From 0996dc5440cc233f029129182bbb6e3d4613045a Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 00:08:38 -0500 Subject: [PATCH] Refactor apps load_certs/load_crls to work incrementally Reviewed-by: Richard Levitte --- apps/apps.c | 30 ++++++++++++++---------------- apps/apps.h | 10 ++++------ apps/cms.c | 4 ++-- apps/ocsp.c | 15 ++++++--------- apps/pkcs12.c | 13 ++++--------- apps/s_cb.c | 5 ++--- apps/s_client.c | 5 ++--- apps/s_server.c | 10 ++++------ apps/smime.c | 4 ++-- apps/verify.c | 13 +++++-------- 10 files changed, 45 insertions(+), 64 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index bb47039ce0..9b55f820e1 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -921,13 +921,13 @@ static int load_certs_crls(const char *file, int format, BIO_free(bio); - if (pcerts) { + if (pcerts && *pcerts == NULL) { *pcerts = sk_X509_new_null(); if (!*pcerts) goto end; } - if (pcrls) { + if (pcrls && *pcrls == NULL) { *pcrls = sk_X509_CRL_new_null(); if (!*pcrls) goto end; 
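Review bot: With the added `*pcerts == NULL` and `*pcrls == NULL` tests, load_certs_crls() now reads the caller's pointer before writing it, so every caller must pass a pointer that is either NULL or a valid stack. The removed wrappers passed an uninitialised local, which was harmless only because the helper always overwrote it. The declarations of `other`, `rother`, `sign_other`, `verify_other`, `certs`, `chain`, `s_chain`, `s_dchain`, `untrusted`, `trusted` and `crls`, and the allocation behind `exc->chain` in s_cb.c, are all outside the hunks shown, so their NULL initialisation should be confirmed. I would state the precondition above the helper, e.g. `/* *pcerts and *pcrls must be NULL or a valid stack on entry; a non-NULL stack is extended. */`. The function body starts and ends outside this hunk.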
@@ -986,24 +986,22 @@ void* app_malloc(int sz, const char *what) return vp; } - - -STACK_OF(X509) *load_certs(const char *file, int format, - const char *pass, ENGINE *e, const char *desc) +/* + * Initialize or extend, if *certs != NULL, a certificate stack. + */ +int load_certs(const char *file, STACK_OF(X509) **certs, int format, + const char *pass, ENGINE *e, const char *desc) { - STACK_OF(X509) *certs; - if (!load_certs_crls(file, format, pass, e, desc, &certs, NULL)) - return NULL; - return certs; + return load_certs_crls(file, format, pass, e, desc, certs, NULL); } -STACK_OF(X509_CRL) *load_crls(const char *file, int format, - const char *pass, ENGINE *e, const char *desc) +/* + * Initialize or extend, if *crls != NULL, a certificate stack. + */ +int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, + const char *pass, ENGINE *e, const char *desc) { - STACK_OF(X509_CRL) *crls; - if (!load_certs_crls(file, format, pass, e, desc, NULL, &crls)) - return NULL; - return crls; + return load_certs_crls(file, format, pass, e, desc, NULL, crls); } #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) diff --git a/apps/apps.h b/apps/apps.h index e549e3ff94..e402f3c9ac 100644 --- a/apps/apps.h +++ b/apps/apps.h 
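Review bot: The comment added above load_crls() is a copy of the load_certs() one and still says "a certificate stack"; it should read `Initialize or extend, if *crls != NULL, a CRL stack.` Neither comment states the return convention that every converted call site now relies on (`if (!load_certs(...))`), so I would add `Returns non-zero on success and 0 on failure.` to both. The comments should also say what state `*certs` or `*crls` is left in after a failure. A caller that passes in an existing stack otherwise cannot tell whether it still owns it.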
@@ -443,12 +443,10 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); -STACK_OF(X509) *load_certs(const char *file, int format, - const char *pass, ENGINE *e, - const char *cert_descrip); -STACK_OF(X509_CRL) *load_crls(const char *file, int format, - const char *pass, ENGINE *e, - const char *cert_descrip); +int load_certs(const char *file, STACK_OF(X509) **certs, int format, + const char *pass, ENGINE *e, const char *cert_descrip); +int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, + const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(char *CAfile, char *CApath, int noCAfile, int noCApath); int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, diff --git a/apps/cms.c b/apps/cms.c index 8cf99de516..bcfcd5446a 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -735,8 +735,8 @@ int cms_main(int argc, char **argv) } if (certfile) { - if ((other = load_certs(certfile, FORMAT_PEM, NULL, e, - "certificate file")) == NULL) { + if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e, + "certificate file")) { ERR_print_errors(bio_err); goto end; } diff --git a/apps/ocsp.c b/apps/ocsp.c index 0c41c4d5de..d2e3109630 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -533,9 +533,8 @@ int ocsp_main(int argc, char **argv) rca_cert = load_cert(rca_filename, FORMAT_PEM, NULL, NULL, "CA certificate"); if (rcertfile) { - rother = load_certs(rcertfile, FORMAT_PEM, - NULL, NULL, "responder other certificates"); - if (!rother) + if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, NULL, + "responder other certificates")) goto end; } rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL, 
@@ -578,9 +577,8 @@ int ocsp_main(int argc, char **argv) goto end; } if (sign_certfile) { - sign_other = load_certs(sign_certfile, FORMAT_PEM, - NULL, NULL, "signer certificates"); - if (!sign_other) + if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, NULL, + "signer certificates")) goto end; } key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, @@ -702,9 +700,8 @@ int ocsp_main(int argc, char **argv) if (vpmtouched) X509_STORE_set1_param(store, vpm); if (verify_certfile) { - verify_other = load_certs(verify_certfile, FORMAT_PEM, - NULL, NULL, "validator certificate"); - if (!verify_other) + if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, NULL, + "validator certificate")) goto end; } diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 33a58df524..2ede38491b 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -395,9 +395,8 @@ int pkcs12_main(int argc, char **argv) /* Load in all certs in input file */ if (!(options & NOCERTS)) { - certs = load_certs(infile, FORMAT_PEM, NULL, e, - "certificates"); - if (!certs) + if (!load_certs(infile, &certs, FORMAT_PEM, NULL, e, + "certificates")) goto export_end; if (key) { @@ -425,13 +424,9 @@ int pkcs12_main(int argc, char **argv) /* Add any more certificates asked for */ if (certfile) { - STACK_OF(X509) *morecerts = NULL; - if ((morecerts = load_certs(certfile, FORMAT_PEM, NULL, e, - "certificates from certfile")) == NULL) + if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, e, + "certificates from certfile")) goto export_end; - while (sk_X509_num(morecerts) > 0) - sk_X509_push(certs, sk_X509_shift(morecerts)); - sk_X509_free(morecerts); } /* If chaining get chain from user cert */ diff --git a/apps/s_cb.c b/apps/s_cb.c index c72e4c2314..55d2c39e8b 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c 
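Review bot: In pkcs12_main the `certfile` block is the one call site in this patch that passes an already populated stack (`&certs`, filled from `infile` in the previous hunk), so a failure while reading `certfile` now runs the helper's error path against certificates the caller already holds. That error path is not part of this diff. If it frees `*pcerts` and resets it to NULL, the `goto export_end` here is fine; if it leaves a partly extended stack behind, a caller that carries on would use a mix of old and half-loaded entries. The comment on load_certs() should say which of the two holds. Also, when `NOCERTS` is set `certs` reaches this call without the earlier load, so it depends on being NULL at its declaration, which is outside the hunk.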
@@ -1002,9 +1002,8 @@ int load_excert(SSL_EXCERT **pexc) if (!exc->key) return 0; if (exc->chainfile) { - exc->chain = load_certs(exc->chainfile, FORMAT_PEM, - NULL, NULL, "Server Chain"); - if (!exc->chain) + if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL, + NULL, "Server Chain")) return 0; } } diff --git a/apps/s_client.c b/apps/s_client.c index 4dea7c460a..717d7c146b 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1331,9 +1331,8 @@ int s_client_main(int argc, char **argv) } if (chain_file) { - chain = load_certs(chain_file, FORMAT_PEM, - NULL, e, "client certificate chain"); - if (!chain) + if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, e, + "client certificate chain")) goto end; } diff --git a/apps/s_server.c b/apps/s_server.c index 93f608319b..9d9cb241be 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1507,9 +1507,8 @@ int s_server_main(int argc, char *argv[]) goto end; } if (s_chain_file) { - s_chain = load_certs(s_chain_file, FORMAT_PEM, - NULL, e, "server certificate chain"); - if (!s_chain) + if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e, + "server certificate chain")) goto end; } @@ -1587,9 +1586,8 @@ int s_server_main(int argc, char *argv[]) goto end; } if (s_dchain_file) { - s_dchain = load_certs(s_dchain_file, FORMAT_PEM, - NULL, e, "second server certificate chain"); - if (!s_dchain) + if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e, + "second server certificate chain")) goto end; } diff --git a/apps/smime.c b/apps/smime.c index 551a8fd44d..024e83b1d2 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -468,8 +468,8 @@ int smime_main(int argc, char **argv) } if (certfile) { - if ((other = load_certs(certfile, FORMAT_PEM, NULL, - e, "certificate file")) == NULL) { + if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e, + "certificate file")) { ERR_print_errors(bio_err); goto end; } diff --git a/apps/verify.c b/apps/verify.c index 16b25c9ef0..183579c06d 100644 --- a/apps/verify.c 
+++ b/apps/verify.c @@ -208,22 +208,19 @@ int verify_main(int argc, char **argv) ERR_clear_error(); if (untfile) { - untrusted = load_certs(untfile, FORMAT_PEM, - NULL, e, "untrusted certificates"); - if (!untrusted) + if (!load_certs(untfile, &untrusted, FORMAT_PEM, NULL, e, + "untrusted certificates")) goto end; } if (trustfile) { - trusted = load_certs(trustfile, FORMAT_PEM, - NULL, e, "trusted certificates"); - if (!trusted) + if (!load_certs(trustfile, &trusted, FORMAT_PEM, NULL, e, + "trusted certificates")) goto end; } if (crlfile) { - crls = load_crls(crlfile, FORMAT_PEM, NULL, e, "other CRLs"); - if (!crls) + if (!load_crls(crlfile, &crls, FORMAT_PEM, NULL, e, "other CRLs")) goto end; } -- GitLab
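Review bot: `untrusted`, `trusted` and `crls` are the chain-building and revocation inputs of verify_main, and this interface now allows them to be extended by repeated calls, so what the helper counts as success matters more than before. The success test in load_certs_crls() is outside this diff. If it only checks that the resulting stack is non-empty, a later file that contributes no certificates or CRLs would be reported as loaded once the stack holds entries from an earlier file. I would either have the helper confirm that each call added at least one entry or document that an empty file is accepted when extending. In this hunk each stack is still filled by a single call, so the concern applies once options become repeatable; verify_main starts and ends outside the hunk.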