summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/smime.c116
1 files changed, 74 insertions, 42 deletions
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index 9b8ffc2d33..1a82d06865 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: smime.c,v 1.15 2022/01/11 15:45:00 inoguchi Exp $ */ 1/* $OpenBSD: smime.c,v 1.16 2022/01/11 16:06:48 inoguchi Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project. 3 * project.
4 */ 4 */
@@ -740,46 +740,56 @@ smime_main(int argc, char **argv)
740 args = argv + argsused; 740 args = argv + argsused;
741 ret = 1; 741 ret = 1;
742 742
743 if (!(smime_config.operation & SMIME_SIGNERS) && (smime_config.skkeys != NULL || smime_config.sksigners != NULL)) { 743 if (!(smime_config.operation & SMIME_SIGNERS) &&
744 (smime_config.skkeys != NULL || smime_config.sksigners != NULL)) {
744 BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); 745 BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
745 goto argerr; 746 goto argerr;
746 } 747 }
747 if (smime_config.operation & SMIME_SIGNERS) { 748 if (smime_config.operation & SMIME_SIGNERS) {
748 /* Check to see if any final signer needs to be appended */ 749 /* Check to see if any final signer needs to be appended */
749 if (smime_config.keyfile != NULL && smime_config.signerfile == NULL) { 750 if (smime_config.keyfile != NULL &&
751 smime_config.signerfile == NULL) {
750 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 752 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
751 goto argerr; 753 goto argerr;
752 } 754 }
753 if (smime_config.signerfile != NULL) { 755 if (smime_config.signerfile != NULL) {
754 if (smime_config.sksigners == NULL) { 756 if (smime_config.sksigners == NULL) {
755 if ((smime_config.sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 757 if ((smime_config.sksigners =
758 sk_OPENSSL_STRING_new_null()) == NULL)
756 goto end; 759 goto end;
757 } 760 }
758 if (!sk_OPENSSL_STRING_push(smime_config.sksigners, smime_config.signerfile)) 761 if (!sk_OPENSSL_STRING_push(smime_config.sksigners,
762 smime_config.signerfile))
759 goto end; 763 goto end;
760 if (smime_config.skkeys == NULL) { 764 if (smime_config.skkeys == NULL) {
761 if ((smime_config.skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 765 if ((smime_config.skkeys =
766 sk_OPENSSL_STRING_new_null()) == NULL)
762 goto end; 767 goto end;
763 } 768 }
764 if (smime_config.keyfile == NULL) 769 if (smime_config.keyfile == NULL)
765 smime_config.keyfile = smime_config.signerfile; 770 smime_config.keyfile = smime_config.signerfile;
766 if (!sk_OPENSSL_STRING_push(smime_config.skkeys, smime_config.keyfile)) 771 if (!sk_OPENSSL_STRING_push(smime_config.skkeys,
772 smime_config.keyfile))
767 goto end; 773 goto end;
768 } 774 }
769 if (smime_config.sksigners == NULL) { 775 if (smime_config.sksigners == NULL) {
770 BIO_printf(bio_err, "No signer certificate specified\n"); 776 BIO_printf(bio_err,
777 "No signer certificate specified\n");
771 badarg = 1; 778 badarg = 1;
772 } 779 }
773 smime_config.signerfile = NULL; 780 smime_config.signerfile = NULL;
774 smime_config.keyfile = NULL; 781 smime_config.keyfile = NULL;
775 } else if (smime_config.operation == SMIME_DECRYPT) { 782 } else if (smime_config.operation == SMIME_DECRYPT) {
776 if (smime_config.recipfile == NULL && smime_config.keyfile == NULL) { 783 if (smime_config.recipfile == NULL &&
777 BIO_printf(bio_err, "No recipient certificate or key specified\n"); 784 smime_config.keyfile == NULL) {
785 BIO_printf(bio_err,
786 "No recipient certificate or key specified\n");
