Fix to the -revoke option in ca. It was leaking memory, crashing and just
plain not working :-( Also fix some memory leaks in the new X509_NAME code. Fix so new app_rand code doesn't crash 'x509' and move #include so it compiles under Win32.
parent
ce1b4fe146
commit
a0ad17bb6c
4
CHANGES
4
CHANGES
@ -4,6 +4,10 @@
|
||||
|
||||
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
|
||||
|
||||
*) Fix the -revoke option in ca. It was freeing up memory twice,
|
||||
leaking and not finding already revoked certificates.
|
||||
[Steve Henson]
|
||||
|
||||
*) Extensive changes to support certificate auxiliary information.
|
||||
This involves the use of X509_CERT_AUX structure and X509_AUX
|
||||
functions. An X509_AUX function such as PEM_read_X509_AUX()
|
||||
|
@ -109,10 +109,10 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
#include "apps.h"
|
||||
|
||||
static int seeded = 0;
|
||||
|
||||
|
54
apps/ca.c
54
apps/ca.c
@ -1169,13 +1169,6 @@ bad:
|
||||
/*****************************************************************/
|
||||
if (dorevoke)
|
||||
{
|
||||
in=BIO_new(BIO_s_file());
|
||||
out=BIO_new(BIO_s_file());
|
||||
if ((in == NULL) || (out == NULL))
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
goto err;
|
||||
}
|
||||
if (infile == NULL)
|
||||
{
|
||||
BIO_printf(bio_err,"no input files\n");
|
||||
@ -1183,19 +1176,22 @@ bad:
|
||||
}
|
||||
else
|
||||
{
|
||||
X509 *revcert;
|
||||
if (BIO_read_filename(in,infile) <= 0)
|
||||
{
|
||||
perror(infile);
|
||||
BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
|
||||
goto err;
|
||||
}
|
||||
x509=PEM_read_bio_X509(in,NULL,NULL,NULL);
|
||||
if (x509 == NULL)
|
||||
revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
|
||||
if (revcert == NULL)
|
||||
{
|
||||
BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
|
||||
goto err;
|
||||
}
|
||||
j=do_revoke(x509,db);
|
||||
j=do_revoke(revcert,db);
|
||||
if (j <= 0) goto err;
|
||||
X509_free(revcert);
|
||||
|
||||
strncpy(buf[0],dbfile,BSIZE-4);
|
||||
strcat(buf[0],".new");
|
||||
@ -1207,10 +1203,6 @@ bad:
|
||||
}
|
||||
j=TXT_DB_write(out,db);
|
||||
if (j <= 0) goto err;
|
||||
BIO_free(in);
|
||||
BIO_free(out);
|
||||
in=NULL;
|
||||
out=NULL;
|
||||
strncpy(buf[1],dbfile,BSIZE-4);
|
||||
strcat(buf[1],".old");
|
||||
if (rename(dbfile,buf[1]) < 0)
|
||||
@ -2143,20 +2135,26 @@ static int add_oid_section(LHASH *hconf)
|
||||
|
||||
static int do_revoke(X509 *x509, TXT_DB *db)
|
||||
{
|
||||
ASN1_UTCTIME *tm=NULL;
|
||||
ASN1_UTCTIME *tm=NULL, *revtm=NULL;
|
||||
char *row[DB_NUMBER],**rrow,**irow;
|
||||
BIGNUM *bn = NULL;
|
||||
int ok=-1,i;
|
||||
|
||||
for (i=0; i<DB_NUMBER; i++)
|
||||
row[i]=NULL;
|
||||
row[DB_name]=X509_NAME_oneline(x509->cert_info->subject,NULL,0);
|
||||
row[DB_serial]=BN_bn2hex(ASN1_INTEGER_to_BN(x509->cert_info->serialNumber,NULL));
|
||||
row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
|
||||
bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
|
||||
row[DB_serial]=BN_bn2hex(bn);
|
||||
BN_free(bn);
|
||||
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
|
||||
{
|
||||
BIO_printf(bio_err,"Malloc failure\n");
|
||||
goto err;
|
||||
}
|
||||
rrow=TXT_DB_get_by_index(db,DB_name,row);
|
||||
/* We have to lookup by serial number because name lookup
|
||||
* skips revoked certs
|
||||
*/
|
||||
rrow=TXT_DB_get_by_index(db,DB_serial,row);
|
||||
if (rrow == NULL)
|
||||
{
|
||||
BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
|
||||
@ -2207,16 +2205,15 @@ static int do_revoke(X509 *x509, TXT_DB *db)
|
||||
}
|
||||
|
||||
/* Revoke Certificate */
|
||||
do_revoke(x509,db);
|
||||
ok = do_revoke(x509,db);
|
||||
|
||||
ok=1;
|
||||
goto err;
|
||||
|
||||
}
|
||||
else if (index_serial_cmp(row,rrow))
|
||||
else if (index_name_cmp(row,rrow))
|
||||
{
|
||||
BIO_printf(bio_err,"ERROR:no same serial number %s\n",
|
||||
row[DB_serial]);
|
||||
BIO_printf(bio_err,"ERROR:name does not match %s\n",
|
||||
row[DB_name]);
|
||||
goto err;
|
||||
}
|
||||
else if (rrow[DB_type][0]=='R')
|
||||
@ -2228,12 +2225,14 @@ static int do_revoke(X509 *x509, TXT_DB *db)
|
||||
else
|
||||
{
|
||||
BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
|
||||
tm=X509_gmtime_adj(tm,0);
|
||||
revtm = ASN1_UTCTIME_new();
|
||||
revtm=X509_gmtime_adj(revtm,0);
|
||||
rrow[DB_type][0]='R';
|
||||
rrow[DB_type][1]='\0';
|
||||
rrow[DB_rev_date]=(char *)Malloc(tm->length+1);
|
||||
memcpy(rrow[DB_rev_date],tm->data,tm->length);
|
||||
rrow[DB_rev_date][tm->length]='\0';
|
||||
rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
|
||||
memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
|
||||
rrow[DB_rev_date][revtm->length]='\0';
|
||||
ASN1_UTCTIME_free(revtm);
|
||||
}
|
||||
ok=1;
|
||||
err:
|
||||
@ -2242,7 +2241,6 @@ err:
|
||||
if (row[i] != NULL)
|
||||
Free(row[i]);
|
||||
}
|
||||
ASN1_UTCTIME_free(tm);
|
||||
return(ok);
|
||||
}
|
||||
|
||||
|
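Review bot: In the final else branch of do_revoke, the lines that appear to be the new side dereference `revtm` and the `Malloc` result without checking either, so an allocation failure during revocation becomes a NULL dereference after the row has already been marked 'R'. (The +/- markers are lost on this page, so the side of each line is inferred from the duplicated statements.) I would obtain the time and the buffer first and bail out before touching the row: `if (revtm == NULL) goto err;` after `ASN1_UTCTIME_new()`, a check on the return of `X509_gmtime_adj(revtm,0)`, and a `rrow[DB_rev_date] == NULL` check after the `Malloc` that frees `revtm` before `goto err`. Separately, in the -revoke block `revcert` is freed only after `if (j <= 0) goto err;`, so the failure path skips `X509_free(revcert)`; because `revcert` is scoped to that else block, the free has to happen before the jump. Both function bodies continue outside the visible hunks.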
@ -845,6 +845,7 @@ end:
|
||||
X509_free(x509ss);
|
||||
X509V3_EXT_cleanup();
|
||||
OBJ_cleanup();
|
||||
ASN1_STRING_TABLE_cleanup();
|
||||
#ifndef NO_DSA
|
||||
if (dsa_params != NULL) DSA_free(dsa_params);
|
||||
#endif
|
||||
|
@ -268,6 +268,7 @@ int MAIN(int argc, char **argv)
|
||||
if (--argc < 1) goto bad;
|
||||
CAfile= *(++argv);
|
||||
CA_flag= ++num;
|
||||
need_rand = 1;
|
||||
}
|
||||
else if (strcmp(*argv,"-CAkey") == 0)
|
||||
{
|
||||
|
@ -188,6 +188,7 @@ void ASN1_STRING_TABLE_cleanup(void)
|
||||
{
|
||||
STACK_OF(ASN1_STRING_TABLE) *tmp;
|
||||
tmp = stable;
|
||||
if(!tmp) return;
|
||||
stable = NULL;
|
||||
sk_ASN1_STRING_TABLE_pop_free(tmp, st_free);
|
||||
}
|
||||
|
@ -117,6 +117,7 @@ void X509_CERT_AUX_free(X509_CERT_AUX *a)
|
||||
sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
|
||||
ASN1_UTF8STRING_free(a->alias);
|
||||
ASN1_TYPE_free(a->other);
|
||||
Free((char *)a);
|
||||
}
|
||||
|
||||
int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
|
||||
|
@ -175,27 +175,36 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
|
||||
unsigned char *bytes, int len, int loc, int set)
|
||||
{
|
||||
X509_NAME_ENTRY *ne;
|
||||
int ret;
|
||||
ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
|
||||
if(!ne) return 0;
|
||||
return X509_NAME_add_entry(name, ne, loc, set);
|
||||
ret = X509_NAME_add_entry(name, ne, loc, set);
|
||||
X509_NAME_ENTRY_free(ne);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
|
||||
unsigned char *bytes, int len, int loc, int set)
|
||||
{
|
||||
X509_NAME_ENTRY *ne;
|
||||
int ret;
|
||||
ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
|
||||
if(!ne) return 0;
|
||||
return X509_NAME_add_entry(name, ne, loc, set);
|
||||
ret = X509_NAME_add_entry(name, ne, loc, set);
|
||||
X509_NAME_ENTRY_free(ne);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
|
||||
unsigned char *bytes, int len, int loc, int set)
|
||||
{
|
||||
X509_NAME_ENTRY *ne;
|
||||
int ret;
|
||||
ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
|
||||
if(!ne) return 0;
|
||||
return X509_NAME_add_entry(name, ne, loc, set);
|
||||
ret = X509_NAME_add_entry(name, ne, loc, set);
|
||||
X509_NAME_ENTRY_free(ne);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* if set is -1, append to previous set, 0 'a new one', and 1,
|
||||
@ -267,6 +276,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
|
||||
char *field, int type, unsigned char *bytes, int len)
|
||||
{
|
||||
ASN1_OBJECT *obj;
|
||||
X509_NAME_ENTRY *nentry;
|
||||
|
||||
obj=OBJ_txt2obj(field, 0);
|
||||
if (obj == NULL)
|
||||
@ -275,13 +285,16 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
|
||||
X509_R_INVALID_FIELD_NAME);
|
||||
return(NULL);
|
||||
}
|
||||
return(X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len));
|
||||
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
|
||||
ASN1_OBJECT_free(obj);
|
||||
return nentry;
|
||||
}
|
||||
|
||||
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
|
||||
int type, unsigned char *bytes, int len)
|
||||
{
|
||||
ASN1_OBJECT *obj;
|
||||
X509_NAME_ENTRY *nentry;
|
||||
|
||||
obj=OBJ_nid2obj(nid);
|
||||
if (obj == NULL)
|
||||
@ -289,7 +302,9 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
|
||||
X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
|
||||
return(NULL);
|
||||
}
|
||||
return(X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len));
|
||||
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
|
||||
ASN1_OBJECT_free(obj);
|
||||
return nentry;
|
||||
}
|
||||
|
||||
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
|
||||
|
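Review bot: The three X509_NAME_add_entry_by_* wrappers now call `X509_NAME_ENTRY_free(ne)` unconditionally after `X509_NAME_add_entry`, which is correct only if that function stores its own copy of the entry. Its body is not in this hunk, so the ownership rule should be written down where it is relied on, e.g. `/* X509_NAME_add_entry() copies ne, so the temporary is always ours to free */`. If it instead kept the pointer, these frees would leave the name holding a dangling entry. The same kind of comment would help in X509_NAME_ENTRY_create_by_NID, where `ASN1_OBJECT_free(obj)` is applied to the result of `OBJ_nid2obj` and a reader cannot tell from here whether the caller owns that object.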
@ -14,7 +14,6 @@
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "rsa.h" /* SSLeay stuff */
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
|
@ -1998,3 +1998,25 @@ X509_NAME_add_entry_by_txt 2022
|
||||
X509_NAME_add_entry_by_NID 2023
|
||||
X509_NAME_add_entry_by_OBJ 2024
|
||||
X509_NAME_ENTRY_create_by_txt 2025
|
||||
PEM_read_X509_AUX 2026
|
||||
X509_CERT_AUX_free 2027
|
||||
X509_alias_set 2028
|
||||
PEM_read_bio_X509_AUX 2029
|
||||
X509_trust_set_bit_asc 2030
|
||||
d2i_X509_AUX 2031
|
||||
X509_CERT_AUX_print 2032
|
||||
ASN1_BIT_STRING_num_asc 2033
|
||||
X509_CERT_AUX_new 2034
|
||||
ASN1_BIT_STRING_set_asc 2035
|
||||
i2d_X509_CERT_AUX 2036
|
||||
PEM_write_X509_AUX 2037
|
||||
X509_notrust_set_bit 2038
|
||||
X509_add_notrust_object 2039
|
||||
PEM_write_bio_X509_AUX 2040
|
||||
X509_alias_get 2041
|
||||
X509_trust_set_bit 2042
|
||||
d2i_X509_CERT_AUX 2043
|
||||
X509_notrust_set_bit_asc 2044
|
||||
i2d_X509_AUX 2045
|
||||
ASN1_BIT_STRING_name_print 2046
|
||||
X509_add_trust_object 2047
|
||||
|