Bug Summary

File:src/usr.bin/openssl/cms.c
Warning:line 291, column 31
Access to field 'next' results in a dereference of a null pointer (loaded from field 'key_param')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name cms.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/openssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/openssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/openssl/cms.c
1/* $OpenBSD: cms.c,v 1.28 2022/01/08 06:05:39 inoguchi Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54/* CMS utility function */
55
56#include <stdio.h>
57#include <string.h>
58
59#include "apps.h"
60
61#ifndef OPENSSL_NO_CMS
62
63#include <openssl/crypto.h>
64#include <openssl/err.h>
65#include <openssl/pem.h>
66#include <openssl/x509_vfy.h>
67#include <openssl/x509v3.h>
68
69#include <openssl/cms.h>
70
71static int save_certs(char *signerfile, STACK_OF(X509)struct stack_st_X509 *signers);
72static int cms_cb(int ok, X509_STORE_CTX *ctx);
73static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
74static CMS_ReceiptRequest *make_receipt_request(
75 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_to, int rr_allorfirst,
76 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_from);
77static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
78 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *param);
79
80#define SMIME_OP0x10 0x10
81#define SMIME_IP0x20 0x20
82#define SMIME_SIGNERS0x40 0x40
83#define SMIME_ENCRYPT(1 | 0x10) (1 | SMIME_OP0x10)
84#define SMIME_DECRYPT(2 | 0x20) (2 | SMIME_IP0x20)
85#define SMIME_SIGN(3 | 0x10 | 0x40) (3 | SMIME_OP0x10 | SMIME_SIGNERS0x40)
86#define SMIME_VERIFY(4 | 0x20) (4 | SMIME_IP0x20)
87#define SMIME_CMSOUT(5 | 0x20 | 0x10) (5 | SMIME_IP0x20 | SMIME_OP0x10)
88#define SMIME_RESIGN(6 | 0x20 | 0x10 | 0x40) (6 | SMIME_IP0x20 | SMIME_OP0x10 | SMIME_SIGNERS0x40)
89#define SMIME_DATAOUT(7 | 0x20) (7 | SMIME_IP0x20)
90#define SMIME_DATA_CREATE(8 | 0x10) (8 | SMIME_OP0x10)
91#define SMIME_DIGEST_VERIFY(9 | 0x20) (9 | SMIME_IP0x20)
92#define SMIME_DIGEST_CREATE(10 | 0x10) (10 | SMIME_OP0x10)
93#define SMIME_UNCOMPRESS(11 | 0x20) (11 | SMIME_IP0x20)
94#define SMIME_COMPRESS(12 | 0x10) (12 | SMIME_OP0x10)
95#define SMIME_ENCRYPTED_DECRYPT(13 | 0x20) (13 | SMIME_IP0x20)
96#define SMIME_ENCRYPTED_ENCRYPT(14 | 0x10) (14 | SMIME_OP0x10)
97#define SMIME_SIGN_RECEIPT(15 | 0x20 | 0x10) (15 | SMIME_IP0x20 | SMIME_OP0x10)
98#define SMIME_VERIFY_RECEIPT(16 | 0x20) (16 | SMIME_IP0x20)
99
100int verify_err = 0;
101
102struct cms_key_param {
103 int idx;
104 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *param;
105 struct cms_key_param *next;
106};
107
108static struct {
109 char *CAfile;
110 char *CApath;
111 X509 *cert;
112 char *certfile;
113 char *certsoutfile;
114 const EVP_CIPHER *cipher;
115 char *contfile;
116 ASN1_OBJECT *econtent_type;
117 STACK_OF(X509)struct stack_st_X509 *encerts;
118 int flags;
119 char *from;
120 char *infile;
121 int informat;
122 struct cms_key_param *key_first;
123 struct cms_key_param *key_param;
124 char *keyfile;
125 int keyform;
126 int noout;
127 int operation;
128 char *outfile;
129 int outformat;
130 char *passargin;
131 int print;
132 unsigned char *pwri_pass;
133 int rr_allorfirst;
134 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_from;
135 int rr_print;
136 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_to;
137 char *rctfile;
138 int rctformat;
139 char *recipfile;
140 unsigned char *secret_key;
141 unsigned char *secret_keyid;
142 size_t secret_keyidlen;
143 size_t secret_keylen;
144 const EVP_MD *sign_md;
145 char *signerfile;
146 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *skkeys;
147 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sksigners;
148 char *subject;
149 char *to;
150 int verify_retcode;
151 X509_VERIFY_PARAM *vpm;
152} cms_config;
153
154static const EVP_CIPHER *
155get_cipher_by_name(char *name)
156{
157 if (name == NULL((void*)0) || strcmp(name, "") == 0)
158 return (NULL((void*)0));
159#ifndef OPENSSL_NO_AES
160 else if (strcmp(name, "aes128") == 0)
161 return EVP_aes_128_cbc();
162 else if (strcmp(name, "aes192") == 0)
163 return EVP_aes_192_cbc();
164 else if (strcmp(name, "aes256") == 0)
165 return EVP_aes_256_cbc();
166#endif
167#ifndef OPENSSL_NO_CAMELLIA
168 else if (strcmp(name, "camellia128") == 0)
169 return EVP_camellia_128_cbc();
170 else if (strcmp(name, "camellia192") == 0)
171 return EVP_camellia_192_cbc();
172 else if (strcmp(name, "camellia256") == 0)
173 return EVP_camellia_256_cbc();
174#endif
175#ifndef OPENSSL_NO_DES
176 else if (strcmp(name, "des") == 0)
177 return EVP_des_cbc();
178 else if (strcmp(name, "des3") == 0)
179 return EVP_des_ede3_cbc();
180#endif
181#ifndef OPENSSL_NO_RC2
182 else if (!strcmp(name, "rc2-40"))
183 return EVP_rc2_40_cbc();
184 else if (!strcmp(name, "rc2-64"))
185 return EVP_rc2_64_cbc();
186 else if (!strcmp(name, "rc2-128"))
187 return EVP_rc2_cbc();
188#endif
189 else
190 return (NULL((void*)0));
191}
192
193static int
194cms_opt_cipher(int argc, char **argv, int *argsused)
195{
196 char *name = argv[0];
197
198 if (*name++ != '-')
199 return (1);
200
201 if ((cms_config.cipher = get_cipher_by_name(name)) == NULL((void*)0))
202 if ((cms_config.cipher = EVP_get_cipherbyname(name)) == NULL((void*)0))
203 return (1);
204
205 *argsused = 1;
206 return (0);
207}
208
209static int
210cms_opt_econtent_type(char *arg)
211{
212 ASN1_OBJECT_free(cms_config.econtent_type);
213
214 if ((cms_config.econtent_type = OBJ_txt2obj(arg, 0)) == NULL((void*)0)) {
215 BIO_printf(bio_err, "Invalid OID %s\n", arg);
216 return (1);
217 }
218 return (0);
219}
220
221static int
222cms_opt_inkey(char *arg)
223{
224 if (cms_config.keyfile == NULL((void*)0)) {
225 cms_config.keyfile = arg;
226 return (0);
227 }
228
229 if (cms_config.signerfile == NULL((void*)0)) {
230 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
231 return (1);
232 }
233
234 if (cms_config.sksigners == NULL((void*)0))
235 cms_config.sksigners = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
236 if (cms_config.sksigners == NULL((void*)0))
237 return (1);
238 if (!sk_OPENSSL_STRING_push(cms_config.sksigners, cms_config.signerfile)sk_push(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.signerfile : (char*)0))))
239 return (1);
240
241 cms_config.signerfile = NULL((void*)0);
242
243 if (cms_config.skkeys == NULL((void*)0))
244 cms_config.skkeys = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
245 if (cms_config.skkeys == NULL((void*)0))
246 return (1);
247 if (!sk_OPENSSL_STRING_push(cms_config.skkeys, cms_config.keyfile)sk_push(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.keyfile : (char*)0))))
248 return (1);
249
250 cms_config.keyfile = arg;
251 return (0);
252}
253
254static int
255cms_opt_keyopt(char *arg)
256{
257 int keyidx = -1;
258
259 if (cms_config.operation == SMIME_ENCRYPT(1 | 0x10)) {
1
Assuming the condition is true
2
Taking true branch
260 if (cms_config.encerts != NULL((void*)0))
3
Assuming field 'encerts' is not equal to NULL
4
Taking true branch
261 keyidx += sk_X509_num(cms_config.encerts)sk_num(((_STACK*) (1 ? (cms_config.encerts) : (struct stack_st_X509
*)0)));
5
'?' condition is true
262 } else {
263 if (cms_config.keyfile != NULL((void*)0) || cms_config.signerfile != NULL((void*)0))
264 keyidx++;
265 if (cms_config.skkeys != NULL((void*)0))
266 keyidx += sk_OPENSSL_STRING_num(cms_config.skkeys)sk_num(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)));
267 }
268
269 if (keyidx < 0) {
6
Assuming 'keyidx' is >= 0
7
Taking false branch
270 BIO_printf(bio_err, "No key specified\n");
271 return (1);
272 }
273
274 if (cms_config.key_param == NULL((void*)0) ||
8
Assuming field 'key_param' is equal to NULL
275 cms_config.key_param->idx != keyidx) {
276 struct cms_key_param *nparam;
277
278 if ((nparam = calloc(1, sizeof(struct cms_key_param))) == NULL((void*)0))
9
Assuming the condition is false
10
Taking false branch
279 return (1);
280
281 nparam->idx = keyidx;
282 if ((nparam->param = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null())) == NULL((void*)0)) {
11
Assuming the condition is false
12
Taking false branch
283 free(nparam);
284 return (1);
285 }
286
287 nparam->next = NULL((void*)0);
