Check function return value in openssl(1) x509.c

input from bcook@, ok and comments from tb@
author: inoguchi <> 2021-04-07 10:44:03 +0000
committer: inoguchi <> 2021-04-07 10:44:03 +0000
commit: 6d06ac369e451729f7eadaba6755fcf1534cf634 (patch)
tree: dbbabc69ffbd6103ad0cbfb6e327ca39cfe2d7ed /src
parent: 88100b565559b1d56606a0d129c09015e3a9ffc5 (diff)
download: openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.tar.gz
openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.tar.bz2
openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.zip
1 files changed, 71 insertions, 24 deletions
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index 4d497851ca..9a2fdd9d16 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.22 2021/04/07 10:29:58 inoguchi Exp $ */
+/* $OpenBSD: x509.c,v 1.23 2021/04/07 10:44:03 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -897,19 +897,26 @@ x509_main(int argc, char **argv)
                if (!X509_set_subject_name(x, req->req_info->subject))
                        goto end;
-                X509_gmtime_adj(X509_get_notBefore(x), 0);
+                if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
-                X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0,
+                        goto end;
-                    NULL);
+                if (X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0,
+                    NULL) == NULL)
+                        goto end;
-                pkey = X509_REQ_get_pubkey(req);
+                if ((pkey = X509_REQ_get_pubkey(req)) == NULL)
-                X509_set_pubkey(x, pkey);
+                        goto end;
+                if (!X509_set_pubkey(x, pkey)) {
+                        EVP_PKEY_free(pkey);
+                        goto end;
+                }
                EVP_PKEY_free(pkey);
-        } else
+        } else {
                x = load_cert(bio_err, x509_config.infile, x509_config.informat,
                    NULL, "Certificate");
+        }
        if (x == NULL)
                goto end;
        if (x509_config.CA_flag) {
                xca = load_cert(bio_err, x509_config.CAfile,
                    x509_config.CAformat, NULL, "CA Certificate");
@@ -933,8 +940,10 @@ x509_main(int argc, char **argv)
                        }
                }
        }
-        if (x509_config.alias != NULL)
+        if (x509_config.alias != NULL) {
-                X509_alias_set1(x, (unsigned char *) x509_config.alias, -1);
+                if (!X509_alias_set1(x, (unsigned char *)x509_config.alias, -1))
+                        goto end;
+        }
        if (x509_config.clrtrust)
                X509_trust_clear(x);
@@ -945,14 +954,16 @@ x509_main(int argc, char **argv)
                for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {
                        x509_config.objtmp = sk_ASN1_OBJECT_value(
                            x509_config.trust, i);
-                        X509_add1_trust_object(x, x509_config.objtmp);
+                        if (!X509_add1_trust_object(x, x509_config.objtmp))
+                                goto end;
                }
        }
        if (x509_config.reject != NULL) {
                for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {
                        x509_config.objtmp = sk_ASN1_OBJECT_value(
                            x509_config.reject, i);
-                        X509_add1_reject_object(x, x509_config.objtmp);
+                        if (!X509_add1_reject_object(x, x509_config.objtmp))
+                                goto end;
                }
        }
        if (x509_config.num) {
@@ -974,6 +985,8 @@ x509_main(int argc, char **argv)
                                BIGNUM *bnser;
                                ASN1_INTEGER *ser;
                                ser = X509_get_serialNumber(x);
+                                if (ser == NULL)
+                                        goto end;
                                bnser = ASN1_INTEGER_to_BN(ser, NULL);
                                if (bnser == NULL)
                                        goto end;
@@ -1075,14 +1088,21 @@ x509_main(int argc, char **argv)
                                char *m;
                                int y, z;
-                                X509_NAME_oneline(X509_get_subject_name(x),
+                                m = X509_NAME_oneline(X509_get_subject_name(x),