778 badarg = 1; 787 badarg = 1;
779 } 788 }
780 } else if (smime_config.operation == SMIME_ENCRYPT) { 789 } else if (smime_config.operation == SMIME_ENCRYPT) {
781 if (*args == NULL) { 790 if (*args == NULL) {
782 BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); 791 BIO_printf(bio_err,
792 "No recipient(s) certificate(s) specified\n");
783 badarg = 1; 793 badarg = 1;
784 } 794 }
785 } else if (!smime_config.operation) { 795 } else if (!smime_config.operation) {
@@ -840,15 +850,16 @@ smime_main(int argc, char **argv)
840 } 850 }
841 } 851 }
842 if (smime_config.certfile != NULL) { 852 if (smime_config.certfile != NULL) {
843 if ((other = load_certs(bio_err, smime_config.certfile, FORMAT_PEM, NULL, 853 if ((other = load_certs(bio_err, smime_config.certfile,
844 "certificate file")) == NULL) { 854 FORMAT_PEM, NULL, "certificate file")) == NULL) {
845 ERR_print_errors(bio_err); 855 ERR_print_errors(bio_err);
846 goto end; 856 goto end;
847 } 857 }
848 } 858 }
849 if (smime_config.recipfile != NULL && (smime_config.operation == SMIME_DECRYPT)) { 859 if (smime_config.recipfile != NULL &&
850 if ((recip = load_cert(bio_err, smime_config.recipfile, FORMAT_PEM, NULL, 860 (smime_config.operation == SMIME_DECRYPT)) {
851 "recipient certificate file")) == NULL) { 861 if ((recip = load_cert(bio_err, smime_config.recipfile,
862 FORMAT_PEM, NULL, "recipient certificate file")) == NULL) {
852 ERR_print_errors(bio_err); 863 ERR_print_errors(bio_err);
853 goto end; 864 goto end;
854 } 865 }
@@ -864,8 +875,8 @@ smime_main(int argc, char **argv)
864 } 875 }
865 876
866 if (smime_config.keyfile != NULL) { 877 if (smime_config.keyfile != NULL) {
867 key = load_key(bio_err, smime_config.keyfile, smime_config.keyform, 0, passin, 878 key = load_key(bio_err, smime_config.keyfile,
868 "signing key file"); 879 smime_config.keyform, 0, passin, "signing key file");
869 if (key == NULL) 880 if (key == NULL)
870 goto end; 881 goto end;
871 } 882 }
@@ -888,7 +899,8 @@ smime_main(int argc, char **argv)
888 else if (smime_config.informat == FORMAT_ASN1) 899 else if (smime_config.informat == FORMAT_ASN1)
889 p7 = d2i_PKCS7_bio(in, NULL); 900 p7 = d2i_PKCS7_bio(in, NULL);
890 else { 901 else {
891 BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); 902 BIO_printf(bio_err,
903 "Bad input format for PKCS#7 file\n");
892 goto end; 904 goto end;
893 } 905 }
894 906
@@ -898,8 +910,11 @@ smime_main(int argc, char **argv)
898 } 910 }
899 if (smime_config.contfile != NULL) { 911 if (smime_config.contfile != NULL) {
900 BIO_free(indata); 912 BIO_free(indata);
901 if ((indata = BIO_new_file(smime_config.contfile, "rb")) == NULL) { 913 if ((indata = BIO_new_file(smime_config.contfile,
902 BIO_printf(bio_err, "Can't read content file %s\n", smime_config.contfile); 914 "rb")) == NULL) {
915 BIO_printf(bio_err,
916 "Can't read content file %s\n",
917 smime_config.contfile);
903 goto end; 918 goto end;
904 } 919 }
905 } 920 }
@@ -907,7 +922,8 @@ smime_main(int argc, char **argv)
907 if (smime_config.outfile != NULL) { 922 if (smime_config.outfile != NULL) {
908 if ((out = BIO_new_file(smime_config.outfile, outmode)) == NULL) { 923 if ((out = BIO_new_file(smime_config.outfile, outmode)) == NULL) {
909 BIO_printf(bio_err, 924 BIO_printf(bio_err,
910 "Can't open output file %s\n", smime_config.outfile); 925 "Can't open output file %s\n",
926 smime_config.outfile);
911 goto end; 927 goto end;
912 } 928 }
913 } else { 929 } else {
@@ -916,7 +932,8 @@ smime_main(int argc, char **argv)
916 } 932 }
917 933
918 if (smime_config.operation == SMIME_VERIFY) { 934 if (smime_config.operation == SMIME_VERIFY) {