288 if (cms_config.key_first == NULL((void*)0))
13
Assuming field 'key_first' is not equal to NULL
14
Taking false branch
289 cms_config.key_first = nparam;
290 else
291 cms_config.key_param->next = nparam;
15
Access to field 'next' results in a dereference of a null pointer (loaded from field 'key_param')
292
293 cms_config.key_param = nparam;
294 }
295
296 if (!sk_OPENSSL_STRING_push(cms_config.key_param->param, arg)sk_push(((_STACK*) (1 ? cms_config.key_param->param : (struct
stack_st_OPENSSL_STRING*)0)), ((void*) (1 ? arg : (char*)0))
))
297 return (1);
298
299 return (0);
300}
301
302static int
303cms_opt_md(char *arg)
304{
305 if ((cms_config.sign_md = EVP_get_digestbyname(arg)) == NULL((void*)0)) {
306 BIO_printf(bio_err, "Unknown digest %s\n", arg);
307 return (1);
308 }
309 return (0);
310}
311
312static int
313cms_opt_print(void)
314{
315 cms_config.noout = 1;
316 cms_config.print = 1;
317 return (0);
318}
319
320static int
321cms_opt_pwri_pass(char *arg)
322{
323 cms_config.pwri_pass = (unsigned char *)arg;
324 return (0);
325}
326
327static int
328cms_opt_recip(char *arg)
329{
330 if (cms_config.operation == SMIME_ENCRYPT(1 | 0x10)) {
331 if (cms_config.encerts == NULL((void*)0)) {
332 if ((cms_config.encerts = sk_X509_new_null()((struct stack_st_X509 *)sk_new_null())) == NULL((void*)0))
333 return (1);
334 }
335
336 cms_config.cert = load_cert(bio_err, arg, FORMAT_PEM3,
337 NULL((void*)0), "recipient certificate file");
338 if (cms_config.cert == NULL((void*)0))
339 return (1);
340
341 if (!sk_X509_push(cms_config.encerts, cms_config.cert)sk_push(((_STACK*) (1 ? (cms_config.encerts) : (struct stack_st_X509
*)0)), ((void*) (1 ? (cms_config.cert) : (X509*)0))))
342 return (1);
343
344 cms_config.cert = NULL((void*)0);
345 } else {
346 cms_config.recipfile = arg;
347 }
348 return (0);
349}
350
351static int
352cms_opt_receipt_request_from(char *arg)
353{
354 if (cms_config.rr_from == NULL((void*)0))
355 cms_config.rr_from = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
356 if (cms_config.rr_from == NULL((void*)0))
357 return (1);
358 if (!sk_OPENSSL_STRING_push(cms_config.rr_from, arg)sk_push(((_STACK*) (1 ? cms_config.rr_from : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? arg : (char*)0))))
359 return (1);
360
361 return (0);
362}
363
364static int
365cms_opt_receipt_request_to(char *arg)
366{
367 if (cms_config.rr_to == NULL((void*)0))
368 cms_config.rr_to = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
369 if (cms_config.rr_to == NULL((void*)0))
370 return (1);
371 if (!sk_OPENSSL_STRING_push(cms_config.rr_to, arg)sk_push(((_STACK*) (1 ? cms_config.rr_to : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? arg : (char*)0))))
372 return (1);
373
374 return (0);
375}
376
377static int
378cms_opt_secretkey(char *arg)
379{
380 long ltmp;
381
382 free(cms_config.secret_key);
383
384 if ((cms_config.secret_key = string_to_hex(arg, &ltmp)) == NULL((void*)0)) {
385 BIO_printf(bio_err, "Invalid key %s\n", arg);
386 return (1);
387 }
388 cms_config.secret_keylen = (size_t)ltmp;
389 return (0);
390}
391
392static int
393cms_opt_secretkeyid(char *arg)
394{
395 long ltmp;
396
397 free(cms_config.secret_keyid);
398
399 if ((cms_config.secret_keyid = string_to_hex(arg, &ltmp)) == NULL((void*)0)) {
400 BIO_printf(bio_err, "Invalid id %s\n", arg);
401 return (1);
402 }
403 cms_config.secret_keyidlen = (size_t)ltmp;
404 return (0);
405}
406
407static int
408cms_opt_signer(char *arg)
409{
410 if (cms_config.signerfile == NULL((void*)0)) {
411 cms_config.signerfile = arg;
412 return (0);
413 }
414
415 if (cms_config.sksigners == NULL((void*)0))
416 cms_config.sksigners = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
417 if (cms_config.sksigners == NULL((void*)0))
418 return (1);
419 if (!sk_OPENSSL_STRING_push(cms_config.sksigners, cms_config.signerfile)sk_push(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.signerfile : (char*)0))))
420 return (1);
421
422 if (cms_config.keyfile == NULL((void*)0))
423 cms_config.keyfile = cms_config.signerfile;
424
425 if (cms_config.skkeys == NULL((void*)0))
426 cms_config.skkeys = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null());
427 if (cms_config.skkeys == NULL((void*)0))
428 return (1);
429 if (!sk_OPENSSL_STRING_push(cms_config.skkeys, cms_config.keyfile)sk_push(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.keyfile : (char*)0))))
430 return (1);
431
432 cms_config.keyfile = NULL((void*)0);
433
434 cms_config.signerfile = arg;
435 return (0);
436}
437
438static int
439cms_opt_verify_param(int argc, char **argv, int *argsused)
440{
441 int oargc = argc;
442 int badarg = 0;
443
444 if (!args_verify(&argv, &argc, &badarg, bio_err, &cms_config.vpm))
445 return (1);
446 if (badarg)
447 return (1);
448
449 *argsused = oargc - argc;
450
451 return (0);
452}
453
454static int
455cms_opt_verify_receipt(char *arg)
456{
457 cms_config.operation = SMIME_VERIFY_RECEIPT(16 | 0x20);
458 cms_config.rctfile = arg;
459 return (0);
460}
461
462static const struct option cms_options[] = {
463#ifndef OPENSSL_NO_AES
464 {
465 .name = "aes128",
466 .desc = "Encrypt PEM output with CBC AES",
467 .type = OPTION_ARGV_FUNC,
468 .opt.argvfunc = cms_opt_cipher,
469 },
470 {
471 .name = "aes192",
472 .desc = "Encrypt PEM output with CBC AES",
473 .type = OPTION_ARGV_FUNC,
474 .opt.argvfunc = cms_opt_cipher,
475 },
476 {
477 .name = "aes256",
478 .desc = "Encrypt PEM output with CBC AES",
479 .type = OPTION_ARGV_FUNC,
480 .opt.argvfunc = cms_opt_cipher,
481 },
482#endif
483#ifndef OPENSSL_NO_CAMELLIA
484 {
485 .name = "camellia128",
486 .desc = "Encrypt PEM output with CBC Camellia",
487 .type = OPTION_ARGV_FUNC,
488 .opt.argvfunc = cms_opt_cipher,
489 },
490 {
491 .name = "camellia192",
492 .desc = "Encrypt PEM output with CBC Camellia",
493 .type = OPTION_ARGV_FUNC,
494 .opt.argvfunc = cms_opt_cipher,
495 },
496 {
497 .name = "camellia256",
498 .desc = "Encrypt PEM output with CBC Camellia",
499 .type = OPTION_ARGV_FUNC,
500 .opt.argvfunc = cms_opt_cipher,
501 },
502#endif
503#ifndef OPENSSL_NO_DES
504 {
505 .name = "des",
506 .desc = "Encrypt with DES",
507 .type = OPTION_ARGV_FUNC,
508 .opt.argvfunc = cms_opt_cipher,
509 },
510 {
511 .name = "des3",
512 .desc = "Encrypt with triple DES (default)",
513 .type = OPTION_ARGV_FUNC,
514 .opt.argvfunc = cms_opt_cipher,
515 },
516#endif
517#ifndef OPENSSL_NO_RC2
518 {
519 .name = "rc2-40",
520 .desc = "Encrypt with RC2-40",
521 .type = OPTION_ARGV_FUNC,
522 .opt.argvfunc = cms_opt_cipher,
523 },
524 {
525 .name = "rc2-64",
526 .desc = "Encrypt with RC2-64",
527 .type = OPTION_ARGV_FUNC,
528 .opt.argvfunc = cms_opt_cipher,
529 },
530 {
531 .name = "rc2-128",
532 .desc = "Encrypt with RC2-128",
533 .type = OPTION_ARGV_FUNC,
534 .opt.argvfunc = cms_opt_cipher,
535 },
536#endif
537 {
538 .name = "CAfile",
539 .argname = "file",
540 .desc = "Certificate Authority file",
541 .type = OPTION_ARG,
542 .opt.arg = &cms_config.CAfile,
543 },
544 {
545 .name = "CApath",
546 .argname = "path",
547 .desc = "Certificate Authority path",
548 .type = OPTION_ARG,
549 .opt.arg = &cms_config.CApath,
550 },
551 {
552 .name = "binary",
553 .desc = "Do not translate message to text",
554 .type = OPTION_VALUE_OR,
555 .opt.value = &cms_config.flags,
556 .value = CMS_BINARY0x80,
557 },
558 {
559 .name = "certfile",
560 .argname = "file",
561 .desc = "Other certificates file",
562 .type = OPTION_ARG,
563 .opt.arg = &cms_config.certfile,
564 },
565 {
566 .name = "certsout",
567 .argname = "file",
568 .desc = "Certificate output file",
569 .type = OPTION_ARG,
570 .opt.arg = &cms_config.certsoutfile,
571 },
572 {
573 .name = "cmsout",
574 .desc = "Output CMS structure",
575 .type = OPTION_VALUE,
576 .opt.value = &cms_config.operation,
577 .value = SMIME_CMSOUT(5 | 0x20 | 0x10),
578 },
579 {
580 .name = "compress",
581 .desc = "Create CMS CompressedData type",
582 .type = OPTION_VALUE,
583 .opt.value = &cms_config.operation,
584 .value = SMIME_COMPRESS(12 | 0x10),
585 },
586 {
587 .name = "content",
588 .argname = "file",
589 .desc = "Supply or override content for detached signature",
590 .type = OPTION_ARG,
591 .opt.arg = &cms_config.contfile,
592 },
593 {
594 .name = "crlfeol",
595 .desc = "Use CRLF as EOL termination instead of CR only",
