From 99e959b3452e5b44dc52e0e6e87b7e4ec42147af Mon Sep 17 00:00:00 2001 From: tb <> Date: Thu, 3 Feb 2022 17:44:04 +0000 Subject: Use X509_*get0_pubkey() wherever possible to simplify and clean up the code. Also add error checking where possible. ok jsing --- src/usr.bin/openssl/ca.c | 20 ++++++-------------- src/usr.bin/openssl/req.c | 32 +++++++++++++------------------- src/usr.bin/openssl/s_client.c | 6 +++--- 3 files changed, 22 insertions(+), 36 deletions(-) diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c index c711f8b4b2..bbc5403e3c 100644 --- a/src/usr.bin/openssl/ca.c +++ b/src/usr.bin/openssl/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.52 2021/11/21 22:34:30 tb Exp $ */ +/* $OpenBSD: ca.c,v 1.53 2022/02/03 17:44:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1633,12 +1633,11 @@ certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ok = 0; goto err; } - if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) { + if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto err; } i = X509_REQ_verify(req, pktmp); - EVP_PKEY_free(pktmp); if (i < 0) { ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); @@ -1688,12 +1687,11 @@ certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "Check that the request matches the signature\n"); - if ((pktmp = X509_get_pubkey(req)) == NULL) { + if ((pktmp = X509_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto err; } i = X509_verify(req, pktmp); - EVP_PKEY_free(pktmp); if (i < 0) { ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); 
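Review bot: In certify(), pktmp now aliases the key object owned by req (X509_REQ_get0_pubkey() hands out a borrowed pointer), so it must not be used after req is released; the same holds for certify_cert() in the next hunk and for the do_body(), req_main() and print_stuff() hunks in ca.c, req.c and s_client.c further down. Both functions continue past the hunk to an err label that is not shown, so a short comment at the assignment would record the new contract: `/* pktmp is owned by req: do not free it, do not use it after X509_REQ_free(req) */`. Separately, the NULL-key path does `goto err` without touching ok, while the neighbouring failure paths use `ok = 0; goto err;`; ok's initial value and the err label are outside the hunk, so I cannot tell whether the caller sees a different result, but it is worth confirming the three paths agree.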
@@ -1997,13 +1995,10 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, if (!X509_set_subject_name(ret, subject)) goto err; - pktmp = X509_REQ_get_pubkey(req); - if (pktmp == NULL) + if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) goto err; - i = X509_set_pubkey(ret, pktmp); - EVP_PKEY_free(pktmp); - if (!i) + if (!X509_set_pubkey(ret, pktmp)) goto err; /* Lets add the extensions, if there are any */ @@ -2226,18 +2221,15 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, } } - pktmp = X509_get_pubkey(ret); - if (pktmp == NULL) + if ((pktmp = X509_get0_pubkey(ret)) == NULL) goto err; if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) { if (!EVP_PKEY_copy_parameters(pktmp, pkey)) { - EVP_PKEY_free(pktmp); goto err; } } - EVP_PKEY_free(pktmp); if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts)) goto err; diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c index a1190304a0..6d74ca0e36 100644 --- a/src/usr.bin/openssl/req.c +++ b/src/usr.bin/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.22 2021/12/12 20:42:37 tb Exp $ */ +/* $OpenBSD: req.c,v 1.23 2022/02/03 17:44:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -879,6 +879,7 @@ req_main(int argc, char **argv) } if (req_config.x509) { EVP_PKEY *tmppkey; + X509V3_CTX ext_ctx; if ((x509ss = X509_new()) == NULL) goto end; @@ -904,10 +905,10 @@ req_main(int argc, char **argv) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; - tmppkey = X509_REQ_get_pubkey(req); - if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) + if ((tmppkey = X509_REQ_get0_pubkey(req)) == NULL) + goto end; + if (!X509_set_pubkey(x509ss, tmppkey)) goto end; - EVP_PKEY_free(tmppkey); /* Set up V3 context struct */ 
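Review bot: In do_body(), EVP_PKEY_copy_parameters(pktmp, pkey) now writes through a borrowed pointer into the key object held by ret, so the CA key's parameters are installed directly on the certificate about to be signed; that was already the effect with the up-ref'd pointer, but it is no longer visible from the code and deserves a comment such as `/* pktmp is ret's own key: inherit the CA's parameters in place before signing */`. With EVP_PKEY_free() gone, the braces around the single remaining `goto err;` are left over and could be reduced to `if (!EVP_PKEY_copy_parameters(pktmp, pkey))` followed by `goto err;`, matching the goto err lines just above. do_body() starts and ends outside the hunk.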
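Review bot: The `X509V3_CTX ext_ctx;` added inside the `if (req_config.x509)` block has no matching removal anywhere in this diff, yet the "Set up V3 context struct" code that uses ext_ctx (outside this hunk) already compiled before the change, so it presumably relied on a declaration in an enclosing scope that the new local now shadows. If that is the case, keep a single ext_ctx (drop the new line or the outer declaration) so the two uses cannot silently refer to different objects; -Wshadow would flag the current form. I cannot see the earlier declaration from here, so this needs confirming against the full file.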
@@ -984,19 +985,13 @@ req_main(int argc, char **argv) } } if (req_config.verify && !req_config.x509) { - int tmp = 0; + EVP_PKEY *pubkey = pkey; - if (pkey == NULL) { - pkey = X509_REQ_get_pubkey(req); - tmp = 1; - if (pkey == NULL) - goto end; - } - i = X509_REQ_verify(req, pkey); - if (tmp) { - EVP_PKEY_free(pkey); - pkey = NULL; - } + if (pubkey == NULL) + pubkey = X509_REQ_get0_pubkey(req); + if (pubkey == NULL) + goto end; + i = X509_REQ_verify(req, pubkey); if (i < 0) { goto end; } else if (i == 0) { @@ -1024,14 +1019,13 @@ req_main(int argc, char **argv) if (req_config.pubkey) { EVP_PKEY *tpubkey; - tpubkey = X509_REQ_get_pubkey(req); - if (tpubkey == NULL) { + + if ((tpubkey = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, tpubkey); - EVP_PKEY_free(tpubkey); } if (req_config.text) { if (req_config.x509) diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index da6ef088b8..15ebb0c0a7 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */ +/* $OpenBSD: s_client.c,v 1.58 2022/02/03 17:44:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1772,10 +1772,10 @@ print_stuff(BIO *bio, SSL *s, int full) SSL_CIPHER_get_name(c)); if (peer != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(peer); + + pktmp = X509_get0_pubkey(peer); BIO_printf(bio, "Server public key is %d bit\n", EVP_PKEY_bits(pktmp)); - EVP_PKEY_free(pktmp); } BIO_printf(bio, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); -- cgit v1.2.3-55-g6feb
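Review bot: In req_main(), when no key was supplied the request is verified against the public key embedded in the request itself, i.e. this is a self-signature (proof-of-possession) check rather than authentication of the requester; the new pubkey variable makes that path easier to follow, but a comment would make the intent explicit: `/* no key given: check the request's self-signature with its own embedded key */`. The `goto end` on a NULL pubkey is silent, whereas the -pubkey branch later in the same file prints "Error getting public key" and dumps the error queue; adding `BIO_printf(bio_err, "Error getting public key\n");` before the goto would keep the two failure paths consistent. req_main() continues outside the hunk, so how the end label reports the failure is not visible here.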
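Review bot: The commit adds error checking to the key lookup in the -pubkey branch, but `PEM_write_bio_PUBKEY(out, tpubkey);` on the line right after the new check is still unchecked, so a failed write (closed or full output BIO) is reported as success. `if (!PEM_write_bio_PUBKEY(out, tpubkey)) goto end;` would cover it, in line with the other goto end failures in this block.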
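Review bot: In print_stuff(), `pktmp = X509_get0_pubkey(peer);` is used without a NULL check, although X509_get0_pubkey() can return NULL when the peer certificate's key cannot be decoded; EVP_PKEY_bits() presumably tolerates NULL and would then print "0 bit", which misreports the server key instead of flagging the problem. Guarding the printf with `if ((pktmp = X509_get0_pubkey(peer)) != NULL)` and printing a short "unable to get server public key" line in the else branch would make the output honest. The rest of print_stuff() is outside the hunk.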