                                    buf, sizeof buf);
+                                if (m == NULL)
+                                        goto end;
                                BIO_printf(STDout, "/* subject:%s */\n", buf);
                                m = X509_NAME_oneline(X509_get_issuer_name(x),
                                    buf, sizeof buf);
+                                if (m == NULL)
+                                        goto end;
                                BIO_printf(STDout, "/* issuer :%s */\n", buf);
                                z = i2d_X509(x, NULL);
+                                if (z < 0)
+                                        goto end;
                                m = malloc(z);
                                if (m == NULL) {
                                        BIO_printf(bio_err, "out of mem\n");
@@ -1091,6 +1111,10 @@ x509_main(int argc, char **argv)
                                d = (unsigned char *) m;
                                z = i2d_X509_NAME(X509_get_subject_name(x), &d);
+                                if (z < 0) {
+                                        free(m);
+                                        goto end;
+                                }
                                BIO_printf(STDout,
                                    "unsigned char XXX_subject_name[%d]={\n", z);
                                d = (unsigned char *) m;
@@ -1104,6 +1128,10 @@ x509_main(int argc, char **argv)
                                BIO_printf(STDout, "};\n");
                                z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
+                                if (z < 0) {
+                                        free(m);
+                                        goto end;
+                                }
                                BIO_printf(STDout,
                                    "unsigned char XXX_public_key[%d]={\n", z);
                                d = (unsigned char *) m;
@@ -1117,6 +1145,10 @@ x509_main(int argc, char **argv)
                                BIO_printf(STDout, "};\n");
                                z = i2d_X509(x, &d);
+                                if (z < 0) {
+                                        free(m);
+                                        goto end;
+                                }
                                BIO_printf(STDout,
                                    "unsigned char XXX_certificate[%d]={\n", z);
                                d = (unsigned char *) m;
@@ -1131,8 +1163,9 @@ x509_main(int argc, char **argv)
                                free(m);
                        } else if (x509_config.text == i) {
-                                X509_print_ex(STDout, x, x509_config.nmflag,
+                                if(!X509_print_ex(STDout, x, x509_config.nmflag,
-                                    x509_config.certflag);
+                                    x509_config.certflag))
+                                        goto end;
                        } else if (x509_config.startdate == i) {
                                ASN1_TIME *nB = X509_get_notBefore(x);
                                BIO_puts(STDout, "notBefore=");
@@ -1235,12 +1268,15 @@ x509_main(int argc, char **argv)
                                        goto end;
                                }
                                if (!x509_config.noout) {
-                                        X509_REQ_print(out, rq);
+                                        if (!X509_REQ_print(out, rq))
-                                        PEM_write_bio_X509_REQ(out, rq);
+                                                goto end;
+                                        if (!PEM_write_bio_X509_REQ(out, rq))
+                                                goto end;
                                }
                                x509_config.noout = 1;
                        } else if (x509_config.ocspid == i) {
-                                X509_ocspid_print(out, x);
+                                if (!X509_ocspid_print(out, x))
+                                        goto end;
                        }
                }
        }
@@ -1369,6 +1405,8 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
        EVP_PKEY *upkey;
        upkey = X509_get_pubkey(xca);
+        if (upkey == NULL)
