diff options
Diffstat (limited to 'crypto/openssl/apps')
| -rwxr-xr-x | crypto/openssl/apps/CA.pl | 2 | ||||
| -rw-r--r-- | crypto/openssl/apps/Makefile.ssl | 2 | ||||
| -rw-r--r-- | crypto/openssl/apps/apps.c | 563 | ||||
| -rw-r--r-- | crypto/openssl/apps/apps.h | 33 | ||||
| -rw-r--r-- | crypto/openssl/apps/asn1pars.c | 10 | ||||
| -rw-r--r-- | crypto/openssl/apps/ca.c | 549 | ||||
| -rw-r--r-- | crypto/openssl/apps/der_chop | 2 | ||||
| -rw-r--r-- | crypto/openssl/apps/dgst.c | 5 | ||||
| -rw-r--r-- | crypto/openssl/apps/enc.c | 6 | ||||
| -rw-r--r-- | crypto/openssl/apps/engine.c | 4 | ||||
| -rw-r--r-- | crypto/openssl/apps/ocsp.c | 46 | ||||
| -rw-r--r-- | crypto/openssl/apps/openssl.cnf | 5 | ||||
| -rw-r--r-- | crypto/openssl/apps/pkcs12.c | 4 | ||||
| -rw-r--r-- | crypto/openssl/apps/pkcs7.c | 3 | ||||
| -rw-r--r-- | crypto/openssl/apps/req.c | 42 | ||||
| -rw-r--r-- | crypto/openssl/apps/rsautl.c | 12 | ||||
| -rw-r--r-- | crypto/openssl/apps/s_socket.c | 2 | ||||
| -rw-r--r-- | crypto/openssl/apps/s_time.c | 6 | ||||
| -rw-r--r-- | crypto/openssl/apps/speed.c | 7 | ||||
| -rw-r--r-- | crypto/openssl/apps/x509.c | 86 |
20 files changed, 833 insertions, 556 deletions
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index 669a016..8b2ce7e 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 90e71de..7068286 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -121,7 +121,7 @@ tags: tests: links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index 007e3e0..93a665e 100644 --- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -501,7 +501,7 @@ static int ui_read(UI *ui, UI_STRING *uis) { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') { UI_set_result(ui, uis, password); return 1; @@ -525,7 +525,7 @@ static int ui_write(UI *ui, UI_STRING *uis) { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') return 1; } default: @@ -1411,14 +1411,565 @@ int load_config(BIO *err, CONF *cnf) char *make_config_name() { const char *t=X509_get_default_cert_area(); + size_t len; char *p; - p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2); - strcpy(p,t); + len=strlen(t)+strlen(OPENSSL_CONF)+2; + p=OPENSSL_malloc(len); + BUF_strlcpy(p,t,len); #ifndef OPENSSL_SYS_VMS - strcat(p,"/"); + BUF_strlcat(p,"/",len); #endif - strcat(p,OPENSSL_CONF); + BUF_strlcat(p,OPENSSL_CONF,len); return p; } + +static unsigned long index_serial_hash(const char **a) + { + const char *n; + + n=a[DB_serial]; + while (*n == '0') n++; + return(lh_strhash(n)); + } + +static int index_serial_cmp(const char **a, const char **b) + { + const char *aa,*bb; + + for (aa=a[DB_serial]; *aa == '0'; aa++); + for (bb=b[DB_serial]; *bb == '0'; bb++); + return(strcmp(aa,bb)); + } + +static int index_name_qual(char **a) + { return(a[0][0] == 'V'); } + +static unsigned long index_name_hash(const char **a) + { return(lh_strhash(a[DB_name])); } + +int index_name_cmp(const char **a, const char **b) + { return(strcmp(a[DB_name], + b[DB_name])); } + +static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) + +#undef BSIZE +#define BSIZE 256 + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) + { + BIO *in=NULL; + BIGNUM *ret=NULL; + MS_STATIC char buf[1024]; + ASN1_INTEGER *ai=NULL; + + ai=ASN1_INTEGER_new(); + if (ai == NULL) goto err; + + if ((in=BIO_new(BIO_s_file())) == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + if (BIO_read_filename(in,serialfile) <= 0) + { + if (!create) + { + perror(serialfile); + goto err; + } + else + { + ASN1_INTEGER_set(ai,1); + ret=BN_new(); + if (ret == NULL) + BIO_printf(bio_err, "Out of memory\n"); + else + BN_one(ret); + } + } + else + { + if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) + { + BIO_printf(bio_err,"unable to load number from %s\n", + serialfile); + goto err; + } + ret=ASN1_INTEGER_to_BN(ai,NULL); + if (ret == NULL) + { + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); + goto err; + } + } + + if (ret && retai) + { + *retai = ai; + ai = NULL; + } + err: + if (in != NULL) BIO_free(in); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai) + { + char buf[1][BSIZE]; + BIO *out = NULL; + int ret=0; + ASN1_INTEGER *ai=NULL; + int j; + + if (suffix == NULL) + j = strlen(serialfile); + else + j = strlen(serialfile) + strlen(suffix) + 1; + if (j >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + + if (suffix == NULL) + BUF_strlcpy(buf[0], serialfile, BSIZE); + else + { +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix); +#endif + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + out=BIO_new(BIO_s_file()); + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(serialfile); + goto err; + } + + if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) + { + BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); + goto err; + } + i2a_ASN1_INTEGER(out,ai); + BIO_puts(out,"\n"); + ret=1; + if (retai) + { + *retai = ai; + ai = NULL; + } +err: + if (out != NULL) BIO_free_all(out); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(serialfile) + strlen(old_suffix); + j = strlen(serialfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 1 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + serialfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + serialfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + serialfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + serialfile, old_suffix); +#endif + if (stat(serialfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + serialfile, buf[1]); +#endif + if (rename(serialfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + serialfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],serialfile); +#endif + if (rename(buf[0],serialfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],serialfile); + perror("reason"); + rename(buf[1],serialfile); + goto err; + } + return 1; + err: + return 0; + } + +CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) + { + CA_DB *retdb = NULL; + TXT_DB *tmpdb = NULL; + BIO *in = BIO_new(BIO_s_file()); + CONF *dbattr_conf = NULL; + char buf[1][BSIZE]; + long errorline= -1; + + if (in == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_read_filename(in,dbfile) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n",dbfile); + goto err; + } + if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) + { + if (tmpdb != NULL) TXT_DB_free(tmpdb); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); +#else + BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile); +#endif + dbattr_conf = NCONF_new(NULL); + if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0) + { + if (errorline > 0) + { + BIO_printf(bio_err, + "error on line %ld of db attribute file '%s'\n" + ,errorline,buf[0]); + goto err; + } + else + { + NCONF_free(dbattr_conf); + dbattr_conf = NULL; + } + } + + if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) + { + fprintf(stderr, "Out of memory\n"); + goto err; + } + + retdb->db = tmpdb; + tmpdb = NULL; + if (db_attr) + retdb->attributes = *db_attr; + else + { + retdb->attributes.unique_subject = 1; + } + + if (dbattr_conf) + { + char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject"); + if (p) + { + BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p); + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + retdb->attributes.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + retdb->attributes.unique_subject = 1; + break; + } + } + } + + err: + if (dbattr_conf) NCONF_free(dbattr_conf); + if (tmpdb) TXT_DB_free(tmpdb); + if (in) BIO_free_all(in); + return retdb; + } + +int index_index(CA_DB *db) + { + if (!TXT_DB_create_index(db->db, DB_serial, NULL, + LHASH_HASH_FN(index_serial_hash), + LHASH_COMP_FN(index_serial_cmp))) + { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + + if (db->attributes.unique_subject + && !TXT_DB_create_index(db->db, DB_name, index_name_qual, + LHASH_HASH_FN(index_name_hash), + LHASH_COMP_FN(index_name_cmp))) + { + BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + return 1; + } + +int save_index(char *dbfile, char *suffix, CA_DB *db) + { + char buf[3][BSIZE]; + BIO *out = BIO_new(BIO_s_file()); + int j; + + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + j = strlen(dbfile) + strlen(suffix); + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n", dbfile); + goto err; + } + j=TXT_DB_write(out,db->db); + if (j <= 0) goto err; + + BIO_free(out); + + out = BIO_new(BIO_s_file()); +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); +#endif + if (BIO_write_filename(out,buf[1]) <= 0) + { + perror(buf[2]); + BIO_printf(bio_err,"unable to open '%s'\n", buf[2]); + goto err; + } + BIO_printf(out,"unique_subject = %s\n", + db->attributes.unique_subject ? "yes" : "no"); + BIO_free(out); + + return 1; + err: + return 0; + } + +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(dbfile) + strlen(old_suffix); + j = strlen(dbfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + dbfile, old_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", + dbfile, old_suffix); +#endif + if (stat(dbfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); +#endif + if (rename(dbfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + dbfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],dbfile); +#endif + if (rename(buf[0],dbfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],dbfile); + perror("reason"); + rename(buf[1],dbfile); + goto err; + } + if (stat(buf[4],&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); +#endif + if (rename(buf[4],buf[3]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[4], buf[3]); + perror("reason"); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[2],buf[4]); +#endif + if (rename(buf[2],buf[4]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[2],buf[4]); + perror("reason"); + rename(buf[3],buf[4]); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + return 1; + err: + return 0; + } + +void free_index(CA_DB *db) + { + TXT_DB_free(db->db); + OPENSSL_free(db); + } diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h