596 .type = OPTION_VALUE_OR,
597 .opt.value = &cms_config.flags,
598 .value = CMS_CRLFEOL0x800,
599 },
600 {
601 .name = "data_create",
602 .desc = "Create CMS Data type",
603 .type = OPTION_VALUE,
604 .opt.value = &cms_config.operation,
605 .value = SMIME_DATA_CREATE(8 | 0x10),
606 },
607 {
608 .name = "data_out",
609 .desc = "Output content from the input CMS Data type",
610 .type = OPTION_VALUE,
611 .opt.value = &cms_config.operation,
612 .value = SMIME_DATAOUT(7 | 0x20),
613 },
614 {
615 .name = "debug_decrypt",
616 .desc = "Set the CMS_DEBUG_DECRYPT flag when decrypting",
617 .type = OPTION_VALUE_OR,
618 .opt.value = &cms_config.flags,
619 .value = CMS_DEBUG_DECRYPT0x20000,
620 },
621 {
622 .name = "decrypt",
623 .desc = "Decrypt encrypted message",
624 .type = OPTION_VALUE,
625 .opt.value = &cms_config.operation,
626 .value = SMIME_DECRYPT(2 | 0x20),
627 },
628 {
629 .name = "digest_create",
630 .desc = "Create CMS DigestedData type",
631 .type = OPTION_VALUE,
632 .opt.value = &cms_config.operation,
633 .value = SMIME_DIGEST_CREATE(10 | 0x10),
634 },
635 {
636 .name = "digest_verify",
637 .desc = "Verify CMS DigestedData type and output the content",
638 .type = OPTION_VALUE,
639 .opt.value = &cms_config.operation,
640 .value = SMIME_DIGEST_VERIFY(9 | 0x20),
641 },
642 {
643 .name = "econtent_type",
644 .argname = "type",
645 .desc = "Set the encapsulated content type",
646 .type = OPTION_ARG_FUNC,
647 .opt.argfunc = cms_opt_econtent_type,
648 },
649 {
650 .name = "encrypt",
651 .desc = "Encrypt message",
652 .type = OPTION_VALUE,
653 .opt.value = &cms_config.operation,
654 .value = SMIME_ENCRYPT(1 | 0x10),
655 },
656 {
657 .name = "EncryptedData_decrypt",
658 .desc = "Decrypt CMS EncryptedData",
659 .type = OPTION_VALUE,
660 .opt.value = &cms_config.operation,
661 .value = SMIME_ENCRYPTED_DECRYPT(13 | 0x20),
662 },
663 {
664 .name = "EncryptedData_encrypt",
665 .desc = "Encrypt content using supplied symmetric key and algorithm",
666 .type = OPTION_VALUE,
667 .opt.value = &cms_config.operation,
668 .value = SMIME_ENCRYPTED_ENCRYPT(14 | 0x10),
669 },
670 {
671 .name = "from",
672 .argname = "addr",
673 .desc = "From address",
674 .type = OPTION_ARG,
675 .opt.arg = &cms_config.from,
676 },
677 {
678 .name = "in",
679 .argname = "file",
680 .desc = "Input file",
681 .type = OPTION_ARG,
682 .opt.arg = &cms_config.infile,
683 },
684 {
685 .name = "indef",
686 .desc = "Same as -stream",
687 .type = OPTION_VALUE_OR,
688 .opt.value = &cms_config.flags,
689 .value = CMS_STREAM0x1000,
690 },
691 {
692 .name = "inform",
693 .argname = "fmt",
694 .desc = "Input format (DER, PEM or SMIME (default))",
695 .type = OPTION_ARG_FORMAT,
696 .opt.value = &cms_config.informat,
697 },
698 {
699 .name = "inkey",
700 .argname = "file",
701 .desc = "Input key file",
702 .type = OPTION_ARG_FUNC,
703 .opt.argfunc = cms_opt_inkey,
704 },
705 {
706 .name = "keyform",
707 .argname = "fmt",
708 .desc = "Input key format (DER or PEM (default))",
709 .type = OPTION_ARG_FORMAT,
710 .opt.value = &cms_config.keyform,
711 },
712 {
713 .name = "keyid",
714 .desc = "Use subject key identifier",
715 .type = OPTION_VALUE_OR,
716 .opt.value = &cms_config.flags,
717 .value = CMS_USE_KEYID0x10000,
718 },
719 {
720 .name = "keyopt",
721 .argname = "nm:v",
722 .desc = "Set public key parameters",
723 .type = OPTION_ARG_FUNC,
724 .opt.argfunc = cms_opt_keyopt,
725 },
726 {
727 .name = "md",
728 .argname = "digest",
729 .desc = "Digest to use when signing or resigning",
730 .type = OPTION_ARG_FUNC,
731 .opt.argfunc = cms_opt_md,
732 },
733 {
734 .name = "no_attr_verify",
735 .desc = "Do not verify the signer's attribute of a signature",
736 .type = OPTION_VALUE_OR,
737 .opt.value = &cms_config.flags,
738 .value = CMS_NO_ATTR_VERIFY0x8,
739 },
740 {
741 .name = "no_content_verify",
742 .desc = "Do not verify the content of a signed message",
743 .type = OPTION_VALUE_OR,
744 .opt.value = &cms_config.flags,
745 .value = CMS_NO_CONTENT_VERIFY0x4,
746 },
747 {
748 .name = "no_signer_cert_verify",
749 .desc = "Do not verify the signer's certificate",
750 .type = OPTION_VALUE_OR,
751 .opt.value = &cms_config.flags,
752 .value = CMS_NO_SIGNER_CERT_VERIFY0x20,
753 },
754 {
755 .name = "noattr",
756 .desc = "Do not include any signed attributes",
757 .type = OPTION_VALUE_OR,
758 .opt.value = &cms_config.flags,
759 .value = CMS_NOATTR0x100,
760 },
761 {
762 .name = "nocerts",
763 .desc = "Do not include signer's certificate when signing",
764 .type = OPTION_VALUE_OR,
765 .opt.value = &cms_config.flags,
766 .value = CMS_NOCERTS0x2,
767 },
768 {
769 .name = "nodetach",
770 .desc = "Use opaque signing",
771 .type = OPTION_VALUE_AND,
772 .value = ~CMS_DETACHED0x40,
773 },
774 {
775 .name = "noindef",
776 .desc = "Disable CMS streaming",
777 .type = OPTION_VALUE_AND,
778 .value = ~CMS_STREAM0x1000,
779 },
780 {
781 .name = "nointern",
782 .desc = "Do not search certificates in message for signer",
783 .type = OPTION_VALUE_OR,
784 .opt.value = &cms_config.flags,
785 .value = CMS_NOINTERN0x10,
786 },
787 {
788 .name = "nooldmime",
789 .desc = "Output old S/MIME content type",
790 .type = OPTION_VALUE_OR,
791 .opt.value = &cms_config.flags,
792 .value = CMS_NOOLDMIMETYPE0x400,
793 },
794 {
795 .name = "noout",
796 .desc = "Do not output the parsed CMS structure",
797 .type = OPTION_FLAG,
798 .opt.flag = &cms_config.noout,
799 },
800 {
801 .name = "nosigs",
802 .desc = "Do not verify message signature",
803 .type = OPTION_VALUE_OR,
804 .opt.value = &cms_config.flags,
805 .value = CMS_NOSIGS(0x4|0x8),
806 },
807 {
808 .name = "nosmimecap",
809 .desc = "Omit the SMIMECapabilities attribute",
810 .type = OPTION_VALUE_OR,
811 .opt.value = &cms_config.flags,
812 .value = CMS_NOSMIMECAP0x200,
813 },
814 {
815 .name = "noverify",
816 .desc = "Do not verify signer's certificate",
817 .type = OPTION_VALUE_OR,
818 .opt.value = &cms_config.flags,
819 .value = CMS_NO_SIGNER_CERT_VERIFY0x20,
820 },
821 {
822 .name = "out",
823 .argname = "file",
824 .desc = "Output file",
825 .type = OPTION_ARG,
826 .opt.arg = &cms_config.outfile,
827 },
828 {
829 .name = "outform",
830 .argname = "fmt",
831 .desc = "Output format (DER, PEM or SMIME (default))",
832 .type = OPTION_ARG_FORMAT,
833 .opt.value = &cms_config.outformat,
834 },
835 {
836 .name = "passin",
837 .argname = "src",
838 .desc = "Private key password source",
839 .type = OPTION_ARG,
840 .opt.arg = &cms_config.passargin,
841 },
842 {
843 .name = "print",
844 .desc = "Print out all fields of the CMS structure for the -cmsout",
845 .type = OPTION_FUNC,
846 .opt.func = cms_opt_print,
847 },
848 {
849 .name = "pwri_password",
850 .argname = "arg",
851 .desc = "Specify PasswordRecipientInfo (PWRI) password to use",
852 .type = OPTION_ARG_FUNC,
853 .opt.argfunc = cms_opt_pwri_pass,
854 },
855 {
856 .name = "rctform",
857 .argname = "fmt",
858 .desc = "Receipt file format (DER, PEM or SMIME (default))",
859 .type = OPTION_ARG_FORMAT,
860 .opt.value = &cms_config.rctformat,
861 },
862 {
863 .name = "receipt_request_all",
864 .desc = "Indicate requests should be provided by all recipients",
865 .type = OPTION_VALUE,
866 .opt.value = &cms_config.rr_allorfirst,
867 .value = 0,
868 },
869 {
870 .name = "receipt_request_first",
871 .desc = "Indicate requests should be provided by first tier recipient",
872 .type = OPTION_VALUE,
873 .opt.value = &cms_config.rr_allorfirst,
874 .value = 1,
875 },
876 {
877 .name = "receipt_request_from",
878 .argname = "addr",
879 .desc = "Add explicit email address where receipts should be supplied",
880 .type = OPTION_ARG_FUNC,
881 .opt.argfunc = cms_opt_receipt_request_from,
882 },
883 {
884 .name = "receipt_request_print",
885 .desc = "Print out the contents of any signed receipt requests",
886 .type = OPTION_FLAG,
887 .opt.flag = &cms_config.rr_print,
888 },
889 {
890 .name = "receipt_request_to",
891 .argname = "addr",
892 .desc = "Add explicit email address where receipts should be sent to",
893 .type = OPTION_ARG_FUNC,
894 .opt.argfunc = cms_opt_receipt_request_to,
895 },
896 {
897 .name = "recip",
898 .argname = "file",
899 .desc = "Recipient certificate file for decryption",
900 .type = OPTION_ARG_FUNC,
901 .opt.argfunc = cms_opt_recip,
902 },
903 {
