
+			    "ERROR:Serial number %s has already been issued,\n",
+			    row[DB_serial]);
+			BIO_printf(bio_err,
+			    "      check the database/serial_file for corruption\n");
+		}
+	}
+	if (rrow != NULL) {
+		BIO_printf(bio_err,
+		    "The matching entry has the following details\n");
+		if (rrow[DB_type][0] == 'E')
+			p = "Expired";
+		else if (rrow[DB_type][0] == 'R')
+			p = "Revoked";
+		else if (rrow[DB_type][0] == 'V')
+			p = "Valid";
+		else
+			p = "\ninvalid type, Data base error\n";
+		BIO_printf(bio_err, "Type	  :%s\n", p);
+		if (rrow[DB_type][0] == 'R') {
+			p = rrow[DB_exp_date];
+			if (p == NULL)
+				p = "undef";
+			BIO_printf(bio_err, "Was revoked on:%s\n", p);
+		}
+		p = rrow[DB_exp_date];
+		if (p == NULL)
+			p = "undef";
+		BIO_printf(bio_err, "Expires on    :%s\n", p);
+		p = rrow[DB_serial];
+		if (p == NULL)
+			p = "undef";
+		BIO_printf(bio_err, "Serial Number :%s\n", p);
+		p = rrow[DB_file];
+		if (p == NULL)
+			p = "undef";
+		BIO_printf(bio_err, "File name     :%s\n", p);
+		p = rrow[DB_name];
+		if (p == NULL)
+			p = "undef";
+		BIO_printf(bio_err, "Subject Name  :%s\n", p);
+		ok = -1;	/* This is now a 'bad' error. */
+		goto err;
+	}
+
 	if (!default_op) {
 		BIO_printf(bio_err, "Certificate Details:\n");
 		/*
@@ -2250,7 +2253,6 @@
 
 	/* row[DB_serial] done already */
 	row[DB_file] = malloc(8);
-	row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
 
 	if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
 	    (row[DB_name] == NULL)) {
@@ -2288,8 +2290,7 @@
 
 	X509_NAME_free(CAname);
 	X509_NAME_free(subject);
-	if (!email_dn)
-		X509_NAME_free(dn_subject);
+	X509_NAME_free(dn_subject);
 	ASN1_UTCTIME_free(tmptm);
 	X509_free(ret);