index c36b9d2..8a9c4ab 100644 --- a/crypto/openssl/apps/apps.h +++ b/crypto/openssl/apps/apps.h @@ -287,7 +287,38 @@ char *make_config_name(void); /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str); -int make_serial_index(TXT_DB *db); + +#define DB_type 0 +#define DB_exp_date 1 +#define DB_rev_date 2 +#define DB_serial 3 /* index - unique */ +#define DB_file 4 +#define DB_name 5 /* index - unique when active and not disabled */ +#define DB_NUMBER 6 + +#define DB_TYPE_REV 'R' +#define DB_TYPE_EXP 'E' +#define DB_TYPE_VAL 'V' + +typedef struct db_attr_st + { + int unique_subject; + } DB_ATTR; +typedef struct ca_db_st + { + DB_ATTR attributes; + TXT_DB *db; + } CA_DB; + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix); +CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); +int index_index(CA_DB *db); +int save_index(char *dbfile, char *suffix, CA_DB *db); +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix); +void free_index(CA_DB *db); +int index_name_cmp(const char **a, const char **b); X509_NAME *do_subject(char *str, long chtype); diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index 8367415..7db40ad 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -304,7 +304,15 @@ bad: num=tmplen; } - if (length == 0) length=(unsigned int)num; + if (offset >= num) + { + BIO_printf(bio_err, "Error: offset too large\n"); + goto end; + } + + num -= offset; + + if ((length == 0) || ((long)length > num)) length=(unsigned int)num; if(derout) { if(BIO_write(derout, str + offset, length) != (int)length) { BIO_printf(bio_err, "Error writing output\n"); diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 7ed60c7..2db61b1 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -122,6 +122,7 @@ #define ENV_NEW_CERTS_DIR "new_certs_dir" #define ENV_CERTIFICATE "certificate" #define ENV_SERIAL "serial" +#define ENV_CRLNUMBER "crlnumber" #define ENV_CRL "crl" #define ENV_PRIVATE_KEY "private_key" #define ENV_RANDFILE "RANDFILE" @@ -143,18 +144,6 @@ #define ENV_DATABASE "database" -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - /* Additional revocation information types */ #define REV_NONE 0 /* No addditional information */ @@ -211,43 +200,36 @@ extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); -static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); -static BIGNUM *load_serial(char *serialfile); -static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, + const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, + CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); +static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); +static int get_certificate_status(const char *ser_status, CA_DB *db); +static int do_updatedb(CA_DB *db); static int check_time_format(char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, char *str); @@ -259,11 +241,6 @@ static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - int MAIN(int, char **); @@ -300,6 +277,7 @@ int MAIN(int argc, char **argv) char *outfile=NULL; char *outdir=NULL; char *serialfile=NULL; + char *crlnumberfile=NULL; char *extensions=NULL; char *extfile=NULL; char *subj=NULL; @@ -308,6 +286,7 @@ int MAIN(int argc, char **argv) int rev_type = REV_NONE; char *rev_arg = NULL; BIGNUM *serial=NULL; + BIGNUM *crlnumber=NULL; char *startdate=NULL; char *enddate=NULL; long days=0; @@ -320,14 +299,13 @@ int MAIN(int argc, char **argv) X509 *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; char *dbfile=NULL; - TXT_DB *db=NULL; + CA_DB *db=NULL; X509_CRL *crl=NULL; X509_REVOKED *r=NULL; ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char **pp,*p,*f; int i,j; - long l; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; @@ -339,6 +317,7 @@ int MAIN(int argc, char **argv) char *engine = NULL; #endif char *tofree=NULL; + DB_ATTR db_attr; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -579,16 +558,19 @@ bad: if (configfile == NULL) { const char *s=X509_get_default_cert_area(); + size_t len; #ifdef OPENSSL_SYS_VMS - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)); + len = strlen(s)+sizeof(CONFIG_FILE); + tofree=OPENSSL_malloc(len); strcpy(tofree,s); #else - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1); - strcpy(tofree,s); - strcat(tofree,"/"); + len = strlen(s)+sizeof(CONFIG_FILE)+1; + tofree=OPENSSL_malloc(len); + BUF_strlcpy(tofree,s,len); + BUF_strlcat(tofree,"/",len); #endif - strcat(tofree,CONFIG_FILE); + BUF_strlcat(tofree,CONFIG_FILE,len); configfile=tofree; } @@ -659,6 +641,39 @@ bad: if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); + + db_attr.unique_subject = 1; + p = NCONF_get_string(conf, section, "unique_subject"); + if (p) + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); +#endif + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + db_attr.