#define BSIZE 256
#define BASE_SECTION "ca"
-#define CONFIG_FILE "openssl.cnf"
#define ENV_DEFAULT_CA "default_ca"
#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
-#ifdef EFENCE
-extern int EF_PROTECT_FREE;
-extern int EF_PROTECT_BELOW;
-extern int EF_ALIGNMENT;
-#endif
-
static void lookup_fail(const char *name, const char *tag);
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
static int check_time_format(const char *str);
char *make_revocation_str(int rev_type, char *rev_arg);
int make_revoked(X509_REVOKED *rev, const char *str);
-int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
+static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str);
static CONF *conf = NULL;
static CONF *extconf = NULL;
STACK_OF(X509) *cert_sk = NULL;
X509_CRL *crl = NULL;
const EVP_MD *dgst = NULL;
- char *configfile = NULL, *md = NULL, *policy = NULL, *keyfile = NULL;
+ char *configfile = default_config_file;
+ char *md = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
char *extensions = NULL, *extfile = NULL, *key = NULL, *passinarg = NULL;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
int i, j, rev_type = REV_NONE, selfsign = 0;
- long crldays = 0, crlhours = 0, crlsec = 0, errorline = -1, days = 0;
+ long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
X509_REVOKED *r = NULL;
OPTION_CHOICE o;
-#ifdef EFENCE
- EF_PROTECT_FREE = 1;
- EF_PROTECT_BELOW = 1;
- EF_ALIGNMENT = 0;
-#endif
-
conf = NULL;
section = NULL;
preserve = 0;
ret = 0;
goto end;
case OPT_IN:
+ req = 1;
infile = opt_arg();
break;
case OPT_OUT:
argc = opt_num_rest();
argv = opt_rest();
- tofree = NULL;
- if (configfile == NULL)
- configfile = getenv("OPENSSL_CONF");
- if (configfile == NULL)
- configfile = getenv("SSLEAY_CONF");
- if (configfile == NULL) {
- const char *s = X509_get_default_cert_area();
- size_t len;
-
-#ifdef OPENSSL_SYS_VMS
- len = strlen(s) + sizeof(CONFIG_FILE);
- tofree = OPENSSL_malloc(len);
- if (!tofree) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
- strcpy(tofree, s);
-#else
- len = strlen(s) + sizeof(CONFIG_FILE) + 1;
- tofree = OPENSSL_malloc(len);
- if (!tofree) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
- BUF_strlcpy(tofree, s, len);
- BUF_strlcat(tofree, "/", len);
-#endif
- BUF_strlcat(tofree, CONFIG_FILE, len);
- configfile = tofree;
- }
-
BIO_printf(bio_err, "Using configuration from %s\n", configfile);
- conf = NCONF_new(NULL);
- if (NCONF_load(conf, configfile, &errorline) <= 0) {
- if (errorline <= 0)
- BIO_printf(bio_err, "error loading the config file '%s'\n",
- configfile);
- else
- BIO_printf(bio_err, "error on line %ld of config file '%s'\n",
- errorline, configfile);
+ if ((conf = app_load_config(configfile)) == NULL)
+ goto end;
+ if (!app_load_modules(conf))
goto end;
- }
- if (tofree) {
- OPENSSL_free(tofree);
- tofree = NULL;
- }
/* Lets get the config section we are using */
if (section == NULL) {
f = NCONF_get_string(conf, section, UTF8_IN);
if (!f)
ERR_clear_error();
- else if (!strcmp(f, "yes"))
+ else if (strcmp(f, "yes") == 0)
chtype = MBSTRING_UTF8;
}
goto end;
}
default_op = 0;
- } else
+ } else {
+ nameopt = XN_FLAG_ONELINE;
ERR_clear_error();
+ }
f = NCONF_get_string(conf, section, ENV_CERTOPT);
#ifndef OPENSSL_SYS_VMS
/*
* outdir is a directory spec, but access() for VMS demands a
- * filename. In any case, stat(), below, will catch the problem if
- * outdir is not a directory spec, and the fopen() or open() will
- * catch an error if there is no write access.