919 if ((store = setup_verify(bio_err, smime_config.CAfile, smime_config.CApath)) == NULL) 935 if ((store = setup_verify(bio_err, smime_config.CAfile,
936 smime_config.CApath)) == NULL)
920 goto end; 937 goto end;
921 X509_STORE_set_verify_cb(store, smime_cb); 938 X509_STORE_set_verify_cb(store, smime_cb);
922 if (smime_config.vpm != NULL) { 939 if (smime_config.vpm != NULL) {
@@ -929,7 +946,8 @@ smime_main(int argc, char **argv)
929 if (smime_config.operation == SMIME_ENCRYPT) { 946 if (smime_config.operation == SMIME_ENCRYPT) {
930 if (smime_config.indef) 947 if (smime_config.indef)
931 smime_config.flags |= PKCS7_STREAM; 948 smime_config.flags |= PKCS7_STREAM;
932 p7 = PKCS7_encrypt(encerts, in, smime_config.cipher, smime_config.flags); 949 p7 = PKCS7_encrypt(encerts, in, smime_config.cipher,
950 smime_config.flags);
933 } else if (smime_config.operation & SMIME_SIGNERS) { 951 } else if (smime_config.operation & SMIME_SIGNERS) {
934 int i; 952 int i;
935 /* 953 /*
@@ -944,25 +962,29 @@ smime_main(int argc, char **argv)
944 smime_config.flags |= PKCS7_STREAM; 962 smime_config.flags |= PKCS7_STREAM;
945 } 963 }
946 smime_config.flags |= PKCS7_PARTIAL; 964 smime_config.flags |= PKCS7_PARTIAL;
947 p7 = PKCS7_sign(NULL, NULL, other, in, smime_config.flags); 965 p7 = PKCS7_sign(NULL, NULL, other, in,
966 smime_config.flags);
948 if (p7 == NULL) 967 if (p7 == NULL)
949 goto end; 968 goto end;
950 } else { 969 } else {
951 smime_config.flags |= PKCS7_REUSE_DIGEST; 970 smime_config.flags |= PKCS7_REUSE_DIGEST;
952 } 971 }
953 for (i = 0; i < sk_OPENSSL_STRING_num(smime_config.sksigners); i++) { 972 for (i = 0; i < sk_OPENSSL_STRING_num(smime_config.sksigners); i++) {
954 smime_config.signerfile = sk_OPENSSL_STRING_value(smime_config.sksigners, i); 973 smime_config.signerfile =
955 smime_config.keyfile = sk_OPENSSL_STRING_value(smime_config.skkeys, i); 974 sk_OPENSSL_STRING_value(smime_config.sksigners, i);
956 signer = load_cert(bio_err, smime_config.signerfile, FORMAT_PEM, NULL, 975 smime_config.keyfile =
957 "signer certificate"); 976 sk_OPENSSL_STRING_value(smime_config.skkeys, i);
977 signer = load_cert(bio_err, smime_config.signerfile,
978 FORMAT_PEM, NULL, "signer certificate");
958 if (signer == NULL) 979 if (signer == NULL)
959 goto end; 980 goto end;
960 key = load_key(bio_err, smime_config.keyfile, smime_config.keyform, 0, passin, 981 key = load_key(bio_err, smime_config.keyfile,
982 smime_config.keyform, 0, passin,
961 "signing key file"); 983 "signing key file");
962 if (key == NULL) 984 if (key == NULL)
963 goto end; 985 goto end;
964 if (PKCS7_sign_add_signer(p7, signer, key, 986 if (PKCS7_sign_add_signer(p7, signer, key,
965 smime_config.sign_md, smime_config.flags) == NULL) 987 smime_config.sign_md, smime_config.flags) == NULL)
966 goto end; 988 goto end;
967 X509_free(signer); 989 X509_free(signer);
968 signer = NULL; 990 signer = NULL;
@@ -970,7 +992,8 @@ smime_main(int argc, char **argv)
970 key = NULL; 992 key = NULL;
971 } 993 }
972 /* If not streaming or resigning finalize structure */ 994 /* If not streaming or resigning finalize structure */
973 if ((smime_config.operation == SMIME_SIGN) && !(smime_config.flags & PKCS7_STREAM)) { 995 if ((smime_config.operation == SMIME_SIGN) &&
996 !(smime_config.flags & PKCS7_STREAM)) {
974 if (!PKCS7_final(p7, in, smime_config.flags)) 997 if (!PKCS7_final(p7, in, smime_config.flags))
975 goto end; 998 goto end;
976 } 999 }
@@ -980,20 +1003,24 @@ smime_main(int argc, char **argv)
980 goto end; 1003 goto end;
981 } 1004 }