904 .name = "resign",
905 .desc = "Resign a signed message",
906 .type = OPTION_VALUE,
907 .opt.value = &cms_config.operation,
908 .value = SMIME_RESIGN(6 | 0x20 | 0x10 | 0x40),
909 },
910 {
911 .name = "secretkey",
912 .argname = "key",
913 .desc = "Specify symmetric key to use",
914 .type = OPTION_ARG_FUNC,
915 .opt.argfunc = cms_opt_secretkey,
916 },
917 {
918 .name = "secretkeyid",
919 .argname = "id",
920 .desc = "The key identifier for the supplied symmetric key",
921 .type = OPTION_ARG_FUNC,
922 .opt.argfunc = cms_opt_secretkeyid,
923 },
924 {
925 .name = "sign",
926 .desc = "Sign message",
927 .type = OPTION_VALUE,
928 .opt.value = &cms_config.operation,
929 .value = SMIME_SIGN(3 | 0x10 | 0x40),
930 },
931 {
932 .name = "sign_receipt",
933 .desc = "Generate a signed receipt for the message",
934 .type = OPTION_VALUE,
935 .opt.value = &cms_config.operation,
936 .value = SMIME_SIGN_RECEIPT(15 | 0x20 | 0x10),
937 },
938 {
939 .name = "signer",
940 .argname = "file",
941 .desc = "Signer certificate file",
942 .type = OPTION_ARG_FUNC,
943 .opt.argfunc = cms_opt_signer,
944 },
945 {
946 .name = "stream",
947 .desc = "Enable CMS streaming",
948 .type = OPTION_VALUE_OR,
949 .opt.value = &cms_config.flags,
950 .value = CMS_STREAM0x1000,
951 },
952 {
953 .name = "subject",
954 .argname = "s",
955 .desc = "Subject",
956 .type = OPTION_ARG,
957 .opt.arg = &cms_config.subject,
958 },
959 {
960 .name = "text",
961 .desc = "Include or delete text MIME headers",
962 .type = OPTION_VALUE_OR,
963 .opt.value = &cms_config.flags,
964 .value = CMS_TEXT0x1,
965 },
966 {
967 .name = "to",
968 .argname = "addr",
969 .desc = "To address",
970 .type = OPTION_ARG,
971 .opt.arg = &cms_config.to,
972 },
973 {
974 .name = "uncompress",
975 .desc = "Uncompress CMS CompressedData type",
976 .type = OPTION_VALUE,
977 .opt.value = &cms_config.operation,
978 .value = SMIME_UNCOMPRESS(11 | 0x20),
979 },
980 {
981 .name = "verify",
982 .desc = "Verify signed message",
983 .type = OPTION_VALUE,
984 .opt.value = &cms_config.operation,
985 .value = SMIME_VERIFY(4 | 0x20),
986 },
987 {
988 .name = "verify_receipt",
989 .argname = "file",
990 .desc = "Verify a signed receipt in file",
991 .type = OPTION_ARG_FUNC,
992 .opt.argfunc = cms_opt_verify_receipt,
993 },
994 {
995 .name = "verify_retcode",
996 .desc = "Set verification error code to exit code",
997 .type = OPTION_FLAG,
998 .opt.flag = &cms_config.verify_retcode,
999 },
1000 {
1001 .name = "check_ss_sig",
1002 .type = OPTION_ARGV_FUNC,
1003 .opt.argvfunc = cms_opt_verify_param,
1004 },
1005 {
1006 .name = "crl_check",
1007 .type = OPTION_ARGV_FUNC,
1008 .opt.argvfunc = cms_opt_verify_param,
1009 },
1010 {
1011 .name = "crl_check_all",
1012 .type = OPTION_ARGV_FUNC,
1013 .opt.argvfunc = cms_opt_verify_param,
1014 },
1015 {
1016 .name = "extended_crl",
1017 .type = OPTION_ARGV_FUNC,
1018 .opt.argvfunc = cms_opt_verify_param,
1019 },
1020 {
1021 .name = "ignore_critical",
1022 .type = OPTION_ARGV_FUNC,
1023 .opt.argvfunc = cms_opt_verify_param,
1024 },
1025 {
1026 .name = "issuer_checks",
1027 .type = OPTION_ARGV_FUNC,
1028 .opt.argvfunc = cms_opt_verify_param,
1029 },
1030 {
1031 .name = "policy",
1032 .type = OPTION_ARGV_FUNC,
1033 .opt.argvfunc = cms_opt_verify_param,
1034 },
1035 {
1036 .name = "policy_check",
1037 .type = OPTION_ARGV_FUNC,
1038 .opt.argvfunc = cms_opt_verify_param,
1039 },
1040 {
1041 .name = "purpose",
1042 .type = OPTION_ARGV_FUNC,
1043 .opt.argvfunc = cms_opt_verify_param,
1044 },
1045 {
1046 .name = "x509_strict",
1047 .type = OPTION_ARGV_FUNC,
1048 .opt.argvfunc = cms_opt_verify_param,
1049 },
1050 {
1051 .name = NULL((void*)0),
1052 .type = OPTION_ARGV_FUNC,
1053 .opt.argvfunc = cms_opt_cipher,
1054 },
1055 { NULL((void*)0) },
1056};
1057
1058static const struct option verify_shared_options[] = {
1059 {
1060 .name = "check_ss_sig",
1061 .desc = "Check the root CA self-signed certificate signature",
1062 },
1063 {
1064 .name = "crl_check",
1065 .desc = "Enable CRL checking for the leaf certificate",
1066 },
1067 {
1068 .name = "crl_check_all",
1069 .desc = "Enable CRL checking for the entire certificate chain",
1070 },
1071 {
1072 .name = "extended_crl",
1073 .desc = "Enable extended CRL support",
1074 },
1075 {
1076 .name = "ignore_critical",
1077 .desc = "Disable critical extension checking",
1078 },
1079 {
1080 .name = "issuer_checks",
1081 .desc = "Enable debugging of certificate issuer checks",
1082 },
1083 {
1084 .name = "policy",
1085 .argname = "name",
1086 .desc = "Add given policy to the acceptable set",
1087 },
1088 {
1089 .name = "policy_check",
1090 .desc = "Enable certificate policy checking",
1091 },
1092 {
1093 .name = "purpose",
1094 .argname = "name",
1095 .desc = "Verify for the given purpose",
1096 },
1097 {
1098 .name = "x509_strict",
1099 .desc = "Use strict X.509 rules (disables workarounds)",
1100 },
1101 { NULL((void*)0) },
1102};
1103
1104static void
1105cms_usage(void)
1106{
1107 int i;
1108
1109 fprintf(stderr(&__sF[2]), "usage: cms "
1110 "[-aes128 | -aes192 | -aes256 | -camellia128 |\n"
1111 " -camellia192 | -camellia256 | -des | -des3 |\n"
1112 " -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
1113 " [-CApath directory] [-binary] [-certfile file]\n"
1114 " [-certsout file] [-cmsout] [-compress] [-content file]\n"
1115 " [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n"
1116 " [-decrypt] [-digest_create] [-digest_verify]\n"
1117 " [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
1118 " [-EncryptedData_encrypt] [-from addr] [-in file]\n"
1119 " [-inform der | pem | smime] [-inkey file]\n"
1120 " [-keyform der | pem] [-keyid] [-keyopt nm:v] [-md digest]\n"
1121 " [-no_attr_verify] [-no_content_verify]\n"
1122 " [-no_signer_cert_verify] [-noattr] [-nocerts] [-nodetach]\n"
1123 " [-nointern] [-nooldmime] [-noout] [-nosigs] [-nosmimecap]\n"
1124 " [-noverify] [-out file] [-outform der | pem | smime]\n"
1125 " [-passin src] [-print] [-pwri_password arg]\n"
1126 " [-rctform der | pem | smime]\n"
1127 " [-receipt_request_all | -receipt_request_first]\n"
1128 " [-receipt_request_from addr] [-receipt_request_print]\n"
1129 " [-receipt_request_to addr] [-recip file] [-resign]\n"
1130 " [-secretkey key] [-secretkeyid id] [-sign] [-sign_receipt]\n"
1131 " [-signer file] [-stream | -indef | -noindef] [-subject s]\n"
1132 " [-text] [-to addr] [-uncompress] [-verify]\n"
1133 " [-verify_receipt file] [-verify_retcode] [cert.pem ...]\n\n");
1134
1135 options_usage(cms_options);
1136
1137 fprintf(stderr(&__sF[2]), "\nVerification options:\n\n");
1138 options_usage(verify_shared_options);
1139
1140 fprintf(stderr(&__sF[2]), "\nValid purposes:\n\n");
1141 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
1142 X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);
1143 fprintf(stderr(&__sF[2]), " %-18s%s\n", X509_PURPOSE_get0_sname(ptmp),
1144 X509_PURPOSE_get0_name(ptmp));
1145 }
1146}
1147
1148int
1149cms_main(int argc, char **argv)
1150{
1151 int ret = 0;
1152 char **args;
1153 int argsused = 0;
1154 const char *inmode = "r", *outmode = "w";
1155 CMS_ContentInfo *cms = NULL((void*)0), *rcms = NULL((void*)0);
1156 X509_STORE *store = NULL((void*)0);
1157 X509 *recip = NULL((void*)0), *signer = NULL((void*)0);
1158 EVP_PKEY *key = NULL((void*)0);
1159 STACK_OF(X509)struct stack_st_X509 *other = NULL((void*)0);
1160 BIO *in = NULL((void*)0), *out = NULL((void*)0), *indata = NULL((void*)0), *rctin = NULL((void*)0);
1161 int badarg = 0;
1162 CMS_ReceiptRequest *rr = NULL((void*)0);
1163 char *passin = NULL((void*)0);
1164 unsigned char *pwri_tmp = NULL((void*)0);
1165
1166 if (single_execution) {
1167 if (pledge("stdio rpath wpath cpath tty", NULL((void*)0)) == -1) {
1168 perror("pledge");
1169 exit(1);
1170 }
1171 }
1172
1173 memset(&cms_config, 0, sizeof(cms_config));
1174 cms_config.flags = CMS_DETACHED0x40;
1175 cms_config.rr_allorfirst = -1;
1176 cms_config.informat = FORMAT_SMIME6;
1177 cms_config.outformat = FORMAT_SMIME6;
1178 cms_config.rctformat = FORMAT_SMIME6;
1179 cms_config.keyform = FORMAT_PEM3;
1180 if (options_parse(argc, argv, cms_options, NULL((void*)0), &argsused) != 0) {
1181 goto argerr;
1182 }
1183 args = argv + argsused;
1184 ret = 1;
1185
1186 if (((cms_config.rr_allorfirst != -1) || cms_config.rr_from != NULL((void*)0)) &&
