[openssl] master update

dev at ddvo.net dev at ddvo.net
Sat May 22 10:10:16 UTC 2021


The branch master has been updated
       via  56c98a7d94d25df5999bd12c600788ec947e588c (commit)
      from  06621ba387f8d45e0c273f77f18573eb52cd66b8 (commit)


- Log -----------------------------------------------------------------
commit 56c98a7d94d25df5999bd12c600788ec947e588c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Apr 3 19:51:36 2021 +0200

    apps/cms: Simplify handling of encerts; add warning if they are ignored
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14843)

-----------------------------------------------------------------------

Summary of changes:
 apps/cms.c | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/apps/cms.c b/apps/cms.c
index 25ef1effd4..e9fe29ab8e 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -307,10 +307,10 @@ int cms_main(int argc, char **argv)
     EVP_MD *sign_md = NULL;
     STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
     STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
-    STACK_OF(X509) *encerts = NULL, *other = NULL;
+    STACK_OF(X509) *encerts = sk_X509_new_null(), *other = NULL;
     X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = NULL;
     X509_STORE *store = NULL;
-    X509_VERIFY_PARAM *vpm = NULL;
+    X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new();
     char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
     char *certsoutfile = NULL, *digestname = NULL, *wrapname = NULL;
@@ -332,8 +332,8 @@ int cms_main(int argc, char **argv)
     OPTION_CHOICE o;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
 
-    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
-        return 1;
+    if (encerts == NULL || vpm == NULL)
+        goto end;
 
     prog = opt_init(argc, argv, cms_options);
     while ((o = opt_next()) != OPT_EOF) {
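Review bot: Replacing `return 1` with `goto end` on allocation failure makes the reported exit status depend on the initial value of `ret` and on the `end:` cleanup tolerating the still-NULL locals, neither of which is visible in this hunk. If `ret` is initialised to 1 as is customary in the apps, the behaviour is unchanged, but a short comment such as `/* ret defaults to failure; end: frees the partially set up state */` would make that dependency explicit for the next reader. cms_main continues outside the hunk.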
@@ -641,8 +641,6 @@ int cms_main(int argc, char **argv)
             break;
         case OPT_RECIP:
             if (operation == SMIME_ENCRYPT) {
-                if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
-                    goto end;
                 cert = load_cert(opt_arg(), FORMAT_UNDEF,
                                  "recipient certificate file");
                 if (cert == NULL)
@@ -659,7 +657,7 @@ int cms_main(int argc, char **argv)
         case OPT_KEYOPT:
             keyidx = -1;
             if (operation == SMIME_ENCRYPT) {
-                if (encerts != NULL)
+                if (sk_X509_num(encerts) > 0)
                     keyidx += sk_X509_num(encerts);
             } else {
                 if (keyfile != NULL || signerfile != NULL)
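Review bot: The `sk_X509_num(encerts) > 0` guard at the top of this hunk is now redundant: `encerts` is allocated unconditionally, so `sk_X509_num` never returns -1 here, and adding a zero count is a no-op. The single line `keyidx += sk_X509_num(encerts);` gives the same result and avoids evaluating `sk_X509_num` twice. The enclosing switch continues outside the hunk.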
@@ -797,7 +795,7 @@ int cms_main(int argc, char **argv)
         }
     } else if (operation == SMIME_ENCRYPT) {
         if (*argv == NULL && secret_key == NULL
-            && pwri_pass == NULL && encerts == NULL) {
+            && pwri_pass == NULL && sk_X509_num(encerts) <= 0) {
             BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
             goto opthelp;
         }
@@ -838,16 +836,19 @@ int cms_main(int argc, char **argv)
             goto end;
         }
 
-        if (*argv && encerts == NULL)
-            if ((encerts = sk_X509_new_null()) == NULL)
-                goto end;
-        while (*argv) {
-            if ((cert = load_cert(*argv, FORMAT_UNDEF,
-                                  "recipient certificate file")) == NULL)
-                goto end;
-            sk_X509_push(encerts, cert);
-            cert = NULL;
-            argv++;
+        if (*argv != NULL) {
+            if (operation == SMIME_ENCRYPT) {
+                for (; *argv != NULL; argv++) {
+                    cert = load_cert(*argv, FORMAT_UNDEF,
+                                     "recipient certificate file");
+                    if (cert == NULL)
+                        goto end;
+                    sk_X509_push(encerts, cert);
+                    cert = NULL;
+                }
+            } else {
+                BIO_printf(bio_err, "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
+            }
         }
     }
 
@@ -1182,9 +1183,10 @@ int cms_main(int argc, char **argv)
     } else if (operation == SMIME_VERIFY) {
         if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
             BIO_printf(bio_err, "%s Verification successful\n",
-                       (flags & CMS_CADES) ? "CAdES" : "CMS");
+                       (flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
         } else {
-            BIO_printf(bio_err, "Verification failure\n");
+            BIO_printf(bio_err, "%s Verification failure\n",
+                       (flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
             if (verify_retcode)
                 ret = verify_err + 32;
             goto end;