- *
- * Presumably, this problem could also be solved by using the DEC C
- * routines to convert the directory syntax to Unixly, and give that
- * to access(). However, time's too short to do that just now.
+ * filename. We could use the DEC C routine to convert the
+ * directory syntax to Unixly, and give that to app_isdir,
+ * but for now the fopen will catch the error if it's not a
+ * directory
*/
- if (app_access(outdir, R_OK | W_OK | X_OK) != 0)
- {
- BIO_printf(bio_err, "I am unable to access the %s directory\n",
- outdir);
- perror(outdir);
- goto end;
- }
-
if (app_isdir(outdir) <= 0) {
- BIO_printf(bio_err, "%s need to be a directory\n", outdir);
+ BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir);
perror(outdir);
goto end;
}
i + 1, j);
goto end;
}
- while (*p) {
- if (!(((*p >= '0') && (*p <= '9')) ||
- ((*p >= 'A') && (*p <= 'F')) ||
- ((*p >= 'a') && (*p <= 'f')))) {
+ for ( ; *p; p++) {
+ if (!isxdigit(*p)) {
BIO_printf(bio_err,
- "entry %d: bad serial number characters, char pos %ld, char is '%c'\n",
- i + 1, (long)(p - pp[DB_serial]), *p);
+ "entry %d: bad char 0%o '%c' in serial number\n",
+ i + 1, *p, *p);
goto end;
}
- p++;
}
}
if (verbose) {
}
}
- /*****************************************************************/
+ /*****************************************************************/
/* Read extensions config file */
if (extfile) {
- extconf = NCONF_new(NULL);
- if (NCONF_load(extconf, extfile, &errorline) <= 0) {
- if (errorline <= 0)
- BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
- extfile);
- else
- BIO_printf(bio_err,
- "ERROR: on line %ld of config file '%s'\n",
- errorline, extfile);
+ if ((extconf = app_load_config(extfile)) == NULL) {
ret = 1;
goto end;
}
goto end;
}
- if (!strcmp(md, "default")) {
+ if (strcmp(md, "default") == 0) {
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
BIO_puts(bio_err, "no default digest\n");
if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
goto end;
- if (crlnumber) {
- BN_free(crlnumber);
- crlnumber = NULL;
- }
+ BN_free(crlnumber);
+ crlnumber = NULL;
if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts))
goto end;
/*****************************************************************/
ret = 0;
end:
- if (tofree)
- OPENSSL_free(tofree);
+ OPENSSL_free(tofree);
BIO_free_all(Cout);
BIO_free_all(Sout);
BIO_free_all(out);
BIO_free_all(in);
-
- if (cert_sk)
- sk_X509_pop_free(cert_sk, X509_free);
+ sk_X509_pop_free(cert_sk, X509_free);
if (ret)
ERR_print_errors(bio_err);
app_RAND_write_file(randfile);
- if (free_key && key)
+ if (free_key)
OPENSSL_free(key);
BN_free(serial);
BN_free(crlnumber);
free_index(db);
- if (sigopts)
- sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(sigopts);
EVP_PKEY_free(pkey);
- if (x509)
- X509_free(x509);
+ X509_free(x509);
X509_CRL_free(crl);
NCONF_free(conf);
NCONF_free(extconf);
ext_copy, selfsign);
end:
- if (req != NULL)
- X509_REQ_free(req);
+ X509_REQ_free(req);
BIO_free(in);
return (ok);
}
ext_copy, 0);
end:
- if (rreq != NULL)
- X509_REQ_free(rreq);
- if (req != NULL)
- X509_free(req);
+ X509_REQ_free(rreq);
+ X509_free(req);
return (ok);
}
}
if (default_op)
- old_entry_print(bio_err, obj, str);
+ old_entry_print(obj, str);
}
/* Ok, now we check the 'policy' stuff. */
if (push != NULL) {
if (!X509_NAME_add_entry(subject, push, -1, 0)) {
- if (push != NULL)
- X509_NAME_ENTRY_free(push);
+ X509_NAME_ENTRY_free(push);
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
* Its best to dup the subject DN and then delete any email addresses
* because this retains its structure.
