=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/pkcs12.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- src/usr.bin/openssl/pkcs12.c 2022/11/11 17:07:39 1.24 +++ src/usr.bin/openssl/pkcs12.c 2023/03/06 14:32:06 1.25 @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs12.c,v 1.24 2022/11/11 17:07:39 joshua Exp $ */ +/* $OpenBSD: pkcs12.c,v 1.25 2023/03/06 14:32:06 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -118,16 +118,16 @@ char *passargin; char *passargout; int twopass; -} pkcs12_config; +} cfg; static int pkcs12_opt_canames(char *arg) { - if (pkcs12_config.canames == NULL && - (pkcs12_config.canames = sk_OPENSSL_STRING_new_null()) == NULL) + if (cfg.canames == NULL && + (cfg.canames = sk_OPENSSL_STRING_new_null()) == NULL) return (1); - if (!sk_OPENSSL_STRING_push(pkcs12_config.canames, arg)) + if (!sk_OPENSSL_STRING_push(cfg.canames, arg)) return (1); return (0); @@ -136,20 +136,20 @@ static int pkcs12_opt_cert_pbe(char *arg) { - return (!set_pbe(bio_err, &pkcs12_config.cert_pbe, arg)); + return (!set_pbe(bio_err, &cfg.cert_pbe, arg)); } static int pkcs12_opt_key_pbe(char *arg) { - return (!set_pbe(bio_err, &pkcs12_config.key_pbe, arg)); + return (!set_pbe(bio_err, &cfg.key_pbe, arg)); } static int pkcs12_opt_passarg(char *arg) { - pkcs12_config.passarg = arg; - pkcs12_config.noprompt = 1; + cfg.passarg = arg; + cfg.noprompt = 1; return (0); } @@ -196,8 +196,8 @@ return (1); if (strcmp(name, "nodes") == 0) - pkcs12_config.enc = NULL; - else if ((pkcs12_config.enc = get_cipher_by_name(name)) == NULL) + cfg.enc = NULL; + else if ((cfg.enc = get_cipher_by_name(name)) == NULL) return (1); *argsused = 1; @@ -269,7 +269,7 @@ .name = "cacerts", .desc = "Only output CA certificates", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = CACERTS, }, { @@ -277,7 +277,7 @@ .argname = "file", .desc = "PEM format file of CA certificates", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.CAfile, + .opt.arg = &cfg.CAfile, }, { .name = "caname", @@ -291,14 +291,14 @@ .argname = "directory", .desc = "PEM format directory of CA certificates", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.CApath, + .opt.arg = &cfg.CApath, }, { .name = "certfile", .argname = "file", .desc = "Add all certs in file", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.certfile, + .opt.arg = &cfg.certfile, }, { .name = "certpbe", @@ -311,13 +311,13 @@ .name = "chain", .desc = "Add certificate chain", .type = OPTION_FLAG, - .opt.flag = &pkcs12_config.chain, + .opt.flag = &cfg.chain, }, { .name = "clcerts", .desc = "Only output client certificates", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = CLCERTS, }, { @@ -325,33 +325,33 @@ .argname = "name", .desc = "Microsoft CSP name", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.csp_name, + .opt.arg = &cfg.csp_name, }, { .name = "descert", .desc = "Encrypt PKCS#12 certificates with triple DES (default RC2-40)", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.cert_pbe, + .opt.value = &cfg.cert_pbe, .value = NID_pbe_WithSHA1And3_Key_TripleDES_CBC, }, { .name = "export", .desc = "Output PKCS#12 file", .type = OPTION_FLAG, - .opt.flag = &pkcs12_config.export_cert, + .opt.flag = &cfg.export_cert, }, { .name = "in", .argname = "file", .desc = "Input filename", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.infile, + .opt.arg = &cfg.infile, }, { .name = "info", .desc = "Give info about PKCS#12 structure", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = INFO, }, { @@ -359,13 +359,13 @@ .argname = "file", .desc = "Private key if not infile", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.keyname, + .opt.arg = &cfg.keyname, }, { .name = "keyex", .desc = "Set MS key exchange type", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.keytype, + .opt.value = &cfg.keytype, .value = KEY_EX, }, { @@ -379,27 +379,27 @@ .name = "keysig", .desc = "Set MS key signature type", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.keytype, + .opt.value = &cfg.keytype, .value = KEY_SIG, }, { .name = "LMK", .desc = "Add local machine keyset attribute to private key", .type = OPTION_FLAG, - .opt.flag = &pkcs12_config.add_lmk, + .opt.flag = &cfg.add_lmk, }, { .name = "macalg", .argname = "alg", .desc = "Digest algorithm used in MAC (default SHA1)", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.macalg, + .opt.arg = &cfg.macalg, }, { .name = "maciter", .desc = "Use MAC iteration", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.maciter, + .opt.value = &cfg.maciter, .value = PKCS12_DEFAULT_ITER, }, { @@ -407,13 +407,13 @@ .argname = "name", .desc = "Use name as friendly name", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.name, + .opt.arg = &cfg.name, }, { .name = "nocerts", .desc = "Don't output certificates", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = NOCERTS, }, { @@ -426,42 +426,42 @@ .name = "noiter", .desc = "Don't use encryption iteration", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.iter, + .opt.value = &cfg.iter, .value = 1, }, { .name = "nokeys", .desc = "Don't output private keys", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = NOKEYS, }, { .name = "nomac", .desc = "Don't generate MAC", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.maciter, + .opt.value = &cfg.maciter, .value = -1, }, { .name = "nomaciter", .desc = "Don't use MAC iteration", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.maciter, + .opt.value = &cfg.maciter, .value = 1, }, { .name = "nomacver", .desc = "Don't verify MAC", .type = OPTION_VALUE, - .opt.value = &pkcs12_config.macver, + .opt.value = &cfg.macver, .value = 0, }, { .name = "noout", .desc = "Don't output anything, just verify", .type = OPTION_VALUE_OR, - .opt.value = &pkcs12_config.options, + .opt.value = &cfg.options, .value = (NOKEYS | NOCERTS), }, { @@ -469,21 +469,21 @@ .argname = "file", .desc = "Output filename", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.outfile, + .opt.arg = &cfg.outfile, }, { .name = "passin", .argname = "arg", .desc = "Input file passphrase source", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.passargin, + .opt.arg = &cfg.passargin, }, { .name = "passout", .argname = "arg", .desc = "Output file passphrase source", .type = OPTION_ARG, - .opt.arg = &pkcs12_config.passargout, + .opt.arg = &cfg.passargout, }, { .name = "password", @@ -496,7 +496,7 @@ .name = "twopass", .desc = "Separate MAC, encryption passwords", .type = OPTION_FLAG, - .opt.flag = &pkcs12_config.twopass, + .opt.flag = &cfg.twopass, }, { NULL }, }; @@ -541,73 +541,73 @@ exit(1); } - memset(&pkcs12_config, 0, sizeof(pkcs12_config)); - pkcs12_config.cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; - pkcs12_config.enc = EVP_des_ede3_cbc(); - pkcs12_config.iter = PKCS12_DEFAULT_ITER; - pkcs12_config.key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - pkcs12_config.maciter = PKCS12_DEFAULT_ITER; - pkcs12_config.macver = 1; + memset(&cfg, 0, sizeof(cfg)); + cfg.cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + cfg.enc = EVP_des_ede3_cbc(); + cfg.iter = PKCS12_DEFAULT_ITER; + cfg.key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + cfg.maciter = PKCS12_DEFAULT_ITER; + cfg.macver = 1; if (options_parse(argc, argv, pkcs12_options, NULL, NULL) != 0) { pkcs12_usage(); goto end; } - if (pkcs12_config.passarg != NULL) { - if (pkcs12_config.export_cert) - pkcs12_config.passargout = pkcs12_config.passarg; + if (cfg.passarg != NULL) { + if (cfg.export_cert) + cfg.passargout = cfg.passarg; else - pkcs12_config.passargin = pkcs12_config.passarg; + cfg.passargin = cfg.passarg; } - if (!app_passwd(bio_err, pkcs12_config.passargin, - pkcs12_config.passargout, &passin, &passout)) { + if (!app_passwd(bio_err, cfg.passargin, + cfg.passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if (cpass == NULL) { - if (pkcs12_config.export_cert) + if (cfg.export_cert) cpass = passout; else cpass = passin; } if (cpass != NULL) { mpass = cpass; - pkcs12_config.noprompt = 1; + cfg.noprompt = 1; } else { cpass = pass; mpass = macpass; } - if (pkcs12_config.infile == NULL) + if (cfg.infile == NULL) in = BIO_new_fp(stdin, BIO_NOCLOSE); else - in = BIO_new_file(pkcs12_config.infile, "rb"); + in = BIO_new_file(cfg.infile, "rb"); if (in == NULL) { BIO_printf(bio_err, "Error opening input file %s\n", - pkcs12_config.infile ? pkcs12_config.infile : ""); - perror(pkcs12_config.infile); + cfg.infile ? cfg.infile : ""); + perror(cfg.infile); goto end; } - if (pkcs12_config.outfile == NULL) { + if (cfg.outfile == NULL) { out = BIO_new_fp(stdout, BIO_NOCLOSE); } else - out = BIO_new_file(pkcs12_config.outfile, "wb"); + out = BIO_new_file(cfg.outfile, "wb"); if (out == NULL) { BIO_printf(bio_err, "Error opening output file %s\n", - pkcs12_config.outfile ? pkcs12_config.outfile : ""); - perror(pkcs12_config.outfile); + cfg.outfile ? cfg.outfile : ""); + perror(cfg.outfile); goto end; } - if (pkcs12_config.twopass) { + if (cfg.twopass) { if (EVP_read_pw_string(macpass, sizeof macpass, - "Enter MAC Password:", pkcs12_config.export_cert)) { + "Enter MAC Password:", cfg.export_cert)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; } } - if (pkcs12_config.export_cert) { + if (cfg.export_cert) { EVP_PKEY *key = NULL; X509 *ucert = NULL, *x = NULL; STACK_OF(X509) *certs = NULL; @@ -615,25 +615,25 @@ unsigned char *catmp = NULL; int i; - if ((pkcs12_config.options & (NOCERTS | NOKEYS)) == + if ((cfg.options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { BIO_printf(bio_err, "Nothing to do!\n"); goto export_end; } - if (pkcs12_config.options & NOCERTS) - pkcs12_config.chain = 0; + if (cfg.options & NOCERTS) + cfg.chain = 0; - if (!(pkcs12_config.options & NOKEYS)) { - key = load_key(bio_err, pkcs12_config.keyname ? - pkcs12_config.keyname : pkcs12_config.infile, + if (!(cfg.options & NOKEYS)) { + key = load_key(bio_err, cfg.keyname ? + cfg.keyname : cfg.infile, FORMAT_PEM, 1, passin, "private key"); if (!key) goto export_end; } /* Load in all certs in input file */ - if (!(pkcs12_config.options & NOCERTS)) { - certs = load_certs(bio_err, pkcs12_config.infile, + if (!(cfg.options & NOCERTS)) { + certs = load_certs(bio_err, cfg.infile, FORMAT_PEM, NULL, "certificates"); if (certs == NULL) goto export_end; @@ -661,10 +661,10 @@ } /* Add any more certificates asked for */ - if (pkcs12_config.certfile != NULL) { + if (cfg.certfile != NULL) { STACK_OF(X509) *morecerts = NULL; if ((morecerts = load_certs(bio_err, - pkcs12_config.certfile, FORMAT_PEM, NULL, + cfg.certfile, FORMAT_PEM, NULL, "certificates from certfile")) == NULL) goto export_end; while (sk_X509_num(morecerts) > 0) @@ -674,7 +674,7 @@ /* If chaining get chain from user cert */ - if (pkcs12_config.chain) { + if (cfg.chain) { int vret; STACK_OF(X509) *chain2; X509_STORE *store = X509_STORE_new(); @@ -684,7 +684,7 @@ goto export_end; } if (!X509_STORE_load_locations(store, - pkcs12_config.CAfile, pkcs12_config.CApath)) + cfg.CAfile, cfg.CApath)) X509_STORE_set_default_paths(store); vret = get_cert_chain(ucert, store, &chain2); @@ -711,51 +711,51 @@ } /* Add any CA names */ - for (i = 0; i < sk_OPENSSL_STRING_num(pkcs12_config.canames); + for (i = 0; i < sk_OPENSSL_STRING_num(cfg.canames); i++) { catmp = (unsigned char *) sk_OPENSSL_STRING_value( - pkcs12_config.canames, i); + cfg.canames, i); X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } - if (pkcs12_config.csp_name != NULL && key != NULL) + if (cfg.csp_name != NULL && key != NULL) EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, MBSTRING_ASC, - (unsigned char *) pkcs12_config.csp_name, -1); + (unsigned char *) cfg.csp_name, -1); - if (pkcs12_config.add_lmk && key != NULL) + if (cfg.add_lmk && key != NULL) EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); - if (!pkcs12_config.noprompt && + if (!cfg.noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) { BIO_printf(bio_err, "Can't read Password\n"); goto export_end; } - if (!pkcs12_config.twopass) + if (!cfg.twopass) strlcpy(macpass, pass, sizeof macpass); - p12 = PKCS12_create(cpass, pkcs12_config.name, key, ucert, - certs, pkcs12_config.key_pbe, pkcs12_config.cert_pbe, - pkcs12_config.iter, -1, pkcs12_config.keytype); + p12 = PKCS12_create(cpass, cfg.name, key, ucert, + certs, cfg.key_pbe, cfg.cert_pbe, + cfg.iter, -1, cfg.keytype); if (p12 == NULL) { ERR_print_errors(bio_err); goto export_end; } - if (pkcs12_config.macalg != NULL) { - macmd = EVP_get_digestbyname(pkcs12_config.macalg); + if (cfg.macalg != NULL) { + macmd = EVP_get_digestbyname(cfg.macalg); if (macmd == NULL) { BIO_printf(bio_err, "Unknown digest algorithm %s\n", - pkcs12_config.macalg); + cfg.macalg); } } - if (pkcs12_config.maciter != -1) + if (cfg.maciter != -1) PKCS12_set_mac(p12, mpass, -1, NULL, 0, - pkcs12_config.maciter, macmd); + cfg.maciter, macmd); i2d_PKCS12_bio(out, p12); @@ -773,27 +773,27 @@ ERR_print_errors(bio_err); goto end; } - if (!pkcs12_config.noprompt && EVP_read_pw_string(pass, sizeof pass, + if (!cfg.noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; } - if (!pkcs12_config.twopass) + if (!cfg.twopass) strlcpy(macpass, pass, sizeof macpass); - if ((pkcs12_config.options & INFO) != 0 && PKCS12_mac_present(p12)) { + if ((cfg.options & INFO) != 0 && PKCS12_mac_present(p12)) { const ASN1_INTEGER *iter; PKCS12_get0_mac(NULL, NULL, NULL, &iter, p12); BIO_printf(bio_err, "MAC Iteration %ld\n", iter != NULL ? ASN1_INTEGER_get(iter) : 1); } - if (pkcs12_config.macver) { + if (cfg.macver) { /* If we enter empty password try no password first */ if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ - if (!pkcs12_config.twopass) + if (!cfg.twopass) cpass = NULL; } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf(bio_err, @@ -803,7 +803,7 @@ } BIO_printf(bio_err, "MAC verified OK\n"); } - if (!dump_certs_keys_p12(out, p12, cpass, -1, pkcs12_config.options, + if (!dump_certs_keys_p12(out, p12, cpass, -1, cfg.options, passout)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors(bio_err); @@ -814,7 +814,7 @@ PKCS12_free(p12); BIO_free(in); BIO_free_all(out); - sk_OPENSSL_STRING_free(pkcs12_config.canames); + sk_OPENSSL_STRING_free(cfg.canames); free(passin); free(passout); @@ -907,7 +907,7 @@ if ((pkey = EVP_PKCS82PKEY(p8)) == NULL) return 0; print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes"); - PEM_write_bio_PrivateKey(out, pkey, pkcs12_config.enc, NULL, 0, + PEM_write_bio_PrivateKey(out, pkey, cfg.enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; @@ -938,7 +938,7 @@ } print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); - PEM_write_bio_PrivateKey(out, pkey, pkcs12_config.enc, NULL, 0, + PEM_write_bio_PrivateKey(out, pkey, cfg.enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break;