Fix five bugs in X509_REQ_to_X509(3):

* memory leak in X509_set_subject_name(ret, X509_NAME_dup(xn));
* memory leak in X509_set_issuer_name(ret, X509_NAME_dup(xn));
* memory leak in X509_set_pubkey(ret, X509_REQ_get_pubkey(r));
* missing return value check of X509_REQ_get_pubkey(r);
* missing return value check of X509_set_pubkey(...);
Some of these bugs have survived for twenty-five years.

I noticed the first two bugs while documenting the function,
then found that a commit in the OpenSSL 1.1.1 branch, which is
still under a free license, fixed all of them in 2016.

In the function X509_REQ_to_X509(3), merge everything worth merging
from OpenSSL 1.1.1, in particular the relevant parts of:
* 222561fe Apr 30 17:33:59 2015 -0400 (err: label cleanup)
* 0517538d Mar 17 00:15:48 2016 +0100 (the bugfix)
* c5137473 Apr 3  23:37:32 2016 +0200 (code simplification)

While here, delete some commented out code that is wrong in
multiple ways and untouched since the SSLeay era.

One code tweak for readability by tb@, and OK tb@.

1 files changed, 12 insertions, 11 deletions

diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 143d0f1aa0..b3b8aa75ed 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.13 2021/11/03 14:36:21 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,6 +74,7 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
         X509 *ret = NULL;
         X509_CINF *xi = NULL;
         X509_NAME *xn;
+        EVP_PKEY *pubkey;
 
         if ((ret = X509_new()) == NULL) {
                 X509error(ERR_R_MALLOC_FAILURE);
@@ -88,14 +89,12 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
                         goto err;
                 if (!ASN1_INTEGER_set(xi->version, 2))
                         goto err;
-/*              xi->extensions=ri->attributes; <- bad, should not ever be done
-                ri->attributes=NULL; */
         }
 
         xn = X509_REQ_get_subject_name(r);
-        if (X509_set_subject_name(ret, X509_NAME_dup(xn)) == 0)
+        if (X509_set_subject_name(ret, xn) == 0)
                 goto err;
-        if (X509_set_issuer_name(ret, X509_NAME_dup(xn)) == 0)
+        if (X509_set_issuer_name(ret, xn) == 0)
                 goto err;
 
         if (X509_gmtime_adj(xi->validity->notBefore, 0) == NULL)
@@ -104,14 +103,16 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
             (long)60 * 60 * 24 * days) == NULL)
                 goto err;
 
-        X509_set_pubkey(ret, X509_REQ_get_pubkey(r));
+        if ((pubkey = X509_REQ_get0_pubkey(r)) == NULL)
+                goto err;
+        if (!X509_set_pubkey(ret, pubkey))
+                goto err;
 
         if (!X509_sign(ret, pkey, EVP_md5()))
                 goto err;
-        if (0) {
+        return ret;
+
 err:
-                X509_free(ret);
-                ret = NULL;
-        }
-        return (ret);
+        X509_free(ret);
+        return NULL;
 }