| author | tb <> | 2022-02-03 17:44:04 +0000 |
|---|---|---|
| committer | tb <> | 2022-02-03 17:44:04 +0000 |
| commit | 99e959b3452e5b44dc52e0e6e87b7e4ec42147af (patch) | |
| tree | d64d65e1fd6a83904267a56b4660fb0e0411b465 | |
| parent | 355870caa2e034326f5b6b4df6b18cf93e907bc7 (diff) | |
| download | openbsd-99e959b3452e5b44dc52e0e6e87b7e4ec42147af.tar.gz openbsd-99e959b3452e5b44dc52e0e6e87b7e4ec42147af.tar.bz2 openbsd-99e959b3452e5b44dc52e0e6e87b7e4ec42147af.zip | |
Use X509_*get0_pubkey() wherever possible to simplify and clean up
the code. Also add error checking where possible.
ok jsing
| -rw-r--r-- | src/usr.bin/openssl/ca.c | 20 | ||||
| -rw-r--r-- | src/usr.bin/openssl/req.c | 32 | ||||
| -rw-r--r-- | src/usr.bin/openssl/s_client.c | 6 |
3 files changed, 22 insertions, 36 deletions
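--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.52 2021/11/21 22:34:30 tb Exp $ */
+/* $OpenBSD: ca.c,v 1.53 2022/02/03 17:44:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1633,12 +1633,11 @@ certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 		ok = 0;
 		goto err;
 	}
-	if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+	if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
 		BIO_printf(bio_err, "error unpacking public key\n");
 		goto err;
 	}
 	i = X509_REQ_verify(req, pktmp);
-	EVP_PKEY_free(pktmp);
 	if (i < 0) {
 		ok = 0;
 		BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1688,12 +1687,11 @@ certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 
 	BIO_printf(bio_err, "Check that the request matches the signature\n");
 
-	if ((pktmp = X509_get_pubkey(req)) == NULL) {
+	if ((pktmp = X509_get0_pubkey(req)) == NULL) {
 		BIO_printf(bio_err, "error unpacking public key\n");
 		goto err;
 	}
 	i = X509_verify(req, pktmp);
-	EVP_PKEY_free(pktmp);
 	if (i < 0) {
 		ok = 0;
 		BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1997,13 +1995,10 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	if (!X509_set_subject_name(ret, subject))
 		goto err;
 
-	pktmp = X509_REQ_get_pubkey(req);
-	if (pktmp == NULL)
+	if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL)
 		goto err;
 
-	i = X509_set_pubkey(ret, pktmp);
-	EVP_PKEY_free(pktmp);
-	if (!i)
+	if (!X509_set_pubkey(ret, pktmp))
 		goto err;
 
 	/* Lets add the extensions, if there are any */
@@ -2226,18 +2221,15 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 		}
 	}
 
-	pktmp = X509_get_pubkey(ret);
-	if (pktmp == NULL)
+	if ((pktmp = X509_get0_pubkey(ret)) == NULL)
 		goto err;
 
 	if (EVP_PKEY_missing_parameters(pktmp) &&
 	    !EVP_PKEY_missing_parameters(pkey)) {
 		if (!EVP_PKEY_copy_parameters(pktmp, pkey)) {
-			EVP_PKEY_free(pktmp);
 			goto err;
 		}
 	}
-	EVP_PKEY_free(pktmp);
 
 	if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
 		goto err;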
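Review bot: After the switch to `X509_REQ_get0_pubkey()`/`X509_get0_pubkey()`, `pktmp` in certify(), certify_cert() and do_body() is a pointer borrowed from `req`/`ret`, not an owned reference, so it is only valid while that object lives and must never reach `EVP_PKEY_free()`. The `err:` labels of all three functions lie outside these hunks; please confirm none of them frees `pktmp` or uses it after `req`/`ret` has been released, since that would now be a free or use of memory owned by the request or certificate. The ownership change deserves a one-line comment at the first assignment, e.g. `/* pktmp is owned by req; do not free */`, so the next reader does not reintroduce the free. In the last hunk, `EVP_PKEY_copy_parameters(pktmp, pkey)` now visibly writes parameters into the key object embedded in `ret`; that is the intent (the signed certificate must carry them), but a short comment stating it would help.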
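--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.22 2021/12/12 20:42:37 tb Exp $ */
+/* $OpenBSD: req.c,v 1.23 2022/02/03 17:44:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -879,6 +879,7 @@ req_main(int argc, char **argv)
 	}
 	if (req_config.x509) {
 		EVP_PKEY *tmppkey;
+
 		X509V3_CTX ext_ctx;
 		if ((x509ss = X509_new()) == NULL)
 			goto end;
@@ -904,10 +905,10 @@ req_main(int argc, char **argv)
 			goto end;
 		if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req)))
 			goto end;
-		tmppkey = X509_REQ_get_pubkey(req);
-		if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
+		if ((tmppkey = X509_REQ_get0_pubkey(req)) == NULL)
+			goto end;
+		if (!X509_set_pubkey(x509ss, tmppkey))
 			goto end;
-		EVP_PKEY_free(tmppkey);
 
 		/* Set up V3 context struct */
 
@@ -984,19 +985,13 @@ req_main(int argc, char **argv)
 		}
 	}
 	if (req_config.verify && !req_config.x509) {
-		int tmp = 0;
+		EVP_PKEY *pubkey = pkey;
 
-		if (pkey == NULL) {
-			pkey = X509_REQ_get_pubkey(req);
-			tmp = 1;
-			if (pkey == NULL)
-				goto end;
-		}
-		i = X509_REQ_verify(req, pkey);
-		if (tmp) {
-			EVP_PKEY_free(pkey);
-			pkey = NULL;
-		}
+		if (pubkey == NULL)
+			pubkey = X509_REQ_get0_pubkey(req);
+		if (pubkey == NULL)
+			goto end;
+		i = X509_REQ_verify(req, pubkey);
 		if (i < 0) {
 			goto end;
 		} else if (i == 0) {
@@ -1024,14 +1019,13 @@ req_main(int argc, char **argv)
 
 	if (req_config.pubkey) {
 		EVP_PKEY *tpubkey;
-		tpubkey = X509_REQ_get_pubkey(req);
-		if (tpubkey == NULL) {
+
+		if ((tpubkey = X509_REQ_get0_pubkey(req)) == NULL) {
 			BIO_printf(bio_err, "Error getting public key\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		PEM_write_bio_PUBKEY(out, tpubkey);
-		EVP_PKEY_free(tpubkey);
 	}
 	if (req_config.text) {
 		if (req_config.x509)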
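Review bot: In the rewritten `-verify` branch (hunk at 984/985), `if (pubkey == NULL) goto end;` bails out silently when the request carries no decodable public key, whereas the `-pubkey` branch in the next hunk reports the same failure with `BIO_printf(bio_err, "Error getting public key\n");` and `ERR_print_errors(bio_err);`; since the commit is adding error checking, the verify path should emit the same diagnostic before the `goto end` so an operator can tell a malformed CSR from some other failure. When `pkey` is NULL the request is verified against its own embedded key, i.e. this is a self-signature check only, which is unchanged from before but worth a comment such as `/* no -key given: verify the CSR against its own public key */`. In the `-pubkey` hunk, `PEM_write_bio_PUBKEY(out, tpubkey);` is still unchecked; `if (!PEM_write_bio_PUBKEY(out, tpubkey)) goto end;` would match the new style. req_main() extends well beyond these hunks, so the exit status set at `end:` cannot be confirmed from here.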
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index da6ef088b8..15ebb0c0a7 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */ | 1 | /* $OpenBSD: s_client.c,v 1.58 2022/02/03 17:44:04 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1772,10 +1772,10 @@ print_stuff(BIO *bio, SSL *s, int full) | |||
| 1772 | SSL_CIPHER_get_name(c)); | 1772 | SSL_CIPHER_get_name(c)); |
| 1773 | if (peer != NULL) { | 1773 | if (peer != NULL) { |
| 1774 | EVP_PKEY *pktmp; | 1774 | EVP_PKEY *pktmp; |
| 1775 | pktmp = X509_get_pubkey(peer); | 1775 | |
| 1776 | pktmp = X509_get0_pubkey(peer); | ||
| 1776 | BIO_printf(bio, "Server public key is %d bit\n", | 1777 | BIO_printf(bio, "Server public key is %d bit\n", |
| 1777 | EVP_PKEY_bits(pktmp)); | 1778 | EVP_PKEY_bits(pktmp)); |
| 1778 | EVP_PKEY_free(pktmp); | ||
| 1779 | } | 1779 | } |
| 1780 | BIO_printf(bio, "Secure Renegotiation IS%s supported\n", | 1780 | BIO_printf(bio, "Secure Renegotiation IS%s supported\n", |
| 1781 | SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); | 1781 | SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); |
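Review bot: `pktmp = X509_get0_pubkey(peer);` is still passed straight to `EVP_PKEY_bits()` without a NULL check, even though the commit adds such checks in ca.c and req.c; `peer` is the certificate presented by the remote server, so an unsupported or malformed SubjectPublicKeyInfo yields a NULL here under the client's control of nothing but what it connects to. Unless `EVP_PKEY_bits()` is known to tolerate a NULL argument, guard the print: `if ((pktmp = X509_get0_pubkey(peer)) != NULL)` wrapping the `BIO_printf` call, optionally with an `else` line reporting that the key could not be parsed. The pointer is now borrowed from `peer`, so a short `/* borrowed from peer; do not free */` would document why the free is gone. print_stuff() continues outside the hunk.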