+                goto end;
        EVP_PKEY_copy_parameters(upkey, pkey);
        EVP_PKEY_free(upkey);
@@ -1410,12 +1448,15 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
                goto end;
        if (clrext) {
-                while (X509_get_ext_count(x) > 0)
+                while (X509_get_ext_count(x) > 0) {
-                        X509_delete_ext(x, 0);
+                        if (X509_delete_ext(x, 0) == NULL)
+                                goto end;
+                }
        }
        if (conf != NULL) {
                X509V3_CTX ctx2;
-                X509_set_version(x, 2); /* version 3 certificate */
+                if (!X509_set_version(x, 2))    /* version 3 certificate */
+                        goto end;
                X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
                X509V3_set_nconf(&ctx2, conf);
                if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1423,6 +1464,7 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
        }
        if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))
                goto end;
        ret = 1;
 end:
        X509_STORE_CTX_cleanup(&xsc);
@@ -1476,6 +1518,8 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
        EVP_PKEY *pktmp;
        pktmp = X509_get_pubkey(x);
+        if (pktmp == NULL)
+                goto err;
        EVP_PKEY_copy_parameters(pktmp, pkey);
        EVP_PKEY_save_parameters(pktmp, 1);
        EVP_PKEY_free(pktmp);
@@ -1496,12 +1540,15 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
        if (!X509_set_pubkey(x, pkey))
                goto err;
        if (clrext) {
-                while (X509_get_ext_count(x) > 0)
+                while (X509_get_ext_count(x) > 0) {
-                        X509_delete_ext(x, 0);
+                        if (X509_delete_ext(x, 0) == NULL)
+                                goto err;
+                }
        }
        if (conf != NULL) {
                X509V3_CTX ctx;
-                X509_set_version(x, 2); /* version 3 certificate */
+                if (!X509_set_version(x, 2))    /* version 3 certificate */
+                        goto err;
                X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
                X509V3_set_nconf(&ctx, conf);
                if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
author	inoguchi <>	2021-04-07 10:44:03 +0000
committer	inoguchi <>	2021-04-07 10:44:03 +0000
commit	6d06ac369e451729f7eadaba6755fcf1534cf634 (patch)
tree	dbbabc69ffbd6103ad0cbfb6e327ca39cfe2d7ed /src
parent	88100b565559b1d56606a0d129c09015e3a9ffc5 (diff)
download	openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.tar.gz openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.tar.bz2 openbsd-6d06ac369e451729f7eadaba6755fcf1534cf634.zip

diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c index 4d497851ca..9a2fdd9d16 100644 --- a/src/usr.bin/openssl/x509.c +++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509.c,v 1.22 2021/04/07 10:29:58 inoguchi Exp $ */	1	/* $OpenBSD: x509.c,v 1.23 2021/04/07 10:44:03 inoguchi Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -897,19 +897,26 @@ x509_main(int argc, char **argv)
897	if (!X509_set_subject_name(x, req->req_info->subject))	897	if (!X509_set_subject_name(x, req->req_info->subject))
898	goto end;	898	goto end;
899		899
900	X509_gmtime_adj(X509_get_notBefore(x), 0);	900	if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
901	X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0,	901	goto end;
902	NULL);	902	if (X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0,
		903	NULL) == NULL)
		904	goto end;
903		905
904	pkey = X509_REQ_get_pubkey(req);	906	if ((pkey = X509_REQ_get_pubkey(req)) == NULL)
905	X509_set_pubkey(x, pkey);	907	goto end;
		908	if (!X509_set_pubkey(x, pkey)) {
		909	EVP_PKEY_free(pkey);
		910	goto end;
		911	}
906	EVP_PKEY_free(pkey);	912	EVP_PKEY_free(pkey);
907	} else	913	} else {
908	x = load_cert(bio_err, x509_config.infile, x509_config.informat,	914	x = load_cert(bio_err, x509_config.infile, x509_config.informat,
909	NULL, "Certificate");	915	NULL, "Certificate");
910		916	}
911	if (x == NULL)	917	if (x == NULL)
912	goto end;	918	goto end;
		919
913	if (x509_config.CA_flag) {	920	if (x509_config.CA_flag) {
914	xca = load_cert(bio_err, x509_config.CAfile,	921	xca = load_cert(bio_err, x509_config.CAfile,