*/
- if (!(dn_subject = X509_NAME_dup(subject))) {
+ if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
/*
* Free the current entries if any, there should not be any I believe
*/
- if (ci->extensions != NULL)
- sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
+ sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
ci->extensions = NULL;
goto end;
/* We now just add it to the database */
- row[DB_type] = (char *)OPENSSL_malloc(2);
+ row[DB_type] = app_malloc(2, "row db type");
tm = X509_get_notAfter(ret);
- row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+ row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
/* row[DB_serial] done already */
- row[DB_file] = (char *)OPENSSL_malloc(8);
+ row[DB_file] = app_malloc(8, "row file");
row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
row[DB_type][0] = 'V';
row[DB_type][1] = '\0';
- if ((irow =
- (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
-
+ irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
for (i = 0; i < DB_NUMBER; i++) {
irow[i] = row[i];
row[i] = NULL;
ok = 1;
end:
for (i = 0; i < DB_NUMBER; i++)
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
- if (CAname != NULL)
- X509_NAME_free(CAname);
- if (subject != NULL)
- X509_NAME_free(subject);
- if ((dn_subject != NULL) && !email_dn)
+ X509_NAME_free(CAname);
+ X509_NAME_free(subject);
+ if (dn_subject != subject)
X509_NAME_free(dn_subject);
- if (tmptm != NULL)
- ASN1_UTCTIME_free(tmptm);
- if (ok <= 0) {
- if (ret != NULL)
- X509_free(ret);
- ret = NULL;
- } else
+ ASN1_UTCTIME_free(tmptm);
+ if (ok <= 0)
+ X509_free(ret);
+ else
*xret = ret;
return (ok);
}
verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
ext_copy, 0);
end:
- if (req != NULL)
- X509_REQ_free(req);
- if (parms != NULL)
- CONF_free(parms);
- if (spki != NULL)
- NETSCAPE_SPKI_free(spki);
- if (ne != NULL)
- X509_NAME_ENTRY_free(ne);
+ X509_REQ_free(req);
+ CONF_free(parms);
+ NETSCAPE_SPKI_free(spki);
+ X509_NAME_ENTRY_free(ne);
return (ok);
}
row[DB_serial], row[DB_name]);
/* We now just add it to the database */
- row[DB_type] = (char *)OPENSSL_malloc(2);
+ row[DB_type] = app_malloc(2, "row type");
tm = X509_get_notAfter(x509);
- row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+ row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
/* row[DB_serial] done already */
- row[DB_file] = (char *)OPENSSL_malloc(8);
+ row[DB_file] = app_malloc(8, "row filename");
/* row[DB_name] done already */
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
- (row[DB_file] == NULL)) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
BUF_strlcpy(row[DB_file], "unknown", 8);
row[DB_type][0] = 'V';
row[DB_type][1] = '\0';
- if ((irow =
- (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) ==
- NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
-
+ irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr");
for (i = 0; i < DB_NUMBER; i++) {
irow[i] = row[i];
row[i] = NULL;
ok = 1;
end:
for (i = 0; i < DB_NUMBER; i++) {
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
}
return (ok);
}
row[i] = NULL;
/* Malloc needed char spaces */
- row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
- if (row[DB_serial] == NULL) {
- BIO_printf(bio_err, "Malloc failure\n");
- goto end;
- }
+ row[DB_serial] = app_malloc(strlen(serial) + 2, "row serial#");
if (strlen(serial) % 2) {