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + db_attr.unique_subject = 1; + break; + } + } +#ifdef RL_DEBUG + else + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", + db_attr.unique_subject); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); @@ -679,17 +694,10 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile,&db_attr); if (db == NULL) goto err; - if (!make_serial_index(db)) - goto err; + if (!index_index(db)) goto err; if (get_certificate_status(ser_status,db) != 1) BIO_printf(bio_err,"Error verifying serial %s!\n", @@ -849,19 +857,13 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile, &db_attr); if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { @@ -912,23 +914,13 @@ bad: out = BIO_push(tmpbio, out); } #endif - TXT_DB_write(out,db); + TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->data->num); + db->db->data->num); BIO_printf(bio_err,"generating index\n"); } - if (!make_serial_index(db)) - goto err; - - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) - { - BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } + if (!index_index(db)) goto err; /*****************************************************************/ /* Update the db file for expired certificates */ @@ -951,62 +943,9 @@ bad: } else { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile); -#endif - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); -#else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile); -#endif - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } + if (!save_index(dbfile,"new",db)) goto err; + + if (!rotate_index(dbfile,"new","old")) goto err; if (verbose) BIO_printf(bio_err, "Done. %d entries marked as expired\n",i); @@ -1167,7 +1106,7 @@ bad: goto err; } - if ((serial=load_serial(serialfile)) == NULL) + if ((serial=load_serial(serialfile, 0, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; @@ -1301,38 +1240,9 @@ bad: BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); - if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"file name too long\n"); - goto err; - } - - strcpy(buf[0],serialfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[0],"-new"); -#else - strcat(buf[0],".new"); -#endif - - if (!save_serial(buf[0],serial)) goto err; + if (!save_serial(serialfile,"new",serial,NULL)) goto err; - strcpy(buf[1],dbfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[1],"-new"); -#else - strcat(buf[1],".new"); -#endif - - if (BIO_write_filename(out,buf[1]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - l=TXT_DB_write(out,db); - if (l <= 0) goto err; + if (!save_index(dbfile, "new", db)) goto err; } if (verbose) @@ -1340,7 +1250,7 @@ bad: for (i=0; i<sk_X509_num(cert_sk); i++) { int k; - unsigned char *n; + char *n; x=sk_X509_value(cert_sk,i); @@ -1356,15 +1266,19 @@ bad: strcpy(buf[2],outdir); #ifndef OPENSSL_SYS_VMS - strcat(buf[2],"/"); + BUF_strlcat(buf[2],"/",sizeof(buf[2])); #endif - n=(unsigned char *)&(buf[2][strlen(buf[2])]); + n=(char *)&(buf[2][strlen(buf[2])]); if (j > 0) { for (k=0; k<j; k++) { - sprintf((char *)n,"%02X",(unsigned char)*(p++)); + if (n >= &(buf[2][sizeof(buf[2])])) + break; + BIO_snprintf(n, + &buf[2][0] + sizeof(buf[2]) - n, + "%02X",(unsigned char)*(p++)); n+=2; } } @@ -1390,59 +1304,10 @@ bad: if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ - strncpy(buf[2],serialfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; + if (!rotate_serial(serialfile,"new","old")) goto err; -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif + if (!rotate_index(dbfile,"new","old")) goto err; - BIO_free(in); - BIO_free_all(out); - in=NULL; - out=NULL; - if (rename(serialfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - serialfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[0],serialfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[0],serialfile); - perror("reason"); - rename(buf[2],serialfile); - goto err; - } - - strncpy(buf[2],dbfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; - -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif - - if (rename(dbfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - dbfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[1],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[1],dbfile); - perror("reason"); - rename(buf[2],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1473,6 +1338,14 @@ bad: } } + if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER)) + != NULL) + if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL) + { + BIO_printf(bio_err,"error while loading CRL number\n"); + goto err; + } + if (!crldays && !crlhours) { if (!NCONF_get_number(conf,section, @@ -1501,9 +1374,9 @@ bad: ASN1_TIME_free(tmptm); - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1549,14 +1422,24 @@ bad: /* Add any extensions asked for */ - if (crl_ext) + if (crl_ext || crlnumberfile != NULL) { X509V3_CTX crlctx; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); - if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, - crl_ext, crl)) goto err; + if (crl_ext) + if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, + crl_ext, crl)) goto