915	x509_config.CAformat, NULL, "CA Certificate");	922	x509_config.CAformat, NULL, "CA Certificate");
@@ -933,8 +940,10 @@ x509_main(int argc, char **argv)
933	}	940	}
934	}	941	}
935	}	942	}
936	if (x509_config.alias != NULL)	943	if (x509_config.alias != NULL) {
937	X509_alias_set1(x, (unsigned char *) x509_config.alias, -1);	944	if (!X509_alias_set1(x, (unsigned char *)x509_config.alias, -1))
		945	goto end;
		946	}
938		947
939	if (x509_config.clrtrust)	948	if (x509_config.clrtrust)
940	X509_trust_clear(x);	949	X509_trust_clear(x);
@@ -945,14 +954,16 @@ x509_main(int argc, char **argv)
945	for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {	954	for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {
946	x509_config.objtmp = sk_ASN1_OBJECT_value(	955	x509_config.objtmp = sk_ASN1_OBJECT_value(
947	x509_config.trust, i);	956	x509_config.trust, i);
948	X509_add1_trust_object(x, x509_config.objtmp);	957	if (!X509_add1_trust_object(x, x509_config.objtmp))
		958	goto end;
949	}	959	}
950	}	960	}
951	if (x509_config.reject != NULL) {	961	if (x509_config.reject != NULL) {
952	for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {	962	for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {
953	x509_config.objtmp = sk_ASN1_OBJECT_value(	963	x509_config.objtmp = sk_ASN1_OBJECT_value(
954	x509_config.reject, i);	964	x509_config.reject, i);
955	X509_add1_reject_object(x, x509_config.objtmp);	965	if (!X509_add1_reject_object(x, x509_config.objtmp))
		966	goto end;
956	}	967	}
957	}	968	}
958	if (x509_config.num) {	969	if (x509_config.num) {
@@ -974,6 +985,8 @@ x509_main(int argc, char **argv)
974	BIGNUM *bnser;	985	BIGNUM *bnser;
975	ASN1_INTEGER *ser;	986	ASN1_INTEGER *ser;
976	ser = X509_get_serialNumber(x);	987	ser = X509_get_serialNumber(x);
		988	if (ser == NULL)
		989	goto end;
977	bnser = ASN1_INTEGER_to_BN(ser, NULL);	990	bnser = ASN1_INTEGER_to_BN(ser, NULL);
978	if (bnser == NULL)	991	if (bnser == NULL)
979	goto end;	992	goto end;
@@ -1075,14 +1088,21 @@ x509_main(int argc, char **argv)
1075	char *m;	1088	char *m;
1076	int y, z;	1089	int y, z;
1077		1090
1078	X509_NAME_oneline(X509_get_subject_name(x),	1091	m = X509_NAME_oneline(X509_get_subject_name(x),
1079	buf, sizeof buf);	1092	buf, sizeof buf);
		1093	if (m == NULL)
		1094	goto end;
1080	BIO_printf(STDout, "/* subject:%s */\n", buf);	1095	BIO_printf(STDout, "/* subject:%s */\n", buf);
1081	m = X509_NAME_oneline(X509_get_issuer_name(x),	1096	m = X509_NAME_oneline(X509_get_issuer_name(x),
1082	buf, sizeof buf);	1097	buf, sizeof buf);
		1098	if (m == NULL)
		1099	goto end;
1083	BIO_printf(STDout, "/* issuer :%s */\n", buf);	1100	BIO_printf(STDout, "/* issuer :%s */\n", buf);
1084		1101
1085	z = i2d_X509(x, NULL);	1102	z = i2d_X509(x, NULL);
		1103	if (z < 0)
		1104	goto end;
		1105
1086	m = malloc(z);	1106	m = malloc(z);
1087	if (m == NULL) {	1107	if (m == NULL) {
1088	BIO_printf(bio_err, "out of mem\n");	1108	BIO_printf(bio_err, "out of mem\n");
@@ -1091,6 +1111,10 @@ x509_main(int argc, char **argv)
1091		1111
1092	d = (unsigned char *) m;	1112	d = (unsigned char *) m;
1093	z = i2d_X509_NAME(X509_get_subject_name(x), &d);	1113	z = i2d_X509_NAME(X509_get_subject_name(x), &d);
		1114	if (z < 0) {
		1115	free(m);
		1116	goto end;
		1117	}
1094	BIO_printf(STDout,	1118	BIO_printf(STDout,
1095	"unsigned char XXX_subject_name[%d]={\n", z);	1119	"unsigned char XXX_subject_name[%d]={\n", z);
1096	d = (unsigned char *) m;	1120	d = (unsigned char *) m;
@@ -1104,6 +1128,10 @@ x509_main(int argc, char **argv)
1104	BIO_printf(STDout, "};\n");	1128	BIO_printf(STDout, "};\n");
1105		1129
1106	z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);	1130	z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
		1131	if (z < 0) {
		1132	free(m);
		1133	goto end;
		1134	}
1107	BIO_printf(STDout,	1135	BIO_printf(STDout,
1108	"unsigned char XXX_public_key[%d]={\n", z);	1136	"unsigned char XXX_public_key[%d]={\n", z);
1109	d = (unsigned char *) m;	1137	d = (unsigned char *) m;
@@ -1117,6 +1145,10 @@ x509_main(int argc, char **argv)
1117	BIO_printf(STDout, "};\n");	1145	BIO_printf(STDout, "};\n");
1118		1146
1119	z = i2d_X509(x, &d);	1147	z = i2d_X509(x, &d);
		1148	if (z < 0) {
		1149	free(m);
		1150	goto end;
		1151	}
1120	BIO_printf(STDout,	1152	BIO_printf(STDout,
1121	"unsigned char XXX_certificate[%d]={\n", z);	1153	"unsigned char XXX_certificate[%d]={\n", z);
1122	d = (unsigned char *) m;	1154	d = (unsigned char *) m;