1187 cms_config.rr_to == NULL((void*)0)) {
1188 BIO_puts(bio_err, "No Signed Receipts Recipients\n");
1189 goto argerr;
1190 }
1191 if (!(cms_config.operation & SMIME_SIGNERS0x40) &&
1192 (cms_config.rr_to != NULL((void*)0) || cms_config.rr_from != NULL((void*)0))) {
1193 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
1194 goto argerr;
1195 }
1196 if (!(cms_config.operation & SMIME_SIGNERS0x40) &&
1197 (cms_config.skkeys != NULL((void*)0) || cms_config.sksigners != NULL((void*)0))) {
1198 BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
1199 goto argerr;
1200 }
1201 if (cms_config.operation & SMIME_SIGNERS0x40) {
1202 if (cms_config.keyfile != NULL((void*)0) &&
1203 cms_config.signerfile == NULL((void*)0)) {
1204 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
1205 goto argerr;
1206 }
1207 /* Check to see if any final signer needs to be appended */
1208 if (cms_config.signerfile != NULL((void*)0)) {
1209 if (cms_config.sksigners == NULL((void*)0) &&
1210 (cms_config.sksigners =
1211 sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null())) == NULL((void*)0))
1212 goto end;
1213 if (!sk_OPENSSL_STRING_push(cms_config.sksigners,sk_push(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.signerfile : (char*)0)))
1214 cms_config.signerfile)sk_push(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.signerfile : (char*)0))))
1215 goto end;
1216 if (cms_config.skkeys == NULL((void*)0) &&
1217 (cms_config.skkeys =
1218 sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)sk_new_null())) == NULL((void*)0))
1219 goto end;
1220 if (cms_config.keyfile == NULL((void*)0))
1221 cms_config.keyfile = cms_config.signerfile;
1222 if (!sk_OPENSSL_STRING_push(cms_config.skkeys,sk_push(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.keyfile : (char*)0)))
1223 cms_config.keyfile)sk_push(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)), ((void*) (1 ? cms_config.keyfile : (char*)0))))
1224 goto end;
1225 }
1226 if (cms_config.sksigners == NULL((void*)0)) {
1227 BIO_printf(bio_err,
1228 "No signer certificate specified\n");
1229 badarg = 1;
1230 }
1231 cms_config.signerfile = NULL((void*)0);
1232 cms_config.keyfile = NULL((void*)0);
1233 } else if (cms_config.operation == SMIME_DECRYPT(2 | 0x20)) {
1234 if (cms_config.recipfile == NULL((void*)0) &&
1235 cms_config.keyfile == NULL((void*)0) &&
1236 cms_config.secret_key == NULL((void*)0) &&
1237 cms_config.pwri_pass == NULL((void*)0)) {
1238 BIO_printf(bio_err,
1239 "No recipient certificate or key specified\n");
1240 badarg = 1;
1241 }
1242 } else if (cms_config.operation == SMIME_ENCRYPT(1 | 0x10)) {
1243 if (*args == NULL((void*)0) && cms_config.secret_key == NULL((void*)0) &&
1244 cms_config.pwri_pass == NULL((void*)0) &&
1245 cms_config.encerts == NULL((void*)0)) {
1246 BIO_printf(bio_err,
1247 "No recipient(s) certificate(s) specified\n");
1248 badarg = 1;
1249 }
1250 } else if (!cms_config.operation) {
1251 badarg = 1;
1252 }
1253
1254 if (badarg) {
1255 argerr:
1256 cms_usage();
1257 goto end;
1258 }
1259
1260 if (!app_passwd(bio_err, cms_config.passargin, NULL((void*)0), &passin, NULL((void*)0))) {
1261 BIO_printf(bio_err, "Error getting password\n");
1262 goto end;
1263 }
1264 ret = 2;
1265
1266 if (!(cms_config.operation & SMIME_SIGNERS0x40))
1267 cms_config.flags &= ~CMS_DETACHED0x40;
1268
1269 if (cms_config.operation & SMIME_OP0x10) {
1270 if (cms_config.outformat == FORMAT_ASN11)
1271 outmode = "wb";
1272 } else {
1273 if (cms_config.flags & CMS_BINARY0x80)
1274 outmode = "wb";
1275 }
1276
1277 if (cms_config.operation & SMIME_IP0x20) {
1278 if (cms_config.informat == FORMAT_ASN11)
1279 inmode = "rb";
1280 } else {
1281 if (cms_config.flags & CMS_BINARY0x80)
1282 inmode = "rb";
1283 }
1284
1285 if (cms_config.operation == SMIME_ENCRYPT(1 | 0x10)) {
1286 if (cms_config.cipher == NULL((void*)0)) {
1287#ifndef OPENSSL_NO_DES
1288 cms_config.cipher = EVP_des_ede3_cbc();
1289#else
1290 BIO_printf(bio_err, "No cipher selected\n");
1291 goto end;
1292#endif
1293 }
1294 if (cms_config.secret_key != NULL((void*)0) &&
1295 cms_config.secret_keyid == NULL((void*)0)) {
1296 BIO_printf(bio_err, "No secret key id\n");
1297 goto end;
1298 }
1299 if (*args != NULL((void*)0) && cms_config.encerts == NULL((void*)0))
1300 if ((cms_config.encerts = sk_X509_new_null()((struct stack_st_X509 *)sk_new_null())) == NULL((void*)0))
1301 goto end;
1302 while (*args) {
1303 if ((cms_config.cert = load_cert(bio_err, *args,
1304 FORMAT_PEM3, NULL((void*)0),
1305 "recipient certificate file")) == NULL((void*)0))
1306 goto end;
1307 if (!sk_X509_push(cms_config.encerts, cms_config.cert)sk_push(((_STACK*) (1 ? (cms_config.encerts) : (struct stack_st_X509
*)0)), ((void*) (1 ? (cms_config.cert) : (X509*)0))))
1308 goto end;
1309 cms_config.cert = NULL((void*)0);
1310 args++;
1311 }
1312 }
1313 if (cms_config.certfile != NULL((void*)0)) {
1314 if ((other = load_certs(bio_err, cms_config.certfile,
1315 FORMAT_PEM3, NULL((void*)0), "certificate file")) == NULL((void*)0)) {
1316 ERR_print_errors(bio_err);
1317 goto end;
1318 }
1319 }
1320 if (cms_config.recipfile != NULL((void*)0) &&
1321 (cms_config.operation == SMIME_DECRYPT(2 | 0x20))) {
1322 if ((recip = load_cert(bio_err, cms_config.recipfile,
1323 FORMAT_PEM3, NULL((void*)0), "recipient certificate file")) == NULL((void*)0)) {
1324 ERR_print_errors(bio_err);
1325 goto end;
1326 }
1327 }
1328 if (cms_config.operation == SMIME_SIGN_RECEIPT(15 | 0x20 | 0x10)) {
1329 if ((signer = load_cert(bio_err, cms_config.signerfile,
1330 FORMAT_PEM3, NULL((void*)0),
1331 "receipt signer certificate file")) == NULL((void*)0)) {
1332 ERR_print_errors(bio_err);
1333 goto end;
1334 }
1335 }
1336 if (cms_config.operation == SMIME_DECRYPT(2 | 0x20)) {
1337 if (cms_config.keyfile == NULL((void*)0))
1338 cms_config.keyfile = cms_config.recipfile;
1339 } else if ((cms_config.operation == SMIME_SIGN(3 | 0x10 | 0x40)) ||
1340 (cms_config.operation == SMIME_SIGN_RECEIPT(15 | 0x20 | 0x10))) {
1341 if (cms_config.keyfile == NULL((void*)0))
1342 cms_config.keyfile = cms_config.signerfile;
1343 } else {
1344 cms_config.keyfile = NULL((void*)0);
1345 }
1346
1347 if (cms_config.keyfile != NULL((void*)0)) {
1348 key = load_key(bio_err, cms_config.keyfile, cms_config.keyform,
1349 0, passin, "signing key file");
1350 if (key == NULL((void*)0))
1351 goto end;
1352 }
1353 if (cms_config.infile != NULL((void*)0)) {
1354 if ((in = BIO_new_file(cms_config.infile, inmode)) == NULL((void*)0)) {
1355 BIO_printf(bio_err,
1356 "Can't open input file %s\n", cms_config.infile);
1357 goto end;
1358 }
1359 } else {
1360 if ((in = BIO_new_fp(stdin(&__sF[0]), BIO_NOCLOSE0x00)) == NULL((void*)0))
1361 goto end;
1362 }
1363
1364 if (cms_config.operation & SMIME_IP0x20) {
1365 if (cms_config.informat == FORMAT_SMIME6)
1366 cms = SMIME_read_CMS(in, &indata);
1367 else if (cms_config.informat == FORMAT_PEM3)
1368 cms = PEM_read_bio_CMS(in, NULL((void*)0), NULL((void*)0), NULL((void*)0));
1369 else if (cms_config.informat == FORMAT_ASN11)
1370 cms = d2i_CMS_bio(in, NULL((void*)0));
1371 else {
1372 BIO_printf(bio_err, "Bad input format for CMS file\n");
1373 goto end;
1374 }
1375
1376 if (cms == NULL((void*)0)) {
1377 BIO_printf(bio_err, "Error reading S/MIME message\n");
1378 goto end;
1379 }
1380 if (cms_config.contfile != NULL((void*)0)) {
1381 BIO_free(indata);
1382 if ((indata = BIO_new_file(cms_config.contfile,
1383 "rb")) == NULL((void*)0)) {
1384 BIO_printf(bio_err,
1385 "Can't read content file %s\n",
1386 cms_config.contfile);
1387 goto end;
1388 }
1389 }
1390 if (cms_config.certsoutfile != NULL((void*)0)) {
1391 STACK_OF(X509)struct stack_st_X509 *allcerts;
1392 if ((allcerts = CMS_get1_certs(cms)) == NULL((void*)0))
1393 goto end;
1394 if (!save_certs(cms_config.certsoutfile, allcerts)) {
1395 BIO_printf(bio_err,
1396 "Error writing certs to %s\n",
1397 cms_config.certsoutfile);
1398 ret = 5;
1399 goto end;
1400 }
1401 sk_X509_pop_free(allcerts, X509_free)sk_pop_free(((_STACK*) (1 ? (allcerts) : (struct stack_st_X509
*)0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509
*))0))));
1402 }
1403 }
1404 if (cms_config.rctfile != NULL((void*)0)) {
1405 char *rctmode = (cms_config.rctformat == FORMAT_ASN11) ?
