From: FdaSilvaYY Date: Mon, 16 Oct 2017 19:46:50 +0000 (-0400) Subject: Some cleanups to apps/ca.c X-Git-Tag: OpenSSL_1_1_1-pre1~539 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b5895815abad1b108902a55525daad7bdca02721;p=oweals%2Fopenssl.git Some cleanups to apps/ca.c Few code format fixup Fix limit computation; was too strict by 2 bytes. Simplify computation of buffer limits Checking is strictly same as sizeof(".pem") == 5 Simplify loop of code for certificate filename creation Fix MAX_PATH usage Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1936) --- diff --git a/apps/ca.c b/apps/ca.c index f17e7226b9..658dc8c818 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -42,11 +42,6 @@ #ifndef PATH_MAX # define PATH_MAX 4096 #endif -#ifndef NAME_MAX -# define NAME_MAX 255 -#endif - -#define CERT_MAX (PATH_MAX + NAME_MAX) #define BASE_SECTION "ca" @@ -250,10 +245,11 @@ int ca_main(int argc, char **argv) const char *serialfile = NULL, *subj = NULL; char *prog, *startdate = NULL, *enddate = NULL; char *dbfile = NULL, *f; - char new_cert[CERT_MAX + 1]; + char new_cert[PATH_MAX]; char tmp[10 + 1] = "\0"; char *const *pp; const char *p; + size_t outdirlen = 0; int create_ser = 0, free_key = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; @@ -266,8 +262,6 @@ int ca_main(int argc, char **argv) X509_REVOKED *r = NULL; OPTION_CHOICE o; - new_cert[CERT_MAX] = '\0'; - prog = opt_init(argc, argv, ca_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { @@ -356,8 +350,7 @@ opthelp: case OPT_SIGOPT: if (sigopts == NULL) sigopts = sk_OPENSSL_STRING_new_null(); - if (sigopts == NULL - || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) goto end; break; case OPT_NOTEXT: @@ -421,7 +414,7 @@ opthelp: case OPT_CRLEXTS: crl_ext = opt_arg(); break; - case OPT_CRL_REASON: /* := REV_CRL_REASON */ + case OPT_CRL_REASON: /* := REV_CRL_REASON */ case OPT_CRL_HOLD: case OPT_CRL_COMPROMISE: case OPT_CRL_CA_COMPROMISE: @@ -709,8 +702,7 @@ end_of_options: goto end; if (verbose) - BIO_printf(bio_err, - "Done. %d entries marked as expired\n", i); + BIO_printf(bio_err, "Done. %d entries marked as expired\n", i); } } @@ -742,8 +734,7 @@ end_of_options: goto end; } - if (md == NULL - && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) + if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) goto end; if (strcmp(md, "default") == 0) { @@ -811,8 +802,7 @@ end_of_options: } if (startdate == NULL) { - startdate = NCONF_get_string(conf, section, - ENV_DEFAULT_STARTDATE); + startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE); if (startdate == NULL) ERR_clear_error(); } @@ -839,9 +829,8 @@ end_of_options: if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) days = 0; } - if (enddate == NULL && (days == 0)) { - BIO_printf(bio_err, - "cannot lookup how many days to certify for\n"); + if (enddate == NULL && days == 0) { + BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); goto end; } @@ -972,8 +961,7 @@ end_of_options: (void)BIO_flush(bio_err); tmp[0] = '\0'; if (fgets(tmp, sizeof(tmp), stdin) == NULL) { - BIO_printf(bio_err, - "CERTIFICATION CANCELED: I/O error\n"); + BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); ret = 0; goto end; } @@ -995,37 +983,34 @@ end_of_options: goto end; } + outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert)); +#ifndef OPENSSL_SYS_VMS + outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); +#endif + if (verbose) BIO_printf(bio_err, "writing new certificates\n"); + for (i = 0; i < sk_X509_num(cert_sk); i++) { BIO *Cout = NULL; X509 *xi = sk_X509_value(cert_sk, i); ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi); - int k; - char *n; + const unsigned char *psn = ASN1_STRING_get0_data(serialNumber); + const int snl = ASN1_STRING_length(serialNumber); + const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem"); + char *n = new_cert + outdirlen; - j = ASN1_STRING_length(serialNumber); - p = (const char *)ASN1_STRING_get0_data(serialNumber); - - if (strlen(outdir) >= (size_t)(j ? CERT_MAX - j * 2 - 6 : CERT_MAX - 8)) { + if (outdirlen + filen_len > PATH_MAX) { BIO_printf(bio_err, "certificate file name too long\n"); goto end; } - strcpy(new_cert, outdir); -#ifndef OPENSSL_SYS_VMS - OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); -#endif + if (snl > 0) { + static const char HEX_DIGITS[] = "0123456789ABCDEF"; - n = (char *)&(new_cert[strlen(new_cert)]); - if (j > 0) { - for (k = 0; k < j; k++) { - if (n >= &(new_cert[sizeof(new_cert)])) - break; - BIO_snprintf(n, - &new_cert[0] + sizeof(new_cert) - n, - "%02X", (unsigned char)*(p++)); - n += 2; + for (j = 0; j < snl; j++, psn++) { + *n++ = HEX_DIGITS[*psn >> 4]; + *n++ = HEX_DIGITS[*psn & 0x0F]; } } else { *(n++) = '0'; @@ -1035,7 +1020,7 @@ end_of_options: *(n++) = 'p'; *(n++) = 'e'; *(n++) = 'm'; - *n = '\0'; + *n = '\0'; /* closing new_cert */ if (verbose) BIO_printf(bio_err, "writing %s\n", new_cert); @@ -1076,8 +1061,7 @@ end_of_options: X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { BIO_printf(bio_err, - "Error Loading CRL extension section %s\n", - crl_ext); + "Error Loading CRL extension section %s\n", crl_ext); ret = 1; goto end; } @@ -1393,8 +1377,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, int selfsign) { - X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = - NULL; + X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL; const ASN1_TIME *tm; ASN1_STRING *str, *str2; ASN1_OBJECT *obj; @@ -1424,8 +1407,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } if (default_op) - BIO_printf(bio_err, - "The Subject's Distinguished Name is as follows\n"); + BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); name = X509_REQ_get_subject_name(req); for (i = 0; i < X509_NAME_entry_count(name); i++) { @@ -1543,8 +1525,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((j < 0) && (last2 == -1)) { BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\n" - "the 'policy' is misconfigured\n", - cv->name); + "the 'policy' is misconfigured\n", cv->name); goto end; } if (j >= 0) { @@ -1888,8 +1869,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, return (ok); } -static void write_new_certificate(BIO *bp, X509 *x, int output_der, - int notext) +static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) { if (output_der) { @@ -2005,8 +1985,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, * Now extract the key from the SPKI structure. */ - BIO_printf(bio_err, - "Check that the SPKAC request matches the signature\n"); + BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { BIO_printf(bio_err, "error unpacking SPKAC public key\n"); @@ -2546,8 +2525,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, hold = OBJ_txt2obj(arg_str, 0); if (!hold) { - BIO_printf(bio_err, "invalid object identifier %s\n", - arg_str); + BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); goto end; } if (phold)