Commit graph

303 commits

Author SHA1 Message Date
Dr. Matthias St. Pierre
135e806236 Fix: 'openssl ca' command crashes when used with 'rand_serial' option
Commit ffb46830e2 introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()
call.

This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.

Fixes #7412

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7417)

(cherry picked from commit aeec793b4b)
2018-10-17 12:04:17 +02:00
agnosticdev
c257f61f10 typo-fixes: miscellaneous typo fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7277)

(cherry picked from commit 46d085096c)
2018-09-21 23:59:02 +02:00
Matt Caswell
aabbc24e42 Improve the usability of the ca app using EdDSA
Previously you had to supply "null" as the digest to use EdDSA. This changes
things so that any digest is ignored.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)
2018-08-22 16:35:54 +01:00
FdaSilvaYY
991f0355fb apps/ca: fix useless get before delete.
Small simplification by skipping effectively redundant step and
not resuming search from point past deletion.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6195)
2018-06-21 15:14:06 +02:00
Richard Levitte
63871d9f81 openssl ca: open the output file as late as possible
Fixes #6544

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)
2018-06-21 06:56:23 +02:00
Matt Caswell
f3021aca4a Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it
is not possible to set the digest to "null". This adds the capability and
updates the documentation accordingly.

Fixes #6201

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6286)
2018-05-18 10:14:29 +01:00
Pavel Kopyl
aebd0e5ca1 Fix memory leaks in CA related functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4700)
2018-05-02 08:35:32 +02:00
Richard Levitte
25642ad29e Fix openssl ca, to correctly make output file binary when using -spkac
On Unix, this doesn't matter, but on other platforms, it may.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)
2018-04-23 11:07:46 +02:00
Viktor Dukhovni
a4107d73d5 Add missing index_index() when reloading OCSP responder
Also, future-proof index_index() return codes by requiring success
to return a positive value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-04-18 22:29:35 -04:00
Matt Caswell
01985122ae Fix a memory leak in the ca application
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
2018-03-15 12:51:34 +00:00
Matt Caswell
5af88441f4 Allow multiple entries without a Subject even if unique_subject == yes
It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
2018-03-15 12:51:34 +00:00
Matt Caswell
2cedf79474 Report a readable error on a duplicate cert in ca app
Commit 87e8feca (16 years ago!) introduced a bug where if we are
attempting to insert a cert with a duplicate subject name, and
duplicate subject names are not allowed (which is the default),
then we get an unhelpful error message back (error number 2). Prior
to that commit we got a helpful error message which displayed details
of the conflicting entry in the database.

That commit was itself attempting to fix a bug with the noemailDN option
where we were setting the subject field in the database too early
(before extensions had made any amendments to it).

This PR moves the check for a conflicting Subject name until after all
changes to the Subject have been made by extensions etc.

This also, co-incidentally fixes the ca crashing bug described in issue
5109.

Fixes #5109

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
2018-03-15 12:51:34 +00:00
Matt Caswell
c845ff070d Revert "Don't allow an empty Subject when creating a Certificate"
This reverts commit e505f1e868.

Empty Subjects should be permissible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
2018-03-15 12:51:34 +00:00
Matt Caswell
62e394de91 Revert "Don't crash on a missing Subject in index.txt"
This reverts commit 1e05c6d07f.

Empty subjects should be permissible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
2018-03-15 12:51:34 +00:00
Pavel Kopyl
59053968e7 do_body: fix heap-use-after-free.
The memory pointed to by the 'push' is freed by the
X509_NAME_ENTRY_free() in do_body(). The second time
it is referenced to (indirectly) in certify_cert:X509_REQ_free().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
2018-02-21 12:18:56 +00:00
Matt Caswell
0d502c3511 Check the return code from ASN1_TIME_diff()
The function can fail so we should check the return code.

Found by Coverity

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5339)
2018-02-15 15:24:47 +00:00
Matt Caswell
bc2a0dd283 The function X509_gmtime_adj() can fail
Check for a failure and free a_tm as appropriate.

Found by Coverity

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5339)
2018-02-15 15:24:46 +00:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Richard Levitte
dab2cd68e7 apps: Don't include progs.h in apps.h
Everything in apps includes apps.h, because that one declares apps
internal library routines.  However, progs.h doesn't declare library
routines, but rather the main commands and their options, and there's
no reason why the library modules should include it.

So, remove the inclusion of progs.h from apps.h and add that inclusion
in all command source files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5222)
2018-01-31 23:45:12 +01:00
Matt Caswell
1e05c6d07f Don't crash on a missing Subject in index.txt
An index.txt entry which has an empty Subject name field will cause ca
to crash. Therefore check it when we load it to make sure its not empty.