/*
}
end:
for (i = 0; i < DB_NUMBER; i++) {
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
}
return (ok);
}
/* get actual time and make a string */
a_tm = X509_gmtime_adj(a_tm, 0);
a_tm_s = (char *)OPENSSL_malloc(a_tm->length + 1);
- if (a_tm_s == NULL) {
- cnt = -1;
- goto end;
- }
memcpy(a_tm_s, a_tm->data, a_tm->length);
a_tm_s[a_tm->length] = '\0';
}
}
- end:
-
ASN1_UTCTIME_free(a_tm);
OPENSSL_free(a_tm_s);
-
return (cnt);
}
"CAkeyTime"
};
-#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
+#define NUM_REASONS OSSL_NELEM(crl_reasons)
/*
* Given revocation information convert to a DB string. The format of the
case REV_CRL_REASON:
for (i = 0; i < 8; i++) {
- if (!strcasecmp(rev_arg, crl_reasons[i])) {
+ if (strcasecmp(rev_arg, crl_reasons[i]) == 0) {
reason = crl_reasons[i];
break;
}
if (other)
i += strlen(other) + 1;
- str = OPENSSL_malloc(i);
-
- if (!str)
- return NULL;
-
+ str = app_malloc(i, "revocation reason");
BUF_strlcpy(str, (char *)revtm->data, i);
if (reason) {
BUF_strlcat(str, ",", i);
end:
- if (tmp)
- OPENSSL_free(tmp);
+ OPENSSL_free(tmp);
ASN1_OBJECT_free(hold);
ASN1_GENERALIZEDTIME_free(comp_time);
ASN1_ENUMERATED_free(rtmp);
return ret;
}
-int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
+static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str)
{
char buf[25], *pbuf, *p;
int j;
- j = i2a_ASN1_OBJECT(bp, obj);
+ j = i2a_ASN1_OBJECT(bio_err, obj);
pbuf = buf;
for (j = 22 - j; j > 0; j--)
*(pbuf++) = ' ';
*(pbuf++) = ':';
*(pbuf++) = '\0';
- BIO_puts(bp, buf);
+ BIO_puts(bio_err, buf);
if (str->type == V_ASN1_PRINTABLESTRING)
- BIO_printf(bp, "PRINTABLE:'");
+ BIO_printf(bio_err, "PRINTABLE:'");
else if (str->type == V_ASN1_T61STRING)
- BIO_printf(bp, "T61STRING:'");
+ BIO_printf(bio_err, "T61STRING:'");
else if (str->type == V_ASN1_IA5STRING)
- BIO_printf(bp, "IA5STRING:'");
+ BIO_printf(bio_err, "IA5STRING:'");
else if (str->type == V_ASN1_UNIVERSALSTRING)
- BIO_printf(bp, "UNIVERSALSTRING:'");
+ BIO_printf(bio_err, "UNIVERSALSTRING:'");
else
- BIO_printf(bp, "ASN.1 %2d:'", str->type);
+ BIO_printf(bio_err, "ASN.1 %2d:'", str->type);
p = (char *)str->data;
for (j = str->length; j > 0; j--) {
if ((*p >= ' ') && (*p <= '~'))
- BIO_printf(bp, "%c", *p);
+ BIO_printf(bio_err, "%c", *p);
else if (*p & 0x80)
- BIO_printf(bp, "\\0x%02X", *p);
+ BIO_printf(bio_err, "\\0x%02X", *p);
else if ((unsigned char)*p == 0xf7)
- BIO_printf(bp, "^?");
+ BIO_printf(bio_err, "^?");
else
- BIO_printf(bp, "^%c", *p + '@');
+ BIO_printf(bio_err, "^%c", *p + '@');
p++;
}
- BIO_printf(bp, "'\n");
+ BIO_printf(bio_err, "'\n");
return 1;
}
}
if (reason_str) {
for (i = 0; i < NUM_REASONS; i++) {
- if (!strcasecmp(reason_str, crl_reasons[i])) {
+ if (strcasecmp(reason_str, crl_reasons[i]) == 0) {
reason_code = i;
break;
}
}
if (phold)
*phold = hold;
+ else
+ ASN1_OBJECT_free(hold);
} else if ((reason_code == 9) || (reason_code == 10)) {
if (!arg_str) {
BIO_printf(bio_err, "missing compromised time\n");
if (preason)
*preason = reason_code;
- if (pinvtm)
+ if (pinvtm) {
*pinvtm = comp_time;
- else
- ASN1_GENERALIZEDTIME_free(comp_time);
+ comp_time = NULL;
+ }
ret = 1;
end:
- if (tmp)
- OPENSSL_free(tmp);
- if (!phold)
- ASN1_OBJECT_free(hold);
- if (!pinvtm)
- ASN1_GENERALIZEDTIME_free(comp_time);
+ OPENSSL_free(tmp);
+ ASN1_GENERALIZEDTIME_free(comp_time);
return ret;
}