982 ret = 4; 1005 ret = 4;
1006
983 if (smime_config.operation == SMIME_DECRYPT) { 1007 if (smime_config.operation == SMIME_DECRYPT) {
984 if (!PKCS7_decrypt(p7, key, recip, out, smime_config.flags)) { 1008 if (!PKCS7_decrypt(p7, key, recip, out, smime_config.flags)) {
985 BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n"); 1009 BIO_printf(bio_err,
1010 "Error decrypting PKCS#7 structure\n");
986 goto end; 1011 goto end;
987 } 1012 }
988 } else if (smime_config.operation == SMIME_VERIFY) { 1013 } else if (smime_config.operation == SMIME_VERIFY) {
989 STACK_OF(X509) *signers; 1014 STACK_OF(X509) *signers;
990 if (PKCS7_verify(p7, other, store, indata, out, smime_config.flags)) { 1015 if (PKCS7_verify(p7, other, store, indata, out,
1016 smime_config.flags)) {
991 BIO_printf(bio_err, "Verification successful\n"); 1017 BIO_printf(bio_err, "Verification successful\n");
992 } else { 1018 } else {
993 BIO_printf(bio_err, "Verification failure\n"); 1019 BIO_printf(bio_err, "Verification failure\n");
994 goto end; 1020 goto end;
995 } 1021 }
996 if ((signers = PKCS7_get0_signers(p7, other, smime_config.flags)) == NULL) 1022 if ((signers = PKCS7_get0_signers(p7, other,
1023 smime_config.flags)) == NULL)
997 goto end; 1024 goto end;
998 if (!save_certs(smime_config.signerfile, signers)) { 1025 if (!save_certs(smime_config.signerfile, signers)) {
999 BIO_printf(bio_err, "Error writing signers to %s\n", 1026 BIO_printf(bio_err, "Error writing signers to %s\n",
@@ -1013,20 +1040,25 @@ smime_main(int argc, char **argv)
1013 BIO_printf(out, "Subject: %s\n", smime_config.subject); 1040 BIO_printf(out, "Subject: %s\n", smime_config.subject);
1014 if (smime_config.outformat == FORMAT_SMIME) { 1041 if (smime_config.outformat == FORMAT_SMIME) {
1015 if (smime_config.operation == SMIME_RESIGN) { 1042 if (smime_config.operation == SMIME_RESIGN) {
1016 if (!SMIME_write_PKCS7(out, p7, indata, smime_config.flags)) 1043 if (!SMIME_write_PKCS7(out, p7, indata,
1044 smime_config.flags))
1017 goto end; 1045 goto end;
1018 } else { 1046 } else {
1019 if (!SMIME_write_PKCS7(out, p7, in, smime_config.flags)) 1047 if (!SMIME_write_PKCS7(out, p7, in,
1048 smime_config.flags))
1020 goto end; 1049 goto end;
1021 } 1050 }
1022 } else if (smime_config.outformat == FORMAT_PEM) { 1051 } else if (smime_config.outformat == FORMAT_PEM) {
1023 if (!PEM_write_bio_PKCS7_stream(out, p7, in, smime_config.flags)) 1052 if (!PEM_write_bio_PKCS7_stream(out, p7, in,
1053 smime_config.flags))
1024 goto end; 1054 goto end;
1025 } else if (smime_config.outformat == FORMAT_ASN1) { 1055 } else if (smime_config.outformat == FORMAT_ASN1) {
1026 if (!i2d_PKCS7_bio_stream(out, p7, in, smime_config.flags)) 1056 if (!i2d_PKCS7_bio_stream(out, p7, in,
1057 smime_config.flags))
1027 goto end; 1058 goto end;
1028 } else { 1059 } else {
1029 BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); 1060 BIO_printf(bio_err,
1061 "Bad output format for PKCS#7 file\n");
1030 goto end; 1062 goto end;
1031 } 1063 }
1032 } 1064 }
@@ -1081,8 +1113,8 @@ smime_cb(int ok, X509_STORE_CTX *ctx)
1081 1113
1082 error = X509_STORE_CTX_get_error(ctx); 1114 error = X509_STORE_CTX_get_error(ctx);
1083 1115
1084 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) 1116 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
1085 && ((error != X509_V_OK) || (ok != 2))) 1117 ((error != X509_V_OK) || (ok != 2)))
1086 return ok; 1118 return ok;
1087 1119
1088 policies_print(NULL, ctx); 1120 policies_print(NULL, ctx);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-01 07:50:23 +0000