Fixes #5109

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5114)
2018-01-22 10:07:41 +00:00
Matt Caswell
e505f1e868 Don't allow an empty Subject when creating a Certificate
Misconfiguration (e.g. an empty policy section in the config file) can
lead to an empty Subject. Since certificates should have unique Subjects
this should not be allowed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5114)
2018-01-22 10:07:41 +00:00
FdaSilvaYY
df36429749 Useless conf != NULL test
check is already made 10 line above.
clean commented code

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4885)
2017-12-09 23:59:56 +01:00
KaoruToda
26a7d938c9 Remove parentheses of return.
Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
2017-10-18 16:05:06 +01:00
FdaSilvaYY
b5895815ab Some cleanups to apps/ca.c
Few code format fixup
Fix limit computation; was too strict by 2 bytes.
Simplify computation of buffer limits
Checking is strictly same as sizeof(".pem") == 5
Simplify loop of code for certificate filename creation
Fix MAX_PATH usage

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1936)
2017-10-16 15:46:50 -04:00
Rich Salz
e3713c365c Remove email addresses from source code.
Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)
2017-10-13 10:06:59 -04:00
Richard Levitte
4881d849da Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)
2017-09-26 10:47:43 +02:00
Pauli
9590da2cd6 Remove the X_OK define, it is unused.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:44 +10:00
Rich Salz
ffb46830e2 Add random serial# support.
Add -rand_serial to CA command and "serial_rand" config option.

Up RAND_BITS to 159, and comment why: now confirms to CABForum
guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4185)
2017-08-22 09:00:04 -04:00
Rich Salz
3ee1eac27a Standardize apps use of -rand, etc.
Standardized the -rand flag and added a new one:
    -rand file...
            Always reads the specified files
    -writerand file
            Always writes to the file on exit

For apps that use a config file, the RANDFILE config parameter reads
the file at startup (to seed the RNG) and write to it on exit if
the -writerand flag isn't used.

Ensured that every app that took -rand also took -writerand, and
made sure all of that agreed with all the documentation.

Fix error reporting in write_file and -rand

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3862)
2017-07-16 19:20:45 -04:00
Paul Yang
2234212c3d Clean up a bundle of codingstyle stuff in apps directory
Mostly braces and NULL pointer check and also copyright year bump

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3657)
2017-06-12 16:11:05 -04:00
Rich Salz
04e62715db Introduce ASN1_TIME_set_string_X509 API
Make funcs to deal with non-null-term'd string
in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm().

Fixes issue #3444.

This one is used to enforce strict format (RFC 5280) check and to
convert GeneralizedTime to UTCTime.

apps/ca has been changed to use the new API.

Test cases and documentation are updated/added

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3566)
2017-06-11 16:36:07 -04:00
Paul Yang
bd91e3c870 Fix a bundle of trailing spaces in several files
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3622)
2017-06-09 12:04:10 -04:00
Dmitry Belyavskiy
b5c4209be9 Switch command-line utils to new nameopt API.
The CA names should be printed according to user's decision
print_name instead of set of BIO_printf
dump_cert_text instead of set of BIO_printf
Testing cyrillic output of X509_CRL_print_ex
Write and use X509_CRL_print_ex
Reduce usage of X509_NAME_online
Using X509_REQ_print_ex instead of X509_REQ_print
Fix nameopt processing.
Make dump_cert_text nameopt-friendly
Move nameopt getter/setter to apps/apps.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3262)
2017-04-25 12:37:17 -04:00
Matt Caswell
9fa36f5f4b Remove some commented out code in the apps
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2774)
2017-02-28 16:02:11 +00:00
Richard Levitte
e627a13cd5 Code health: Remove obvious VAX C fixups
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2775)
2017-02-28 15:32:01 +01:00
Bernd Edlinger
0fbaef9e64 Fix some more memory leaks with TXT_DB_insert.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
2017-02-21 14:13:58 -05:00
Bernd Edlinger
9ad52c562a Fix a few memleaks in TXT_DB.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
2017-02-21 14:13:58 -05:00
Robert Scheck
20967afb7f Add Sieve support (RFC 5804) to s_client ("-starttls sieve")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)
2017-02-14 14:15:28 -05:00
FdaSilvaYY
07a38fd2bf Fix some style and indent issue
simplify some code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
FdaSilvaYY
0db1fb3fc1 Fix use before assignment
it was getting the SerialNumber of a previous cert.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2272)
2017-01-23 14:29:33 +00:00
FdaSilvaYY
dfc3ffe502 Introduce PATH_MAX and NAME_MAX
to define the certificate filename storage buffer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1569)
2016-11-15 23:37:22 +01:00
FdaSilvaYY
3a19b22ae1 Simplify and fix usage of three string array variable...
using two separated local variables.

buf[1] was unused.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1569)
2016-11-15 23:37:22 +01:00
Matt Caswell
229bd12487 Fix a double free in ca command line
Providing a spkac file with no default section causes a double free.

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-10-28 09:25:04 +01:00
Richard Levitte
dd1abd4462 If an engine comes up explicitely, it must also come down explicitely
In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it's a built in engine), we end up returning
an invalid reference.

Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
2016-10-19 17:44:08 +02:00
FdaSilvaYY
44c83ebd70 Constify command options
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1694)
2016-10-14 18:25:50 +02:00
FdaSilvaYY
06a79af200 Fix some magic values about revocation info type...
Add comments, document -valid option.
Add some const qualifiers.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1560)
2016-09-13 11:42:57 -04:00
FdaSilvaYY
2d87ee6825 Closing output file from inside the loop who open it
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1471
2016-08-22 21:32:04 +02:00
Dr. Stephen Henson
568ce3a583 Constify certificate and CRL time routines.
Update certificate and CRL time routines to match new standard.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
dc047d31fa Set certificate times in one function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 16:52:58 +01:00
FdaSilvaYY
d6073e27eb Small nits and cleanups
using util/openssl-format-source on s_derver, s_client, ca.c, speed.c only...

Fix/merge some #ifndef

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:09:19 +01:00