err; + if (crlnumberfile != NULL) + { + tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); + if (!tmpser) goto err; + X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0); + ASN1_INTEGER_free(tmpser); + crl_v2 = 1; + if (!BN_add_word(crlnumber,1)) goto err; + } } if (crl_ext || crl_v2) { @@ -1564,9 +1447,17 @@ bad: goto err; /* version 2 CRL */ } + + if (crlnumberfile != NULL) /* we have a CRL number that need updating */ + if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; + if (!X509_CRL_sign(crl,pkey,dgst)) goto err; PEM_write_bio_X509_CRL(Sout,crl); + + if (crlnumberfile != NULL) /* Rename the crlnumber file */ + if (!rotate_serial(crlnumberfile,"new","old")) goto err; + } /*****************************************************************/ if (dorevoke) @@ -1587,50 +1478,10 @@ bad: if (j <= 0) goto err; X509_free(revcert); - if(strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"filename too long\n"); - goto err; - } + if (!save_index(dbfile, "new", db)) goto err; + + if (!rotate_index(dbfile, "new", "old")) goto err; - strcpy(buf[0],dbfile); -#ifndef OPENSSL_SYS_VMS - strcat(buf[0],".new"); -#else - strcat(buf[0],"-new"); -#endif - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - BIO_free_all(out); - out = NULL; - BIO_free_all(in); - in = NULL; - strncpy(buf[1],dbfile,BSIZE-4); - buf[1][BSIZE-4]='\0'; -#ifndef OPENSSL_SYS_VMS - strcat(buf[1],".old"); -#else - strcat(buf[1],"-old"); -#endif - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1652,7 +1503,7 @@ err: if (free_key && key) OPENSSL_free(key); BN_free(serial); - TXT_DB_free(db); + free_index(db); EVP_PKEY_free(pkey); X509_free(x509); X509_CRL_free(crl); @@ -1667,106 +1518,8 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) - { - const char *n; - - n=a[DB_serial]; - while (*n == '0') n++; - return(lh_strhash(n)); - } - -static int index_serial_cmp(const char **a, const char **b) - { - const char *aa,*bb; - - for (aa=a[DB_serial]; *aa == '0'; aa++); - for (bb=b[DB_serial]; *bb == '0'; bb++); - return(strcmp(aa,bb)); - } - -static unsigned long index_name_hash(const char **a) - { return(lh_strhash(a[DB_name])); } - -static int index_name_qual(char **a) - { return(a[0][0] == 'V'); } - -static int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } - -static BIGNUM *load_serial(char *serialfile) - { - BIO *in=NULL; - BIGNUM *ret=NULL; - MS_STATIC char buf[1024]; - ASN1_INTEGER *ai=NULL; - - if ((in=BIO_new(BIO_s_file())) == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - if (BIO_read_filename(in,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - ai=ASN1_INTEGER_new(); - if (ai == NULL) goto err; - if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) - { - BIO_printf(bio_err,"unable to load number from %s\n", - serialfile); - goto err; - } - ret=ASN1_INTEGER_to_BN(ai,NULL); - if (ret == NULL) - { - BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); - goto err; - } -err: - if (in != NULL) BIO_free(in); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - -static int save_serial(char *serialfile, BIGNUM *serial) - { - BIO *out; - int ret=0; - ASN1_INTEGER *ai=NULL; - - out=BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - if (BIO_write_filename(out,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - - if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) - { - BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); - goto err; - } - i2a_ASN1_INTEGER(out,ai); - BIO_puts(out,"\n"); - ret=1; -err: - if (out != NULL) BIO_free_all(out); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1828,7 +1581,7 @@ err: } static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1882,7 +1635,7 @@ err: } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1900,7 +1653,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int ok= -1,i,j,last,nid; char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow,**irow=NULL; + char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); @@ -2137,15 +1890,19 @@ again2: goto err; } - rrow=TXT_DB_get_by_index(db,DB_name,row); - if (rrow != NULL) + if (db->attributes.unique_subject) { - BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n", - row[DB_name]); + rrow=TXT_DB_get_by_index(db->db,DB_name,row); + if (rrow != NULL) + { + BIO_printf(bio_err, + "ERROR:There is already a certificate for %s\n", + row[DB_name]); + } } - else + if (rrow == NULL) { - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow != NULL) { BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n", @@ -2352,7 +2109,7 @@ again2: BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; @@ -2369,10 +2126,10 @@ again2: } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } ok=1; @@ -2423,7 +2180,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) @@ -2602,7 +2359,7 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) +static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) { ASN1_UTCTIME *tm=NULL; char *row[DB_NUMBER],**rrow,**irow; @@ -2627,10 +2384,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) /* We have to lookup by serial number because name lookup * skips revoked certs */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { - BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]); + BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]); /* We now just add it to the database */ row[DB_type]=(char *)OPENSSL_malloc(2); @@ -2653,7 +2410,7 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; @@ -2670,10 +2427,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } @@ -2718,7 +2475,7 @@ err: return(ok); } -static int get_certificate_status(const char *serial, TXT_DB *db) +static int get_certificate_status(const char *serial, CA_DB *db) { char *row[DB_NUMBER],**rrow; int ok=-1,i; @@ -2759,7 +2516,7 @@ static int get_certificate_status(const char *serial, TXT_DB *db) ok=1; /* Search for the certificate */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { BIO_printf(bio_err,"Serial %s not present in db.\n", @@ -2806,7 +2563,7 @@ err: return(ok); } -static int do_updatedb (TXT_DB *db) +static int do_updatedb (CA_DB *db) { ASN1_UTCTIME *a_tm = NULL; int i, cnt = 0; @@ -2832,9 +2589,9 @@ static int do_updatedb (TXT_DB *db) else a_y2k = 0; - for (i = 0; i < sk_num(db->data); i++) + for (i = 0; i < sk_num(db->db->data); i++) { - rrow = (char **) sk_value(db->data, i); + rrow = (char **) sk_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { @@ -2977,16 +2734,16 @@ char *make_revocation_str(int rev_type, char *rev_arg) if (!str) return NULL; - strcpy(str, (char *)revtm->data); + BUF_strlcpy(str, (char *)revtm->data, i); if (reason) { - strcat(str, ","); - strcat(str, reason); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, reason, i); } if (other) { - strcat(str, ","); - strcat(str, other); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, other, i); } ASN1_UTCTIME_free(revtm); return str; @@ -3321,17 +3078,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G return ret; } - -int make_serial_index(TXT_DB *db) - { - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - return 0; - } - return 1; - } diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 2ee9d6b..9070b03 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index 47d1309..be25daf 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -347,8 +347,9 @@ int MAIN(int argc, char **argv) } if(!out_bin) { - tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5); - sprintf(tmp,"%s(%s)= ",name,argv[i]); + size_t len = strlen(name)+strlen(argv[i])+5; + tmp=tofree=OPENSSL_malloc(len); + BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]); } else tmp=""; diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 0a9f731..30378a9 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -373,9 +373,9 @@ bad: { char buf[200]; - sprintf(buf,"enter %s %s password:", - OBJ_nid2ln(EVP_CIPHER_nid(cipher)), - (enc)?"encryption":"decryption"); + BIO_snprintf(buf,sizeof buf,"enter %s %s password:", + OBJ_nid2ln(EVP_CIPHER_nid(cipher)), + (enc)?"encryption":"decryption"); strbuf[0]='\0'; i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc); if (i == 0) diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index c3e1e8d..12283d0 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -122,8 +122,8 @@ static int append_buf(char **buf, const char *s, int *size, int step) return 0; if (**buf != '\0') - strcat(*buf, ", "); - strcat(*buf, s); + BUF_strlcat(*buf, ", ", *size); + BUF_strlcat(*buf, s, *size); return 1; } diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index e5f186f..856b797 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -68,19 +68,6 @@ /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -/* CA index.txt definitions */ -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, @@ -89,12 +76,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser); +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); @@ -143,7 +130,7 @@ int MAIN(int argc, char **argv) X509 *rca_cert = NULL; char *ridx_filename = NULL; char *rca_filename = NULL; - TXT_DB *rdb = NULL; + CA_DB *rdb = NULL; int nmin = 0, ndays = -1; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -700,22 +687,9 @@ int MAIN(int argc, char **argv) if (ridx_filename && !rdb) { - BIO *db_bio = NULL; - db_bio = BIO_new_file(ridx_filename, "r"); - if (!db_bio) - { - BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename); - goto end; - } - rdb = TXT_DB_read(db_bio, DB_NUMBER); - BIO_free(db_bio); - if (!rdb) - { - BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename); - goto end; - } - if (!make_serial_index(rdb)) - goto end; + rdb = load_index(ridx_filename, NULL); + if (!rdb) goto end; + if (!index_index(rdb)) goto end; } if (rdb) @@ -899,7 +873,7 @@ end: X509_free(cert); X509_free(rsigner); X509_free(rca_cert); - TXT_DB_free(rdb); + free_index(rdb); BIO_free_all(cbio); BIO_free_all(acbio); BIO_free(out); @@ -1041,7 +1015,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, } -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) @@ -1133,7 +1107,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d } -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) { int i; BIGNUM *bn = NULL; @@ -1146,7 +1120,7 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) itmp = BN_bn2hex(bn); row[DB_serial] = itmp; BN_free(bn); - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); OPENSSL_free(itmp); return rrow; } diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf index eca51c3..854d1f1 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -38,10 +38,14 @@ dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number +#crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file @@ -58,6 +62,7 @@ cert_opt = ca_default # Certificate field options # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index 5136acd..71192bd 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -557,7 +557,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "Can't read Password\n"); goto export_end; } - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); /* Turn certbags into encrypted authsafe */ authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, iter, bags); @@ -658,7 +658,7 @@ int MAIN(int argc, char **argv) CRYPTO_pop_info(); #endif - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); if(macver) { diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index 6c58c67..da4dbe7 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -102,6 +102,9 @@ int MAIN(int argc, char **argv) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + infile=NULL; outfile=NULL; informat=FORMAT_PEM; diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 5f6ec3d..1a3d1d0 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -824,7 +824,7 @@ loop: if ((x509ss=X509_new()) == NULL) goto end; /* Set version to V3 */ - if(!X509_set_version(x509ss, 2)) goto end; + if(extensions && !X509_set_version(x509ss, 2)) goto end; if (serial) { if (!X509_set_serialNumber(x509ss, serial)) goto end; @@ -1223,34 +1223,34 @@ start: for (;;) } /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; - - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",v->name); if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); def=""; } - sprintf(buf,"%s_value",v->name); + + BIO_snprintf(buf,sizeof buf,"%s_value",v->name); if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); value=NULL; } - sprintf(buf,"%s_min",v->name); + BIO_snprintf(buf,sizeof buf,"%s_min",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) { ERR_clear_error(); n_min = -1; } - sprintf(buf,"%s_max",v->name); + BIO_snprintf(buf,sizeof buf,"%s_max",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) { ERR_clear_error(); @@ -1288,13 +1288,13 @@ start2: for (;;) if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start2; - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",type) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",type); if ((def=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { @@ -1303,7 +1303,7 @@ start2: for (;;) } - sprintf(buf,"%s_value",type); + BIO_snprintf(buf,sizeof buf,"%s_value",type); if ((value=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { @@ -1311,11 +1311,11 @@ start2: for (;;) value=NULL; } - sprintf(buf,"%s_min",type); + BIO_snprintf(buf,sizeof buf,"%s_min",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) n_min = -1; - sprintf(buf,"%s_max",type); + BIO_snprintf(buf,sizeof buf,"%s_max",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) n_max = -1; @@ -1397,9 +1397,8 @@ start: (void)BIO_flush(bio_err); if(value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else @@ -1421,8 +1420,8 @@ start: { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); @@ -1456,9 +1455,8 @@ start: (void)BIO_flush(bio_err); if (value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else @@ -1480,8 +1478,8 @@ start: { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index 5a6fd11..5db6fe7 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -97,6 +97,7 @@ int MAIN(int argc, char **argv) EVP_PKEY *pkey = NULL; RSA *rsa = NULL; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad; + char *passargin = NULL, *passin = NULL; int rsa_inlen, rsa_outlen = 0; int keysize; @@ -124,6 +125,9 @@ int MAIN(int argc, char **argv) } else if(!strcmp(*argv, "-inkey")) { if (--argc < 1) badarg = 1; keyfile = *(++argv); + } else if (!strcmp(*argv,"-passin")) { + if (--argc < 1) badarg = 1; + passargin= *(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; keyform=str2fmt(*(++argv)); @@ -169,6 +173,10 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif + if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } /* FIXME: seed PRNG only if needed */ app_RAND_load_file(NULL, bio_err, 0); @@ -176,7 +184,7 @@ int MAIN(int argc, char **argv) switch(key_type) { case KEY_PRIVKEY: pkey = load_key(bio_err, keyfile, keyform, 0, - NULL, e, "Private Key"); + passin, e, "Private