1406 "rb" : "r";
1407 if ((rctin = BIO_new_file(cms_config.rctfile, rctmode)) == NULL((void*)0)) {
1408 BIO_printf(bio_err,
1409 "Can't open receipt file %s\n", cms_config.rctfile);
1410 goto end;
1411 }
1412 if (cms_config.rctformat == FORMAT_SMIME6)
1413 rcms = SMIME_read_CMS(rctin, NULL((void*)0));
1414 else if (cms_config.rctformat == FORMAT_PEM3)
1415 rcms = PEM_read_bio_CMS(rctin, NULL((void*)0), NULL((void*)0), NULL((void*)0));
1416 else if (cms_config.rctformat == FORMAT_ASN11)
1417 rcms = d2i_CMS_bio(rctin, NULL((void*)0));
1418 else {
1419 BIO_printf(bio_err, "Bad input format for receipt\n");
1420 goto end;
1421 }
1422
1423 if (rcms == NULL((void*)0)) {
1424 BIO_printf(bio_err, "Error reading receipt\n");
1425 goto end;
1426 }
1427 }
1428 if (cms_config.outfile != NULL((void*)0)) {
1429 if ((out = BIO_new_file(cms_config.outfile, outmode)) == NULL((void*)0)) {
1430 BIO_printf(bio_err,
1431 "Can't open output file %s\n", cms_config.outfile);
1432 goto end;
1433 }
1434 } else {
1435 if ((out = BIO_new_fp(stdout(&__sF[1]), BIO_NOCLOSE0x00)) == NULL((void*)0))
1436 goto end;
1437 }
1438
1439 if ((cms_config.operation == SMIME_VERIFY(4 | 0x20)) ||
1440 (cms_config.operation == SMIME_VERIFY_RECEIPT(16 | 0x20))) {
1441 if ((store = setup_verify(bio_err, cms_config.CAfile,
1442 cms_config.CApath)) == NULL((void*)0))
1443 goto end;
1444 X509_STORE_set_verify_cb(store, cms_cb);
1445 if (cms_config.vpm != NULL((void*)0)) {
1446 if (!X509_STORE_set1_param(store, cms_config.vpm))
1447 goto end;
1448 }
1449 }
1450 ret = 3;
1451
1452 if (cms_config.operation == SMIME_DATA_CREATE(8 | 0x10)) {
1453 cms = CMS_data_create(in, cms_config.flags);
1454 } else if (cms_config.operation == SMIME_DIGEST_CREATE(10 | 0x10)) {
1455 cms = CMS_digest_create(in, cms_config.sign_md,
1456 cms_config.flags);
1457 } else if (cms_config.operation == SMIME_COMPRESS(12 | 0x10)) {
1458 cms = CMS_compress(in, -1, cms_config.flags);
1459 } else if (cms_config.operation == SMIME_ENCRYPT(1 | 0x10)) {
1460 int i;
1461 cms_config.flags |= CMS_PARTIAL0x4000;
1462 cms = CMS_encrypt(NULL((void*)0), in, cms_config.cipher,
1463 cms_config.flags);
1464 if (cms == NULL((void*)0))
1465 goto end;
1466 for (i = 0; i < sk_X509_num(cms_config.encerts)sk_num(((_STACK*) (1 ? (cms_config.encerts) : (struct stack_st_X509
*)0))); i++) {
1467 CMS_RecipientInfo *ri;
1468 struct cms_key_param *kparam;
1469 int tflags = cms_config.flags;
1470 X509 *x;
1471
1472 if ((x = sk_X509_value(cms_config.encerts, i)((X509 *)sk_value(((_STACK*) (1 ? (cms_config.encerts) : (struct
stack_st_X509*)0)), (i)))) == NULL((void*)0))
1473 goto end;
1474 for (kparam = cms_config.key_first; kparam != NULL((void*)0);
1475 kparam = kparam->next) {
1476 if (kparam->idx == i) {
1477 tflags |= CMS_KEY_PARAM0x40000;
1478 break;
1479 }
1480 }
1481 ri = CMS_add1_recipient_cert(cms, x, tflags);
1482 if (ri == NULL((void*)0))
1483 goto end;
1484 if (kparam != NULL((void*)0)) {
1485 EVP_PKEY_CTX *pctx;
1486 if ((pctx = CMS_RecipientInfo_get0_pkey_ctx(
1487 ri)) == NULL((void*)0))
1488 goto end;
1489 if (!cms_set_pkey_param(pctx, kparam->param))
1490 goto end;
1491 }
1492 }
1493
1494 if (cms_config.secret_key != NULL((void*)0)) {
1495 if (CMS_add0_recipient_key(cms, NID_undef0,
1496 cms_config.secret_key, cms_config.secret_keylen,
1497 cms_config.secret_keyid, cms_config.secret_keyidlen,
1498 NULL((void*)0), NULL((void*)0), NULL((void*)0)) == NULL((void*)0))
1499 goto end;
1500 /* NULL these because call absorbs them */
1501 cms_config.secret_key = NULL((void*)0);
1502 cms_config.secret_keyid = NULL((void*)0);
1503 }
1504 if (cms_config.pwri_pass != NULL((void*)0)) {
1505 pwri_tmp = strdup(cms_config.pwri_pass);
1506 if (pwri_tmp == NULL((void*)0))
1507 goto end;
1508 if (CMS_add0_recipient_password(cms, -1, NID_undef0,
1509 NID_undef0, pwri_tmp, -1, NULL((void*)0)) == NULL((void*)0))
1510 goto end;
1511 pwri_tmp = NULL((void*)0);
1512 }
1513 if (!(cms_config.flags & CMS_STREAM0x1000)) {
1514 if (!CMS_final(cms, in, NULL((void*)0), cms_config.flags))
1515 goto end;
1516 }
1517 } else if (cms_config.operation == SMIME_ENCRYPTED_ENCRYPT(14 | 0x10)) {
1518 cms = CMS_EncryptedData_encrypt(in, cms_config.cipher,
1519 cms_config.secret_key, cms_config.secret_keylen,
1520 cms_config.flags);
1521
1522 } else if (cms_config.operation == SMIME_SIGN_RECEIPT(15 | 0x20 | 0x10)) {
1523 CMS_ContentInfo *srcms = NULL((void*)0);
1524 STACK_OF(CMS_SignerInfo)struct stack_st_CMS_SignerInfo *sis;
1525 CMS_SignerInfo *si;
1526 sis = CMS_get0_SignerInfos(cms);
1527 if (sis == NULL((void*)0))
1528 goto end;
1529 si = sk_CMS_SignerInfo_value(sis, 0)((CMS_SignerInfo *)sk_value(((_STACK*) (1 ? (sis) : (struct stack_st_CMS_SignerInfo
*)0)), (0)));
1530 if (si == NULL((void*)0))
1531 goto end;
1532 srcms = CMS_sign_receipt(si, signer, key, other,
1533 cms_config.flags);
1534 if (srcms == NULL((void*)0))
1535 goto end;
1536 CMS_ContentInfo_free(cms);
1537 cms = srcms;
1538 } else if (cms_config.operation & SMIME_SIGNERS0x40) {
1539 int i;
1540 /*
1541 * If detached data content we enable streaming if S/MIME
1542 * output format.
