diff --git a/Linux/Makefile b/Linux/Makefile index 63b1341..2288b97 100644 --- a/Linux/Makefile +++ b/Linux/Makefile @@ -11,7 +11,7 @@ OPENSSL = ../openssl CFLAGS = -Wall -O $(WITH_DEBUG) -I $(OPENSSL)/include LDFLAGS = -L$(OPENSSL) -LDLIBS = -lcrypto +LDLIBS = -lcrypto -lpthread MAN = sscep.8 PROG = sscep @@ -20,7 +20,7 @@ OBJS = sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configurati all: $(PROG)_static $(PROG)_dyn $(PROG)_static: $(OBJS) - $(CC) $(CFLAGS) -o $(PROG)_static $(OBJS) $(OPENSSL)/libcrypto.a -ldl + $(CC) $(CFLAGS) -o $(PROG)_static $(OBJS) $(OPENSSL)/libcrypto.a -lpthread -ldl $(PROG)_dyn: $(OBJS) $(CC) $(CFLAGS) -o $(PROG)_dyn $(OBJS) $(LDLIBS) $(LDFLAGS) diff --git a/configuration.c b/configuration.c index 828f961..9d5b4dc 100644 --- a/configuration.c +++ b/configuration.c @@ -5,19 +5,19 @@ #define itoa _itoa #endif -NAME_VALUE_PAIR* NAME_VALUE_PAIR_new(char *name, char *value) { - NAME_VALUE_PAIR *ret = OPENSSL_malloc(sizeof(NAME_VALUE_PAIR)); - ret->name = OPENSSL_strdup(name); - ret->value = OPENSSL_strdup(value); - return ret; -} - -void NAME_VALUE_PAIR_free(NAME_VALUE_PAIR *nvp) { - OPENSSL_free(nvp->name); - OPENSSL_free(nvp->value); - OPENSSL_free(nvp); -} - +NAME_VALUE_PAIR* NAME_VALUE_PAIR_new(char *name, char *value) { + NAME_VALUE_PAIR *ret = OPENSSL_malloc(sizeof(NAME_VALUE_PAIR)); + ret->name = OPENSSL_strdup(name); + ret->value = OPENSSL_strdup(value); + return ret; +} + +void NAME_VALUE_PAIR_free(NAME_VALUE_PAIR *nvp) { + OPENSSL_free(nvp->name); + OPENSSL_free(nvp->value); + OPENSSL_free(nvp); +} + int scep_conf_init(char *filename) { long err; CONF *conf; @@ -54,8 +54,6 @@ int scep_conf_load(CONF *conf) { char *windir; #endif - int ret; - //load global scep vars if((var = NCONF_get_string(conf, SCEP_CONFIGURATION_SECTION, SCEP_CONFIGURATION_PARAM_CACERTFILE)) && !c_flag) { c_flag = 1; 
@@ -112,23 +110,22 @@ int scep_conf_load(CONF *conf) { //loading options for specific operation switch(operation_flag) { case SCEP_OPERATION_ENROLL: - ret = scep_conf_load_operation_enroll(conf); + scep_conf_load_operation_enroll(conf); break; case SCEP_OPERATION_GETCA: - ret = scep_conf_load_operation_getca(conf); + scep_conf_load_operation_getca(conf); break; case SCEP_OPERATION_GETCERT: - ret = scep_conf_load_operation_getcert(conf); + scep_conf_load_operation_getcert(conf); break; case SCEP_OPERATION_GETCRL: - ret = scep_conf_load_operation_getcrl(conf); + scep_conf_load_operation_getcrl(conf); break; case SCEP_OPERATION_GETNEXTCA: - ret = scep_conf_load_operation_getnextca(conf); + scep_conf_load_operation_getnextca(conf); break; default: fprintf(stderr, "No operation specified, can't load specific settings!\n"); - ret = -1; break; } @@ -156,7 +153,7 @@ int scep_conf_load(CONF *conf) { printf("%s: Engine Section %s found and processing it\n", pname, SCEP_CONFIGURATION_PARAM_ENGINE); //getting engine ID - if(var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_ID)) { + if((var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_ID))) { if(v_flag) printf("%s: Configuration: Engine ID set to %s\n", pname, var); scep_conf->engine->engine_id = var; @@ -179,7 +176,7 @@ int scep_conf_load(CONF *conf) { //load capi only option //TODO move if(strncmp(scep_conf->engine->engine_id, "capi", 4) == 0) { - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_CAPI_NEWKEYLOCATION)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_CAPI_NEWKEYLOCATION))) { if(v_flag) printf("%s: Location of the new key will be in %s\n", pname, var); scep_conf->engine->new_key_location = var; 
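Review bot: Every case of the switch now throws away the value returned by the scep_conf_load_operation_*() loaders, and the default branch no longer records a failure, so scep_conf_load() has no way left to tell its caller that the operation-specific settings were not loaded; `ret` was the only carrier of that state and it is removed in the @@ -54 hunk. If those loaders return a status (their bodies are not in the hunk), keep it and propagate it, e.g. `if (scep_conf_load_operation_enroll(conf) < 0) return -1;` per case; if they report problems themselves, say so once above the switch: `/* the operation loaders report errors themselves; their return values are not used */`. scep_conf_load() begins and ends outside this hunk.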
@@ -189,7 +186,7 @@ int scep_conf_load(CONF *conf) { scep_conf->engine->new_key_location = "REQUEST"; } - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_CAPI_STORELOCATION)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_CAPI_STORELOCATION))) { if(v_flag) printf("%s: The store used will be %s\n", pname, var); if(!strncmp(var, "LOCAL_MACHINE", 13)) { @@ -212,25 +209,25 @@ int scep_conf_load(CONF *conf) { //load JKSEngine only option //TODO move if(strncmp(scep_conf->engine->engine_id, "jksengine", 9) == 0) { - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_KEYSTOREPASS)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_KEYSTOREPASS))) { if(v_flag) printf("%s: KeyStorePass will be set to %s\n", pname, var); scep_conf->engine->storepass = var; } - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JCONNPATH)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JCONNPATH))) { if(v_flag) printf("%s: JavaConnectorPath will be set to %s\n", pname, var); scep_conf->engine->jconnpath = var; } - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_PROVIDER)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_PROVIDER))) { if(v_flag) printf("%s: KeyStoreProvider will be set to %s\n", pname, var); scep_conf->engine->provider = var; } - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JAVAPATH)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JAVAPATH))) { if(v_flag) printf("%s: JavaPath will be set to %s\n", pname, var); scep_conf->engine->javapath = var; 
@@ -241,7 +238,7 @@ int scep_conf_load(CONF *conf) { //TODO move if(strncmp(scep_conf->engine->engine_id, "pkcs11", 6) == 0) { scep_conf->engine->pin = NULL; - if(var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_PKCS11_PIN)) { + if((var = NCONF_get_string(conf, engine_special_section, SCEP_CONFIGURATION_ENGINE_PKCS11_PIN))) { if(v_flag) printf("%s: Setting PIN to configuration value\n", pname); scep_conf->engine->pin = var; @@ -249,7 +246,7 @@ int scep_conf_load(CONF *conf) { } //loading dynamic path variable - if(var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_DYNPATH)) { + if((var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_DYNPATH))) { if(v_flag) printf("%s: Setting dynamic dll path to %s\n", pname, var); scep_conf->engine->dynamic_path = var; @@ -270,7 +267,7 @@ int scep_conf_load(CONF *conf) { } //loading module path variable - if(var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_MODULEPATH)) { + if((var = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_MODULEPATH))) { if(v_flag) printf("%s: Setting module path to %s\n", pname, var); scep_conf->engine->module_path = var; 
@@ -280,42 +277,42 @@ int scep_conf_load(CONF *conf) { printf("%s: No module path defined, not using/loading any module\n", pname); } - // If there is a section specified in 'engine_section/cmds', store all those commands IN ORDER - char *cmds_section; - if(cmds_section = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_CMDS)) { - if(!NCONF_get_section(conf, cmds_section)) { - fprintf(stderr, "%s: Section %s defined but not found!\n", pname, cmds_section); - exit(SCEP_PKISTATUS_FILE); - } - - // A cmds section was specified. Read all values in there and store for later passing to the engine - if(d_flag) - printf("%s: Engine Cmds Section %s found and processing it\n", pname, cmds_section); - - STACK_OF(CONF_VALUE) *section; - section = NCONF_get_section(conf, cmds_section); - int number_of_cmds = sk_CONF_VALUE_num(section); - if(d_flag) - printf("%s: There are %d engine commands\n", pname, number_of_cmds); - scep_conf->engine->cmds = OPENSSL_malloc((number_of_cmds+1) * sizeof(NAME_VALUE_PAIR*)); - - int i; - for(i=0; iname, conf_value->value); - scep_conf->engine->cmds[i] = NAME_VALUE_PAIR_new(conf_value->name, conf_value->value); - } - - // NULL terminate the array to indicate where it ends - scep_conf->engine->cmds[number_of_cmds] = NULL; - } else { - scep_conf->engine->cmds = NULL; - if(v_flag) - printf("%s: No engine cmds section defined\n", pname); - } - + // If there is a section specified in 'engine_section/cmds', store all those commands IN ORDER + char *cmds_section; + if((cmds_section = NCONF_get_string(conf, engine_section, SCEP_CONFIGURATION_ENGINE_CMDS))) { + if(!NCONF_get_section(conf, cmds_section)) { + fprintf(stderr, "%s: Section %s defined but not found!\n", pname, cmds_section); + exit(SCEP_PKISTATUS_FILE); + } + + // A cmds section was specified. 
Read all values in there and store for later passing to the engine + if(d_flag) + printf("%s: Engine Cmds Section %s found and processing it\n", pname, cmds_section); + + STACK_OF(CONF_VALUE) *section; + section = NCONF_get_section(conf, cmds_section); + int number_of_cmds = sk_CONF_VALUE_num(section); + if(d_flag) + printf("%s: There are %d engine commands\n", pname, number_of_cmds); + scep_conf->engine->cmds = OPENSSL_malloc((number_of_cmds+1) * sizeof(NAME_VALUE_PAIR*)); + + int i; + for(i=0; iname, conf_value->value); + scep_conf->engine->cmds[i] = NAME_VALUE_PAIR_new(conf_value->name, conf_value->value); + } + + // NULL terminate the array to indicate where it ends + scep_conf->engine->cmds[number_of_cmds] = NULL; + } else { + scep_conf->engine->cmds = NULL; + if(v_flag) + printf("%s: No engine cmds section defined\n", pname); + } + } @@ -552,7 +549,7 @@ void scep_dump_conf() { printf("Option: %s, Flag: %i, Value: %s\n", names[i], flags[i], chars[i]); } } else { - fprintf(stderr, "Length of Arrays does not match! Flags: %i, Chars: %i, Names: %i\n", + fprintf(stderr, "Length of Arrays does not match! Flags: %li, Chars: %li, Names: %li\n", sizeof(flags)/sizeof(int), sizeof(chars)/sizeof(char *), sizeof(names)/sizeof(char *) diff --git a/fileutils.c b/fileutils.c index e7fc047..a96db03 100644 --- a/fileutils.c +++ b/fileutils.c @@ -63,7 +63,7 @@ compare_subject(X509 * cert) char buffer[1024]; int rc = X509_NAME_cmp(X509_get_subject_name(cert), X509_REQ_get_subject_name(request)); if(d_flag) { - fprintf(stderr, "Subject of the returned certificate: %s\n", X509_get_subject_name(cert)); + fprintf(stderr, "Subject of the returned certificate: %s\n", X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)); fprintf(stderr, "Subject of the request: %s\n", X509_NAME_oneline(X509_REQ_get_subject_name(request), buffer, sizeof(buffer)) ); diff --git a/ias.c b/ias.c index bf1fb11..ec7a9ad 100644 --- a/ias.c +++ b/ias.c 
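Review bot: The result of `OPENSSL_malloc((number_of_cmds+1) * sizeof(NAME_VALUE_PAIR*))` is stored into scep_conf->engine->cmds and indexed in the loop without a NULL check, so an allocation failure becomes a NULL dereference instead of an explicit exit like the `exit(SCEP_PKISTATUS_FILE)` path a few lines above for the missing section; the NAME_VALUE_PAIR_new() results stored into the array are not checked either. A check right after the allocation keeps the file's error style, `if(!scep_conf->engine->cmds) error_memory();`, if the error_memory() helper that sscep.c uses for the same situation is reachable from configuration.c. The loop body is garbled in this view (the `for` line reads `for(i=0; iname, ...`), so I could not review it line by line; scep_conf_load() starts outside the hunk.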
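Review bot: `%li` does not match the `sizeof(...)/sizeof(...)` arguments, which have type size_t; on LP64 it happens to line up, but on LLP64 Windows builds (this file carries WIN32-specific code, see `char *windir;` in the @@ -54 hunk) long is 32-bit and the call is undefined behaviour, so the change trades one -Wformat warning for a platform-dependent one. The matching conversion is `%zu`: `fprintf(stderr, "Length of Arrays does not match! Flags: %zu, Chars: %zu, Names: %zu\n",`. If a toolchain in use predates %zu support, cast each argument to unsigned long and use `%lu` instead. scep_dump_conf() begins outside the hunk.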
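Review bot: Passing NULL as the buffer makes X509_NAME_oneline() allocate the returned string, and the new line never frees it, so every debug print of a returned certificate leaks that allocation; the very next line shows the non-allocating form using the local `buffer` for the request subject. Either reuse that form, `X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer))`, or keep the pointer and release it: `char *subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); fprintf(stderr, "Subject of the returned certificate: %s\n", subj); OPENSSL_free(subj);`. The leak is confined to the d_flag path; compare_subject() starts outside the hunk.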
@@ -14,47 +14,12 @@ #include "sscep.h" #include "ias.h" -int i2d_pkcs7_issuer_and_subject(pkcs7_issuer_and_subject *a, - unsigned char **pp) { +ASN1_SEQUENCE(PKCS7_ISSUER_AND_SUBJECT) = { + ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, subject, X509_NAME), + ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, issuer, X509_NAME), +} ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SUBJECT) - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->issuer,i2d_X509_NAME); - M_ASN1_I2D_len(a->subject,i2d_X509_NAME); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(a->issuer,i2d_X509_NAME); - M_ASN1_I2D_put(a->subject,i2d_X509_NAME); - M_ASN1_I2D_finish(); -} - -pkcs7_issuer_and_subject * -d2i_pkcs7_issuer_and_subject(pkcs7_issuer_and_subject **a, - unsigned char **pp, long length) { - - M_ASN1_D2I_vars(a, pkcs7_issuer_and_subject *, - pkcs7_issuer_and_subject_new); - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME); - M_ASN1_D2I_get(ret->subject,d2i_X509_NAME); - M_ASN1_D2I_Finish(a,pkcs7_issuer_and_subject_free, 99); -} - -pkcs7_issuer_and_subject *pkcs7_issuer_and_subject_new(void) { - - pkcs7_issuer_and_subject *ret=NULL; - ASN1_CTX c; - M_ASN1_New_Malloc(ret,pkcs7_issuer_and_subject); - M_ASN1_New(ret->issuer,X509_NAME_new); - M_ASN1_New(ret->subject,X509_NAME_new); - return(ret); - M_ASN1_New_Error(199); -} - -void pkcs7_issuer_and_subject_free(pkcs7_issuer_and_subject *a) { - - if (a == NULL) return; - X509_NAME_free(a->issuer); - M_ASN1_INTEGER_free(a->subject); - OPENSSL_free(a); -} +IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT); +IMPLEMENT_ASN1_PRINT_FUNCTION(PKCS7_ISSUER_AND_SUBJECT); +IMPLEMENT_ASN1_PRINT_FUNCTION(PKCS7_ISSUER_AND_SERIAL); \ No newline at end of file diff --git a/ias.h b/ias.h index 470d908..b3d1f5a 100644 --- a/ias.h +++ b/ias.h 
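Review bot: The new template encodes `subject` before `issuer`, while the removed i2d/d2i code emitted and parsed issuer first (`M_ASN1_I2D_put(a->issuer, ...)` then `a->subject`, and the same order in `M_ASN1_D2I_get`), and the struct in sscep.h still lists issuer first, so the DER produced for GetCertInitial changes its field order with this commit. Unless a deliberate wire-format change is intended, swap the two entries: `ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, issuer, X509_NAME),` followed by `ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, subject, X509_NAME),`. The trailing `;` after each IMPLEMENT_ASN1_* line is most likely a stray empty declaration at file scope, since those macros expand to function definitions; dropping it avoids -Wpedantic warnings.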
@@ -7,17 +7,7 @@ /* Macros */ -#define i2d_pkcs7_issuer_and_subject_bio(bp, ias) \ - ASN1_i2d_bio(i2d_pkcs7_issuer_and_subject, bp, (unsigned char *)ias) -#define i2d_PKCS7_ISSUER_AND_SERIAL_bio(bp, ias) \ - ASN1_i2d_bio(i2d_PKCS7_ISSUER_AND_SERIAL, bp, (unsigned char *)ias) - -/* Routines */ -int i2d_pkcs7_issuer_and_subject(pkcs7_issuer_and_subject *, unsigned char **); -pkcs7_issuer_and_subject * -d2i_pkcs7_issuer_and_subject(pkcs7_issuer_and_subject **, unsigned char **, - long length); -pkcs7_issuer_and_subject *pkcs7_issuer_and_subject_new(void); -void pkcs7_issuer_and_subject_free(pkcs7_issuer_and_subject *); - +DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT); +DECLARE_ASN1_PRINT_FUNCTION(PKCS7_ISSUER_AND_SUBJECT); +DECLARE_ASN1_PRINT_FUNCTION(PKCS7_ISSUER_AND_SERIAL); \ No newline at end of file diff --git a/init.c b/init.c index 621c9bb..eff856d 100644 --- a/init.c +++ b/init.c @@ -15,7 +15,7 @@ void init_config(FILE *conf) { char buff[1024]; char *str1, *str2; - int k, i, lines; + int i, lines; lines = 0; while (fgets(buff, 1024, conf)) { @@ -38,12 +38,11 @@ init_config(FILE *conf) { /* fetch key and value: */ - k = 0; str1 = get_string(&buff[i]); i += strlen(&buff[i])+1; for ( ; isspace(buff[i]) ; i++ ) ; - k = 1; + str2 = get_string(&buff[i]); /* if not found... */ diff --git a/net.c b/net.c index 2bded32..5ea60e7 100644 --- a/net.c +++ b/net.c @@ -197,10 +197,10 @@ send_msg(struct http_reply *http,char *msg,char *host,int port,int operation) { return (0); mime_err: -if (v_flag) - fprintf(stderr, "%s: wrong (or missing) MIME content type\n", pname); - return (1); + if (v_flag) + fprintf(stderr, "%s: wrong (or missing) MIME content type\n", pname); + return (1); } /* URL-encode the input and return back encoded string */ diff --git a/pkcs7.c b/pkcs7.c index 4f66d98..3efec63 100644 --- a/pkcs7.c +++ b/pkcs7.c 
@@ -9,9 +9,15 @@ #include "sscep.h" #include "ias.h" +unsigned char* generate_nonce(int len) { + unsigned char * nonce = malloc(len); + RAND_bytes(nonce, len); + return nonce; +} + /* * Wrap data in PKCS#7 envelopes and base64-encode the result. - * Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject + * Data is PKCS#10 request in PKCSReq, or PKCS7_ISSUER_AND_SUBJECT * structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in * GetCert and GETCrl. */ @@ -31,13 +37,11 @@ int pkcs7_wrap(struct scep *s) { STACK_OF(X509_ATTRIBUTE) *attributes; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; - X509_REQ *reqcsr = NULL; /* Create a new sender nonce for all messages * XXXXXXXXXXXXXX should it be per transaction? */ s->sender_nonce_len = 16; - s->sender_nonce = malloc(s->sender_nonce_len); - RAND_bytes(s->sender_nonce, s->sender_nonce_len); + s->sender_nonce = generate_nonce(s->sender_nonce_len); /* Prepare data payload */ switch(s->request_type) { @@ -86,8 +90,8 @@ int pkcs7_wrap(struct scep *s) { /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); - if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio, - s->ias_getcertinit)) <= 0) { + if ((rc = PKCS7_ISSUER_AND_SUBJECT_print_ctx(databio, + s->ias_getcertinit, 0, NULL)) <= 0) { fprintf(stderr, "%s: error writing " "GetCertInitial data in bio\n", pname); ERR_print_errors_fp(stderr); @@ -105,8 +109,8 @@ int pkcs7_wrap(struct scep *s) { /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); - if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, - s->ias_getcert)) <= 0) { + if ((rc = PKCS7_ISSUER_AND_SERIAL_print_ctx(databio, + s->ias_getcert, 0, NULL)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); 
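Review bot: generate_nonce() returns the buffer regardless of what malloc() and RAND_bytes() did: RAND_bytes() returns 1 only when it actually filled the buffer, so on failure the senderNonce is whatever uninitialised memory malloc() handed back, and a NULL from malloc() is passed straight to RAND_bytes(). Check both results and return NULL on failure, and have the caller in the @@ -31 hunk treat NULL like the other error paths in pkcs7_wrap() (`fprintf(stderr, ...)`, `ERR_print_errors_fp(stderr)`, exit), since s->sender_nonce is used later without a check. A header comment stating ownership would also help: `/* Returns a malloc()ed buffer of len random bytes, or NULL on failure; the caller frees it. */`
```c
unsigned char* generate_nonce(int len) {
    unsigned char *nonce;

    if (len <= 0 || (nonce = malloc((size_t) len)) == NULL)
        return NULL;
    /* RAND_bytes() returns 1 on success; anything else leaves nonce unfilled */
    if (RAND_bytes(nonce, len) != 1) {
        free(nonce);
        return NULL;
    }
    return nonce;
}
```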
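Review bot: PKCS7_ISSUER_AND_SUBJECT_print_ctx() writes a human-readable dump of the structure into databio rather than its DER encoding, so what is read back out of databio as the GetCertInitial payload is text, not the ASN.1 sequence the removed i2d_pkcs7_issuer_and_subject_bio() macro produced; the @@ -105 hunk and the @@ -124 hunk make the same substitution for PKCS7_ISSUER_AND_SERIAL, and a positive return from a print function says nothing about the encoding. The DER equivalents are `rc = ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SUBJECT), databio, s->ias_getcertinit);` and `rc = ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), databio, s->ias_getcert);` (likewise for ias_getcrl), which need no project macro now that ias.c defines the item template. I cannot see the consumer of databio in these hunks; pkcs7_wrap() begins and ends outside them.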
@@ -124,8 +128,8 @@ int pkcs7_wrap(struct scep *s) { /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); - if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, - s->ias_getcrl)) <= 0) { + if ((rc = PKCS7_ISSUER_AND_SERIAL_print_ctx(databio, + s->ias_getcrl, 0, NULL)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); @@ -182,7 +186,7 @@ int pkcs7_wrap(struct scep *s) { /* Create BIO for encryption */ if (d_flag){ - printf("\n %s: hexdump request payload \n", pname , i); + printf("\n %s: hexdump request payload\n", pname); for(i=0; i < s->request_len; i++ ){ printf("%02x", s->request_payload[i]); } @@ -333,15 +337,10 @@ int pkcs7_verify_unwrap(struct scep *s , char * cachainfile ) { BIO *memorybio; BIO *outbio; BIO *pkcs7bio; - int i, len, bytes, used; + int len, bytes, used; STACK_OF(PKCS7_SIGNER_INFO) *sk; - PKCS7 *p7; PKCS7_SIGNER_INFO *si; - STACK_OF(X509_ATTRIBUTE) *attribs; - char *p; unsigned char buffer[1024]; - X509 *recipientcert; - EVP_PKEY *recipientkey; X509 *signercert; FILE *fp; @@ -458,19 +457,19 @@ int pkcs7_verify_unwrap(struct scep *s , char * cachainfile ) { { #ifdef WIN32 - if ((fopen_s(&fp, w_char, "w"))) + if ((fopen_s(&fp, w_char, "w"))) #else - if (!(fp = fopen(w_char, "w"))) + if (!(fp = fopen(w_char, "w"))) #endif - { - fprintf(stderr, "%s: cannot open cert file for writing\n", - w_char); - exit (SCEP_PKISTATUS_FILE); - } - if (v_flag) - printf("%s: writing cert\n", w_char); - if (d_flag) - PEM_write_X509(stdout, signercert); + { + fprintf(stderr, "%s: cannot open cert file for writing\n", + w_char); + exit (SCEP_PKISTATUS_FILE); + } + if (v_flag) + printf("%s: writing cert\n", w_char); + if (d_flag) + PEM_write_X509(stdout, signercert); if (PEM_write_X509(fp, signercert) != 1) { fprintf(stderr, "%s: error while writing certificate " 
@@ -625,7 +624,7 @@ int pkcs7_unwrap(struct scep *s) { /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXX exit (SCEP_PKISTATUS_P7); */ } - s->reply_sender_nonce = p; + s->reply_sender_nonce = (unsigned char *) p; if (v_flag) { printf("%s: senderNonce in reply: ", pname); for (i = 0; i < 16; i++) { @@ -638,7 +637,7 @@ int pkcs7_unwrap(struct scep *s) { fprintf(stderr, "%s: cannot find recipientNonce\n", pname); exit (SCEP_PKISTATUS_P7); } - s->reply_recipient_nonce = p; + s->reply_recipient_nonce = (unsigned char *) p; if (v_flag) { printf("%s: recipientNonce in reply: ", pname); for (i = 0; i < 16; i++) { @@ -807,7 +806,7 @@ int add_attribute_string(STACK_OF(X509_ATTRIBUTE) *attrs, int nid, char *buffer) return (0); } -int add_attribute_octet(STACK_OF(X509_ATTRIBUTE) *attrs, int nid, char *buffer, +int add_attribute_octet(STACK_OF(X509_ATTRIBUTE) *attrs, int nid, unsigned char *buffer, int len) { ASN1_STRING *asn1_string = NULL; X509_ATTRIBUTE *x509_a; @@ -865,7 +864,7 @@ int get_signed_attribute(STACK_OF(X509_ATTRIBUTE) *attribs, int nid,int type, ch pname); exit (SCEP_PKISTATUS_P7); } - memcpy(*buffer, ASN1_STRING_data(asn1_type->value.asn1_string), len); + memcpy(*buffer, ASN1_STRING_get0_data(asn1_type->value.asn1_string), len); /* Add null terminator if it's a PrintableString */ if (type == V_ASN1_PRINTABLESTRING) { 
@@ -895,16 +894,14 @@ int get_attribute(STACK_OF(X509_ATTRIBUTE) *attribs, int required_nid, /* Find attribute */ for (i = 0; i < sk_X509_ATTRIBUTE_num(attribs); i++) { x509_attrib = sk_X509_ATTRIBUTE_value(attribs, i); - if (OBJ_cmp(x509_attrib->object, asn1_obj) == 0) { - if ((x509_attrib->value.set) && - (sk_ASN1_TYPE_num(x509_attrib->value.set) != 0)) { + if (OBJ_cmp(X509_ATTRIBUTE_get0_object(x509_attrib), asn1_obj) == 0) { + if (X509_ATTRIBUTE_count(x509_attrib) != 0) { if (*asn1_type != NULL) { fprintf(stderr, "%s: no value found", pname); exit (SCEP_PKISTATUS_P7); } - *asn1_type = - sk_ASN1_TYPE_value(x509_attrib->value.set, 0); + *asn1_type = X509_ATTRIBUTE_get0_type(x509_attrib, 0); } } } diff --git a/sceputils.c b/sceputils.c index a810229..29e371e 100644 --- a/sceputils.c +++ b/sceputils.c @@ -27,7 +27,7 @@ int new_transaction(struct scep *s) { s->fail_info_str = NULL; /* Set other variables */ - s->ias_getcertinit = pkcs7_issuer_and_subject_new(); + s->ias_getcertinit = PKCS7_ISSUER_AND_SUBJECT_new(); s->ias_getcert = PKCS7_ISSUER_AND_SERIAL_new(); s->ias_getcrl = PKCS7_ISSUER_AND_SERIAL_new(); @@ -47,7 +47,6 @@ int new_transaction(struct scep *s) { * Set also subjectAltName extension if found from request. */ int new_selfsigned(struct scep *s) { - unsigned char *ptr; X509 *cert; X509_NAME *subject; ASN1_INTEGER *serial; @@ -98,8 +97,8 @@ int new_selfsigned(struct scep *s) { exit (SCEP_PKISTATUS_SS); } /* Get serial no from transaction id */ - ptr = (unsigned char *)s->transaction_id; - if (!(serial = c2i_ASN1_INTEGER(NULL, &ptr, 32))) { + read_serial(&serial, (unsigned char **) &s->transaction_id, 32); + if (!serial) { fprintf(stderr, "%s: error converting serial\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_SS); 
@@ -230,7 +229,7 @@ key_fingerprint(X509_REQ *req) { MD5_CTX ctx; /* Assign space for ASCII presentation of the digest */ - str = (unsigned char *)malloc(2 * MD5_DIGEST_LENGTH + 1); + str = (char *)malloc(2 * MD5_DIGEST_LENGTH + 1); ret = str; /* Create new memory bio for reading the public key */ @@ -252,4 +251,17 @@ key_fingerprint(X509_REQ *req) { return(ret); } +/** + * c2i_ASN1_INTERNAL is not supported anymore since openssl 1.1.x. The only way to + * still get the ASN1_INTEGER is by using d2i_ASN1_INTERNAL instead. However, this requires + * the string to start with two additional octets. One for the type (integer: 0x02) and another + * one representing the data length (source_length). + */ +void read_serial(ASN1_INTEGER** target, unsigned char ** source, int source_len) { + const int buffer_len = source_len + 2; + const unsigned char * buffer = malloc(sizeof(unsigned char[buffer_len])); + + snprintf((char *) buffer, buffer_len, "%c%c%s", 2, source_len, *source); + *target = d2i_ASN1_INTEGER(NULL, &buffer, buffer_len); +} \ No newline at end of file diff --git a/sscep.c b/sscep.c index 05db853..2119d7b 100644 --- a/sscep.c +++ b/sscep.c @@ -76,7 +76,6 @@ main(int argc, char **argv) { BIO *bp; STACK_OF(X509) *nextcara = NULL; X509 *cert=NULL; - PKCS7 p7; int i; int required_option_space; @@ -227,7 +226,7 @@ main(int argc, char **argv) { M_char = realloc(M_char, required_option_space); if(!M_char) error_memory(); - strncat(M_char, "&", 1); + strcat(M_char, "&"); strncat(M_char, optarg, strlen(optarg)); } break; @@ -696,7 +695,6 @@ main(int argc, char **argv) { /* Get certs */ - p7 = *(scep_t.reply_p7); nextcara = scep_t.reply_p7->d.sign->cert; if (v_flag) { @@ -1000,7 +998,7 @@ main(int argc, char **argv) { /* Check payload */ scep_t.reply_len = reply.bytes; - scep_t.reply_payload = (unsigned char *)reply.payload; + scep_t.reply_payload = reply.payload; pkcs7_unwrap(&scep_t); pkistatus = scep_t.pki_status; 
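Review bot: snprintf() writes at most buffer_len-1 characters before the terminator, and buffer_len is exactly source_len + 2, so the last byte of the source is replaced by '\0': for the 32-byte transaction id passed from new_selfsigned() the INTEGER still parses but ends in 0x00 instead of the final character. `%s` also stops at the first NUL in the source, `%c` with source_len only yields a valid DER length octet for values below 128, d2i_ASN1_INTEGER() advances `buffer` so the malloc()ed block can never be freed, and the malloc() result is unchecked. Build the two header octets and copy the content with memcpy(), keep a separate cursor for d2i, and free the block afterwards (d2i copies the data), as below; the comment above the function should also name c2i_ASN1_INTEGER/d2i_ASN1_INTEGER rather than `*_INTERNAL`.
```c
void read_serial(ASN1_INTEGER** target, unsigned char ** source, int source_len) {
    const int buffer_len = source_len + 2;
    unsigned char *buffer = NULL;
    const unsigned char *cursor;

    *target = NULL;
    /* short-form DER only: one length octet covers content lengths below 128 */
    if (source_len < 0 || source_len > 127 || (buffer = malloc((size_t) buffer_len)) == NULL)
        return;
    buffer[0] = 0x02;                          /* INTEGER tag */
    buffer[1] = (unsigned char) source_len;    /* content length */
    memcpy(buffer + 2, *source, (size_t) source_len);
    cursor = buffer;
    *target = d2i_ASN1_INTEGER(NULL, &cursor, buffer_len);
    free(buffer);                              /* d2i copied the content */
}
```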
diff --git a/sscep.h b/sscep.h index bc0c444..645ab27 100644 --- a/sscep.h +++ b/sscep.h @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include @@ -61,7 +62,6 @@ #include #include #include -#include #include /* Global defines */ @@ -195,10 +195,10 @@ int pkistatus; /* GETCertInital data structure */ -typedef struct { +typedef struct PKCS7_ISSUER_AND_SUBJECT_st { X509_NAME *issuer; X509_NAME *subject; -} pkcs7_issuer_and_subject; +} PKCS7_ISSUER_AND_SUBJECT; /* HTTP reply structure */ struct http_reply { @@ -249,13 +249,13 @@ struct scep { PKCS7 *request_p7; unsigned char *request_payload; int request_len; - pkcs7_issuer_and_subject *ias_getcertinit; + PKCS7_ISSUER_AND_SUBJECT *ias_getcertinit; PKCS7_ISSUER_AND_SERIAL *ias_getcert; PKCS7_ISSUER_AND_SERIAL *ias_getcrl; /* Reply */ PKCS7 *reply_p7; - unsigned char *reply_payload; + char *reply_payload; int reply_len; /* Engine */ @@ -306,6 +306,9 @@ void read_cert(X509** cert, char* filename); /* Read certificate request and private key */ void read_request(void); +/* reads the serialnumber from a hex encoded string */ +void read_serial(ASN1_INTEGER** target, unsigned char ** source, int source_len); + /* Write CRL */ void write_crl(struct scep *); @@ -337,7 +340,7 @@ int pkcs7_unwrap(struct scep *); int add_attribute_string(STACK_OF(X509_ATTRIBUTE) *, int, char *); /* Add signed octet attribute */ -int add_attribute_octet(STACK_OF(X509_ATTRIBUTE) *, int, char *, int); +int add_attribute_octet(STACK_OF(X509_ATTRIBUTE) *, int, unsigned char *, int); /* Find signed attributes */ int get_signed_attribute(STACK_OF(X509_ATTRIBUTE) *, int, int, char **);
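Review bot: The comment on the new read_serial() declaration says it reads the serial number `from a hex encoded string`, but the implementation in sceputils.c uses the source bytes verbatim as the INTEGER content (no hex decoding), only produces a valid DER length octet for source_len below 128, and leaves *target NULL when decoding fails, which is what the caller in new_selfsigned() checks. A comment stating that contract keeps a future caller from decoding the hex first: `/* Wrap the first source_len bytes of *source (used as-is, not hex-decoded; source_len < 128) as a DER INTEGER and decode it into *target, NULL on failure */`. Declaring the input as `const unsigned char *source` would also spare the caller its `(unsigned char **) &s->transaction_id` cast, since the function does not write through it.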