X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fca.c;h=716df02fac998448ba7f426ad09e050273fcd231;hp=9c9641725802ee23cc8098b6a2f2e1d5364488cb;hb=9a13bb387d0e50a5dcb4f4324572687aea63b541;hpb=2fa45e6ee722078bc55311c66bdba1ca2fc69c28 diff --git a/apps/ca.c b/apps/ca.c index 9c96417258..716df02fac 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -98,25 +98,18 @@ #undef BSIZE #define BSIZE 256 -#define BASE_SECTION "ca" -#define CONFIG_FILE "openssl.cnf" +#define BASE_SECTION "ca" #define ENV_DEFAULT_CA "default_ca" -#define STRING_MASK "string_mask" +#define STRING_MASK "string_mask" #define UTF8_IN "utf8" -#define ENV_DIR "dir" -#define ENV_CERTS "certs" -#define ENV_CRL_DIR "crl_dir" -#define ENV_CA_DB "CA_DB" #define ENV_NEW_CERTS_DIR "new_certs_dir" -#define ENV_CERTIFICATE "certificate" +#define ENV_CERTIFICATE "certificate" #define ENV_SERIAL "serial" #define ENV_CRLNUMBER "crlnumber" -#define ENV_CRL "crl" #define ENV_PRIVATE_KEY "private_key" -#define ENV_RANDFILE "RANDFILE" #define ENV_DEFAULT_DAYS "default_days" #define ENV_DEFAULT_STARTDATE "default_startdate" #define ENV_DEFAULT_ENDDATE "default_enddate" @@ -216,7 +209,8 @@ OPTIONS ca_options[] = { {"name", OPT_NAME, 's', "The particular CA definition to use"}, {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, - {"create_serial", OPT_CREATE_SERIAL, '-'}, + {"create_serial", OPT_CREATE_SERIAL, '-', + "If reading serial fails, create a new random serial"}, {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Enable support for multivalued RDNs"}, {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, @@ -225,7 +219,7 @@ OPTIONS ca_options[] = { {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, - {"keyfile", OPT_KEYFILE, '<', "Private key file"}, + {"keyfile", OPT_KEYFILE, 's', "Private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, {"passin", OPT_PASSIN, 's'}, {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, @@ -260,10 +254,13 @@ OPTIONS ca_options[] = { {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, {"crlexts", OPT_CRLEXTS, 's', "CRL extension section (override value in config file)"}, - {"crl_reason", OPT_CRL_REASON, 's'}, - {"crl_hold", OPT_CRL_HOLD, 's'}, - {"crl_compromise", OPT_CRL_COMPROMISE, 's'}, - {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'}, + {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"}, + {"crl_hold", OPT_CRL_HOLD, 's', + "the hold instruction, an OID. Sets revocation reason to certificateHold"}, + {"crl_compromise", OPT_CRL_COMPROMISE, 's', + "sets compromise time to val and the revocation reason to keyCompromise"}, + {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', + "sets compromise time to val and the revocation reason to CACompromise"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -285,7 +282,8 @@ int ca_main(int argc, char **argv) STACK_OF(X509) *cert_sk = NULL; X509_CRL *crl = NULL; const EVP_MD *dgst = NULL; - char *configfile = NULL, *md = NULL, *policy = NULL, *keyfile = NULL; + char *configfile = default_config_file; + char *md = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; char *extensions = NULL, *extfile = NULL, *key = NULL, *passinarg = NULL; @@ -301,7 +299,7 @@ int ca_main(int argc, char **argv) int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; int i, j, rev_type = REV_NONE, selfsign = 0; - long crldays = 0, crlhours = 0, crlsec = 0, errorline = -1, days = 0; + long crldays = 0, crlhours = 0, crlsec = 0, days = 0; unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0; X509 *x509 = NULL, *x509p = NULL, *x = NULL; X509_REVOKED *r = NULL; @@ -325,6 +323,7 @@ opthelp: ret = 0; goto end; case OPT_IN: + req = 1; infile = opt_arg(); break; case OPT_OUT: @@ -482,51 +481,13 @@ end_of_options: argc = opt_num_rest(); argv = opt_rest(); - tofree = NULL; - if (configfile == NULL) - configfile = getenv("OPENSSL_CONF"); - if (configfile == NULL) - configfile = getenv("SSLEAY_CONF"); - if (configfile == NULL) { - const char *s = X509_get_default_cert_area(); - size_t len; - -#ifdef OPENSSL_SYS_VMS - len = strlen(s) + sizeof(CONFIG_FILE); - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); + BIO_printf(bio_err, "Using configuration from %s\n", configfile); + /* We already loaded the default config file */ + if (configfile != default_config_file) { + if ((conf = app_load_config(configfile)) == NULL) goto end; - } - strcpy(tofree, s); -#else - len = strlen(s) + sizeof(CONFIG_FILE) + 1; - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); + if (!app_load_modules(conf)) goto end; - } - BUF_strlcpy(tofree, s, len); - BUF_strlcat(tofree, "/", len); -#endif - BUF_strlcat(tofree, CONFIG_FILE, len); - configfile = tofree; - } - - BIO_printf(bio_err, "Using configuration from %s\n", configfile); - conf = NCONF_new(NULL); - if (NCONF_load(conf, configfile, &errorline) <= 0) { - if (errorline <= 0) - BIO_printf(bio_err, "error loading the config file '%s'\n", - configfile); - else - BIO_printf(bio_err, "error on line %ld of config file '%s'\n", - errorline, configfile); - goto end; - } - if (tofree) { - OPENSSL_free(tofree); - tofree = NULL; } /* Lets get the config section we are using */ @@ -581,7 +542,7 @@ end_of_options: f = NCONF_get_string(conf, section, UTF8_IN); if (!f) ERR_clear_error(); - else if (!strcmp(f, "yes")) + else if (strcmp(f, "yes") == 0) chtype = MBSTRING_UTF8; } @@ -678,8 +639,10 @@ end_of_options: goto end; } default_op = 0; - } else + } else { + nameopt = XN_FLAG_ONELINE; ERR_clear_error(); + } f = NCONF_get_string(conf, section, ENV_CERTOPT); @@ -715,24 +678,13 @@ end_of_options: #ifndef OPENSSL_SYS_VMS /* * outdir is a directory spec, but access() for VMS demands a - * filename. In any case, stat(), below, will catch the problem if - * outdir is not a directory spec, and the fopen() or open() will - * catch an error if there is no write access. - * - * Presumably, this problem could also be solved by using the DEC C - * routines to convert the directory syntax to Unixly, and give that - * to access(). However, time's too short to do that just now. + * filename. We could use the DEC C routine to convert the + * directory syntax to Unixly, and give that to app_isdir, + * but for now the fopen will catch the error if it's not a + * directory */ - if (app_access(outdir, R_OK | W_OK | X_OK) != 0) - { - BIO_printf(bio_err, "I am unable to access the %s directory\n", - outdir); - perror(outdir); - goto end; - } - if (app_isdir(outdir) <= 0) { - BIO_printf(bio_err, "%s need to be a directory\n", outdir); + BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir); perror(outdir); goto end; } @@ -779,7 +731,7 @@ end_of_options: goto end; } for ( ; *p; p++) { - if (!isxdigit(*p)) { + if (!isxdigit(_UC(*p))) { BIO_printf(bio_err, "entry %d: bad char 0%o '%c' in serial number\n", i + 1, *p, *p); @@ -823,18 +775,10 @@ end_of_options: } } - /*****************************************************************/ + /*****************************************************************/ /* Read extensions config file */ if (extfile) { - extconf = NCONF_new(NULL); - if (NCONF_load(extconf, extfile, &errorline) <= 0) { - if (errorline <= 0) - BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", - extfile); - else - BIO_printf(bio_err, - "ERROR: on line %ld of config file '%s'\n", - errorline, extfile); + if ((extconf = app_load_config(extfile)) == NULL) { ret = 1; goto end; } @@ -850,9 +794,10 @@ end_of_options: extensions = "default"; } - /*****************************************************************/ + /*****************************************************************/ if (req || gencrl) { - Sout = bio_open_default(outfile, "w"); + /* FIXME: Is it really always text? */ + Sout = bio_open_default(outfile, 'w', FORMAT_TEXT); if (Sout == NULL) goto end; } @@ -864,7 +809,7 @@ end_of_options: goto end; } - if (!strcmp(md, "default")) { + if (strcmp(md, "default") == 0) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err, "no default digest\n"); @@ -887,7 +832,7 @@ end_of_options: } if (verbose) BIO_printf(bio_err, "message digest is %s\n", - OBJ_nid2ln(dgst->type)); + OBJ_nid2ln(EVP_MD_type(dgst))); if ((policy == NULL) && ((policy = NCONF_get_string(conf, section, ENV_POLICY)) == @@ -1109,13 +1054,14 @@ end_of_options: if (verbose) BIO_printf(bio_err, "writing new certificates\n"); for (i = 0; i < sk_X509_num(cert_sk); i++) { + ASN1_INTEGER *serialNumber = X509_get_serialNumber(x); int k; char *n; x = sk_X509_value(cert_sk, i); - j = x->cert_info->serialNumber->length; - p = (const char *)x->cert_info->serialNumber->data; + j = ASN1_STRING_length(serialNumber); + p = (const char *)ASN1_STRING_data(serialNumber); if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) { BIO_printf(bio_err, "certificate file name too long\n"); @@ -1125,7 +1071,7 @@ end_of_options: strcpy(buf[2], outdir); #ifndef OPENSSL_SYS_VMS - BUF_strlcat(buf[2], "/", sizeof(buf[2])); + OPENSSL_strlcat(buf[2], "/", sizeof(buf[2])); #endif n = (char *)&(buf[2][strlen(buf[2])]); @@ -1223,7 +1169,7 @@ end_of_options: goto end; tmptm = ASN1_TIME_new(); - if (!tmptm) + if (tmptm == NULL) goto end; X509_gmtime_adj(tmptm, 0); X509_CRL_set_lastUpdate(crl, tmptm); @@ -1299,10 +1245,8 @@ end_of_options: if (!save_serial(crlnumberfile, "new", crlnumber, NULL)) goto end; - if (crlnumber) { - BN_free(crlnumber); - crlnumber = NULL; - } + BN_free(crlnumber); + crlnumber = NULL; if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) goto end; @@ -1343,29 +1287,24 @@ end_of_options: /*****************************************************************/ ret = 0; end: - if (tofree) - OPENSSL_free(tofree); + OPENSSL_free(tofree); BIO_free_all(Cout); BIO_free_all(Sout); BIO_free_all(out); BIO_free_all(in); - - if (cert_sk) - sk_X509_pop_free(cert_sk, X509_free); + sk_X509_pop_free(cert_sk, X509_free); if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile); - if (free_key && key) + if (free_key) OPENSSL_free(key); BN_free(serial); BN_free(crlnumber); free_index(db); - if (sigopts) - sk_OPENSSL_STRING_free(sigopts); + sk_OPENSSL_STRING_free(sigopts); EVP_PKEY_free(pkey); - if (x509) - X509_free(x509); + X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); @@ -1440,8 +1379,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ext_copy, selfsign); end: - if (req != NULL) - X509_REQ_free(req); + X509_REQ_free(req); BIO_free(in); return (ok); } @@ -1468,12 +1406,11 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "Check that the request matches the signature\n"); - if ((pktmp = X509_get_pubkey(req)) == NULL) { + if ((pktmp = X509_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto end; } i = X509_verify(req, pktmp); - EVP_PKEY_free(pktmp); if (i < 0) { ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); @@ -1486,7 +1423,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, } else BIO_printf(bio_err, "Signature ok\n"); - if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) + if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) goto end; ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, @@ -1495,10 +1432,8 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ext_copy, 0); end: - if (rreq != NULL) - X509_REQ_free(rreq); - if (req != NULL) - X509_free(req); + X509_REQ_free(rreq); + X509_free(req); return (ok); } @@ -1517,7 +1452,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, ASN1_STRING *str, *str2; ASN1_OBJECT *obj; X509 *ret = NULL; - X509_CINF *ci; X509_NAME_ENTRY *ne; X509_NAME_ENTRY *tne, *push; EVP_PKEY *pktmp; @@ -1546,7 +1480,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } X509_REQ_set_subject_name(req, n); - req->req_info->enc.modified = 1; X509_NAME_free(n); } @@ -1614,7 +1547,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (selfsign) CAname = X509_NAME_dup(name); else - CAname = X509_NAME_dup(x509->cert_info->subject); + CAname = X509_NAME_dup(X509_get_subject_name(x509)); if (CAname == NULL) goto end; str = str2 = NULL; @@ -1700,8 +1633,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (push != NULL) { if (!X509_NAME_add_entry(subject, push, -1, 0)) { - if (push != NULL) - X509_NAME_ENTRY_free(push); + X509_NAME_ENTRY_free(push); BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } @@ -1737,7 +1669,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, * Its best to dup the subject DN and then delete any email addresses * because this retains its structure. */ - if (!(dn_subject = X509_NAME_dup(subject))) { + if ((dn_subject = X509_NAME_dup(subject)) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } @@ -1751,7 +1683,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } if (BN_is_zero(serial)) - row[DB_serial] = BUF_strdup("00"); + row[DB_serial] = OPENSSL_strdup("00"); else row[DB_serial] = BN_bn2hex(serial); if (row[DB_serial] == NULL) { @@ -1824,7 +1756,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((ret = X509_new()) == NULL) goto end; - ci = ret->cert_info; #ifdef X509_V3 /* Make it an X509 v3 certificate. */ @@ -1832,7 +1763,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; #endif - if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL) + if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) goto end; if (selfsign) { if (!X509_set_issuer_name(ret, subject)) @@ -1868,18 +1799,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; - if (ci->version == NULL) - if ((ci->version = ASN1_INTEGER_new()) == NULL) - goto end; - ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */ - - /* - * Free the current entries if any, there should not be any I believe - */ - if (ci->extensions != NULL) - sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); - - ci->extensions = NULL; + X509_set_version(ret, 2); /* Initialize the context structure */ if (selfsign) @@ -1973,27 +1893,22 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } } - pktmp = X509_get_pubkey(ret); + pktmp = X509_get0_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); if (!do_X509_sign(ret, pkey, dgst, sigopts)) goto end; /* We now just add it to the database */ - row[DB_type] = OPENSSL_malloc(2); - + row[DB_type] = OPENSSL_strdup("V"); tm = X509_get_notAfter(ret); - row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; - row[DB_rev_date] = NULL; - - /* row[DB_serial] done already */ - row[DB_file] = OPENSSL_malloc(8); + row[DB_file] = OPENSSL_strdup("unknown"); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || @@ -2001,15 +1916,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } - BUF_strlcpy(row[DB_file], "unknown", 8); - row[DB_type][0] = 'V'; - row[DB_type][1] = '\0'; - - if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } + irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space"); for (i = 0; i < DB_NUMBER; i++) { irow[i] = row[i]; row[i] = NULL; @@ -2024,22 +1932,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, ok = 1; end: for (i = 0; i < DB_NUMBER; i++) - if (row[i] != NULL) - OPENSSL_free(row[i]); + OPENSSL_free(row[i]); - if (CAname != NULL) - X509_NAME_free(CAname); - if (subject != NULL) - X509_NAME_free(subject); - if ((dn_subject != NULL) && !email_dn) + X509_NAME_free(CAname); + X509_NAME_free(subject); + if (dn_subject != subject) X509_NAME_free(dn_subject); - if (tmptm != NULL) - ASN1_UTCTIME_free(tmptm); - if (ok <= 0) { - if (ret != NULL) - X509_free(ret); - ret = NULL; - } else + ASN1_UTCTIME_free(tmptm); + if (ok <= 0) + X509_free(ret); + else *xret = ret; return (ok); } @@ -2072,7 +1974,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509_REQ *req = NULL; CONF_VALUE *cv = NULL; NETSCAPE_SPKI *spki = NULL; - X509_REQ_INFO *ri; char *type, *buf; EVP_PKEY *pktmp = NULL; X509_NAME *n = NULL; @@ -2116,8 +2017,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, /* * Build up the subject name set. */ - ri = req->req_info; - n = ri->subject; + n = X509_REQ_get_subject_name(req); for (i = 0;; i++) { if (sk_CONF_VALUE_num(sk) <= i) @@ -2187,14 +2087,10 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); end: - if (req != NULL) - X509_REQ_free(req); - if (parms != NULL) - CONF_free(parms); - if (spki != NULL) - NETSCAPE_SPKI_free(spki); - if (ne != NULL) - X509_NAME_ENTRY_free(ne); + X509_REQ_free(req); + CONF_free(parms); + NETSCAPE_SPKI_free(spki); + X509_NAME_ENTRY_free(ne); return (ok); } @@ -2219,7 +2115,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) if (!bn) goto end; if (BN_is_zero(bn)) - row[DB_serial] = BUF_strdup("00"); + row[DB_serial] = OPENSSL_strdup("00"); else row[DB_serial] = BN_bn2hex(bn); BN_free(bn); @@ -2238,34 +2134,15 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[DB_serial], row[DB_name]); /* We now just add it to the database */ - row[DB_type] = OPENSSL_malloc(2); - + row[DB_type] = OPENSSL_strdup("V"); tm = X509_get_notAfter(x509); - row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; - row[DB_rev_date] = NULL; + row[DB_file] = OPENSSL_strdup("unknown"); - /* row[DB_serial] done already */ - row[DB_file] = OPENSSL_malloc(8); - - /* row[DB_name] done already */ - - if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || - (row[DB_file] == NULL)) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - BUF_strlcpy(row[DB_file], "unknown", 8); - row[DB_type][0] = 'V'; - row[DB_type][1] = '\0'; - - if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - + irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr"); for (i = 0; i < DB_NUMBER; i++) { irow[i] = row[i]; row[i] = NULL; @@ -2311,8 +2188,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) ok = 1; end: for (i = 0; i < DB_NUMBER; i++) { - if (row[i] != NULL) - OPENSSL_free(row[i]); + OPENSSL_free(row[i]); } return (ok); } @@ -2327,11 +2203,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) row[i] = NULL; /* Malloc needed char spaces */ - row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2); - if (row[DB_serial] == NULL) { - BIO_printf(bio_err, "Malloc failure\n"); - goto end; - } + row[DB_serial] = app_malloc(strlen(serial) + 2, "row serial#"); if (strlen(serial) % 2) { /* @@ -2383,8 +2255,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) } end: for (i = 0; i < DB_NUMBER; i++) { - if (row[i] != NULL) - OPENSSL_free(row[i]); + OPENSSL_free(row[i]); } return (ok); } @@ -2397,14 +2268,12 @@ static int do_updatedb(CA_DB *db) char **rrow, *a_tm_s; a_tm = ASN1_UTCTIME_new(); + if (a_tm == NULL) + return -1; /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); - a_tm_s = OPENSSL_malloc(a_tm->length + 1); - if (a_tm_s == NULL) { - cnt = -1; - goto end; - } + a_tm_s = (char *)app_malloc(a_tm->length + 1, "time string"); memcpy(a_tm_s, a_tm->data, a_tm->length); a_tm_s[a_tm->length] = '\0'; @@ -2444,11 +2313,8 @@ static int do_updatedb(CA_DB *db) } } - end: - ASN1_UTCTIME_free(a_tm); OPENSSL_free(a_tm_s); - return (cnt); } @@ -2468,7 +2334,7 @@ static const char *crl_reasons[] = { "CAkeyTime" }; -#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *)) +#define NUM_REASONS OSSL_NELEM(crl_reasons) /* * Given revocation information convert to a DB string. The format of the @@ -2490,7 +2356,7 @@ char *make_revocation_str(int rev_type, char *rev_arg) case REV_CRL_REASON: for (i = 0; i < 8; i++) { - if (!strcasecmp(rev_arg, crl_reasons[i])) { + if (strcasecmp(rev_arg, crl_reasons[i]) == 0) { reason = crl_reasons[i]; break; } @@ -2548,19 +2414,15 @@ char *make_revocation_str(int rev_type, char *rev_arg) if (other) i += strlen(other) + 1; - str = OPENSSL_malloc(i); - - if (!str) - return NULL; - - BUF_strlcpy(str, (char *)revtm->data, i); + str = app_malloc(i, "revocation reason"); + OPENSSL_strlcpy(str, (char *)revtm->data, i); if (reason) { - BUF_strlcat(str, ",", i); - BUF_strlcat(str, reason, i); + OPENSSL_strlcat(str, ",", i); + OPENSSL_strlcat(str, reason, i); } if (other) { - BUF_strlcat(str, ",", i); - BUF_strlcat(str, other, i); + OPENSSL_strlcat(str, ",", i); + OPENSSL_strlcat(str, other, i); } ASN1_UTCTIME_free(revtm); return str; @@ -2595,7 +2457,7 @@ int make_revoked(X509_REVOKED *rev, const char *str) if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); - if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) + if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto end; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto end; @@ -2619,8 +2481,7 @@ int make_revoked(X509_REVOKED *rev, const char *str) end: - if (tmp) - OPENSSL_free(tmp); + OPENSSL_free(tmp); ASN1_OBJECT_free(hold); ASN1_GENERALIZEDTIME_free(comp_time); ASN1_ENUMERATED_free(rtmp); @@ -2679,7 +2540,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_OBJECT *hold = NULL; ASN1_GENERALIZEDTIME *comp_time = NULL; - tmp = BUF_strdup(str); + tmp = OPENSSL_strdup(str); if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto end; @@ -2702,7 +2563,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if (!*prevtm) { + if (*prevtm == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto end; } @@ -2713,7 +2574,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, } if (reason_str) { for (i = 0; i < NUM_REASONS; i++) { - if (!strcasecmp(reason_str, crl_reasons[i])) { + if (strcasecmp(reason_str, crl_reasons[i]) == 0) { reason_code = i; break; } @@ -2740,13 +2601,15 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, } if (phold) *phold = hold; + else + ASN1_OBJECT_free(hold); } else if ((reason_code == 9) || (reason_code == 10)) { if (!arg_str) { BIO_printf(bio_err, "missing compromised time\n"); goto end; } comp_time = ASN1_GENERALIZEDTIME_new(); - if (!comp_time) { + if (comp_time == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto end; } @@ -2763,21 +2626,17 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (preason) *preason = reason_code; - if (pinvtm) + if (pinvtm) { *pinvtm = comp_time; - else - ASN1_GENERALIZEDTIME_free(comp_time); + comp_time = NULL; + } ret = 1; end: - if (tmp) - OPENSSL_free(tmp); - if (!phold) - ASN1_OBJECT_free(hold); - if (!pinvtm) - ASN1_GENERALIZEDTIME_free(comp_time); + OPENSSL_free(tmp); + ASN1_GENERALIZEDTIME_free(comp_time); return ret; }