1543 */
1544 if (cms_config.operation == SMIME_SIGN(3 | 0x10 | 0x40)) {
1545
1546 if (cms_config.flags & CMS_DETACHED0x40) {
1547 if (cms_config.outformat == FORMAT_SMIME6)
1548 cms_config.flags |= CMS_STREAM0x1000;
1549 }
1550 cms_config.flags |= CMS_PARTIAL0x4000;
1551 cms = CMS_sign(NULL((void*)0), NULL((void*)0), other, in, cms_config.flags);
1552 if (cms == NULL((void*)0))
1553 goto end;
1554 if (cms_config.econtent_type != NULL((void*)0))
1555 if (!CMS_set1_eContentType(cms,
1556 cms_config.econtent_type))
1557 goto end;
1558
1559 if (cms_config.rr_to != NULL((void*)0)) {
1560 rr = make_receipt_request(cms_config.rr_to,
1561 cms_config.rr_allorfirst,
1562 cms_config.rr_from);
1563 if (rr == NULL((void*)0)) {
1564 BIO_puts(bio_err,
1565 "Signed Receipt Request Creation Error\n");
1566 goto end;
1567 }
1568 }
1569 } else {
1570 cms_config.flags |= CMS_REUSE_DIGEST0x8000;
1571 }
1572
1573 for (i = 0; i < sk_OPENSSL_STRING_num(cms_config.sksigners)sk_num(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0))); i++) {
1574 CMS_SignerInfo *si;
1575 struct cms_key_param *kparam;
1576 int tflags = cms_config.flags;
1577
1578 cms_config.signerfile = sk_OPENSSL_STRING_value(((OPENSSL_STRING)sk_value(((_STACK*) (1 ? cms_config.sksigners
: (struct stack_st_OPENSSL_STRING*)0)), i))
1579 cms_config.sksigners, i)((OPENSSL_STRING)sk_value(((_STACK*) (1 ? cms_config.sksigners
: (struct stack_st_OPENSSL_STRING*)0)), i));
1580 cms_config.keyfile = sk_OPENSSL_STRING_value(((OPENSSL_STRING)sk_value(((_STACK*) (1 ? cms_config.skkeys :
(struct stack_st_OPENSSL_STRING*)0)), i))
1581 cms_config.skkeys, i)((OPENSSL_STRING)sk_value(((_STACK*) (1 ? cms_config.skkeys :
(struct stack_st_OPENSSL_STRING*)0)), i));
1582
1583 signer = load_cert(bio_err, cms_config.signerfile,
1584 FORMAT_PEM3, NULL((void*)0), "signer certificate");
1585 if (signer == NULL((void*)0))
1586 goto end;
1587 key = load_key(bio_err, cms_config.keyfile,
1588 cms_config.keyform, 0, passin, "signing key file");
1589 if (key == NULL((void*)0))
1590 goto end;
1591 for (kparam = cms_config.key_first; kparam != NULL((void*)0);
1592 kparam = kparam->next) {
1593 if (kparam->idx == i) {
1594 tflags |= CMS_KEY_PARAM0x40000;
1595 break;
1596 }
1597 }
1598 si = CMS_add1_signer(cms, signer, key,
1599 cms_config.sign_md, tflags);
1600 if (si == NULL((void*)0))
1601 goto end;
1602 if (kparam != NULL((void*)0)) {
1603 EVP_PKEY_CTX *pctx;
1604 if ((pctx = CMS_SignerInfo_get0_pkey_ctx(
1605 si)) == NULL((void*)0))
1606 goto end;
1607 if (!cms_set_pkey_param(pctx, kparam->param))
1608 goto end;
1609 }
1610 if (rr != NULL((void*)0) && !CMS_add1_ReceiptRequest(si, rr))
1611 goto end;
1612 X509_free(signer);
1613 signer = NULL((void*)0);
1614 EVP_PKEY_free(key);
1615 key = NULL((void*)0);
1616 }
1617 /* If not streaming or resigning finalize structure */
1618 if ((cms_config.operation == SMIME_SIGN(3 | 0x10 | 0x40)) &&
1619 !(cms_config.flags & CMS_STREAM0x1000)) {
1620 if (!CMS_final(cms, in, NULL((void*)0), cms_config.flags))
1621 goto end;
1622 }
1623 }
1624 if (cms == NULL((void*)0)) {
1625 BIO_printf(bio_err, "Error creating CMS structure\n");
1626 goto end;
1627 }
1628 ret = 4;
1629 if (cms_config.operation == SMIME_DECRYPT(2 | 0x20)) {
1630 if (cms_config.flags & CMS_DEBUG_DECRYPT0x20000)
1631 CMS_decrypt(cms, NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0),
1632 cms_config.flags);
1633
1634 if (cms_config.secret_key != NULL((void*)0)) {
1635 if (!CMS_decrypt_set1_key(cms, cms_config.secret_key,
1636 cms_config.secret_keylen, cms_config.secret_keyid,
1637 cms_config.secret_keyidlen)) {
1638 BIO_puts(bio_err,
1639 "Error decrypting CMS using secret key\n");
1640 goto end;
1641 }
1642 }
1643 if (key != NULL((void*)0)) {
1644 if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
1645 BIO_puts(bio_err,
1646 "Error decrypting CMS using private key\n");
1647 goto end;
1648 }
1649 }
1650 if (cms_config.pwri_pass != NULL((void*)0)) {
1651 if (!CMS_decrypt_set1_password(cms,
1652 cms_config.pwri_pass, -1)) {
1653 BIO_puts(bio_err,
1654 "Error decrypting CMS using password\n");
1655 goto end;
1656 }
1657 }
1658 if (!CMS_decrypt(cms, NULL((void*)0), NULL((void*)0), indata, out,
1659 cms_config.flags)) {
1660 BIO_printf(bio_err, "Error decrypting CMS structure\n");
1661 goto end;
1662 }
1663 } else if (cms_config.operation == SMIME_DATAOUT(7 | 0x20)) {
1664 if (!CMS_data(cms, out, cms_config.flags))
1665 goto end;
1666 } else if (cms_config.operation == SMIME_UNCOMPRESS(11 | 0x20)) {
1667 if (!CMS_uncompress(cms, indata, out, cms_config.flags))
1668 goto end;
1669 } else if (cms_config.operation == SMIME_DIGEST_VERIFY(9 | 0x20)) {
1670 if (CMS_digest_verify(cms, indata, out, cms_config.flags) > 0)
1671 BIO_printf(bio_err, "Verification successful\n");
1672 else {
1673 BIO_printf(bio_err, "Verification failure\n");
1674 goto end;
1675 }
1676 } else if (cms_config.operation == SMIME_ENCRYPTED_DECRYPT(13 | 0x20)) {
1677 if (!CMS_EncryptedData_decrypt(cms, cms_config.secret_key,
1678 cms_config.secret_keylen, indata, out, cms_config.flags))
1679 goto end;
1680 } else if (cms_config.operation == SMIME_VERIFY(4 | 0x20)) {
1681 if (CMS_verify(cms, other, store, indata, out,
1682 cms_config.flags) > 0) {
1683 BIO_printf(bio_err, "Verification successful\n");
1684 } else {
1685 BIO_printf(bio_err, "Verification failure\n");
1686 if (cms_config.verify_retcode)
1687 ret = verify_err + 32;
1688 goto end;
1689 }
1690 if (cms_config.signerfile != NULL((void*)0)) {
1691 STACK_OF(X509)struct stack_st_X509 *signers;
1692 if ((signers = CMS_get0_signers(cms)) == NULL((void*)0))
1693 goto end;
1694 if (!save_certs(cms_config.signerfile, signers)) {
1695 BIO_printf(bio_err,
1696 "Error writing signers to %s\n",
1697 cms_config.signerfile);
1698 ret = 5;
1699 goto end;
1700 }
1701 sk_X509_free(signers)sk_free(((_STACK*) (1 ? (signers) : (struct stack_st_X509*)0)
));
1702 }
1703 if (cms_config.rr_print)
1704 receipt_request_print(bio_err, cms);
1705
1706 } else if (cms_config.operation == SMIME_VERIFY_RECEIPT(16 | 0x20)) {
1707 if (CMS_verify_receipt(rcms, cms, other, store,
1708 cms_config.flags) > 0) {
1709 BIO_printf(bio_err, "Verification successful\n");
1710 } else {
1711 BIO_printf(bio_err, "Verification failure\n");
1712 goto end;
1713 }
1714 } else {
1715 if (cms_config.noout) {
1716 if (cms_config.print &&
1717 !CMS_ContentInfo_print_ctx(out, cms, 0, NULL((void*)0)))
1718 goto end;
1719 } else if (cms_config.outformat == FORMAT_SMIME6) {
1720 if (cms_config.to != NULL((void*)0))
1721 BIO_printf(out, "To: %s\n", cms_config.to);
1722 if (cms_config.from != NULL((void*)0))
1723 BIO_printf(out, "From: %s\n", cms_config.from);
1724 if (cms_config.subject != NULL((void*)0))
1725 BIO_printf(out, "Subject: %s\n",
1726 cms_config.subject);
1727 if (cms_config.operation == SMIME_RESIGN(6 | 0x20 | 0x10 | 0x40))
1728 ret = SMIME_write_CMS(out, cms, indata,
1729 cms_config.flags);
1730 else
1731 ret = SMIME_write_CMS(out, cms, in,
1732 cms_config.flags);
1733 } else if (cms_config.outformat == FORMAT_PEM3) {
1734 ret = PEM_write_bio_CMS_stream(out, cms, in,
1735 cms_config.flags);
1736 } else if (cms_config.outformat == FORMAT_ASN11) {
1737 ret = i2d_CMS_bio_stream(out, cms, in, cms_config.flags);
1738 } else {
1739 BIO_printf(bio_err, "Bad output format for CMS file\n");
1740 goto end;
1741 }
1742 if (ret <= 0) {
1743 ret = 6;
1744 goto end;
1745 }
1746 }
1747 ret = 0;
1748
1749 end:
1750 if (ret)
1751 ERR_print_errors(bio_err);
1752
1753 sk_X509_pop_free(cms_config.encerts, X509_free)sk_pop_free(((_STACK*) (1 ? (cms_config.encerts) : (struct stack_st_X509
*)0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509
*))0))));
1754 sk_X509_pop_free(other, X509_free)sk_pop_free(((_STACK*) (1 ? (other) : (struct stack_st_X509*)
0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509 *
))0))));
1755 X509_VERIFY_PARAM_free(cms_config.vpm);
1756 sk_OPENSSL_STRING_free(cms_config.sksigners)sk_free(((_STACK*) (1 ? cms_config.sksigners : (struct stack_st_OPENSSL_STRING
*)0)));
1757 sk_OPENSSL_STRING_free(cms_config.skkeys)sk_free(((_STACK*) (1 ? cms_config.skkeys : (struct stack_st_OPENSSL_STRING
*)0)));
1758 free(cms_config.secret_key);
1759 free(cms_config.secret_keyid);
1760 free(pwri_tmp);
1761 ASN1_OBJECT_free(cms_config.econtent_type);
1762 CMS_ReceiptRequest_free(rr);
1763 sk_OPENSSL_STRING_free(cms_config.rr_to)sk_free(((_STACK*) (1 ? cms_config.rr_to : (struct stack_st_OPENSSL_STRING
*)0)));
1764 sk_OPENSSL_STRING_free(cms_config.rr_from)sk_free(((_STACK*) (1 ? cms_config.rr_from : (struct stack_st_OPENSSL_STRING
*)0)));
1765 for (cms_config.key_param = cms_config.key_first; cms_config.key_param;) {
1766 struct cms_key_param *tparam;
1767 sk_OPENSSL_STRING_free(cms_config.key_param->param)sk_free(((_STACK*) (1 ? cms_config.key_param->param : (struct
stack_st_OPENSSL_STRING*)0)));
1768 tparam = cms_config.key_param->next;
1769 free(cms_config.key_param);
1770 cms_config.key_param = tparam;
1771 }
1772 X509_STORE_free(store);
1773 X509_free(cms_config.cert);
1774 X509_free(recip);
1775 X509_free(signer);
1776 EVP_PKEY_free(key);
1777 CMS_ContentInfo_free(cms);
1778 CMS_ContentInfo_free(rcms);
1779 BIO_free(rctin);
1780 BIO_free(in);
1781 BIO_free(indata);
1782 BIO_free_all(out);
1783 free(passin);
1784
1785 return (ret);
1786}
1787
1788static int
1789save_certs(char *signerfile, STACK_OF(X509)struct stack_st_X509 *signers)
1790{
1791 int i;
1792 BIO *tmp;
1793
1794 if (signerfile == NULL((void*)0))
1795 return 1;
1796 tmp = BIO_new_file(signerfile, "w");
1797 if (tmp == NULL((void*)0))
1798 return 0;
1799 for (i = 0; i < sk_X509_num(signers)sk_num(((_STACK*) (1 ? (signers) : (struct stack_st_X509*)0))
); i++)
1800 PEM_write_bio_X509(tmp, sk_X509_value(signers, i)((X509 *)sk_value(((_STACK*) (1 ? (signers) : (struct stack_st_X509
*)0)), (i))));
1801 BIO_free(tmp);
1802 return 1;
1803}
1804
1805/* Minimal callback just to output policy info (if any) */
1806
1807static int
1808cms_cb(int ok, X509_STORE_CTX *ctx)
1809{
1810 int error;
1811
1812 error = X509_STORE_CTX_get_error(ctx);
1813
1814 verify_err = error;
1815
1816 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY43) &&
1817 ((error != X509_V_OK0) || (ok != 2)))
1818 return ok;
1819
1820 policies_print(NULL((void*)0), ctx);
1821
1822 return ok;
1823}
1824
1825static void
1826gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES)struct stack_st_GENERAL_NAMES *gns)
1827{
1828 STACK_OF(GENERAL_NAME)struct stack_st_GENERAL_NAME *gens;
1829 GENERAL_NAME *gen;
1830 int i, j;
1831
1832 for (i = 0; i < sk_GENERAL_NAMES_num(gns)sk_num(((_STACK*) (1 ? (gns) : (struct stack_st_GENERAL_NAMES
*)0))); i++) {
1833 gens = sk_GENERAL_NAMES_value(gns, i)((GENERAL_NAMES *)sk_value(((_STACK*) (1 ? (gns) : (struct stack_st_GENERAL_NAMES
*)0)), (i)));
1834 for (j = 0; j < sk_GENERAL_NAME_num(gens)sk_num(((_STACK*) (1 ? (gens) : (struct stack_st_GENERAL_NAME
*)0))); j++) {
1835 gen = sk_GENERAL_NAME_value(gens, j)((GENERAL_NAME *)sk_value(((_STACK*) (1 ? (gens) : (struct stack_st_GENERAL_NAME
*)0)), (j)));
1836 BIO_puts(out, " ");
1837 GENERAL_NAME_print(out, gen);
1838 BIO_puts(out, "\n");
1839 }
1840 }
1841 return;
1842}
1843
1844static void
1845receipt_request_print(BIO *out, CMS_ContentInfo *cms)
1846{
1847 STACK_OF(CMS_SignerInfo)struct stack_st_CMS_SignerInfo *sis;
1848 CMS_SignerInfo *si;
1849 CMS_ReceiptRequest *rr;
1850 int allorfirst;
1851 STACK_OF(GENERAL_NAMES)struct stack_st_GENERAL_NAMES *rto, *rlist;
1852 ASN1_STRING *scid;
1853 int i, rv;
1854
1855 if ((sis = CMS_get0_SignerInfos(cms)) == NULL((void*)0))
1856 return;
1857 for (i = 0; i < sk_CMS_SignerInfo_num(sis)sk_num(((_STACK*) (1 ? (sis) : (struct stack_st_CMS_SignerInfo
*)0))); i++) {
1858 if ((si = sk_CMS_SignerInfo_value(sis, i)((CMS_SignerInfo *)sk_value(((_STACK*) (1 ? (sis) : (struct stack_st_CMS_SignerInfo
*)0)), (i)))) == NULL((void*)0))
1859 return;
1860 rv = CMS_get1_ReceiptRequest(si, &rr);
1861 BIO_printf(bio_err, "Signer %d:\n", i + 1);
1862 if (rv == 0) {
1863 BIO_puts(bio_err, " No Receipt Request\n");
1864 } else if (rv < 0) {
1865 BIO_puts(bio_err, " Receipt Request Parse Error\n");
1866 ERR_print_errors(bio_err);
1867 } else {
1868 char *id;
1869 int idlen;
1870
1871 CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
1872 &rlist, &rto);
1873 BIO_puts(out, " Signed Content ID:\n");
1874 idlen = ASN1_STRING_length(scid);
1875 id = (char *) ASN1_STRING_data(scid);
1876 BIO_dump_indent(out, id, idlen, 4);
1877 BIO_puts(out, " Receipts From");
1878 if (rlist != NULL((void*)0)) {
1879 BIO_puts(out, " List:\n");
1880 gnames_stack_print(out, rlist);
1881 } else if (allorfirst == 1) {
1882 BIO_puts(out, ": First Tier\n");
1883 } else if (allorfirst == 0) {
1884 BIO_puts(out, ": All\n");
1885 } else {
1886 BIO_printf(out, " Unknown (%d)\n", allorfirst);
1887 }
1888 BIO_puts(out, " Receipts To:\n");
1889 gnames_stack_print(out, rto);
1890 }
1891 CMS_ReceiptRequest_free(rr);
1892 }
1893}
1894
1895static STACK_OF(GENERAL_NAMES)struct stack_st_GENERAL_NAMES *
1896make_names_stack(STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *ns)
1897{
1898 int i;
1899 STACK_OF(GENERAL_NAMES)struct stack_st_GENERAL_NAMES *ret;
1900 GENERAL_NAMES *gens = NULL((void*)0);
1901 GENERAL_NAME *gen = NULL((void*)0);
1902
1903 if ((ret = sk_GENERAL_NAMES_new_null()((struct stack_st_GENERAL_NAMES *)sk_new_null())) == NULL((void*)0))
1904 goto err;
1905 for (i = 0; i < sk_OPENSSL_STRING_num(ns)sk_num(((_STACK*) (1 ? ns : (struct stack_st_OPENSSL_STRING*)
0))); i++) {
1906 char *str = sk_OPENSSL_STRING_value(ns, i)((OPENSSL_STRING)sk_value(((_STACK*) (1 ? ns : (struct stack_st_OPENSSL_STRING
*)0)), i));
1907 gen = a2i_GENERAL_NAME(NULL((void*)0), NULL((void*)0), NULL((void*)0), GEN_EMAIL1, str, 0);
1908 if (gen == NULL((void*)0))
1909 goto err;
1910 gens = GENERAL_NAMES_new();
1911 if (gens == NULL((void*)0))
1912 goto err;
1913 if (!sk_GENERAL_NAME_push(gens, gen)sk_push(((_STACK*) (1 ? (gens) : (struct stack_st_GENERAL_NAME
*)0)), ((void*) (1 ? (gen) : (GENERAL_NAME*)0))))
1914 goto err;
1915 gen = NULL((void*)0);
1916 if (!sk_GENERAL_NAMES_push(ret, gens)sk_push(((_STACK*) (1 ? (ret) : (struct stack_st_GENERAL_NAMES
*)0)), ((void*) (1 ? (gens) : (GENERAL_NAMES*)0))))
1917 goto err;
1918 gens = NULL((void*)0);
1919 }
1920
1921 return ret;
1922
1923 err:
1924 sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free)sk_pop_free(((_STACK*) (1 ? (ret) : (struct stack_st_GENERAL_NAMES
*)0)), ((void (*)(void *)) ((1 ? (GENERAL_NAMES_free) : (void
(*)(GENERAL_NAMES *))0))));
1925 GENERAL_NAMES_free(gens);
1926 GENERAL_NAME_free(gen);
1927
1928 return NULL((void*)0);
1929}
1930
1931
1932static CMS_ReceiptRequest *
1933make_receipt_request(STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_to, int rr_allorfirst,
1934 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *rr_from)
1935{
1936 STACK_OF(GENERAL_NAMES)struct stack_st_GENERAL_NAMES *rct_to = NULL((void*)0), *rct_from = NULL((void*)0);
1937 CMS_ReceiptRequest *rr;
1938
1939 rct_to = make_names_stack(rr_to);
1940 if (rct_to == NULL((void*)0))
1941 goto err;
1942 if (rr_from != NULL((void*)0)) {
1943 rct_from = make_names_stack(rr_from);
1944 if (rct_from == NULL((void*)0))
1945 goto err;
1946 } else {
1947 rct_from = NULL((void*)0);
1948 }
1949
1950 if ((rr = CMS_ReceiptRequest_create0(NULL((void*)0), -1, rr_allorfirst, rct_from,
1951 rct_to)) == NULL((void*)0))
1952 goto err;
1953
1954 return rr;
1955
1956 err:
1957 sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free)sk_pop_free(((_STACK*) (1 ? (rct_to) : (struct stack_st_GENERAL_NAMES
*)0)), ((void (*)(void *)) ((1 ? (GENERAL_NAMES_free) : (void
(*)(GENERAL_NAMES *))0))));
1958 sk_GENERAL_NAMES_pop_free(rct_from, GENERAL_NAMES_free)sk_pop_free(((_STACK*) (1 ? (rct_from) : (struct stack_st_GENERAL_NAMES
*)0)), ((void (*)(void *)) ((1 ? (GENERAL_NAMES_free) : (void
(*)(GENERAL_NAMES *))0))));
1959 return NULL((void*)0);
1960}
1961
1962static int
1963cms_set_pkey_param(EVP_PKEY_CTX *pctx, STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *param)
1964{
1965 char *keyopt;
1966 int i;
1967
1968 if (sk_OPENSSL_STRING_num(param)sk_num(((_STACK*) (1 ? param : (struct stack_st_OPENSSL_STRING
*)0))) <= 0)
1969 return 1;
1970 for (i = 0; i < sk_OPENSSL_STRING_num(param)sk_num(((_STACK*) (1 ? param : (struct stack_st_OPENSSL_STRING
*)0))); i++) {
1971 keyopt = sk_OPENSSL_STRING_value(param, i)((OPENSSL_STRING)sk_value(((_STACK*) (1 ? param : (struct stack_st_OPENSSL_STRING
*)0)), i));
1972 if (pkey_ctrl_string(pctx, keyopt) <= 0) {
1973 BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
1974 ERR_print_errors(bio_err);
1975 return 0;
1976 }
1977 }
1978 return 1;
1979}
1980
1981#endif