@@ -1131,8 +1163,9 @@ x509_main(int argc, char **argv)
1131		1163
1132	free(m);	1164	free(m);
1133	} else if (x509_config.text == i) {	1165	} else if (x509_config.text == i) {
1134	X509_print_ex(STDout, x, x509_config.nmflag,	1166	if(!X509_print_ex(STDout, x, x509_config.nmflag,
1135	x509_config.certflag);	1167	x509_config.certflag))
		1168	goto end;
1136	} else if (x509_config.startdate == i) {	1169	} else if (x509_config.startdate == i) {
1137	ASN1_TIME *nB = X509_get_notBefore(x);	1170	ASN1_TIME *nB = X509_get_notBefore(x);
1138	BIO_puts(STDout, "notBefore=");	1171	BIO_puts(STDout, "notBefore=");
@@ -1235,12 +1268,15 @@ x509_main(int argc, char **argv)
1235	goto end;	1268	goto end;
1236	}	1269	}
1237	if (!x509_config.noout) {	1270	if (!x509_config.noout) {
1238	X509_REQ_print(out, rq);	1271	if (!X509_REQ_print(out, rq))
1239	PEM_write_bio_X509_REQ(out, rq);	1272	goto end;
		1273	if (!PEM_write_bio_X509_REQ(out, rq))
		1274	goto end;
1240	}	1275	}
1241	x509_config.noout = 1;	1276	x509_config.noout = 1;
1242	} else if (x509_config.ocspid == i) {	1277	} else if (x509_config.ocspid == i) {
1243	X509_ocspid_print(out, x);	1278	if (!X509_ocspid_print(out, x))
		1279	goto end;
1244	}	1280	}
1245	}	1281	}
1246	}	1282	}
@@ -1369,6 +1405,8 @@ x509_certify(X509_STORE ctx, char CAfile, const EVP_MD digest, X509 x,
1369	EVP_PKEY *upkey;	1405	EVP_PKEY *upkey;
1370		1406
1371	upkey = X509_get_pubkey(xca);	1407	upkey = X509_get_pubkey(xca);
		1408	if (upkey == NULL)
		1409	goto end;
1372	EVP_PKEY_copy_parameters(upkey, pkey);	1410	EVP_PKEY_copy_parameters(upkey, pkey);
1373	EVP_PKEY_free(upkey);	1411	EVP_PKEY_free(upkey);
1374		1412
@@ -1410,12 +1448,15 @@ x509_certify(X509_STORE ctx, char CAfile, const EVP_MD digest, X509 x,
1410	goto end;	1448	goto end;
1411		1449
1412	if (clrext) {	1450	if (clrext) {
1413	while (X509_get_ext_count(x) > 0)	1451	while (X509_get_ext_count(x) > 0) {
1414	X509_delete_ext(x, 0);	1452	if (X509_delete_ext(x, 0) == NULL)
		1453	goto end;
		1454	}
1415	}	1455	}
1416	if (conf != NULL) {	1456	if (conf != NULL) {
1417	X509V3_CTX ctx2;	1457	X509V3_CTX ctx2;
1418	X509_set_version(x, 2); /* version 3 certificate */	1458	if (!X509_set_version(x, 2)) /* version 3 certificate */
		1459	goto end;
1419	X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);	1460	X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
1420	X509V3_set_nconf(&ctx2, conf);	1461	X509V3_set_nconf(&ctx2, conf);
1421	if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))	1462	if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1423,6 +1464,7 @@ x509_certify(X509_STORE ctx, char CAfile, const EVP_MD digest, X509 x,
1423	}	1464	}
1424	if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))	1465	if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))
1425	goto end;	1466	goto end;
		1467
1426	ret = 1;	1468	ret = 1;
1427	end:	1469	end:
1428	X509_STORE_CTX_cleanup(&xsc);	1470	X509_STORE_CTX_cleanup(&xsc);
@@ -1476,6 +1518,8 @@ sign(X509 x, EVP_PKEY pkey, int days, int clrext, const EVP_MD *digest,
1476	EVP_PKEY *pktmp;	1518	EVP_PKEY *pktmp;
1477		1519
1478	pktmp = X509_get_pubkey(x);	1520	pktmp = X509_get_pubkey(x);
		1521	if (pktmp == NULL)
		1522	goto err;
1479	EVP_PKEY_copy_parameters(pktmp, pkey);	1523	EVP_PKEY_copy_parameters(pktmp, pkey);
1480	EVP_PKEY_save_parameters(pktmp, 1);	1524	EVP_PKEY_save_parameters(pktmp, 1);
1481	EVP_PKEY_free(pktmp);	1525	EVP_PKEY_free(pktmp);
@@ -1496,12 +1540,15 @@ sign(X509 x, EVP_PKEY pkey, int days, int clrext, const EVP_MD *digest,
1496	if (!X509_set_pubkey(x, pkey))	1540	if (!X509_set_pubkey(x, pkey))
1497	goto err;	1541	goto err;
1498	if (clrext) {	1542	if (clrext) {
1499	while (X509_get_ext_count(x) > 0)	1543	while (X509_get_ext_count(x) > 0) {
1500	X509_delete_ext(x, 0);	1544	if (X509_delete_ext(x, 0) == NULL)
		1545	goto err;
		1546	}
1501	}	1547	}
1502	if (conf != NULL) {	1548	if (conf != NULL) {
1503	X509V3_CTX ctx;	1549	X509V3_CTX ctx;
1504	X509_set_version(x, 2); /* version 3 certificate */	1550	if (!X509_set_version(x, 2)) /* version 3 certificate */
		1551	goto err;
1505	X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);	1552	X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
1506	X509V3_set_nconf(&ctx, conf);	1553	X509V3_set_nconf(&ctx, conf);
1507	if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))	1554	if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))