Key"); break; case KEY_PUBKEY: @@ -290,6 +298,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if(rsa_in) OPENSSL_free(rsa_in); if(rsa_out) OPENSSL_free(rsa_out); + if(passin) OPENSSL_free(passin); return ret; } @@ -313,6 +322,7 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); + BIO_printf (bio_err, "-passin arg pass phrase source\n"); #endif } diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c index a88de6c..1867890 100644 --- a/crypto/openssl/apps/s_socket.c +++ b/crypto/openssl/apps/s_socket.c @@ -389,7 +389,7 @@ redoit: perror("OPENSSL_malloc"); return(0); } - strcpy(*host,h1->h_name); + BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); h2=GetHostByName(*host); if (h2 == NULL) diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c index 1ad16cd..7d47057 100644 --- a/crypto/openssl/apps/s_time.c +++ b/crypto/openssl/apps/s_time.c @@ -502,7 +502,7 @@ int MAIN(int argc, char **argv) if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; @@ -557,7 +557,7 @@ next: if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while (SSL_read(scon,buf,sizeof(buf)) > 0) ; @@ -595,7 +595,7 @@ next: if (s_www_path) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index ec55b41..2412200 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -773,6 +773,7 @@ int MAIN(int argc, char **argv) { dsa_doit[R_DSA_512]=1; dsa_doit[R_DSA_1024]=1; + dsa_doit[R_DSA_2048]=1; } else #endif @@ -1006,6 +1007,9 @@ int MAIN(int argc, char **argv) c[D_CBC_RC5][0]=count; c[D_CBC_BF][0]=count; c[D_CBC_CAST][0]=count; + c[D_CBC_128_AES][0]=count; + c[D_CBC_192_AES][0]=count; + c[D_CBC_256_AES][0]=count; for (i=1; i<SIZE_NUM; i++) { @@ -1031,6 +1035,9 @@ int MAIN(int argc, char **argv) c[D_CBC_RC5][i]=c[D_CBC_RC5][i-1]*l0/l1; c[D_CBC_BF][i]=c[D_CBC_BF][i-1]*l0/l1; c[D_CBC_CAST][i]=c[D_CBC_CAST][i-1]*l0/l1; + c[D_CBC_128_AES][i]=c[D_CBC_128_AES][i-1]*l0/l1; + c[D_CBC_192_AES][i]=c[D_CBC_192_AES][i-1]*l0/l1; + c[D_CBC_256_AES][i]=c[D_CBC_256_AES][i-1]*l0/l1; } #ifndef OPENSSL_NO_RSA rsa_c[R_RSA_512][0]=count/2000; diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index 2020b51..9b95f7b 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -1022,31 +1022,31 @@ end: OPENSSL_EXIT(ret); } -static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) +static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) { char *buf = NULL, *p; - MS_STATIC char buf2[1024]; - ASN1_INTEGER *bs = NULL, *bs2 = NULL; - BIO *io = NULL; + ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; + size_t len; - buf=OPENSSL_malloc( ((serialfile == NULL) - ?(strlen(CAfile)+strlen(POSTFIX)+1) - :(strlen(serialfile)))+1); + len = ((serialfile == NULL) + ?(strlen(CAfile)+strlen(POSTFIX)+1) + :(strlen(serialfile)))+1; + buf=OPENSSL_malloc(len); if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; } if (serialfile == NULL) { - strcpy(buf,CAfile); + BUF_strlcpy(buf,CAfile,len); for (p=buf; *p; p++) if (*p == '.') { *p='\0'; break; } - strcat(buf,POSTFIX); + BUF_strlcat(buf,POSTFIX,len); } else - strcpy(buf,serialfile); + BUF_strlcpy(buf,serialfile,len); serial=BN_new(); bs=ASN1_INTEGER_new(); if ((serial == NULL) || (bs == NULL)) @@ -1055,72 +1055,18 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) goto end; } - io=BIO_new(BIO_s_file()); - if (io == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (BIO_read_filename(io,buf) <= 0) - { - if (!create) - { - perror(buf); - goto end; - } - else - { - ASN1_INTEGER_set(bs,1); - BN_one(serial); - } - } - else - { - if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2)) - { - BIO_printf(bio_err,"unable to load serial number from %s\n",buf); - ERR_print_errors(bio_err); - goto end; - } - else - { - serial=BN_bin2bn(bs->data,bs->length,serial); - if (serial == NULL) - { - BIO_printf(bio_err,"error converting bin 2 bn"); - goto end; - } - } - } + serial = load_serial(buf, create, NULL); + if (serial == NULL) goto end; if (!BN_add_word(serial,1)) { BIO_printf(bio_err,"add_word failure\n"); goto end; } - if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL))) - { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; } - if (BIO_write_filename(io,buf) <= 0) - { - BIO_printf(bio_err,"error attempting to write serial number file\n"); - perror(buf); - goto end; - } - i2a_ASN1_INTEGER(io,bs2); - BIO_puts(io,"\n"); - BIO_free(io); - if (buf) OPENSSL_free(buf); - ASN1_INTEGER_free(bs2); - BN_free(serial); - io=NULL; - return bs; + if (!save_serial(buf, NULL, serial, &bs)) goto end; - end: + end: if (buf) OPENSSL_free(buf); - BIO_free(io); - ASN1_INTEGER_free(bs); BN_free(serial); - return NULL; - + return bs; } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, @@ -1142,7 +1088,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; } if (sno) bs = sno; - else if (!(bs = load_serial(CAfile, serialfile, create))) + else if (!(bs = x509_load_serial(CAfile, serialfile, create))) goto end; /* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ |
