Mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-18 17:11:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

3.4-POST-CLANG-FORMAT-WEBKIT

Browse Source 
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29260)
This commit is contained in:
Bob Beck
2025-12-09 06:46:59 -07:00
parent c809b02206
commit 5a450b3b25
2000 changed files with 193561 additions and 150273 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
apps/asn1parse.c
View File

@@ -20,40 +20,51 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM,
OPT_INFORM,
OPT_IN,
OPT_OUT,
OPT_INDENT,
OPT_NOOUT,
OPT_OID,
OPT_OFFSET,
OPT_LENGTH,
OPT_DUMP,
OPT_DLIMIT,
OPT_STRPARSE,
OPT_GENSTR,
OPT_GENCONF,
OPT_STRICTPEM,
OPT_ITEM
} OPTION_CHOICE;
const OPTIONS asn1parse_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"oid", OPT_OID, '<', "file of extra oid definitions"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "oid", OPT_OID, '<', "file of extra oid definitions" },
OPT_SECTION("I/O"),
{"inform", OPT_INFORM, 'A', "input format - one of DER PEM B64"},
{"in", OPT_IN, '<', "input file"},
{"out", OPT_OUT, '>', "output file (output format is always DER)"},
{"noout", OPT_NOOUT, 0, "do not produce any output"},
{"offset", OPT_OFFSET, 'p', "offset into file"},
{"length", OPT_LENGTH, 'p', "length of section in file"},
{"strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'"},
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
{"strictpem", OPT_STRICTPEM, 0,
"equivalent to '-inform pem' (obsolete)"},
{"item", OPT_ITEM, 's', "item to parse and print"},
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
{ "inform", OPT_INFORM, 'A', "input format - one of DER PEM B64" },
{ "in", OPT_IN, '<', "input file" },
{ "out", OPT_OUT, '>', "output file (output format is always DER)" },
{ "noout", OPT_NOOUT, 0, "do not produce any output" },
{ "offset", OPT_OFFSET, 'p', "offset into file" },
{ "length", OPT_LENGTH, 'p', "length of section in file" },
{ "strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'" },
{ OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings" },
{ "genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from" },
{ "genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from" },
{ "strictpem", OPT_STRICTPEM, 0,
"equivalent to '-inform pem' (obsolete)" },
{ "item", OPT_ITEM, 's', "item to parse and print" },
{ OPT_MORE_STR, 0, 0, "(-inform will be ignored)" },
OPT_SECTION("Formatting"),
{"i", OPT_INDENT, 0, "indents the output"},
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
{"dlimit", OPT_DLIMIT, 'p',
"dump the first arg bytes of unknown data in hex form"},
{NULL}
{ "i", OPT_INDENT, 0, "indents the output" },
{ "dump", OPT_DUMP, 0, "unknown data in hex form" },
{ "dlimit", OPT_DLIMIT, 'p',
"dump the first arg bytes of unknown data in hex form" },
{ NULL }
};
static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf);
@@ -88,7 +99,7 @@ int asn1parse_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -189,7 +200,7 @@ int asn1parse_main(int argc, char **argv)
buf->length = buf->max = num;
} else {
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
goto end; /* Pre-allocate :-) */
if (genstr || genconf) {
num = do_generate(genstr, genconf, buf);
@@ -224,7 +235,6 @@ int asn1parse_main(int argc, char **argv)
}
}
str = (unsigned char *)buf->data;
}
/* If any structs to parse go through in sequence */
@@ -238,7 +248,7 @@ int asn1parse_main(int argc, char **argv)
j = strtol(sk_OPENSSL_STRING_value(osk, i), NULL, 0);
if (j <= 0 || j >= tmplen) {
BIO_printf(bio_err, "'%s' is out of range\n",
sk_OPENSSL_STRING_value(osk, i));
sk_OPENSSL_STRING_value(osk, i));
continue;
}
tmpbuf += j;
@@ -304,7 +314,7 @@ int asn1parse_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
BIO_free(derout);
BIO_free(in);
BIO_free(b64);
@@ -358,7 +368,7 @@ static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf)
ASN1_TYPE_free(atyp);
return len;
err:
err:
NCONF_free(cnf);
ASN1_TYPE_free(atyp);
return -1;

757
apps/ca.c
View File

File diff suppressed because it is too large Load Diff

55
apps/ciphers.c
View File

@@ -28,58 +28,61 @@ typedef enum OPTION_choice {
OPT_PSK,
OPT_SRP,
OPT_CIPHERSUITES,
OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
OPT_V,
OPT_UPPER_V,
OPT_S,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ciphers_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Output"),
{"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
{"V", OPT_UPPER_V, '-', "Even more verbose"},
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
{ "v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers" },
{ "V", OPT_UPPER_V, '-', "Even more verbose" },
{ "stdname", OPT_STDNAME, '-', "Show standard cipher names" },
{ "convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name" },
OPT_SECTION("Cipher specification"),
{"s", OPT_S, '-', "Only supported ciphers"},
{ "s", OPT_S, '-', "Only supported ciphers" },
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
{ "ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3" },
#endif
#ifndef OPENSSL_NO_TLS1
{"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
{ "tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1" },
#endif
#ifndef OPENSSL_NO_TLS1_1
{"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
{ "tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1" },
#endif
#ifndef OPENSSL_NO_TLS1_2
{"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
{ "tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2" },
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
{ "tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3" },
#endif
#ifndef OPENSSL_NO_PSK
{"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
{ "psk", OPT_PSK, '-', "Include ciphersuites requiring PSK" },
#endif
#ifndef OPENSSL_NO_SRP
{"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
{ "srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP" },
#endif
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use"},
{ "ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cipher", 0, 0, "Cipher string to decode (optional)"},
{NULL}
{ "cipher", 0, 0, "Cipher string to decode (optional)" },
{ NULL }
};
#ifndef OPENSSL_NO_PSK
static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len)
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len)
{
return 0;
}
@@ -110,7 +113,7 @@ int ciphers_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -181,7 +184,7 @@ int ciphers_main(int argc, char **argv)
if (convert != NULL) {
BIO_printf(bio_out, "OpenSSL cipher name: %s\n",
OPENSSL_cipher_name(convert));
OPENSSL_cipher_name(convert));
ret = 0;
goto end;
}
@@ -273,9 +276,9 @@ int ciphers_main(int argc, char **argv)
ret = 0;
goto end;
err:
err:
ERR_print_errors(bio_err);
end:
end:
if (use_supported)
sk_SSL_CIPHER_free(sk);
SSL_CTX_free(ctx);

1340
apps/cmp.c
View File

File diff suppressed because it is too large Load Diff

501
apps/cms.c
View File

@@ -24,31 +24,30 @@
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
static void receipt_request_print(CMS_ContentInfo *cms);
static CMS_ReceiptRequest
*make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from);
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from);
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param);
STACK_OF(OPENSSL_STRING) *param);
#define SMIME_OP 0x100
#define SMIME_IP 0x200
#define SMIME_SIGNERS 0x400
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP)
#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP)
#define SMIME_DIGEST_CREATE (8 | SMIME_OP)
#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
#define SMIME_COMPRESS (10 | SMIME_OP)
#define SMIME_UNCOMPRESS (11 | SMIME_IP)
#define SMIME_OP 0x100
#define SMIME_IP 0x200
#define SMIME_SIGNERS 0x400
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP)
#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP)
#define SMIME_DIGEST_CREATE (8 | SMIME_OP)
#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
#define SMIME_COMPRESS (10 | SMIME_OP)
#define SMIME_UNCOMPRESS (11 | SMIME_IP)
#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP)
#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
#define SMIME_DATA_CREATE (14 | SMIME_OP)
#define SMIME_DATA_OUT (15 | SMIME_IP)
#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP)
#define SMIME_DATA_CREATE (14 | SMIME_OP)
#define SMIME_DATA_OUT (15 | SMIME_IP)
#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP)
static int verify_err = 0;
@@ -62,188 +61,249 @@ struct cms_key_param_st {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN,
OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
OPT_DIGEST, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_SIGN,
OPT_CADES,
OPT_SIGN_RECEIPT,
OPT_RESIGN,
OPT_VERIFY,
OPT_VERIFY_RETCODE,
OPT_VERIFY_RECEIPT,
OPT_CMSOUT,
OPT_DATA_OUT,
OPT_DATA_CREATE,
OPT_DIGEST_VERIFY,
OPT_DIGEST,
OPT_DIGEST_CREATE,
OPT_COMPRESS,
OPT_UNCOMPRESS,
OPT_ED_DECRYPT,
OPT_ED_ENCRYPT,
OPT_DEBUG_DECRYPT,
OPT_TEXT,
OPT_ASCIICRLF,
OPT_NOINTERN,
OPT_NOVERIFY,
OPT_NOCERTS,
OPT_NOATTR,
OPT_NODETACH,
OPT_NOSMIMECAP,
OPT_BINARY,
OPT_KEYID,
OPT_NOSIGS,
OPT_NO_CONTENT_VERIFY,
OPT_NO_ATTR_VERIFY,
OPT_INDEF,
OPT_NOINDEF,
OPT_CRLFEOL,
OPT_NOOUT,
OPT_RR_PRINT,
OPT_RR_ALL,
OPT_RR_FIRST,
OPT_RCTFORM,
OPT_CERTFILE,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_CONTENT,
OPT_PRINT,
OPT_NAMEOPT,
OPT_SECRETKEY,
OPT_SECRETKEYID,
OPT_PWRI_PASSWORD,
OPT_ECONTENT_TYPE,
OPT_PASSIN,
OPT_TO,
OPT_FROM,
OPT_SUBJECT,
OPT_SIGNER,
OPT_RECIP,
OPT_CERTSOUT,
OPT_MD,
OPT_INKEY,
OPT_KEYFORM,
OPT_KEYOPT,
OPT_RR_FROM,
OPT_RR_TO,
OPT_AES128_WRAP,
OPT_AES192_WRAP,
OPT_AES256_WRAP,
OPT_3DES_WRAP,
OPT_WRAP,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM, OPT_CONFIG,
OPT_PROV_ENUM,
OPT_CONFIG,
OPT_V_ENUM,
OPT_CIPHER,
OPT_ORIGINATOR
} OPTION_CHOICE;
const OPTIONS cms_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
{"help", OPT_HELP, '-', "Display this summary"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n" },
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("General"),
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{ "in", OPT_IN, '<', "Input file" },
{ "out", OPT_OUT, '>', "Output file" },
OPT_CONFIG_OPTION,
OPT_SECTION("Operation"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"sign_receipt", OPT_SIGN_RECEIPT, '-',
"Generate a signed receipt for a message"},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<',
"Verify receipts; exit if receipt signatures do not verify"},
{"digest", OPT_DIGEST, 's', "Sign a pre-computed digest in hex notation"},
{"digest_create", OPT_DIGEST_CREATE, '-',
"Create a CMS \"DigestedData\" object"},
{"digest_verify", OPT_DIGEST_VERIFY, '-',
"Verify a CMS \"DigestedData\" object and output it"},
{"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
{"uncompress", OPT_UNCOMPRESS, '-',
"Uncompress a CMS \"CompressedData\" object"},
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
"Create CMS \"EncryptedData\" object using symmetric key"},
{"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
"Decrypt CMS \"EncryptedData\" object using symmetric key"},
{"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
{"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
{"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt message" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message" },
{ "sign", OPT_SIGN, '-', "Sign message" },
{ "verify", OPT_VERIFY, '-', "Verify signed message" },
{ "resign", OPT_RESIGN, '-', "Resign a signed message" },
{ "sign_receipt", OPT_SIGN_RECEIPT, '-',
"Generate a signed receipt for a message" },
{ "verify_receipt", OPT_VERIFY_RECEIPT, '<',
"Verify receipts; exit if receipt signatures do not verify" },
{ "digest", OPT_DIGEST, 's', "Sign a pre-computed digest in hex notation" },
{ "digest_create", OPT_DIGEST_CREATE, '-',
"Create a CMS \"DigestedData\" object" },
{ "digest_verify", OPT_DIGEST_VERIFY, '-',
"Verify a CMS \"DigestedData\" object and output it" },
{ "compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object" },
{ "uncompress", OPT_UNCOMPRESS, '-',
"Uncompress a CMS \"CompressedData\" object" },
{ "EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
"Create CMS \"EncryptedData\" object using symmetric key" },
{ "EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
"Decrypt CMS \"EncryptedData\" object using symmetric key" },
{ "data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object" },
{ "data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output" },
{ "cmsout", OPT_CMSOUT, '-', "Output CMS structure" },
OPT_SECTION("File format"),
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
{"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
{"stream", OPT_INDEF, '-', "Enable CMS streaming"},
{"indef", OPT_INDEF, '-', "Same as -stream"},
{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{"binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form"},
{"crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of LF only" },
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},
{ "inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER" },
{ "outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER" },
{ "rctform", OPT_RCTFORM, 'F', "Receipt file format" },
{ "stream", OPT_INDEF, '-', "Enable CMS streaming" },
{ "indef", OPT_INDEF, '-', "Same as -stream" },
{ "noindef", OPT_NOINDEF, '-', "Disable CMS streaming" },
{ "binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form" },
{ "crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of LF only" },
{ "asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing" },
OPT_SECTION("Keys and passwords"),
{"pwri_password", OPT_PWRI_PASSWORD, 's',
"Specific password for recipient"},
{"secretkey", OPT_SECRETKEY, 's',
"Use specified hex-encoded key to decrypt/encrypt recipients or content"},
{"secretkeyid", OPT_SECRETKEYID, 's',
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
{"keyform", OPT_KEYFORM, 'f',
"Input private key format (ENGINE, other values ignored)"},
{ "pwri_password", OPT_PWRI_PASSWORD, 's',
"Specific password for recipient" },
{ "secretkey", OPT_SECRETKEY, 's',
"Use specified hex-encoded key to decrypt/encrypt recipients or content" },
{ "secretkeyid", OPT_SECRETKEYID, 's',
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object" },
{ "inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs" },
{ "keyform", OPT_KEYFORM, 'f',
"Input private key format (ENGINE, other values ignored)" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
OPT_SECTION("Encryption and decryption"),
{"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
{"recip", OPT_RECIP, '<', "Recipient cert file"},
{"cert...", OPT_PARAM, '.',
"Recipient certs (optional; used only when encrypting)"},
{"", OPT_CIPHER, '-',
"The encryption algorithm to use (any supported cipher)"},
{"wrap", OPT_WRAP, 's',
"Key wrap algorithm to use when encrypting with key agreement"},
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
{"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
"Disable MMA protection, return error if no recipient found (see doc)"},
{ "originator", OPT_ORIGINATOR, 's', "Originator certificate file" },
{ "recip", OPT_RECIP, '<', "Recipient cert file" },
{ "cert...", OPT_PARAM, '.',
"Recipient certs (optional; used only when encrypting)" },
{ "", OPT_CIPHER, '-',
"The encryption algorithm to use (any supported cipher)" },
{ "wrap", OPT_WRAP, 's',
"Key wrap algorithm to use when encrypting with key agreement" },
{ "aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key" },
{ "aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key" },
{ "aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key" },
{ "des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key" },
{ "debug_decrypt", OPT_DEBUG_DECRYPT, '-',
"Disable MMA protection, return error if no recipient found (see doc)" },
OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "Digest algorithm to use"},
{"signer", OPT_SIGNER, 's', "Signer certificate input file"},
{"certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing"},
{OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying"},
{"cades", OPT_CADES, '-',
"Include signingCertificate attribute (CAdES-BES)"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"nocerts", OPT_NOCERTS, '-',
"Don't include signer's certificate when signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
{"receipt_request_all", OPT_RR_ALL, '-',
"When signing, create a receipt request for all recipients"},
{"receipt_request_first", OPT_RR_FIRST, '-',
"When signing, create a receipt request for first recipient"},
{"receipt_request_from", OPT_RR_FROM, 's',
"Create signed receipt request with specified email address"},
{"receipt_request_to", OPT_RR_TO, 's',
"Create signed receipt targeted to specified address"},
{ "md", OPT_MD, 's', "Digest algorithm to use" },
{ "signer", OPT_SIGNER, 's', "Signer certificate input file" },
{ "certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing" },
{ OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying" },
{ "cades", OPT_CADES, '-',
"Include signingCertificate attribute (CAdES-BES)" },
{ "nodetach", OPT_NODETACH, '-', "Use opaque signing" },
{ "nocerts", OPT_NOCERTS, '-',
"Don't include signer's certificate when signing" },
{ "noattr", OPT_NOATTR, '-', "Don't include any signed attributes" },
{ "nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute" },
{ "receipt_request_all", OPT_RR_ALL, '-',
"When signing, create a receipt request for all recipients" },
{ "receipt_request_first", OPT_RR_FIRST, '-',
"When signing, create a receipt request for first recipient" },
{ "receipt_request_from", OPT_RR_FROM, 's',
"Create signed receipt request with specified email address" },
{ "receipt_request_to", OPT_RR_TO, 's',
"Create signed receipt targeted to specified address" },
OPT_SECTION("Verification"),
{"signer", OPT_DUP, 's', "Signer certificate(s) output file"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
"Do not verify signed content signatures"},
{"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
"Do not verify signed attribute signatures"},
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
{"nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer"},
{"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"},
{"verify_retcode", OPT_VERIFY_RETCODE, '-',
"Exit non-zero on verification failure"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "signer", OPT_DUP, 's', "Signer certificate(s) output file" },
{ "content", OPT_CONTENT, '<',
"Supply or override content for detached signature" },
{ "no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
"Do not verify signed content signatures" },
{ "no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
"Do not verify signed attribute signatures" },
{ "nosigs", OPT_NOSIGS, '-', "Don't verify message signature" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate" },
{ "nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer" },
{ "cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)" },
{ "verify_retcode", OPT_VERIFY_RETCODE, '-',
"Exit non-zero on verification failure" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_SECTION("Output"),
{"keyid", OPT_KEYID, '-', "Use subject key identifier"},
{"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{ "keyid", OPT_KEYID, '-', "Use subject key identifier" },
{ "econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content" },
{ "text", OPT_TEXT, '-', "Include or delete text MIME headers" },
{ "certsout", OPT_CERTSOUT, '>', "Certificate output file" },
{ "to", OPT_TO, 's', "To address" },
{ "from", OPT_FROM, 's', "From address" },
{ "subject", OPT_SUBJECT, 's', "Subject" },
OPT_SECTION("Printing"),
{"noout", OPT_NOOUT, '-',
"For the -cmsout operation do not output the parsed CMS structure"},
{"print", OPT_PRINT, '-',
"For the -cmsout operation print out all fields of the CMS structure"},
{"nameopt", OPT_NAMEOPT, 's',
"For the -print option specifies various strings printing options"},
{"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
{ "noout", OPT_NOOUT, '-',
"For the -cmsout operation do not output the parsed CMS structure" },
{ "print", OPT_PRINT, '-',
"For the -cmsout operation print out all fields of the CMS structure" },
{ "nameopt", OPT_NAMEOPT, 's',
"For the -print option specifies various strings printing options" },
{ "receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
OPT_V_OPTIONS,
{NULL}
{ NULL }
};
static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
BIO **indata, const char *name)
BIO **indata, const char *name)
{
CMS_ContentInfo *ret, *ci;
@@ -271,7 +331,7 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
goto err;
}
return ret;
err:
err:
CMS_ContentInfo_free(ret);
return NULL;
}
@@ -327,7 +387,7 @@ int cms_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -471,7 +531,7 @@ int cms_main(int argc, char **argv)
break;
case OPT_RCTFORM:
if (!opt_format(opt_arg(),
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
goto opthelp;
break;
case OPT_CERTFILE:
@@ -525,7 +585,7 @@ int cms_main(int argc, char **argv)
case OPT_SECRETKEY:
if (secret_key != NULL) {
BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
@@ -538,7 +598,7 @@ int cms_main(int argc, char **argv)
case OPT_SECRETKEYID:
if (secret_keyid != NULL) {
BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
@@ -554,7 +614,7 @@ int cms_main(int argc, char **argv)
case OPT_ECONTENT_TYPE:
if (econtent_type != NULL) {
BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
econtent_type = OBJ_txt2obj(opt_arg(), 0);
@@ -634,7 +694,7 @@ int cms_main(int argc, char **argv)
case OPT_RECIP:
if (operation == SMIME_ENCRYPT) {
cert = load_cert(opt_arg(), FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -744,13 +804,13 @@ int cms_main(int argc, char **argv)
if ((flags & CMS_CADES) != 0) {
if ((flags & CMS_NOATTR) != 0) {
BIO_puts(bio_err, "Incompatible options: "
"CAdES requires signed attributes\n");
"CAdES requires signed attributes\n");
goto opthelp;
}
if (operation == SMIME_VERIFY
&& (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) {
&& (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) {
BIO_puts(bio_err, "Incompatible options: CAdES validation requires"
" certs and signed attributes validations\n");
" certs and signed attributes validations\n");
goto opthelp;
}
}
@@ -784,7 +844,7 @@ int cms_main(int argc, char **argv)
if (recipfile == NULL && keyfile == NULL
&& secret_key == NULL && pwri_pass == NULL) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
"No recipient certificate or key specified\n");
goto opthelp;
}
} else if (operation == SMIME_ENCRYPT) {
@@ -808,16 +868,16 @@ int cms_main(int argc, char **argv)
if ((operation & SMIME_SIGNERS) == 0) {
if ((flags & CMS_DETACHED) == 0)
BIO_printf(bio_err,
"Warning: -nodetach option is ignored for non-signing operation\n");
"Warning: -nodetach option is ignored for non-signing operation\n");
flags &= ~CMS_DETACHED;
}
if ((operation & SMIME_IP) == 0 && contfile != NULL)
BIO_printf(bio_err,
"Warning: -contfile option is ignored for the given operation\n");
"Warning: -contfile option is ignored for the given operation\n");
if (operation != SMIME_ENCRYPT && *argv != NULL)
BIO_printf(bio_err,
"Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
"Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
if ((flags & CMS_BINARY) != 0) {
if (!(operation & SMIME_OP))
@@ -847,7 +907,7 @@ int cms_main(int argc, char **argv)
for (; *argv != NULL; argv++) {
cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -865,7 +925,8 @@ int cms_main(int argc, char **argv)
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
"recipient certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -873,7 +934,8 @@ int cms_main(int argc, char **argv)
if (originatorfile != NULL) {
if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
"originator certificate file")) == NULL) {
"originator certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -881,7 +943,8 @@ int cms_main(int argc, char **argv)
if (operation == SMIME_SIGN_RECEIPT) {
if ((signer = load_cert(signerfile, FORMAT_UNDEF,
"receipt signer certificate file")) == NULL) {
"receipt signer certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -906,25 +969,25 @@ int cms_main(int argc, char **argv)
if (digesthex != NULL) {
if (operation != SMIME_SIGN) {
BIO_printf(bio_err,
"Cannot use -digest for non-signing operation\n");
"Cannot use -digest for non-signing operation\n");
goto end;
}
if (infile != NULL
|| (flags & CMS_DETACHED) == 0
|| (flags & CMS_STREAM) != 0) {
BIO_printf(bio_err,
"Cannot use -digest when -in, -nodetach or streaming is used\n");
"Cannot use -digest when -in, -nodetach or streaming is used\n");
goto end;
}
digestbin = OPENSSL_hexstr2buf(digesthex, &digestlen);
if (digestbin == NULL) {
BIO_printf(bio_err,
"Invalid hex value after -digest\n");
"Invalid hex value after -digest\n");
goto end;
}
} else {
in = bio_open_default(infile, 'r',
binary_files ? FORMAT_BINARY : informat);
binary_files ? FORMAT_BINARY : informat);
if (in == NULL)
goto end;
}
@@ -945,7 +1008,7 @@ int cms_main(int argc, char **argv)
allcerts = CMS_get1_certs(cms);
if (!save_certs(certsoutfile, allcerts)) {
BIO_printf(bio_err,
"Error writing certs to %s\n", certsoutfile);
"Error writing certs to %s\n", certsoutfile);
ret = 5;
goto end;
}
@@ -967,13 +1030,14 @@ int cms_main(int argc, char **argv)
}
out = bio_open_default(outfile, 'w',
binary_files ? FORMAT_BINARY : outformat);
binary_files ? FORMAT_BINARY : outformat);
if (out == NULL)
goto end;
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
X509_STORE_set_verify_cb(store, cms_cb);
if (vpmtouched)
@@ -1019,13 +1083,13 @@ int cms_main(int argc, char **argv)
}
res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
EVP_PKEY_CTRL_CIPHER,
EVP_CIPHER_get_nid(cipher), NULL);
EVP_PKEY_CTRL_CIPHER,
EVP_CIPHER_get_nid(cipher), NULL);
if (res <= 0 && res != -2)
goto end;
if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
&& wrap_cipher != NULL) {
&& wrap_cipher != NULL) {
EVP_CIPHER_CTX *wctx;
wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
@@ -1035,9 +1099,9 @@ int cms_main(int argc, char **argv)
if (secret_key != NULL) {
if (!CMS_add0_recipient_key(cms, NID_undef,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen,
NULL, NULL, NULL))
secret_key, secret_keylen,
secret_keyid, secret_keyidlen,
NULL, NULL, NULL))
goto end;
/* NULL these because call absorbs them */
secret_key = NULL;
@@ -1048,8 +1112,9 @@ int cms_main(int argc, char **argv)
if (pwri_tmp == NULL)
goto end;
if (CMS_add0_recipient_password(cms,
-1, NID_undef, NID_undef,
pwri_tmp, -1, NULL) == NULL)
-1, NID_undef, NID_undef,
pwri_tmp, -1, NULL)
== NULL)
goto end;
pwri_tmp = NULL;
}
@@ -1057,7 +1122,7 @@ int cms_main(int argc, char **argv)
if (!CMS_final(cms, in, NULL, flags)) {
if (originator != NULL
&& ERR_GET_REASON(ERR_peek_error())
== CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
== CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
BIO_printf(bio_err, "Cannot use originator for encryption\n");
goto end;
}
@@ -1066,7 +1131,7 @@ int cms_main(int argc, char **argv)
}
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
secret_keylen, flags, libctx, app_get0_propq());
secret_keylen, flags, libctx, app_get0_propq());
} else if (operation == SMIME_SIGN_RECEIPT) {
CMS_ContentInfo *srcms = NULL;
@@ -1173,8 +1238,8 @@ int cms_main(int argc, char **argv)
if (secret_key != NULL) {
if (!CMS_decrypt_set1_key(cms,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen)) {
secret_key, secret_keylen,
secret_keyid, secret_keyidlen)) {
BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
goto end;
}
@@ -1213,15 +1278,15 @@ int cms_main(int argc, char **argv)
}
} else if (operation == SMIME_ENCRYPTED_DECRYPT) {
if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
indata, out, flags))
indata, out, flags))
goto end;
} else if (operation == SMIME_VERIFY) {
if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
BIO_printf(bio_err, "%s Verification successful\n",
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
} else {
BIO_printf(bio_err, "%s Verification failure\n",
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
if (verify_retcode)
ret = verify_err + 32;
goto end;
@@ -1231,7 +1296,7 @@ int cms_main(int argc, char **argv)
if (!save_certs(signerfile, signers)) {
BIO_printf(bio_err,
"Error writing signers to %s\n", signerfile);
"Error writing signers to %s\n", signerfile);
ret = 5;
goto end;
}
@@ -1288,7 +1353,7 @@ int cms_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret)
ERR_print_errors(bio_err);
OSSL_STACK_OF_X509_free(encerts);
@@ -1364,7 +1429,6 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx)
policies_print(ctx);
return ok;
}
static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
@@ -1408,7 +1472,7 @@ static void receipt_request_print(CMS_ContentInfo *cms)
const char *id;
int idlen;
CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
&rlist, &rto);
&rlist, &rto);
BIO_puts(bio_err, " Signed Content ID:\n");
idlen = ASN1_STRING_length(scid);
id = (const char *)ASN1_STRING_get0_data(scid);
@@ -1458,16 +1522,15 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
return ret;
err:
err:
sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
GENERAL_NAMES_free(gens);
GENERAL_NAME_free(gen);
return NULL;
}
static CMS_ReceiptRequest
*make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from)
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from)
{
STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
CMS_ReceiptRequest *rr;
@@ -1483,18 +1546,18 @@ static CMS_ReceiptRequest
rct_from = NULL;
}
rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
rct_to, app_get0_libctx());
rct_to, app_get0_libctx());
if (rr == NULL)
goto err;
return rr;
err:
err:
sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
sk_GENERAL_NAMES_pop_free(rct_from, GENERAL_NAMES_free);
return NULL;
}
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param)
STACK_OF(OPENSSL_STRING) *param)
{
char *keyopt;
int i;

126
apps/crl.c
View File

@@ -20,58 +20,81 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_DATEOPT, OPT_TEXT, OPT_HASH,
OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM
OPT_INFORM,
OPT_IN,
OPT_OUTFORM,
OPT_OUT,
OPT_KEYFORM,
OPT_KEY,
OPT_ISSUER,
OPT_LASTUPDATE,
OPT_NEXTUPDATE,
OPT_FINGERPRINT,
OPT_CRLNUMBER,
OPT_BADSIG,
OPT_GENDELTA,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_VERIFY,
OPT_DATEOPT,
OPT_TEXT,
OPT_HASH,
OPT_HASH_OLD,
OPT_NOOUT,
OPT_NAMEOPT,
OPT_MD,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "verify", OPT_VERIFY, '-', "Verify CRL signature" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
{"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect" },
{ "key", OPT_KEY, '<', "CRL signing Private key to use" },
{ "keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "output file - default stdout"},
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
{"text", OPT_TEXT, '-', "Print out a text format version"},
{"hash", OPT_HASH, '-', "Print hash value"},
{ "out", OPT_OUT, '>', "output file - default stdout" },
{ "outform", OPT_OUTFORM, 'F', "Output format - default PEM" },
{ "dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822." },
{ "text", OPT_TEXT, '-', "Print out a text format version" },
{ "hash", OPT_HASH, '-', "Print hash value" },
#ifndef OPENSSL_NO_MD5
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
{ "hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value" },
#endif
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"", OPT_MD, '-', "Any supported digest"},
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "", OPT_MD, '-', "Any supported digest" },
OPT_SECTION("CRL"),
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
{"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
{"noout", OPT_NOOUT, '-', "No CRL output"},
{"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
{ "issuer", OPT_ISSUER, '-', "Print issuer DN" },
{ "lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field" },
{ "nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field" },
{ "noout", OPT_NOOUT, '-', "No CRL output" },
{ "fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint" },
{ "crlnumber", OPT_CRLNUMBER, '-', "Print CRL number" },
{ "badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
{ "gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one" },
OPT_SECTION("Certificate"),
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
{"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir" },
{ "CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name" },
{ "CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int crl_main(int argc, char **argv)
@@ -104,7 +127,7 @@ int crl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -148,13 +171,13 @@ int crl_main(int argc, char **argv)
do_ver = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
noCAfile = 1;
break;
case OPT_NOCASTORE:
noCAstore = 1;
noCAstore = 1;
break;
case OPT_HASH_OLD:
#ifndef OPENSSL_NO_MD5
@@ -221,7 +244,8 @@ int crl_main(int argc, char **argv)
if (do_ver) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
@@ -233,7 +257,7 @@ int crl_main(int argc, char **argv)
}
xobj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509,
X509_CRL_get_issuer(x));
X509_CRL_get_issuer(x));
if (xobj == NULL) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
@@ -250,7 +274,7 @@ int crl_main(int argc, char **argv)
goto end;
if (i == 0) {
BIO_printf(bio_err, "verify failure\n");
goto end;
goto end;
} else
BIO_printf(bio_err, "verify OK\n");
}
@@ -309,9 +333,8 @@ int crl_main(int argc, char **argv)
}
if (hash == i) {
int ok;
unsigned long hash_value =
X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
app_get0_propq(), &ok);
unsigned long hash_value = X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
app_get0_propq(), &ok);
if (num > 1)
BIO_printf(bio_out, "issuer name hash=");
@@ -327,7 +350,7 @@ int crl_main(int argc, char **argv)
if (num > 1)
BIO_printf(bio_out, "issuer name old hash=");
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
@@ -353,10 +376,9 @@ int crl_main(int argc, char **argv)
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
EVP_MD_get0_name(digest));
EVP_MD_get0_name(digest));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':');
}
}
}
@@ -383,7 +405,7 @@ int crl_main(int argc, char **argv)
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);

36
apps/crl2pkcs7.c
View File

@@ -23,27 +23,32 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_NOCRL,
OPT_CERTFILE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl2pkcs7_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
{"certfile", OPT_CERTFILE, '<',
"File of chain of certs to a trusted CA; can be repeated"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
{ "nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'" },
{ "certfile", OPT_CERTFILE, '<',
"File of chain of certs to a trusted CA; can be repeated" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int crl2pkcs7_main(int argc, char **argv)
@@ -56,8 +61,7 @@ int crl2pkcs7_main(int argc, char **argv)
STACK_OF(X509_CRL) *crl_stack = NULL;
X509_CRL *crl = NULL;
char *infile = NULL, *outfile = NULL, *prog, *certfile;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
0;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = 0;
OPTION_CHOICE o;
prog = opt_init(argc, argv, crl2pkcs7_options);
@@ -65,7 +69,7 @@ int crl2pkcs7_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -139,7 +143,7 @@ int crl2pkcs7_main(int argc, char **argv)
goto end;
p7s->crl = crl_stack;
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if (certflst != NULL) {
@@ -171,7 +175,7 @@ int crl2pkcs7_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
sk_OPENSSL_STRING_free(certflst);
BIO_free(in);
BIO_free_all(out);
@@ -224,7 +228,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
}
ret = count;
end:
end:
/* never need to OPENSSL_free x */
BIO_free(in);
sk_X509_INFO_free(sk);

137
apps/dgst.c
View File

@@ -22,12 +22,12 @@
#include <ctype.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
#define BUFSIZE 1024 * 8
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
static void show_digests(const OBJ_NAME *name, void *bio_);
struct doall_dgst_digests {
@@ -38,57 +38,74 @@ struct doall_dgst_digests {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_LIST,
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_XOFLEN,
OPT_C,
OPT_R,
OPT_OUT,
OPT_SIGN,
OPT_PASSIN,
OPT_VERIFY,
OPT_PRVERIFY,
OPT_SIGNATURE,
OPT_KEYFORM,
OPT_ENGINE,
OPT_ENGINE_IMPL,
OPT_HEX,
OPT_BINARY,
OPT_DEBUG,
OPT_FIPS_FINGERPRINT,
OPT_HMAC,
OPT_MAC,
OPT_SIGOPT,
OPT_MACOPT,
OPT_XOFLEN,
OPT_DIGEST,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dgst_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List digests"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list", OPT_LIST, '-', "List digests" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{"engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for digest operations"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
{ "engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for digest operations" },
#endif
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"hex", OPT_HEX, '-', "Print as hex dump"},
{"binary", OPT_BINARY, '-', "Print in binary form"},
{"xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256"},
{"d", OPT_DEBUG, '-', "Print debug info"},
{"debug", OPT_DEBUG, '-', "Print debug info"},
{ "c", OPT_C, '-', "Print the digest with separating colons" },
{ "r", OPT_R, '-', "Print the digest in coreutils format" },
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)" },
{ "hex", OPT_HEX, '-', "Print as hex dump" },
{ "binary", OPT_BINARY, '-', "Print in binary form" },
{ "xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256" },
{ "d", OPT_DEBUG, '-', "Print debug info" },
{ "debug", OPT_DEBUG, '-', "Print debug info" },
OPT_SECTION("Signing"),
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
{"verify", OPT_VERIFY, 's', "Verify a signature using public key"},
{"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
{"", OPT_DIGEST, '-', "Any supported digest"},
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
{ "sign", OPT_SIGN, 's', "Sign digest using private key" },
{ "verify", OPT_VERIFY, 's', "Verify a signature using public key" },
{ "prverify", OPT_PRVERIFY, 's', "Verify a signature using private key" },
{ "sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form" },
{ "signature", OPT_SIGNATURE, '<', "File with signature to verify" },
{ "hmac", OPT_HMAC, 's', "Create hashed MAC with key" },
{ "mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key" },
{ "", OPT_DIGEST, '-', "Any supported digest" },
{ "fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"file", 0, 0, "Files to digest (optional; default is stdin)"},
{NULL}
{ "file", 0, 0, "Files to digest (optional; default is stdin)" },
{ NULL }
};
int dgst_main(int argc, char **argv)
@@ -123,7 +140,7 @@ int dgst_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -135,7 +152,7 @@ int dgst_main(int argc, char **argv)
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
show_digests, &dec);
show_digests, &dec);
BIO_printf(bio_out, "\n");
ret = EXIT_SUCCESS;
goto end;
@@ -239,7 +256,7 @@ int dgst_main(int argc, char **argv)
if (do_verify && sigfile == NULL) {
BIO_printf(bio_err,
"No signature to verify: use the -signature option\n");
"No signature to verify: use the -signature option\n");
goto end;
}
if (engine_impl)
@@ -331,8 +348,8 @@ int dgst_main(int argc, char **argv)
digestname = SN_sha256;
}
sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
(unsigned char *)hmac_key,
strlen(hmac_key));
(unsigned char *)hmac_key,
strlen(hmac_key));
if (sigkey == NULL)
goto end;
}
@@ -349,17 +366,16 @@ int dgst_main(int argc, char **argv)
if (do_verify)
if (impl == NULL)
res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
res = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
else if (impl == NULL)
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
if (impl == NULL)
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
if (res == 0) {
BIO_printf(bio_err, "Error setting context\n");
goto end;
@@ -370,7 +386,7 @@ int dgst_main(int argc, char **argv)
if (pkey_ctrl_string(pctx, sigopt) <= 0) {
BIO_printf(bio_err, "Signature parameter error \"%s\"\n",
sigopt);
sigopt);
goto end;
}
}
@@ -437,7 +453,7 @@ int dgst_main(int argc, char **argv)
if (argc == 0) {
BIO_set_fp(in, stdin, BIO_NOCLOSE);
ret = do_fp(out, buf, inp, separator, out_bin, xoflen, sigkey, sigbuf,
siglen, NULL, md_name, "stdin");
siglen, NULL, md_name, "stdin");
} else {
const char *sig_name = NULL;
@@ -453,13 +469,13 @@ int dgst_main(int argc, char **argv)
continue;
} else {
if (do_fp(out, buf, inp, separator, out_bin, xoflen,
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
ret = EXIT_FAILURE;
}
(void)BIO_reset(bmd);
}
}
end:
end:
if (ret != EXIT_SUCCESS)
ERR_print_errors(bio_err);
OPENSSL_clear_free(buf, BUFSIZE);
@@ -541,14 +557,13 @@ static const char *newline_escape_filename(const char *file, int *backslash)
e++;
}
file_cpy[i] = '\0';
return (const char*)file_cpy;
return (const char *)file_cpy;
}
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
{
size_t len = BUFSIZE;
int i, backslash = 0, ret = EXIT_FAILURE;
@@ -651,7 +666,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
}
ret = EXIT_SUCCESS;
end:
end:
if (allocated_buf != NULL)
OPENSSL_clear_free(allocated_buf, len);

159
apps/dhparam.c
View File

@@ -36,47 +36,59 @@ static int verbose = 1;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
OPT_DSAPARAM, OPT_2, OPT_3, OPT_5, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
OPT_CHECK,
OPT_TEXT,
OPT_NOOUT,
OPT_DSAPARAM,
OPT_2,
OPT_3,
OPT_5,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dhparam_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"check", OPT_CHECK, '-', "Check the DH parameters"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "check", OPT_CHECK, '-', "Check the DH parameters" },
#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
{ "dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH" },
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format, DER or PEM" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"3", OPT_3, '-', "Generate parameters using 3 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format, DER or PEM" },
{ "text", OPT_TEXT, '-', "Print a text form of the DH parameters" },
{ "noout", OPT_NOOUT, '-', "Don't output any DH parameters" },
{ "2", OPT_2, '-', "Generate parameters using 2 as the generator value" },
{ "3", OPT_3, '-', "Generate parameters using 3 as the generator value" },
{ "5", OPT_5, '-', "Generate parameters using 5 as the generator value" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
{NULL}
{ "numbits", 0, 0, "Number of bits if generating parameters (optional)" },
{ NULL }
};
int dhparam_main(int argc, char **argv)
@@ -96,7 +108,7 @@ int dhparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -175,7 +187,7 @@ int dhparam_main(int argc, char **argv)
if (dsaparam && g) {
BIO_printf(bio_err,
"Error, generator may not be chosen for DSA parameters\n");
"Error, generator may not be chosen for DSA parameters\n");
goto end;
}
@@ -197,22 +209,22 @@ int dhparam_main(int argc, char **argv)
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), alg, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, %s param generation context allocation failed\n",
alg);
"Error, %s param generation context allocation failed\n",
alg);
goto end;
}
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
if (verbose) {
EVP_PKEY_CTX_set_cb(ctx, progress_cb);
BIO_printf(bio_err,
"Generating %s parameters, %d bit long %sprime\n",
alg, num, dsaparam ? "" : "safe ");
"Generating %s parameters, %d bit long %sprime\n",
alg, num, dsaparam ? "" : "safe ");
}
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, unable to initialise %s parameters\n",
alg);
"Error, unable to initialise %s parameters\n",
alg);
goto end;
}
@@ -262,32 +274,34 @@ int dhparam_main(int argc, char **argv)
*/
done = 1;
/*
* We set NULL for the keytype to allow any key type. We don't know
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
* We check that we got one of those key types afterwards.
*/
* We set NULL for the keytype to allow any key type. We don't know
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
* We check that we got one of those key types afterwards.
*/
decoderctx
= OSSL_DECODER_CTX_new_for_pkey(&tmppkey,
(informat == FORMAT_ASN1)
? "DER" : "PEM",
NULL,
(informat == FORMAT_ASN1)
? keytype : NULL,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
NULL, NULL);
(informat == FORMAT_ASN1)
? "DER"
: "PEM",
NULL,
(informat == FORMAT_ASN1)
? keytype
: NULL,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
NULL, NULL);
if (decoderctx != NULL
&& !OSSL_DECODER_from_bio(decoderctx, in)
&& informat == FORMAT_ASN1
&& strcmp(keytype, "DH") == 0) {
&& !OSSL_DECODER_from_bio(decoderctx, in)
&& informat == FORMAT_ASN1
&& strcmp(keytype, "DH") == 0) {
/*
* When reading DER we explicitly state the expected keytype
* because, unlike PEM, there is no header to declare what
* the contents of the DER file are. The decoders just try
* and guess. Unfortunately with DHX key types they may guess
* wrong and think we have a DSA keytype. Therefore, we try
* both DH and DHX sequentially.
*/
* When reading DER we explicitly state the expected keytype
* because, unlike PEM, there is no header to declare what
* the contents of the DER file are. The decoders just try
* and guess. Unfortunately with DHX key types they may guess
* wrong and think we have a DSA keytype. Therefore, we try
* both DH and DHX sequentially.
*/
keytype = "DHX";
/*
* BIO_reset() returns 0 for success for file BIOs only!!!
@@ -313,7 +327,7 @@ int dhparam_main(int argc, char **argv)
goto end;
} else {
if (!EVP_PKEY_is_a(tmppkey, "DH")
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
BIO_printf(bio_err, "Error, unable to load DH parameters\n");
goto end;
}
@@ -339,12 +353,12 @@ int dhparam_main(int argc, char **argv)
}
if (!noout) {
OSSL_ENCODER_CTX *ectx =
OSSL_ENCODER_CTX_new_for_pkey(pkey,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1
? "DER" : "PEM",
NULL, NULL);
OSSL_ENCODER_CTX *ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1
? "DER"
: "PEM",
NULL, NULL);
if (ectx == NULL || !OSSL_ENCODER_to_bio(ectx, out)) {
OSSL_ENCODER_CTX_free(ectx);
@@ -354,7 +368,7 @@ int dhparam_main(int argc, char **argv)
OSSL_ENCODER_CTX_free(ectx);
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free(in);
@@ -380,33 +394,33 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
EVP_PKEY *pkey = NULL;
if (!EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_P, &bn_p)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
bn_p)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
bn_q)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
bn_g)
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
bn_p)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
bn_q)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
bn_g)
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DHX", app_get0_propq());
if (ctx == NULL
|| EVP_PKEY_fromdata_init(ctx) <= 0
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
|| EVP_PKEY_fromdata_init(ctx) <= 0
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
err:
err:
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
OSSL_PARAM_BLD_free(tmpl);
@@ -415,4 +429,3 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
BN_free(bn_g);
return pkey;
}

78
apps/dsa.c
View File

@@ -27,51 +27,63 @@
#include <openssl/core_dispatch.h>
#ifndef OPENSSL_NO_RC4
# define DEFAULT_PVK_ENCR_STRENGTH 2
#define DEFAULT_PVK_ENCR_STRENGTH 2
#else
# define DEFAULT_PVK_ENCR_STRENGTH 0
#define DEFAULT_PVK_ENCR_STRENGTH 0
#endif
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT,
OPT_PVK_NONE,
OPT_PVK_WEAK,
OPT_PVK_STRONG,
OPT_NOOUT,
OPT_TEXT,
OPT_MODULUS,
OPT_PUBIN,
OPT_PUBOUT,
OPT_CIPHER,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsa_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
{ "pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)" },
{ "pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level" },
{ "pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding" },
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, 's', "Input key" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key in text" },
{ "modulus", OPT_MODULUS, '-', "Print the DSA public value" },
{ "pubout", OPT_PUBOUT, '-', "Output public key, not private" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int dsa_main(int argc, char **argv)
@@ -98,7 +110,7 @@ int dsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
ret = 0;
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
@@ -129,9 +141,9 @@ int dsa_main(int argc, char **argv)
case OPT_PASSOUT:
passoutarg = opt_arg();
break;
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
#ifndef OPENSSL_NO_RC4
pvk_encr = (o - OPT_PVK_NONE);
#endif
@@ -252,12 +264,12 @@ int dsa_main(int argc, char **argv)
} else {
assert(private);
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
}
/* Perform the encoding */
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, output_type,
output_structure, NULL);
output_structure, NULL);
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
BIO_printf(bio_err, "%s format not supported\n", output_type);
goto end;
@@ -273,8 +285,8 @@ int dsa_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
/* PVK requires a bit more */
@@ -293,7 +305,7 @@ int dsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
OSSL_ENCODER_CTX_free(ectx);

71
apps/dsaparam.c
View File

@@ -26,40 +26,49 @@ static int verbose = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_NOOUT,
OPT_GENKEY,
OPT_ENGINE,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsaparam_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits] [numqbits]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits] [numqbits]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"text", OPT_TEXT, '-', "Print as text"},
{"noout", OPT_NOOUT, '-', "No output"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "text", OPT_TEXT, '-', "Print as text" },
{ "noout", OPT_NOOUT, '-', "No output" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "genkey", OPT_GENKEY, '-', "Generate a DSA key" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters or key (optional)"},
{"numqbits", 0, 0, "Number of bits in the subprime parameter q if generating parameters or key (optional)"},
{NULL}
{ "numbits", 0, 0, "Number of bits if generating parameters or key (optional)" },
{ "numqbits", 0, 0, "Number of bits in the subprime parameter q if generating parameters or key (optional)" },
{ NULL }
};
int dsaparam_main(int argc, char **argv)
@@ -79,7 +88,7 @@ int dsaparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -157,37 +166,37 @@ int dsaparam_main(int argc, char **argv)
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA parameter generation context allocation failed\n");
"Error, DSA parameter generation context allocation failed\n");
goto end;
}
if (numbits > 0) {
if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
if (verbose) {
EVP_PKEY_CTX_set_cb(ctx, progress_cb);
BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
num);
num);
BIO_printf(bio_err, "This could take some time\n");
}
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation paramgen init failed\n");
"Error, DSA key generation paramgen init failed\n");
goto end;
}
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation setting bit length failed\n");
"Error, DSA key generation setting bit length failed\n");
goto end;
}
if (numqbits > 0) {
if (EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, numqbits) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation setting subprime bit length failed\n");
"Error, DSA key generation setting subprime bit length failed\n");
goto end;
}
}
@@ -220,15 +229,15 @@ int dsaparam_main(int argc, char **argv)
if (genkey) {
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
app_get0_propq());
app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA key generation context allocation failed\n");
"Error, DSA key generation context allocation failed\n");
goto end;
}
if (EVP_PKEY_keygen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, unable to initialise for key generation\n");
"Error, unable to initialise for key generation\n");
goto end;
}
pkey = app_keygen(ctx, "DSA", numbits, verbose);
@@ -241,7 +250,7 @@ int dsaparam_main(int argc, char **argv)
i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);

78
apps/ec.c
View File

@@ -23,42 +23,56 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_NOOUT,
OPT_TEXT,
OPT_PARAM_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PARAM_ENC,
OPT_CONV_FORM,
OPT_CIPHER,
OPT_NO_PUBLIC,
OPT_CHECK,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ec_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"check", OPT_CHECK, '-', "check key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{"param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{ "in", OPT_IN, 's', "Input file" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "check", OPT_CHECK, '-', "check key consistency" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
{ "param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded" },
{ "conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form " },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key"},
{"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key" },
{ "param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters" },
{ "pubout", OPT_PUBOUT, '-', "Output public key, not private" },
{ "no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int ec_main(int argc, char **argv)
@@ -86,7 +100,7 @@ int ec_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -188,15 +202,15 @@ int ec_main(int argc, char **argv)
if (point_format
&& !EVP_PKEY_set_utf8_string_param(
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
BIO_printf(bio_err, "unable to set point conversion format\n");
goto end;
}
if (asn1_encoding != NULL
&& !EVP_PKEY_set_utf8_string_param(
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
goto end;
}
@@ -253,8 +267,8 @@ int ec_main(int argc, char **argv)
}
ectx = OSSL_ENCODER_CTX_new_for_pkey(eckey, selection,
output_type, output_structure,
NULL);
output_type, output_structure,
NULL);
if (enc != NULL) {
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
/* Default passphrase prompter */
@@ -262,8 +276,8 @@ int ec_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
if (!OSSL_ENCODER_to_bio(ectx, out)) {
BIO_printf(bio_err, "unable to write EC key\n");

117
apps/ecparam.c
View File

@@ -23,46 +23,59 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_CHECK,
OPT_LIST_CURVES,
OPT_NO_SEED,
OPT_NOOUT,
OPT_NAME,
OPT_CONV_FORM,
OPT_PARAM_ENC,
OPT_GENKEY,
OPT_ENGINE,
OPT_CHECK_NAMED,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ecparam_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list_curves", OPT_LIST_CURVES, '-',
"Prints a list of all curve 'short names'"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list_curves", OPT_LIST_CURVES, '-',
"Prints a list of all curve 'short names'" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
{ "genkey", OPT_GENKEY, '-', "Generate ec key" },
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)" },
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "outform", OPT_OUTFORM, 'F', "Output format - default PEM" },
OPT_SECTION("Output"),
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
{"param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded"},
{ "text", OPT_TEXT, '-', "Print the ec parameters in text form" },
{ "noout", OPT_NOOUT, '-', "Do not print the ec parameter" },
{ "param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded" },
OPT_SECTION("Parameter"),
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
{"check_named", OPT_CHECK_NAMED, '-',
"Check that named EC curve parameters have not been modified"},
{"no_seed", OPT_NO_SEED, '-',
"If 'explicit' parameters are chosen do not use the seed"},
{"name", OPT_NAME, 's',
"Use the ec parameters with specified 'short name'"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{ "check", OPT_CHECK, '-', "Validate the ec parameters" },
{ "check_named", OPT_CHECK_NAMED, '-',
"Check that named EC curve parameters have not been modified" },
{ "no_seed", OPT_NO_SEED, '-',
"If 'explicit' parameters are chosen do not use the seed" },
{ "name", OPT_NAME, 's',
"Use the ec parameters with specified 'short name'" },
{ "conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form " },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
static int list_builtin_curves(BIO *out)
@@ -116,7 +129,7 @@ int ecparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -210,30 +223,30 @@ int ecparam_main(int argc, char **argv)
if (strcmp(curve_name, "secp192r1") == 0) {
BIO_printf(bio_err,
"using curve name prime192v1 instead of secp192r1\n");
"using curve name prime192v1 instead of secp192r1\n");
curve_name = SN_X9_62_prime192v1;
} else if (strcmp(curve_name, "secp256r1") == 0) {
BIO_printf(bio_err,
"using curve name prime256v1 instead of secp256r1\n");
"using curve name prime256v1 instead of secp256r1\n");
curve_name = SN_X9_62_prime256v1;
}
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
curve_name, 0);
curve_name, 0);
if (asn1_encoding != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
asn1_encoding, 0);
asn1_encoding, 0);
if (point_format != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
*p = OSSL_PARAM_construct_end();
if (OPENSSL_strcasecmp(curve_name, "SM2") == 0)
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "sm2",
app_get0_propq());
app_get0_propq());
else
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "ec",
app_get0_propq());
app_get0_propq());
if (gctx_params == NULL
|| EVP_PKEY_keygen_init(gctx_params) <= 0
|| EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
@@ -243,10 +256,10 @@ int ecparam_main(int argc, char **argv)
}
} else {
params_key = load_keyparams_suppress(infile, informat, 1, "EC",
"EC parameters", 1);
"EC parameters", 1);
if (params_key == NULL)
params_key = load_keyparams_suppress(infile, informat, 1, "SM2",
"SM2 parameters", 1);
"SM2 parameters", 1);
if (params_key == NULL) {
BIO_printf(bio_err, "Unable to load parameters from %s\n", infile);
@@ -255,15 +268,15 @@ int ecparam_main(int argc, char **argv)
if (point_format
&& !EVP_PKEY_set_utf8_string_param(
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
BIO_printf(bio_err, "unable to set point conversion format\n");
goto end;
}
if (asn1_encoding != NULL
&& !EVP_PKEY_set_utf8_string_param(
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
goto end;
}
@@ -271,7 +284,7 @@ int ecparam_main(int argc, char **argv)
if (no_seed
&& !EVP_PKEY_set_octet_string_param(params_key, OSSL_PKEY_PARAM_EC_SEED,
NULL, 0)) {
NULL, 0)) {
BIO_printf(bio_err, "unable to clear seed\n");
goto end;
}
@@ -287,13 +300,13 @@ int ecparam_main(int argc, char **argv)
if (check_named
&& !EVP_PKEY_set_utf8_string_param(params_key,
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
BIO_printf(bio_err, "unable to set check_type\n");
goto end;
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
BIO_printf(bio_err, "unable to set check_type\n");
goto end;
}
pctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
app_get0_propq());
app_get0_propq());
if (pctx == NULL || EVP_PKEY_param_check(pctx) <= 0) {
BIO_printf(bio_err, "failed\n");
goto end;
@@ -306,8 +319,8 @@ int ecparam_main(int argc, char **argv)
if (!noout) {
ectx_params = OSSL_ENCODER_CTX_new_for_pkey(
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
if (!OSSL_ENCODER_to_bio(ectx_params, out)) {
BIO_printf(bio_err, "unable to write elliptic curve parameters\n");
goto end;
@@ -324,7 +337,7 @@ int ecparam_main(int argc, char **argv)
* EVP_PKEY_keygen(gctx, &key) <= 0)
*/
gctx_key = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
app_get0_propq());
app_get0_propq());
if (EVP_PKEY_keygen_init(gctx_key) <= 0
|| EVP_PKEY_keygen(gctx_key, &key) <= 0) {
BIO_printf(bio_err, "unable to generate key\n");
@@ -332,11 +345,11 @@ int ecparam_main(int argc, char **argv)
}
assert(private);
ectx_key = OSSL_ENCODER_CTX_new_for_pkey(
key, OSSL_KEYMGMT_SELECT_ALL,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
key, OSSL_KEYMGMT_SELECT_ALL,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
if (!OSSL_ENCODER_to_bio(ectx_key, out)) {
BIO_printf(bio_err, "unable to write elliptic "
"curve parameters\n");
"curve parameters\n");
goto end;
}
}

189
apps/enc.c
View File

@@ -21,16 +21,16 @@
#include <openssl/rand.h>
#include <openssl/pem.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
#include <openssl/comp.h>
#endif
#include <ctype.h>
#undef SIZE
#undef BSIZE
#define SIZE (512)
#define BSIZE (8*1024)
#define SIZE (512)
#define BSIZE (8 * 1024)
#define PBKDF2_ITER_DEFAULT 10000
#define PBKDF2_ITER_DEFAULT 10000
#define STR(a) XSTR(a)
#define XSTR(a) #a
@@ -45,71 +45,96 @@ struct doall_enc_ciphers {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_LIST,
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM
OPT_E,
OPT_IN,
OPT_OUT,
OPT_PASS,
OPT_ENGINE,
OPT_D,
OPT_P,
OPT_V,
OPT_NOPAD,
OPT_SALT,
OPT_NOSALT,
OPT_DEBUG,
OPT_UPPER_P,
OPT_UPPER_A,
OPT_A,
OPT_Z,
OPT_BUFSIZE,
OPT_K,
OPT_KFILE,
OPT_UPPER_K,
OPT_NONE,
OPT_UPPER_S,
OPT_IV,
OPT_MD,
OPT_ITER,
OPT_PBKDF2,
OPT_CIPHER,
OPT_SALTLEN,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS enc_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List ciphers"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list", OPT_LIST, '-', "List ciphers" },
#ifndef OPENSSL_NO_DEPRECATED_3_0
{"ciphers", OPT_LIST, '-', "Alias for -list"},
{ "ciphers", OPT_LIST, '-', "Alias for -list" },
#endif
{"e", OPT_E, '-', "Encrypt"},
{"d", OPT_D, '-', "Decrypt"},
{"p", OPT_P, '-', "Print the iv/key"},
{"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
{ "e", OPT_E, '-', "Encrypt" },
{ "d", OPT_D, '-', "Decrypt" },
{ "p", OPT_P, '-', "Print the iv/key" },
{ "P", OPT_UPPER_P, '-', "Print the iv/key and exit" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"k", OPT_K, 's', "Passphrase"},
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
{ "in", OPT_IN, '<', "Input file" },
{ "k", OPT_K, 's', "Passphrase" },
{ "kfile", OPT_KFILE, '<', "Read passphrase from file" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"pass", OPT_PASS, 's', "Passphrase source"},
{"v", OPT_V, '-', "Verbose output"},
{"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
{"base64", OPT_A, '-', "Same as option -a"},
{"A", OPT_UPPER_A, '-',
"Used with -[base64|a] to specify base64 buffer as a single line"},
{ "out", OPT_OUT, '>', "Output file" },
{ "pass", OPT_PASS, 's', "Passphrase source" },
{ "v", OPT_V, '-', "Verbose output" },
{ "a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag" },
{ "base64", OPT_A, '-', "Same as option -a" },
{ "A", OPT_UPPER_A, '-',
"Used with -[base64|a] to specify base64 buffer as a single line" },
OPT_SECTION("Encryption"),
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
{"debug", OPT_DEBUG, '-', "Print debug info"},
{ "nopad", OPT_NOPAD, '-', "Disable standard block padding" },
{ "salt", OPT_SALT, '-', "Use salt in the KDF (default)" },
{ "nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF" },
{ "debug", OPT_DEBUG, '-', "Print debug info" },
{"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
{"K", OPT_UPPER_K, 's', "Raw key, in hex"},
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
{"iv", OPT_IV, 's', "IV in hex"},
{"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"},
{"iter", OPT_ITER, 'p',
"Specify the iteration count and force the use of PBKDF2"},
{OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)},
{"pbkdf2", OPT_PBKDF2, '-',
"Use password-based key derivation function 2 (PBKDF2)"},
{OPT_MORE_STR, 0, 0,
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)},
{"none", OPT_NONE, '-', "Don't encrypt"},
{"saltlen", OPT_SALTLEN, 'p', "Specify the PBKDF2 salt length (in bytes)"},
{OPT_MORE_STR, 0, 0, "Default: 16"},
{ "bufsize", OPT_BUFSIZE, 's', "Buffer size" },
{ "K", OPT_UPPER_K, 's', "Raw key, in hex" },
{ "S", OPT_UPPER_S, 's', "Salt, in hex" },
{ "iv", OPT_IV, 's', "IV in hex" },
{ "md", OPT_MD, 's', "Use specified digest to create a key from the passphrase" },
{ "iter", OPT_ITER, 'p',
"Specify the iteration count and force the use of PBKDF2" },
{ OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT) },
{ "pbkdf2", OPT_PBKDF2, '-',
"Use password-based key derivation function 2 (PBKDF2)" },
{ OPT_MORE_STR, 0, 0,
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT) },
{ "none", OPT_NONE, '-', "Don't encrypt" },
{ "saltlen", OPT_SALTLEN, 'p', "Specify the PBKDF2 salt length (in bytes)" },
{ OPT_MORE_STR, 0, 0, "Default: 16" },
#ifndef OPENSSL_NO_ZLIB
{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
{ "z", OPT_Z, '-', "Compress or decompress encrypted data using zlib" },
#endif
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "", OPT_CIPHER, '-', "Any supported cipher" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int enc_main(int argc, char **argv)
@@ -117,8 +142,7 @@ int enc_main(int argc, char **argv)
static char buf[128];
static const char magic[] = "Salted__";
ENGINE *e = NULL;
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
NULL, *wbio = NULL;
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = NULL, *wbio = NULL;
EVP_CIPHER_CTX *ctx = NULL;
EVP_CIPHER *cipher = NULL;
EVP_MD *dgst = NULL;
@@ -175,7 +199,7 @@ int enc_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -187,7 +211,7 @@ int enc_main(int argc, char **argv)
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
show_ciphers, &dec);
show_ciphers, &dec);
BIO_printf(bio_out, "\n");
ret = 0;
goto end;
@@ -248,7 +272,7 @@ int enc_main(int argc, char **argv)
if (k)
p[i] = '\0';
if (!opt_long(opt_arg(), &n)
|| n < 0 || (k && n >= LONG_MAX / 1024))
|| n < 0 || (k && n >= LONG_MAX / 1024))
goto opthelp;
if (k)
n *= 1024;
@@ -268,7 +292,7 @@ int enc_main(int argc, char **argv)
in = NULL;
if (i <= 0) {
BIO_printf(bio_err,
"%s Can't read key from %s\n", prog, opt_arg());
"%s Can't read key from %s\n", prog, opt_arg());
goto opthelp;
}
while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n'))
@@ -306,7 +330,7 @@ int enc_main(int argc, char **argv)
break;
case OPT_PBKDF2:
pbkdf2 = 1;
if (iter == 0) /* do not overwrite a chosen value */
if (iter == 0) /* do not overwrite a chosen value */
iter = PBKDF2_ITER_DEFAULT;
break;
case OPT_NONE:
@@ -374,7 +398,7 @@ int enc_main(int argc, char **argv)
buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
if (infile == NULL) {
if (!streamable && printkey != 2) { /* if just print key and exit, it's ok */
if (!streamable && printkey != 2) { /* if just print key and exit, it's ok */
BIO_printf(bio_err, "Unstreamable cipher mode\n");
goto end;
}
@@ -400,8 +424,8 @@ int enc_main(int argc, char **argv)
char prompt[200];
BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:",
EVP_CIPHER_get0_name(cipher),
(enc) ? "encryption" : "decryption");
EVP_CIPHER_get0_name(cipher),
(enc) ? "encryption" : "decryption");
strbuf[0] = '\0';
i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
if (i == 0) {
@@ -439,7 +463,7 @@ int enc_main(int argc, char **argv)
wbio = out;
#ifndef OPENSSL_NO_COMP
# ifndef OPENSSL_NO_ZLIB
#ifndef OPENSSL_NO_ZLIB
if (do_zlib) {
if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
goto end;
@@ -452,7 +476,7 @@ int enc_main(int argc, char **argv)
else
rbio = BIO_push(bzl, rbio);
}
# endif
#endif
if (do_brotli) {
if ((bbrot = BIO_new(BIO_f_brotli())) == NULL)
@@ -513,7 +537,7 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "invalid hex salt value\n");
goto end;
}
if (enc) { /* encryption */
if (enc) { /* encryption */
if (hsalt == NULL) {
if (RAND_bytes(salt, saltlen) <= 0) {
BIO_printf(bio_err, "RAND_bytes failed\n");
@@ -525,15 +549,17 @@ int enc_main(int argc, char **argv)
*/
if ((printkey != 2)
&& (BIO_write(wbio, magic,
sizeof(magic) - 1) != sizeof(magic) - 1
sizeof(magic) - 1)
!= sizeof(magic) - 1
|| BIO_write(wbio,
(char *)salt,
saltlen) != saltlen)) {
(char *)salt,
saltlen)
!= saltlen)) {
BIO_printf(bio_err, "error writing output file\n");
goto end;
}
}
} else { /* decryption */
} else { /* decryption */
if (hsalt == NULL) {
if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)) {
BIO_printf(bio_err, "error reading input file\n");
@@ -541,7 +567,8 @@ int enc_main(int argc, char **argv)
}
if (memcmp(mbuf, magic, sizeof(mbuf)) == 0) { /* file IS salted */
if (BIO_read(rbio, salt,
saltlen) != saltlen) {
saltlen)
!= saltlen) {
BIO_printf(bio_err, "error reading input file\n");
goto end;
}
@@ -556,9 +583,9 @@ int enc_main(int argc, char **argv)
if (pbkdf2 == 1) {
/*
* derive key and default iv
* concatenated into a temporary buffer
*/
* derive key and default iv
* concatenated into a temporary buffer
*/
unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
int iklen = EVP_CIPHER_get_key_length(cipher);
int ivlen = EVP_CIPHER_get_iv_length(cipher);
@@ -566,20 +593,20 @@ int enc_main(int argc, char **argv)
int islen = (sptr != NULL ? saltlen : 0);
if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen,
iter, dgst, iklen+ivlen, tmpkeyiv)) {
iter, dgst, iklen + ivlen, tmpkeyiv)) {
BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n");
goto end;
}
/* split and move data back to global buffer */
memcpy(key, tmpkeyiv, iklen);
memcpy(iv, tmpkeyiv+iklen, ivlen);
memcpy(iv, tmpkeyiv + iklen, ivlen);
} else {
BIO_printf(bio_err, "*** WARNING : "
"deprecated key derivation used.\n"
"Using -iter or -pbkdf2 would be better.\n");
if (!EVP_BytesToKey(cipher, dgst, sptr,
(unsigned char *)str, str_len,
1, key, iv)) {
(unsigned char *)str, str_len,
1, key, iv)) {
BIO_printf(bio_err, "EVP_BytesToKey failed\n");
goto end;
}
@@ -637,7 +664,7 @@ int enc_main(int argc, char **argv)
if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
BIO_printf(bio_err, "Error setting cipher %s\n",
EVP_CIPHER_get0_name(cipher));
EVP_CIPHER_get0_name(cipher));
ERR_print_errors(bio_err);
goto end;
}
@@ -646,9 +673,9 @@ int enc_main(int argc, char **argv)
EVP_CIPHER_CTX_set_padding(ctx, 0);
if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
(hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
(hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
BIO_printf(bio_err, "Error setting cipher %s\n",
EVP_CIPHER_get0_name(cipher));
EVP_CIPHER_get0_name(cipher));
ERR_print_errors(bio_err);
goto end;
}
@@ -692,7 +719,7 @@ int enc_main(int argc, char **argv)
inl = BIO_read(rbio, (char *)buff, bsize);
if (inl <= 0)
break;
if (!streamable && !BIO_eof(rbio)) { /* do not output data */
if (!streamable && !BIO_eof(rbio)) { /* do not output data */
BIO_printf(bio_err, "Unstreamable cipher mode\n");
goto end;
}
@@ -716,7 +743,7 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "bytes read : %8ju\n", BIO_number_read(in));
BIO_printf(bio_err, "bytes written: %8ju\n", BIO_number_written(out));
}
end:
end:
ERR_print_errors(bio_err);
OPENSSL_free(strbuf);
OPENSSL_free(buff);
@@ -747,8 +774,8 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
/* Filter out ciphers that we cannot use */
cipher = EVP_get_cipherbyname(name->name);
if (cipher == NULL
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
return;
BIO_printf(dec->bio, "-%-25s", name->name);

112
apps/engine.c
View File

@@ -24,32 +24,39 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
OPT_C,
OPT_T,
OPT_TT,
OPT_PRE,
OPT_POST,
OPT_V = 100,
OPT_VV,
OPT_VVV,
OPT_VVVV
} OPTION_CHOICE;
const OPTIONS engine_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"t", OPT_T, '-', "Check that specified engine is available"},
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "t", OPT_T, '-', "Check that specified engine is available" },
{ "pre", OPT_PRE, 's', "Run command against the ENGINE before loading it" },
{ "post", OPT_POST, 's', "Run command against the ENGINE after loading it" },
OPT_SECTION("Output"),
{"v", OPT_V, '-', "List 'control commands' For each specified engine"},
{"vv", OPT_VV, '-', "Also display each command's description"},
{"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
{"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
{"c", OPT_C, '-', "List the capabilities of specified engine"},
{"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
{OPT_MORE_STR, OPT_EOF, 1,
"Commands are like \"SO_PATH:/lib/libdriver.so\""},
{ "v", OPT_V, '-', "List 'control commands' For each specified engine" },
{ "vv", OPT_VV, '-', "Also display each command's description" },
{ "vvv", OPT_VVV, '-', "Also add the input flags for each command" },
{ "vvvv", OPT_VVVV, '-', "Also show internal input flags" },
{ "c", OPT_C, '-', "List the capabilities of specified engine" },
{ "tt", OPT_TT, '-', "Display error trace for unavailable engines" },
{ OPT_MORE_STR, OPT_EOF, 1,
"Commands are like \"SO_PATH:/lib/libdriver.so\"" },
OPT_PARAMETERS(),
{"engine", 0, 0, "ID of engine(s) to load"},
{NULL}
{ "engine", 0, 0, "ID of engine(s) to load" },
{ NULL }
};
static int append_buf(char **buf, int *size, const char *s)
@@ -133,9 +140,7 @@ static int util_flags(BIO *out, unsigned int flags, const char *indent)
started = 1;
}
/* Check for unknown flags */
flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
~ENGINE_CMD_FLAG_STRING &
~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
flags = flags & ~ENGINE_CMD_FLAG_NUMERIC & ~ENGINE_CMD_FLAG_STRING & ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
if (flags) {
if (started)
BIO_printf(out, "|");
@@ -157,9 +162,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
int flags;
int xpos = 0;
STACK_OF(OPENSSL_STRING) *cmds = NULL;
if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
0, NULL, NULL)) <= 0)) {
if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, 0, NULL, NULL)) <= 0)) {
return 1;
}
@@ -171,25 +174,30 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
int len;
/* Get the command input flags */
if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
NULL, NULL)) < 0)
NULL, NULL))
< 0)
goto err;
if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
/* Get the command name */
if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
NULL, NULL)) <= 0)
NULL, NULL))
<= 0)
goto err;
name = app_malloc(len + 1, "name buffer");
if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
NULL) <= 0)
NULL)
<= 0)
goto err;
/* Get the command description */
if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
NULL, NULL)) < 0)
NULL, NULL))
< 0)
goto err;
if (len > 0) {
desc = app_malloc(len + 1, "description buffer");
if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
NULL) <= 0)
NULL)
<= 0)
goto err;
}
/* Now decide on the output */
@@ -203,8 +211,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
/*
* We're just listing names, comma-delimited
*/
if ((xpos > (int)strlen(indent)) &&
(xpos + (int)strlen(name) > line_wrap)) {
if ((xpos > (int)strlen(indent)) && (xpos + (int)strlen(name) > line_wrap)) {
BIO_printf(out, "\n");
xpos = BIO_puts(out, indent);
}
@@ -212,7 +219,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
} else {
/* We're listing names plus descriptions */
BIO_printf(out, "%s: %s\n", name,
(desc == NULL) ? "<no description>" : desc);
(desc == NULL) ? "<no description>" : desc);
/* ... and sometimes input flags */
if ((verbose >= 3) && !util_flags(out, flags, indent))
goto err;
@@ -229,7 +236,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
if (xpos > 0)
BIO_printf(out, "\n");
ret = 1;
err:
err:
sk_OPENSSL_STRING_free(cmds);
OPENSSL_free(name);
OPENSSL_free(desc);
@@ -237,7 +244,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
}
static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
BIO *out, const char *indent)
BIO *out, const char *indent)
{
int loop, res, num = sk_OPENSSL_STRING_num(cmds);
@@ -249,7 +256,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
char buf[256];
const char *cmd, *arg;
cmd = sk_OPENSSL_STRING_value(cmds, loop);
res = 1; /* assume success */
res = 1; /* assume success */
/* Check if this command has no ":arg" */
if ((arg = strchr(cmd, ':')) == NULL) {
if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
@@ -261,7 +268,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
}
memcpy(buf, cmd, (int)(arg - cmd));
buf[arg - cmd] = '\0';
arg++; /* Move past the ":" */
arg++; /* Move past the ":" */
/* Call the command with the argument */
if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
res = 0;
@@ -288,7 +295,7 @@ static void util_store_cap(const OSSL_STORE_LOADER *loader, void *arg)
if (OSSL_STORE_LOADER_get0_engine(loader) == ctx->engine) {
char buf[256];
BIO_snprintf(buf, sizeof(buf), "STORE(%s)",
OSSL_STORE_LOADER_get0_scheme(loader));
OSSL_STORE_LOADER_get0_scheme(loader));
if (!append_buf(ctx->cap_buf, ctx->cap_size, buf))
ctx->ok = 0;
}
@@ -365,10 +372,10 @@ int engine_main(int argc, char **argv)
/* Any remaining arguments are engine names. */
argc = opt_num_rest();
argv = opt_rest();
for ( ; *argv; argv++) {
for (; *argv; argv++) {
if (**argv == '-') {
BIO_printf(bio_err, "%s: Cannot mix flags and engine names.\n",
prog);
prog);
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
}
@@ -393,7 +400,7 @@ int engine_main(int argc, char **argv)
util_do_cmds(e, pre_cmds, out, indent);
if (strcmp(ENGINE_get_id(e), id) != 0) {
BIO_printf(out, "Loaded: (%s) %s\n",
ENGINE_get_id(e), ENGINE_get_name(e));
ENGINE_get_id(e), ENGINE_get_name(e));
}
if (list_cap) {
int cap_size = 256;
@@ -428,7 +435,7 @@ int engine_main(int argc, char **argv)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_ciphers:
skip_ciphers:
fn_d = ENGINE_get_digests(e);
if (fn_d == NULL)
goto skip_digests;
@@ -437,7 +444,7 @@ int engine_main(int argc, char **argv)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_digests:
skip_digests:
fn_pk = ENGINE_get_pkey_meths(e);
if (fn_pk == NULL)
goto skip_pmeths;
@@ -445,19 +452,18 @@ int engine_main(int argc, char **argv)
for (k = 0; k < n; ++k)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_pmeths:
{
struct util_store_cap_data store_ctx;
skip_pmeths: {
struct util_store_cap_data store_ctx;
store_ctx.engine = e;
store_ctx.cap_buf = &cap_buf;
store_ctx.cap_size = &cap_size;
store_ctx.ok = 1;
store_ctx.engine = e;
store_ctx.cap_buf = &cap_buf;
store_ctx.cap_size = &cap_size;
store_ctx.ok = 1;
OSSL_STORE_do_all_loaders(util_store_cap, &store_ctx);
if (!store_ctx.ok)
goto end;
}
OSSL_STORE_do_all_loaders(util_store_cap, &store_ctx);
if (!store_ctx.ok)
goto end;
}
if (cap_buf != NULL && (*cap_buf != '\0'))
BIO_printf(out, " [%s]\n", cap_buf);
@@ -487,7 +493,7 @@ int engine_main(int argc, char **argv)
}
}
end:
end:
ERR_print_errors(bio_err);
sk_OPENSSL_CSTRING_free(engines);

17
apps/errstr.c
View File

@@ -17,18 +17,20 @@
#include <openssl/ssl.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP
OPT_ERR = -1,
OPT_EOF = 0,
OPT_HELP
} OPTION_CHOICE;
const OPTIONS errstr_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_PARAMETERS(),
{"errnum", 0, 0, "Error number(s) to decode"},
{NULL}
{ "errnum", 0, 0, "Error number(s) to decode" },
{ NULL }
};
int errstr_main(int argc, char **argv)
@@ -57,7 +59,8 @@ int errstr_main(int argc, char **argv)
* we're still interested in SSL error strings
*/
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
NULL);
/* All remaining arg are error code. */
ret = 0;
@@ -69,6 +72,6 @@ int errstr_main(int argc, char **argv)
BIO_printf(bio_out, "%s\n", buf);
}
}
end:
end:
return ret;
}

516
apps/fipsinstall.c
View File

@@ -21,8 +21,8 @@
#define BUFSIZE 4096
/* Configuration file values */
#define VERSION_KEY "version"
#define VERSION_VAL "1"
#define VERSION_KEY "version"
#define VERSION_VAL "1"
#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
static OSSL_CALLBACK self_test_events;
@@ -33,15 +33,29 @@ static int quiet = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC,
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
OPT_IN,
OPT_OUT,
OPT_MODULE,
OPT_PEDANTIC,
OPT_PROV_NAME,
OPT_SECTION_NAME,
OPT_MAC_NAME,
OPT_MACOPT,
OPT_VERIFY,
OPT_NO_LOG,
OPT_CORRUPT_DESC,
OPT_CORRUPT_TYPE,
OPT_QUIET,
OPT_CONFIG,
OPT_NO_CONDITIONAL_ERRORS,
OPT_NO_SECURITY_CHECKS,
OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC,
OPT_DISALLOW_PKCS15_PADDING, OPT_RSA_PSS_SALTLEN_CHECK,
OPT_TLS_PRF_EMS_CHECK,
OPT_NO_SHORT_MAC,
OPT_DISALLOW_PKCS15_PADDING,
OPT_RSA_PSS_SALTLEN_CHECK,
OPT_DISALLOW_SIGNATURE_X931_PADDING,
OPT_HMAC_KEY_CHECK, OPT_KMAC_KEY_CHECK,
OPT_HMAC_KEY_CHECK,
OPT_KMAC_KEY_CHECK,
OPT_DISALLOW_DRGB_TRUNC_DIGEST,
OPT_SIGNATURE_DIGEST_CHECK,
OPT_HKDF_DIGEST_CHECK,
@@ -62,93 +76,94 @@ typedef enum OPTION_choice {
OPT_X942KDF_KEY_CHECK,
OPT_NO_PBKDF2_LOWER_BOUND_CHECK,
OPT_ECDH_COFACTOR_CHECK,
OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
OPT_SELF_TEST_ONLOAD,
OPT_SELF_TEST_ONINSTALL
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
{"verify", OPT_VERIFY, '-',
"Verify a config file instead of generating one"},
{"module", OPT_MODULE, '<', "File name of the provider module"},
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
{"section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)"},
{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
"Disable the ability of the fips module to enter an error state if"
" any conditional self tests fail"},
{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
"Disable the run-time FIPS security checks in the module"},
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load"},
{"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
"Forces self tests to run once on module installation"},
{"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
"Enable the run-time FIPS check for EMS during TLS1_PRF"},
{"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"},
{"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
"Disallow truncated digests with Hash and HMAC DRBGs"},
{"signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
"Enable checking for approved digests for signatures"},
{"hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC"},
{"kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC"},
{"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
"Enable digest check for HKDF"},
{"tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
"Enable digest check for TLS13-KDF"},
{"tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
"Enable digest check for TLS1-PRF"},
{"sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
"Enable digest check for SSHKDF"},
{"sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
"Enable digest check for SSKDF"},
{"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
"Enable digest check for X963KDF"},
{"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
"Disallow DSA signing"},
{"tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
"Disallow Triple-DES encryption"},
{"rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
"Disallow PKCS#1 version 1.5 padding for RSA encryption"},
{"rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
"Enable salt length check for RSA-PSS signature operations"},
{"rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
"Disallow X931 Padding for RSA signing"},
{"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
"Enable key check for HKDF"},
{"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
"Enable key check for KBKDF"},
{"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
"Enable key check for TLS13-KDF"},
{"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
"Enable key check for TLS1-PRF"},
{"sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
"Enable key check for SSHKDF"},
{"sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
"Enable key check for SSKDF"},
{"x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
"Enable key check for X963KDF"},
{"x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
"Enable key check for X942KDF"},
{"no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
"Disable lower bound check for PBKDF2"},
{"ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
"Enable Cofactor check for ECDH"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance" },
{ "verify", OPT_VERIFY, '-',
"Verify a config file instead of generating one" },
{ "module", OPT_MODULE, '<', "File name of the provider module" },
{ "provider_name", OPT_PROV_NAME, 's', "FIPS provider name" },
{ "section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)" },
{ "no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
"Disable the ability of the fips module to enter an error state if"
" any conditional self tests fail" },
{ "no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
"Disable the run-time FIPS security checks in the module" },
{ "self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load" },
{ "self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
"Forces self tests to run once on module installation" },
{ "ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
"Enable the run-time FIPS check for EMS during TLS1_PRF" },
{ "no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output" },
{ "no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
"Disallow truncated digests with Hash and HMAC DRBGs" },
{ "signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
"Enable checking for approved digests for signatures" },
{ "hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC" },
{ "kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC" },
{ "hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
"Enable digest check for HKDF" },
{ "tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
"Enable digest check for TLS13-KDF" },
{ "tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
"Enable digest check for TLS1-PRF" },
{ "sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
"Enable digest check for SSHKDF" },
{ "sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
"Enable digest check for SSKDF" },
{ "x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
"Enable digest check for X963KDF" },
{ "dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
"Disallow DSA signing" },
{ "tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
"Disallow Triple-DES encryption" },
{ "rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
"Disallow PKCS#1 version 1.5 padding for RSA encryption" },
{ "rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
"Enable salt length check for RSA-PSS signature operations" },
{ "rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
"Disallow X931 Padding for RSA signing" },
{ "hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
"Enable key check for HKDF" },
{ "kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
"Enable key check for KBKDF" },
{ "tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
"Enable key check for TLS13-KDF" },
{ "tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
"Enable key check for TLS1-PRF" },
{ "sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
"Enable key check for SSHKDF" },
{ "sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
"Enable key check for SSKDF" },
{ "x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
"Enable key check for X963KDF" },
{ "x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
"Enable key check for X942KDF" },
{ "no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
"Disable lower bound check for PBKDF2" },
{ "ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
"Enable Cofactor check for ECDH" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
{ "in", OPT_IN, '<', "Input config file, used when verifying" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output config file, used when generating"},
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."},
{OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
{"config", OPT_CONFIG, '<', "The parent config to verify"},
{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
{NULL}
{ "out", OPT_OUT, '>', "Output config file, used when generating" },
{ "mac_name", OPT_MAC_NAME, 's', "MAC name" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form." },
{ OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs" },
{ "noout", OPT_NO_LOG, '-', "Disable logging of self test events" },
{ "corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description" },
{ "corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type" },
{ "config", OPT_CONFIG, '<', "The parent config to verify" },
{ "quiet", OPT_QUIET, '-', "No messages, just exit status" },
{ NULL }
};
typedef struct {
@@ -186,70 +201,70 @@ typedef struct {
/* Pedantic FIPS compliance */
static const FIPS_OPTS pedantic_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
1, /* hmac_key_check */
1, /* kmac_key_check */
1, /* tls_prf_ems_check */
1, /* no_short_mac */
1, /* drgb_no_trunc_dgst */
1, /* signature_digest_check */
1, /* hkdf_digest_check */
1, /* tls13_kdf_digest_check */
1, /* tls1_prf_digest_check */
1, /* sshkdf_digest_check */
1, /* sskdf_digest_check */
1, /* x963kdf_digest_check */
1, /* dsa_sign_disabled */
1, /* tdes_encrypt_disabled */
1, /* rsa_pkcs15_padding_disabled */
1, /* rsa_pss_saltlen_check */
1, /* sign_x931_padding_disabled */
1, /* hkdf_key_check */
1, /* kbkdf_key_check */
1, /* tls13_kdf_key_check */
1, /* tls1_prf_key_check */
1, /* sshkdf_key_check */
1, /* sskdf_key_check */
1, /* x963kdf_key_check */
1, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
1, /* ecdh_cofactor_check */
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
1, /* hmac_key_check */
1, /* kmac_key_check */
1, /* tls_prf_ems_check */
1, /* no_short_mac */
1, /* drgb_no_trunc_dgst */
1, /* signature_digest_check */
1, /* hkdf_digest_check */
1, /* tls13_kdf_digest_check */
1, /* tls1_prf_digest_check */
1, /* sshkdf_digest_check */
1, /* sskdf_digest_check */
1, /* x963kdf_digest_check */
1, /* dsa_sign_disabled */
1, /* tdes_encrypt_disabled */
1, /* rsa_pkcs15_padding_disabled */
1, /* rsa_pss_saltlen_check */
1, /* sign_x931_padding_disabled */
1, /* hkdf_key_check */
1, /* kbkdf_key_check */
1, /* tls13_kdf_key_check */
1, /* tls1_prf_key_check */
1, /* sshkdf_key_check */
1, /* sskdf_key_check */
1, /* x963kdf_key_check */
1, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
1, /* ecdh_cofactor_check */
};
/* Default FIPS settings for backward compatibility */
static FIPS_OPTS fips_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
0, /* hmac_key_check */
0, /* kmac_key_check */
0, /* tls_prf_ems_check */
0, /* no_short_mac */
0, /* drgb_no_trunc_dgst */
0, /* signature_digest_check */
0, /* hkdf_digest_check */
0, /* tls13_kdf_digest_check */
0, /* tls1_prf_digest_check */
0, /* sshkdf_digest_check */
0, /* sskdf_digest_check */
0, /* x963kdf_digest_check */
0, /* dsa_sign_disabled */
0, /* tdes_encrypt_disabled */
0, /* rsa_pkcs15_padding_disabled */
0, /* rsa_pss_saltlen_check */
0, /* sign_x931_padding_disabled */
0, /* hkdf_key_check */
0, /* kbkdf_key_check */
0, /* tls13_kdf_key_check */
0, /* tls1_prf_key_check */
0, /* sshkdf_key_check */
0, /* sskdf_key_check */
0, /* x963kdf_key_check */
0, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
0, /* ecdh_cofactor_check */
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
0, /* hmac_key_check */
0, /* kmac_key_check */
0, /* tls_prf_ems_check */
0, /* no_short_mac */
0, /* drgb_no_trunc_dgst */
0, /* signature_digest_check */
0, /* hkdf_digest_check */
0, /* tls13_kdf_digest_check */
0, /* tls1_prf_digest_check */
0, /* sshkdf_digest_check */
0, /* sskdf_digest_check */
0, /* x963kdf_digest_check */
0, /* dsa_sign_disabled */
0, /* tdes_encrypt_disabled */
0, /* rsa_pkcs15_padding_disabled */
0, /* rsa_pss_saltlen_check */
0, /* sign_x931_padding_disabled */
0, /* hkdf_key_check */
0, /* kbkdf_key_check */
0, /* tls13_kdf_key_check */
0, /* tls1_prf_key_check */
0, /* sshkdf_key_check */
0, /* sskdf_key_check */
0, /* x963kdf_key_check */
0, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
0, /* ecdh_cofactor_check */
};
static int check_non_pedantic_fips(int pedantic, const char *name)
@@ -262,7 +277,7 @@ static int check_non_pedantic_fips(int pedantic, const char *name)
}
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
unsigned char *out, size_t *out_len)
unsigned char *out, size_t *out_len)
{
int ret = 0;
int i;
@@ -298,11 +313,11 @@ static int load_fips_prov_and_run_self_test(const char *prov_name)
}
if (!quiet) {
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
&name, sizeof(name));
&name, sizeof(name));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
&vers, sizeof(vers));
&vers, sizeof(vers));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
&build, sizeof(build));
&build, sizeof(build));
*p = OSSL_PARAM_construct_end();
if (!OSSL_PROVIDER_get_params(prov, params)) {
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
@@ -322,7 +337,7 @@ end:
}
static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
size_t len)
size_t len)
{
int ret;
char *hexstr = NULL;
@@ -336,13 +351,13 @@ static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
}
static int write_config_header(BIO *out, const char *prov_name,
const char *section)
const char *section)
{
return BIO_printf(out, "openssl_conf = openssl_init\n\n")
&& BIO_printf(out, "[openssl_init]\n")
&& BIO_printf(out, "providers = provider_section\n\n")
&& BIO_printf(out, "[provider_section]\n")
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
&& BIO_printf(out, "[openssl_init]\n")
&& BIO_printf(out, "providers = provider_section\n\n")
&& BIO_printf(out, "[provider_section]\n")
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
}
/*
@@ -353,94 +368,125 @@ static int write_config_header(BIO *out, const char *prov_name,
* Returns 1 if the config file is written otherwise it returns 0 on error.
*/
static int write_config_fips_section(BIO *out, const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts,
unsigned char *install_mac,
size_t install_mac_len)
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts,
unsigned char *install_mac,
size_t install_mac_len)
{
int ret = 0;
if (BIO_printf(out, "[%s]\n", section) <= 0
|| BIO_printf(out, "activate = 1\n") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
VERSION_VAL) <= 0
VERSION_VAL)
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
opts->conditional_errors ? "1" : "0") <= 0
opts->conditional_errors ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
opts->security_checks ? "1" : "0") <= 0
opts->security_checks ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
opts->hmac_key_check ? "1": "0") <= 0
opts->hmac_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
opts->kmac_key_check ? "1": "0") <= 0
opts->kmac_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
opts->tls_prf_ems_check ? "1" : "0") <= 0
opts->tls_prf_ems_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
opts->no_short_mac ? "1" : "0") <= 0
opts->no_short_mac ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
opts->drgb_no_trunc_dgst ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
opts->signature_digest_check ? "1" : "0") <= 0
opts->signature_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
opts->hkdf_digest_check ? "1": "0") <= 0
opts->hkdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
opts->tls13_kdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
opts->tls13_kdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
opts->tls1_prf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
opts->tls1_prf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
opts->sshkdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
opts->sshkdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
opts->sskdf_digest_check ? "1": "0") <= 0
opts->sskdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
opts->x963kdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
opts->x963kdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
opts->dsa_sign_disabled ? "1" : "0") <= 0
opts->dsa_sign_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
opts->tdes_encrypt_disabled ? "1" : "0") <= 0
opts->tdes_encrypt_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
opts->rsa_pkcs15_padding_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
opts->rsa_pss_saltlen_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
opts->sign_x931_padding_disabled ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
opts->sign_x931_padding_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
opts->hkdf_key_check ? "1": "0") <= 0
opts->hkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
opts->kbkdf_key_check ? "1": "0") <= 0
opts->kbkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
opts->tls13_kdf_key_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
opts->tls13_kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
opts->tls1_prf_key_check ? "1": "0") <= 0
opts->tls1_prf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
opts->sshkdf_key_check ? "1": "0") <= 0
opts->sshkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
opts->sskdf_key_check ? "1": "0") <= 0
opts->sskdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
opts->x963kdf_key_check ? "1": "0") <= 0
opts->x963kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X942KDF_KEY_CHECK,
opts->x942kdf_key_check ? "1": "0") <= 0
opts->x942kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
opts->pbkdf2_lower_bound_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
opts->ecdh_cofactor_check ? "1": "0") <= 0
opts->ecdh_cofactor_check ? "1" : "0")
<= 0
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
module_mac_len))
module_mac_len))
goto end;
if (install_mac != NULL && install_mac_len > 0) {
if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
install_mac_len)
install_mac_len)
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
INSTALL_STATUS_VAL) <= 0)
INSTALL_STATUS_VAL)
<= 0)
goto end;
}
ret = 1;
@@ -449,10 +495,10 @@ end:
}
static CONF *generate_config_and_load(const char *prov_name,
const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts)
const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts)
{
BIO *mem_bio = NULL;
CONF *conf = NULL;
@@ -462,8 +508,8 @@ static CONF *generate_config_and_load(const char *prov_name,
return 0;
if (!write_config_header(mem_bio, prov_name, section)
|| !write_config_fips_section(mem_bio, section,
module_mac, module_mac_len,
opts, NULL, 0))
module_mac, module_mac_len,
opts, NULL, 0))
goto end;
conf = app_load_config_bio(mem_bio, NULL);
@@ -498,8 +544,8 @@ static int verify_module_load(const char *parent_config_file)
* install_mac values, otherwise it returns 0.
*/
static int verify_config(const char *infile, const char *section,
unsigned char *module_mac, size_t module_mac_len,
unsigned char *install_mac, size_t install_mac_len)
unsigned char *module_mac, size_t module_mac_len,
unsigned char *install_mac, size_t install_mac_len)
{
int ret = 0;
char *s = NULL;
@@ -524,8 +570,8 @@ static int verify_config(const char *infile, const char *section,
}
buf1 = OPENSSL_hexstr2buf(s, &len);
if (buf1 == NULL
|| (size_t)len != module_mac_len
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
|| (size_t)len != module_mac_len
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
BIO_printf(bio_err, "Module integrity mismatch\n");
goto end;
}
@@ -542,8 +588,8 @@ static int verify_config(const char *infile, const char *section,
}
buf2 = OPENSSL_hexstr2buf(s, &len);
if (buf2 == NULL
|| (size_t)len != install_mac_len
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
|| (size_t)len != install_mac_len
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
BIO_printf(bio_err, "Install indicator status mismatch\n");
goto end;
}
@@ -585,7 +631,7 @@ int fipsinstall_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto cleanup;
case OPT_HELP:
@@ -758,7 +804,7 @@ int fipsinstall_main(int argc, char **argv)
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
if (!quiet) {
BIO_printf(bio_err, "FIPS provider is %s\n",
ret == 0 ? "available" : "not available");
ret == 0 ? "available" : "not available");
}
}
goto end;
@@ -777,8 +823,8 @@ int fipsinstall_main(int argc, char **argv)
}
if (self_test_log
|| self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)
|| self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)
OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
/* Use the default FIPS HMAC digest and key if not specified. */
@@ -811,8 +857,7 @@ int fipsinstall_main(int argc, char **argv)
if (opts != NULL) {
int ok = 1;
OSSL_PARAM *params =
app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
OSSL_PARAM *params = app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
if (params == NULL)
goto end;
@@ -838,7 +883,7 @@ int fipsinstall_main(int argc, char **argv)
if (fips_opts.self_test_onload == 0) {
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
strlen(INSTALL_STATUS_VAL));
strlen(INSTALL_STATUS_VAL));
if (mem_bio == NULL) {
BIO_printf(bio_err, "Unable to create memory BIO\n");
goto end;
@@ -851,29 +896,28 @@ int fipsinstall_main(int argc, char **argv)
if (verify) {
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
install_mac, install_mac_len))
install_mac, install_mac_len))
goto end;
if (!quiet)
BIO_printf(bio_err, "VERIFY PASSED\n");
} else {
conf = generate_config_and_load(prov_name, section_name, module_mac,
module_mac_len, &fips_opts);
module_mac_len, &fips_opts);
if (conf == NULL)
goto end;
if (!load_fips_prov_and_run_self_test(prov_name))
goto end;
fout =
out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
fout = out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
if (fout == NULL) {
BIO_printf(bio_err, "Failed to open file\n");
goto end;
}
if (!write_config_fips_section(fout, section_name,
module_mac, module_mac_len, &fips_opts,
install_mac, install_mac_len))
module_mac, module_mac_len, &fips_opts,
install_mac, install_mac_len))
goto end;
if (!quiet)
BIO_printf(bio_err, "INSTALL PASSED\n");
@@ -926,7 +970,7 @@ static int self_test_events(const OSSL_PARAM params[], void *arg)
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
BIO_printf(bio_err, "%s : (%s) : ", desc, type);
else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
BIO_printf(bio_err, "%s\n", phase);
}
/*
@@ -934,13 +978,13 @@ static int self_test_events(const OSSL_PARAM params[], void *arg)
* error is returned during the corrupt phase.
*/
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
&& (self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)) {
&& (self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)) {
if (self_test_corrupt_desc != NULL
&& strcmp(self_test_corrupt_desc, desc) != 0)
&& strcmp(self_test_corrupt_desc, desc) != 0)
goto end;
if (self_test_corrupt_type != NULL
&& strcmp(self_test_corrupt_type, type) != 0)
&& strcmp(self_test_corrupt_type, type) != 0)
goto end;
BIO_printf(bio_err, "%s ", phase);
goto err;

42
apps/gendsa.c
View File

@@ -24,31 +24,37 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_OUT,
OPT_PASSOUT,
OPT_ENGINE,
OPT_CIPHER,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS gendsa_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to the specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output the key to the specified file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{ "", OPT_CIPHER, '-', "Encrypt the output with any supported cipher" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
OPT_PARAMETERS(),
{"dsaparam-file", 0, 0, "File containing DSA parameters"},
{NULL}
{ "dsaparam-file", 0, 0, "File containing DSA parameters" },
{ NULL }
};
int gendsa_main(int argc, char **argv)
@@ -69,7 +75,7 @@ int gendsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -132,9 +138,9 @@ int gendsa_main(int argc, char **argv)
nbits = EVP_PKEY_get_bits(pkey);
if (nbits > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
if (ctx == NULL) {
@@ -157,10 +163,10 @@ int gendsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
end2:
end2:
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);

97
apps/genpkey.c
View File

@@ -18,45 +18,57 @@
static int verbose = 1;
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
OSSL_LIB_CTX *libctx, const char *propq);
OSSL_LIB_CTX *libctx, const char *propq);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, OPT_OUTPUBKEY,
OPT_PROV_ENUM, OPT_R_ENUM
OPT_ENGINE,
OPT_OUTFORM,
OPT_OUT,
OPT_PASS,
OPT_PARAMFILE,
OPT_ALGORITHM,
OPT_PKEYOPT,
OPT_GENPARAM,
OPT_TEXT,
OPT_CIPHER,
OPT_VERBOSE,
OPT_QUIET,
OPT_CONFIG,
OPT_OUTPUBKEY,
OPT_PROV_ENUM,
OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS genpkey_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
{"verbose", OPT_VERBOSE, '-', "Output status while generating keys"},
{"quiet", OPT_QUIET, '-', "Do not output status while generating keys"},
{"pkeyopt", OPT_PKEYOPT, 's',
"Set the public key algorithm option as opt:value"},
OPT_CONFIG_OPTION,
{ "paramfile", OPT_PARAMFILE, '<', "Parameters file" },
{ "algorithm", OPT_ALGORITHM, 's', "The public key algorithm" },
{ "verbose", OPT_VERBOSE, '-', "Output status while generating keys" },
{ "quiet", OPT_QUIET, '-', "Do not output status while generating keys" },
{ "pkeyopt", OPT_PKEYOPT, 's',
"Set the public key algorithm option as opt:value" },
OPT_CONFIG_OPTION,
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output (private key) file"},
{"outpubkey", OPT_OUTPUBKEY, '>', "Output public key file"},
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
{"text", OPT_TEXT, '-', "Print the private key in text"},
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
{ "out", OPT_OUT, '>', "Output (private key) file" },
{ "outpubkey", OPT_OUTPUBKEY, '>', "Output public key file" },
{ "outform", OPT_OUTFORM, 'F', "output format (DER or PEM)" },
{ "pass", OPT_PASS, 's', "Output file pass phrase source" },
{ "genparam", OPT_GENPARAM, '-', "Generate parameters, not key" },
{ "text", OPT_TEXT, '-', "Print the private key in text" },
{ "", OPT_CIPHER, '-', "Cipher to use to encrypt the key" },
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
/* This is deliberately last. */
{OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n"},
{NULL}
{ OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n" },
{ NULL }
};
static const char *param_datatype_2name(unsigned int type, int *ishex)
@@ -64,11 +76,17 @@ static const char *param_datatype_2name(unsigned int type, int *ishex)
*ishex = 0;
switch (type) {
case OSSL_PARAM_INTEGER: return "int";
case OSSL_PARAM_UNSIGNED_INTEGER: return "uint";
case OSSL_PARAM_REAL: return "float";
case OSSL_PARAM_OCTET_STRING: *ishex = 1; return "string";
case OSSL_PARAM_UTF8_STRING: return "string";
case OSSL_PARAM_INTEGER:
return "int";
case OSSL_PARAM_UNSIGNED_INTEGER:
return "uint";
case OSSL_PARAM_REAL:
return "float";
case OSSL_PARAM_OCTET_STRING:
*ishex = 1;
return "string";
case OSSL_PARAM_UTF8_STRING:
return "string";
default:
return NULL;
}
@@ -129,7 +147,7 @@ int genpkey_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -262,12 +280,12 @@ int genpkey_main(int argc, char **argv)
assert(private);
rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
if (rv > 0 && outpubkey != NULL)
rv = PEM_write_bio_PUBKEY(outpubkey, pkey);
rv = PEM_write_bio_PUBKEY(outpubkey, pkey);
} else if (outformat == FORMAT_ASN1) {
assert(private);
rv = i2d_PrivateKey_bio(out, pkey);
if (rv > 0 && outpubkey != NULL)
rv = i2d_PUBKEY_bio(outpubkey, pkey);
rv = i2d_PUBKEY_bio(outpubkey, pkey);
} else {
BIO_printf(bio_err, "Bad format specified for key\n");
goto end;
@@ -292,7 +310,7 @@ int genpkey_main(int argc, char **argv)
}
}
end:
end:
sk_OPENSSL_STRING_free(keyopt);
if (ret != 0)
ERR_print_errors(bio_err);
@@ -309,7 +327,7 @@ int genpkey_main(int argc, char **argv)
}
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
OSSL_LIB_CTX *libctx, const char *propq)
OSSL_LIB_CTX *libctx, const char *propq)
{
BIO *pbio;
EVP_PKEY *pkey = NULL;
@@ -345,18 +363,17 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
*pctx = ctx;
return 1;
err:
err:
BIO_puts(bio_err, "Error initializing context\n");
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
return 0;
}
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq)
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY_CTX *ctx = NULL;
int pkey_id;
@@ -385,11 +402,9 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
*pctx = ctx;
return 1;
err:
err:
BIO_printf(bio_err, "Error initializing %s context\n", algname);
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);
return 0;
}

61
apps/genrsa.c
View File

@@ -34,43 +34,51 @@ typedef enum OPTION_choice {
#ifndef OPENSSL_NO_DEPRECATED_3_0
OPT_3,
#endif
OPT_F4, OPT_ENGINE,
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
OPT_F4,
OPT_ENGINE,
OPT_OUT,
OPT_PASSOUT,
OPT_CIPHER,
OPT_PRIMES,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS genrsa_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
#ifndef OPENSSL_NO_DEPRECATED_3_0
{"3", OPT_3, '-', "(deprecated) Use 3 for the E value"},
{ "3", OPT_3, '-', "(deprecated) Use 3 for the E value" },
#endif
{"F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
{"f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
{ "F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value" },
{ "f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{ "out", OPT_OUT, '>', "Output the key to specified file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "primes", OPT_PRIMES, 'p', "Specify number of primes" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys" },
{ "", OPT_CIPHER, '-', "Encrypt the output with any supported cipher" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Size of key in bits"},
{NULL}
{ "numbits", 0, 0, "Size of key in bits" },
{ NULL }
};
int genrsa_main(int argc, char **argv)
@@ -98,7 +106,7 @@ int genrsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -157,9 +165,9 @@ opthelp:
goto end;
if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, num);
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, num);
} else if (!opt_check_rest_arg(NULL)) {
goto opthelp;
}
@@ -180,7 +188,7 @@ opthelp:
goto end;
if (!init_gen_str(&ctx, "RSA", eng, 0, app_get0_libctx(),
app_get0_propq()))
app_get0_propq()))
goto end;
if (verbose)
@@ -227,7 +235,7 @@ opthelp:
}
if (traditional) {
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
NULL, passout))
NULL, passout))
goto end;
} else {
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
@@ -235,7 +243,7 @@ opthelp:
}
ret = 0;
end:
end:
BN_free(bn);
BN_GENCB_free(cb);
EVP_PKEY_CTX_free(ctx);
@@ -248,4 +256,3 @@ opthelp:
ERR_print_errors(bio_err);
return ret;
}

4
apps/include/app_libctx.h
View File

@@ -8,9 +8,9 @@
*/
#ifndef OSSL_APPS_LIBCTX_H
# define OSSL_APPS_LIBCTX_H
#define OSSL_APPS_LIBCTX_H
# include <openssl/types.h>
#include <openssl/types.h>
OSSL_LIB_CTX *app_create_libctx(void);
OSSL_LIB_CTX *app_get0_libctx(void);

1
apps/include/app_params.h
View File

@@ -11,4 +11,3 @@
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent);
void print_param_value(const OSSL_PARAM *p, int indent);

248
apps/include/apps.h
View File

@@ -8,44 +8,44 @@
*/
#ifndef OSSL_APPS_H
# define OSSL_APPS_H
#define OSSL_APPS_H
# include "internal/e_os.h" /* struct timeval for DTLS */
# include "internal/common.h" /* for HAS_PREFIX */
# include "internal/nelem.h"
# include "internal/sockets.h" /* for openssl_fdset() */
# include <assert.h>
#include "internal/e_os.h" /* struct timeval for DTLS */
#include "internal/common.h" /* for HAS_PREFIX */
#include "internal/nelem.h"
#include "internal/sockets.h" /* for openssl_fdset() */
#include <assert.h>
# include <stdarg.h>
# include <sys/types.h>
# ifndef OPENSSL_NO_POSIX_IO
# include <sys/stat.h>
# include <fcntl.h>
# endif
#include <stdarg.h>
#include <sys/types.h>
#ifndef OPENSSL_NO_POSIX_IO
#include <sys/stat.h>
#include <fcntl.h>
#endif
# include <openssl/e_os2.h>
# include <openssl/types.h>
# include <openssl/bio.h>
# include <openssl/x509.h>
# include <openssl/conf.h>
# include <openssl/txt_db.h>
# include <openssl/engine.h>
# include <openssl/ocsp.h>
# include <openssl/http.h>
# include <signal.h>
# include "apps_ui.h"
# include "opt.h"
# include "fmt.h"
# include "platform.h"
# include "engine_loader.h"
# include "app_libctx.h"
#include <openssl/e_os2.h>
#include <openssl/types.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/txt_db.h>
#include <openssl/engine.h>
#include <openssl/ocsp.h>
#include <openssl/http.h>
#include <signal.h>
#include "apps_ui.h"
#include "opt.h"
#include "fmt.h"
#include "platform.h"
#include "engine_loader.h"
#include "app_libctx.h"
/*
* quick macro when you need to pass an unsigned char instead of a char.
* this is true for some implementations of the is*() functions, for
* example.
*/
# define _UC(c) ((unsigned char)(c))
#define _UC(c) ((unsigned char)(c))
void app_RAND_load_conf(CONF *c, const char *section);
int app_RAND_write(void);
@@ -67,30 +67,30 @@ BIO *bio_open_default(const char *filename, char mode, int format);
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
char *app_conf_try_string(const CONF *cnf, const char *group, const char *name);
int app_conf_try_number(const CONF *conf, const char *group, const char *name,
long *result);
long *result);
CONF *app_load_config_bio(BIO *in, const char *filename);
# define app_load_config(filename) app_load_config_internal(filename, 0)
# define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
#define app_load_config(filename) app_load_config_internal(filename, 0)
#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
CONF *app_load_config_internal(const char *filename, int quiet);
CONF *app_load_config_verbose(const char *filename, int verbose);
int app_load_modules(const CONF *config);
CONF *app_load_config_modules(const char *configfile);
void unbuffer(FILE *fp);
void wait_for_async(SSL *s);
# if defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_MSDOS)
int has_stdin_waiting(void);
# endif
#endif
void corrupt_signature(const ASN1_STRING *signature);
/* Helpers for setting X509v3 certificate fields notBefore and notAfter */
int check_cert_time_string(const char *time, const char *desc);
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
int days, int strict_compare_times);
int days, int strict_compare_times);
int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
long days, long hours, long secs);
long days, long hours, long secs);
typedef struct args_st {
int size;
@@ -107,7 +107,7 @@ int progress_cb(EVP_PKEY_CTX *ctx);
void dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, const X509_NAME *nm);
void print_bignum_var(BIO *, const BIGNUM *, const char *,
int, unsigned char *);
int, unsigned char *);
void print_array(BIO *, const char *, int, const unsigned char *);
int set_nameopt(const char *arg);
unsigned long get_nameopt(void);
@@ -121,52 +121,52 @@ int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc);
X509_REQ *load_csr_autofmt(const char *infile, int format,
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc);
# define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
const char *pass, const char *desc);
#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
const char *desc);
const char *desc);
void cleanse(char *str);
void clear_free(char *str);
EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
const char *pass, ENGINE *e, const char *desc);
/* first try reading public key, on failure resort to loading private key */
EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
const char *pass, ENGINE *e, const char *desc);
EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
const char *keytype, const char *desc);
const char *keytype, const char *desc);
EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
const char *keytype, const char *desc,
int suppress_decode_errors);
const char *keytype, const char *desc,
int suppress_decode_errors);
char *next_item(char *opt); /* in list separated by comma and/or space */
int load_cert_certs(const char *uri,
X509 **pcert, STACK_OF(X509) **pcerts,
int exclude_http, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
X509 **pcert, STACK_OF(X509) **pcerts,
int exclude_http, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
const char *desc, X509_VERIFY_PARAM *vpm);
const char *desc, X509_VERIFY_PARAM *vpm);
X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
X509_VERIFY_PARAM *vpm);
int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
const char *pass, const char *desc);
const char *pass, const char *desc);
int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
const char *pass, const char *desc);
const char *pass, const char *desc);
int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc, int quiet,
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
EVP_PKEY **pparams,
X509 **pcert, STACK_OF(X509) **pcerts,
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
const char *pass, const char *desc, int quiet,
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
EVP_PKEY **pparams,
X509 **pcert, STACK_OF(X509) **pcerts,
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
__owur int ctx_set_verify_locations(SSL_CTX *ctx,
const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
# ifndef OPENSSL_NO_CT
#ifndef OPENSSL_NO_CT
/*
* Sets the file to load the Certificate Transparency log list from.
@@ -175,10 +175,10 @@ __owur int ctx_set_verify_locations(SSL_CTX *ctx,
*/
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
# endif
#endif
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug);
# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
#define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
void release_engine(ENGINE *e);
int init_engine(ENGINE *e);
int finish_engine(ENGINE *e);
@@ -188,30 +188,30 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
const EVP_MD *get_digest_from_engine(const char *name);
const EVP_CIPHER *get_cipher_from_engine(const char *name);
# ifndef OPENSSL_NO_OCSP
#ifndef OPENSSL_NO_OCSP
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
# endif
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
#endif
/* Functions defined in ca.c and also used in ocsp.c */
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
# define DB_type 0
# define DB_exp_date 1
# define DB_rev_date 2
# define DB_serial 3 /* index - unique */
# define DB_file 4
# define DB_name 5 /* index - unique when active and not disabled */
# define DB_NUMBER 6
#define DB_type 0
#define DB_exp_date 1
#define DB_rev_date 2
#define DB_serial 3 /* index - unique */
#define DB_file 4
#define DB_name 5 /* index - unique when active and not disabled */
#define DB_NUMBER 6
# define DB_TYPE_REV 'R' /* Revoked */
# define DB_TYPE_EXP 'E' /* Expired */
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
# define DB_TYPE_SUSP 'S' /* Suspended */
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
#define DB_TYPE_SUSP 'S' /* Suspended */
typedef struct db_attr_st {
int unique_subject;
@@ -220,9 +220,9 @@ typedef struct ca_db_st {
DB_ATTR attributes;
TXT_DB *db;
char *dbfname;
# ifndef OPENSSL_NO_POSIX_IO
#ifndef OPENSSL_NO_POSIX_IO
struct stat dbst;
# endif
#endif
} CA_DB;
extern int do_updatedb(CA_DB *db, time_t *now);
@@ -232,53 +232,53 @@ void *app_malloc(size_t sz, const char *what);
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
ASN1_INTEGER **retai);
ASN1_INTEGER **retai);
int save_serial(const char *serialfile, const char *suffix,
const BIGNUM *serial, ASN1_INTEGER **retai);
const BIGNUM *serial, ASN1_INTEGER **retai);
int rotate_serial(const char *serialfile, const char *new_suffix,
const char *old_suffix);
const char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
int index_index(CA_DB *db);
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
int rotate_index(const char *dbfile, const char *new_suffix,
const char *old_suffix);
const char *old_suffix);
void free_index(CA_DB *db);
# define index_name_cmp_noconst(a, b) \
#define index_name_cmp_noconst(a, b) \
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
int parse_yesno(const char *str, int def);
X509_NAME *parse_name(const char *str, int chtype, int multirdn,
const char *desc);
const char *desc);
void policies_print(X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
int x509_ctrl_string(X509 *x, const char *value);
int x509_req_ctrl_string(X509_REQ *x, const char *value);
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
int do_X509_sign(X509 *x, int force_v1, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
STACK_OF(OPENSSL_STRING) *vfyopts);
STACK_OF(OPENSSL_STRING) *vfyopts);
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
STACK_OF(OPENSSL_STRING) *sigopts);
extern char *psk_key;
unsigned char *next_protos_parse(size_t *outlen, const char *in);
int check_cert_attributes(BIO *bio, X509 *x,
const char *checkhost, const char *checkemail,
const char *checkip, int print);
const char *checkhost, const char *checkemail,
const char *checkip, int print);
void store_setup_crl_download(X509_STORE *st);
@@ -290,38 +290,38 @@ typedef struct app_http_tls_info_st {
SSL_CTX *ssl_ctx;
} APP_HTTP_TLS_INFO;
BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
int connect, int detail);
int connect, int detail);
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it);
# endif
const char *path, const char *proxy,
const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it);
#endif
# define EXT_COPY_NONE 0
# define EXT_COPY_ADD 1
# define EXT_COPY_ALL 2
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
#define EXT_COPY_ALL 2
# define NETSCAPE_CERT_HDR "certificate"
#define NETSCAPE_CERT_HDR "certificate"
# define APP_PASS_LEN 1024
#define APP_PASS_LEN 1024
/*
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
* so that the first bit will never be one, so that the DER encoding
* rules won't force a leading octet.
*/
# define SERIAL_RAND_BITS 159
#define SERIAL_RAND_BITS 159
int app_isdir(const char *);
int app_access(const char *, int flag);
@@ -330,8 +330,8 @@ int fileno_stdout(void);
int raw_read_stdin(void *, int);
int raw_write_stdout(const void *, int);
# define TM_START 0
# define TM_STOP 1
#define TM_START 0
#define TM_STOP 1
double app_tminterval(int stop, int usertime);
void make_uppercase(char *string);
@@ -346,7 +346,7 @@ typedef struct verify_options_st {
extern VERIFY_CB_ARGS verify_args;
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
const OSSL_PARAM *paramdefs);
const OSSL_PARAM *paramdefs);
void app_params_free(OSSL_PARAM *params);
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
void app_providers_cleanup(void);

5
apps/include/apps_ui.h
View File

@@ -8,10 +8,9 @@
*/
#ifndef OSSL_APPS_UI_H
# define OSSL_APPS_UI_H
#define OSSL_APPS_UI_H
# define PW_MIN_LENGTH 4
#define PW_MIN_LENGTH 4
typedef struct pw_cb_data {
const void *password;
const char *prompt_info;

18
apps/include/cmp_mock_srv.h
View File

@@ -9,32 +9,32 @@
*/
#ifndef OSSL_APPS_CMP_MOCK_SRV_H
# define OSSL_APPS_CMP_MOCK_SRV_H
#define OSSL_APPS_CMP_MOCK_SRV_H
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CMP
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_CMP
# include <openssl/cmp.h>
#include <openssl/cmp.h>
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
const char *propq);
const char *propq);
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl);
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *chain);
STACK_OF(X509) *chain);
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *caPubs);
STACK_OF(X509) *caPubs);
int ossl_cmp_mock_srv_set1_newWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_newWithOld(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text);
int fail_info, const char *text);
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
# endif /* !defined(OPENSSL_NO_CMP) */
#endif /* !defined(OPENSSL_NO_CMP) */
#endif /* !defined(OSSL_APPS_CMP_MOCK_SRV_H) */

8
apps/include/engine_loader.h
View File

@@ -7,13 +7,13 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_ENGINE_LOADER_H
# define HEADER_ENGINE_LOADER_H
#define HEADER_ENGINE_LOADER_H
# include <openssl/store.h>
#include <openssl/store.h>
/* this is a private URI scheme */
# define ENGINE_SCHEME "org.openssl.engine"
# define ENGINE_SCHEME_COLON ENGINE_SCHEME ":"
#define ENGINE_SCHEME "org.openssl.engine"
#define ENGINE_SCHEME_COLON ENGINE_SCHEME ":"
int setup_engine_loader(void);
void destroy_engine_loader(void);

32
apps/include/fmt.h
View File

@@ -23,22 +23,22 @@
* contents. The FORMAT_xxx macros are meant to express an intent with the
* file being read or created.
*/
# define B_FORMAT_TEXT 0x8000
# define FORMAT_UNDEF 0
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
# define FORMAT_BINARY 2 /* Generic binary */
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
# define FORMAT_ASN1 4 /* ASN.1/DER */
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
# define FORMAT_PKCS12 6
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
# define FORMAT_ENGINE 8 /* Not really a file format */
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
# define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
# define FORMAT_MSBLOB 11 /* MS Key blob format */
# define FORMAT_PVK 12 /* MS PVK file format */
# define FORMAT_HTTP 13 /* Download using HTTP */
# define FORMAT_NSS 14 /* NSS keylog format */
#define B_FORMAT_TEXT 0x8000
#define FORMAT_UNDEF 0
#define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
#define FORMAT_BINARY 2 /* Generic binary */
#define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
#define FORMAT_ASN1 4 /* ASN.1/DER */
#define FORMAT_PEM (5 | B_FORMAT_TEXT)
#define FORMAT_PKCS12 6
#define FORMAT_SMIME (7 | B_FORMAT_TEXT)
#define FORMAT_ENGINE 8 /* Not really a file format */
#define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
#define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
#define FORMAT_MSBLOB 11 /* MS Key blob format */
#define FORMAT_PVK 12 /* MS PVK file format */
#define FORMAT_HTTP 13 /* Download using HTTP */
#define FORMAT_NSS 14 /* NSS keylog format */
int FMT_istext(int format);

17
apps/include/function.h
View File

@@ -8,16 +8,21 @@
*/
#ifndef OSSL_APPS_FUNCTION_H
# define OSSL_APPS_FUNCTION_H
#define OSSL_APPS_FUNCTION_H
# include <openssl/lhash.h>
# include "opt.h"
#include <openssl/lhash.h>
#include "opt.h"
#define DEPRECATED_NO_ALTERNATIVE "unknown"
#define DEPRECATED_NO_ALTERNATIVE "unknown"
typedef enum FUNC_TYPE {
FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
FT_md_alg, FT_cipher_alg
FT_none,
FT_general,
FT_md,
FT_cipher,
FT_pkey,
FT_md_alg,
FT_cipher_alg
} FUNC_TYPE;
typedef struct function_st {

64
apps/include/http_server.h
View File

@@ -8,35 +8,35 @@
*/
#ifndef OSSL_HTTP_SERVER_H
# define OSSL_HTTP_SERVER_H
#define OSSL_HTTP_SERVER_H
# include "apps.h"
# include "log.h"
#include "apps.h"
#include "log.h"
# ifndef HAVE_FORK
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
# define HAVE_FORK 0
# else
# define HAVE_FORK 1
# endif
# endif
#ifndef HAVE_FORK
#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
#define HAVE_FORK 0
#else
#define HAVE_FORK 1
#endif
#endif
# if HAVE_FORK
# undef NO_FORK
# else
# define NO_FORK
# endif
#if HAVE_FORK
#undef NO_FORK
#else
#define NO_FORK
#endif
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
# define HTTP_DAEMON
# include <sys/types.h>
# include <sys/wait.h>
# include <signal.h>
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
# endif
#define HTTP_DAEMON
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
#endif
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
/*-
* Initialize an HTTP server, setting up its listening BIO
* prog: the name of the current app
@@ -66,9 +66,9 @@ BIO *http_server_init(const char *prog, const char *port, int verbosity);
* The caller must free any non-NULL *preq, *ppath, and *pcbio pointers.
*/
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout);
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout);
/*-
* Send an ASN.1-formatted HTTP response
@@ -82,8 +82,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
* returns 1 on success, 0 on failure
*/
int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp);
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp);
/*-
* Send a trivial HTTP response, typically to report an error or OK
@@ -94,16 +94,16 @@ int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
* returns 1 on success, 0 on failure
*/
int http_server_send_status(const char *prog, BIO *cbio,
int status, const char *reason);
int status, const char *reason);
# endif
#endif
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
extern int n_responders;
extern int acfd;
void socket_timeout(int signum);
void spawn_loop(const char *prog);
# endif
#endif
#endif

34
apps/include/log.h
View File

@@ -8,25 +8,25 @@
*/
#ifndef OSSL_APPS_LOG_H
# define OSSL_APPS_LOG_H
#define OSSL_APPS_LOG_H
# include <openssl/bio.h>
# if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) \
#include <openssl/bio.h>
#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) \
&& !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_POSIX_IO)
# include <syslog.h>
# else
# define LOG_EMERG 0
# define LOG_ALERT 1
# define LOG_CRIT 2
# define LOG_ERR 3
# define LOG_WARNING 4
# define LOG_NOTICE 5
# define LOG_INFO 6
# define LOG_DEBUG 7
# endif
#include <syslog.h>
#else
#define LOG_EMERG 0
#define LOG_ALERT 1
#define LOG_CRIT 2
#define LOG_ERR 3
#define LOG_WARNING 4
#define LOG_NOTICE 5
#define LOG_INFO 6
#define LOG_DEBUG 7
#endif
# undef LOG_TRACE
# define LOG_TRACE (LOG_DEBUG + 1)
#undef LOG_TRACE
#define LOG_TRACE (LOG_DEBUG + 1)
int log_set_verbosity(const char *prog, int level);
int log_get_verbosity(void);
@@ -45,6 +45,6 @@ int log_get_verbosity(void);
* returns nothing
*/
void trace_log_message(int category,
const char *prog, int level, const char *fmt, ...);
const char *prog, int level, const char *fmt, ...);
#endif /* OSSL_APPS_LOG_H */

2
apps/include/names.h
View File

@@ -10,7 +10,7 @@
#include <openssl/safestack.h>
/* Standard comparing function for names */
int name_cmp(const char * const *a, const char * const *b);
int name_cmp(const char *const *a, const char *const *b);
/* collect_names is meant to be used with EVP_{type}_doall_names */
void collect_names(const char *name, void *vdata);
/* Sorts and prints a stack of names to |out| */

565
apps/include/opt.h
View File

@@ -19,298 +19,309 @@
/*
* Common verification options.
*/
# define OPT_V_ENUM \
OPT_V__FIRST=2000, \
OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
OPT_V__LAST
#define OPT_V_ENUM \
OPT_V__FIRST = 2000, \
OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
OPT_V__LAST
# define OPT_V_OPTIONS \
OPT_SECTION("Validation"), \
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
{ "purpose", OPT_V_PURPOSE, 's', \
"certificate chain purpose"}, \
{ "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
{ "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
"chain depth limit" }, \
{ "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
"chain authentication security level" }, \
{ "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
{ "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
"expected peer hostname" }, \
{ "verify_email", OPT_V_VERIFY_EMAIL, 's', \
"expected peer email" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's', \
"expected peer IP address" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"permit unhandled critical extensions"}, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
{ "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
"set policy variable require-explicit-policy"}, \
{ "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
"set policy variable inhibit-any-policy"}, \
{ "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
"set policy variable inhibit-policy-mapping"}, \
{ "x509_strict", OPT_V_X509_STRICT, '-', \
"disable certificate compatibility work-arounds"}, \
{ "extended_crl", OPT_V_EXTENDED_CRL, '-', \
"enable extended CRL features"}, \
{ "use_deltas", OPT_V_USE_DELTAS, '-', \
"use delta CRLs"}, \
{ "policy_print", OPT_V_POLICY_PRINT, '-', \
"print policy processing diagnostics"}, \
{ "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
"check root CA self-signatures"}, \
{ "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
"search trust store first (default)" }, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
{ "suiteB_128", OPT_V_SUITEB_128, '-', \
"Suite B 128-bit mode allowing 192-bit algorithms"}, \
{ "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"accept chains anchored by intermediate trust-store CAs"}, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
#define OPT_V_OPTIONS \
OPT_SECTION("Validation"), \
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set" }, \
{ "purpose", OPT_V_PURPOSE, 's', \
"certificate chain purpose" }, \
{ "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name" }, \
{ "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
"chain depth limit" }, \
{ "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
"chain authentication security level" }, \
{ "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
{ "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
"expected peer hostname" }, \
{ "verify_email", OPT_V_VERIFY_EMAIL, 's', \
"expected peer email" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's', \
"expected peer IP address" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"permit unhandled critical extensions" }, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)" }, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks" }, \
{ "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
"set policy variable require-explicit-policy" }, \
{ "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
"set policy variable inhibit-any-policy" }, \
{ "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
"set policy variable inhibit-policy-mapping" }, \
{ "x509_strict", OPT_V_X509_STRICT, '-', \
"disable certificate compatibility work-arounds" }, \
{ "extended_crl", OPT_V_EXTENDED_CRL, '-', \
"enable extended CRL features" }, \
{ "use_deltas", OPT_V_USE_DELTAS, '-', \
"use delta CRLs" }, \
{ "policy_print", OPT_V_POLICY_PRINT, '-', \
"print policy processing diagnostics" }, \
{ "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
"check root CA self-signatures" }, \
{ "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
"search trust store first (default)" }, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode" }, \
{ "suiteB_128", OPT_V_SUITEB_128, '-', \
"Suite B 128-bit mode allowing 192-bit algorithms" }, \
{ "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"accept chains anchored by intermediate trust-store CAs" }, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
{ "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
{ "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
# define OPT_V_CASES \
OPT_V__FIRST: case OPT_V__LAST: break; \
case OPT_V_POLICY: \
case OPT_V_PURPOSE: \
case OPT_V_VERIFY_NAME: \
case OPT_V_VERIFY_DEPTH: \
case OPT_V_VERIFY_AUTH_LEVEL: \
case OPT_V_ATTIME: \
case OPT_V_VERIFY_HOSTNAME: \
case OPT_V_VERIFY_EMAIL: \
case OPT_V_VERIFY_IP: \
case OPT_V_IGNORE_CRITICAL: \
case OPT_V_ISSUER_CHECKS: \
case OPT_V_CRL_CHECK: \
case OPT_V_CRL_CHECK_ALL: \
case OPT_V_POLICY_CHECK: \
case OPT_V_EXPLICIT_POLICY: \
case OPT_V_INHIBIT_ANY: \
case OPT_V_INHIBIT_MAP: \
case OPT_V_X509_STRICT: \
case OPT_V_EXTENDED_CRL: \
case OPT_V_USE_DELTAS: \
case OPT_V_POLICY_PRINT: \
case OPT_V_CHECK_SS_SIG: \
case OPT_V_TRUSTED_FIRST: \
case OPT_V_SUITEB_128_ONLY: \
case OPT_V_SUITEB_128: \
case OPT_V_SUITEB_192: \
case OPT_V_PARTIAL_CHAIN: \
case OPT_V_NO_ALT_CHAINS: \
case OPT_V_NO_CHECK_TIME: \
case OPT_V_ALLOW_PROXY_CERTS
#define OPT_V_CASES \
OPT_V__FIRST: \
case OPT_V__LAST: \
break; \
case OPT_V_POLICY: \
case OPT_V_PURPOSE: \
case OPT_V_VERIFY_NAME: \
case OPT_V_VERIFY_DEPTH: \
case OPT_V_VERIFY_AUTH_LEVEL: \
case OPT_V_ATTIME: \
case OPT_V_VERIFY_HOSTNAME: \
case OPT_V_VERIFY_EMAIL: \
case OPT_V_VERIFY_IP: \
case OPT_V_IGNORE_CRITICAL: \
case OPT_V_ISSUER_CHECKS: \
case OPT_V_CRL_CHECK: \
case OPT_V_CRL_CHECK_ALL: \
case OPT_V_POLICY_CHECK: \
case OPT_V_EXPLICIT_POLICY: \
case OPT_V_INHIBIT_ANY: \
case OPT_V_INHIBIT_MAP: \
case OPT_V_X509_STRICT: \
case OPT_V_EXTENDED_CRL: \
case OPT_V_USE_DELTAS: \
case OPT_V_POLICY_PRINT: \
case OPT_V_CHECK_SS_SIG: \
case OPT_V_TRUSTED_FIRST: \
case OPT_V_SUITEB_128_ONLY: \
case OPT_V_SUITEB_128: \
case OPT_V_SUITEB_192: \
case OPT_V_PARTIAL_CHAIN: \
case OPT_V_NO_ALT_CHAINS: \
case OPT_V_NO_CHECK_TIME: \
case OPT_V_ALLOW_PROXY_CERTS
/*
* Common "extended validation" options.
*/
# define OPT_X_ENUM \
OPT_X__FIRST=1000, \
OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
OPT_X_CERTFORM, OPT_X_KEYFORM, \
OPT_X__LAST
#define OPT_X_ENUM \
OPT_X__FIRST = 1000, \
OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
OPT_X_CERTFORM, OPT_X_KEYFORM, \
OPT_X__LAST
# define OPT_X_OPTIONS \
OPT_SECTION("Extended certificate"), \
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates"}, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
#define OPT_X_OPTIONS \
OPT_SECTION("Extended certificate"), \
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates" }, \
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates" }, \
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates" }, \
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates" }, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
"format of Extended certificate (PEM/DER/P12); has no effect" }, \
{ "xkeyform", OPT_X_KEYFORM, 'F', \
"format of Extended certificate's key (DER/PEM/P12); has no effect"}
{ "xkeyform", OPT_X_KEYFORM, 'F', \
"format of Extended certificate's key (DER/PEM/P12); has no effect" }
# define OPT_X_CASES \
OPT_X__FIRST: case OPT_X__LAST: break; \
case OPT_X_KEY: \
case OPT_X_CERT: \
case OPT_X_CHAIN: \
case OPT_X_CHAIN_BUILD: \
case OPT_X_CERTFORM: \
case OPT_X_KEYFORM
#define OPT_X_CASES \
OPT_X__FIRST: \
case OPT_X__LAST: \
break; \
case OPT_X_KEY: \
case OPT_X_CERT: \
case OPT_X_CHAIN: \
case OPT_X_CHAIN_BUILD: \
case OPT_X_CERTFORM: \
case OPT_X_KEYFORM
/*
* Common SSL options.
* Any changes here must be coordinated with ../ssl/ssl_conf.c
*/
# define OPT_S_ENUM \
OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, \
OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PREFER_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, \
OPT_S_NO_EMS, \
OPT_S_NO_TX_CERT_COMP, \
OPT_S_NO_RX_CERT_COMP, \
OPT_S__LAST
#define OPT_S_ENUM \
OPT_S__FIRST = 3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, \
OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PREFER_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, \
OPT_S_NO_EMS, \
OPT_S_NO_TX_CERT_COMP, \
OPT_S_NO_RX_CERT_COMP, \
OPT_S__LAST
# define OPT_S_OPTIONS \
OPT_SECTION("TLS/SSL"), \
{"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
{"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
{"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
{"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
{"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
{"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
{"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{"no_tx_cert_comp", OPT_S_NO_TX_CERT_COMP, '-', "Disable sending TLSv1.3 compressed certificates" }, \
{"no_rx_cert_comp", OPT_S_NO_RX_CERT_COMP, '-', "Disable receiving TLSv1.3 compressed certificates" }, \
{"no_ticket", OPT_S_NOTICKET, '-', \
"Disable use of TLS session tickets"}, \
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)"}, \
{"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
"Allow client-initiated renegotiation" }, \
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation."}, \
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
"Allow initial connection to servers that don't support RI"}, \
{"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
"Disallow session resumption on renegotiation"}, \
{"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
"Disallow initial connection to servers that don't support RI"}, \
{"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
"In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \
{"prefer_no_dhe_kex", OPT_S_PREFER_NO_DHE_KEX, '-', \
"In TLSv1.3 prefer non-(ec)dhe over (ec)dhe-based key exchange on resumption"}, \
{"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
"Prioritize ChaCha ciphers when preferred by clients"}, \
{"strict", OPT_S_STRICT, '-', \
"Enforce strict certificate checks as per TLS standard"}, \
{"sigalgs", OPT_S_SIGALGS, 's', \
"Signature algorithms to support (colon-separated list)" }, \
{"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
"Signature algorithms to support for client certificate" \
" authentication (colon-separated list)" }, \
{"groups", OPT_S_GROUPS, 's', \
"Groups to advertise (colon-separated list)" }, \
{"curves", OPT_S_CURVES, 's', \
"Groups to advertise (colon-separated list)" }, \
{"named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \
{"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
{"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes"}, \
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
"Disable TLSv1.3 middlebox compat mode" }, \
{"no_etm", OPT_S_NO_ETM, '-', \
"Disable Encrypt-then-Mac extension"}, \
{"no_ems", OPT_S_NO_EMS, '-', \
"Disable Extended master secret extension"}
#define OPT_S_OPTIONS \
OPT_SECTION("TLS/SSL"), \
{ "no_ssl3", OPT_S_NOSSL3, '-', "Just disable SSLv3" }, \
{ "no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1" }, \
{ "no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
{ "no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2" }, \
{ "no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3" }, \
{ "bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility" }, \
{ "no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{ "comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{ "no_tx_cert_comp", OPT_S_NO_TX_CERT_COMP, '-', "Disable sending TLSv1.3 compressed certificates" }, \
{ "no_rx_cert_comp", OPT_S_NO_RX_CERT_COMP, '-', "Disable receiving TLSv1.3 compressed certificates" }, \
{ "no_ticket", OPT_S_NOTICKET, '-', \
"Disable use of TLS session tickets" }, \
{ "serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences" }, \
{ "legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)" }, \
{ "client_renegotiation", OPT_S_CLIENTRENEG, '-', \
"Allow client-initiated renegotiation" }, \
{ "no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation." }, \
{ "legacy_server_connect", OPT_S_LEGACYCONN, '-', \
"Allow initial connection to servers that don't support RI" }, \
{ "no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
"Disallow session resumption on renegotiation" }, \
{ "no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
"Disallow initial connection to servers that don't support RI" }, \
{ "allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
"In TLSv1.3 allow non-(ec)dhe based key exchange on resumption" }, \
{ "prefer_no_dhe_kex", OPT_S_PREFER_NO_DHE_KEX, '-', \
"In TLSv1.3 prefer non-(ec)dhe over (ec)dhe-based key exchange on resumption" }, \
{ "prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
"Prioritize ChaCha ciphers when preferred by clients" }, \
{ "strict", OPT_S_STRICT, '-', \
"Enforce strict certificate checks as per TLS standard" }, \
{ "sigalgs", OPT_S_SIGALGS, 's', \
"Signature algorithms to support (colon-separated list)" }, \
{ "client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
"Signature algorithms to support for client certificate" \
" authentication (colon-separated list)" }, \
{ "groups", OPT_S_GROUPS, 's', \
"Groups to advertise (colon-separated list)" }, \
{ "curves", OPT_S_CURVES, 's', \
"Groups to advertise (colon-separated list)" }, \
{ "named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \
{ "cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used" }, \
{ "ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used" }, \
{ "min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used" }, \
{ "max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used" }, \
{ "record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to." }, \
{ "debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes" }, \
{ "no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
"Disable TLSv1.3 middlebox compat mode" }, \
{ "no_etm", OPT_S_NO_ETM, '-', \
"Disable Encrypt-then-Mac extension" }, \
{ "no_ems", OPT_S_NO_EMS, '-', \
"Disable Extended master secret extension" }
# define OPT_S_CASES \
OPT_S__FIRST: case OPT_S__LAST: break; \
case OPT_S_NOSSL3: \
case OPT_S_NOTLS1: \
case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \
case OPT_S_NOTLS1_3: \
case OPT_S_BUGS: \
case OPT_S_NO_COMP: \
case OPT_S_COMP: \
case OPT_S_NO_TX_CERT_COMP: \
case OPT_S_NO_RX_CERT_COMP: \
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
case OPT_S_ALLOW_NO_DHE_KEX: \
case OPT_S_PREFER_NO_DHE_KEX: \
case OPT_S_PRIORITIZE_CHACHA: \
case OPT_S_STRICT: \
case OPT_S_SIGALGS: \
case OPT_S_CLIENTSIGALGS: \
case OPT_S_GROUPS: \
case OPT_S_CURVES: \
case OPT_S_NAMEDCURVE: \
case OPT_S_CIPHER: \
case OPT_S_CIPHERSUITES: \
case OPT_S_RECORD_PADDING: \
case OPT_S_NO_RENEGOTIATION: \
case OPT_S_MINPROTO: \
case OPT_S_MAXPROTO: \
case OPT_S_DEBUGBROKE: \
case OPT_S_NO_MIDDLEBOX: \
case OPT_S_NO_ETM: \
case OPT_S_NO_EMS
#define OPT_S_CASES \
OPT_S__FIRST: \
case OPT_S__LAST: \
break; \
case OPT_S_NOSSL3: \
case OPT_S_NOTLS1: \
case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \
case OPT_S_NOTLS1_3: \
case OPT_S_BUGS: \
case OPT_S_NO_COMP: \
case OPT_S_COMP: \
case OPT_S_NO_TX_CERT_COMP: \
case OPT_S_NO_RX_CERT_COMP: \
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
case OPT_S_ALLOW_NO_DHE_KEX: \
case OPT_S_PREFER_NO_DHE_KEX: \
case OPT_S_PRIORITIZE_CHACHA: \
case OPT_S_STRICT: \
case OPT_S_SIGALGS: \
case OPT_S_CLIENTSIGALGS: \
case OPT_S_GROUPS: \
case OPT_S_CURVES: \
case OPT_S_NAMEDCURVE: \
case OPT_S_CIPHER: \
case OPT_S_CIPHERSUITES: \
case OPT_S_RECORD_PADDING: \
case OPT_S_NO_RENEGOTIATION: \
case OPT_S_MINPROTO: \
case OPT_S_MAXPROTO: \
case OPT_S_DEBUGBROKE: \
case OPT_S_NO_MIDDLEBOX: \
case OPT_S_NO_ETM: \
case OPT_S_NO_EMS
#define IS_NO_PROT_FLAG(o) \
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|| o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
#define IS_NO_PROT_FLAG(o) \
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|| o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
/*
* Random state options.
*/
# define OPT_R_ENUM \
OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
#define OPT_R_ENUM \
OPT_R__FIRST = 1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
# define OPT_R_OPTIONS \
OPT_SECTION("Random state"), \
{"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
{"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
#define OPT_R_OPTIONS \
OPT_SECTION("Random state"), \
{ "rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, \
{ "writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" }
# define OPT_R_CASES \
OPT_R__FIRST: case OPT_R__LAST: break; \
case OPT_R_RAND: case OPT_R_WRITERAND
#define OPT_R_CASES \
OPT_R__FIRST: \
case OPT_R__LAST: \
break; \
case OPT_R_RAND: \
case OPT_R_WRITERAND
/*
* Provider options.
*/
# define OPT_PROV_ENUM \
OPT_PROV__FIRST=1600, \
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
OPT_PROV__LAST
#define OPT_PROV_ENUM \
OPT_PROV__FIRST = 1600, \
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
OPT_PROV__LAST
# define OPT_CONFIG_OPTION \
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
#define OPT_CONFIG_OPTION \
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
# define OPT_PROV_OPTIONS \
OPT_SECTION("Provider"), \
#define OPT_PROV_OPTIONS \
OPT_SECTION("Provider"), \
{ "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
{ "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
# define OPT_PROV_CASES \
OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
case OPT_PROV_PROVIDER: \
case OPT_PROV_PROVIDER_PATH: \
case OPT_PROV_PROPQUERY
#define OPT_PROV_CASES \
OPT_PROV__FIRST: \
case OPT_PROV__LAST: \
break; \
case OPT_PROV_PROVIDER: \
case OPT_PROV_PROVIDER_PATH: \
case OPT_PROV_PROPQUERY
/*
* Option parsing.
@@ -364,27 +375,24 @@ typedef struct string_int_pair_st {
} OPT_PAIR, STRINT_PAIR;
/* Flags to pass into opt_format; see FORMAT_xxx, below. */
# define OPT_FMT_PEM (1L << 1)
# define OPT_FMT_DER (1L << 2)
# define OPT_FMT_B64 (1L << 3)
# define OPT_FMT_PKCS12 (1L << 4)
# define OPT_FMT_SMIME (1L << 5)
# define OPT_FMT_ENGINE (1L << 6)
# define OPT_FMT_MSBLOB (1L << 7)
# define OPT_FMT_NSS (1L << 8)
# define OPT_FMT_TEXT (1L << 9)
# define OPT_FMT_HTTP (1L << 10)
# define OPT_FMT_PVK (1L << 11)
#define OPT_FMT_PEM (1L << 1)
#define OPT_FMT_DER (1L << 2)
#define OPT_FMT_B64 (1L << 3)
#define OPT_FMT_PKCS12 (1L << 4)
#define OPT_FMT_SMIME (1L << 5)
#define OPT_FMT_ENGINE (1L << 6)
#define OPT_FMT_MSBLOB (1L << 7)
#define OPT_FMT_NSS (1L << 8)
#define OPT_FMT_TEXT (1L << 9)
#define OPT_FMT_HTTP (1L << 10)
#define OPT_FMT_PVK (1L << 11)
# define OPT_FMT_PEMDER (OPT_FMT_PEM | OPT_FMT_DER)
# define OPT_FMT_ASN1 (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64)
# define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
# define OPT_FMT_ANY ( \
OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | \
OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
#define OPT_FMT_PEMDER (OPT_FMT_PEM | OPT_FMT_DER)
#define OPT_FMT_ASN1 (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64)
#define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
#define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
#define OPT_FMT_ANY ( \
OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | OPT_FMT_PKCS12 | OPT_FMT_SMIME | OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
/* Divide options into sections when displaying usage */
#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
@@ -437,5 +445,4 @@ int opt_check_rest_arg(const char *expected);
/* Returns non-zero if legacy paths are still available */
int opt_legacy_okay(void);
#endif /* OSSL_APPS_OPT_H */

12
apps/include/platform.h
View File

@@ -8,25 +8,25 @@
*/
#ifndef OSSL_APPS_PLATFORM_H
# define OSSL_APPS_PLATFORM_H
#define OSSL_APPS_PLATFORM_H
# include <openssl/e_os2.h>
#include <openssl/e_os2.h>
# if defined(OPENSSL_SYS_VMS) && defined(__DECC)
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
/*
* VMS C only for now, implemented in vms_decc_init.c
* If other C compilers forget to terminate argv with NULL, this function
* can be reused.
*/
char **copy_argv(int *argc, char *argv[]);
# endif
#endif
# ifdef _WIN32
#ifdef _WIN32
/*
* Win32-specific argv initialization that splits OS-supplied UNICODE
* command line string to array of UTF8-encoded strings.
*/
void win32_utf8argv(int *argc, char **argv[]);
# endif
#endif
#endif

60
apps/include/s_apps.h
View File

@@ -12,8 +12,8 @@
#include <openssl/ssl.h>
#include <openssl/srp.h>
#define PORT "4433"
#define PROTOCOL "tcp"
#define PORT "4433"
#define PROTOCOL "tcp"
#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
(SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
@@ -22,48 +22,48 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
void get_sock_info_address(int asock, char **hostname, char **service);
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo);
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo);
int verify_callback(int ok, X509_STORE_CTX *ctx);
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain);
STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_groups(BIO *out, SSL *s, int noshared);
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret);
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret);
int should_retry(int i);
void do_ssl_shutdown(SSL *ssl);
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
int argi, long argl, int ret, size_t *processed);
int argi, long argl, int ret, size_t *processed);
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
size_t len, SSL *ssl, void *arg);
size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
int len, void *arg);
int len, void *arg);
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
unsigned int *cookie_len);
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
unsigned int cookie_len);
unsigned int cookie_len);
#ifdef __VMS /* 31 char symbol name limit */
# define generate_stateless_cookie_callback generate_stateless_cookie_cb
# define verify_stateless_cookie_callback verify_stateless_cookie_cb
#ifdef __VMS /* 31 char symbol name limit */
#define generate_stateless_cookie_callback generate_stateless_cookie_cb
#define verify_stateless_cookie_callback verify_stateless_cookie_cb
#endif
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
size_t *cookie_len);
size_t *cookie_len);
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
size_t cookie_len);
size_t cookie_len);
typedef struct ssl_excert_st SSL_EXCERT;
@@ -75,12 +75,12 @@ void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
const char *vfyCAfile, const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
const char *chCAstore, STACK_OF(X509_CRL) *crls,
int crl_download);
const char *vfyCAfile, const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
const char *chCAstore, STACK_OF(X509_CRL) *crls,
int crl_download);
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
@@ -91,14 +91,14 @@ void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s);
typedef struct srp_arg_st {
char *srppassin;
char *srplogin;
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
} SRP_ARG;
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug);
int c_debug);
void set_up_dummy_srp(SSL_CTX *ctx);
/* The server side SRP context that we pass to all SRP related callbacks */
@@ -109,6 +109,6 @@ typedef struct srpsrvparm_st {
} srpsrvparm;
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
char *srpuserseed, char *srp_verifier_file);
char *srpuserseed, char *srp_verifier_file);
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
#endif /* OPENSSL_NO_SRP */

12
apps/include/vms_term_sock.h
View File

@@ -9,23 +9,23 @@
*/
#ifndef OSSL_APPS_VMS_TERM_SOCK_H
# define OSSL_APPS_VMS_TERM_SOCK_H
#define OSSL_APPS_VMS_TERM_SOCK_H
/*
** Terminal Socket Function Codes
*/
# define TERM_SOCK_CREATE 1
# define TERM_SOCK_DELETE 2
#define TERM_SOCK_CREATE 1
#define TERM_SOCK_DELETE 2
/*
** Terminal Socket Status Codes
*/
# define TERM_SOCK_FAILURE 0
# define TERM_SOCK_SUCCESS 1
#define TERM_SOCK_FAILURE 0
#define TERM_SOCK_SUCCESS 1
/*
** Terminal Socket Prototype
*/
int TerminalSocket (int FunctionCode, int *ReturnSocket);
int TerminalSocket(int FunctionCode, int *ReturnSocket);
#endif

39
apps/info.c
View File

@@ -13,27 +13,34 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS, OPT_WINDOWSCONTEXT
OPT_CONFIGDIR,
OPT_ENGINESDIR,
OPT_MODULESDIR,
OPT_DSOEXT,
OPT_DIRNAMESEP,
OPT_LISTSEP,
OPT_SEEDS,
OPT_CPUSETTINGS,
OPT_WINDOWSCONTEXT
} OPTION_CHOICE;
const OPTIONS info_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Output"),
{"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"},
{"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"},
{"modulesdir", OPT_MODULESDIR, '-',
"Default module directory (other than engine modules)"},
{"dsoext", OPT_DSOEXT, '-', "Configured extension for modules"},
{"dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator"},
{"listsep", OPT_LISTSEP, '-', "List separator character"},
{"seeds", OPT_SEEDS, '-', "Seed sources"},
{"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
{"windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context"},
{NULL}
{ "configdir", OPT_CONFIGDIR, '-', "Default configuration file directory" },
{ "enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory" },
{ "modulesdir", OPT_MODULESDIR, '-',
"Default module directory (other than engine modules)" },
{ "dsoext", OPT_DSOEXT, '-', "Configured extension for modules" },
{ "dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator" },
{ "listsep", OPT_LISTSEP, '-', "List separator character" },
{ "seeds", OPT_SEEDS, '-', "Seed sources" },
{ "cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info" },
{ "windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context" },
{ NULL }
};
int info_main(int argc, char **argv)
@@ -47,7 +54,7 @@ int info_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -106,6 +113,6 @@ opthelp:
typedata = OPENSSL_info(type);
BIO_printf(bio_out, "%s\n", typedata == NULL ? "Undefined" : typedata);
ret = 0;
end:
end:
return ret;
}

45
apps/kdf.c
View File

@@ -19,37 +19,42 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
OPT_CIPHER, OPT_DIGEST, OPT_MAC,
OPT_KDFOPT,
OPT_BIN,
OPT_KEYLEN,
OPT_OUT,
OPT_CIPHER,
OPT_DIGEST,
OPT_MAC,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS kdf_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form"},
{"cipher", OPT_CIPHER, 's', "Cipher"},
{"digest", OPT_DIGEST, 's', "Digest"},
{"mac", OPT_MAC, 's', "MAC"},
{OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n"},
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form" },
{ "cipher", OPT_CIPHER, 's', "Cipher" },
{ "digest", OPT_DIGEST, 's', "Digest" },
{ "mac", OPT_MAC, 's', "MAC" },
{ OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n" },
{ "keylen", OPT_KEYLEN, 's', "The size of the output derived key" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"kdf_name", 0, 0, "Name of the KDF algorithm"},
{NULL}
{ "kdf_name", 0, 0, "Name of the KDF algorithm" },
{ NULL }
};
static char *alloc_kdf_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
const char *name, const char *arg)
const char *name, const char *arg)
{
size_t len = strlen(name) + strlen(arg) + 2;
char *res;
@@ -85,7 +90,7 @@ int kdf_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto err;
case OPT_HELP:
@@ -139,7 +144,8 @@ opthelp:
goto opthelp;
if ((kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0],
app_get0_propq())) == NULL) {
app_get0_propq()))
== NULL) {
BIO_printf(bio_err, "Invalid KDF name %s\n", argv[0]);
goto opthelp;
}
@@ -150,8 +156,7 @@ opthelp:
if (opts != NULL) {
int ok = 1;
OSSL_PARAM *params =
app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
OSSL_PARAM *params = app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
if (params == NULL)
goto err;

1
apps/lib/app_libctx.c
View File

@@ -45,4 +45,3 @@ OSSL_LIB_CTX *app_create_libctx(void)
opt_printf_stderr("Failed to create library context\n");
return app_libctx;
}

7
apps/lib/app_params.c
View File

@@ -63,7 +63,7 @@ static int describe_param_type(char *buf, size_t bufsz, const OSSL_PARAM *param)
printed_len = BIO_snprintf(buf, bufsz, " (arbitrary size)");
else
printed_len = BIO_snprintf(buf, bufsz, " (max %zu bytes large)",
param->data_size);
param->data_size);
if (printed_len > 0) {
buf += printed_len;
bufsz -= printed_len;
@@ -85,7 +85,7 @@ int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent)
} else {
BIO_printf(bio_out, "%*s%s:\n", indent, "", thing);
for (; pdefs->key != NULL; pdefs++) {
char buf[200]; /* This should be ample space */
char buf[200]; /* This should be ample space */
describe_param_type(buf, sizeof(buf), pdefs);
BIO_printf(bio_out, "%*s %s\n", indent, "", buf);
@@ -125,8 +125,7 @@ void print_param_value(const OSSL_PARAM *p, int indent)
break;
default:
BIO_printf(bio_out, "unknown type (%u) of %zu bytes\n",
p->data_type, p->data_size);
p->data_type, p->data_size);
break;
}
}

2
apps/lib/app_provider.c
View File

@@ -38,7 +38,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
if (prov == NULL) {
opt_printf_stderr("%s: unable to load provider %s\n"
"Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n",
opt_getprog(), provider_name);
opt_getprog(), provider_name);
ERR_print_errors(bio_err);
return 0;
}

5
apps/lib/app_rand.c
View File

@@ -88,11 +88,10 @@ int app_RAND_write(void)
ret = 0;
}
OPENSSL_free(save_rand_file);
save_rand_file = NULL;
save_rand_file = NULL;
return ret;
}
/*
* See comments in opt_verify for explanation of this.
*/
@@ -106,7 +105,7 @@ int opt_rand(int opt)
break;
case OPT_R_RAND:
if (randfiles == NULL
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
return 0;
if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
return 0;

50
apps/lib/app_x509.c
View File

@@ -38,53 +38,51 @@ static int x509_ctrl(void *object, int cmd, void *value, size_t value_n)
{
switch (cmd) {
#ifdef EVP_PKEY_CTRL_SET1_ID
case EVP_PKEY_CTRL_SET1_ID:
{
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
case EVP_PKEY_CTRL_SET1_ID: {
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate failed\n");
return 0;
}
X509_set0_distinguishing_id(object, v);
return 1;
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate failed\n");
return 0;
}
X509_set0_distinguishing_id(object, v);
return 1;
}
#endif
default:
break;
}
return -2; /* typical EVP_PKEY return for "unsupported" */
return -2; /* typical EVP_PKEY return for "unsupported" */
}
static int x509_req_ctrl(void *object, int cmd, void *value, size_t value_n)
{
switch (cmd) {
#ifdef EVP_PKEY_CTRL_SET1_ID
case EVP_PKEY_CTRL_SET1_ID:
{
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
case EVP_PKEY_CTRL_SET1_ID: {
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate signing request failed\n");
return 0;
}
X509_REQ_set0_distinguishing_id(object, v);
return 1;
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate signing request failed\n");
return 0;
}
X509_REQ_set0_distinguishing_id(object, v);
return 1;
}
#endif
default:
break;
}
return -2; /* typical EVP_PKEY return for "unsupported" */
return -2; /* typical EVP_PKEY return for "unsupported" */
}
static int do_x509_ctrl_string(int (*ctrl)(void *object, int cmd,
void *value, size_t value_n),
void *object, const char *value)
void *value, size_t value_n),
void *object, const char *value)
{
int rv = 0;
char *stmp, *vtmp = NULL;

682
apps/lib/apps.c
View File

File diff suppressed because it is too large Load Diff

1
apps/lib/apps_opt_printf.c
View File

@@ -22,4 +22,3 @@ int opt_printf_stderr(const char *fmt, ...)
va_end(ap);
return ret;
}

37
apps/lib/apps_ui.c
View File

@@ -32,17 +32,14 @@ static int ui_read(UI *ui, UI_STRING *uis)
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
case UIT_VERIFY: {
const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password != NULL) {
UI_set_result(ui, uis, password);
return 1;
}
if (password != NULL) {
UI_set_result(ui, uis, password);
return 1;
}
break;
} break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
@@ -67,15 +64,12 @@ static int ui_write(UI *ui, UI_STRING *uis)
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
case UIT_VERIFY: {
const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password != NULL)
return 1;
}
break;
if (password != NULL)
return 1;
} break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
@@ -101,7 +95,7 @@ static int ui_close(UI *ui)
/* object_name defaults to prompt_info from ui user data if present */
static char *ui_prompt_construct(UI *ui, const char *phrase_desc,
const char *object_name)
const char *object_name)
{
PW_CB_DATA *cb_data = (PW_CB_DATA *)UI_get0_user_data(ui);
@@ -132,8 +126,7 @@ int setup_ui_method(void)
&& 0 == UI_method_set_reader(ui_method, ui_read)
&& 0 == UI_method_set_writer(ui_method, ui_write)
&& 0 == UI_method_set_closer(ui_method, ui_close)
&& 0 == UI_method_set_prompt_constructor(ui_method,
ui_prompt_construct);
&& 0 == UI_method_set_prompt_constructor(ui_method, ui_prompt_construct);
}
void destroy_ui_method(void)
@@ -190,12 +183,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data)
(void)UI_add_user_data(ui, cb_data);
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
PW_MIN_LENGTH, bufsiz - 1);
PW_MIN_LENGTH, bufsiz - 1);
if (ok >= 0 && verify) {
buff = ui_malloc(bufsiz, "password buffer");
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
PW_MIN_LENGTH, bufsiz - 1, buf);
PW_MIN_LENGTH, bufsiz - 1, buf);
}
if (ok >= 0)
do {

325
apps/lib/cmp_mock_srv.c
View File

@@ -17,20 +17,20 @@
/* the context for the CMP mock server */
typedef struct {
X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
X509_CRL *crlOut; /* CRL to be returned in genp for crls */
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
X509_CRL *crlOut; /* CRL to be returned in genp for crls */
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
int sendError; /* send error response on given request type */
OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
int sendError; /* send error response on given request type */
OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
} mock_srv_ctx;
static void mock_srv_ctx_free(mock_srv_ctx *ctx)
@@ -61,34 +61,34 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
err:
err:
mock_srv_ctx_free(ctx);
return NULL;
}
#define DEFINE_OSSL_SET1_CERT(FIELD) \
int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
X509 *cert) \
{ \
#define DEFINE_OSSL_SET1_CERT(FIELD) \
int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
X509 *cert) \
{ \
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
\
if (ctx == NULL) { \
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
if (cert == NULL || X509_up_ref(cert)) { \
X509_free(ctx->FIELD); \
ctx->FIELD = cert; \
return 1; \
} \
return 0; \
\
if (ctx == NULL) { \
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
if (cert == NULL || X509_up_ref(cert)) { \
X509_free(ctx->FIELD); \
ctx->FIELD = cert; \
return 1; \
} \
return 0; \
}
DEFINE_OSSL_SET1_CERT(refCert)
DEFINE_OSSL_SET1_CERT(certOut)
int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
X509_CRL *crl)
X509_CRL *crl)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -104,7 +104,7 @@ int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
}
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *chain)
STACK_OF(X509) *chain)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
STACK_OF(X509) *chain_copy = NULL;
@@ -121,7 +121,7 @@ int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
}
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *caPubs)
STACK_OF(X509) *caPubs)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
STACK_OF(X509) *caPubs_copy = NULL;
@@ -142,7 +142,7 @@ DEFINE_OSSL_SET1_CERT(newWithOld)
DEFINE_OSSL_SET1_CERT(oldWithNew)
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text)
int fail_info, const char *text)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
OSSL_CMP_PKISI *si;
@@ -233,7 +233,7 @@ static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
/* check for matching reference cert components, as far as given */
static int refcert_cmp(const X509 *refcert,
const X509_NAME *issuer, const ASN1_INTEGER *serial)
const X509_NAME *issuer, const ASN1_INTEGER *serial)
{
const X509_NAME *ref_issuer;
const ASN1_INTEGER *ref_serial;
@@ -248,7 +248,7 @@ static int refcert_cmp(const X509 *refcert,
/* reset the state that belongs to a transaction */
static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
ossl_unused const ASN1_OCTET_STRING *id)
ossl_unused const ASN1_OCTET_STRING *id)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -264,20 +264,20 @@ static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *cert_req,
ossl_unused int certReqId,
const OSSL_CRMF_MSG *crm,
const X509_REQ *p10cr,
X509 **certOut,
STACK_OF(X509) **chainOut,
STACK_OF(X509) **caPubs)
const OSSL_CMP_MSG *cert_req,
ossl_unused int certReqId,
const OSSL_CRMF_MSG *crm,
const X509_REQ *p10cr,
X509 **certOut,
STACK_OF(X509) **chainOut,
STACK_OF(X509) **caPubs)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
int bodytype;
OSSL_CMP_PKISI *si = NULL;
if (ctx == NULL || cert_req == NULL
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
@@ -303,8 +303,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
/* accept cert profile for cr messages only with the configured name */
if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
STACK_OF(OSSL_CMP_ITAV) *itavs =
OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
STACK_OF(OSSL_CMP_ITAV) *itavs = OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
int i;
for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
@@ -323,8 +322,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
str = sk_ASN1_UTF8STRING_value(strs, 0);
if (str == NULL
|| (data =
(const char *)ASN1_STRING_get0_data(str)) == NULL) {
|| (data = (const char *)ASN1_STRING_get0_data(str)) == NULL) {
ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
@@ -339,7 +337,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
/* accept cert update request only for the reference cert, if given */
if (bodytype == OSSL_CMP_KUR
&& crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
&& crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
if (cid == NULL) {
@@ -347,29 +345,29 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (!refcert_cmp(ctx->refCert,
OSSL_CRMF_CERTID_get0_issuer(cid),
OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
OSSL_CRMF_CERTID_get0_issuer(cid),
OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
return NULL;
}
}
if (ctx->certOut != NULL
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
/* Should return a cert produced from request template, see FR #16054 */
goto err;
if (ctx->chainOut != NULL
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
goto err;
if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
goto err;
if (ctx->statusOut != NULL
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
goto err;
return si;
err:
err:
X509_free(*certOut);
*certOut = NULL;
OSSL_STACK_OF_X509_free(*chainOut);
@@ -380,9 +378,9 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *rr,
const X509_NAME *issuer,
const ASN1_INTEGER *serial)
const OSSL_CMP_MSG *rr,
const X509_NAME *issuer,
const ASN1_INTEGER *serial)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -391,7 +389,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@@ -399,9 +397,9 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
/* allow any RR derived from CSR which does not include issuer and serial */
if ((issuer != NULL || serial != NULL)
/* accept revocation only for the reference cert, if given */
&& !refcert_cmp(ctx->refCert, issuer, serial)) {
&& !refcert_cmp(ctx->refCert, issuer, serial)) {
ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
"wrong certificate to revoke");
"wrong certificate to revoke");
return NULL;
}
return OSSL_CMP_PKISI_dup(ctx->statusOut);
@@ -409,7 +407,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
/* return -1 for error, 0 for no update available */
static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
const X509_CRL *crl)
const X509_CRL *crl)
{
OSSL_CMP_CRLSTATUS *crlstatus;
DIST_POINT_NAME *dpn = NULL;
@@ -437,9 +435,9 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
return -1;
}
} else {
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
return -1; /* error according to RFC 9483 section 4.3.4 */
} else {
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
return -1; /* error according to RFC 9483 section 4.3.4 */
}
}
@@ -448,7 +446,7 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
}
static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
const OSSL_CMP_ITAV *req)
const OSSL_CMP_ITAV *req)
{
OSSL_CMP_ITAV *rsp = NULL;
@@ -456,81 +454,76 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
case NID_id_it_caCerts:
rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
break;
case NID_id_it_rootCaCert:
{
X509 *rootcacert = NULL;
case NID_id_it_rootCaCert: {
X509 *rootcacert = NULL;
if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;
if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew)) != 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
}
break;
case NID_id_it_crlStatusList:
{
STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
int res = 0;
if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
return NULL;
res = check_client_crl(crlstatuslist, ctx->crlOut);
if (res < 0)
rsp = NULL;
else
rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
}
break;
case NID_id_it_certReqTemplate:
{
OSSL_CRMF_CERTTEMPLATE *reqtemp;
OSSL_CMP_ATAVS *keyspec = NULL;
X509_ALGOR *keyalg = NULL;
OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
int ok = 0;
if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
return NULL;
if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
X509_get_issuer_name(ctx->refCert),
NULL))
goto crt_err;
if ((keyalg = X509_ALGOR_new()) == NULL)
goto crt_err;
(void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL); /* cannot fail */
eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
&& OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
OSSL_CMP_ATAV_free(eckeyalg);
OSSL_CMP_ATAV_free(rsakeylen);
X509_ALGOR_free(keyalg);
if (!ok)
goto crt_err;
rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
return rsp;
crt_err:
OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
OSSL_CMP_ATAVS_free(keyspec);
if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;
}
break;
if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew))
!= 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
} break;
case NID_id_it_crlStatusList: {
STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
int res = 0;
if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
return NULL;
res = check_client_crl(crlstatuslist, ctx->crlOut);
if (res < 0)
rsp = NULL;
else
rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
} break;
case NID_id_it_certReqTemplate: {
OSSL_CRMF_CERTTEMPLATE *reqtemp;
OSSL_CMP_ATAVS *keyspec = NULL;
X509_ALGOR *keyalg = NULL;
OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
int ok = 0;
if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
return NULL;
if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
X509_get_issuer_name(ctx->refCert),
NULL))
goto crt_err;
if ((keyalg = X509_ALGOR_new()) == NULL)
goto crt_err;
(void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL); /* cannot fail */
eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
&& OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
OSSL_CMP_ATAV_free(eckeyalg);
OSSL_CMP_ATAV_free(rsakeylen);
X509_ALGOR_free(keyalg);
if (!ok)
goto crt_err;
rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
return rsp;
crt_err:
OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
OSSL_CMP_ATAVS_free(keyspec);
return NULL;
} break;
default:
rsp = OSSL_CMP_ITAV_dup(req);
}
@@ -538,9 +531,9 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
}
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *genm,
const STACK_OF(OSSL_CMP_ITAV) *in,
STACK_OF(OSSL_CMP_ITAV) **out)
const OSSL_CMP_MSG *genm,
const STACK_OF(OSSL_CMP_ITAV) *in,
STACK_OF(OSSL_CMP_ITAV) **out)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -549,8 +542,8 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -568,14 +561,14 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
}
*out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
OSSL_CMP_ITAV_free);
OSSL_CMP_ITAV_free);
return *out != NULL;
}
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
const OSSL_CMP_PKISI *statusInfo,
const ASN1_INTEGER *errorCode,
const OSSL_CMP_PKIFREETEXT *errorDetails)
const OSSL_CMP_PKISI *statusInfo,
const ASN1_INTEGER *errorCode,
const OSSL_CMP_PKIFREETEXT *errorDetails)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
char buf[OSSL_CMP_PKISI_BUFLEN];
@@ -594,7 +587,7 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
} else {
sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
BIO_printf(bio_err, "pkiStatusInfo: %s\n",
sibuf != NULL ? sibuf: "<invalid>");
sibuf != NULL ? sibuf : "<invalid>");
}
if (errorCode == NULL)
@@ -610,18 +603,18 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
if (i > 0)
BIO_printf(bio_err, ", ");
ASN1_STRING_print_ex(bio_err,
sk_ASN1_UTF8STRING_value(errorDetails, i),
ASN1_STRFLGS_ESC_QUOTE);
sk_ASN1_UTF8STRING_value(errorDetails, i),
ASN1_STRFLGS_ESC_QUOTE);
}
BIO_printf(bio_err, "\n");
}
}
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *certConf,
ossl_unused int certReqId,
const ASN1_OCTET_STRING *certHash,
const OSSL_CMP_PKISI *si)
const OSSL_CMP_MSG *certConf,
ossl_unused int certReqId,
const ASN1_OCTET_STRING *certHash,
const OSSL_CMP_PKISI *si)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
ASN1_OCTET_STRING *digest;
@@ -631,8 +624,8 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|| ctx->certOut == NULL) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|| ctx->certOut == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -650,22 +643,22 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
/* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
OSSL_CMP_MSG **req, int64_t *check_after)
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
OSSL_CMP_MSG **req, int64_t *check_after)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
if (req != NULL)
*req = NULL;
if (ctx == NULL || pollReq == NULL
|| req == NULL || check_after == NULL) {
|| req == NULL || check_after == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -691,11 +684,11 @@ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
mock_srv_ctx *ctx = mock_srv_ctx_new();
if (srv_ctx != NULL && ctx != NULL
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
process_rr, process_genm, process_error,
process_certConf, process_pollReq)
&& OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
delayed_delivery, clean_transaction))
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
process_rr, process_genm, process_error,
process_certConf, process_pollReq)
&& OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
delayed_delivery, clean_transaction))
return srv_ctx;
mock_srv_ctx_free(ctx);

1
apps/lib/columns.c
View File

@@ -24,4 +24,3 @@ void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc)
dc->width = maxlen + 2;
dc->columns = (80 - 1) / dc->width;
}

15
apps/lib/engine.c
View File

@@ -19,7 +19,7 @@
#include <openssl/types.h> /* Ensure we have the ENGINE type, regardless */
#include <openssl/err.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#include <openssl/engine.h>
#endif
#include "apps.h"
@@ -60,8 +60,8 @@ ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug)
if (debug)
(void)ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0,
(void *)get_ui_method(), 0, 1)
|| !ENGINE_set_default(e, methods)) {
(void *)get_ui_method(), 0, 1)
|| !ENGINE_set_default(e, methods)) {
BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e));
ERR_print_errors(bio_err);
ENGINE_free(e);
@@ -113,8 +113,7 @@ char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc);
} else {
const char *engineid = ENGINE_get_id(e);
size_t uri_sz =
sizeof(ENGINE_SCHEME_COLON) - 1
size_t uri_sz = sizeof(ENGINE_SCHEME_COLON) - 1
+ strlen(engineid)
+ 1 /* : */
+ strlen(key_id)
@@ -151,9 +150,9 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
else
#endif
/* We're only interested if it comes from an ENGINE */
if (tmpeng == NULL)
ameth = NULL;
/* We're only interested if it comes from an ENGINE */
if (tmpeng == NULL)
ameth = NULL;
ERR_pop_to_mark();
if (ameth == NULL)

38
apps/lib/engine_loader.c
View File

@@ -18,10 +18,10 @@
#ifndef OPENSSL_NO_ENGINE
# include <stdarg.h>
# include <string.h>
# include <openssl/engine.h>
# include <openssl/store.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/engine.h>
#include <openssl/store.h>
/*
* Support for legacy private engine keys via the 'org.openssl.engine:' scheme
@@ -35,10 +35,10 @@
/* Local definition of OSSL_STORE_LOADER_CTX */
struct ossl_store_loader_ctx_st {
ENGINE *e; /* Structural reference */
ENGINE *e; /* Structural reference */
char *keyid;
int expected;
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
};
static OSSL_STORE_LOADER_CTX *OSSL_STORE_LOADER_CTX_new(ENGINE *e, char *keyid)
@@ -62,9 +62,9 @@ static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
}
static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
const char *uri,
const UI_METHOD *ui_method,
void *ui_data)
const char *uri,
const UI_METHOD *ui_method,
void *ui_data)
{
const char *p = uri, *q;
ENGINE *e = NULL;
@@ -76,9 +76,9 @@ static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
/* Look for engine ID */
q = strchr(p, ':');
if (q != NULL /* There is both an engine ID and a key ID */
&& p[0] != ':' /* The engine ID is at least one character */
&& q[1] != '\0') { /* The key ID is at least one character */
if (q != NULL /* There is both an engine ID and a key ID */
&& p[0] != ':' /* The engine ID is at least one character */
&& q[1] != '\0') { /* The key ID is at least one character */
char engineid[256];
size_t engineid_l = q - p;
@@ -112,7 +112,7 @@ static int engine_expect(OSSL_STORE_LOADER_CTX *ctx, int expected)
}
static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
const UI_METHOD *ui_method, void *ui_data)
const UI_METHOD *ui_method, void *ui_data)
{
EVP_PKEY *pkey = NULL, *pubkey = NULL;
OSSL_STORE_INFO *info = NULL;
@@ -121,14 +121,12 @@ static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
if (ENGINE_init(ctx->e)) {
if (ctx->expected == 0
|| ctx->expected == OSSL_STORE_INFO_PKEY)
pkey =
ENGINE_load_private_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
pkey = ENGINE_load_private_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
if ((pkey == NULL && ctx->expected == 0)
|| ctx->expected == OSSL_STORE_INFO_PUBKEY)
pubkey =
ENGINE_load_public_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
pubkey = ENGINE_load_public_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
ENGINE_finish(ctx->e);
}
}
@@ -187,7 +185,7 @@ void destroy_engine_loader(void)
OSSL_STORE_LOADER_free(loader);
}
#else /* !OPENSSL_NO_ENGINE */
#else /* !OPENSSL_NO_ENGINE */
int setup_engine_loader(void)
{

125
apps/lib/http_server.c
View File

@@ -14,7 +14,7 @@
* On VMS, you need to define this to get the declaration of fileno(). The
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
*/
# define _POSIX_C_SOURCE 2
#define _POSIX_C_SOURCE 2
#endif
#include <ctype.h>
@@ -28,9 +28,9 @@
#define HTTP_PREFIX "HTTP/"
#define HTTP_VERSION_PATT "1." /* allow 1.x */
#define HTTP_PREFIX_VERSION HTTP_PREFIX""HTTP_VERSION_PATT
#define HTTP_1_0 HTTP_PREFIX_VERSION"0" /* "HTTP/1.0" */
#define HTTP_VERSION_STR " "HTTP_PREFIX_VERSION
#define HTTP_PREFIX_VERSION HTTP_PREFIX "" HTTP_VERSION_PATT
#define HTTP_1_0 HTTP_PREFIX_VERSION "0" /* "HTTP/1.0" */
#define HTTP_VERSION_STR " " HTTP_PREFIX_VERSION
#define log_HTTP(prog, level, text) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, "%s", text)
@@ -38,7 +38,7 @@
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, arg)
#define log_HTTP2(prog, level, fmt, arg1, arg2) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, arg1, arg2)
#define log_HTTP3(prog, level, fmt, a1, a2, a3) \
#define log_HTTP3(prog, level, fmt, a1, a2, a3) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, a1, a2, a3)
#ifdef HTTP_DAEMON
@@ -86,8 +86,8 @@ void spawn_loop(const char *prog)
if (setpgid(0, 0)) {
log_HTTP1(prog, LOG_CRIT,
"error detaching from parent process group: %s",
strerror(errno));
"error detaching from parent process group: %s",
strerror(errno));
exit(1);
}
kidpids = app_malloc(n_responders * sizeof(*kidpids), "child PID array");
@@ -115,32 +115,32 @@ void spawn_loop(const char *prog)
}
if (i >= n_responders) {
log_HTTP1(prog, LOG_CRIT,
"internal error: no matching child slot for pid: %ld",
(long)fpid);
"internal error: no matching child slot for pid: %ld",
(long)fpid);
killall(1, kidpids);
}
if (status != 0) {
if (WIFEXITED(status)) {
log_HTTP2(prog, LOG_WARNING,
"child process: %ld, exit status: %d",
(long)fpid, WEXITSTATUS(status));
"child process: %ld, exit status: %d",
(long)fpid, WEXITSTATUS(status));
} else if (WIFSIGNALED(status)) {
char *dumped = "";
# ifdef WCOREDUMP
#ifdef WCOREDUMP
if (WCOREDUMP(status))
dumped = " (core dumped)";
# endif
#endif
log_HTTP3(prog, LOG_WARNING,
"child process: %ld, term signal %d%s",
(long)fpid, WTERMSIG(status), dumped);
"child process: %ld, term signal %d%s",
(long)fpid, WTERMSIG(status), dumped);
}
OSSL_sleep(1000);
}
break;
} else if (errno != EINTR) {
log_HTTP1(prog, LOG_CRIT,
"waitpid() failed: %s", strerror(errno));
"waitpid() failed: %s", strerror(errno));
killall(1, kidpids);
}
}
@@ -163,7 +163,7 @@ void spawn_loop(const char *prog)
_exit(1);
}
return;
default: /* parent */
default: /* parent */
for (i = 0; i < n_responders; ++i) {
if (kidpids[i] == 0) {
kidpids[i] = fpid;
@@ -173,7 +173,7 @@ void spawn_loop(const char *prog)
}
if (i >= n_responders) {
log_HTTP(prog, LOG_CRIT,
"internal error: no free child slots");
"internal error: no free child slots");
killall(1, kidpids);
}
break;
@@ -226,7 +226,7 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
return acbio;
err:
err:
ERR_print_errors(bio_err);
BIO_free_all(acbio);
BIO_free(bufbio);
@@ -260,9 +260,9 @@ static int urldecode(char *p)
/* if *pcbio != NULL, continue given connected session, else accept new */
/* if found_keep_alive != NULL, return this way connection persistence state */
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout)
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout)
{
BIO *cbio = *pcbio, *getbio = NULL, *b64 = NULL;
int len;
@@ -284,7 +284,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
goto fatal;
}
log_HTTP1(prog, LOG_DEBUG,
"awaiting new connection on port %s ...", port);
"awaiting new connection on port %s ...", port);
OPENSSL_free(port);
if (BIO_do_accept(acbio) <= 0)
@@ -301,12 +301,12 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
goto out;
}
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
if (timeout > 0) {
(void)BIO_get_fd(cbio, &acfd);
alarm(timeout);
}
# endif
#endif
/* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@@ -320,23 +320,23 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
if (((end = strchr(reqbuf, '\r')) != NULL && end[1] == '\n')
|| (end = strchr(reqbuf, '\n')) != NULL)
|| (end = strchr(reqbuf, '\n')) != NULL)
*end = '\0';
if (log_get_verbosity() < LOG_TRACE)
trace_log_message(-1, prog, LOG_INFO,
"received request, 1st line: %s", reqbuf);
"received request, 1st line: %s", reqbuf);
log_HTTP(prog, LOG_TRACE, "received request header:");
log_HTTP1(prog, LOG_TRACE, "%s", reqbuf);
if (end == NULL) {
log_HTTP(prog, LOG_WARNING,
"cannot parse HTTP header: missing end of line");
"cannot parse HTTP header: missing end of line");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
url = meth = reqbuf;
if ((accept_get && CHECK_AND_SKIP_PREFIX(url, "GET "))
|| CHECK_AND_SKIP_PREFIX(url, "POST ")) {
|| CHECK_AND_SKIP_PREFIX(url, "POST ")) {
/* Expecting (GET|POST) {sp} /URL {sp} HTTP/1.x */
url[-1] = '\0';
@@ -344,8 +344,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
url++;
if (*url != '/') {
log_HTTP2(prog, LOG_WARNING,
"invalid %s -- URL does not begin with '/': %s",
meth, url);
"invalid %s -- URL does not begin with '/': %s",
meth, url);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -357,8 +357,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
break;
if (!HAS_PREFIX(end, HTTP_VERSION_STR)) {
log_HTTP2(prog, LOG_WARNING,
"invalid %s -- bad HTTP/version string: %s",
meth, end + 1);
"invalid %s -- bad HTTP/version string: %s",
meth, end + 1);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -380,7 +380,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
len = urldecode(url);
if (len < 0) {
log_HTTP2(prog, LOG_WARNING,
"invalid %s request -- bad URL encoding: %s", meth, url);
"invalid %s request -- bad URL encoding: %s", meth, url);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -388,7 +388,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
if ((getbio = BIO_new_mem_buf(url, len)) == NULL
|| (b64 = BIO_new(BIO_f_base64())) == NULL) {
log_HTTP1(prog, LOG_ERR,
"could not allocate base64 bio with size = %d", len);
"could not allocate base64 bio with size = %d", len);
goto fatal;
}
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
@@ -396,8 +396,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
} else {
log_HTTP2(prog, LOG_WARNING,
"HTTP request does not begin with %sPOST: %s",
accept_get ? "GET or " : "", reqbuf);
"HTTP request does not begin with %sPOST: %s",
accept_get ? "GET or " : "", reqbuf);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -423,11 +423,10 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
if (((end = strchr(inbuf, '\r')) != NULL && end[1] == '\n')
|| (end = strchr(inbuf, '\n')) != NULL)
*end = '\0';
log_HTTP1(prog, LOG_TRACE, "%s", *inbuf == '\0' ?
" " /* workaround for "" getting ignored */ : inbuf);
log_HTTP1(prog, LOG_TRACE, "%s", *inbuf == '\0' ? " " /* workaround for "" getting ignored */ : inbuf);
if (end == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing HTTP header: missing end of line");
"error parsing HTTP header: missing end of line");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -439,7 +438,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
value = strchr(key, ':');
if (value == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing HTTP header: missing ':'");
"error parsing HTTP header: missing ':'");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -456,37 +455,37 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
}
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
/* Clear alarm before we close the client socket */
alarm(0);
timeout = 0;
# endif
#endif
/* Try to read and parse request */
req = ASN1_item_d2i_bio(it, getbio != NULL ? getbio : cbio, NULL);
if (req == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing DER-encoded request content");
"error parsing DER-encoded request content");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
} else if (ppath != NULL && (*ppath = OPENSSL_strdup(url)) == NULL) {
log_HTTP1(prog, LOG_ERR,
"out of memory allocating %zu bytes", strlen(url) + 1);
"out of memory allocating %zu bytes", strlen(url) + 1);
ASN1_item_free(req, it);
goto fatal;
}
*preq = req;
out:
out:
BIO_free_all(getbio);
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
if (timeout > 0)
alarm(0);
acfd = (int)INVALID_SOCKET;
# endif
#endif
return ret;
fatal:
fatal:
(void)http_server_send_status(prog, cbio, 500, "Internal Server Error");
if (ppath != NULL) {
OPENSSL_free(*ppath);
@@ -500,23 +499,23 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
/* assumes that cbio does not do an encoding that changes the output length */
int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp)
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp)
{
char buf[200], *p;
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0" 200 OK\r\n%s"
"Content-type: %s\r\n"
"Content-Length: %d\r\n",
keep_alive ? "Connection: keep-alive\r\n" : "",
content_type,
ASN1_item_i2d(resp, NULL, it));
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0 " 200 OK\r\n%s"
"Content-type: %s\r\n"
"Content-Length: %d\r\n",
keep_alive ? "Connection: keep-alive\r\n" : "",
content_type,
ASN1_item_i2d(resp, NULL, it));
if (ret < 0 || (size_t)ret >= sizeof(buf))
return 0;
if (log_get_verbosity() < LOG_TRACE && (p = strchr(buf, '\r')) != NULL)
trace_log_message(-1, prog, LOG_INFO,
"sending response, 1st line: %.*s", (int)(p - buf),
buf);
"sending response, 1st line: %.*s", (int)(p - buf),
buf);
log_HTTP1(prog, LOG_TRACE, "sending response header:\n%s", buf);
ret = BIO_printf(cbio, "%s\r\n", buf) > 0
@@ -527,12 +526,12 @@ int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
}
int http_server_send_status(const char *prog, BIO *cbio,
int status, const char *reason)
int status, const char *reason)
{
char buf[200];
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0" %d %s\r\n\r\n",
/* This implicitly cancels keep-alive */
status, reason);
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0 " %d %s\r\n\r\n",
/* This implicitly cancels keep-alive */
status, reason);
if (ret < 0 || (size_t)ret >= sizeof(buf))
return 0;

8
apps/lib/log.c
View File

@@ -17,7 +17,7 @@ int log_set_verbosity(const char *prog, int level)
{
if (level < LOG_EMERG || level > LOG_TRACE) {
trace_log_message(-1, prog, LOG_ERR,
"Invalid verbosity level %d", level);
"Invalid verbosity level %d", level);
return 0;
}
verbosity = level;
@@ -65,11 +65,11 @@ static void log_with_prefix(const char *prog, const char *fmt, va_list ap)
*/
#undef OSSL_NO_C99
#if !defined(__STDC_VERSION__) || __STDC_VERSION__ + 0 < 199900L
# define OSSL_NO_C99
#define OSSL_NO_C99
#endif
void trace_log_message(int category,
const char *prog, int level, const char *fmt, ...)
const char *prog, int level, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
@@ -103,6 +103,6 @@ void trace_log_message(int category,
ERR_print_errors_cb(print_syslog, &level);
} else
#endif
log_with_prefix(prog, fmt, ap);
log_with_prefix(prog, fmt, ap);
va_end(ap);
}

2
apps/lib/names.c
View File

@@ -13,7 +13,7 @@
#include "names.h"
#include "internal/e_os.h"
int name_cmp(const char * const *a, const char * const *b)
int name_cmp(const char *const *a, const char *const *b)
{
return OPENSSL_strcasecmp(*a, *b);
}

202
apps/lib/opt.c
View File

@@ -17,7 +17,7 @@
#include "internal/numbers.h"
#include <string.h>
#if !defined(OPENSSL_SYS_MSDOS)
# include <unistd.h>
#include <unistd.h>
#endif
#include <stdlib.h>
@@ -56,7 +56,7 @@ const char *opt_path_end(const char *filename)
const char *p;
/* find the last '/', '\' or ':' */
for (p = filename + strlen(filename); --p > filename; )
for (p = filename + strlen(filename); --p > filename;)
if (*p == '/' || *p == '\\' || *p == ':') {
p++;
break;
@@ -74,8 +74,7 @@ char *opt_progname(const char *argv0)
/* Strip off trailing nonsense. */
n = strlen(p);
if (n > 4 &&
(strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
if (n > 4 && (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
n -= 4;
/* Copy over the name, in lowercase. */
@@ -178,8 +177,8 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
#endif
if (o->name == OPT_HELP_STR
|| o->name == OPT_MORE_STR
|| o->name == OPT_SECTION_STR)
|| o->name == OPT_MORE_STR
|| o->name == OPT_SECTION_STR)
continue;
#ifndef NDEBUG
i = o->valtype;
@@ -191,10 +190,26 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
else
OPENSSL_assert(o->retval == OPT_DUP || o->retval > OPT_PARAM);
switch (i) {
case 0: case '-': case '.':
case '/': case '<': case '>': case 'E': case 'F':
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
case 'u': case 'c': case ':': case 'N': case 'A':
case 0:
case '-':
case '.':
case '/':
case '<':
case '>':
case 'E':
case 'F':
case 'M':
case 'U':
case 'f':
case 'l':
case 'n':
case 'p':
case 's':
case 'u':
case 'c':
case ':':
case 'N':
case 'A':
break;
default:
OPENSSL_assert(0);
@@ -209,7 +224,7 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
&& strcmp(o->name, next->name) == 0;
if (duplicated) {
opt_printf_stderr("%s: Internal error: duplicate option %s\n",
prog, o->name);
prog, o->name);
OPENSSL_assert(!duplicated);
}
}
@@ -225,18 +240,18 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
}
static OPT_PAIR formats[] = {
{"pem", OPT_FMT_PEM},
{"der", OPT_FMT_DER},
{"b64", OPT_FMT_B64},
{"pkcs12", OPT_FMT_PKCS12},
{"smime", OPT_FMT_SMIME},
{"engine", OPT_FMT_ENGINE},
{"msblob", OPT_FMT_MSBLOB},
{"nss", OPT_FMT_NSS},
{"text", OPT_FMT_TEXT},
{"http", OPT_FMT_HTTP},
{"pvk", OPT_FMT_PVK},
{NULL}
{ "pem", OPT_FMT_PEM },
{ "der", OPT_FMT_DER },
{ "b64", OPT_FMT_B64 },
{ "pkcs12", OPT_FMT_PKCS12 },
{ "smime", OPT_FMT_SMIME },
{ "engine", OPT_FMT_ENGINE },
{ "msblob", OPT_FMT_MSBLOB },
{ "nss", OPT_FMT_NSS },
{ "text", OPT_FMT_TEXT },
{ "http", OPT_FMT_HTTP },
{ "pvk", OPT_FMT_PVK },
{ NULL }
};
void opt_set_unknown_name(const char *name)
@@ -269,7 +284,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
case 'b':
if (s[1] == '\0'
|| strcmp(s, "B64") == 0 || strcmp(s, "b64") == 0
|| strcmp(s, "BASE64") == 0 || strcmp(s, "base64") == 0 ) {
|| strcmp(s, "BASE64") == 0 || strcmp(s, "base64") == 0) {
if ((flags & OPT_FMT_B64) == 0)
return opt_format_error(s, flags);
*result = FORMAT_BASE64;
@@ -337,7 +352,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
return opt_format_error(s, flags);
*result = FORMAT_PVK;
} else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0
|| strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
|| strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
if ((flags & OPT_FMT_PKCS12) == 0)
return opt_format_error(s, flags);
*result = FORMAT_PKCS12;
@@ -395,7 +410,8 @@ int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
ERR_set_mark();
if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
app_get0_propq())) != NULL
app_get0_propq()))
!= NULL
|| (opt_legacy_okay()
&& (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
ERR_pop_to_mark();
@@ -416,7 +432,7 @@ int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
int ret;
if (name == NULL)
return 1;
return 1;
if ((ret = opt_cipher_silent(name, cipherp)) == 0)
opt_printf_stderr("%s: Unknown option or cipher: %s\n", prog, name);
return ret;
@@ -424,13 +440,13 @@ int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
int opt_cipher(const char *name, EVP_CIPHER **cipherp)
{
int mode, ret = 0;
unsigned long int flags;
EVP_CIPHER *c = NULL;
int mode, ret = 0;
unsigned long int flags;
EVP_CIPHER *c = NULL;
if (name == NULL)
return 1;
if (opt_cipher_any(name, &c)) {
return 1;
if (opt_cipher_any(name, &c)) {
mode = EVP_CIPHER_get_mode(c);
flags = EVP_CIPHER_get_flags(c);
if (mode == EVP_CIPH_XTS_MODE) {
@@ -478,7 +494,7 @@ int opt_md(const char *name, EVP_MD **mdp)
return 1;
if ((ret = opt_md_silent(name, mdp)) == 0)
opt_printf_stderr("%s: Unknown option or message digest: %s\n",
prog, name);
prog, name);
return ret;
}
@@ -491,7 +507,7 @@ int opt_check_md(const char *name)
}
/* Look through a list of name/value pairs. */
int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
int opt_pair(const char *name, const OPT_PAIR *pairs, int *result)
{
const OPT_PAIR *pp;
@@ -530,7 +546,7 @@ int opt_int(const char *value, int *result)
*result = (int)l;
if (*result != l) {
opt_printf_stderr("%s: Value \"%s\" outside integer range\n",
prog, value);
prog, value);
return 0;
}
return 1;
@@ -552,15 +568,15 @@ static void opt_number_error(const char *v)
char *prefix;
char *name;
} b[] = {
{"0x", "a hexadecimal"},
{"0X", "a hexadecimal"},
{"0", "an octal"}
{ "0x", "a hexadecimal" },
{ "0X", "a hexadecimal" },
{ "0", "an octal" }
};
for (i = 0; i < OSSL_NELEM(b); i++) {
if (strncmp(v, b[i].prefix, strlen(b[i].prefix)) == 0) {
opt_printf_stderr("%s: Can't parse \"%s\" as %s number\n",
prog, v, b[i].name);
prog, v, b[i].name);
return;
}
}
@@ -578,9 +594,9 @@ int opt_long(const char *value, long *result)
errno = 0;
l = strtol(value, &endp, 0);
if (*endp
|| endp == value
|| ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
|| endp == value
|| ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -590,9 +606,7 @@ int opt_long(const char *value, long *result)
return 1;
}
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
defined(INTMAX_MAX) && defined(UINTMAX_MAX) && \
!defined(OPENSSL_NO_INTTYPES_H)
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && defined(INTMAX_MAX) && defined(UINTMAX_MAX) && !defined(OPENSSL_NO_INTTYPES_H)
/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
int opt_intmax(const char *value, ossl_intmax_t *result)
@@ -604,10 +618,10 @@ int opt_intmax(const char *value, ossl_intmax_t *result)
errno = 0;
m = strtoimax(value, &endp, 0);
if (*endp
|| endp == value
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
&& errno == ERANGE)
|| (m == 0 && errno != 0)) {
|| endp == value
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
&& errno == ERANGE)
|| (m == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -633,9 +647,9 @@ int opt_uintmax(const char *value, ossl_uintmax_t *result)
errno = 0;
m = strtoumax(value, &endp, 0);
if (*endp
|| endp == value
|| (m == UINTMAX_MAX && errno == ERANGE)
|| (m == 0 && errno != 0)) {
|| endp == value
|| (m == UINTMAX_MAX && errno == ERANGE)
|| (m == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -685,9 +699,9 @@ int opt_ulong(const char *value, unsigned long *result)
errno = 0;
l = strtoul(value, &endptr, 0);
if (*endptr
|| endptr == value
|| ((l == ULONG_MAX) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
|| endptr == value
|| ((l == ULONG_MAX) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -729,7 +743,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) {
ASN1_OBJECT_free(otmp);
opt_printf_stderr("%s: Internal error adding Policy %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
break;
@@ -749,7 +763,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
opt_printf_stderr("%s: Internal error setting purpose %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
break;
@@ -757,7 +771,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
if (vtmp == NULL) {
opt_printf_stderr("%s: Invalid verify name %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set1(vpm, vtmp);
@@ -777,7 +791,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
return 0;
if (t != (time_t)t) {
opt_printf_stderr("%s: epoch time out of range %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
@@ -805,8 +819,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
break;
case OPT_V_CRL_CHECK_ALL:
X509_VERIFY_PARAM_set_flags(vpm,
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
break;
case OPT_V_POLICY_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
@@ -861,7 +874,6 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
break;
}
return 1;
}
void opt_begin(void)
@@ -911,14 +923,14 @@ int opt_next(void)
for (o = opts; o->name; ++o) {
/* If not this option, move on to the next one. */
if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0)
&& strcmp(p, o->name) != 0)
&& strcmp(p, o->name) != 0)
continue;
/* If it doesn't take a value, make sure none was given. */
if (o->valtype == 0 || o->valtype == '-') {
if (arg) {
opt_printf_stderr("%s: Option -%s does not take a value\n",
prog, p);
prog, p);
return -1;
}
return o->retval;
@@ -928,7 +940,7 @@ int opt_next(void)
if (arg == NULL) {
if (argv[opt_index] == NULL) {
opt_printf_stderr("%s: Option -%s needs a value\n",
prog, o->name);
prog, o->name);
return -1;
}
arg = argv[opt_index++];
@@ -962,12 +974,12 @@ int opt_next(void)
return -1;
if (o->valtype == 'p' && ival <= 0) {
opt_printf_stderr("%s: Non-positive number \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
if (o->valtype == 'N' && ival < 0) {
opt_printf_stderr("%s: Negative number \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
break;
@@ -994,14 +1006,14 @@ int opt_next(void)
case 'A':
case 'a':
if (opt_format(arg,
o->valtype == 'c' ? OPT_FMT_PDS :
o->valtype == 'E' ? OPT_FMT_PDE :
o->valtype == 'F' ? OPT_FMT_PEMDER :
o->valtype == 'A' ? OPT_FMT_ASN1 :
OPT_FMT_ANY, &ival))
o->valtype == 'c' ? OPT_FMT_PDS : o->valtype == 'E' ? OPT_FMT_PDE
: o->valtype == 'F' ? OPT_FMT_PEMDER
: o->valtype == 'A' ? OPT_FMT_ASN1
: OPT_FMT_ANY,
&ival))
break;
opt_printf_stderr("%s: Invalid format \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
@@ -1011,7 +1023,7 @@ int opt_next(void)
if (unknown != NULL) {
if (dunno != NULL) {
opt_printf_stderr("%s: Multiple %s or unknown options: -%s and -%s\n",
prog, unknown_name, dunno, p);
prog, unknown_name, dunno, p);
return -1;
}
dunno = p;
@@ -1083,7 +1095,7 @@ int opt_check_rest_arg(const char *expected)
opt_printf_stderr("%s: Extra option: \"%s\"\n", prog, opt);
else
opt_printf_stderr("%s: Extra (unknown) options: \"%s\" \"%s\"\n",
prog, opt_unknown(), opt);
prog, opt_unknown(), opt);
return 0;
}
@@ -1130,7 +1142,7 @@ static const char *valtype2param(const OPTIONS *o)
static void opt_print(const OPTIONS *o, int doingparams, int width)
{
const char* help;
const char *help;
char start[80 + 1];
int linelen, printlen;
@@ -1168,11 +1180,11 @@ static void opt_print(const OPTIONS *o, int doingparams, int width)
printlen = opt_printf_stderr(" %s", !doingparams ? "-" : "");
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
printlen = opt_printf_stderr("%s" , o->name[0] ? o->name : "*");
printlen = opt_printf_stderr("%s", o->name[0] ? o->name : "*");
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
if (o->valtype != '-') {
printlen = opt_printf_stderr(" %s" , valtype2param(o));
printlen = opt_printf_stderr(" %s", valtype2param(o));
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
}
@@ -1229,52 +1241,52 @@ void opt_help(const OPTIONS *list)
/* opt_isdir section */
#ifdef _WIN32
# include <windows.h>
#include <windows.h>
int opt_isdir(const char *name)
{
DWORD attr;
# if defined(UNICODE) || defined(_UNICODE)
#if defined(UNICODE) || defined(_UNICODE)
size_t i, len_0 = strlen(name) + 1;
WCHAR tempname[MAX_PATH];
if (len_0 > MAX_PATH)
return -1;
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
#if !defined(_WIN32_WCE) || _WIN32_WCE >= 101
if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH))
# endif
#endif
for (i = 0; i < len_0; i++)
tempname[i] = (WCHAR)name[i];
attr = GetFileAttributes(tempname);
# else
#else
attr = GetFileAttributes(name);
# endif
#endif
if (attr == INVALID_FILE_ATTRIBUTES)
return -1;
return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0);
}
#else
# include <sys/stat.h>
# ifndef S_ISDIR
# if defined(_S_IFMT) && defined(_S_IFDIR)
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
# else
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
# endif
# endif
#include <sys/stat.h>
#ifndef S_ISDIR
#if defined(_S_IFMT) && defined(_S_IFDIR)
#define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
#else
#define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
#endif
#endif
int opt_isdir(const char *name)
{
# if defined(S_ISDIR)
#if defined(S_ISDIR)
struct stat st;
if (stat(name, &st) == 0)
return S_ISDIR(st.st_mode);
else
return -1;
# else
#else
return -1;
# endif
#endif
}
#endif

643
apps/lib/s_cb.c
View File

File diff suppressed because it is too large Load Diff

102
apps/lib/s_socket.c
View File

@@ -22,27 +22,27 @@
* needed to have fileno() declared correctly... So let's define u_int
*/
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
# define __U_INT
#define __U_INT
typedef unsigned int u_int;
#endif
#ifdef _WIN32
# include <process.h>
#include <process.h>
/* MSVC renamed some POSIX functions to have an underscore prefix. */
# ifdef _MSC_VER
# define getpid _getpid
# endif
#ifdef _MSC_VER
#define getpid _getpid
#endif
#endif
#ifndef OPENSSL_NO_SOCK
# include "apps.h"
# include "s_apps.h"
# include "internal/sockets.h"
#include "apps.h"
#include "s_apps.h"
#include "internal/sockets.h"
# include <openssl/bio.h>
# include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/err.h>
/* Keep track of our peer's address for the cookie callback */
BIO_ADDR *ourpeer = NULL;
@@ -72,9 +72,9 @@ BIO_ADDR *ourpeer = NULL;
* Returns 1 on success, 0 on failure.
*/
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret)
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret)
{
BIO_ADDRINFO *res = NULL;
BIO_ADDRINFO *bindaddr = NULL;
@@ -88,7 +88,7 @@ int init_client(int *sock, const char *host, const char *port,
return 0;
ret = BIO_lookup_ex(host, port, BIO_LOOKUP_CLIENT, family, type, protocol,
&res);
&res);
if (ret == 0) {
ERR_print_errors(bio_err);
return 0;
@@ -96,9 +96,9 @@ int init_client(int *sock, const char *host, const char *port,
if (bindhost != NULL || bindport != NULL) {
ret = BIO_lookup_ex(bindhost, bindport, BIO_LOOKUP_CLIENT,
family, type, protocol, &bindaddr);
family, type, protocol, &bindaddr);
if (ret == 0) {
ERR_print_errors (bio_err);
ERR_print_errors(bio_err);
goto out;
}
}
@@ -109,10 +109,10 @@ int init_client(int *sock, const char *host, const char *port,
* anything in the BIO_ADDRINFO chain that we haven't
* asked for. */
OPENSSL_assert((family == AF_UNSPEC
|| family == BIO_ADDRINFO_family(ai))
&& (type == 0 || type == BIO_ADDRINFO_socktype(ai))
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
|| family == BIO_ADDRINFO_family(ai))
&& (type == 0 || type == BIO_ADDRINFO_socktype(ai))
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
if (bindaddr != NULL) {
for (bi = bindaddr; bi != NULL; bi = BIO_ADDRINFO_next(bi)) {
@@ -125,7 +125,7 @@ int init_client(int *sock, const char *host, const char *port,
}
*sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai),
BIO_ADDRINFO_protocol(ai), 0);
BIO_ADDRINFO_protocol(ai), 0);
if (*sock == INVALID_SOCKET) {
/* Maybe the kernel doesn't support the socket family, even if
* BIO_lookup() added it in the returned result...
@@ -135,7 +135,7 @@ int init_client(int *sock, const char *host, const char *port,
if (bi != NULL) {
if (!BIO_bind(*sock, BIO_ADDRINFO_address(bi),
BIO_SOCK_REUSEADDR)) {
BIO_SOCK_REUSEADDR)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
break;
@@ -192,13 +192,14 @@ int init_client(int *sock, const char *host, const char *port,
if (bindaddr != NULL && !found) {
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
#ifdef AF_INET6
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
#endif
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
bindhost != NULL ? bindhost : "",
bindport != NULL ? ":" : "",
bindport != NULL ? bindport : "");
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 "
: BIO_ADDRINFO_family(res) == AF_UNIX ? "unix "
: "",
bindhost != NULL ? bindhost : "",
bindport != NULL ? ":" : "",
bindport != NULL ? bindport : "");
ERR_clear_error();
ret = 0;
}
@@ -217,7 +218,7 @@ int init_client(int *sock, const char *host, const char *port,
}
out:
if (bindaddr != NULL) {
BIO_ADDRINFO_free (bindaddr);
BIO_ADDRINFO_free(bindaddr);
}
BIO_ADDRINFO_free(res);
return ret;
@@ -233,7 +234,7 @@ void get_sock_info_address(int asock, char **hostname, char **service)
*service = NULL;
if ((info.addr = BIO_ADDR_new()) != NULL
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)) {
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)) {
if (hostname != NULL)
*hostname = BIO_ADDR_hostname_string(info.addr, 1);
if (service != NULL)
@@ -255,10 +256,11 @@ int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
success = hostname != NULL && service != NULL;
if (success)
success = BIO_printf(out,
strchr(hostname, ':') == NULL
? /* IPv4 */ " %s:%s"
: /* IPv6 */ " [%s]:%s",
hostname, service) > 0;
strchr(hostname, ':') == NULL
? /* IPv4 */ " %s:%s"
: /* IPv6 */ " [%s]:%s",
hostname, service)
> 0;
else
(void)BIO_printf(out, "unknown:error\n");
OPENSSL_free(hostname);
@@ -293,9 +295,9 @@ int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
* 0 on failure, something other on success.
*/
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo)
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo)
{
int asock = 0;
int sock;
@@ -313,7 +315,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
return 0;
if (!BIO_lookup_ex(host, port, BIO_LOOKUP_SERVER, family, type, protocol,
&res)) {
&res)) {
ERR_print_errors(bio_err);
return 0;
}
@@ -321,8 +323,8 @@ int do_server(int *accept_sock, const char *host, const char *port,
/* Admittedly, these checks are quite paranoid, we should not get
* anything in the BIO_ADDRINFO chain that we haven't asked for */
OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
&& (type == 0 || type == BIO_ADDRINFO_socktype(res))
&& (protocol == 0 || protocol == BIO_ADDRINFO_protocol(res)));
&& (type == 0 || type == BIO_ADDRINFO_socktype(res))
&& (protocol == 0 || protocol == BIO_ADDRINFO_protocol(res)));
sock_family = BIO_ADDRINFO_family(res);
sock_type = BIO_ADDRINFO_socktype(res);
@@ -335,10 +337,10 @@ int do_server(int *accept_sock, const char *host, const char *port,
if (sock_family == AF_INET6)
sock_options |= BIO_SOCK_V6_ONLY;
if (next != NULL
&& BIO_ADDRINFO_socktype(next) == sock_type
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
&& BIO_ADDRINFO_socktype(next) == sock_type
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
if (sock_family == AF_INET
&& BIO_ADDRINFO_family(next) == AF_INET6) {
&& BIO_ADDRINFO_family(next) == AF_INET6) {
/* In case AF_INET6 is returned but not supported by the
* kernel, retry with the first detected address family */
sock_family_fallback = sock_family;
@@ -346,7 +348,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
sock_family = AF_INET6;
sock_address = BIO_ADDRINFO_address(next);
} else if (sock_family == AF_INET6
&& BIO_ADDRINFO_family(next) == AF_INET) {
&& BIO_ADDRINFO_family(next) == AF_INET) {
sock_options &= ~BIO_SOCK_V6_ONLY;
}
}
@@ -444,12 +446,12 @@ int do_server(int *accept_sock, const char *host, const char *port,
* alerts are passed on...]
*/
timeout.tv_sec = 0;
timeout.tv_usec = 500000; /* some extreme round-trip */
timeout.tv_usec = 500000; /* some extreme round-trip */
do {
FD_ZERO(&readfds);
openssl_fdset(sock, &readfds);
} while (select(sock + 1, &readfds, NULL, NULL, &timeout) > 0
&& readsocket(sock, sink, sizeof(sink)) > 0);
&& readsocket(sock, sink, sizeof(sink)) > 0);
BIO_closesocket(sock);
} else {
@@ -466,11 +468,11 @@ int do_server(int *accept_sock, const char *host, const char *port,
break;
}
}
end:
# ifdef AF_UNIX
end:
#ifdef AF_UNIX
if (family == AF_UNIX)
unlink(host);
# endif
#endif
BIO_ADDR_free(ourpeer);
ourpeer = NULL;
return ret;
@@ -497,4 +499,4 @@ void do_ssl_shutdown(SSL *ssl)
} while (ret < 0);
}
#endif /* OPENSSL_NO_SOCK */
#endif /* OPENSSL_NO_SOCK */

47
apps/lib/tlssrp_depr.c
View File

@@ -29,16 +29,11 @@ static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
BN_CTX *bn_ctx = BN_CTX_new();
BIGNUM *p = BN_new();
BIGNUM *r = BN_new();
int ret =
g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
BN_check_prime(N, bn_ctx, NULL) == 1 &&
p != NULL && BN_rshift1(p, N) &&
int ret = g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && BN_check_prime(N, bn_ctx, NULL) == 1 && p != NULL && BN_rshift1(p, N) &&
/* p = (N-1)/2 */
BN_check_prime(p, bn_ctx, NULL) == 1 &&
r != NULL &&
BN_check_prime(p, bn_ctx, NULL) == 1 && r != NULL &&
/* verify g^((N-1)/2) == -1 (mod N) */
BN_mod_exp(r, g, p, N, bn_ctx) &&
BN_add_word(r, 1) && BN_cmp(r, N) == 0;
BN_mod_exp(r, g, p, N, bn_ctx) && BN_add_word(r, 1) && BN_cmp(r, N) == 0;
BN_free(r);
BN_free(p);
@@ -84,7 +79,7 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg)
if (srp_arg->amp == 1) {
if (srp_arg->debug)
BIO_printf(bio_err,
"SRP param N and g are not known params, going to check deeper.\n");
"SRP param N and g are not known params, going to check deeper.\n");
/*
* The srp_moregroups is a real debugging feature. Implementers
@@ -120,7 +115,7 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
}
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug)
int c_debug)
{
if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) {
BIO_printf(bio_err, "Unable to set SRP username\n");
@@ -144,7 +139,7 @@ static char *dummy_srp(SSL *ssl, void *arg)
void set_up_dummy_srp(SSL_CTX *ctx)
{
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
}
/*
@@ -157,7 +152,7 @@ void set_up_dummy_srp(SSL_CTX *ctx)
*/
static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
{
srpsrvparm *p = (srpsrvparm *) arg;
srpsrvparm *p = (srpsrvparm *)arg;
int ret = SSL3_AL_FATAL;
if (p->login == NULL && p->user == NULL) {
@@ -171,18 +166,18 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
goto err;
}
if (SSL_set_srp_server_param
(s, p->user->N, p->user->g, p->user->s, p->user->v,
p->user->info) < 0) {
if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
p->user->info)
< 0) {
*ad = SSL_AD_INTERNAL_ERROR;
goto err;
}
BIO_printf(bio_err,
"SRP parameters set: username = \"%s\" info=\"%s\"\n",
p->login, p->user->info);
"SRP parameters set: username = \"%s\" info=\"%s\"\n",
p->login, p->user->info);
ret = SSL_ERROR_NONE;
err:
err:
SRP_user_pwd_free(p->user);
p->user = NULL;
p->login = NULL;
@@ -190,7 +185,7 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
}
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
char *srpuserseed, char *srp_verifier_file)
char *srpuserseed, char *srp_verifier_file)
{
int ret;
@@ -202,12 +197,12 @@ int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
BIO_printf(bio_err, "Failed to initialize SRP verifier file\n");
return 0;
}
if ((ret =
SRP_VBASE_init(srp_callback_parm->vb,
srp_verifier_file)) != SRP_NO_ERROR) {
if ((ret = SRP_VBASE_init(srp_callback_parm->vb,
srp_verifier_file))
!= SRP_NO_ERROR) {
BIO_printf(bio_err,
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
srp_verifier_file, ret);
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
srp_verifier_file, ret);
return 0;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
@@ -221,11 +216,11 @@ void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out)
{
SRP_user_pwd_free(srp_callback_parm->user);
srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb,
srp_callback_parm->login);
srp_callback_parm->login);
if (srp_callback_parm->user != NULL)
BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm->user->info);
srp_callback_parm->user->info);
else
BIO_printf(bio_s_out, "LOOKUP not successful\n");
}

2
apps/lib/vms_decc_argv.c
View File

@@ -9,7 +9,7 @@
#include <stdlib.h>
#include <openssl/crypto.h>
#include "platform.h" /* for copy_argv() */
#include "platform.h" /* for copy_argv() */
char **newargv = NULL;

487
apps/lib/vms_term_sock.c
View File

@@ -9,107 +9,122 @@
*/
#ifdef __VMS
# define OPENSSL_SYS_VMS
# pragma message disable DOLLARID
#define OPENSSL_SYS_VMS
#pragma message disable DOLLARID
#include <openssl/opensslconf.h>
# include <openssl/opensslconf.h>
# if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
/*
* On VMS, you need to define this to get the declaration of fileno(). The
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
*/
# define _POSIX_C_SOURCE 2
# endif
#define _POSIX_C_SOURCE 2
#endif
# include <stdio.h>
#include <stdio.h>
# undef _POSIX_C_SOURCE
#undef _POSIX_C_SOURCE
# include <sys/types.h>
# include <sys/socket.h>
# include <netinet/in.h>
# include <inet.h>
# include <unistd.h>
# include <string.h>
# include <errno.h>
# include <starlet.h>
# include <iodef.h>
# ifdef __alpha
# include <iosbdef.h>
# else
typedef struct _iosb { /* Copied from IOSBDEF.H for Alpha */
# pragma __nomember_alignment
__union {
__struct {
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <inet.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <starlet.h>
#include <iodef.h>
#ifdef __alpha
#include <iosbdef.h>
#else
typedef struct _iosb { /* Copied from IOSBDEF.H for Alpha */
#pragma __nomember_alignment
__union
{
__struct
{
unsigned short int iosb$w_status; /* Final I/O status */
__union {
__struct { /* 16-bit byte count variant */
__union
{
__struct
{ /* 16-bit byte count variant */
unsigned short int iosb$w_bcnt; /* 16-bit byte count */
__union {
__union
{
unsigned int iosb$l_dev_depend; /* 32-bit device dependent info */
unsigned int iosb$l_pid; /* 32-bit pid */
} iosb$r_l;
} iosb$r_bcnt_16;
__struct { /* 32-bit byte count variant */
}
iosb$r_l;
}
iosb$r_bcnt_16;
__struct
{ /* 32-bit byte count variant */
unsigned int iosb$l_bcnt; /* 32-bit byte count (unaligned) */
unsigned short int iosb$w_dev_depend_high; /* 16-bit device dependent info */
} iosb$r_bcnt_32;
} iosb$r_devdepend;
} iosb$r_io_64;
__struct {
__union {
}
iosb$r_bcnt_32;
}
iosb$r_devdepend;
}
iosb$r_io_64;
__struct
{
__union
{
unsigned int iosb$l_getxxi_status; /* Final GETxxI status */
unsigned int iosb$l_reg_status; /* Final $Registry status */
} iosb$r_l_status;
}
iosb$r_l_status;
unsigned int iosb$l_reserved; /* Reserved field */
} iosb$r_get_64;
} iosb$r_io_get;
}
iosb$r_get_64;
}
iosb$r_io_get;
} IOSB;
# if !defined(__VAXC)
# define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status
# define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt
# define iosb$r_l iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l
# define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend
# define iosb$l_pid iosb$r_l.iosb$l_pid
# define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt
# define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high
# define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status
# define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status
# endif /* #if !defined(__VAXC) */
#if !defined(__VAXC)
#define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status
#define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt
#define iosb$r_l iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l
#define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend
#define iosb$l_pid iosb$r_l.iosb$l_pid
#define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt
#define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high
#define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status
#define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status
#endif /* #if !defined(__VAXC) */
# endif /* End of IOSBDEF */
#endif /* End of IOSBDEF */
# include <efndef.h>
# include <stdlib.h>
# include <ssdef.h>
# include <time.h>
# include <stdarg.h>
# include <descrip.h>
#include <efndef.h>
#include <stdlib.h>
#include <ssdef.h>
#include <time.h>
#include <stdarg.h>
#include <descrip.h>
# include "vms_term_sock.h"
#include "vms_term_sock.h"
# ifdef __alpha
#ifdef __alpha
static struct _iosb TerminalDeviceIosb;
# else
#else
IOSB TerminalDeviceIosb;
# endif
#endif
static char TerminalDeviceBuff[255 + 2];
static int TerminalSocketPair[2] = {0, 0};
static int TerminalSocketPair[2] = { 0, 0 };
static unsigned short TerminalDeviceChan = 0;
static int CreateSocketPair (int, int, int, int *);
static void SocketPairTimeoutAst (int);
static int TerminalDeviceAst (int);
static void LogMessage (char *, ...);
static int CreateSocketPair(int, int, int, int *);
static void SocketPairTimeoutAst(int);
static int TerminalDeviceAst(int);
static void LogMessage(char *, ...);
/*
** Socket Pair Timeout Value (must be 0-59 seconds)
*/
# define SOCKET_PAIR_TIMEOUT_VALUE 20
#define SOCKET_PAIR_TIMEOUT_VALUE 20
/*
** Socket Pair Timeout Block which is passed to timeout AST
@@ -119,55 +134,54 @@ typedef struct _SocketPairTimeoutBlock {
unsigned short SockChan2;
} SPTB;
# ifdef TERM_SOCK_TEST
#ifdef TERM_SOCK_TEST
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
int main (int argc, char *argv[], char *envp[])
int main(int argc, char *argv[], char *envp[])
{
char TermBuff[80];
int TermSock,
status,
len;
LogMessage ("Enter 'q' or 'Q' to quit ...");
while (OPENSSL_strcasecmp (TermBuff, "Q")) {
LogMessage("Enter 'q' or 'Q' to quit ...");
while (OPENSSL_strcasecmp(TermBuff, "Q")) {
/*
** Create the terminal socket
*/
status = TerminalSocket (TERM_SOCK_CREATE, &TermSock);
status = TerminalSocket(TERM_SOCK_CREATE, &TermSock);
if (status != TERM_SOCK_SUCCESS)
exit (1);
exit(1);
/*
** Process the terminal input
*/
LogMessage ("Waiting on terminal I/O ...\n");
len = recv (TermSock, TermBuff, sizeof(TermBuff), 0) ;
LogMessage("Waiting on terminal I/O ...\n");
len = recv(TermSock, TermBuff, sizeof(TermBuff), 0);
TermBuff[len] = '\0';
LogMessage ("Received terminal I/O [%s]", TermBuff);
LogMessage("Received terminal I/O [%s]", TermBuff);
/*
** Delete the terminal socket
*/
status = TerminalSocket (TERM_SOCK_DELETE, &TermSock);
status = TerminalSocket(TERM_SOCK_DELETE, &TermSock);
if (status != TERM_SOCK_SUCCESS)
exit (1);
exit(1);
}
return 1;
}
# endif
#endif
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
int TerminalSocket (int FunctionCode, int *ReturnSocket)
int TerminalSocket(int FunctionCode, int *ReturnSocket)
{
int status;
$DESCRIPTOR (TerminalDeviceDesc, "SYS$COMMAND");
$DESCRIPTOR(TerminalDeviceDesc, "SYS$COMMAND");
/*
** Process the requested function code
@@ -177,45 +191,45 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Create a socket pair
*/
status = CreateSocketPair (AF_INET, SOCK_STREAM, 0, TerminalSocketPair);
status = CreateSocketPair(AF_INET, SOCK_STREAM, 0, TerminalSocketPair);
if (status == -1) {
LogMessage ("TerminalSocket: CreateSocketPair () - %08X", status);
LogMessage("TerminalSocket: CreateSocketPair () - %08X", status);
if (TerminalSocketPair[0])
close (TerminalSocketPair[0]);
close(TerminalSocketPair[0]);
if (TerminalSocketPair[1])
close (TerminalSocketPair[1]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Assign a channel to the terminal device
*/
status = sys$assign (&TerminalDeviceDesc,
&TerminalDeviceChan,
0, 0, 0);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$ASSIGN () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$assign(&TerminalDeviceDesc,
&TerminalDeviceChan,
0, 0, 0);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$ASSIGN () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Queue an async IO to the terminal device
*/
status = sys$qio (EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$QIO () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$qio(EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$QIO () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
@@ -229,30 +243,30 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Cancel any pending IO on the terminal channel
*/
status = sys$cancel (TerminalDeviceChan);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$CANCEL () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$cancel(TerminalDeviceChan);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$CANCEL () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Deassign the terminal channel
*/
status = sys$dassgn (TerminalDeviceChan);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$DASSGN () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$dassgn(TerminalDeviceChan);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$DASSGN () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Close the terminal socket pair
*/
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
/*
** Return the initialized socket
@@ -264,7 +278,7 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Invalid function code
*/
LogMessage ("TerminalSocket: Invalid Function Code - %d", FunctionCode);
LogMessage("TerminalSocket: Invalid Function Code - %d", FunctionCode);
return TERM_SOCK_FAILURE;
break;
}
@@ -273,21 +287,20 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
** Return success
*/
return TERM_SOCK_SUCCESS;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static int CreateSocketPair (int SocketFamily,
int SocketType,
int SocketProtocol,
int *SocketPair)
static int CreateSocketPair(int SocketFamily,
int SocketType,
int SocketProtocol,
int *SocketPair)
{
struct dsc$descriptor AscTimeDesc = {0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL};
static const char* LocalHostAddr = {"127.0.0.1"};
struct dsc$descriptor AscTimeDesc = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL };
static const char *LocalHostAddr = { "127.0.0.1" };
unsigned short TcpAcceptChan = 0,
TcpDeviceChan = 0;
TcpDeviceChan = 0;
unsigned long BinTimeBuff[2];
struct sockaddr_in sin;
char AscTimeBuff[32];
@@ -295,23 +308,23 @@ static int CreateSocketPair (int SocketFamily,
int status;
unsigned int slen;
# ifdef __alpha
#ifdef __alpha
struct _iosb iosb;
# else
#else
IOSB iosb;
# endif
#endif
int SockDesc1 = 0,
SockDesc2 = 0;
SPTB sptb;
$DESCRIPTOR (TcpDeviceDesc, "TCPIP$DEVICE");
$DESCRIPTOR(TcpDeviceDesc, "TCPIP$DEVICE");
/*
** Create a socket
*/
SockDesc1 = socket (SocketFamily, SocketType, 0);
SockDesc1 = socket(SocketFamily, SocketType, 0);
if (SockDesc1 < 0) {
LogMessage ("CreateSocketPair: socket () - %d", errno);
LogMessage("CreateSocketPair: socket () - %d", errno);
return -1;
}
@@ -319,28 +332,28 @@ static int CreateSocketPair (int SocketFamily,
** Initialize the socket information
*/
slen = sizeof(sin);
memset ((char *) &sin, 0, slen);
memset((char *)&sin, 0, slen);
sin.sin_family = SocketFamily;
sin.sin_addr.s_addr = inet_addr (LocalHostAddr);
sin.sin_addr.s_addr = inet_addr(LocalHostAddr);
sin.sin_port = 0;
/*
** Bind the socket to the local IP
*/
status = bind (SockDesc1, (struct sockaddr *) &sin, slen);
status = bind(SockDesc1, (struct sockaddr *)&sin, slen);
if (status < 0) {
LogMessage ("CreateSocketPair: bind () - %d", errno);
close (SockDesc1);
LogMessage("CreateSocketPair: bind () - %d", errno);
close(SockDesc1);
return -1;
}
/*
** Get the socket name so we can save the port number
*/
status = getsockname (SockDesc1, (struct sockaddr *) &sin, &slen);
status = getsockname(SockDesc1, (struct sockaddr *)&sin, &slen);
if (status < 0) {
LogMessage ("CreateSocketPair: getsockname () - %d", errno);
close (SockDesc1);
LogMessage("CreateSocketPair: getsockname () - %d", errno);
close(SockDesc1);
return -1;
} else
LocalHostPort = sin.sin_port;
@@ -348,18 +361,18 @@ static int CreateSocketPair (int SocketFamily,
/*
** Setup a listen for the socket
*/
listen (SockDesc1, 5);
listen(SockDesc1, 5);
/*
** Get the binary (64-bit) time of the specified timeout value
*/
BIO_snprintf(AscTimeBuff, sizeof(AscTimeBuff), "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
AscTimeDesc.dsc$w_length = strlen (AscTimeBuff);
AscTimeDesc.dsc$w_length = strlen(AscTimeBuff);
AscTimeDesc.dsc$a_pointer = AscTimeBuff;
status = sys$bintim (&AscTimeDesc, BinTimeBuff);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$BINTIM () - %08X", status);
close (SockDesc1);
status = sys$bintim(&AscTimeDesc, BinTimeBuff);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$BINTIM () - %08X", status);
close(SockDesc1);
return -1;
}
@@ -367,87 +380,87 @@ static int CreateSocketPair (int SocketFamily,
** Assign another channel to the TCP/IP device for the accept.
** This is the channel that ends up being connected to.
*/
status = sys$assign (&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$ASSIGN () - %08X", status);
close (SockDesc1);
status = sys$assign(&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$ASSIGN () - %08X", status);
close(SockDesc1);
return -1;
}
/*
** Get the channel of the first socket for the accept
*/
TcpAcceptChan = decc$get_sdc (SockDesc1);
TcpAcceptChan = decc$get_sdc(SockDesc1);
/*
** Perform the accept using $QIO so we can do this asynchronously
*/
status = sys$qio (EFN$C_ENF,
TcpAcceptChan,
IO$_ACCESS | IO$M_ACCEPT,
&iosb,
0, 0, 0, 0, 0,
&TcpDeviceChan,
0, 0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$QIO () - %08X", status);
close (SockDesc1);
sys$dassgn (TcpDeviceChan);
status = sys$qio(EFN$C_ENF,
TcpAcceptChan,
IO$_ACCESS | IO$M_ACCEPT,
&iosb,
0, 0, 0, 0, 0,
&TcpDeviceChan,
0, 0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$QIO () - %08X", status);
close(SockDesc1);
sys$dassgn(TcpDeviceChan);
return -1;
}
/*
** Create the second socket to do the connect
*/
SockDesc2 = socket (SocketFamily, SocketType, 0);
SockDesc2 = socket(SocketFamily, SocketType, 0);
if (SockDesc2 < 0) {
LogMessage ("CreateSocketPair: socket () - %d", errno);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
sys$dassgn (TcpDeviceChan);
return (-1) ;
LogMessage("CreateSocketPair: socket () - %d", errno);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
sys$dassgn(TcpDeviceChan);
return (-1);
}
/*
** Setup the Socket Pair Timeout Block
*/
sptb.SockChan1 = TcpAcceptChan;
sptb.SockChan2 = decc$get_sdc (SockDesc2);
sptb.SockChan2 = decc$get_sdc(SockDesc2);
/*
** Before we block on the connect, set a timer that can cancel I/O on our
** two sockets if it never connects.
*/
status = sys$setimr (EFN$C_ENF,
BinTimeBuff,
SocketPairTimeoutAst,
&sptb,
0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$SETIMR () - %08X", status);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
status = sys$setimr(EFN$C_ENF,
BinTimeBuff,
SocketPairTimeoutAst,
&sptb,
0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$SETIMR () - %08X", status);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
/*
** Now issue the connect
*/
memset ((char *) &sin, 0, sizeof(sin)) ;
memset((char *)&sin, 0, sizeof(sin));
sin.sin_family = SocketFamily;
sin.sin_addr.s_addr = inet_addr (LocalHostAddr) ;
sin.sin_port = LocalHostPort ;
sin.sin_addr.s_addr = inet_addr(LocalHostAddr);
sin.sin_port = LocalHostPort;
status = connect (SockDesc2, (struct sockaddr *) &sin, sizeof(sin));
status = connect(SockDesc2, (struct sockaddr *)&sin, sizeof(sin));
if (status < 0) {
LogMessage ("CreateSocketPair: connect () - %d", errno);
sys$cantim (&sptb, 0);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
LogMessage("CreateSocketPair: connect () - %d", errno);
sys$cantim(&sptb, 0);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
@@ -456,18 +469,18 @@ static int CreateSocketPair (int SocketFamily,
** (SS$_ABORT), then we probably canceled it from the AST routine - so log
** a timeout.
*/
status = sys$synch (EFN$C_ENF, &iosb);
if (! (iosb.iosb$w_status & 1)) {
status = sys$synch(EFN$C_ENF, &iosb);
if (!(iosb.iosb$w_status & 1)) {
if (iosb.iosb$w_status == SS$_ABORT)
LogMessage ("CreateSocketPair: SYS$QIO(iosb) timeout");
LogMessage("CreateSocketPair: SYS$QIO(iosb) timeout");
else {
LogMessage ("CreateSocketPair: SYS$QIO(iosb) - %d",
iosb.iosb$w_status);
sys$cantim (&sptb, 0);
LogMessage("CreateSocketPair: SYS$QIO(iosb) - %d",
iosb.iosb$w_status);
sys$cantim(&sptb, 0);
}
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
@@ -476,34 +489,32 @@ static int CreateSocketPair (int SocketFamily,
** I/O channel to a socket fd, close the listener socket and return the
** connected pair.
*/
sys$cantim (&sptb, 0);
sys$cantim(&sptb, 0);
close (SockDesc1) ;
SocketPair[0] = SockDesc2 ;
SocketPair[1] = socket_fd (TcpDeviceChan);
return (0) ;
close(SockDesc1);
SocketPair[0] = SockDesc2;
SocketPair[1] = socket_fd(TcpDeviceChan);
return (0);
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static void SocketPairTimeoutAst (int astparm)
static void SocketPairTimeoutAst(int astparm)
{
SPTB *sptb = (SPTB *) astparm;
SPTB *sptb = (SPTB *)astparm;
sys$cancel (sptb->SockChan2); /* Cancel the connect() */
sys$cancel (sptb->SockChan1); /* Cancel the accept() */
sys$cancel(sptb->SockChan2); /* Cancel the connect() */
sys$cancel(sptb->SockChan1); /* Cancel the accept() */
return;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static int TerminalDeviceAst (int astparm)
static int TerminalDeviceAst(int astparm)
{
int status;
@@ -511,41 +522,40 @@ static int TerminalDeviceAst (int astparm)
** Terminate the terminal buffer
*/
TerminalDeviceBuff[TerminalDeviceIosb.iosb$w_bcnt] = '\0';
strcat (TerminalDeviceBuff, "\n");
strcat(TerminalDeviceBuff, "\n");
/*
** Send the data read from the terminal device through the socket pair
*/
send (TerminalSocketPair[0], TerminalDeviceBuff,
TerminalDeviceIosb.iosb$w_bcnt + 1, 0);
send(TerminalSocketPair[0], TerminalDeviceBuff,
TerminalDeviceIosb.iosb$w_bcnt + 1, 0);
/*
** Queue another async IO to the terminal device
*/
status = sys$qio (EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
status = sys$qio(EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
/*
** Return status
*/
return status;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static void LogMessage (char *msg, ...)
static void LogMessage(char *msg, ...)
{
char *Month[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
char *Month[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
static unsigned int pid = 0;
va_list args;
time_t CurTime;
@@ -556,36 +566,35 @@ static void LogMessage (char *msg, ...)
** Get the process pid
*/
if (pid == 0)
pid = getpid ();
pid = getpid();
/*
** Convert the current time into local time
*/
CurTime = time (NULL);
LocTime = localtime (&CurTime);
CurTime = time(NULL);
LocTime = localtime(&CurTime);
/*
** Format the message buffer
*/
BIO_snprintf(MsgBuff, sizeof(MsgBuff), "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
LocTime->tm_mday, Month[LocTime->tm_mon],
(LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
LocTime->tm_sec, pid, msg);
LocTime->tm_mday, Month[LocTime->tm_mon],
(LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
LocTime->tm_sec, pid, msg);
/*
** Get any variable arguments and add them to the print of the message
** buffer
*/
va_start (args, msg);
vfprintf (stderr, MsgBuff, args);
va_end (args);
va_start(args, msg);
vfprintf(stderr, MsgBuff, args);
va_end(args);
/*
** Flush standard error output
*/
fsync (fileno (stderr));
fsync(fileno(stderr));
return;
}
#endif

28
apps/lib/win32_init.c
View File

@@ -81,18 +81,18 @@ static int process_glob(WCHAR *wstr, int wlen)
break;
if (i == wlen)
return 0; /* definitely not a glob */
return 0; /* definitely not a glob */
saved_char = wstr[wlen];
wstr[wlen] = L'\0';
h = FindFirstFileW(wstr, &data);
wstr[wlen] = saved_char;
if (h == INVALID_HANDLE_VALUE)
return 0; /* not a valid glob, just pass... */
return 0; /* not a valid glob, just pass... */
if (slash)
udlen = WideCharToMultiByte(CP_UTF8, 0, wstr, slash,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
else
udlen = 0;
@@ -104,8 +104,7 @@ static int process_glob(WCHAR *wstr, int wlen)
* skip over . and ..
*/
if (data.cFileName[0] == L'.') {
if ((data.cFileName[1] == L'\0') ||
(data.cFileName[1] == L'.' && data.cFileName[2] == L'\0'))
if ((data.cFileName[1] == L'\0') || (data.cFileName[1] == L'.' && data.cFileName[2] == L'\0'))
continue;
}
@@ -117,7 +116,7 @@ static int process_glob(WCHAR *wstr, int wlen)
* so that |uflen| covers even trailing '\0'.
*/
uflen = WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
arg = malloc(udlen + uflen);
if (arg == NULL)
@@ -125,10 +124,10 @@ static int process_glob(WCHAR *wstr, int wlen)
if (udlen)
WideCharToMultiByte(CP_UTF8, 0, wstr, slash,
arg, udlen, NULL, NULL);
arg, udlen, NULL, NULL);
WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1,
arg + udlen, uflen, NULL, NULL);
arg + udlen, uflen, NULL, NULL);
newargv[newargc++] = arg;
} while (FindNextFileW(h, &data));
@@ -154,7 +153,8 @@ void win32_utf8argv(int *argc, char **argv[])
return;
wcmdline = GetCommandLineW();
if (wcmdline == NULL) return;
if (wcmdline == NULL)
return;
/*
* make a copy of the command line, since we might have to modify it...
@@ -178,7 +178,7 @@ void win32_utf8argv(int *argc, char **argv[])
*/
warg = wend = p;
while (*p != L'\0'
&& (in_quote || (*p != L' ' && *p != L'\t'))) {
&& (in_quote || (*p != L' ' && *p != L'\t'))) {
switch (*p) {
case L'\\':
/*
@@ -259,7 +259,7 @@ void win32_utf8argv(int *argc, char **argv[])
ulen = 0;
if (wlen > 0) {
ulen = WideCharToMultiByte(CP_UTF8, 0, warg, wlen,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
if (ulen <= 0)
continue;
}
@@ -272,7 +272,7 @@ void win32_utf8argv(int *argc, char **argv[])
if (wlen > 0)
WideCharToMultiByte(CP_UTF8, 0, warg, wlen,
arg, ulen, NULL, NULL);
arg, ulen, NULL, NULL);
arg[ulen] = '\0';
newargv[newargc++] = arg;
@@ -303,5 +303,7 @@ void win32_utf8argv(int *argc, char **argv[])
}
#else
void win32_utf8argv(int *argc, char **argv[])
{ return; }
{
return;
}
#endif

506
apps/list.c
View File

File diff suppressed because it is too large Load Diff

40
apps/mac.c
View File

@@ -18,42 +18,46 @@
#include <openssl/core_names.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
#define BUFSIZE 1024 * 8
typedef enum OPTION_choice {
OPT_COMMON,
OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT,
OPT_CIPHER, OPT_DIGEST,
OPT_MACOPT,
OPT_BIN,
OPT_IN,
OPT_OUT,
OPT_CIPHER,
OPT_DIGEST,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS mac_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form"},
{"cipher", OPT_CIPHER, 's', "Cipher"},
{"digest", OPT_DIGEST, 's', "Digest"},
{OPT_MORE_STR, 1, '-', "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form" },
{ "cipher", OPT_CIPHER, 's', "Cipher" },
{ "digest", OPT_DIGEST, 's', "Digest" },
{ OPT_MORE_STR, 1, '-', "See 'PARAMETER NAMES' in the EVP_MAC_ docs" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file to MAC (default is stdin)"},
{ "in", OPT_IN, '<', "Input file to MAC (default is stdin)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"mac_name", 0, 0, "MAC algorithm"},
{NULL}
{ "mac_name", 0, 0, "MAC algorithm" },
{ NULL }
};
static char *alloc_mac_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
const char *name, const char *arg)
const char *name, const char *arg)
{
size_t len = strlen(name) + strlen(arg) + 2;
char *res;
@@ -95,7 +99,7 @@ int mac_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto err;
case OPT_HELP:
@@ -155,7 +159,7 @@ opthelp:
int ok = 1;
params = app_params_new_from_opts(opts,
EVP_MAC_settable_ctx_params(mac));
EVP_MAC_settable_ctx_params(mac));
if (params == NULL)
goto err;

22
apps/nseq.c
View File

@@ -16,23 +16,25 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_TOSEQ, OPT_IN, OPT_OUT,
OPT_TOSEQ,
OPT_IN,
OPT_OUT,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS nseq_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{ "in", OPT_IN, '<', "Input file" },
OPT_SECTION("Output"),
{"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
{"out", OPT_OUT, '>', "Output file"},
{ "toseq", OPT_TOSEQ, '-', "Output NS Sequence file" },
{ "out", OPT_OUT, '>', "Output file" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int nseq_main(int argc, char **argv)
@@ -49,7 +51,7 @@ int nseq_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -97,7 +99,7 @@ int nseq_main(int argc, char **argv)
if (!sk_X509_num(seq->certs)) {
BIO_printf(bio_err, "%s: Error reading certs file %s\n",
prog, infile);
prog, infile);
ERR_print_errors(bio_err);
goto end;
}
@@ -109,7 +111,7 @@ int nseq_main(int argc, char **argv)
seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL);
if (seq == NULL) {
BIO_printf(bio_err, "%s: Error reading sequence file %s\n",
prog, infile);
prog, infile);
ERR_print_errors(bio_err);
goto end;
}
@@ -120,7 +122,7 @@ int nseq_main(int argc, char **argv)
PEM_write_bio_X509(out, x509);
}
ret = 0;
end:
end:
BIO_free(in);
BIO_free_all(out);
NETSCAPE_CERT_SEQUENCE_free(seq);

454
apps/ocsp.c
View File

@@ -10,8 +10,8 @@
#include <openssl/opensslconf.h>
#ifdef OPENSSL_SYS_VMS
/* So fd_set and friends get properly defined on OpenVMS */
# define _XOPEN_SOURCE_EXTENDED
/* So fd_set and friends get properly defined on OpenVMS */
#define _XOPEN_SOURCE_EXTENDED
#endif
#include <stdio.h>
@@ -44,33 +44,33 @@ int setpgid(pid_t pid, pid_t pgid)
pid_t fork(void)
{
errno = ENOSYS;
return (pid_t) -1;
return (pid_t)-1;
}
#endif
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md);
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout);
int timeout);
static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp);
static char *prog;
@@ -80,131 +80,175 @@ static int index_changed(CA_DB *);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
OPT_OUTFILE,
OPT_TIMEOUT,
OPT_URL,
OPT_HOST,
OPT_PORT,
#ifndef OPENSSL_NO_SOCK
OPT_PROXY, OPT_NO_PROXY,
OPT_PROXY,
OPT_NO_PROXY,
#endif
OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE,
OPT_NOCAPATH, OPT_NOCASTORE,
OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER,
OPT_IGNORE_ERR,
OPT_NOVERIFY,
OPT_NONCE,
OPT_NO_NONCE,
OPT_RESP_NO_CERTS,
OPT_RESP_KEY_ID,
OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY,
OPT_NO_CERT_VERIFY,
OPT_NO_CHAIN,
OPT_NO_CERT_CHECKS,
OPT_NO_EXPLICIT,
OPT_TRUST_OTHER,
OPT_NO_INTERN,
OPT_BADSIG,
OPT_TEXT,
OPT_REQ_TEXT,
OPT_RESP_TEXT,
OPT_REQIN,
OPT_RESPIN,
OPT_SIGNER,
OPT_VAFILE,
OPT_SIGN_OTHER,
OPT_VERIFY_OTHER,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAFILE,
OPT_NOCAPATH,
OPT_NOCASTORE,
OPT_VALIDITY_PERIOD,
OPT_STATUS_AGE,
OPT_SIGNKEY,
OPT_REQOUT,
OPT_RESPOUT,
OPT_PATH,
OPT_ISSUER,
OPT_CERT,
OPT_SERIAL,
OPT_INDEX,
OPT_CA,
OPT_NMIN,
OPT_REQUEST,
OPT_NDAYS,
OPT_RSIGNER,
OPT_RKEY,
OPT_ROTHER,
OPT_RMD,
OPT_RSIGOPT,
OPT_HEADER,
OPT_PASSIN,
OPT_RCID,
OPT_V_ENUM,
OPT_MD,
OPT_MULTI, OPT_PROV_ENUM
OPT_MULTI,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ocsp_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CApath", OPT_CAPATH, '<', "Trusted certificates directory" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_SECTION("Responder"),
{"timeout", OPT_TIMEOUT, 'p',
"Connection timeout (in seconds) to the OCSP responder"},
{"resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response"},
{ "timeout", OPT_TIMEOUT, 'p',
"Connection timeout (in seconds) to the OCSP responder" },
{ "resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response" },
#ifdef HTTP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
{ "multi", OPT_MULTI, 'p', "run multiple responder processes" },
#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"badsig", OPT_BADSIG, '-',
"Corrupt last byte of loaded OCSP response signature (for test)"},
{"CA", OPT_CA, '<', "CA certificates"},
{"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
{"nrequest", OPT_REQUEST, 'p',
"Number of requests to accept (default unlimited)"},
{"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
{"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
{"sign_other", OPT_SIGN_OTHER, '<',
"Additional certificates to include in signed request"},
{"index", OPT_INDEX, '<', "Certificate status index file"},
{"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
{"rsigner", OPT_RSIGNER, '<',
"Responder certificate to sign responses with"},
{"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
{"passin", OPT_PASSIN, 's', "Responder key pass phrase source"},
{"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
{"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
{"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
{"header", OPT_HEADER, 's', "key=value header to add"},
{"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"},
{"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
{ "no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request" },
{ "badsig", OPT_BADSIG, '-',
"Corrupt last byte of loaded OCSP response signature (for test)" },
{ "CA", OPT_CA, '<', "CA certificates" },
{ "nmin", OPT_NMIN, 'p', "Number of minutes before next update" },
{ "nrequest", OPT_REQUEST, 'p',
"Number of requests to accept (default unlimited)" },
{ "reqin", OPT_REQIN, 's', "File with the DER-encoded request" },
{ "signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with" },
{ "sign_other", OPT_SIGN_OTHER, '<',
"Additional certificates to include in signed request" },
{ "index", OPT_INDEX, '<', "Certificate status index file" },
{ "ndays", OPT_NDAYS, 'p', "Number of days before next update" },
{ "rsigner", OPT_RSIGNER, '<',
"Responder certificate to sign responses with" },
{ "rkey", OPT_RKEY, '<', "Responder key to sign responses with" },
{ "passin", OPT_PASSIN, 's', "Responder key pass phrase source" },
{ "rother", OPT_ROTHER, '<', "Other certificates to include in response" },
{ "rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response" },
{ "rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form" },
{ "header", OPT_HEADER, 's', "key=value header to add" },
{ "rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response" },
{ "", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )" },
OPT_SECTION("Client"),
{"url", OPT_URL, 's', "Responder URL"},
{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
{"port", OPT_PORT, 'N', "Port to run responder on"},
{"path", OPT_PATH, 's', "Path to use in OCSP request"},
{ "url", OPT_URL, 's', "Responder URL" },
{ "host", OPT_HOST, 's', "TCP/IP hostname:port to connect to" },
{ "port", OPT_PORT, 'N', "Port to run responder on" },
{ "path", OPT_PATH, 's', "Path to use in OCSP request" },
#ifndef OPENSSL_NO_SOCK
{"proxy", OPT_PROXY, 's',
"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{ "proxy", OPT_PROXY, 's',
"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored" },
{ "no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for" },
{ OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none" },
#endif
{"out", OPT_OUTFILE, '>', "Output filename"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
{"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate"},
{"text", OPT_TEXT, '-', "Print text form of request and response"},
{"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
{"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate"},
{"no_explicit", OPT_NO_EXPLICIT, '-',
"Do not explicitly check the chain, just verify the root"},
{"trust_other", OPT_TRUST_OTHER, '-',
"Don't verify additional certificates"},
{"no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer"},
{"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
{"verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer"},
{"cert", OPT_CERT, '<',
"Certificate to check; may be given multiple times"},
{"serial", OPT_SERIAL, 's',
"Serial number to check; may be given multiple times"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds"},
{"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
{"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
{"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
{"issuer", OPT_ISSUER, '<', "Issuer certificate"},
{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
{ "out", OPT_OUTFILE, '>', "Output filename" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify response at all" },
{ "nonce", OPT_NONCE, '-', "Add OCSP nonce to request" },
{ "no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request" },
{ "no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response" },
{ "resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID" },
{ "no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate" },
{ "text", OPT_TEXT, '-', "Print text form of request and response" },
{ "req_text", OPT_REQ_TEXT, '-', "Print text form of request" },
{ "resp_text", OPT_RESP_TEXT, '-', "Print text form of response" },
{ "no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response" },
{ "no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate" },
{ "no_explicit", OPT_NO_EXPLICIT, '-',
"Do not explicitly check the chain, just verify the root" },
{ "trust_other", OPT_TRUST_OTHER, '-',
"Don't verify additional certificates" },
{ "no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer" },
{ "respin", OPT_RESPIN, 's', "File with the DER-encoded response" },
{ "VAfile", OPT_VAFILE, '<', "Validator certificates file" },
{ "verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer" },
{ "cert", OPT_CERT, '<',
"Certificate to check; may be given multiple times" },
{ "serial", OPT_SERIAL, 's',
"Serial number to check; may be given multiple times" },
{ "validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds" },
{ "signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with" },
{ "reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request" },
{ "respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response" },
{ "issuer", OPT_ISSUER, '<', "Issuer certificate" },
{ "status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds" },
OPT_V_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int ocsp_main(int argc, char **argv)
@@ -253,8 +297,8 @@ int ocsp_main(int argc, char **argv)
OPTION_CHOICE o;
if ((reqnames = sk_OPENSSL_STRING_new_null()) == NULL
|| (ids = sk_OCSP_CERTID_new_null()) == NULL
|| (vpm = X509_VERIFY_PARAM_new()) == NULL)
|| (ids = sk_OCSP_CERTID_new_null()) == NULL
|| (vpm = X509_VERIFY_PARAM_new()) == NULL)
goto end;
opt_set_unknown_name("digest");
@@ -263,7 +307,7 @@ int ocsp_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -284,8 +328,8 @@ int ocsp_main(int argc, char **argv)
OPENSSL_free(tpath);
thost = tport = tpath = NULL;
if (!OSSL_HTTP_parse_url(opt_arg(), &use_ssl, NULL /* userinfo */,
&host, &port, NULL /* port_num */,
&path, NULL /* qry */, NULL /* frag */)) {
&host, &port, NULL /* port_num */,
&path, NULL /* qry */, NULL /* frag */)) {
BIO_printf(bio_err, "%s Error parsing -url argument\n", prog);
goto end;
}
@@ -485,7 +529,7 @@ int ocsp_main(int argc, char **argv)
case OPT_ROTHER:
rcertfile = opt_arg();
break;
case OPT_RMD: /* Response MessageDigest */
case OPT_RMD: /* Response MessageDigest */
respdigname = opt_arg();
break;
case OPT_RSIGOPT:
@@ -513,8 +557,8 @@ int ocsp_main(int argc, char **argv)
case OPT_MD:
if (trailing_md) {
BIO_printf(bio_err,
"%s: Digest must be before -cert or -serial\n",
prog);
"%s: Digest must be before -cert or -serial\n",
prog);
goto opthelp;
}
if (!opt_md(opt_unknown(), &cert_id_md))
@@ -539,7 +583,7 @@ int ocsp_main(int argc, char **argv)
if (trailing_md) {
BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
prog);
prog);
goto opthelp;
}
@@ -595,7 +639,7 @@ int ocsp_main(int argc, char **argv)
goto end;
if (rcertfile != NULL) {
if (!load_certs(rcertfile, 0, &rother, NULL,
"responder other certificates"))
"responder other certificates"))
goto end;
}
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
@@ -603,7 +647,7 @@ int ocsp_main(int argc, char **argv)
goto end;
}
rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL,
"responder private key");
"responder private key");
if (rkey == NULL)
goto end;
}
@@ -611,7 +655,7 @@ int ocsp_main(int argc, char **argv)
if (ridx_filename != NULL
&& (rkey == NULL || rsigner == NULL || rca_certs == NULL)) {
BIO_printf(bio_err,
"Responder mode requires certificate, key, and CA.\n");
"Responder mode requires certificate, key, and CA.\n");
goto end;
}
@@ -635,7 +679,7 @@ int ocsp_main(int argc, char **argv)
if (acbio != NULL)
trace_log_message(-1, prog,
LOG_INFO, "waiting for OCSP client connections...");
LOG_INFO, "waiting for OCSP client connections...");
redo_accept:
@@ -650,8 +694,8 @@ redo_accept:
} else {
free_index(newrdb);
trace_log_message(-1, prog,
LOG_ERR, "error reloading updated index: %s",
ridx_filename);
LOG_ERR, "error reloading updated index: %s",
ridx_filename);
}
}
#endif
@@ -663,9 +707,8 @@ redo_accept:
if (req == NULL) {
if (res == 1) {
resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
if (resp != NULL)
send_ocsp_response(cbio, resp);
}
@@ -695,16 +738,16 @@ redo_accept:
}
if (sign_certfile != NULL) {
if (!load_certs(sign_certfile, 0, &sign_other, NULL,
"signer certificates"))
"signer certificates"))
goto end;
}
key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL,
"signer private key");
"signer private key");
if (key == NULL)
goto end;
if (!OCSP_request_sign(req, signer, key, NULL,
sign_other, sign_flags)) {
sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
@@ -723,8 +766,8 @@ redo_accept:
if (rdb != NULL) {
make_ocsp_response(bio_err, &resp, req, rdb, rca_certs, rsigner, rkey,
rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
badsig, resp_certid_md);
rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
badsig, resp_certid_md);
if (resp == NULL)
goto end;
if (cbio != NULL)
@@ -732,12 +775,12 @@ redo_accept:
} else if (host != NULL) {
#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
use_ssl, headers, req_timeout);
use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported\n");
"Error creating connect BIO - sockets not supported\n");
goto end;
#endif
} else if (respin != NULL) {
@@ -755,7 +798,7 @@ redo_accept:
goto end;
}
done_resp:
done_resp:
if (respout != NULL) {
derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
@@ -769,7 +812,7 @@ redo_accept:
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
OCSP_response_status_str(i), i);
if (!ignore_err)
goto end;
}
@@ -800,7 +843,7 @@ redo_accept:
if (store == NULL) {
store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore);
CAstore, noCAstore);
if (!store)
goto end;
}
@@ -808,7 +851,7 @@ redo_accept:
X509_STORE_set1_param(store, vpm);
if (verify_certfile != NULL) {
if (!load_certs(verify_certfile, 0, &verify_other, NULL,
"validator certificates"))
"validator certificates"))
goto end;
}
@@ -849,7 +892,7 @@ redo_accept:
if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
ret = 1;
end:
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
@@ -904,8 +947,8 @@ static int index_changed(CA_DB *rdb)
#endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
{
OCSP_CERTID *id;
@@ -924,14 +967,14 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
goto err;
return 1;
err:
err:
BIO_printf(bio_err, "Error Creating OCSP request\n");
return 0;
}
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
{
OCSP_CERTID *id;
const X509_NAME *iname;
@@ -961,15 +1004,15 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
goto err;
return 1;
err:
err:
BIO_printf(bio_err, "Error Creating OCSP request\n");
return 0;
}
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
{
OCSP_CERTID *id;
const char *name;
@@ -989,7 +1032,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
BIO_printf(out, "%s: ", name);
if (!OCSP_resp_find_status(bs, id, &status, &reason,
&rev, &thisupd, &nextupd)) {
&rev, &thisupd, &nextupd)) {
BIO_puts(out, "ERROR: No Status found.\n");
ret = 0;
continue;
@@ -1029,12 +1072,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
}
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md)
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md)
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid;
@@ -1046,8 +1089,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
id_count = OCSP_request_onereq_count(req);
if (id_count <= 0) {
*resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
goto end;
}
@@ -1079,7 +1121,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
if (cert_id_md == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) {
@@ -1101,18 +1143,18 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
if (!found) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
continue;
}
if (inf == NULL) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
} else if (inf[DB_type][0] == DB_TYPE_VAL) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_GOOD,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_GOOD,
0, NULL, thisupd, nextupd);
} else if (inf[DB_type][0] == DB_TYPE_REV) {
ASN1_OBJECT *inst = NULL;
ASN1_TIME *revtm = NULL;
@@ -1122,20 +1164,20 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
single = OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm, thisupd, nextupd);
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm, thisupd, nextupd);
if (single == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
if (invtm != NULL)
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
invtm, 0, 0);
invtm, 0, 0);
else if (inst != NULL)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_hold_instruction_code, inst,
0, 0);
NID_hold_instruction_code, inst,
0, 0);
ASN1_OBJECT_free(inst);
ASN1_TIME_free(revtm);
ASN1_GENERALIZEDTIME_free(invtm);
@@ -1157,7 +1199,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
BIO_printf(err, "parameter error \"%s\"\n", sigopt);
ERR_print_errors(bio_err);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
}
@@ -1173,7 +1215,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
end:
end:
EVP_MD_CTX_free(mctx);
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
@@ -1188,8 +1230,8 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
for (i = 0; i < DB_NUMBER; i++)
row[i] = NULL;
bn = ASN1_INTEGER_to_BN(ser, NULL);
OPENSSL_assert(bn); /* FIXME: should report an error at this
* point and abort */
OPENSSL_assert(bn); /* FIXME: should report an error at this
* point and abort */
if (BN_is_zero(bn)) {
itmp = OPENSSL_strdup("00");
OPENSSL_assert(itmp);
@@ -1204,16 +1246,16 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
}
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout)
int timeout)
{
#ifndef OPENSSL_NO_SOCK
return http_server_get_asn1_req(ASN1_ITEM_rptr(OCSP_REQUEST),
(ASN1_VALUE **)preq, NULL, pcbio, acbio,
NULL /* found_keep_alive */,
prog, 1 /* accept_get */, timeout);
(ASN1_VALUE **)preq, NULL, pcbio, acbio,
NULL /* found_keep_alive */,
prog, 1 /* accept_get */, timeout);
#else
BIO_printf(bio_err,
"Error getting OCSP request - sockets not supported\n");
"Error getting OCSP request - sockets not supported\n");
*preq = NULL;
return 0;
#endif
@@ -1223,23 +1265,23 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
{
#ifndef OPENSSL_NO_SOCK
return http_server_send_asn1_resp(prog, cbio,
0 /* no keep-alive */,
"application/ocsp-response",
ASN1_ITEM_rptr(OCSP_RESPONSE),
(const ASN1_VALUE *)resp);
0 /* no keep-alive */,
"application/ocsp-response",
ASN1_ITEM_rptr(OCSP_RESPONSE),
(const ASN1_VALUE *)resp);
#else
BIO_printf(bio_err,
"Error sending OCSP response - sockets not supported\n");
"Error sending OCSP response - sockets not supported\n");
return 0;
#endif
}
#ifndef OPENSSL_NO_SOCK
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
SSL_CTX *ctx = NULL;
OCSP_RESPONSE *resp = NULL;
@@ -1254,15 +1296,15 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
resp = (OCSP_RESPONSE *)
app_http_post_asn1(host, port, path, proxy, no_proxy,
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
if (resp == NULL)
BIO_printf(bio_err, "Error querying OCSP responder\n");
end:
end:
SSL_CTX_free(ctx);
return resp;
}

66
apps/openssl.c
View File

@@ -19,12 +19,12 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#include <openssl/engine.h>
#endif
#include <openssl/err.h>
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>
#include <unixio.h>
#endif
#include "apps.h"
#include "progs.h"
@@ -47,7 +47,7 @@ static void warn_deprecated(const FUNCTION *fp)
{
if (fp->deprecated_version != NULL)
BIO_printf(bio_err, "The command %s was deprecated in version %s.",
fp->name, fp->deprecated_version);
fp->name, fp->deprecated_version);
else
BIO_printf(bio_err, "The command %s is deprecated.", fp->name);
if (strcmp(fp->deprecated_alternative, DEPRECATED_NO_ALTERNATIVE) != 0)
@@ -64,7 +64,8 @@ static int apps_startup(void)
/* Set non-default library initialisation settings */
if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN
| OPENSSL_INIT_LOAD_CONFIG, NULL))
| OPENSSL_INIT_LOAD_CONFIG,
NULL))
return 0;
(void)setup_ui_method();
@@ -94,15 +95,14 @@ static void apps_shutdown(void)
destroy_ui_method();
}
#ifndef OPENSSL_NO_TRACE
typedef struct tracedata_st {
BIO *bio;
unsigned int ingroup:1;
unsigned int ingroup : 1;
} tracedata;
static size_t internal_trace_cb(const char *buf, size_t cnt,
int category, int cmd, void *vdata)
int category, int cmd, void *vdata)
{
int ret = 0;
tracedata *trace_data = vdata;
@@ -120,8 +120,8 @@ static size_t internal_trace_cb(const char *buf, size_t cnt,
tid = CRYPTO_THREAD_get_current_id();
hex = OPENSSL_buf2hexstr((const unsigned char *)&tid, sizeof(tid));
BIO_snprintf(buffer, sizeof(buffer), "TRACE[%s]:%s: ",
hex == NULL ? "<null>" : hex,
OSSL_trace_get_category_name(category));
hex == NULL ? "<null>" : hex,
OSSL_trace_get_category_name(category));
OPENSSL_free(hex);
BIO_set_prefix(trace_data->bio, buffer);
break;
@@ -179,12 +179,13 @@ static void setup_trace_category(int category)
|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
trace_data)
== 0
|| sk_tracedata_push(trace_data_stack, trace_data) == 0) {
fprintf(stderr,
"warning: unable to setup trace callback for category '%s'.\n",
OSSL_trace_get_category_name(category));
"warning: unable to setup trace callback for category '%s'.\n",
OSSL_trace_get_category_name(category));
OSSL_trace_set_callback(category, NULL, NULL);
BIO_free_all(channel);
@@ -220,7 +221,7 @@ static void setup_trace(const char *str)
setup_trace_category(category);
} else {
fprintf(stderr,
"warning: unknown trace category: '%s'.\n", item);
"warning: unknown trace category: '%s'.\n", item);
}
}
}
@@ -263,10 +264,10 @@ int main(int argc, char *argv[])
#endif
if ((fname = "apps_startup", !apps_startup())
|| (fname = "prog_init", (prog = prog_init()) == NULL)) {
|| (fname = "prog_init", (prog = prog_init()) == NULL)) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: %s()) for %s\n",
fname, argv[0]);
"FATAL: Startup failure (dev note: %s()) for %s\n",
fname, argv[0]);
ERR_print_errors(bio_err);
ret = 1;
goto end;
@@ -291,7 +292,8 @@ int main(int argc, char *argv[])
argc--;
argv++;
opt_appname(argc == 1 || global_help ? "help" : global_version ? "version" : argv[0]);
opt_appname(argc == 1 || global_help ? "help" : global_version ? "version"
: argv[0]);
} else {
argv[0] = pname;
}
@@ -300,13 +302,13 @@ int main(int argc, char *argv[])
* If there's no command, assume "help". If there's an override for help
* or version run those, otherwise run the command given.
*/
ret = (argc == 0) || global_help
? do_cmd(prog, 1, help_argv)
: global_version
? do_cmd(prog, 1, version_argv)
: do_cmd(prog, argc, argv);
ret = (argc == 0) || global_help
? do_cmd(prog, 1, help_argv)
: global_version
? do_cmd(prog, 1, version_argv)
: do_cmd(prog, argc, argv);
end:
end:
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
@@ -321,18 +323,20 @@ int main(int argc, char *argv[])
}
typedef enum HELP_CHOICE {
OPT_hERR = -1, OPT_hEOF = 0, OPT_hHELP
OPT_hERR = -1,
OPT_hEOF = 0,
OPT_hHELP
} HELP_CHOICE;
const OPTIONS help_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: help [options] [command]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: help [options] [command]\n" },
OPT_SECTION("General"),
{"help", OPT_hHELP, '-', "Display this summary"},
{ "help", OPT_hHELP, '-', "Display this summary" },
OPT_PARAMETERS(),
{"command", 0, 0, "Name of command to display help (optional)"},
{NULL}
{ "command", 0, 0, "Name of command to display help (optional)" },
{ NULL }
};
int help_main(int argc, char **argv)
@@ -387,11 +391,11 @@ int help_main(int argc, char **argv)
if (tp == FT_md) {
i = 1;
BIO_printf(bio_err,
"\nMessage Digest commands (see the `dgst' command for more details)\n");
"\nMessage Digest commands (see the `dgst' command for more details)\n");
} else if (tp == FT_cipher) {
i = 1;
BIO_printf(bio_err,
"\nCipher commands (see the `enc' command for more details)\n");
"\nCipher commands (see the `enc' command for more details)\n");
}
}
BIO_printf(bio_err, "%-*s", dc.width, fp->name);
@@ -440,7 +444,7 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
}
BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n",
argv[0]);
argv[0]);
return 1;
}

250
apps/passwd.c
View File

@@ -17,7 +17,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# include <openssl/des.h>
#include <openssl/des.h>
#endif
#include <openssl/md5.h>
#include <openssl/sha.h>
@@ -46,48 +46,58 @@ typedef enum {
} passwd_modes;
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode);
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN,
OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
OPT_1, OPT_5, OPT_6, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_NOVERIFY,
OPT_QUIET,
OPT_TABLE,
OPT_REVERSE,
OPT_APR1,
OPT_1,
OPT_5,
OPT_6,
OPT_AIXMD5,
OPT_SALT,
OPT_STDIN,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS passwd_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [password]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [password]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Read passwords from file"},
{"noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal"},
{"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
{ "in", OPT_IN, '<', "Read passwords from file" },
{ "noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal" },
{ "stdin", OPT_STDIN, '-', "Read passwords from stdin" },
OPT_SECTION("Output"),
{"quiet", OPT_QUIET, '-', "No warnings"},
{"table", OPT_TABLE, '-', "Format output as table"},
{"reverse", OPT_REVERSE, '-', "Switch table columns"},
{ "quiet", OPT_QUIET, '-', "No warnings" },
{ "table", OPT_TABLE, '-', "Format output as table" },
{ "reverse", OPT_REVERSE, '-', "Switch table columns" },
OPT_SECTION("Cryptographic"),
{"salt", OPT_SALT, 's', "Use provided salt"},
{"6", OPT_6, '-', "SHA512-based password algorithm"},
{"5", OPT_5, '-', "SHA256-based password algorithm"},
{"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
{"1", OPT_1, '-', "MD5-based password algorithm"},
{"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"},
{ "salt", OPT_SALT, 's', "Use provided salt" },
{ "6", OPT_6, '-', "SHA512-based password algorithm" },
{ "5", OPT_5, '-', "SHA256-based password algorithm" },
{ "apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant" },
{ "1", OPT_1, '-', "MD5-based password algorithm" },
{ "aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"password", 0, 0, "Password text to digest (optional)"},
{NULL}
{ "password", 0, 0, "Password text to digest (optional)" },
{ NULL }
};
int passwd_main(int argc, char **argv)
@@ -112,7 +122,7 @@ int passwd_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -223,8 +233,7 @@ int passwd_main(int argc, char **argv)
passwd_malloc_size = pw_maxlen + 2;
/* longer than necessary so that we can warn about truncation */
passwd = passwd_malloc =
app_malloc(passwd_malloc_size, "password buffer");
passwd = passwd_malloc = app_malloc(passwd_malloc_size, "password buffer");
}
if ((in == NULL) && (passwds == NULL)) {
@@ -240,9 +249,9 @@ int passwd_main(int argc, char **argv)
passwds = passwds_static;
if (in == NULL) {
if (EVP_read_pw_string
(passwd_malloc, passwd_malloc_size, "Password: ",
!(passed_salt || in_noverify)) != 0)
if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ",
!(passed_salt || in_noverify))
!= 0)
goto end;
}
passwds[0] = passwd_malloc;
@@ -257,10 +266,10 @@ int passwd_main(int argc, char **argv)
assert(passwds != NULL);
assert(*passwds != NULL);
do { /* loop over list of passwords */
do { /* loop over list of passwords */
passwd = *passwds++;
if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
quiet, table, reverse, pw_maxlen, mode))
quiet, table, reverse, pw_maxlen, mode))
goto end;
} while (*passwds != NULL);
} else {
@@ -273,7 +282,7 @@ int passwd_main(int argc, char **argv)
if (r > 0) {
char *c = (strchr(passwd, '\n'));
if (c != NULL) {
*c = 0; /* truncate at newline */
*c = 0; /* truncate at newline */
} else {
/* ignore rest of line */
char trash[BUFSIZ];
@@ -282,9 +291,8 @@ int passwd_main(int argc, char **argv)
while ((r > 0) && (!strchr(trash, '\n')));
}
if (!do_passwd
(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
table, reverse, pw_maxlen, mode))
if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
table, reverse, pw_maxlen, mode))
goto end;
}
done = (r <= 0);
@@ -292,7 +300,7 @@ int passwd_main(int argc, char **argv)
}
ret = 0;
end:
end:
#if 0
ERR_print_errors(bio_err);
#endif
@@ -316,8 +324,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
/* "$apr1$..salt..$.......md5hash..........\0" */
static char out_buf[6 + 9 + 24 + 2];
unsigned char buf[MD5_DIGEST_LENGTH];
char ascii_magic[5]; /* "apr1" plus '\0' */
char ascii_salt[9]; /* Max 8 chars plus '\0' */
char ascii_magic[5]; /* "apr1" plus '\0' */
char ascii_salt[9]; /* Max 8 chars plus '\0' */
char *ascii_passwd = NULL;
char *salt_out;
int n;
@@ -331,7 +339,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
magic_len = strlen(magic);
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
@@ -353,7 +361,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (magic_len > 0) {
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
if (magic_len > 4) /* assert it's "1" or "apr1" */
if (magic_len > 4) /* assert it's "1" or "apr1" */
goto err;
OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf));
@@ -382,7 +390,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestUpdate(md, ascii_dollar, 1)
|| !EVP_DigestUpdate(md, ascii_magic, magic_len)
|| !EVP_DigestUpdate(md, ascii_dollar, 1))
goto err;
goto err;
if (!EVP_DigestUpdate(md, ascii_salt, salt_len))
goto err;
@@ -416,8 +424,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(i & 1) ? (const unsigned char *)passwd : buf,
(i & 1) ? passwd_len : sizeof(buf)))
(i & 1) ? (const unsigned char *)passwd : buf,
(i & 1) ? passwd_len : sizeof(buf)))
goto err;
if (i % 3) {
if (!EVP_DigestUpdate(md2, ascii_salt, salt_len))
@@ -428,11 +436,11 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
goto err;
}
if (!EVP_DigestUpdate(md2,
(i & 1) ? buf : (const unsigned char *)passwd,
(i & 1) ? sizeof(buf) : passwd_len))
goto err;
(i & 1) ? buf : (const unsigned char *)passwd,
(i & 1) ? sizeof(buf) : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -447,14 +455,14 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
/* silly output permutation */
for (dest = 0, source = 0; dest < 14;
dest++, source = (source + 6) % 17)
dest++, source = (source + 6) % 17)
buf_perm[dest] = buf[source];
buf_perm[14] = buf[5];
buf_perm[15] = buf[11];
# ifndef PEDANTIC /* Unfortunately, this generates a "no
* effect" warning */
#ifndef PEDANTIC /* Unfortunately, this generates a "no \
* effect" warning */
assert(16 == sizeof(buf_perm));
# endif
#endif
output = salt_out + salt_len;
assert(output == out_buf + strlen(out_buf));
@@ -463,10 +471,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
for (i = 0; i < 15; i += 3) {
*output++ = cov_2char[buf_perm[i + 2] & 0x3f];
*output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
(buf_perm[i + 2] >> 6)];
*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
(buf_perm[i + 1] >> 4)];
*output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) | (buf_perm[i + 2] >> 6)];
*output++ = cov_2char[((buf_perm[i] & 3) << 4) | (buf_perm[i + 1] >> 4)];
*output++ = cov_2char[buf_perm[i] >> 2];
}
assert(i == 15);
@@ -481,7 +487,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
return out_buf;
err:
err:
OPENSSL_free(ascii_passwd);
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -498,13 +504,13 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
/* Prefix for optional rounds specification. */
static const char rounds_prefix[] = "rounds=";
/* Maximum salt string length. */
# define SALT_LEN_MAX 16
#define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified. */
# define ROUNDS_DEFAULT 5000
#define ROUNDS_DEFAULT 5000
/* Minimum number of rounds. */
# define ROUNDS_MIN 1000
#define ROUNDS_MIN 1000
/* Maximum number of rounds. */
# define ROUNDS_MAX 999999999
#define ROUNDS_MAX 999999999
/* "$6$rounds=<N>$......salt......$...shahash(up to 86 chars)...\0" */
static char out_buf[3 + 17 + 17 + 86 + 1];
@@ -512,13 +518,13 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
unsigned char temp_buf[SHA512_DIGEST_LENGTH];
size_t buf_size = 0;
char ascii_magic[2];
char ascii_salt[17]; /* Max 16 chars plus '\0' */
char ascii_salt[17]; /* Max 16 chars plus '\0' */
char *ascii_passwd = NULL;
size_t n;
EVP_MD_CTX *md = NULL, *md2 = NULL;
const EVP_MD *sha = NULL;
size_t passwd_len, salt_len, magic_len;
unsigned int rounds = ROUNDS_DEFAULT; /* Default */
unsigned int rounds = ROUNDS_DEFAULT; /* Default */
char rounds_custom = 0;
char *p_bytes = NULL;
char *s_bytes = NULL;
@@ -547,7 +553,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
if (strncmp(salt, rounds_prefix, sizeof(rounds_prefix) - 1) == 0) {
const char *num = salt + sizeof(rounds_prefix) - 1;
char *endp;
unsigned long int srounds = strtoul (num, &endp, 10);
unsigned long int srounds = strtoul(num, &endp, 10);
if (*endp == '$') {
salt = endp + 1;
if (srounds > ROUNDS_MAX)
@@ -564,7 +570,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
@@ -593,7 +599,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
BIO_snprintf(tmp_buf, sizeof(tmp_buf), "rounds=%u", rounds);
#ifdef CHARSET_EBCDIC
/* In case we're really on a ASCII based platform and just pretend */
if (tmp_buf[0] != 0x72) /* ASCII 'r' */
if (tmp_buf[0] != 0x72) /* ASCII 'r' */
ebcdic2ascii(tmp_buf, tmp_buf, strlen(tmp_buf));
#endif
OPENSSL_strlcat(out_buf, tmp_buf, sizeof(out_buf));
@@ -631,8 +637,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
n = passwd_len;
while (n) {
if (!EVP_DigestUpdate(md,
(n & 1) ? buf : (const unsigned char *)passwd,
(n & 1) ? buf_size : passwd_len))
(n & 1) ? buf : (const unsigned char *)passwd,
(n & 1) ? buf_size : passwd_len))
goto err;
n >>= 1;
}
@@ -677,8 +683,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestInit_ex(md2, sha, NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(n & 1) ? (const unsigned char *)p_bytes : buf,
(n & 1) ? passwd_len : buf_size))
(n & 1) ? (const unsigned char *)p_bytes : buf,
(n & 1) ? passwd_len : buf_size))
goto err;
if (n % 3) {
if (!EVP_DigestUpdate(md2, s_bytes, salt_len))
@@ -689,11 +695,11 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;
}
if (!EVP_DigestUpdate(md2,
(n & 1) ? buf : (const unsigned char *)p_bytes,
(n & 1) ? buf_size : passwd_len))
goto err;
(n & 1) ? buf : (const unsigned char *)p_bytes,
(n & 1) ? buf_size : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -707,53 +713,53 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
cp = out_buf + strlen(out_buf);
*cp++ = ascii_dollar[0];
# define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int i = (N); \
while (i-- > 0) { \
*cp++ = cov_2char[w & 0x3f]; \
w >>= 6; \
} \
#define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int i = (N); \
while (i-- > 0) { \
*cp++ = cov_2char[w & 0x3f]; \
w >>= 6; \
} \
} while (0)
switch (magic[0]) {
case '5':
b64_from_24bit (buf[0], buf[10], buf[20], 4);
b64_from_24bit (buf[21], buf[1], buf[11], 4);
b64_from_24bit (buf[12], buf[22], buf[2], 4);
b64_from_24bit (buf[3], buf[13], buf[23], 4);
b64_from_24bit (buf[24], buf[4], buf[14], 4);
b64_from_24bit (buf[15], buf[25], buf[5], 4);
b64_from_24bit (buf[6], buf[16], buf[26], 4);
b64_from_24bit (buf[27], buf[7], buf[17], 4);
b64_from_24bit (buf[18], buf[28], buf[8], 4);
b64_from_24bit (buf[9], buf[19], buf[29], 4);
b64_from_24bit (0, buf[31], buf[30], 3);
b64_from_24bit(buf[0], buf[10], buf[20], 4);
b64_from_24bit(buf[21], buf[1], buf[11], 4);
b64_from_24bit(buf[12], buf[22], buf[2], 4);
b64_from_24bit(buf[3], buf[13], buf[23], 4);
b64_from_24bit(buf[24], buf[4], buf[14], 4);
b64_from_24bit(buf[15], buf[25], buf[5], 4);
b64_from_24bit(buf[6], buf[16], buf[26], 4);
b64_from_24bit(buf[27], buf[7], buf[17], 4);
b64_from_24bit(buf[18], buf[28], buf[8], 4);
b64_from_24bit(buf[9], buf[19], buf[29], 4);
b64_from_24bit(0, buf[31], buf[30], 3);
break;
case '6':
b64_from_24bit (buf[0], buf[21], buf[42], 4);
b64_from_24bit (buf[22], buf[43], buf[1], 4);
b64_from_24bit (buf[44], buf[2], buf[23], 4);
b64_from_24bit (buf[3], buf[24], buf[45], 4);
b64_from_24bit (buf[25], buf[46], buf[4], 4);
b64_from_24bit (buf[47], buf[5], buf[26], 4);
b64_from_24bit (buf[6], buf[27], buf[48], 4);
b64_from_24bit (buf[28], buf[49], buf[7], 4);
b64_from_24bit (buf[50], buf[8], buf[29], 4);
b64_from_24bit (buf[9], buf[30], buf[51], 4);
b64_from_24bit (buf[31], buf[52], buf[10], 4);
b64_from_24bit (buf[53], buf[11], buf[32], 4);
b64_from_24bit (buf[12], buf[33], buf[54], 4);
b64_from_24bit (buf[34], buf[55], buf[13], 4);
b64_from_24bit (buf[56], buf[14], buf[35], 4);
b64_from_24bit (buf[15], buf[36], buf[57], 4);
b64_from_24bit (buf[37], buf[58], buf[16], 4);
b64_from_24bit (buf[59], buf[17], buf[38], 4);
b64_from_24bit (buf[18], buf[39], buf[60], 4);
b64_from_24bit (buf[40], buf[61], buf[19], 4);
b64_from_24bit (buf[62], buf[20], buf[41], 4);
b64_from_24bit (0, 0, buf[63], 2);
b64_from_24bit(buf[0], buf[21], buf[42], 4);
b64_from_24bit(buf[22], buf[43], buf[1], 4);
b64_from_24bit(buf[44], buf[2], buf[23], 4);
b64_from_24bit(buf[3], buf[24], buf[45], 4);
b64_from_24bit(buf[25], buf[46], buf[4], 4);
b64_from_24bit(buf[47], buf[5], buf[26], 4);
b64_from_24bit(buf[6], buf[27], buf[48], 4);
b64_from_24bit(buf[28], buf[49], buf[7], 4);
b64_from_24bit(buf[50], buf[8], buf[29], 4);
b64_from_24bit(buf[9], buf[30], buf[51], 4);
b64_from_24bit(buf[31], buf[52], buf[10], 4);
b64_from_24bit(buf[53], buf[11], buf[32], 4);
b64_from_24bit(buf[12], buf[33], buf[54], 4);
b64_from_24bit(buf[34], buf[55], buf[13], 4);
b64_from_24bit(buf[56], buf[14], buf[35], 4);
b64_from_24bit(buf[15], buf[36], buf[57], 4);
b64_from_24bit(buf[37], buf[58], buf[16], 4);
b64_from_24bit(buf[59], buf[17], buf[38], 4);
b64_from_24bit(buf[18], buf[39], buf[60], 4);
b64_from_24bit(buf[40], buf[61], buf[19], 4);
b64_from_24bit(buf[62], buf[20], buf[41], 4);
b64_from_24bit(0, 0, buf[63], 2);
break;
default:
goto err;
@@ -765,7 +771,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
return out_buf;
err:
err:
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
OPENSSL_free(p_bytes);
@@ -775,8 +781,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
}
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode)
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode)
{
char *hash = NULL;
@@ -804,10 +810,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
for (i = 0; i < saltlen; i++)
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
(*salt_p)[i] = 0;
# ifdef CHARSET_EBCDIC
#ifdef CHARSET_EBCDIC
/* The password encryption function will convert back to ASCII */
ascii2ebcdic(*salt_p, *salt_p, saltlen);
# endif
#endif
}
assert(*salt_p != NULL);
@@ -819,8 +825,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
* XXX: really we should know how to print a size_t, not cast it
*/
BIO_printf(bio_err,
"Warning: truncating password to %u characters\n",
(unsigned)pw_maxlen);
"Warning: truncating password to %u characters\n",
(unsigned)pw_maxlen);
passwd[pw_maxlen] = 0;
}
assert(strlen(passwd) <= pw_maxlen);
@@ -842,6 +848,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
BIO_printf(out, "%s\n", hash);
return 1;
end:
end:
return 0;
}

361
apps/pkcs12.c
View File

@@ -23,11 +23,11 @@
#include <openssl/kdf.h>
#include <openssl/rand.h>
#define NOKEYS 0x1
#define NOCERTS 0x2
#define INFO 0x4
#define CLCERTS 0x8
#define CACERTS 0x10
#define NOKEYS 0x1
#define NOCERTS 0x2
#define INFO 0x4
#define CLCERTS 0x8
#define CACERTS 0x10
#define PASSWD_BUF_SIZE 2048
@@ -37,20 +37,20 @@
BIO_printf(bio_err, "Warning: -%s option ignored without -export\n", opt);
static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain);
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain);
int dump_certs_keys_p12(BIO *out, const PKCS12 *p12,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
void print_attribute(BIO *out, const ASN1_TYPE *av);
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
static int alg_print(const X509_ALGOR *alg);
int cert_load(BIO *in, STACK_OF(X509) *sk);
@@ -59,18 +59,58 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
OPT_CIPHER,
OPT_NOKEYS,
OPT_KEYEX,
OPT_KEYSIG,
OPT_NOCERTS,
OPT_CLCERTS,
OPT_CACERTS,
OPT_NOOUT,
OPT_INFO,
OPT_CHAIN,
OPT_TWOPASS,
OPT_NOMACVER,
#ifndef OPENSSL_NO_DES
OPT_DESCERT,
#endif
OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_MACSALTLEN,
OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS,
OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD,
OPT_EXPORT,
OPT_ITER,
OPT_NOITER,
OPT_MACITER,
OPT_NOMACITER,
OPT_MACSALTLEN,
OPT_NOMAC,
OPT_LMK,
OPT_NODES,
OPT_NOENC,
OPT_MACALG,
OPT_CERTPBE,
OPT_KEYPBE,
OPT_INKEY,
OPT_CERTFILE,
OPT_UNTRUSTED,
OPT_PASSCERTS,
OPT_NAME,
OPT_CSP,
OPT_CANAME,
OPT_IN,
OPT_OUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PASSWORD,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_JDKTRUST,
OPT_PBMAC1_PBKDF2,
OPT_PBMAC1_PBKDF2_MD,
#ifndef OPENSSL_NO_DES
OPT_LEGACY_ALG
#endif
@@ -78,85 +118,85 @@ typedef enum OPTION_choice {
const OPTIONS pkcs12_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"password", OPT_PASSWORD, 's', "Set PKCS#12 import/export password source"},
{"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
{"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
{"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
{"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "in", OPT_IN, '<', "Input file" },
{ "out", OPT_OUT, '>', "Output file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "password", OPT_PASSWORD, 's', "Set PKCS#12 import/export password source" },
{ "twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords" },
{ "nokeys", OPT_NOKEYS, '-', "Don't output private keys" },
{ "nocerts", OPT_NOCERTS, '-', "Don't output certificates" },
{ "noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input" },
#ifndef OPENSSL_NO_DES
{"legacy", OPT_LEGACY_ALG, '-',
# ifdef OPENSSL_NO_RC2
"Use legacy encryption algorithm 3DES_CBC for keys and certs"
# else
"Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
# endif
{ "legacy", OPT_LEGACY_ALG, '-',
#ifdef OPENSSL_NO_RC2
"Use legacy encryption algorithm 3DES_CBC for keys and certs"
#else
"Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
#endif
},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
OPT_SECTION("PKCS#12 import (parsing PKCS#12)"),
{"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
{"nomacver", OPT_NOMACVER, '-', "Don't verify integrity MAC"},
{"clcerts", OPT_CLCERTS, '-', "Only output client certificates"},
{"cacerts", OPT_CACERTS, '-', "Only output CA certificates"},
{"", OPT_CIPHER, '-', "Any supported cipher for output encryption"},
{"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{ "info", OPT_INFO, '-', "Print info about PKCS#12 structure" },
{ "nomacver", OPT_NOMACVER, '-', "Don't verify integrity MAC" },
{ "clcerts", OPT_CLCERTS, '-', "Only output client certificates" },
{ "cacerts", OPT_CACERTS, '-', "Only output CA certificates" },
{ "", OPT_CIPHER, '-', "Any supported cipher for output encryption" },
{ "noenc", OPT_NOENC, '-', "Don't encrypt private keys" },
{ "nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated" },
OPT_SECTION("PKCS#12 output (export)"),
{"export", OPT_EXPORT, '-', "Create PKCS12 file"},
{"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
{"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
{"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
{"chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert,"},
{OPT_MORE_STR, 0, 0,
"which is the 1st cert from -in matching the private key (if given)"},
{"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
{"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{"name", OPT_NAME, 's', "Use name as friendly name"},
{"caname", OPT_CANAME, 's',
"Use name as CA friendly name (can be repeated)"},
{"CSP", OPT_CSP, 's', "Microsoft CSP name"},
{"LMK", OPT_LMK, '-',
"Add local machine keyset attribute to private key"},
{"keyex", OPT_KEYEX, '-', "Set key type to MS key exchange"},
{"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"},
{"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"},
{"certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"},
{ "export", OPT_EXPORT, '-', "Create PKCS12 file" },
{ "inkey", OPT_INKEY, 's', "Private key, else read from -in input file" },
{ "certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output" },
{ "passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source" },
{ "chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert," },
{ OPT_MORE_STR, 0, 0,
"which is the 1st cert from -in matching the private key (if given)" },
{ "untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building" },
{ "CAfile", OPT_CAFILE, '<', "PEM-format file of CA's" },
{ "CApath", OPT_CAPATH, '/', "PEM-format directory of CA's" },
{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
{ "name", OPT_NAME, 's', "Use name as friendly name" },
{ "caname", OPT_CANAME, 's',
"Use name as CA friendly name (can be repeated)" },
{ "CSP", OPT_CSP, 's', "Microsoft CSP name" },
{ "LMK", OPT_LMK, '-',
"Add local machine keyset attribute to private key" },
{ "keyex", OPT_KEYEX, '-', "Set key type to MS key exchange" },
{ "keysig", OPT_KEYSIG, '-', "Set key type to MS key signature" },
{ "keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)" },
{ "certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)" },
#ifndef OPENSSL_NO_DES
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"},
{ "descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)" },
#endif
{"macalg", OPT_MACALG, 's',
"Digest algorithm to use in MAC (default SHA256)"},
{"pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC"},
{"pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)"},
{"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"},
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)"},
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
{"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"},
{NULL}
{ "macalg", OPT_MACALG, 's',
"Digest algorithm to use in MAC (default SHA256)" },
{ "pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC" },
{ "pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)" },
{ "iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC" },
{ "noiter", OPT_NOITER, '-', "Don't use encryption iteration" },
{ "nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)" },
{ "maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility" },
{ "macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC" },
{ "nomac", OPT_NOMAC, '-', "Don't generate MAC" },
{ "jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility" },
{ NULL }
};
int pkcs12_main(int argc, char **argv)
@@ -197,7 +237,7 @@ int pkcs12_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -399,7 +439,7 @@ int pkcs12_main(int argc, char **argv)
WARN_EXPORT("cacerts");
if (enc != default_enc)
BIO_printf(bio_err,
"Warning: output encryption option -%s ignored with -export\n", enc_name);
"Warning: output encryption option -%s ignored with -export\n", enc_name);
} else {
if (keyname != NULL)
WARN_NO_EXPORT("inkey");
@@ -462,11 +502,11 @@ int pkcs12_main(int argc, char **argv)
}
if (cert_pbe == NID_undef) {
/* Adapt default algorithm */
# ifndef OPENSSL_NO_RC2
#ifndef OPENSSL_NO_RC2
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
# else
#else
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
#endif
}
if (key_pbe == NID_undef)
@@ -524,7 +564,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(
macpass, sizeof(macpass), "Enter MAC Password:", export_pkcs12)) {
macpass, sizeof(macpass), "Enter MAC Password:", export_pkcs12)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
@@ -557,10 +597,8 @@ int pkcs12_main(int argc, char **argv)
if (!(options & NOKEYS)) {
key = load_key(keyname ? keyname : infile,
FORMAT_PEM, 1, passin, e,
keyname ?
"private key from -inkey file" :
"private key from -in file");
FORMAT_PEM, 1, passin, e,
keyname ? "private key from -inkey file" : "private key from -in file");
if (key == NULL)
goto export_end;
}
@@ -568,7 +606,7 @@ int pkcs12_main(int argc, char **argv)
/* Load all certs in input file */
if (!(options & NOCERTS)) {
if (!load_certs(infile, 1, &certs, passin,
"certificates from -in file"))
"certificates from -in file"))
goto export_end;
if (sk_X509_num(certs) < 1) {
BIO_printf(bio_err, "No certificate in -in file %s\n", infile);
@@ -591,8 +629,8 @@ int pkcs12_main(int argc, char **argv)
}
if (ee_cert == NULL) {
BIO_printf(bio_err,
"No cert in -in file '%s' matches private key\n",
infile);
"No cert in -in file '%s' matches private key\n",
infile);
goto export_end;
}
}
@@ -601,7 +639,7 @@ int pkcs12_main(int argc, char **argv)
/* Load any untrusted certificates for chain building */
if (untrusted != NULL) {
if (!load_certs(untrusted, 0, &untrusted_certs, passcerts,
"untrusted certificates"))
"untrusted certificates"))
goto export_end;
}
@@ -618,13 +656,13 @@ int pkcs12_main(int argc, char **argv)
if (ee_cert_tmp == NULL) {
BIO_printf(bio_err,
"No end entity certificate to check with -chain\n");
"No end entity certificate to check with -chain\n");
goto export_end;
}
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore))
== NULL)
CAstore, noCAstore))
== NULL)
goto export_end;
vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
@@ -635,15 +673,14 @@ int pkcs12_main(int argc, char **argv)
/* Remove from chain2 the first (end entity) certificate */
X509_free(sk_X509_shift(chain2));
/* Add the remaining certs (except for duplicates) */
add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF
| X509_ADD_FLAG_NO_DUP);
add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP);
OSSL_STACK_OF_X509_free(chain2);
if (!add_certs)
goto export_end;
} else {
if (vret != X509_V_ERR_UNSPECIFIED)
BIO_printf(bio_err, "Error getting chain: %s\n",
X509_verify_cert_error_string(vret));
X509_verify_cert_error_string(vret));
goto export_end;
}
}
@@ -651,7 +688,7 @@ int pkcs12_main(int argc, char **argv)
/* Add any extra certificates asked for */
if (certfile != NULL) {
if (!load_certs(certfile, 0, &certs, passcerts,
"extra certificates from -certfile"))
"extra certificates from -certfile"))
goto export_end;
}
@@ -663,8 +700,8 @@ int pkcs12_main(int argc, char **argv)
if (csp_name != NULL && key != NULL)
EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
MBSTRING_ASC, (unsigned char *)csp_name,
-1);
MBSTRING_ASC, (unsigned char *)csp_name,
-1);
if (add_lmk && key != NULL)
EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
@@ -674,7 +711,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(pass, sizeof(pass),
"Enter Export Password:", 1)) {
"Enter Export Password:", 1)) {
BIO_printf(bio_err, "Can't read Password\n");
goto export_end;
}
@@ -693,13 +730,13 @@ int pkcs12_main(int argc, char **argv)
}
p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs,
key_pbe, cert_pbe, iter, -1, keytype,
app_get0_libctx(), app_get0_propq(),
jdk_trust, (void*)obj);
key_pbe, cert_pbe, iter, -1, keytype,
app_get0_libctx(), app_get0_propq(),
jdk_trust, (void *)obj);
if (p12 == NULL) {
BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n",
outfile);
outfile);
goto export_end;
}
@@ -711,8 +748,8 @@ int pkcs12_main(int argc, char **argv)
if (maciter != -1) {
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
macmd, pbmac1_pbkdf2_md)) {
macsaltlen, maciter,
macmd, pbmac1_pbkdf2_md)) {
BIO_printf(bio_err, "Error creating PBMAC1\n");
goto export_end;
}
@@ -720,7 +757,7 @@ int pkcs12_main(int argc, char **argv)
if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) {
BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
BIO_printf(bio_err,
"Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n");
"Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n");
goto export_end;
}
}
@@ -735,7 +772,7 @@ int pkcs12_main(int argc, char **argv)
ret = 0;
export_end:
export_end:
EVP_PKEY_free(key);
EVP_MD_free(macmd);
@@ -745,7 +782,6 @@ int pkcs12_main(int argc, char **argv)
ASN1_OBJECT_free(obj);
ERR_print_errors(bio_err);
goto end;
}
in = bio_open_default(infile, 'r', FORMAT_PKCS12);
@@ -766,7 +802,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:",
0)) {
0)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
@@ -803,10 +839,10 @@ int pkcs12_main(int argc, char **argv)
int prfnid;
BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n",
ASN1_INTEGER_get(pbkdf2_param->iter));
ASN1_INTEGER_get(pbkdf2_param->iter));
BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n",
ASN1_INTEGER_get(pbkdf2_param->keylength),
ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
ASN1_INTEGER_get(pbkdf2_param->keylength),
ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
if (pbkdf2_param->prf == NULL) {
prfnid = NID_hmacWithSHA1;
} else {
@@ -818,10 +854,10 @@ int pkcs12_main(int argc, char **argv)
PBKDF2PARAM_free(pbkdf2_param);
} else {
BIO_printf(bio_err, ", Iteration %ld\n",
tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n",
tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
}
}
@@ -842,7 +878,7 @@ int pkcs12_main(int argc, char **argv)
EVP_KDF *pkcs12kdf;
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
app_get0_propq());
app_get0_propq());
if (pkcs12kdf == NULL) {
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
@@ -889,7 +925,7 @@ int pkcs12_main(int argc, char **argv)
}
}
dump:
dump:
assert(private);
out = bio_open_owner(outfile, FORMAT_PEM, private);
@@ -902,7 +938,7 @@ int pkcs12_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
PKCS12_free(p12);
release_engine(e);
BIO_free(in);
@@ -925,10 +961,10 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg)
return 1;
/* Get the current attrs */
attrs = (STACK_OF(X509_ATTRIBUTE)*)PKCS12_SAFEBAG_get0_attrs(bag);
attrs = (STACK_OF(X509_ATTRIBUTE) *)PKCS12_SAFEBAG_get0_attrs(bag);
/* Create a new attr for the JDK Trusted Usage and add it */
attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT*)cbarg);
attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT *)cbarg);
/* Add the new attr, if attrs is NULL, it'll be initialised */
X509at_add1_attr(&attrs, attr);
@@ -941,8 +977,8 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg)
}
int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
{
STACK_OF(PKCS7) *asafes = NULL;
int i, bagnid;
@@ -976,7 +1012,7 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
if (bags == NULL)
goto err;
if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
options, pempass, enc)) {
options, pempass, enc)) {
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
goto err;
}
@@ -984,28 +1020,28 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
}
ret = 1;
err:
err:
sk_PKCS7_pop_free(asafes, PKCS7_free);
return ret;
}
int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
if (!dump_certs_pkeys_bag(out,
sk_PKCS12_SAFEBAG_value(bags, i),
pass, passlen, options, pempass, enc))
sk_PKCS12_SAFEBAG_value(bags, i),
pass, passlen, options, pempass, enc))
return 0;
}
return 1;
}
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
{
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
@@ -1091,7 +1127,7 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
BIO_printf(bio_err, "Safe Contents bag\n");
print_attribs(out, attrs, "Bag Attributes");
return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag),
pass, passlen, options, pempass, enc);
pass, passlen, options, pempass, enc);
default:
BIO_printf(bio_err, "Warning unsupported bag type: ");
@@ -1105,8 +1141,8 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
/* Given a single certificate return a verified chain or NULL if error */
static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain)
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain)
{
X509_STORE_CTX *store_ctx = NULL;
STACK_OF(X509) *chn = NULL;
@@ -1114,15 +1150,14 @@ static int get_cert_chain(X509 *cert, X509_STORE *store,
store_ctx = X509_STORE_CTX_new_ex(app_get0_libctx(), app_get0_propq());
if (store_ctx == NULL) {
i = X509_V_ERR_UNSPECIFIED;
i = X509_V_ERR_UNSPECIFIED;
goto end;
}
if (!X509_STORE_CTX_init(store_ctx, store, cert, untrusted_certs)) {
i = X509_V_ERR_UNSPECIFIED;
i = X509_V_ERR_UNSPECIFIED;
goto end;
}
if (X509_verify_cert(store_ctx) > 0)
chn = X509_STORE_CTX_get1_chain(store_ctx);
else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0)
@@ -1165,7 +1200,7 @@ static int alg_print(const X509_ALGOR *alg)
X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
encnid = OBJ_obj2nid(aoid);
BIO_printf(bio_err, ", %s, %s", OBJ_nid2ln(pbenid),
OBJ_nid2sn(encnid));
OBJ_nid2sn(encnid));
/* If KDF is PBKDF2 decode parameters */
if (pbenid == NID_id_pbkdf2) {
PBKDF2PARAM *kdf = NULL;
@@ -1184,7 +1219,7 @@ static int alg_print(const X509_ALGOR *alg)
prfnid = OBJ_obj2nid(aoid);
}
BIO_printf(bio_err, ", Iteration %ld, PRF %s",
ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
PBKDF2PARAM_free(kdf);
#ifndef OPENSSL_NO_SCRYPT
} else if (pbenid == NID_id_scrypt) {
@@ -1197,11 +1232,11 @@ static int alg_print(const X509_ALGOR *alg)
goto done;
}
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
"Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
ASN1_INTEGER_get(kdf->parallelizationParameter));
"Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
ASN1_INTEGER_get(kdf->parallelizationParameter));
SCRYPT_PARAMS_free(kdf);
#endif
}
@@ -1216,7 +1251,7 @@ static int alg_print(const X509_ALGOR *alg)
BIO_printf(bio_err, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
PBEPARAM_free(pbe);
}
done:
done:
BIO_puts(bio_err, "\n");
return 1;
}
@@ -1249,25 +1284,25 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;
case V_ASN1_UTF8STRING:
BIO_printf(out, "%.*s\n", av->value.utf8string->length,
av->value.utf8string->data);
av->value.utf8string->data);
break;
case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
av->value.octet_string->length);
BIO_printf(out, "\n");
break;
case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
av->value.bit_string->length);
BIO_printf(out, "\n");
break;
@@ -1289,7 +1324,7 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
/* Generalised attribute print: handle PKCS#8 and bag attributes */
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name)
const char *name)
{
X509_ATTRIBUTE *attr;
ASN1_TYPE *av;

46
apps/pkcs7.c
View File

@@ -22,35 +22,43 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_QUIET,
OPT_ENGINE, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_NOOUT,
OPT_TEXT,
OPT_PRINT,
OPT_PRINT_CERTS,
OPT_QUIET,
OPT_ENGINE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs7_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
OPT_SECTION("Output"),
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't output encoded data"},
{"text", OPT_TEXT, '-', "Print full details of certificates"},
{"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"},
{"print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input"},
{"quiet", OPT_QUIET, '-',
"When used with -print_certs, it produces a cleaner output"},
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "out", OPT_OUT, '>', "Output file" },
{ "noout", OPT_NOOUT, '-', "Don't output encoded data" },
{ "text", OPT_TEXT, '-', "Print full details of certificates" },
{ "print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure" },
{ "print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input" },
{ "quiet", OPT_QUIET, '-',
"When used with -print_certs, it produces a cleaner output" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkcs7_main(int argc, char **argv)
@@ -69,7 +77,7 @@ int pkcs7_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -215,7 +223,7 @@ int pkcs7_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
PKCS7_free(p7);
release_engine(e);
BIO_free(in);

92
apps/pkcs8.c
View File

@@ -22,54 +22,69 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT,
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_TOPK8,
OPT_NOITER,
OPT_NOCRYPT,
#ifndef OPENSSL_NO_SCRYPT
OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
OPT_SCRYPT,
OPT_SCRYPT_N,
OPT_SCRYPT_R,
OPT_SCRYPT_P,
#endif
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
OPT_V2,
OPT_V1,
OPT_V2PRF,
OPT_ITER,
OPT_PASSIN,
OPT_PASSOUT,
OPT_TRADITIONAL,
OPT_SALTLEN,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs8_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
{"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
{"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"},
{ "v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher" },
{ "v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher" },
{ "v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format (DER or PEM)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
{"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"},
{"iter", OPT_ITER, 'p', "Specify the iteration count"},
{"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
{"saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)"},
{OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)" },
{ "topk8", OPT_TOPK8, '-', "Output PKCS8 file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "traditional", OPT_TRADITIONAL, '-', "use traditional format private key" },
{ "iter", OPT_ITER, 'p', "Specify the iteration count" },
{ "noiter", OPT_NOITER, '-', "Use 1 as iteration count" },
{ "saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)" },
{ OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)" },
#ifndef OPENSSL_NO_SCRYPT
OPT_SECTION("Scrypt"),
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
{ "scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm" },
{ "scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter" },
{ "scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter" },
{ "scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter" },
#endif
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkcs8_main(int argc, char **argv)
@@ -100,7 +115,7 @@ int pkcs8_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -148,7 +163,7 @@ int pkcs8_main(int argc, char **argv)
pbe_nid = OBJ_txt2nid(opt_arg());
if (pbe_nid == NID_undef) {
BIO_printf(bio_err,
"%s: Unknown PBE algorithm %s\n", prog, opt_arg());
"%s: Unknown PBE algorithm %s\n", prog, opt_arg());
goto opthelp;
}
break;
@@ -156,14 +171,14 @@ int pkcs8_main(int argc, char **argv)
pbe_nid = OBJ_txt2nid(opt_arg());
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
BIO_printf(bio_err,
"%s: Unknown PRF algorithm %s\n", prog, opt_arg());
"%s: Unknown PRF algorithm %s\n", prog, opt_arg());
goto opthelp;
}
if (cipher == NULL)
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
break;
case OPT_ITER:
iter = opt_int_arg();
iter = opt_int_arg();
break;
case OPT_PASSIN:
passinarg = opt_arg();
@@ -224,7 +239,7 @@ int pkcs8_main(int argc, char **argv)
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
in = bio_open_default(infile, 'r',
informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
if (in == NULL)
goto end;
out = bio_open_owner(outfile, outformat, private);
@@ -256,11 +271,11 @@ int pkcs8_main(int argc, char **argv)
#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, saltlen, NULL,
scrypt_N, scrypt_r, scrypt_p);
scrypt_N, scrypt_r, scrypt_p);
else
#endif
pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, saltlen, NULL,
pbe_nid);
pbe_nid);
} else {
pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, saltlen);
}
@@ -275,8 +290,7 @@ int pkcs8_main(int argc, char **argv)
/* To avoid bit rot */
#ifndef OPENSSL_NO_UI_CONSOLE
p8pass = pass;
if (EVP_read_pw_string
(pass, sizeof(pass), "Enter Encryption Password:", 1)) {
if (EVP_read_pw_string(pass, sizeof(pass), "Enter Encryption Password:", 1)) {
X509_ALGOR_free(pbe);
goto end;
}
@@ -364,7 +378,7 @@ int pkcs8_main(int argc, char **argv)
if (outformat == FORMAT_PEM) {
if (traditional)
PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0,
NULL, passout);
NULL, passout);
else
PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
} else if (outformat == FORMAT_ASN1) {
@@ -375,7 +389,7 @@ int pkcs8_main(int argc, char **argv)
}
ret = 0;
end:
end:
X509_SIG_free(p8);
PKCS8_PRIV_KEY_INFO_free(p8inf);
EVP_PKEY_free(pkey);

100
apps/pkey.c
View File

@@ -19,50 +19,64 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM,
OPT_INFORM,
OPT_OUTFORM,
OPT_PASSIN,
OPT_PASSOUT,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_TEXT_PUB,
OPT_TEXT,
OPT_NOOUT,
OPT_CIPHER,
OPT_TRADITIONAL,
OPT_CHECK,
OPT_PUB_CHECK,
OPT_EC_PARAM_ENC,
OPT_EC_CONV_FORM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
{"check", OPT_CHECK, '-', "Check key consistency"},
{"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
{ "check", OPT_CHECK, '-', "Check key consistency" },
{ "pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency" },
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
{"inform", OPT_INFORM, 'f',
"Key input format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Key input pass phrase source"},
{"pubin", OPT_PUBIN, '-',
"Read only public components from key input"},
{ "in", OPT_IN, 's', "Input key" },
{ "inform", OPT_INFORM, 'f',
"Key input format (ENGINE, other values ignored)" },
{ "passin", OPT_PASSIN, 's', "Key input pass phrase source" },
{ "pubin", OPT_PUBIN, '-',
"Read only public components from key input" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file for encoded and/or text output"},
{"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"},
{"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"},
{"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private key PEM output"},
{"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"},
{"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"},
{"text", OPT_TEXT, '-', "Output key components in plaintext"},
{"text_pub", OPT_TEXT_PUB, '-',
"Output only public key components in text form"},
{"ec_conv_form", OPT_EC_CONV_FORM, 's',
"Specifies the EC point conversion form in the encoding"},
{"ec_param_enc", OPT_EC_PARAM_ENC, 's',
"Specifies the way the EC parameters are encoded"},
{ "out", OPT_OUT, '>', "Output file for encoded and/or text output" },
{ "outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)" },
{ "", OPT_CIPHER, '-', "Any supported cipher to be used for encryption" },
{ "passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private key PEM output" },
{ "pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components" },
{ "noout", OPT_NOOUT, '-', "Do not output the key in encoded form" },
{ "text", OPT_TEXT, '-', "Output key components in plaintext" },
{ "text_pub", OPT_TEXT_PUB, '-',
"Output only public key components in text form" },
{ "ec_conv_form", OPT_EC_CONV_FORM, 's',
"Specifies the EC point conversion form in the encoding" },
{ "ec_param_enc", OPT_EC_PARAM_ENC, 's',
"Specifies the way the EC parameters are encoded" },
{NULL}
{ NULL }
};
int pkey_main(int argc, char **argv)
@@ -89,7 +103,7 @@ int pkey_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -177,10 +191,10 @@ int pkey_main(int argc, char **argv)
if (text && text_pub)
BIO_printf(bio_err,
"Warning: The -text option is ignored with -text_pub\n");
"Warning: The -text option is ignored with -text_pub\n");
if (traditional && (noout || outformat != FORMAT_PEM))
BIO_printf(bio_err,
"Warning: The -traditional is ignored since there is no PEM output\n");
"Warning: The -traditional is ignored since there is no PEM output\n");
/* -pubout and -text is the same as -text_pub */
if (!text_pub && pubout && text) {
@@ -195,11 +209,11 @@ int pkey_main(int argc, char **argv)
if (cipher == NULL) {
if (passoutarg != NULL)
BIO_printf(bio_err,
"Warning: The -passout option is ignored without a cipher option\n");
"Warning: The -passout option is ignored without a cipher option\n");
} else {
if (noout || outformat != FORMAT_PEM) {
BIO_printf(bio_err,
"Error: Cipher options are supported only for PEM output\n");
"Error: Cipher options are supported only for PEM output\n");
goto end;
}
}
@@ -228,11 +242,11 @@ int pkey_main(int argc, char **argv)
if (asn1_encoding != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
asn1_encoding, 0);
asn1_encoding, 0);
if (point_format != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
*p = OSSL_PARAM_construct_end();
if (EVP_PKEY_set_params(pkey, params) <= 0)
goto end;
@@ -275,19 +289,19 @@ int pkey_main(int argc, char **argv)
assert(private);
if (traditional) {
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, cipher,
NULL, 0, NULL,
passout))
NULL, 0, NULL,
passout))
goto end;
} else {
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout))
NULL, 0, NULL, passout))
goto end;
}
}
} else if (outformat == FORMAT_ASN1) {
if (text || text_pub) {
BIO_printf(bio_err,
"Error: Text output cannot be combined with DER output\n");
"Error: Text output cannot be combined with DER output\n");
goto end;
}
if (pubout) {
@@ -315,7 +329,7 @@ int pkey_main(int argc, char **argv)
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);

32
apps/pkeyparam.c
View File

@@ -18,29 +18,33 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT,
OPT_ENGINE, OPT_CHECK,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_NOOUT,
OPT_ENGINE,
OPT_CHECK,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkeyparam_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"check", OPT_CHECK, '-', "Check key param consistency"},
{ "check", OPT_CHECK, '-', "Check key param consistency" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{ "in", OPT_IN, '<', "Input file" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"text", OPT_TEXT, '-', "Print parameters as text"},
{"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
{ "out", OPT_OUT, '>', "Output file" },
{ "text", OPT_TEXT, '-', "Print parameters as text" },
{ "noout", OPT_NOOUT, '-', "Don't output encoded parameters" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkeyparam_main(int argc, char **argv)
@@ -58,7 +62,7 @@ int pkeyparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -101,7 +105,7 @@ int pkeyparam_main(int argc, char **argv)
if (out == NULL)
goto end;
pkey = PEM_read_bio_Parameters_ex(in, NULL, app_get0_libctx(),
app_get0_propq());
app_get0_propq());
if (pkey == NULL) {
BIO_printf(bio_err, "Error reading parameters\n");
ERR_print_errors(bio_err);
@@ -111,7 +115,7 @@ int pkeyparam_main(int argc, char **argv)
if (check) {
if (e == NULL)
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey,
app_get0_propq());
app_get0_propq());
else
ctx = EVP_PKEY_CTX_new(pkey, e);
if (ctx == NULL) {
@@ -142,7 +146,7 @@ int pkeyparam_main(int argc, char **argv)
ret = EXIT_SUCCESS;
end:
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
release_engine(e);

260
apps/pkeyutl.c
View File

@@ -15,96 +15,121 @@
#include <openssl/evp.h>
#include <sys/stat.h>
#define KEY_NONE 0
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
#define KEY_NONE 0
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int impl, int rawin, EVP_PKEY **ppkey,
EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
OSSL_LIB_CTX *libctx, const char *propq);
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int impl, int rawin, EVP_PKEY **ppkey,
EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
OSSL_LIB_CTX *libctx, const char *propq);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e);
ENGINE *e);
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *psecretlen);
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *psecretlen);
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, int siglen,
unsigned char **out, size_t *poutlen);
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, int siglen,
unsigned char **out, size_t *poutlen);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
OPT_ENGINE,
OPT_ENGINE_IMPL,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_CERTIN,
OPT_ASN1PARSE,
OPT_HEXDUMP,
OPT_SIGN,
OPT_VERIFY,
OPT_VERIFYRECOVER,
OPT_REV,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_DERIVE,
OPT_SIGFILE,
OPT_INKEY,
OPT_PEERKEY,
OPT_PASSIN,
OPT_PEERFORM,
OPT_KEYFORM,
OPT_PKEYOPT,
OPT_PKEYOPT_PASSIN,
OPT_KDF,
OPT_KDFLEN,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_DECAP,
OPT_ENCAP,
OPT_SECOUT,
OPT_KEMOP,
OPT_CONFIG,
OPT_RAWIN, OPT_DIGEST
OPT_RAWIN,
OPT_DIGEST
} OPTION_CHOICE;
const OPTIONS pkeyutl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for crypto operations"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
{ "engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for crypto operations" },
#endif
{"sign", OPT_SIGN, '-', "Sign input data with private key"},
{"verify", OPT_VERIFY, '-', "Verify with public key"},
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys"},
{"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
{"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
{ "sign", OPT_SIGN, '-', "Sign input data with private key" },
{ "verify", OPT_VERIFY, '-', "Verify with public key" },
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key" },
{ "derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys" },
{ "decap", OPT_DECAP, '-', "Decapsulate shared secret" },
{ "encap", OPT_ENCAP, '-', "Encapsulate shared secret" },
OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
{"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
{"inkey", OPT_INKEY, 's', "Input key, by default private key"},
{"pubin", OPT_PUBIN, '-', "Input key is a public key"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
{"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"},
{"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
{"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form" },
{ "inkey", OPT_INKEY, 's', "Input key, by default private key" },
{ "pubin", OPT_PUBIN, '-', "Input key is a public key" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation" },
{ "peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)" },
{ "certin", OPT_CERTIN, '-', "Input is a cert with a public key" },
{ "rev", OPT_REV, '-', "Reverse the order of the input buffer" },
{ "sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)" },
{ "keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
{"asn1parse", OPT_ASN1PARSE, '-',
"parse the output as ASN.1 data to check its DER encoding and print errors"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{"verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify RSA signature, recovering original signature input data"},
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "secret", OPT_SECOUT, '>', "File to store secret on encapsulation" },
{ "asn1parse", OPT_ASN1PARSE, '-',
"parse the output as ASN.1 data to check its DER encoding and print errors" },
{ "hexdump", OPT_HEXDUMP, '-', "Hex dump output" },
{ "verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify RSA signature, recovering original signature input data" },
OPT_SECTION("Signing/Derivation/Encapsulation"),
{"digest", OPT_DIGEST, 's',
"Specify the digest algorithm when signing the raw input data"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
"Public key option that is read as a passphrase argument opt:passphrase"},
{"kdf", OPT_KDF, 's', "Use KDF algorithm"},
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
{"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
{ "digest", OPT_DIGEST, 's',
"Specify the digest algorithm when signing the raw input data" },
{ "pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value" },
{ "pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
"Public key option that is read as a passphrase argument opt:passphrase" },
{ "kdf", OPT_KDF, 's', "Use KDF algorithm" },
{ "kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length" },
{ "kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkeyutl_main(int argc, char **argv)
@@ -141,7 +166,7 @@ int pkeyutl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -247,17 +272,13 @@ int pkeyutl_main(int argc, char **argv)
rev = 1;
break;
case OPT_PKEYOPT:
if ((pkeyopts == NULL &&
(pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
if ((pkeyopts == NULL && (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
BIO_puts(bio_err, "out of memory\n");
goto end;
}
break;
case OPT_PKEYOPT_PASSIN:
if ((pkeyopts_passin == NULL &&
(pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
if ((pkeyopts_passin == NULL && (pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
BIO_puts(bio_err, "out of memory\n");
goto end;
}
@@ -280,41 +301,41 @@ int pkeyutl_main(int argc, char **argv)
if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
BIO_printf(bio_err,
"%s: -rawin can only be used with -sign or -verify\n",
prog);
"%s: -rawin can only be used with -sign or -verify\n",
prog);
goto opthelp;
}
if (digestname != NULL && !rawin) {
BIO_printf(bio_err,
"%s: -digest can only be used with -rawin\n",
prog);
"%s: -digest can only be used with -rawin\n",
prog);
goto opthelp;
}
if (rawin && rev) {
BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n",
prog);
prog);
goto opthelp;
}
if (kdfalg != NULL) {
if (kdflen == 0) {
BIO_printf(bio_err,
"%s: no KDF length given (-kdflen parameter).\n", prog);
"%s: no KDF length given (-kdflen parameter).\n", prog);
goto opthelp;
}
} else if (inkey == NULL) {
BIO_printf(bio_err,
"%s: no private key given (-inkey parameter).\n", prog);
"%s: no private key given (-inkey parameter).\n", prog);
goto opthelp;
} else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) {
BIO_printf(bio_err,
"%s: -peerkey option not allowed without -derive.\n", prog);
"%s: -peerkey option not allowed without -derive.\n", prog);
goto opthelp;
} else if (peerkey == NULL && pkey_op == EVP_PKEY_OP_DERIVE) {
BIO_printf(bio_err,
"%s: missing -peerkey option for -derive operation.\n", prog);
"%s: missing -peerkey option for -derive operation.\n", prog);
goto opthelp;
}
@@ -325,8 +346,8 @@ int pkeyutl_main(int argc, char **argv)
}
}
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
passinarg, pkey_op, e, engine_impl, rawin, &pkey,
mctx, digestname, kemop, libctx, app_get0_propq());
passinarg, pkey_op, e, engine_impl, rawin, &pkey,
mctx, digestname, kemop, libctx, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
goto end;
@@ -344,7 +365,7 @@ int pkeyutl_main(int argc, char **argv)
if (pkey_ctrl_string(ctx, opt) <= 0) {
BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
prog, opt);
prog, opt);
goto end;
}
}
@@ -365,7 +386,7 @@ int pkeyutl_main(int argc, char **argv)
BIO_snprintf(passwd_buf, sizeof(passwd_buf), "Enter %s: ", opt);
r = EVP_read_pw_string(passwd_buf, sizeof(passwd_buf) - 1,
passwd_buf, 0);
passwd_buf, 0);
if (r < 0) {
if (r == -2)
BIO_puts(bio_err, "user abort\n");
@@ -391,7 +412,7 @@ int pkeyutl_main(int argc, char **argv)
if (EVP_PKEY_CTX_ctrl_str(ctx, opt, passwd) <= 0) {
BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
prog, opt);
prog, opt);
OPENSSL_free(passwd);
goto end;
}
@@ -401,13 +422,13 @@ int pkeyutl_main(int argc, char **argv)
if (sigfile != NULL && (pkey_op != EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"%s: Signature file specified for non verify\n", prog);
"%s: Signature file specified for non verify\n", prog);
goto end;
}
if (sigfile == NULL && (pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"%s: No signature file specified for verify\n", prog);
"%s: No signature file specified for verify\n", prog);
goto end;
}
@@ -473,21 +494,21 @@ int pkeyutl_main(int argc, char **argv)
/* Sanity check the input if the input is not raw */
if (!rawin
&& buf_inlen > EVP_MAX_MD_SIZE
&& (pkey_op == EVP_PKEY_OP_SIGN
|| pkey_op == EVP_PKEY_OP_VERIFY)) {
&& buf_inlen > EVP_MAX_MD_SIZE
&& (pkey_op == EVP_PKEY_OP_SIGN
|| pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"Error: The input data looks too long to be a hash\n");
"Error: The input data looks too long to be a hash\n");
goto end;
}
if (pkey_op == EVP_PKEY_OP_VERIFY) {
if (rawin) {
rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen,
NULL, 0);
NULL, 0);
} else {
rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
buf_in, (size_t)buf_inlen);
buf_in, (size_t)buf_inlen);
}
if (rv == 1) {
BIO_puts(out, "Signature Verified Successfully\n");
@@ -500,22 +521,22 @@ int pkeyutl_main(int argc, char **argv)
if (rawin) {
/* rawin allocates the buffer in do_raw_keyop() */
rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0,
&buf_out, (size_t *)&buf_outlen);
&buf_out, (size_t *)&buf_outlen);
} else {
if (kdflen != 0) {
buf_outlen = kdflen;
rv = 1;
} else {
rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
}
if (rv > 0 && buf_outlen != 0) {
buf_out = app_malloc(buf_outlen, "buffer output");
if (secretlen > 0)
secret = app_malloc(secretlen, "secret output");
rv = do_keyop(ctx, pkey_op,
buf_out, (size_t *)&buf_outlen,
buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
buf_out, (size_t *)&buf_outlen,
buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
}
}
if (rv <= 0) {
@@ -539,7 +560,7 @@ int pkeyutl_main(int argc, char **argv)
if (secretlen > 0)
BIO_write(secout, secret, secretlen);
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
EVP_MD_CTX_free(mctx);
@@ -560,11 +581,11 @@ int pkeyutl_main(int argc, char **argv)
}
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
@@ -574,7 +595,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
X509 *x;
if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
|| (pkey_op == EVP_PKEY_OP_DERIVE))
|| (pkey_op == EVP_PKEY_OP_DERIVE))
&& (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
BIO_printf(bio_err, "A private key is needed for this operation\n");
goto end;
@@ -602,7 +623,6 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
case KEY_NONE:
break;
}
#ifndef OPENSSL_NO_ENGINE
@@ -617,7 +637,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
kdfnid = OBJ_ln2nid(kdfalg);
if (kdfnid == NID_undef) {
BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
kdfalg);
kdfalg);
goto end;
}
}
@@ -648,12 +668,12 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
switch (pkey_op) {
case EVP_PKEY_OP_SIGN:
rv = EVP_DigestSignInit_ex(mctx, NULL, digestname, libctx, propq,
pkey, NULL);
pkey, NULL);
break;
case EVP_PKEY_OP_VERIFY:
rv = EVP_DigestVerifyInit_ex(mctx, NULL, digestname, libctx, propq,
pkey, NULL);
pkey, NULL);
break;
}
@@ -702,14 +722,13 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
ctx = NULL;
}
end:
end:
OPENSSL_free(passin);
return ctx;
}
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e)
ENGINE *e)
{
EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
EVP_PKEY *peer = NULL;
@@ -725,8 +744,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
}
if (strcmp(EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey)) != 0) {
BIO_printf(bio_err,
"Type of peer public key: %s does not match type of private key: %s\n",
EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
"Type of peer public key: %s does not match type of private key: %s\n",
EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
ret = 0;
} else {
ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
@@ -737,9 +756,9 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
}
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *pseclen)
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *pseclen)
{
int rv = 0;
switch (pkey_op) {
@@ -770,7 +789,6 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
case EVP_PKEY_OP_DECAPSULATE:
rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen);
break;
}
return rv;
}
@@ -778,9 +796,9 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
#define TBUF_MAXSIZE 2048
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, int siglen,
unsigned char **out, size_t *poutlen)
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, int siglen,
unsigned char **out, size_t *poutlen)
{
int rv = 0;
unsigned char tbuf[TBUF_MAXSIZE];
@@ -789,10 +807,10 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
/* Some algorithms only support oneshot digests */
if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED25519
|| EVP_PKEY_get_id(pkey) == EVP_PKEY_ED448) {
|| EVP_PKEY_get_id(pkey) == EVP_PKEY_ED448) {
if (filesize < 0) {
BIO_printf(bio_err,
"Error: unable to determine file size for oneshot operation\n");
"Error: unable to determine file size for oneshot operation\n");
goto end;
}
mbuf = app_malloc(filesize, "oneshot sign/verify buffer");
@@ -862,7 +880,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
break;
}
end:
end:
OPENSSL_free(mbuf);
return rv;
}

48
apps/prime.c
View File

@@ -15,7 +15,11 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS,
OPT_HEX,
OPT_GENERATE,
OPT_BITS,
OPT_SAFE,
OPT_CHECKS,
OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -28,33 +32,36 @@ static int check_num(const char *s, const int is_hex)
*/
if (is_hex) {
for (i = 0; ('0' <= s[i] && s[i] <= '9')
|| ('A' <= s[i] && s[i] <= 'F')
|| ('a' <= s[i] && s[i] <= 'f'); i++);
|| ('A' <= s[i] && s[i] <= 'F')
|| ('a' <= s[i] && s[i] <= 'f');
i++)
;
} else {
for (i = 0; '0' <= s[i] && s[i] <= '9'; i++);
for (i = 0; '0' <= s[i] && s[i] <= '9'; i++)
;
}
return s[i] == 0;
}
const OPTIONS prime_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"bits", OPT_BITS, 'p', "Size of number in bits"},
{"checks", OPT_CHECKS, 'p', "Number of checks"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "bits", OPT_BITS, 'p', "Size of number in bits" },
{ "checks", OPT_CHECKS, 'p', "Number of checks" },
OPT_SECTION("Output"),
{"hex", OPT_HEX, '-', "Hex output"},
{"generate", OPT_GENERATE, '-', "Generate a prime"},
{"safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime"},
{ "hex", OPT_HEX, '-', "Hex output" },
{ "generate", OPT_GENERATE, '-', "Generate a prime" },
{ "safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"number", 0, 0, "Number(s) to check for primality if not generating"},
{NULL}
{ "number", 0, 0, "Number(s) to check for primality if not generating" },
{ NULL }
};
int prime_main(int argc, char **argv)
@@ -69,7 +76,7 @@ int prime_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -133,7 +140,7 @@ opthelp:
BIO_printf(bio_out, "%s\n", s);
OPENSSL_free(s);
} else {
for ( ; *argv; argv++) {
for (; *argv; argv++) {
int r = check_num(argv[0], hex);
if (r)
@@ -146,14 +153,15 @@ opthelp:
BN_print(bio_out, bn);
BIO_printf(bio_out, " (%s) %s prime\n",
argv[0],
BN_check_prime(bn, NULL, NULL)
? "is" : "is not");
argv[0],
BN_check_prime(bn, NULL, NULL)
? "is"
: "is not");
}
}
ret = 0;
end:
end:
BN_free(bn);
return ret;
}

36
apps/rand.c
View File

@@ -20,30 +20,34 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUT, OPT_ENGINE, OPT_BASE64, OPT_HEX,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_OUT,
OPT_ENGINE,
OPT_BASE64,
OPT_HEX,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rand_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] num[K|M|G|T]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] num[K|M|G|T]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"base64", OPT_BASE64, '-', "Base64 encode output"},
{"hex", OPT_HEX, '-', "Hex encode output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "base64", OPT_BASE64, '-', "Base64 encode output" },
{ "hex", OPT_HEX, '-', "Hex encode output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"num", 0, 0, "Number of bytes to generate"},
{NULL}
{ "num", 0, 0, "Number of bytes to generate" },
{ NULL }
};
int rand_main(int argc, char **argv)
@@ -63,7 +67,7 @@ int rand_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -124,7 +128,7 @@ int rand_main(int argc, char **argv)
*/
while (argv[0][factoridx]) {
if (!isdigit((int)(argv[0][factoridx]))) {
switch(argv[0][factoridx]) {
switch (argv[0][factoridx]) {
case 'K':
shift = 10;
break;
@@ -139,7 +143,7 @@ int rand_main(int argc, char **argv)
break;
default:
BIO_printf(bio_err, "Invalid size suffix %s\n",
&argv[0][factoridx]);
&argv[0][factoridx]);
goto opthelp;
}
break;
@@ -149,7 +153,7 @@ int rand_main(int argc, char **argv)
if (shift != 0 && strlen(&argv[0][factoridx]) != 1) {
BIO_printf(bio_err, "Invalid size suffix %s\n",
&argv[0][factoridx]);
&argv[0][factoridx]);
goto opthelp;
}
}
@@ -164,7 +168,7 @@ int rand_main(int argc, char **argv)
/* check for overflow */
if ((UINT64_MAX >> shift) < (size_t)num) {
BIO_printf(bio_err, "%lu bytes with suffix overflows\n",
num);
num);
goto opthelp;
}
scaled_num = num << shift;
@@ -219,7 +223,7 @@ int rand_main(int argc, char **argv)
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
OPENSSL_free(buf);

172
apps/rehash.c
View File

@@ -11,15 +11,14 @@
#include "apps.h"
#include "progs.h"
#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) || \
(defined(__VMS) && defined(__DECC) && __CRTL_VER >= 80300000)
# include <unistd.h>
# include <stdio.h>
# include <limits.h>
# include <errno.h>
# include <string.h>
# include <ctype.h>
# include <sys/stat.h>
#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) || (defined(__VMS) && defined(__DECC) && __CRTL_VER >= 80300000)
#include <unistd.h>
#include <stdio.h>
#include <limits.h>
#include <errno.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>
/*
* Make sure that the processing of symbol names is treated the same as when
@@ -27,32 +26,32 @@
* include/openssl/__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H),
* but not for internal headers.
*/
# ifdef __VMS
# pragma names save
# pragma names as_is,shortened
# endif
#ifdef __VMS
#pragma names save
#pragma names as_is, shortened
#endif
# include "internal/o_dir.h"
#include "internal/o_dir.h"
# ifdef __VMS
# pragma names restore
# endif
#ifdef __VMS
#pragma names restore
#endif
# include <openssl/evp.h>
# include <openssl/pem.h>
# include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
# ifndef PATH_MAX
# define PATH_MAX 4096
# endif
# define MAX_COLLISIONS 256
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define MAX_COLLISIONS 256
# if defined(OPENSSL_SYS_VXWORKS)
#if defined(OPENSSL_SYS_VXWORKS)
/*
* VxWorks has no symbolic links
*/
# define lstat(path, buf) stat(path, buf)
#define lstat(path, buf) stat(path, buf)
int symlink(const char *target, const char *linkpath)
{
@@ -65,7 +64,7 @@ ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)
errno = ENOSYS;
return -1;
}
# endif
#endif
typedef struct hentry_st {
struct hentry_st *next;
@@ -85,14 +84,16 @@ typedef struct bucket_st {
enum Type {
/* Keep in sync with |suffixes|, below. */
TYPE_CERT=0, TYPE_CRL=1
TYPE_CERT = 0,
TYPE_CRL = 1
};
enum Hash {
HASH_OLD, HASH_NEW, HASH_BOTH
HASH_OLD,
HASH_NEW,
HASH_BOTH
};
static int evpmdsize;
static const EVP_MD *evpmd;
static int remove_links = 1;
@@ -102,7 +103,6 @@ static BUCKET *hash_table[257];
static const char *suffixes[] = { "", "r" };
static const char *extensions[] = { "pem", "crt", "cer", "crl" };
static void bit_set(unsigned char *set, unsigned int bit)
{
set[bit >> 3] |= 1 << (bit & 0x7);
@@ -113,13 +113,12 @@ static int bit_isset(unsigned char *set, unsigned int bit)
return set[bit >> 3] & (1 << (bit & 0x7));
}
/*
* Process an entry; return number of errors.
*/
static int add_entry(enum Type type, unsigned int hash, const char *filename,
const unsigned char *digest, int need_symlink,
unsigned short old_id)
const unsigned char *digest, int need_symlink,
unsigned short old_id)
{
static BUCKET nilbucket;
static HENTRY nilhentry;
@@ -142,9 +141,9 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
for (ep = bp->first_entry; ep; ep = ep->next) {
if (digest && memcmp(digest, ep->digest, (size_t)evpmdsize) == 0) {
BIO_printf(bio_err,
"%s: warning: skipping duplicate %s in %s\n",
opt_getprog(),
type == TYPE_CERT ? "certificate" : "CRL", filename);
"%s: warning: skipping duplicate %s in %s\n",
opt_getprog(),
type == TYPE_CERT ? "certificate" : "CRL", filename);
return 0;
}
if (strcmp(filename, ep->filename) == 0) {
@@ -157,8 +156,8 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
if (ep == NULL) {
if (bp->num_needed >= MAX_COLLISIONS) {
BIO_printf(bio_err,
"%s: error: hash table overflow for %s\n",
opt_getprog(), filename);
"%s: error: hash table overflow for %s\n",
opt_getprog(), filename);
return 1;
}
ep = app_malloc(sizeof(*ep), "collision bucket");
@@ -211,7 +210,8 @@ static int handle_symlink(const char *filename, const char *fullpath)
return -1;
for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--)
if (OPENSSL_strncasecmp(&filename[i],
suffixes[type], strlen(suffixes[type])) == 0)
suffixes[type], strlen(suffixes[type]))
== 0)
break;
i += strlen(suffixes[type]);
@@ -233,7 +233,7 @@ static int handle_symlink(const char *filename, const char *fullpath)
*/
static int do_file(const char *filename, const char *fullpath, enum Hash h)
{
STACK_OF (X509_INFO) *inf = NULL;
STACK_OF(X509_INFO) *inf = NULL;
X509_INFO *x;
const X509_NAME *name = NULL;
BIO *b;
@@ -255,7 +255,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
/* Does it have X.509 data in it? */
if ((b = BIO_new_file(fullpath, "r")) == NULL) {
BIO_printf(bio_err, "%s: error: skipping %s, cannot open file\n",
opt_getprog(), filename);
opt_getprog(), filename);
errs++;
goto end;
}
@@ -266,9 +266,9 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
if (sk_X509_INFO_num(inf) != 1) {
BIO_printf(bio_err,
"%s: warning: skipping %s, "
"it does not contain exactly one certificate or CRL\n",
opt_getprog(), filename);
"%s: warning: skipping %s, "
"it does not contain exactly one certificate or CRL\n",
opt_getprog(), filename);
/* This is not an error. */
goto end;
}
@@ -296,21 +296,20 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
if (name != NULL) {
if (h == HASH_NEW || h == HASH_BOTH) {
int ok;
unsigned long hash_value =
X509_NAME_hash_ex(name,
app_get0_libctx(), app_get0_propq(), &ok);
unsigned long hash_value = X509_NAME_hash_ex(name,
app_get0_libctx(), app_get0_propq(), &ok);
if (ok) {
errs += add_entry(type, hash_value, filename, digest, 1, ~0);
} else {
BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n",
opt_getprog());
opt_getprog());
errs++;
}
}
if ((h == HASH_OLD) || (h == HASH_BOTH))
errs += add_entry(type, X509_NAME_hash_old(name),
filename, digest, 1, ~0);
filename, digest, 1, ~0);
}
end:
@@ -327,17 +326,17 @@ static int ends_with_dirsep(const char *path)
{
if (*path != '\0')
path += strlen(path) - 1;
# if defined __VMS
#if defined __VMS
if (*path == ']' || *path == '>' || *path == ':')
return 1;
# elif defined _WIN32
#elif defined _WIN32
if (*path == '\\')
return 1;
# endif
#endif
return *path == '/';
}
static int sk_strcmp(const char * const *a, const char * const *b)
static int sk_strcmp(const char *const *a, const char *const *b)
{
return strcmp(*a, *b);
}
@@ -381,7 +380,7 @@ static int do_dir(const char *dirname, enum Hash h)
size_t fname_len = strlen(filename);
if ((copy = OPENSSL_strdup(filename)) == NULL
|| sk_OPENSSL_STRING_push(files, copy) == 0) {
|| sk_OPENSSL_STRING_push(files, copy) == 0) {
OPENSSL_free(copy);
OPENSSL_DIR_end(&d);
BIO_puts(bio_err, "out of memory\n");
@@ -401,7 +400,8 @@ static int do_dir(const char *dirname, enum Hash h)
for (n = 0; n < numfiles; ++n) {
filename = sk_OPENSSL_STRING_value(files, n);
if (BIO_snprintf(buf, buflen, "%s%s%s",
dirname, pathsep, filename) >= buflen)
dirname, pathsep, filename)
>= buflen)
continue;
if (lstat(buf, &st) < 0)
continue;
@@ -424,47 +424,47 @@ static int do_dir(const char *dirname, enum Hash h)
if (ep->old_id < bp->num_needed) {
/* Link exists, and is used as-is */
BIO_snprintf(buf, buflen, "%08x.%s%d", bp->hash,
suffixes[bp->type], ep->old_id);
suffixes[bp->type], ep->old_id);
if (verbose)
BIO_printf(bio_out, "link %s -> %s\n",
ep->filename, buf);
ep->filename, buf);
} else if (ep->need_symlink) {
/* New link needed (it may replace something) */
while (bit_isset(idmask, nextid))
nextid++;
BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
dirname, pathsep, bp->hash,
suffixes[bp->type], nextid);
dirname, pathsep, bp->hash,
suffixes[bp->type], nextid);
if (verbose)
BIO_printf(bio_out, "link %s -> %s\n",
ep->filename, &buf[dirlen]);
ep->filename, &buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
errs++;
}
if (symlink(ep->filename, buf) < 0) {
BIO_printf(bio_err,
"%s: Can't symlink %s, %s\n",
opt_getprog(), ep->filename,
strerror(errno));
"%s: Can't symlink %s, %s\n",
opt_getprog(), ep->filename,
strerror(errno));
errs++;
}
bit_set(idmask, nextid);
} else if (remove_links) {
/* Link to be deleted */
BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
dirname, pathsep, bp->hash,
suffixes[bp->type], ep->old_id);
dirname, pathsep, bp->hash,
suffixes[bp->type], ep->old_id);
if (verbose)
BIO_printf(bio_out, "unlink %s\n",
&buf[dirlen]);
&buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
errs++;
}
}
@@ -476,7 +476,7 @@ static int do_dir(const char *dirname, enum Hash h)
hash_table[i] = NULL;
}
err:
err:
sk_OPENSSL_STRING_pop_free(files, str_free);
OPENSSL_free(buf);
return errs;
@@ -484,31 +484,33 @@ static int do_dir(const char *dirname, enum Hash h)
typedef enum OPTION_choice {
OPT_COMMON,
OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE,
OPT_COMPAT,
OPT_OLD,
OPT_N,
OPT_VERBOSE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rehash_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [directory...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [directory...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"h", OPT_HELP, '-', "Display this summary"},
{"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
{"old", OPT_OLD, '-', "Use old-style hash to generate links"},
{"n", OPT_N, '-', "Do not remove existing links"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "h", OPT_HELP, '-', "Display this summary" },
{ "compat", OPT_COMPAT, '-', "Create both new- and old-style hash links" },
{ "old", OPT_OLD, '-', "Use old-style hash to generate links" },
{ "n", OPT_N, '-', "Do not remove existing links" },
OPT_SECTION("Output"),
{"v", OPT_VERBOSE, '-', "Verbose output"},
{ "v", OPT_VERBOSE, '-', "Verbose output" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"directory", 0, 0, "One or more directories to process (optional)"},
{NULL}
{ "directory", 0, 0, "One or more directories to process (optional)" },
{ NULL }
};
int rehash_main(int argc, char **argv)
{
const char *env, *prog;
@@ -574,13 +576,13 @@ int rehash_main(int argc, char **argv)
errs += do_dir(X509_get_default_cert_dir(), h);
}
end:
end:
return errs;
}
#else
const OPTIONS rehash_options[] = {
{NULL}
{ NULL }
};
int rehash_main(int argc, char **argv)

475
apps/req.c
View File

@@ -28,51 +28,51 @@
#include <openssl/lhash.h>
#include <openssl/rsa.h>
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#include <openssl/dsa.h>
#endif
#include "internal/e_os.h" /* For isatty() */
#include "internal/e_os.h" /* For isatty() */
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define DISTINGUISHED_NAME "distinguished_name"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 512
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
#define MIN_KEY_LENGTH 512
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
int mutlirdn, int attribs, unsigned long chtype);
int mutlirdn, int attribs, unsigned long chtype);
static int prompt_info(X509_REQ *req,
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype);
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype);
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
STACK_OF(CONF_VALUE) *attr, int attribs,
unsigned long chtype);
STACK_OF(CONF_VALUE) *attr, int attribs,
unsigned long chtype);
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype);
char *value, int nid, int n_min, int n_max,
unsigned long chtype);
static int add_DN_object(X509_NAME *n, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval);
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval);
static int build_data(char *text, const char *def, char *value,
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2);
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2);
static int req_check_len(int len, int n_min, int n_max);
static int check_end(const char *str, const char *end);
static int join(char buf[], size_t buf_size, const char *name,
const char *tail, const char *desc);
const char *tail, const char *desc);
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine);
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine);
static const char *section = "req";
static CONF *req_conf = NULL;
@@ -81,98 +81,137 @@ static int batch = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT,
OPT_X509, OPT_X509V1, OPT_CA, OPT_CAKEY,
OPT_MULTIVALUE_RDN, OPT_NOT_BEFORE, OPT_NOT_AFTER, OPT_DAYS, OPT_SET_SERIAL,
OPT_COPY_EXTENSIONS, OPT_EXTENSIONS, OPT_REQEXTS, OPT_ADDEXT,
OPT_PRECERT, OPT_MD,
OPT_SECTION, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_KEYGEN_ENGINE,
OPT_KEY,
OPT_PUBKEY,
OPT_NEW,
OPT_CONFIG,
OPT_KEYFORM,
OPT_IN,
OPT_OUT,
OPT_KEYOUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_NEWKEY,
OPT_PKEYOPT,
OPT_SIGOPT,
OPT_VFYOPT,
OPT_BATCH,
OPT_NEWHDR,
OPT_MODULUS,
OPT_VERIFY,
OPT_NOENC,
OPT_NODES,
OPT_NOOUT,
OPT_VERBOSE,
OPT_UTF8,
OPT_NAMEOPT,
OPT_REQOPT,
OPT_SUBJ,
OPT_SUBJECT,
OPT_TEXT,
OPT_X509,
OPT_X509V1,
OPT_CA,
OPT_CAKEY,
OPT_MULTIVALUE_RDN,
OPT_NOT_BEFORE,
OPT_NOT_AFTER,
OPT_DAYS,
OPT_SET_SERIAL,
OPT_COPY_EXTENSIONS,
OPT_EXTENSIONS,
OPT_REQEXTS,
OPT_ADDEXT,
OPT_PRECERT,
OPT_MD,
OPT_SECTION,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS req_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
{ "keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations" },
#endif
{"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F',
"CSR input format to use (PEM or DER; by default try PEM first)"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
{ "in", OPT_IN, '<', "X.509 request input file (default stdin)" },
{ "inform", OPT_INFORM, 'F',
"CSR input format to use (PEM or DER; by default try PEM first)" },
{ "verify", OPT_VERIFY, '-', "Verify self-signature on the request" },
OPT_SECTION("Certificate"),
{"new", OPT_NEW, '-', "New request"},
{"config", OPT_CONFIG, '<', "Request template file"},
{"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
"Output an X.509 certificate structure instead of a cert request"},
{"x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1"},
{"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
{"CAkey", OPT_CAKEY, 's',
"Issuer private key to use with -CA; default is -CA arg"},
{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
{"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"},
{"subject", OPT_SUBJECT, '-',
"Print the subject of the output request or cert"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Deprecated; multi-valued RDNs support is always on."},
{"not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
{"not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
{"days", OPT_DAYS, 'p', "Number of days certificate is valid for"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions from request when using -x509"},
{"extensions", OPT_EXTENSIONS, 's',
"Cert or request extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's', "An alias for -extensions"},
{"addext", OPT_ADDEXT, 's',
"Additional cert extension key=value pair (may be given more than once)"},
{"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
{ "new", OPT_NEW, '-', "New request" },
{ "config", OPT_CONFIG, '<', "Request template file" },
{ "section", OPT_SECTION, 's', "Config section to use (default \"req\")" },
{ "utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)" },
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "reqopt", OPT_REQOPT, 's', "Various request text options" },
{ "text", OPT_TEXT, '-', "Text form of request" },
{ "x509", OPT_X509, '-',
"Output an X.509 certificate structure instead of a cert request" },
{ "x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1" },
{ "CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509" },
{ "CAkey", OPT_CAKEY, 's',
"Issuer private key to use with -CA; default is -CA arg" },
{ OPT_MORE_STR, 1, 1, "(Required by some CA's)" },
{ "subj", OPT_SUBJ, 's', "Set or modify subject of request or cert" },
{ "subject", OPT_SUBJECT, '-',
"Print the subject of the output request or cert" },
{ "multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Deprecated; multi-valued RDNs support is always on." },
{ "not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field" },
{ "not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days" },
{ "days", OPT_DAYS, 'p', "Number of days certificate is valid for" },
{ "set_serial", OPT_SET_SERIAL, 's', "Serial number to use" },
{ "copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions from request when using -x509" },
{ "extensions", OPT_EXTENSIONS, 's',
"Cert or request extension section (override value in config file)" },
{ "reqexts", OPT_REQEXTS, 's', "An alias for -extensions" },
{ "addext", OPT_ADDEXT, 's',
"Additional cert extension key=value pair (may be given more than once)" },
{ "precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)" },
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
{"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"newkey", OPT_NEWKEY, 's',
"Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
{"", OPT_MD, '-', "Any supported digest"},
{ "key", OPT_KEY, 's', "Key for signing, and to include unless -in given" },
{ "keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)" },
{ "pubkey", OPT_PUBKEY, '-', "Output public key" },
{ "keyout", OPT_KEYOUT, '>', "File to write private key to" },
{ "passin", OPT_PASSIN, 's', "Private key and certificate password source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "newkey", OPT_NEWKEY, 's',
"Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>" },
{ "pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value" },
{ "sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form" },
{ "vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form" },
{ "", OPT_MD, '-', "Any supported digest" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"batch", OPT_BATCH, '-',
"Do not ask anything during request generation"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{"noout", OPT_NOOUT, '-', "Do not output REQ"},
{"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
{"modulus", OPT_MODULUS, '-', "RSA modulus"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "batch", OPT_BATCH, '-',
"Do not ask anything during request generation" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "noenc", OPT_NOENC, '-', "Don't encrypt private keys" },
{ "nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated" },
{ "noout", OPT_NOOUT, '-', "Do not output REQ" },
{ "newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines" },
{ "modulus", OPT_MODULUS, '-', "RSA modulus" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
/*
@@ -283,7 +322,7 @@ int req_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -360,7 +399,7 @@ int req_main(int argc, char **argv)
if (pkeyopts == NULL)
pkeyopts = sk_OPENSSL_STRING_new_null();
if (pkeyopts == NULL
|| !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
|| !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
goto opthelp;
break;
case OPT_SIGOPT:
@@ -439,7 +478,7 @@ int req_main(int argc, char **argv)
days = atoi(opt_arg());
if (days <= UNSET_DAYS) {
BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",
prog);
prog);
goto end;
}
break;
@@ -464,7 +503,7 @@ int req_main(int argc, char **argv)
case OPT_COPY_EXTENSIONS:
if (!set_ext_copy(&ext_copy, opt_arg())) {
BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n",
opt_arg());
opt_arg());
goto end;
}
break;
@@ -519,7 +558,7 @@ int req_main(int argc, char **argv)
newreq = 1;
else if (!newreq && isatty(fileno_stdin()))
BIO_printf(bio_err,
"Warning: Will read cert request from stdin since no -in option is given\n");
"Warning: Will read cert request from stdin since no -in option is given\n");
}
if (!app_passwd(passargin, passargout, &passin, &passout)) {
@@ -532,7 +571,7 @@ int req_main(int argc, char **argv)
if (addext_bio != NULL) {
if (verbose)
BIO_printf(bio_err,
"Using additional configuration from -addext options\n");
"Using additional configuration from -addext options\n");
if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
goto end;
}
@@ -547,7 +586,7 @@ int req_main(int argc, char **argv)
if (oid_bio == NULL) {
if (verbose)
BIO_printf(bio_err,
"Problems opening '%s' for extra OIDs\n", p);
"Problems opening '%s' for extra OIDs\n", p);
} else {
OBJ_create_objects(oid_bio);
BIO_free(oid_bio);
@@ -570,7 +609,7 @@ int req_main(int argc, char **argv)
if (extsect == NULL)
extsect = app_conf_try_string(req_conf, section,
gen_x509 ? V3_EXTENSIONS : REQ_EXTENSIONS);
gen_x509 ? V3_EXTENSIONS : REQ_EXTENSIONS);
if (extsect != NULL) {
/* Check syntax of extension section in config file */
X509V3_CTX ctx;
@@ -579,8 +618,8 @@ int req_main(int argc, char **argv)
X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(req_conf, &ctx, extsect, NULL)) {
BIO_printf(bio_err,
"Error checking %s extension section %s\n",
gen_x509 ? "x509" : "request", extsect);
"Error checking %s extension section %s\n",
gen_x509 ? "x509" : "request", extsect);
goto end;
}
}
@@ -597,12 +636,10 @@ int req_main(int argc, char **argv)
}
if (passin == NULL)
passin = nofree_passin =
app_conf_try_string(req_conf, section, "input_password");
passin = nofree_passin = app_conf_try_string(req_conf, section, "input_password");
if (passout == NULL)
passout = nofree_passout =
app_conf_try_string(req_conf, section, "output_password");
passout = nofree_passout = app_conf_try_string(req_conf, section, "output_password");
p = app_conf_try_string(req_conf, section, STRING_MASK);
if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
@@ -624,7 +661,7 @@ int req_main(int argc, char **argv)
}
if (keyalg != NULL && pkey != NULL) {
BIO_printf(bio_err,
"Warning: Not generating key via given -newkey option since -key is given\n");
"Warning: Not generating key via given -newkey option since -key is given\n");
/* Better throw an error in this case */
}
if (newreq && pkey == NULL) {
@@ -642,7 +679,7 @@ int req_main(int argc, char **argv)
|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS")
|| EVP_PKEY_CTX_is_a(genctx, "DSA"))) {
BIO_printf(bio_err, "Private key length too short, needs to be at least %d bits, not %ld.\n",
MIN_KEY_LENGTH, newkey_len);
MIN_KEY_LENGTH, newkey_len);
goto end;
}
@@ -650,17 +687,17 @@ int req_main(int argc, char **argv)
&& (EVP_PKEY_CTX_is_a(genctx, "RSA")
|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS")))
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len);
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len);
#ifndef OPENSSL_NO_DSA
if (EVP_PKEY_CTX_is_a(genctx, "DSA")
&& newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS)
&& newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len);
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len);
#endif
if (pkeyopts != NULL) {
@@ -709,11 +746,10 @@ int req_main(int argc, char **argv)
cipher = NULL;
i = 0;
loop:
loop:
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) ==
PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
ERR_clear_error();
i++;
goto loop;
@@ -730,20 +766,20 @@ int req_main(int argc, char **argv)
* where characters may be escaped by \
*/
if (subj != NULL
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
goto end;
if (!newreq) {
if (keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not placing -key in cert or request since request is used\n");
"Warning: Not placing -key in cert or request since request is used\n");
req = load_csr_autofmt(infile /* if NULL, reads from stdin */,
informat, vfyopts, "X509 request");
informat, vfyopts, "X509 request");
if (req == NULL)
goto end;
} else if (infile != NULL) {
BIO_printf(bio_err,
"Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
"Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
/* Better throw an error in this case, as done in the x509 app */
}
@@ -752,30 +788,32 @@ int req_main(int argc, char **argv)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
"Warning: Ignoring -CAkey option since no -CA option is given\n");
"Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
CAkeyfile != CAfile
? "issuer private key from -CAkey arg"
: "issuer private key from -CA arg")) == NULL)
0, passin, e,
CAkeyfile != CAfile
? "issuer private key from -CAkey arg"
: "issuer private key from -CA arg"))
== NULL)
goto end;
}
}
if (CAfile != NULL) {
if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
"issuer cert from -CA arg")) == NULL)
"issuer cert from -CA arg"))
== NULL)
goto end;
if (!X509_check_private_key(CAcert, CAkey)) {
BIO_printf(bio_err,
"Issuer CA certificate and key do not match\n");
"Issuer CA certificate and key do not match\n");
goto end;
}
}
if (newreq || gen_x509) {
if (CAcert == NULL && pkey == NULL) {
BIO_printf(bio_err, "Must provide a signature key using -key or"
" provide -CA / -CAkey\n");
" provide -CA / -CAkey\n");
goto end;
}
@@ -795,17 +833,16 @@ int req_main(int argc, char **argv)
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;
X509V3_CTX ext_ctx;
X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) :
X509_REQ_get_subject_name(req);
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : X509_REQ_get_subject_name(req);
X509_NAME *n_subj = fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req);
if (CAcert != NULL && keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not using -key or -newkey for signing since -CA option is given\n");
"Warning: Not using -key or -newkey for signing since -CA option is given\n");
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
app_get0_propq()))
== NULL)
goto end;
if (serial != NULL) {
@@ -821,7 +858,7 @@ int req_main(int argc, char **argv)
if (days == UNSET_DAYS)
days = DEFAULT_DAYS;
else if (not_after != NULL)
BIO_printf(bio_err,"Warning: -not_after option overriding -days option\n");
BIO_printf(bio_err, "Warning: -not_after option overriding -days option\n");
if (!set_cert_times(new_x509, not_before, not_after, days, 1))
goto end;
if (!X509_set_subject_name(new_x509, n_subj))
@@ -838,14 +875,14 @@ int req_main(int argc, char **argv)
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
/* prepare fallback for AKID, but only if issuer cert == new_x509 */
if (CAcert == NULL) {
if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
goto end;
if (!cert_matches_key(new_x509, issuer_key))
BIO_printf(bio_err,
"Warning: Signature key and public key of cert do not match\n");
"Warning: Signature key and public key of cert do not match\n");
}
X509V3_set_nconf(&ext_ctx, req_conf);
@@ -853,12 +890,12 @@ int req_main(int argc, char **argv)
if (extsect != NULL
&& !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extsect, new_x509)) {
BIO_printf(bio_err, "Error adding x509 extensions from section %s\n",
extsect);
extsect);
goto end;
}
if (addext_conf != NULL
&& !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
new_x509)) {
new_x509)) {
BIO_printf(bio_err, "Error adding x509 extensions defined via -addext\n");
goto end;
}
@@ -866,14 +903,15 @@ int req_main(int argc, char **argv)
/* If a pre-cert was requested, we need to add a poison extension */
if (precert) {
if (X509_add1_ext_i2d(new_x509, NID_ct_precert_poison,
NULL, 1, 0) != 1) {
NULL, 1, 0)
!= 1) {
BIO_printf(bio_err, "Error adding poison extension\n");
goto end;
}
}
i = do_X509_sign(new_x509, x509v1, issuer_key, digest, sigopts,
&ext_ctx);
&ext_ctx);
if (!i)
goto end;
} else {
@@ -881,7 +919,7 @@ int req_main(int argc, char **argv)
if (precert) {
BIO_printf(bio_err,
"Warning: Ignoring -precert flag since no cert is produced\n");
"Warning: Ignoring -precert flag since no cert is produced\n");
}
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, X509V3_CTX_REPLACE);
@@ -891,12 +929,12 @@ int req_main(int argc, char **argv)
if (extsect != NULL
&& !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, extsect, req)) {
BIO_printf(bio_err, "Error adding request extensions from section %s\n",
extsect);
extsect);
goto end;
}
if (addext_conf != NULL
&& !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
req)) {
req)) {
BIO_printf(bio_err, "Error adding request extensions defined via -addext\n");
goto end;
}
@@ -937,7 +975,7 @@ int req_main(int argc, char **argv)
goto end;
if (i == 0) {
BIO_printf(bio_err, "Certificate request self-signature verify failure\n");
goto end;
goto end;
} else /* i > 0 */
BIO_printf(bio_out, "Certificate request self-signature verify OK\n");
}
@@ -948,9 +986,8 @@ int req_main(int argc, char **argv)
}
out = bio_open_default(outfile,
keyout != NULL && outfile != NULL &&
strcmp(keyout, outfile) == 0 ? 'a' : 'w',
outformat);
keyout != NULL && outfile != NULL && strcmp(keyout, outfile) == 0 ? 'a' : 'w',
outformat);
if (out == NULL)
goto end;
@@ -980,9 +1017,7 @@ int req_main(int argc, char **argv)
}
if (subject) {
print_name(out, "subject=", gen_x509
? X509_get_subject_name(new_x509)
: X509_REQ_get_subject_name(req));
print_name(out, "subject=", gen_x509 ? X509_get_subject_name(new_x509) : X509_REQ_get_subject_name(req));
}
if (modulus) {
@@ -1033,7 +1068,7 @@ int req_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret) {
ERR_print_errors(bio_err);
}
@@ -1067,7 +1102,7 @@ int req_main(int argc, char **argv)
}
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
int multirdn, int attribs, unsigned long chtype)
int multirdn, int attribs, unsigned long chtype)
{
int ret = 0, i;
char no_prompt = 0;
@@ -1106,7 +1141,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
else
i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
chtype);
chtype);
if (!i)
goto err;
@@ -1114,14 +1149,14 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
goto err;
ret = 1;
err:
err:
return ret;
}
static int prompt_info(X509_REQ *req,
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype)
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype)
{
int i;
char *p, *q;
@@ -1135,22 +1170,22 @@ static int prompt_info(X509_REQ *req,
if (!batch) {
BIO_printf(bio_err,
"You are about to be asked to enter information that will be incorporated\n");
"You are about to be asked to enter information that will be incorporated\n");
BIO_printf(bio_err, "into your certificate request.\n");
BIO_printf(bio_err,
"What you are about to enter is what is called a Distinguished Name or a DN.\n");
"What you are about to enter is what is called a Distinguished Name or a DN.\n");
BIO_printf(bio_err,
"There are quite a few fields but you can leave some blank\n");
"There are quite a few fields but you can leave some blank\n");
BIO_printf(bio_err,
"For some fields there will be a default value,\n");
"For some fields there will be a default value,\n");
BIO_printf(bio_err,
"If you enter '.', the field will be left blank.\n");
"If you enter '.', the field will be left blank.\n");
BIO_printf(bio_err, "-----\n");
}
if (sk_CONF_VALUE_num(dn_sk)) {
i = -1;
start:
start:
for (;;) {
i++;
if (sk_CONF_VALUE_num(dn_sk) <= i)
@@ -1159,8 +1194,7 @@ static int prompt_info(X509_REQ *req,
v = sk_CONF_VALUE_value(dn_sk, i);
p = q = NULL;
type = v->name;
if (!check_end(type, "_min") || !check_end(type, "_max") ||
!check_end(type, "_default") || !check_end(type, "_value"))
if (!check_end(type, "_min") || !check_end(type, "_max") || !check_end(type, "_default") || !check_end(type, "_value"))
continue;
/*
* Skip past any leading X. X: X, etc to allow for multiple
@@ -1203,7 +1237,7 @@ static int prompt_info(X509_REQ *req,
n_max = -1;
if (!add_DN_object(subj, v->value, def, value, nid,
n_min, n_max, chtype, mval))
n_min, n_max, chtype, mval))
return 0;
}
if (X509_NAME_entry_count(subj) == 0) {
@@ -1215,13 +1249,13 @@ static int prompt_info(X509_REQ *req,
if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
&& (!batch)) {
BIO_printf(bio_err,
"\nPlease enter the following 'extra' attributes\n");
"\nPlease enter the following 'extra' attributes\n");
BIO_printf(bio_err,
"to be sent with your certificate request\n");
"to be sent with your certificate request\n");
}
i = -1;
start2:
start2:
for (;;) {
i++;
if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
@@ -1253,8 +1287,8 @@ static int prompt_info(X509_REQ *req,
n_max = -1;
if (!add_attribute_object(req,
v->value, def, value, nid, n_min,
n_max, chtype))
v->value, def, value, nid, n_min,
n_max, chtype))
return 0;
}
}
@@ -1264,12 +1298,11 @@ static int prompt_info(X509_REQ *req,
}
return 1;
}
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
STACK_OF(CONF_VALUE) *attr_sk, int attribs,
unsigned long chtype)
STACK_OF(CONF_VALUE) *attr_sk, int attribs,
unsigned long chtype)
{
int i, spec_char, plus_char;
char *p, *q;
@@ -1292,7 +1325,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
spec_char = (*p == ':' || *p == ',' || *p == '.');
#else
spec_char = (*p == os_toascii[':'] || *p == os_toascii[',']
|| *p == os_toascii['.']);
|| *p == os_toascii['.']);
#endif
if (spec_char) {
p++;
@@ -1313,10 +1346,9 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
mval = 0;
}
if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
(unsigned char *)v->value, -1, -1,
mval))
(unsigned char *)v->value, -1, -1,
mval))
return 0;
}
if (!X509_NAME_entry_count(subj)) {
@@ -1327,7 +1359,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
v = sk_CONF_VALUE_value(attr_sk, i);
if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
(unsigned char *)v->value, -1))
(unsigned char *)v->value, -1))
return 0;
}
}
@@ -1335,40 +1367,40 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
}
static int add_DN_object(X509_NAME *n, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval)
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval)
{
int ret = 0;
char buf[1024];
ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
"DN value", "DN default");
"DN value", "DN default");
if ((ret == 0) || (ret == 1))
return ret;
ret = 1;
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
(unsigned char *)buf, -1, -1, mval))
(unsigned char *)buf, -1, -1, mval))
ret = 0;
return ret;
}
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
char *value, int nid, int n_min,
int n_max, unsigned long chtype)
char *value, int nid, int n_min,
int n_max, unsigned long chtype)
{
int ret = 0;
char buf[1024];
ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
"Attribute value", "Attribute default");
"Attribute value", "Attribute default");
if ((ret == 0) || (ret == 1))
return ret;
ret = 1;
if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
(unsigned char *)buf, -1)) {
(unsigned char *)buf, -1)) {
BIO_printf(bio_err, "Error adding attribute\n");
ret = 0;
}
@@ -1377,11 +1409,11 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def,
}
static int build_data(char *text, const char *def, char *value,
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2)
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2)
{
int i;
start:
start:
if (!batch)
BIO_printf(bio_err, "%s [%s]:", text, def);
(void)BIO_flush(bio_err);
@@ -1432,12 +1464,12 @@ static int req_check_len(int len, int n_min, int n_max)
{
if (n_min > 0 && len < n_min) {
BIO_printf(bio_err,
"String too short, must be at least %d bytes long\n", n_min);
"String too short, must be at least %d bytes long\n", n_min);
return 0;
}
if (n_max >= 0 && len > n_max) {
BIO_printf(bio_err,
"String too long, must be at most %d bytes long\n", n_max);
"String too long, must be at most %d bytes long\n", n_max);
return 0;
}
return 1;
@@ -1462,7 +1494,7 @@ static int check_end(const char *str, const char *end)
* overflow and producing an error message if there is.
*/
static int join(char buf[], size_t buf_size, const char *name,
const char *tail, const char *desc)
const char *tail, const char *desc)
{
const size_t name_len = strlen(name), tail_len = strlen(tail);
@@ -1476,8 +1508,8 @@ static int join(char buf[], size_t buf_size, const char *name,
}
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine)
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine)
{
EVP_PKEY_CTX *gctx = NULL;
EVP_PKEY *param = NULL;
@@ -1513,8 +1545,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
expect_paramfile = 1;
if (p == NULL) {
BIO_printf(bio_err,
"Parameter file requested but no path given: %s\n",
gstr);
"Parameter file requested but no path given: %s\n",
gstr);
return NULL;
}
} else {
@@ -1597,19 +1629,19 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
gctx = EVP_PKEY_CTX_new(param, keygen_engine);
else
gctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
param, app_get0_propq());
param, app_get0_propq());
*pkeylen = EVP_PKEY_get_bits(param);
EVP_PKEY_free(param);
} else {
if (keygen_engine != NULL) {
int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype,
keygen_engine);
keygen_engine);
if (pkey_id != NID_undef)
gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine);
} else {
gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(),
*pkeytype, app_get0_propq());
*pkeytype, app_get0_propq());
}
}
@@ -1623,16 +1655,14 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
EVP_PKEY_CTX_free(gctx);
return NULL;
}
if (keylen == -1 && (EVP_PKEY_CTX_is_a(gctx, "RSA")
|| EVP_PKEY_CTX_is_a(gctx, "RSA-PSS")))
if (keylen == -1 && (EVP_PKEY_CTX_is_a(gctx, "RSA") || EVP_PKEY_CTX_is_a(gctx, "RSA-PSS")))
keylen = *pkeylen;
if (keylen != -1) {
OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
size_t bits = keylen;
params[0] =
OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_BITS, &bits);
params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_BITS, &bits);
if (EVP_PKEY_CTX_set_params(gctx, params) <= 0) {
BIO_puts(bio_err, "Error setting keysize\n");
EVP_PKEY_CTX_free(gctx);
@@ -1642,4 +1672,3 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
return gctx;
}

103
apps/rsa.c
View File

@@ -34,63 +34,78 @@
#include <openssl/core_dispatch.h>
#ifndef OPENSSL_NO_RC4
# define DEFAULT_PVK_ENCR_STRENGTH 2
#define DEFAULT_PVK_ENCR_STRENGTH 2
#else
# define DEFAULT_PVK_ENCR_STRENGTH 0
#define DEFAULT_PVK_ENCR_STRENGTH 0
#endif
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN,
OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT,
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_PASSOUT,
OPT_PASSIN,
OPT_RSAPUBKEY_IN,
OPT_RSAPUBKEY_OUT,
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
OPT_PROV_ENUM, OPT_TRADITIONAL
OPT_PVK_NONE,
OPT_PVK_WEAK,
OPT_PVK_STRONG,
OPT_NOOUT,
OPT_TEXT,
OPT_MODULUS,
OPT_CHECK,
OPT_CIPHER,
OPT_PROV_ENUM,
OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS rsa_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"check", OPT_CHECK, '-', "Verify key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "check", OPT_CHECK, '-', "Verify key consistency" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, 's', "Input file" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
{"pubout", OPT_PUBOUT, '-', "Output a public key"},
{"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK" },
{ "pubout", OPT_PUBOUT, '-', "Output a public key" },
{ "RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key in text" },
{ "modulus", OPT_MODULUS, '-', "Print the RSA key modulus" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys" },
#ifndef OPENSSL_NO_RC4
OPT_SECTION("PVK"),
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
{ "pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)" },
{ "pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level" },
{ "pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding" },
#endif
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
static int try_legacy_encoding(EVP_PKEY *pkey, int outformat, int pubout,
BIO *out)
BIO *out)
{
int ret = 0;
#ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -109,10 +124,10 @@ static int try_legacy_encoding(EVP_PKEY *pkey, int outformat, int pubout,
ret = PEM_write_bio_RSAPublicKey(out, rsa) > 0;
else
ret = PEM_write_bio_RSA_PUBKEY(out, rsa) > 0;
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
ret = i2b_PublicKey_bio(out, pkey) > 0;
# endif
#endif
}
#endif
@@ -145,7 +160,7 @@ int rsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -187,9 +202,9 @@ int rsa_main(int argc, char **argv)
case OPT_RSAPUBKEY_OUT:
pubout = 2;
break;
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
pvk_encr = (o - OPT_PVK_NONE);
break;
case OPT_NOOUT:
@@ -338,7 +353,7 @@ int rsa_main(int argc, char **argv)
} else {
assert(private);
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
}
/* For DER based output, select the desired output structure */
@@ -359,8 +374,8 @@ int rsa_main(int argc, char **argv)
/* Now, perform the encoding */
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection,
output_type, output_structure,
NULL);
output_type, output_structure,
NULL);
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
if ((!pubout && !pubin)
|| !try_legacy_encoding(pkey, outformat, pubout, out))
@@ -380,8 +395,8 @@ int rsa_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
/* PVK is a bit special... */
@@ -401,7 +416,7 @@ int rsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
OSSL_ENCODER_CTX_free(ectx);
release_engine(e);
BIO_free_all(out);

91
apps/rsautl.c
View File

@@ -16,57 +16,73 @@
#include <openssl/pem.h>
#include <openssl/rsa.h>
#define RSA_SIGN 1
#define RSA_VERIFY 2
#define RSA_ENCRYPT 3
#define RSA_DECRYPT 4
#define RSA_SIGN 1
#define RSA_VERIFY 2
#define RSA_ENCRYPT 3
#define RSA_DECRYPT 4
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP,
OPT_RSA_RAW, OPT_OAEP, OPT_PKCS, OPT_X931,
OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_ASN1PARSE,
OPT_HEXDUMP,
OPT_RSA_RAW,
OPT_OAEP,
OPT_PKCS,
OPT_X931,
OPT_SIGN,
OPT_VERIFY,
OPT_REV,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_PUBIN,
OPT_CERTIN,
OPT_INKEY,
OPT_PASSIN,
OPT_KEYFORM,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rsautl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"sign", OPT_SIGN, '-', "Sign with private key"},
{"verify", OPT_VERIFY, '-', "Verify with public key"},
{"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "sign", OPT_SIGN, '-', "Sign with private key" },
{ "verify", OPT_VERIFY, '-', "Verify with public key" },
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt with public key" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt with private key" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inkey", OPT_INKEY, 's', "Input key, by default an RSA private key"},
{"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"pubin", OPT_PUBIN, '-', "Input key is an RSA public pkey"},
{"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, '<', "Input file" },
{ "inkey", OPT_INKEY, 's', "Input key, by default an RSA private key" },
{ "keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)" },
{ "pubin", OPT_PUBIN, '-', "Input key is an RSA public pkey" },
{ "certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key" },
{ "rev", OPT_REV, '-', "Reverse the order of the input buffer" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"raw", OPT_RSA_RAW, '-', "Use no padding"},
{"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
{"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
{"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
{"asn1parse", OPT_ASN1PARSE, '-',
"Run output through asn1parse; useful with -verify"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "raw", OPT_RSA_RAW, '-', "Use no padding" },
{ "pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)" },
{ "x931", OPT_X931, '-', "Use ANSI X9.31 padding" },
{ "oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP" },
{ "asn1parse", OPT_ASN1PARSE, '-',
"Run output through asn1parse; useful with -verify" },
{ "hexdump", OPT_HEXDUMP, '-', "Hex dump output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int rsautl_main(int argc, char **argv)
@@ -90,7 +106,7 @@ int rsautl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -245,7 +261,8 @@ int rsautl_main(int argc, char **argv)
rv = EVP_PKEY_verify_recover_init(ctx) > 0
&& EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0
&& EVP_PKEY_verify_recover(ctx, rsa_out, &rsa_outlen,
rsa_in, rsa_inlen) > 0;
rsa_in, rsa_inlen)
> 0;
break;
case RSA_SIGN:
rv = EVP_PKEY_sign_init(ctx) > 0
@@ -279,7 +296,7 @@ int rsautl_main(int argc, char **argv)
} else {
BIO_write(out, rsa_out, rsa_outlen);
}
end:
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
release_engine(e);

1875
apps/s_client.c
View File

File diff suppressed because it is too large Load Diff

929
apps/s_server.c
View File

File diff suppressed because it is too large Load Diff

148
apps/s_time.c
View File

@@ -24,10 +24,10 @@
#include <openssl/err.h>
#include "internal/sockets.h"
#if !defined(OPENSSL_SYS_MSDOS)
# include <unistd.h>
#include <unistd.h>
#endif
#define SSL_CONNECT_NAME "localhost:4433"
#define SSL_CONNECT_NAME "localhost:4433"
#define SECONDS 30
#define SECONDSSTR "30"
@@ -44,68 +44,86 @@ static const size_t fmt_http_get_cmd_size = sizeof(fmt_http_get_cmd) - 2;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY,
OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
OPT_CONNECT,
OPT_CIPHER,
OPT_CIPHERSUITES,
OPT_CERT,
OPT_NAMEOPT,
OPT_KEY,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_NEW,
OPT_REUSE,
OPT_BUGS,
OPT_VERIFY,
OPT_TIME,
OPT_SSL3,
OPT_WWW,
OPT_TLS1,
OPT_TLS1_1,
OPT_TLS1_2,
OPT_TLS1_3,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS s_time_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Connection"),
{"connect", OPT_CONNECT, 's',
"Where to connect as post:port (default is " SSL_CONNECT_NAME ")"},
{"new", OPT_NEW, '-', "Just time new connections"},
{"reuse", OPT_REUSE, '-', "Just time connection reuse"},
{"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
{"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"},
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Specify TLSv1.3 ciphersuites to be used"},
{ "connect", OPT_CONNECT, 's',
"Where to connect as post:port (default is " SSL_CONNECT_NAME ")" },
{ "new", OPT_NEW, '-', "Just time new connections" },
{ "reuse", OPT_REUSE, '-', "Just time connection reuse" },
{ "bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility" },
{ "cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used" },
{ "ciphersuites", OPT_CIPHERSUITES, 's',
"Specify TLSv1.3 ciphersuites to be used" },
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
{ "ssl3", OPT_SSL3, '-', "Just use SSLv3" },
#endif
#ifndef OPENSSL_NO_TLS1
{"tls1", OPT_TLS1, '-', "Just use TLSv1.0"},
{ "tls1", OPT_TLS1, '-', "Just use TLSv1.0" },
#endif
#ifndef OPENSSL_NO_TLS1_1
{"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
{ "tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1" },
#endif
#ifndef OPENSSL_NO_TLS1_2
{"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
{ "tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2" },
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
{ "tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3" },
#endif
{"verify", OPT_VERIFY, 'p',
"Turn on peer certificate verification, set depth"},
{"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
{"www", OPT_WWW, 's', "Fetch specified page from the site"},
{ "verify", OPT_VERIFY, 'p',
"Turn on peer certificate verification, set depth" },
{ "time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR },
{ "www", OPT_WWW, 's', "Fetch specified page from the site" },
OPT_SECTION("Certificate"),
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store URI"},
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "cert", OPT_CERT, '<', "Cert file to use, PEM format assumed" },
{ "key", OPT_KEY, '<', "File with key, PEM; default is -cert file" },
{ "cafile", OPT_CAFILE, '<', "PEM format file of CA's" },
{ "CAfile", OPT_CAFILE, '<', "PEM format file of CA's" },
{ "CApath", OPT_CAPATH, '/', "PEM format directory of CA's" },
{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store URI" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
#define START 0
#define STOP 1
#define START 0
#define STOP 1
static double tm_Time_F(int s)
{
@@ -137,7 +155,7 @@ int s_time_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -156,7 +174,7 @@ int s_time_main(int argc, char **argv)
case OPT_VERIFY:
verify_args.depth = opt_int_arg();
BIO_printf(bio_err, "%s: verify depth is %d\n",
prog, verify_args.depth);
prog, verify_args.depth);
break;
case OPT_CERT:
certfile = opt_arg();
@@ -259,7 +277,7 @@ int s_time_main(int argc, char **argv)
goto end;
if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) {
CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
@@ -281,7 +299,7 @@ int s_time_main(int argc, char **argv)
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
@@ -310,19 +328,17 @@ int s_time_main(int argc, char **argv)
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);
/*
* Now loop and time connections using the same session id over and over
*/
next:
next:
if (!(perform & 2)) {
ret = 0;
goto end;
@@ -364,7 +380,7 @@ int s_time_main(int argc, char **argv)
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
@@ -391,19 +407,17 @@ int s_time_main(int argc, char **argv)
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
if (nConn > 0)
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
else
printf("0 connections in %ld real seconds\n",
(long)time(NULL) - finishtime + maxtime);
(long)time(NULL) - finishtime + maxtime);
ret = 0;
end:
end:
SSL_free(scon);
SSL_CTX_free(ctx);
return ret;
@@ -422,7 +436,7 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
return NULL;
if (BIO_set_conn_hostname(conn, host) <= 0
|| BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) <= 0) {
|| BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) <= 0) {
BIO_free(conn);
return NULL;
}
@@ -456,7 +470,7 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
BIO_printf(bio_err, "ERROR\n");
if (verify_args.error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_args.error));
X509_verify_cert_error_string(verify_args.error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
@@ -469,12 +483,12 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
struct linger no_linger;
int fd;
no_linger.l_onoff = 1;
no_linger.l_onoff = 1;
no_linger.l_linger = 0;
fd = SSL_get_fd(serverCon);
if (fd >= 0)
(void)setsockopt(fd, SOL_SOCKET, SO_LINGER, (char*)&no_linger,
sizeof(no_linger));
(void)setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&no_linger,
sizeof(no_linger));
}
#endif

42
apps/sess_id.c
View File

@@ -20,27 +20,33 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_CERT,
OPT_NOOUT,
OPT_CONTEXT
} OPTION_CHOICE;
const OPTIONS sess_id_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"context", OPT_CONTEXT, 's', "Set the session ID context"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "context", OPT_CONTEXT, 's', "Set the session ID context" },
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
{ "in", OPT_IN, 's', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (PEM, DER or NSS)"},
{"text", OPT_TEXT, '-', "Print ssl session id details"},
{"cert", OPT_CERT, '-', "Output certificate "},
{"noout", OPT_NOOUT, '-', "Don't output the encoded session info"},
{NULL}
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "outform", OPT_OUTFORM, 'f',
"Output format - default PEM (PEM, DER or NSS)" },
{ "text", OPT_TEXT, '-', "Print ssl session id details" },
{ "cert", OPT_CERT, '-', "Output certificate " },
{ "noout", OPT_NOOUT, '-', "Don't output the encoded session info" },
{ NULL }
};
static SSL_SESSION *load_sess_id(char *file, int format);
@@ -60,7 +66,7 @@ int sess_id_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -73,7 +79,7 @@ int sess_id_main(int argc, char **argv)
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_NSS,
&outformat))
&outformat))
goto opthelp;
break;
case OPT_IN:
@@ -114,7 +120,7 @@ int sess_id_main(int argc, char **argv)
goto end;
}
if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context,
ctx_len)) {
ctx_len)) {
BIO_printf(bio_err, "Error setting id context\n");
goto end;
}
@@ -167,7 +173,7 @@ int sess_id_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
BIO_free_all(out);
SSL_SESSION_free(x);
return ret;
@@ -191,7 +197,7 @@ static SSL_SESSION *load_sess_id(char *infile, int format)
goto end;
}
end:
end:
BIO_free(in);
return x;
}

225
apps/smime.c
View File

@@ -22,114 +22,149 @@
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int smime_cb(int ok, X509_STORE_CTX *ctx);
#define SMIME_OP 0x10
#define SMIME_IP 0x20
#define SMIME_SIGNERS 0x40
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
#define SMIME_OP 0x10
#define SMIME_IP 0x20
#define SMIME_SIGNERS 0x40
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY,
OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN,
OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP,
OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF,
OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN,
OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_SIGN,
OPT_RESIGN,
OPT_VERIFY,
OPT_PK7OUT,
OPT_TEXT,
OPT_NOINTERN,
OPT_NOVERIFY,
OPT_NOCHAIN,
OPT_NOCERTS,
OPT_NOATTR,
OPT_NODETACH,
OPT_NOSMIMECAP,
OPT_BINARY,
OPT_NOSIGS,
OPT_STREAM,
OPT_INDEF,
OPT_NOINDEF,
OPT_CRLFEOL,
OPT_ENGINE,
OPT_PASSIN,
OPT_TO,
OPT_FROM,
OPT_SUBJECT,
OPT_SIGNER,
OPT_RECIP,
OPT_MD,
OPT_CIPHER,
OPT_INKEY,
OPT_KEYFORM,
OPT_CERTFILE,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAFILE,
OPT_NOCAPATH,
OPT_NOCASTORE,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_CONFIG,
OPT_V_ENUM,
OPT_IN, OPT_INFORM, OPT_OUT,
OPT_OUTFORM, OPT_CONTENT
OPT_IN,
OPT_INFORM,
OPT_OUT,
OPT_OUTFORM,
OPT_CONTENT
} OPTION_CHOICE;
const OPTIONS smime_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER" },
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER" },
{ "inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)" },
{ "keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"stream", OPT_STREAM, '-', "Enable CMS streaming" },
{"indef", OPT_INDEF, '-', "Same as -stream" },
{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{ "stream", OPT_STREAM, '-', "Enable CMS streaming" },
{ "indef", OPT_INDEF, '-', "Same as -stream" },
{ "noindef", OPT_NOINDEF, '-', "Disable CMS streaming" },
OPT_CONFIG_OPTION,
OPT_SECTION("Action"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"},
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt message" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message" },
{ "sign", OPT_SIGN, '-', "Sign message" },
{ "resign", OPT_RESIGN, '-', "Resign a signed message" },
{ "verify", OPT_VERIFY, '-', "Verify signed message" },
{ "pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure" },
OPT_SECTION("Signing/Encryption"),
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{"nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"nocerts", OPT_NOCERTS, '-',
"Don't include signers certificate when signing"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "md", OPT_MD, 's', "Digest algorithm to use when signing or resigning" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
{ "nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer" },
{ "nodetach", OPT_NODETACH, '-', "Use opaque signing" },
{ "noattr", OPT_NOATTR, '-', "Don't include any signed attributes" },
{ "binary", OPT_BINARY, '-', "Don't translate message to text" },
{ "signer", OPT_SIGNER, 's', "Signer certificate file" },
{ "content", OPT_CONTENT, '<',
"Supply or override content for detached signature" },
{ "nocerts", OPT_NOCERTS, '-',
"Don't include signers certificate when signing" },
OPT_SECTION("Verification/Decryption"),
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
{ "nosigs", OPT_NOSIGS, '-', "Don't verify message signature" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate" },
{"certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing"},
{OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying"},
{"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
{ "certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing" },
{ OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying" },
{ "recip", OPT_RECIP, '<', "Recipient certificate file for decryption" },
OPT_SECTION("Email"),
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
{ "to", OPT_TO, 's', "To address" },
{ "from", OPT_FROM, 's', "From address" },
{ "subject", OPT_SUBJECT, 's', "Subject" },
{ "text", OPT_TEXT, '-', "Include or delete text MIME headers" },
{ "nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute" },
OPT_SECTION("Certificate chain"),
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
{ "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
{ "nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{ "crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only" },
OPT_R_OPTIONS,
OPT_V_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cert", 0, 0, "Recipient certs, used when encrypting"},
{NULL}
{ "cert", 0, 0, "Recipient certs, used when encrypting" },
{ NULL }
};
static const char *operation_name(int operation)
@@ -152,11 +187,10 @@ static const char *operation_name(int operation)
}
}
#define SET_OPERATION(op) \
((operation != 0 && (operation != (op))) \
? 0 * BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", \
prog, operation_name(op), operation_name(operation)) \
: (operation = (op)))
#define SET_OPERATION(op) \
((operation != 0 && (operation != (op))) \
? 0 * BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", prog, operation_name(op), operation_name(operation)) \
: (operation = (op)))
int smime_main(int argc, char **argv)
{
@@ -179,8 +213,7 @@ int smime_main(int argc, char **argv)
OPTION_CHOICE o;
int noCApath = 0, noCAfile = 0, noCAstore = 0;
int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
FORMAT_UNDEF;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = FORMAT_UNDEF;
int vpmtouched = 0, rv = 0;
ENGINE *e = NULL;
const char *mime_eol = "\n";
@@ -195,7 +228,7 @@ int smime_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -342,7 +375,7 @@ int smime_main(int argc, char **argv)
if (keyfile != NULL) {
if (signerfile == NULL) {
BIO_printf(bio_err,
"%s: Must have -signer before -inkey\n", prog);
"%s: Must have -signer before -inkey\n", prog);
goto opthelp;
}
if (sksigners == NULL
@@ -407,14 +440,14 @@ int smime_main(int argc, char **argv)
goto opthelp;
}
if (!opt_cipher_any(ciphername, &cipher))
goto opthelp;
goto opthelp;
if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto opthelp;
}
if (!operation) {
BIO_puts(bio_err,
"No operation (-encrypt|-sign|...) specified\n");
"No operation (-encrypt|-sign|...) specified\n");
goto opthelp;
}
@@ -446,7 +479,7 @@ int smime_main(int argc, char **argv)
} else if (operation == SMIME_DECRYPT) {
if (recipfile == NULL && keyfile == NULL) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
"No recipient certificate or key specified\n");
goto opthelp;
}
} else if (operation == SMIME_ENCRYPT) {
@@ -490,7 +523,7 @@ int smime_main(int argc, char **argv)
goto end;
while (*argv != NULL) {
cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -509,7 +542,8 @@ int smime_main(int argc, char **argv)
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
"recipient certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -573,7 +607,8 @@ int smime_main(int argc, char **argv)
if (operation == SMIME_VERIFY) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
X509_STORE_set_verify_cb(store, smime_cb);
if (vpmtouched)
@@ -691,7 +726,7 @@ int smime_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret)
ERR_print_errors(bio_err);
OSSL_STACK_OF_X509_free(encerts);

1593
apps/speed.c
View File

File diff suppressed because it is too large Load Diff

56
apps/spkac.c
View File

@@ -22,38 +22,48 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
OPT_SPKSECT, OPT_KEYFORM, OPT_DIGEST,
OPT_NOOUT,
OPT_PUBKEY,
OPT_VERIFY,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
OPT_KEY,
OPT_CHALLENGE,
OPT_PASSIN,
OPT_SPKAC,
OPT_SPKSECT,
OPT_KEYFORM,
OPT_DIGEST,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS spkac_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"spksect", OPT_SPKSECT, 's',
"Specify the name of an SPKAC-dedicated section of configuration"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "spksect", OPT_SPKSECT, 's',
"Specify the name of an SPKAC-dedicated section of configuration" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"key", OPT_KEY, '<', "Create SPKAC using private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"challenge", OPT_CHALLENGE, 's', "Challenge string"},
{"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
{ "in", OPT_IN, '<', "Input file" },
{ "key", OPT_KEY, '<', "Create SPKAC using private key" },
{ "keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "challenge", OPT_CHALLENGE, 's', "Challenge string" },
{ "spkac", OPT_SPKAC, 's', "Alternative SPKAC name" },
OPT_SECTION("Output"),
{"digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},
{ "digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
{ "out", OPT_OUT, '>', "Output file" },
{ "noout", OPT_NOOUT, '-', "Don't print SPKAC" },
{ "pubkey", OPT_PUBKEY, '-', "Output public key" },
{ "verify", OPT_VERIFY, '-', "Verify SPKAC signature" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int spkac_main(int argc, char **argv)
@@ -78,7 +88,7 @@ int spkac_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -146,7 +156,7 @@ int spkac_main(int argc, char **argv)
goto end;
pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
keyformat, 1, passin, e, "private key");
keyformat, 1, passin, e, "private key");
if (pkey == NULL)
goto end;
spki = NETSCAPE_SPKI_new();
@@ -154,7 +164,7 @@ int spkac_main(int argc, char **argv)
goto end;
if (challenge != NULL
&& !ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)strlen(challenge)))
challenge, (int)strlen(challenge)))
goto end;
if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
BIO_printf(bio_err, "Error setting public key\n");
@@ -221,7 +231,7 @@ int spkac_main(int argc, char **argv)
ret = 0;
end:
end:
EVP_MD_free(md);
NCONF_free(conf);
NETSCAPE_SPKI_free(spki);

192
apps/srp.c
View File

@@ -28,12 +28,11 @@
#include "apps.h"
#include "progs.h"
#define BASE_SECTION "srp"
#define BASE_SECTION "srp"
#define CONFIG_FILE "openssl.cnf"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
static int get_index(CA_DB *db, char *id, char type)
{
@@ -86,9 +85,8 @@ static void print_user(CA_DB *db, int userindex, int verbose)
if (pp[DB_srptype][0] != 'I') {
print_entry(db, userindex, verbose, "User entry");
print_entry(db, get_index(db, pp[DB_srpgN], 'I'), verbose,
"g N entry");
"g N entry");
}
}
}
@@ -120,8 +118,8 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
}
static char *srp_verify_user(const char *user, const char *srp_verifier,
char *srp_usersalt, const char *g, const char *N,
const char *passin, int verbose)
char *srp_usersalt, const char *g, const char *N,
const char *passin, int verbose)
{
char password[1025];
PW_CB_DATA cb_tmp;
@@ -132,19 +130,20 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
cb_tmp.prompt_info = user;
cb_tmp.password = passin;
len = password_callback(password, sizeof(password)-1, 0, &cb_tmp);
len = password_callback(password, sizeof(password) - 1, 0, &cb_tmp);
if (len > 0) {
password[len] = 0;
if (verbose)
BIO_printf(bio_err,
"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, srp_verifier, srp_usersalt, g, N);
"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, srp_verifier, srp_usersalt, g, N);
if (verbose > 1)
BIO_printf(bio_err, "Pass %s\n", password);
OPENSSL_assert(srp_usersalt != NULL);
if ((gNid = SRP_create_verifier(user, password, &srp_usersalt,
&verifier, N, g)) == NULL) {
&verifier, N, g))
== NULL) {
BIO_printf(bio_err, "Internal error validating SRP verifier\n");
} else {
if (strcmp(verifier, srp_verifier))
@@ -157,8 +156,8 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
}
static char *srp_create_user(char *user, char **srp_verifier,
char **srp_usersalt, char *g, char *N,
char *passout, int verbose)
char **srp_usersalt, char *g, char *N,
char *passout, int verbose)
{
char password[1025];
PW_CB_DATA cb_tmp;
@@ -168,14 +167,15 @@ static char *srp_create_user(char *user, char **srp_verifier,
cb_tmp.prompt_info = user;
cb_tmp.password = passout;
len = password_callback(password, sizeof(password)-1, 1, &cb_tmp);
len = password_callback(password, sizeof(password) - 1, 1, &cb_tmp);
if (len > 0) {
password[len] = 0;
if (verbose)
BIO_printf(bio_err, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, g, N);
user, g, N);
if ((gNid = SRP_create_verifier(user, password, &salt,
srp_verifier, N, g)) == NULL) {
srp_verifier, N, g))
== NULL) {
BIO_printf(bio_err, "Internal error creating SRP verifier\n");
} else {
*srp_usersalt = salt;
@@ -183,50 +183,61 @@ static char *srp_create_user(char *user, char **srp_verifier,
OPENSSL_cleanse(password, len);
if (verbose > 1)
BIO_printf(bio_err, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n",
gNid, salt, *srp_verifier);
gNid, salt, *srp_verifier);
}
return gNid;
}
typedef enum OPTION_choice {
OPT_COMMON,
OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD,
OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO,
OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM
OPT_VERBOSE,
OPT_CONFIG,
OPT_NAME,
OPT_SRPVFILE,
OPT_ADD,
OPT_DELETE,
OPT_MODIFY,
OPT_LIST,
OPT_GN,
OPT_USERINFO,
OPT_PASSIN,
OPT_PASSOUT,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS srp_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [user...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [user...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"},
{"config", OPT_CONFIG, '<', "A config file"},
{"name", OPT_NAME, 's', "The particular srp definition to use"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "verbose", OPT_VERBOSE, '-', "Talk a lot while doing things" },
{ "config", OPT_CONFIG, '<', "A config file" },
{ "name", OPT_NAME, 's', "The particular srp definition to use" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Action"),
{"add", OPT_ADD, '-', "Add a user and SRP verifier"},
{"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
{"delete", OPT_DELETE, '-', "Delete user from verifier file"},
{"list", OPT_LIST, '-', "List users"},
{ "add", OPT_ADD, '-', "Add a user and SRP verifier" },
{ "modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user" },
{ "delete", OPT_DELETE, '-', "Delete user from verifier file" },
{ "list", OPT_LIST, '-', "List users" },
OPT_SECTION("Configuration"),
{"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"},
{"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"},
{"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name" },
{ "gn", OPT_GN, 's', "Set g and N values to be used for new verifier" },
{ "userinfo", OPT_USERINFO, 's', "Additional info to be set for user" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"user", 0, 0, "Username(s) to process (optional)"},
{NULL}
{ "user", 0, 0, "Username(s) to process (optional)" },
{ NULL }
};
int srp_main(int argc, char **argv)
@@ -248,7 +259,7 @@ int srp_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -273,8 +284,8 @@ int srp_main(int argc, char **argv)
case OPT_LIST:
if (mode != OPT_ERR) {
BIO_printf(bio_err,
"%s: Only one of -add/-delete/-modify/-list\n",
prog);
"%s: Only one of -add/-delete/-modify/-list\n",
prog);
goto opthelp;
}
mode = o;
@@ -314,12 +325,12 @@ int srp_main(int argc, char **argv)
if (srpvfile != NULL && configfile != NULL) {
BIO_printf(bio_err,
"-srpvfile and -configfile cannot be specified together.\n");
"-srpvfile and -configfile cannot be specified together.\n");
goto end;
}
if (mode == OPT_ERR) {
BIO_printf(bio_err,
"Exactly one of the options -add, -delete, -modify -list must be specified.\n");
"Exactly one of the options -add, -delete, -modify -list must be specified.\n");
goto opthelp;
}
if (mode == OPT_DELETE || mode == OPT_MODIFY || mode == OPT_ADD) {
@@ -331,7 +342,7 @@ int srp_main(int argc, char **argv)
}
if ((passinarg != NULL || passoutarg != NULL) && argc != 1) {
BIO_printf(bio_err,
"-passin, -passout arguments only valid with one user.\n");
"-passin, -passout arguments only valid with one user.\n");
goto opthelp;
}
@@ -354,8 +365,8 @@ int srp_main(int argc, char **argv)
if (section == NULL) {
if (verbose)
BIO_printf(bio_err,
"trying to read " ENV_DEFAULT_SRP
" in " BASE_SECTION "\n");
"trying to read " ENV_DEFAULT_SRP
" in " BASE_SECTION "\n");
section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_SRP);
if (section == NULL)
@@ -366,8 +377,8 @@ int srp_main(int argc, char **argv)
if (verbose)
BIO_printf(bio_err,
"trying to read " ENV_DATABASE " in section \"%s\"\n",
section);
"trying to read " ENV_DATABASE " in section \"%s\"\n",
section);
srpvfile = lookup_conf(conf, section, ENV_DATABASE);
if (srpvfile == NULL)
@@ -376,7 +387,7 @@ int srp_main(int argc, char **argv)
if (verbose)
BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n",
srpvfile);
srpvfile);
db = load_index(srpvfile, NULL);
if (db == NULL) {
@@ -431,14 +442,13 @@ int srp_main(int argc, char **argv)
print_user(db, i, 1);
} else if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, ignored. t\n", user);
"user \"%s\" does not exist, ignored. t\n", user);
errors++;
}
} else if (mode == OPT_ADD) {
if (userindex >= 0) {
/* reactivation of a new user */
char **row =
sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
row[DB_srptype][0] = 'V';
@@ -449,16 +459,14 @@ int srp_main(int argc, char **argv)
row[DB_srpverifier] = NULL;
row[DB_srpsalt] = NULL;
row[DB_srpinfo] = NULL;
if (!
(gNid =
srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : gN,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : gN,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
BIO_printf(bio_err,
"Cannot create srp verifier for user \"%s\", operation abandoned .\n",
user);
"Cannot create srp verifier for user \"%s\", operation abandoned .\n",
user);
errors++;
goto end;
}
@@ -487,18 +495,17 @@ int srp_main(int argc, char **argv)
} else if (mode == OPT_MODIFY) {
if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, operation ignored.\n",
user);
"user \"%s\" does not exist, operation ignored.\n",
user);
errors++;
} else {
char **row =
sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char type = row[DB_srptype][0];
if (type == 'v') {
BIO_printf(bio_err,
"user \"%s\" already updated, operation ignored.\n",
user);
"user \"%s\" already updated, operation ignored.\n",
user);
errors++;
} else {
char *gNid;
@@ -508,40 +515,35 @@ int srp_main(int argc, char **argv)
char **irow = NULL;
if (verbose)
BIO_printf(bio_err,
"Verifying password for user \"%s\"\n",
user);
if ((user_gN =
get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
irow =
sk_OPENSSL_PSTRING_value(db->db->data,
userindex);
"Verifying password for user \"%s\"\n",
user);
if ((user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
irow = sk_OPENSSL_PSTRING_value(db->db->data,
userindex);
if (!srp_verify_user
(user, row[DB_srpverifier], row[DB_srpsalt],
irow ? irow[DB_srpsalt] : row[DB_srpgN],
irow ? irow[DB_srpverifier] : NULL, passin,
verbose)) {
if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt],
irow ? irow[DB_srpsalt] : row[DB_srpgN],
irow ? irow[DB_srpverifier] : NULL, passin,
verbose)) {
BIO_printf(bio_err,
"Invalid password for user \"%s\", operation abandoned.\n",
user);
"Invalid password for user \"%s\", operation abandoned.\n",
user);
errors++;
goto end;
}
}
if (verbose)
BIO_printf(bio_err, "Password for user \"%s\" ok.\n",
user);
user);
if (!
(gNid =
srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : NULL,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : NULL,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
BIO_printf(bio_err,
"Cannot create srp verifier for user \"%s\", operation abandoned.\n",
user);
"Cannot create srp verifier for user \"%s\", operation abandoned.\n",
user);
errors++;
goto end;
}
@@ -565,8 +567,8 @@ int srp_main(int argc, char **argv)
} else if (mode == OPT_DELETE) {
if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, operation ignored. t\n",
user);
"user \"%s\" does not exist, operation ignored. t\n",
user);
errors++;
} else {
char **xpp = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
@@ -612,7 +614,7 @@ int srp_main(int argc, char **argv)
}
ret = (errors != 0);
end:
end:
if (errors != 0)
if (verbose)
BIO_printf(bio_err, "User errors %d.\n", errors);

159
apps/storeutl.c
View File

@@ -14,57 +14,67 @@
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/store.h>
#include <openssl/x509v3.h> /* s2i_ASN1_INTEGER */
#include <openssl/x509v3.h> /* s2i_ASN1_INTEGER */
static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, BIO *out,
const char *prog, OSSL_LIB_CTX *libctx);
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, BIO *out,
const char *prog, OSSL_LIB_CTX *libctx);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_OUT, OPT_PASSIN,
OPT_NOOUT, OPT_TEXT, OPT_RECURSIVE,
OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS,
OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL,
OPT_CRITERION_FINGERPRINT, OPT_CRITERION_ALIAS,
OPT_MD, OPT_PROV_ENUM
OPT_ENGINE,
OPT_OUT,
OPT_PASSIN,
OPT_NOOUT,
OPT_TEXT,
OPT_RECURSIVE,
OPT_SEARCHFOR_CERTS,
OPT_SEARCHFOR_KEYS,
OPT_SEARCHFOR_CRLS,
OPT_CRITERION_SUBJECT,
OPT_CRITERION_ISSUER,
OPT_CRITERION_SERIAL,
OPT_CRITERION_FINGERPRINT,
OPT_CRITERION_ALIAS,
OPT_MD,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS storeutl_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"", OPT_MD, '-', "Any supported digest"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "", OPT_MD, '-', "Any supported digest" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Search"),
{"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"},
{"keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only"},
{"crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only"},
{"subject", OPT_CRITERION_SUBJECT, 's', "Search by subject"},
{"issuer", OPT_CRITERION_ISSUER, 's', "Search by issuer and serial, issuer name"},
{"serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number"},
{"fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex"},
{"alias", OPT_CRITERION_ALIAS, 's', "Search by alias"},
{"r", OPT_RECURSIVE, '-', "Recurse through names"},
{ "certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only" },
{ "keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only" },
{ "crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only" },
{ "subject", OPT_CRITERION_SUBJECT, 's', "Search by subject" },
{ "issuer", OPT_CRITERION_ISSUER, 's', "Search by issuer and serial, issuer name" },
{ "serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number" },
{ "fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex" },
{ "alias", OPT_CRITERION_ALIAS, 's', "Search by alias" },
{ "r", OPT_RECURSIVE, '-', "Recurse through names" },
OPT_SECTION("Input"),
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"text", OPT_TEXT, '-', "Print a text form of the objects"},
{"noout", OPT_NOOUT, '-', "No PEM output, just status"},
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "text", OPT_TEXT, '-', "Print a text form of the objects" },
{ "noout", OPT_NOOUT, '-', "No PEM output, just status" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"uri", 0, 0, "URI of the store object"},
{NULL}
{ "uri", 0, 0, "URI of the store object" },
{ NULL }
};
int storeutl_main(int argc, char *argv[])
@@ -93,7 +103,7 @@ int storeutl_main(int argc, char *argv[])
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -120,7 +130,7 @@ int storeutl_main(int argc, char *argv[])
case OPT_SEARCHFOR_CRLS:
if (expected != 0) {
BIO_printf(bio_err, "%s: only one search type can be given.\n",
prog);
prog);
goto end;
}
{
@@ -128,9 +138,9 @@ int storeutl_main(int argc, char *argv[])
enum OPTION_choice choice;
int type;
} map[] = {
{OPT_SEARCHFOR_CERTS, OSSL_STORE_INFO_CERT},
{OPT_SEARCHFOR_KEYS, OSSL_STORE_INFO_PKEY},
{OPT_SEARCHFOR_CRLS, OSSL_STORE_INFO_CRL},
{ OPT_SEARCHFOR_CERTS, OSSL_STORE_INFO_CERT },
{ OPT_SEARCHFOR_KEYS, OSSL_STORE_INFO_PKEY },
{ OPT_SEARCHFOR_CRLS, OSSL_STORE_INFO_CRL },
};
size_t i;
@@ -150,13 +160,13 @@ int storeutl_main(int argc, char *argv[])
case OPT_CRITERION_SUBJECT:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_NAME;
if (subject != NULL) {
BIO_printf(bio_err, "%s: subject already given.\n",
prog);
prog);
goto end;
}
subject = parse_name(opt_arg(), MBSTRING_UTF8, 1, "subject");
@@ -167,13 +177,13 @@ int storeutl_main(int argc, char *argv[])
if (criterion != 0
&& criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
if (issuer != NULL) {
BIO_printf(bio_err, "%s: issuer already given.\n",
prog);
prog);
goto end;
}
issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1, "issuer");
@@ -184,31 +194,31 @@ int storeutl_main(int argc, char *argv[])
if (criterion != 0
&& criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
if (serial != NULL) {
BIO_printf(bio_err, "%s: serial number already given.\n",
prog);
prog);
goto end;
}
if ((serial = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) {
BIO_printf(bio_err, "%s: can't parse serial number argument.\n",
prog);
prog);
goto end;
}
break;
case OPT_CRITERION_FINGERPRINT:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT;
if (fingerprint != NULL) {
BIO_printf(bio_err, "%s: fingerprint already given.\n",
prog);
prog);
goto end;
}
{
@@ -217,8 +227,8 @@ int storeutl_main(int argc, char *argv[])
if ((fingerprint = OPENSSL_hexstr2buf(opt_arg(), &tmplen))
== NULL) {
BIO_printf(bio_err,
"%s: can't parse fingerprint argument.\n",
prog);
"%s: can't parse fingerprint argument.\n",
prog);
goto end;
}
fingerprintlen = (size_t)tmplen;
@@ -227,18 +237,18 @@ int storeutl_main(int argc, char *argv[])
case OPT_CRITERION_ALIAS:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ALIAS;
if (alias != NULL) {
BIO_printf(bio_err, "%s: alias already given.\n",
prog);
prog);
goto end;
}
if ((alias = OPENSSL_strdup(opt_arg())) == NULL) {
BIO_printf(bio_err, "%s: can't parse alias argument.\n",
prog);
prog);
goto end;
}
break;
@@ -274,8 +284,8 @@ int storeutl_main(int argc, char *argv[])
case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
if (issuer == NULL || serial == NULL) {
BIO_printf(bio_err,
"%s: both -issuer and -serial must be given.\n",
prog);
"%s: both -issuer and -serial must be given.\n",
prog);
goto end;
}
if ((search = OSSL_STORE_SEARCH_by_issuer_serial(issuer, serial))
@@ -286,8 +296,8 @@ int storeutl_main(int argc, char *argv[])
break;
case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
if ((search = OSSL_STORE_SEARCH_by_key_fingerprint(digest,
fingerprint,
fingerprintlen))
fingerprint,
fingerprintlen))
== NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -314,10 +324,10 @@ int storeutl_main(int argc, char *argv[])
goto end;
ret = process(argv[0], get_ui_method(), &pw_cb_data,
expected, criterion, search,
text, noout, recursive, 0, out, prog, libctx);
expected, criterion, search,
text, noout, recursive, 0, out, prog, libctx);
end:
end:
EVP_MD_free(digest);
OPENSSL_free(fingerprint);
OPENSSL_free(alias);
@@ -353,15 +363,15 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...)
}
static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, BIO *out,
const char *prog, OSSL_LIB_CTX *libctx)
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, BIO *out,
const char *prog, OSSL_LIB_CTX *libctx)
{
OSSL_STORE_CTX *store_ctx = NULL;
int ret = 1, items = 0;
if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata,
NULL, NULL, NULL))
NULL, NULL, NULL))
== NULL) {
BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
ERR_print_errors(bio_err);
@@ -378,8 +388,8 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
if (criterion != 0) {
if (!OSSL_STORE_supports_search(store_ctx, criterion)) {
BIO_printf(bio_err,
"%s: the store scheme doesn't support the given search criteria.\n",
prog);
"%s: the store scheme doesn't support the given search criteria.\n",
prog);
goto end2;
}
@@ -395,8 +405,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
for (;;) {
OSSL_STORE_INFO *info = OSSL_STORE_load(store_ctx);
int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
const char *infostr =
info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
const char *infostr = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
if (info == NULL) {
if (OSSL_STORE_error(store_ctx)) {
@@ -414,8 +423,8 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
break;
BIO_printf(bio_err,
"ERROR: OSSL_STORE_load() returned NULL without "
"eof or error indications\n");
"ERROR: OSSL_STORE_load() returned NULL without "
"eof or error indications\n");
BIO_printf(bio_err, " This is an error in the loader\n");
ERR_print_errors(bio_err);
ret++;
@@ -426,7 +435,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
const char *name = OSSL_STORE_INFO_get0_NAME(info);
const char *desc = OSSL_STORE_INFO_get0_NAME_description(info);
indent_printf(indent, bio_out, "%d: %s: %s\n", items, infostr,
name);
name);
if (desc != NULL)
indent_printf(indent, bio_out, "%s\n", desc);
} else {
@@ -443,33 +452,33 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
if (recursive) {
const char *suburi = OSSL_STORE_INFO_get0_NAME(info);
ret += process(suburi, uimeth, uidata,
expected, criterion, search,
text, noout, recursive, indent + 2, out, prog,
libctx);
expected, criterion, search,
text, noout, recursive, indent + 2, out, prog,
libctx);
}
break;
case OSSL_STORE_INFO_PARAMS:
if (text)
EVP_PKEY_print_params(out, OSSL_STORE_INFO_get0_PARAMS(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_Parameters(out,
OSSL_STORE_INFO_get0_PARAMS(info));
OSSL_STORE_INFO_get0_PARAMS(info));
break;
case OSSL_STORE_INFO_PUBKEY:
if (text)
EVP_PKEY_print_public(out, OSSL_STORE_INFO_get0_PUBKEY(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_PUBKEY(out, OSSL_STORE_INFO_get0_PUBKEY(info));
break;
case OSSL_STORE_INFO_PKEY:
if (text)
EVP_PKEY_print_private(out, OSSL_STORE_INFO_get0_PKEY(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_PrivateKey(out, OSSL_STORE_INFO_get0_PKEY(info),
NULL, NULL, 0, NULL, NULL);
NULL, NULL, 0, NULL, NULL);
break;
case OSSL_STORE_INFO_CERT:
if (text)
@@ -493,7 +502,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
}
indent_printf(indent, out, "Total found: %d\n", items);
end2:
end2:
if (!OSSL_STORE_close(store_ctx)) {
ERR_print_errors(bio_err);
ret++;

1490
apps/testdsa.h
View File

File diff suppressed because it is too large Load Diff

4912
apps/testrsa.h
View File

File diff suppressed because it is too large Load Diff

8
apps/timeouts.h
View File

@@ -8,10 +8,10 @@
*/
#ifndef OSSL_APPS_TIMEOUTS_H
# define OSSL_APPS_TIMEOUTS_H
#define OSSL_APPS_TIMEOUTS_H
/* numbers in us */
# define DGRAM_RCV_TIMEOUT 250000
# define DGRAM_SND_TIMEOUT 250000
#define DGRAM_RCV_TIMEOUT 250000
#define DGRAM_SND_TIMEOUT 250000
#endif /* ! OSSL_APPS_TIMEOUTS_H */
#endif /* ! OSSL_APPS_TIMEOUTS_H */

264
apps/ts.c
View File

@@ -21,117 +21,138 @@
#include <openssl/bn.h>
/* Request nonce length, in bits (must be a multiple of 8). */
#define NONCE_LENGTH 64
#define NONCE_LENGTH 64
/* Name of config entry that defines the OID file. */
#define ENV_OID_FILE "oid_file"
#define ENV_OID_FILE "oid_file"
/* Is |EXACTLY_ONE| of three pointers set? */
#define EXACTLY_ONE(a, b, c) \
(( a && !b && !c) || \
( b && !a && !c) || \
( c && !a && !b))
((a && !b && !c) || (b && !a && !c) || (c && !a && !b))
static ASN1_OBJECT *txt2obj(const char *oid);
static CONF *load_config_file(const char *configfile);
/* Query related functions. */
static int query_command(const char *data, const char *digest,
const EVP_MD *md, const char *policy, int no_nonce,
int cert, const char *in, const char *out, int text);
const EVP_MD *md, const char *policy, int no_nonce,
int cert, const char *in, const char *out, int text);
static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
const char *policy, int no_nonce, int cert);
const char *policy, int no_nonce, int cert);
static int create_digest(BIO *input, const char *digest,
const EVP_MD *md, unsigned char **md_value);
const EVP_MD *md, unsigned char **md_value);
static ASN1_INTEGER *create_nonce(int bits);
/* Reply related functions. */
static int reply_command(CONF *conf, const char *section, const char *engine,
const char *queryfile, const char *passin, const char *inkey,
const EVP_MD *md, const char *signer, const char *chain,
const char *policy, const char *in, int token_in,
const char *out, int token_out, int text);
const char *queryfile, const char *passin, const char *inkey,
const EVP_MD *md, const char *signer, const char *chain,
const char *policy, const char *in, int token_in,
const char *out, int token_out, int text);
static TS_RESP *read_PKCS7(BIO *in_bio);
static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
const char *queryfile, const char *passin,
const char *inkey, const EVP_MD *md, const char *signer,
const char *chain, const char *policy);
const char *queryfile, const char *passin,
const char *inkey, const EVP_MD *md, const char *signer,
const char *chain, const char *policy);
static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
static ASN1_INTEGER *next_serial(const char *serialfile);
static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
/* Verify related functions. */
static int verify_command(const char *data, const char *digest, const char *queryfile,
const char *in, int token_in,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted, X509_VERIFY_PARAM *vpm);
const char *in, int token_in,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted, X509_VERIFY_PARAM *vpm);
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
const char *queryfile,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted,
X509_VERIFY_PARAM *vpm);
const char *queryfile,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted,
X509_VERIFY_PARAM *vpm);
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
const char *CAstore, X509_VERIFY_PARAM *vpm);
const char *CAstore, X509_VERIFY_PARAM *vpm);
static int verify_cb(int ok, X509_STORE_CTX *ctx);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM
OPT_ENGINE,
OPT_CONFIG,
OPT_SECTION,
OPT_QUERY,
OPT_DATA,
OPT_DIGEST,
OPT_TSPOLICY,
OPT_NO_NONCE,
OPT_CERT,
OPT_IN,
OPT_TOKEN_IN,
OPT_OUT,
OPT_TOKEN_OUT,
OPT_TEXT,
OPT_REPLY,
OPT_QUERYFILE,
OPT_PASSIN,
OPT_INKEY,
OPT_SIGNER,
OPT_CHAIN,
OPT_VERIFY,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_UNTRUSTED,
OPT_MD,
OPT_V_ENUM,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ts_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"config", OPT_CONFIG, '<', "Configuration file"},
{"section", OPT_SECTION, 's', "Section to use within config file"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "config", OPT_CONFIG, '<', "Configuration file" },
{ "section", OPT_SECTION, 's', "Section to use within config file" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"inkey", OPT_INKEY, 's', "File with private key for reply"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"chain", OPT_CHAIN, '<', "File with signer CA chain"},
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
{"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
{"untrusted", OPT_UNTRUSTED, '<', "Extra untrusted certs"},
{"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
{"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"", OPT_MD, '-', "Any supported digest"},
{ "inkey", OPT_INKEY, 's', "File with private key for reply" },
{ "signer", OPT_SIGNER, 's', "Signer certificate file" },
{ "chain", OPT_CHAIN, '<', "File with signer CA chain" },
{ "CAfile", OPT_CAFILE, '<', "File with trusted CA certs" },
{ "CApath", OPT_CAPATH, '/', "Path to trusted CA files" },
{ "CAstore", OPT_CASTORE, ':', "URI to trusted CA store" },
{ "untrusted", OPT_UNTRUSTED, '<', "Extra untrusted certs" },
{ "token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file" },
{ "token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "", OPT_MD, '-', "Any supported digest" },
OPT_SECTION("Query"),
{"query", OPT_QUERY, '-', "Generate a TS query"},
{"data", OPT_DATA, '<', "File to hash"},
{"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
{"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
{"cert", OPT_CERT, '-', "Put cert request into query"},
{"in", OPT_IN, '<', "Input file"},
{ "query", OPT_QUERY, '-', "Generate a TS query" },
{ "data", OPT_DATA, '<', "File to hash" },
{ "digest", OPT_DIGEST, 's', "Digest (as a hex string)" },
{ "queryfile", OPT_QUERYFILE, '<', "File containing a TS query" },
{ "cert", OPT_CERT, '-', "Put cert request into query" },
{ "in", OPT_IN, '<', "Input file" },
OPT_SECTION("Verify"),
{"verify", OPT_VERIFY, '-', "Verify a TS response"},
{"reply", OPT_REPLY, '-', "Generate a TS reply"},
{"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
{"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
{"out", OPT_OUT, '>', "Output file"},
{"text", OPT_TEXT, '-', "Output text (not DER)"},
{ "verify", OPT_VERIFY, '-', "Verify a TS response" },
{ "reply", OPT_REPLY, '-', "Generate a TS reply" },
{ "tspolicy", OPT_TSPOLICY, 's', "Policy OID to use" },
{ "no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce" },
{ "out", OPT_OUT, '>', "Output file" },
{ "text", OPT_TEXT, '-', "Output text (not DER)" },
OPT_R_OPTIONS,
OPT_V_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
/*
* This command is so complex, special help is needed.
*/
static char* opt_helplist[] = {
static char *opt_helplist[] = {
"",
"Typical uses:",
" openssl ts -query [-rand file...] [-config file] [-data file]",
@@ -187,7 +208,7 @@ int ts_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -303,8 +324,7 @@ int ts_main(int argc, char **argv)
if (!opt_md(digestname, &md))
goto opthelp;
if (mode == OPT_REPLY && passin &&
!app_passwd(passin, NULL, &password, NULL)) {
if (mode == OPT_REPLY && passin && !app_passwd(passin, NULL, &password, NULL)) {
BIO_printf(bio_err, "Error getting password.\n");
goto end;
}
@@ -321,7 +341,7 @@ int ts_main(int argc, char **argv)
if ((data != NULL) && (digest != NULL))
goto opthelp;
ret = !query_command(data, digest, md, policy, no_nonce, cert,
in, out, text);
in, out, text);
} else if (mode == OPT_REPLY) {
if (vpmtouched)
goto opthelp;
@@ -332,20 +352,20 @@ int ts_main(int argc, char **argv)
goto opthelp;
}
ret = !reply_command(conf, section, engine, queryfile,
password, inkey, md, signer, chain, policy,
in, token_in, out, token_out, text);
password, inkey, md, signer, chain, policy,
in, token_in, out, token_out, text);
} else if (mode == OPT_VERIFY) {
if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
goto opthelp;
ret = !verify_command(data, digest, queryfile, in, token_in,
CApath, CAfile, CAstore, untrusted,
vpmtouched ? vpm : NULL);
CApath, CAfile, CAstore, untrusted,
vpmtouched ? vpm : NULL);
} else {
goto opthelp;
}
end:
end:
X509_VERIFY_PARAM_free(vpm);
EVP_MD_free(md);
NCONF_free(conf);
@@ -395,8 +415,8 @@ static CONF *load_config_file(const char *configfile)
* Query-related method definitions.
*/
static int query_command(const char *data, const char *digest, const EVP_MD *md,
const char *policy, int no_nonce,
int cert, const char *in, const char *out, int text)
const char *policy, int no_nonce,
int cert, const char *in, const char *out, int text)
{
int ret = 0;
TS_REQ *query = NULL;
@@ -432,7 +452,7 @@ static int query_command(const char *data, const char *digest, const EVP_MD *md,
ret = 1;
end:
end:
ERR_print_errors(bio_err);
BIO_free_all(in_bio);
BIO_free_all(data_bio);
@@ -442,7 +462,7 @@ static int query_command(const char *data, const char *digest, const EVP_MD *md,
}
static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
const char *policy, int no_nonce, int cert)
const char *policy, int no_nonce, int cert)
{
int ret = 0;
TS_REQ *ts_req = NULL;
@@ -490,7 +510,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
goto err;
ret = 1;
err:
err:
if (!ret) {
TS_REQ_free(ts_req);
ts_req = NULL;
@@ -506,7 +526,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
}
static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
unsigned char **md_value)
unsigned char **md_value)
{
int md_value_len;
int rv = 0;
@@ -539,12 +559,13 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
*md_value = OPENSSL_hexstr2buf(digest, &digest_len);
if (*md_value == NULL || md_value_len != digest_len) {
BIO_printf(bio_err, "bad digest, %d bytes "
"must be specified\n", md_value_len);
"must be specified\n",
md_value_len);
goto err;
}
}
rv = md_value_len;
err:
err:
if (rv <= 0) {
OPENSSL_free(*md_value);
*md_value = NULL;
@@ -577,7 +598,7 @@ static ASN1_INTEGER *create_nonce(int bits)
memcpy(nonce->data, buf + i, nonce->length);
return nonce;
err:
err:
BIO_printf(bio_err, "could not create nonce\n");
ASN1_INTEGER_free(nonce);
return NULL;
@@ -588,10 +609,10 @@ static ASN1_INTEGER *create_nonce(int bits)
*/
static int reply_command(CONF *conf, const char *section, const char *engine,
const char *queryfile, const char *passin, const char *inkey,
const EVP_MD *md, const char *signer, const char *chain,
const char *policy, const char *in, int token_in,
const char *out, int token_out, int text)
const char *queryfile, const char *passin, const char *inkey,
const EVP_MD *md, const char *signer, const char *chain,
const char *policy, const char *in, int token_in,
const char *out, int token_out, int text)
{
int ret = 0;
TS_RESP *response = NULL;
@@ -611,7 +632,7 @@ static int reply_command(CONF *conf, const char *section, const char *engine,
}
} else {
response = create_response(conf, section, engine, queryfile,
passin, inkey, md, signer, chain, policy);
passin, inkey, md, signer, chain, policy);
if (response != NULL)
BIO_printf(bio_err, "Response has been generated.\n");
else
@@ -623,7 +644,7 @@ static int reply_command(CONF *conf, const char *section, const char *engine,
/* Write response. */
if (text) {
if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
goto end;
goto end;
if (token_out) {
TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
if (!TS_TST_INFO_print_bio(out_bio, tst_info))
@@ -647,7 +668,7 @@ static int reply_command(CONF *conf, const char *section, const char *engine,
ret = 1;
end:
end:
ERR_print_errors(bio_err);
BIO_free_all(in_bio);
BIO_free_all(query_bio);
@@ -680,11 +701,11 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
if (!TS_RESP_set_status_info(resp, si))
goto end;
TS_RESP_set_tst_info(resp, token, tst_info);
token = NULL; /* Ownership is lost. */
tst_info = NULL; /* Ownership is lost. */
token = NULL; /* Ownership is lost. */
tst_info = NULL; /* Ownership is lost. */
ret = 1;
end:
end:
PKCS7_free(token);
TS_TST_INFO_free(tst_info);
if (!ret) {
@@ -696,9 +717,9 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
}
static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
const char *queryfile, const char *passin,
const char *inkey, const EVP_MD *md, const char *signer,
const char *chain, const char *policy)
const char *queryfile, const char *passin,
const char *inkey, const EVP_MD *md, const char *signer,
const char *chain, const char *policy)
{
int ret = 0;
TS_RESP *response = NULL;
@@ -728,7 +749,7 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
goto end;
} else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
goto end;
goto end;
}
if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx))
@@ -753,7 +774,7 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
goto end;
ret = 1;
end:
end:
if (!ret) {
TS_RESP_free(response);
response = NULL;
@@ -770,8 +791,8 @@ static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data)
if (serial == NULL) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Error during serial number "
"generation.");
"Error during serial number "
"generation.");
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE);
} else {
save_ts_serial(serial_file, serial);
@@ -793,14 +814,15 @@ static ASN1_INTEGER *next_serial(const char *serialfile)
if ((in = BIO_new_file(serialfile, "r")) == NULL) {
ERR_clear_error();
BIO_printf(bio_err, "Warning: could not open file %s for "
"reading, using serial number: 1\n", serialfile);
"reading, using serial number: 1\n",
serialfile);
if (!ASN1_INTEGER_set(serial, 1))
goto err;
} else {
char buf[1024];
if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
BIO_printf(bio_err, "unable to load number from %s\n",
serialfile);
serialfile);
goto err;
}
if ((bn = ASN1_INTEGER_to_BN(serial, NULL)) == NULL)
@@ -814,7 +836,7 @@ static ASN1_INTEGER *next_serial(const char *serialfile)
}
ret = 1;
err:
err:
if (!ret) {
ASN1_INTEGER_free(serial);
serial = NULL;
@@ -836,24 +858,23 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
if (BIO_puts(out, "\n") <= 0)
goto err;
ret = 1;
err:
err:
if (!ret)
BIO_printf(bio_err, "could not save serial number to %s\n",
serialfile);
serialfile);
BIO_free_all(out);
return ret;
}
/*
* Verify-related method definitions.
*/
static int verify_command(const char *data, const char *digest, const char *queryfile,
const char *in, int token_in,
const char *CApath, const char *CAfile,
const char *CAstore, char *untrusted,
X509_VERIFY_PARAM *vpm)
const char *in, int token_in,
const char *CApath, const char *CAfile,
const char *CAstore, char *untrusted,
X509_VERIFY_PARAM *vpm)
{
BIO *in_bio = NULL;
PKCS7 *token = NULL;
@@ -872,15 +893,16 @@ static int verify_command(const char *data, const char *digest, const char *quer
}
if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
CApath, CAfile, CAstore, untrusted,
vpm)) == NULL)
CApath, CAfile, CAstore, untrusted,
vpm))
== NULL)
goto end;
ret = token_in
? TS_RESP_verify_token(verify_ctx, token)
: TS_RESP_verify_response(verify_ctx, response);
end:
end:
printf("Verification: ");
if (ret)
printf("OK\n");
@@ -897,11 +919,11 @@ static int verify_command(const char *data, const char *digest, const char *quer
}
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
const char *queryfile,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted,
X509_VERIFY_PARAM *vpm)
const char *queryfile,
const char *CApath, const char *CAfile,
const char *CAstore,
char *untrusted,
X509_VERIFY_PARAM *vpm)
{
TS_VERIFY_CTX *ctx = NULL;
STACK_OF(X509) *certs;
@@ -949,20 +971,19 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
/* Initialising the X509_STORE object. */
if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile,
CAstore, vpm)))
if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile, CAstore, vpm)))
goto err;
/* Loading any extra untrusted certificates. */
if (untrusted != NULL) {
certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
vpm);
vpm);
if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs))
goto err;
}
ret = 1;
err:
err:
if (!ret) {
TS_VERIFY_CTX_free(ctx);
ctx = NULL;
@@ -973,7 +994,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
}
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
const char *CAstore, X509_VERIFY_PARAM *vpm)
const char *CAstore, X509_VERIFY_PARAM *vpm)
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
@@ -1005,7 +1026,8 @@ static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
goto err;
}
if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, libctx,
propq) <= 0) {
propq)
<= 0) {
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
goto err;
}
@@ -1028,7 +1050,7 @@ static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
return cert_ctx;
err:
err:
X509_STORE_free(cert_ctx);
return NULL;
}

137
apps/verify.c
View File

@@ -20,60 +20,71 @@
static int cb(int ok, X509_STORE_CTX *ctx);
static int check(X509_STORE *ctx, const char *file,
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
STACK_OF(X509_CRL) *crls, int show_chain,
STACK_OF(OPENSSL_STRING) *opts);
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
STACK_OF(X509_CRL) *crls, int show_chain,
STACK_OF(OPENSSL_STRING) *opts);
static int v_verbose = 0, vflags = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM, OPT_NAMEOPT, OPT_VFYOPT,
OPT_ENGINE,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_UNTRUSTED,
OPT_TRUSTED,
OPT_CRLFILE,
OPT_CRL_DOWNLOAD,
OPT_SHOW_CHAIN,
OPT_V_ENUM,
OPT_NAMEOPT,
OPT_VFYOPT,
OPT_VERBOSE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS verify_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"verbose", OPT_VERBOSE, '-',
"Print extra information about the operations being performed."},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{ "verbose", OPT_VERBOSE, '-',
"Print extra information about the operations being performed." },
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
OPT_SECTION("Certificate chain"),
{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
{"CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates"},
{"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default trusted certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load trusted certificates from the default directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load trusted certificates from the default certificates store"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
{"CRLfile", OPT_CRLFILE, '<',
"File containing one or more CRL's (in PEM format) to load"},
{"crl_download", OPT_CRL_DOWNLOAD, '-',
"Try downloading CRL information for certificates via their CDP entries"},
{"show_chain", OPT_SHOW_CHAIN, '-',
"Display information about the certificate chain"},
{ "trusted", OPT_TRUSTED, '<', "A file of trusted certificates" },
{ "CAfile", OPT_CAFILE, '<', "A file of trusted certificates" },
{ "CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates" },
{ "CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default trusted certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load trusted certificates from the default directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load trusted certificates from the default certificates store" },
{ "untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates" },
{ "CRLfile", OPT_CRLFILE, '<',
"File containing one or more CRL's (in PEM format) to load" },
{ "crl_download", OPT_CRL_DOWNLOAD, '-',
"Try downloading CRL information for certificates via their CDP entries" },
{ "show_chain", OPT_SHOW_CHAIN, '-',
"Display information about the certificate chain" },
OPT_V_OPTIONS,
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
{ "vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)"},
{NULL}
{ "cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)" },
{ NULL }
};
int verify_main(int argc, char **argv)
@@ -97,7 +108,7 @@ int verify_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -107,8 +118,8 @@ int verify_main(int argc, char **argv)
X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);
BIO_printf(bio_err, " %-15s %s\n",
X509_PURPOSE_get0_sname(ptmp),
X509_PURPOSE_get0_name(ptmp));
X509_PURPOSE_get0_sname(ptmp),
X509_PURPOSE_get0_name(ptmp));
}
BIO_printf(bio_err, "Recognized certificate policy names:\n");
@@ -116,7 +127,7 @@ int verify_main(int argc, char **argv)
const X509_VERIFY_PARAM *vptmp = X509_VERIFY_PARAM_get0(i);
BIO_printf(bio_err, " %s\n",
X509_VERIFY_PARAM_get0_name(vptmp));
X509_VERIFY_PARAM_get0_name(vptmp));
}
ret = 0;
goto end;
@@ -146,7 +157,7 @@ int verify_main(int argc, char **argv)
case OPT_UNTRUSTED:
/* Zero or more times */
if (!load_certs(opt_arg(), 0, &untrusted, NULL,
"untrusted certificates"))
"untrusted certificates"))
goto end;
break;
case OPT_TRUSTED:
@@ -201,13 +212,14 @@ int verify_main(int argc, char **argv)
if (trusted != NULL
&& (CAfile != NULL || CApath != NULL || CAstore != NULL)) {
BIO_printf(bio_err,
"%s: Cannot use -trusted with -CAfile, -CApath or -CAstore\n",
prog);
"%s: Cannot use -trusted with -CAfile, -CApath or -CAstore\n",
prog);
goto end;
}
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
X509_STORE_set_verify_cb(store, cb);
@@ -222,16 +234,18 @@ int verify_main(int argc, char **argv)
ret = 0;
if (argc < 1) {
if (check(store, NULL, untrusted, trusted, crls, show_chain,
vfyopts) != 1)
vfyopts)
!= 1)
ret = -1;
} else {
for (i = 0; i < argc; i++)
if (check(store, argv[i], untrusted, trusted, crls, show_chain,
vfyopts) != 1)
vfyopts)
!= 1)
ret = -1;
}
end:
end:
X509_VERIFY_PARAM_free(vpm);
X509_STORE_free(store);
OSSL_STACK_OF_X509_free(untrusted);
@@ -243,9 +257,9 @@ int verify_main(int argc, char **argv)
}
static int check(X509_STORE *ctx, const char *file,
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
STACK_OF(X509_CRL) *crls, int show_chain,
STACK_OF(OPENSSL_STRING) *opts)
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
STACK_OF(X509_CRL) *crls, int show_chain,
STACK_OF(OPENSSL_STRING) *opts)
{
X509 *x = NULL;
int i = 0, ret = 0;
@@ -272,7 +286,7 @@ static int check(X509_STORE *ctx, const char *file,
csc = X509_STORE_CTX_new();
if (csc == NULL) {
BIO_printf(bio_err, "error %s: X.509 store context allocation failed\n",
(file == NULL) ? "stdin" : file);
(file == NULL) ? "stdin" : file);
goto end;
}
@@ -280,8 +294,8 @@ static int check(X509_STORE *ctx, const char *file,
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
X509_STORE_CTX_free(csc);
BIO_printf(bio_err,
"error %s: X.509 store context initialization failed\n",
(file == NULL) ? "stdin" : file);
"error %s: X.509 store context initialization failed\n",
(file == NULL) ? "stdin" : file);
goto end;
}
if (tchain != NULL)
@@ -302,8 +316,8 @@ static int check(X509_STORE *ctx, const char *file,
X509 *cert = sk_X509_value(chain, j);
BIO_printf(bio_out, "depth=%d: ", j);
X509_NAME_print_ex_fp(stdout,
X509_get_subject_name(cert),
0, get_nameopt());
X509_get_subject_name(cert),
0, get_nameopt());
if (j < num_untrusted)
BIO_printf(bio_out, " (untrusted)");
BIO_printf(bio_out, "\n");
@@ -312,12 +326,12 @@ static int check(X509_STORE *ctx, const char *file,
}
} else {
BIO_printf(bio_err,
"error %s: verification failed\n",
(file == NULL) ? "stdin" : file);
"error %s: verification failed\n",
(file == NULL) ? "stdin" : file);
}
X509_STORE_CTX_free(csc);
end:
end:
if (i <= 0)
ERR_print_errors(bio_err);
X509_free(x);
@@ -333,15 +347,15 @@ static int cb(int ok, X509_STORE_CTX *ctx)
if (!ok) {
if (current_cert != NULL) {
X509_NAME_print_ex(bio_err,
X509_get_subject_name(current_cert),
0, get_nameopt());
X509_get_subject_name(current_cert),
0, get_nameopt());
BIO_printf(bio_err, "\n");
}
BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n",
X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));
X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));
/*
* Pretend that some errors are ok, so they don't stop further
@@ -383,7 +397,6 @@ static int cb(int ok, X509_STORE_CTX *ctx)
ok = 1;
}
return ok;
}
if (cert_error == X509_V_OK && ok == 2)
policies_print(ctx);

58
apps/version.c
View File

@@ -18,32 +18,43 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_B, OPT_D, OPT_E, OPT_M, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A, OPT_R, OPT_C
OPT_B,
OPT_D,
OPT_E,
OPT_M,
OPT_F,
OPT_O,
OPT_P,
OPT_V,
OPT_A,
OPT_R,
OPT_C
#if defined(_WIN32)
,OPT_W
,
OPT_W
#endif
} OPTION_CHOICE;
const OPTIONS version_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Output"),
{"a", OPT_A, '-', "Show all data"},
{"b", OPT_B, '-', "Show build date"},
{"d", OPT_D, '-', "Show configuration directory"},
{"e", OPT_E, '-', "Show engines directory"},
{"m", OPT_M, '-', "Show modules directory"},
{"f", OPT_F, '-', "Show compiler flags used"},
{"o", OPT_O, '-', "Show some internal datatype options"},
{"p", OPT_P, '-', "Show target build platform"},
{"r", OPT_R, '-', "Show random seeding options"},
{"v", OPT_V, '-', "Show library version"},
{"c", OPT_C, '-', "Show CPU settings info"},
{ "a", OPT_A, '-', "Show all data" },
{ "b", OPT_B, '-', "Show build date" },
{ "d", OPT_D, '-', "Show configuration directory" },
{ "e", OPT_E, '-', "Show engines directory" },
{ "m", OPT_M, '-', "Show modules directory" },
{ "f", OPT_F, '-', "Show compiler flags used" },
{ "o", OPT_O, '-', "Show some internal datatype options" },
{ "p", OPT_P, '-', "Show target build platform" },
{ "r", OPT_R, '-', "Show random seeding options" },
{ "v", OPT_V, '-', "Show library version" },
{ "c", OPT_C, '-', "Show CPU settings info" },
#if defined(_WIN32)
{"w", OPT_W, '-', "Show Windows install context"},
{ "w", OPT_W, '-', "Show Windows install context" },
#endif
{NULL}
{ NULL }
};
int version_main(int argc, char **argv)
@@ -62,7 +73,7 @@ int version_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -121,7 +132,7 @@ opthelp:
if (version)
printf("%s (Library: %s)\n",
OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION));
OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION));
if (date)
printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));
if (platform)
@@ -150,19 +161,18 @@ opthelp:
printf("%s\n", OpenSSL_version(OPENSSL_WINCTX));
#endif
ret = 0;
end:
end:
return ret;
}
#if defined(__TANDEM) && defined(OPENSSL_VPROC)
/*
* Define a VPROC function for the openssl program.
* This is used by platform version identification tools.
* Do not inline this procedure or make it static.
*/
# define OPENSSL_VPROC_STRING_(x) x##_OPENSSL
# define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)
# define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)
void OPENSSL_VPROC_FUNC(void) {}
#define OPENSSL_VPROC_STRING_(x) x##_OPENSSL
#define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)
#define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)
void OPENSSL_VPROC_FUNC(void) { }
#endif

73
apps/vms_decc_init.c
View File

@@ -7,9 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#if defined( __VMS) && !defined( OPENSSL_NO_DECC_INIT) && \
defined( __DECC) && !defined( __VAX) && (__CRTL_VER >= 70301000)
# define USE_DECC_INIT 1
#if defined(__VMS) && !defined(OPENSSL_NO_DECC_INIT) && defined(__DECC) && !defined(__VAX) && (__CRTL_VER >= 70301000)
#define USE_DECC_INIT 1
#endif
#ifdef USE_DECC_INIT
@@ -21,9 +20,9 @@
* ----------------------------------------------------------------------
*/
# include <stdio.h>
# include <stdlib.h>
# include <unixlib.h>
#include <stdio.h>
#include <stdlib.h>
#include <unixlib.h>
/* Global storage. */
@@ -45,22 +44,21 @@ typedef struct {
decc_feat_t decc_feat_array[] = {
/* Preserve command-line case with SET PROCESS/PARSE_STYLE=EXTENDED */
{"DECC$ARGV_PARSE_STYLE", 1},
{ "DECC$ARGV_PARSE_STYLE", 1 },
/* Preserve case for file names on ODS5 disks. */
{"DECC$EFS_CASE_PRESERVE", 1},
{ "DECC$EFS_CASE_PRESERVE", 1 },
/*
* Enable multiple dots (and most characters) in ODS5 file names, while
* preserving VMS-ness of ";version".
*/
{"DECC$EFS_CHARSET", 1},
{ "DECC$EFS_CHARSET", 1 },
/* List terminator. */
{(char *)NULL, 0}
{ (char *)NULL, 0 }
};
/* LIB$INITIALIZE initialization function. */
static void decc_init(void)
@@ -98,31 +96,30 @@ static void decc_init(void)
feat_value_max = decc$feature_get_value(feat_index, 3);
/* Check the validity of our desired value. */
if ((decc_feat_array[i].value >= feat_value_min) &&
(decc_feat_array[i].value <= feat_value_max)) {
if ((decc_feat_array[i].value >= feat_value_min) && (decc_feat_array[i].value <= feat_value_max)) {
/* Valid value. Set it if necessary. */
if (feat_value != decc_feat_array[i].value) {
sts = decc$feature_set_value(feat_index,
1, decc_feat_array[i].value);
1, decc_feat_array[i].value);
if (verbose > 1) {
fprintf(stderr, " %s = %d, sts = %d.\n",
decc_feat_array[i].name,
decc_feat_array[i].value, sts);
decc_feat_array[i].name,
decc_feat_array[i].value, sts);
}
}
} else {
/* Invalid DECC feature value. */
fprintf(stderr,
" INVALID DECC$FEATURE VALUE, %d: %d <= %s <= %d.\n",
feat_value,
feat_value_min, decc_feat_array[i].name,
feat_value_max);
" INVALID DECC$FEATURE VALUE, %d: %d <= %s <= %d.\n",
feat_value,
feat_value_min, decc_feat_array[i].name,
feat_value_max);
}
} else {
/* Invalid DECC feature name. */
fprintf(stderr,
" UNKNOWN DECC$FEATURE: %s.\n", decc_feat_array[i].name);
" UNKNOWN DECC$FEATURE: %s.\n", decc_feat_array[i].name);
}
}
@@ -133,44 +130,44 @@ static void decc_init(void)
/* Get "decc_init()" into a valid, loaded LIB$INITIALIZE PSECT. */
# pragma nostandard
#pragma nostandard
/*
* Establish the LIB$INITIALIZE PSECTs, with proper alignment and other
* attributes. Note that "nopic" is significant only on VAX.
*/
# pragma extern_model save
#pragma extern_model save
# if __INITIAL_POINTER_SIZE == 64
# define PSECT_ALIGN 3
# else
# define PSECT_ALIGN 2
# endif
#if __INITIAL_POINTER_SIZE == 64
#define PSECT_ALIGN 3
#else
#define PSECT_ALIGN 2
#endif
# pragma extern_model strict_refdef "LIB$INITIALIZ" PSECT_ALIGN, nopic, nowrt
#pragma extern_model strict_refdef "LIB$INITIALIZ" PSECT_ALIGN, nopic, nowrt
const int spare[8] = { 0 };
# pragma extern_model strict_refdef "LIB$INITIALIZE" PSECT_ALIGN, nopic, nowrt
void (*const x_decc_init) () = decc_init;
#pragma extern_model strict_refdef "LIB$INITIALIZE" PSECT_ALIGN, nopic, nowrt
void (*const x_decc_init)() = decc_init;
# pragma extern_model restore
#pragma extern_model restore
/* Fake reference to ensure loading the LIB$INITIALIZE PSECT. */
# pragma extern_model save
#pragma extern_model save
int LIB$INITIALIZE(void);
# pragma extern_model strict_refdef
#pragma extern_model strict_refdef
int dmy_lib$initialize = (int)LIB$INITIALIZE;
# pragma extern_model restore
#pragma extern_model restore
# pragma standard
#pragma standard
#else /* def USE_DECC_INIT */
#else /* def USE_DECC_INIT */
/* Dummy code to avoid a %CC-W-EMPTYFILE complaint. */
int decc_init_dummy(void);
#endif /* def USE_DECC_INIT */
#endif /* def USE_DECC_INIT */

415
apps/x509.c
View File

@@ -23,170 +23,227 @@
#include <openssl/pem.h>
#include <openssl/rsa.h>
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#include <openssl/dsa.h>
#endif
#include "internal/e_os.h" /* For isatty() */
#include "internal/e_os.h" /* For isatty() */
#undef POSTFIX
#define POSTFIX ".srl"
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
static int callb(int ok, X509_STORE_CTX *ctx);
static ASN1_INTEGER *x509_load_serial(const char *CAfile,
const char *serialfile, int create);
const char *serialfile, int create);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_ISSU, OPT_SUBJ,
OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_DATEOPT, OPT_NAMEOPT,
OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH,
OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES,
OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, OPT_COPY_EXTENSIONS,
OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES,
OPT_NOT_BEFORE, OPT_NOT_AFTER,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT
OPT_INFORM,
OPT_OUTFORM,
OPT_KEYFORM,
OPT_REQ,
OPT_CAFORM,
OPT_CAKEYFORM,
OPT_VFYOPT,
OPT_SIGOPT,
OPT_DAYS,
OPT_PASSIN,
OPT_EXTFILE,
OPT_EXTENSIONS,
OPT_IN,
OPT_OUT,
OPT_KEY,
OPT_SIGNKEY,
OPT_CA,
OPT_CAKEY,
OPT_CASERIAL,
OPT_SET_SERIAL,
OPT_NEW,
OPT_FORCE_PUBKEY,
OPT_ISSU,
OPT_SUBJ,
OPT_ADDTRUST,
OPT_ADDREJECT,
OPT_SETALIAS,
OPT_CERTOPT,
OPT_DATEOPT,
OPT_NAMEOPT,
OPT_EMAIL,
OPT_OCSP_URI,
OPT_SERIAL,
OPT_NEXT_SERIAL,
OPT_MODULUS,
OPT_PUBKEY,
OPT_X509TOREQ,
OPT_TEXT,
OPT_HASH,
OPT_ISSUER_HASH,
OPT_SUBJECT,
OPT_ISSUER,
OPT_FINGERPRINT,
OPT_DATES,
OPT_PURPOSE,
OPT_STARTDATE,
OPT_ENDDATE,
OPT_CHECKEND,
OPT_CHECKHOST,
OPT_CHECKEMAIL,
OPT_CHECKIP,
OPT_NOOUT,
OPT_TRUSTOUT,
OPT_CLRTRUST,
OPT_CLRREJECT,
OPT_ALIAS,
OPT_CACREATESERIAL,
OPT_CLREXT,
OPT_OCSPID,
OPT_SUBJECT_HASH_OLD,
OPT_ISSUER_HASH_OLD,
OPT_COPY_EXTENSIONS,
OPT_BADSIG,
OPT_MD,
OPT_ENGINE,
OPT_NOCERT,
OPT_PRESERVE_DATES,
OPT_NOT_BEFORE,
OPT_NOT_AFTER,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_EXT
} OPTION_CHOICE;
const OPTIONS x509_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
{"in", OPT_IN, '<',
"Certificate input, or CSR input file with -req (default stdin)"},
{"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
{"x509toreq", OPT_X509TOREQ, '-',
"Output a certification request (rather than a certificate)"},
{"req", OPT_REQ, '-', "Input is a CSR file (rather than a certificate)"},
{"copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions when converting from CSR to x509 or vice versa"},
{"inform", OPT_INFORM, 'f',
"CSR input format to use (PEM or DER; by default try PEM first)"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
"Key for signing, and to include unless using -force_pubkey"},
{"signkey", OPT_SIGNKEY, 's',
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
"Key input format (ENGINE, other values ignored)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'f',
"Output format (DER or PEM) - default PEM"},
{"nocert", OPT_NOCERT, '-',
"No cert output (except for requested printing)"},
{"noout", OPT_NOOUT, '-', "No output (except for requested printing)"},
{ "in", OPT_IN, '<',
"Certificate input, or CSR input file with -req (default stdin)" },
{ "passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source" },
{ "new", OPT_NEW, '-', "Generate a certificate from scratch" },
{ "x509toreq", OPT_X509TOREQ, '-',
"Output a certification request (rather than a certificate)" },
{ "req", OPT_REQ, '-', "Input is a CSR file (rather than a certificate)" },
{ "copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions when converting from CSR to x509 or vice versa" },
{ "inform", OPT_INFORM, 'f',
"CSR input format to use (PEM or DER; by default try PEM first)" },
{ "vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form" },
{ "key", OPT_KEY, 's',
"Key for signing, and to include unless using -force_pubkey" },
{ "signkey", OPT_SIGNKEY, 's',
"Same as -key" },
{ "keyform", OPT_KEYFORM, 'E',
"Key input format (ENGINE, other values ignored)" },
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "outform", OPT_OUTFORM, 'f',
"Output format (DER or PEM) - default PEM" },
{ "nocert", OPT_NOCERT, '-',
"No cert output (except for requested printing)" },
{ "noout", OPT_NOOUT, '-', "No output (except for requested printing)" },
OPT_SECTION("Certificate printing"),
{"text", OPT_TEXT, '-', "Print the certificate in text form"},
{"dateopt", OPT_DATEOPT, 's',
"Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
{"certopt", OPT_CERTOPT, 's', "Various certificate text printing options"},
{"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"},
{"alias", OPT_ALIAS, '-', "Print certificate alias"},
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"startdate", OPT_STARTDATE, '-', "Print the notBefore field"},
{"enddate", OPT_ENDDATE, '-', "Print the notAfter field"},
{"dates", OPT_DATES, '-', "Print both notBefore and notAfter fields"},
{"subject", OPT_SUBJECT, '-', "Print subject DN"},
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"nameopt", OPT_NAMEOPT, 's',
"Certificate subject/issuer name printing options"},
{"email", OPT_EMAIL, '-', "Print email address(es)"},
{"hash", OPT_HASH, '-', "Synonym for -subject_hash (for backward compat)"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
{ "text", OPT_TEXT, '-', "Print the certificate in text form" },
{ "dateopt", OPT_DATEOPT, 's',
"Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822." },
{ "certopt", OPT_CERTOPT, 's', "Various certificate text printing options" },
{ "fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint" },
{ "alias", OPT_ALIAS, '-', "Print certificate alias" },
{ "serial", OPT_SERIAL, '-', "Print serial number value" },
{ "startdate", OPT_STARTDATE, '-', "Print the notBefore field" },
{ "enddate", OPT_ENDDATE, '-', "Print the notAfter field" },
{ "dates", OPT_DATES, '-', "Print both notBefore and notAfter fields" },
{ "subject", OPT_SUBJECT, '-', "Print subject DN" },
{ "issuer", OPT_ISSUER, '-', "Print issuer DN" },
{ "nameopt", OPT_NAMEOPT, 's',
"Certificate subject/issuer name printing options" },
{ "email", OPT_EMAIL, '-', "Print email address(es)" },
{ "hash", OPT_HASH, '-', "Synonym for -subject_hash (for backward compat)" },
{ "subject_hash", OPT_HASH, '-', "Print subject hash value" },
#ifndef OPENSSL_NO_MD5
{"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
{ "subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
"Print old-style (MD5) subject hash value" },
#endif
{"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
{ "issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value" },
#ifndef OPENSSL_NO_MD5
{"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) issuer hash value"},
{ "issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) issuer hash value" },
#endif
{"ext", OPT_EXT, 's',
"Restrict which X.509 extensions to print and/or copy"},
{"ocspid", OPT_OCSPID, '-',
"Print OCSP hash values for the subject name and public key"},
{"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
{"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
{"pubkey", OPT_PUBKEY, '-', "Print the public key in PEM format"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{ "ext", OPT_EXT, 's',
"Restrict which X.509 extensions to print and/or copy" },
{ "ocspid", OPT_OCSPID, '-',
"Print OCSP hash values for the subject name and public key" },
{ "ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)" },
{ "purpose", OPT_PURPOSE, '-', "Print out certificate purposes" },
{ "pubkey", OPT_PUBKEY, '-', "Print the public key in PEM format" },
{ "modulus", OPT_MODULUS, '-', "Print the RSA key modulus" },
OPT_SECTION("Certificate checking"),
{"checkend", OPT_CHECKEND, 'M',
"Check whether cert expires in the next arg seconds"},
{OPT_MORE_STR, 1, 1, "Exit 1 (failure) if so, 0 if not"},
{"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"},
{"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
{"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
{ "checkend", OPT_CHECKEND, 'M',
"Check whether cert expires in the next arg seconds" },
{ OPT_MORE_STR, 1, 1, "Exit 1 (failure) if so, 0 if not" },
{ "checkhost", OPT_CHECKHOST, 's', "Check certificate matches host" },
{ "checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email" },
{ "checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr" },
OPT_SECTION("Certificate output"),
{"set_serial", OPT_SET_SERIAL, 's',
"Serial number to use, overrides -CAserial"},
{"next_serial", OPT_NEXT_SERIAL, '-',
"Increment current certificate serial number"},
{"not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
{"not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
{"days", OPT_DAYS, 'n',
"Number of days until newly generated certificate expires - default 30"},
{"preserve_dates", OPT_PRESERVE_DATES, '-',
"Preserve existing validity dates"},
{"set_issuer", OPT_ISSU, 's', "Set or override certificate issuer"},
{"set_subject", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"},
{"subj", OPT_SUBJ, 's', "Alias for -set_subject"},
{"force_pubkey", OPT_FORCE_PUBKEY, '<',
"Key to be placed in new certificate or certificate request"},
{"clrext", OPT_CLREXT, '-',
"Do not take over any extensions from the source certificate or request"},
{"extfile", OPT_EXTFILE, '<', "Config file with X509V3 extensions to add"},
{"extensions", OPT_EXTENSIONS, 's',
"Section of extfile to use - default: unnamed section"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter, in n:v form"},
{"badsig", OPT_BADSIG, '-',
"Corrupt last byte of certificate signature (for test)"},
{"", OPT_MD, '-', "Any supported digest, used for signing and printing"},
{ "set_serial", OPT_SET_SERIAL, 's',
"Serial number to use, overrides -CAserial" },
{ "next_serial", OPT_NEXT_SERIAL, '-',
"Increment current certificate serial number" },
{ "not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field" },
{ "not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days" },
{ "days", OPT_DAYS, 'n',
"Number of days until newly generated certificate expires - default 30" },
{ "preserve_dates", OPT_PRESERVE_DATES, '-',
"Preserve existing validity dates" },
{ "set_issuer", OPT_ISSU, 's', "Set or override certificate issuer" },
{ "set_subject", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)" },
{ "subj", OPT_SUBJ, 's', "Alias for -set_subject" },
{ "force_pubkey", OPT_FORCE_PUBKEY, '<',
"Key to be placed in new certificate or certificate request" },
{ "clrext", OPT_CLREXT, '-',
"Do not take over any extensions from the source certificate or request" },
{ "extfile", OPT_EXTFILE, '<', "Config file with X509V3 extensions to add" },
{ "extensions", OPT_EXTENSIONS, 's',
"Section of extfile to use - default: unnamed section" },
{ "sigopt", OPT_SIGOPT, 's', "Signature parameter, in n:v form" },
{ "badsig", OPT_BADSIG, '-',
"Corrupt last byte of certificate signature (for test)" },
{ "", OPT_MD, '-', "Any supported digest, used for signing and printing" },
OPT_SECTION("Micro-CA"),
{"CA", OPT_CA, '<',
"Use the given CA certificate, conflicts with -key"},
{"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
{"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
{"CAkeyform", OPT_CAKEYFORM, 'E',
"CA key format (ENGINE, other values ignored)"},
{"CAserial", OPT_CASERIAL, 's',
"File that keeps track of CA-generated serial number"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create CA serial number file if it does not exist"},
{ "CA", OPT_CA, '<',
"Use the given CA certificate, conflicts with -key" },
{ "CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect" },
{ "CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg" },
{ "CAkeyform", OPT_CAKEYFORM, 'E',
"CA key format (ENGINE, other values ignored)" },
{ "CAserial", OPT_CASERIAL, 's',
"File that keeps track of CA-generated serial number" },
{ "CAcreateserial", OPT_CACREATESERIAL, '-',
"Create CA serial number file if it does not exist" },
OPT_SECTION("Certificate trust output"),
{"trustout", OPT_TRUSTOUT, '-', "Mark certificate PEM output as trusted"},
{"setalias", OPT_SETALIAS, 's', "Set certificate alias (nickname)"},
{"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
{"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
{"clrreject", OPT_CLRREJECT, '-',
"Clears all the prohibited or rejected uses of the certificate"},
{"addreject", OPT_ADDREJECT, 's',
"Reject certificate for a given purpose"},
{ "trustout", OPT_TRUSTOUT, '-', "Mark certificate PEM output as trusted" },
{ "setalias", OPT_SETALIAS, 's', "Set certificate alias (nickname)" },
{ "clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes" },
{ "addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose" },
{ "clrreject", OPT_CLRREJECT, '-',
"Clears all the prohibited or rejected uses of the certificate" },
{ "addreject", OPT_ADDREJECT, 's',
"Reject certificate for a given purpose" },
OPT_R_OPTIONS,
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
static void warn_copying(ASN1_OBJECT *excluded, const char *names)
@@ -195,8 +252,8 @@ static void warn_copying(ASN1_OBJECT *excluded, const char *names)
if (names != NULL && strstr(names, sn) != NULL)
BIO_printf(bio_err,
"Warning: -ext should not specify copying %s extension to CSR; ignoring this\n",
sn);
"Warning: -ext should not specify copying %s extension to CSR; ignoring this\n",
sn);
}
static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
@@ -224,13 +281,13 @@ static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
if (OBJ_cmp(obj, skid) != 0 && OBJ_cmp(obj, akid) != 0
&& !sk_X509_EXTENSION_push(exts, ex))
&& !sk_X509_EXTENSION_push(exts, ex))
goto err;
}
if (sk_X509_EXTENSION_num(exts) > 0) {
if (ext_copy != EXT_COPY_UNSET && ext_copy != EXT_COPY_NONE
&& !X509_REQ_add_extensions(req, exts)) {
&& !X509_REQ_add_extensions(req, exts)) {
BIO_printf(bio_err, "Error copying extensions from certificate\n");
goto err;
}
@@ -238,7 +295,7 @@ static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
sk_X509_EXTENSION_free(exts);
return req;
err:
err:
sk_X509_EXTENSION_free(exts);
X509_REQ_free(req);
return NULL;
@@ -317,7 +374,7 @@ int x509_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto err;
case OPT_HELP:
@@ -357,14 +414,14 @@ int x509_main(int argc, char **argv)
case OPT_DATEOPT:
if (!set_dateopt(&dateopt, opt_arg())) {
BIO_printf(bio_err,
"Invalid date format: %s\n", opt_arg());
"Invalid date format: %s\n", opt_arg());
goto err;
}
break;
case OPT_COPY_EXTENSIONS:
if (!set_ext_copy(&ext_copy, opt_arg())) {
BIO_printf(bio_err,
"Invalid extension copy option: %s\n", opt_arg());
"Invalid extension copy option: %s\n", opt_arg());
goto err;
}
break;
@@ -391,7 +448,7 @@ int x509_main(int argc, char **argv)
days = atoi(opt_arg());
if (days <= UNSET_DAYS) {
BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",
prog);
prog);
goto err;
}
break;
@@ -450,7 +507,7 @@ int x509_main(int argc, char **argv)
goto err;
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err, "%s: Invalid trust object value %s\n",
prog, opt_arg());
prog, opt_arg());
goto opthelp;
}
sk_ASN1_OBJECT_push(trust, objtmp);
@@ -461,7 +518,7 @@ int x509_main(int argc, char **argv)
goto err;
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err, "%s: Invalid reject object value %s\n",
prog, opt_arg());
prog, opt_arg());
goto opthelp;
}
sk_ASN1_OBJECT_push(reject, objtmp);
@@ -589,7 +646,7 @@ int x509_main(int argc, char **argv)
checkoffset = (time_t)temp;
if ((ossl_intmax_t)checkoffset != temp) {
BIO_printf(bio_err, "%s: Checkend time out of range %s\n",
prog, opt_arg());
prog, opt_arg());
goto opthelp;
}
}
@@ -644,7 +701,7 @@ int x509_main(int argc, char **argv)
}
if (!X509_STORE_set_default_paths_ex(ctx, app_get0_libctx(),
app_get0_propq()))
app_get0_propq()))
goto err;
if (newcert && infile != NULL) {
@@ -662,27 +719,28 @@ int x509_main(int argc, char **argv)
}
if (pubkeyfile != NULL) {
if ((pubkey = load_pubkey(pubkeyfile, keyformat, 0, NULL, e,
"explicitly set public key")) == NULL)
"explicitly set public key"))
== NULL)
goto err;
}
if (newcert) {
if (subj == NULL) {
BIO_printf(bio_err,
"The -new option requires a subject to be set using -subj\n");
"The -new option requires a subject to be set using -subj\n");
goto err;
}
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
"The -new option requires using the -key or -force_pubkey option\n");
"The -new option requires using the -key or -force_pubkey option\n");
goto err;
}
}
if (issu != NULL
&& (fissu = parse_name(issu, chtype, multirdn, "issuer")) == NULL)
&& (fissu = parse_name(issu, chtype, multirdn, "issuer")) == NULL)
goto err;
if (subj != NULL
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
goto err;
if (CAkeyfile == NULL)
@@ -694,7 +752,7 @@ int x509_main(int argc, char **argv)
}
} else {
#define WARN_NO_CA(opt) BIO_printf(bio_err, \
"Warning: ignoring " opt " option since -CA option is not given\n");
"Warning: ignoring " opt " option since -CA option is not given\n");
if (CAkeyfile != NULL)
WARN_NO_CA("-CAkey");
if (CAkeyformat != FORMAT_UNDEF)
@@ -710,7 +768,7 @@ int x509_main(int argc, char **argv)
if (extfile == NULL) {
if (extsect != NULL)
BIO_printf(bio_err,
"Warning: ignoring -extensions option without -extfile\n");
"Warning: ignoring -extensions option without -extfile\n");
} else {
X509V3_CTX ctx2;
@@ -725,7 +783,7 @@ int x509_main(int argc, char **argv)
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
BIO_printf(bio_err,
"Error checking extension section %s\n", extsect);
"Error checking extension section %s\n", extsect);
goto err;
}
}
@@ -733,9 +791,9 @@ int x509_main(int argc, char **argv)
if (reqfile) {
if (infile == NULL && isatty(fileno_stdin()))
BIO_printf(bio_err,
"Warning: Reading cert request from stdin since no -in option is given\n");
"Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr_autofmt(infile, informat, vfyopts,
"certificate request input");
"certificate request input");
if (req == NULL)
goto err;
@@ -745,9 +803,7 @@ int x509_main(int argc, char **argv)
}
i = do_X509_REQ_verify(req, pkey, vfyopts);
if (i <= 0) {
BIO_printf(bio_err, i < 0
? "Error while verifying certificate request self-signature\n"
: "Certificate request self-signature did not match the contents\n");
BIO_printf(bio_err, i < 0 ? "Error while verifying certificate request self-signature\n" : "Certificate request self-signature did not match the contents\n");
goto err;
}
BIO_printf(bio_err, "Certificate request self-signature ok\n");
@@ -760,11 +816,11 @@ int x509_main(int argc, char **argv)
if (reqfile || newcert) {
if (preserve_dates)
BIO_printf(bio_err,
"Warning: ignoring -preserve_dates option with -req or -new\n");
"Warning: ignoring -preserve_dates option with -req or -new\n");
preserve_dates = 0;
if (privkeyfile == NULL && CAkeyfile == NULL) {
BIO_printf(bio_err,
"We need a private key to sign with, use -key or -CAkey or -CA with private key\n");
"We need a private key to sign with, use -key or -CAkey or -CA with private key\n");
goto err;
}
if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
@@ -786,19 +842,17 @@ int x509_main(int argc, char **argv)
} else {
if (infile == NULL && isatty(fileno_stdin()))
BIO_printf(bio_err,
"Warning: Reading certificate from stdin since no -in or -new option is given\n");
"Warning: Reading certificate from stdin since no -in or -new option is given\n");
x = load_cert_pass(infile, informat, 1, passin, "certificate");
if (x == NULL)
goto err;
}
if ((fsubj != NULL || req != NULL)
&& !X509_set_subject_name(x, fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req)))
&& !X509_set_subject_name(x, fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req)))
goto err;
if ((pubkey != NULL || privkey != NULL || req != NULL)
&& !X509_set_pubkey(x, pubkey != NULL ? pubkey :
privkey != NULL ? privkey :
X509_REQ_get0_pubkey(req)))
&& !X509_set_pubkey(x, pubkey != NULL ? pubkey : privkey != NULL ? privkey
: X509_REQ_get0_pubkey(req)))
goto err;
if (CAfile != NULL) {
@@ -851,7 +905,7 @@ int x509_main(int argc, char **argv)
} else {
if (privkey != NULL && !cert_matches_key(x, privkey))
BIO_printf(bio_err,
"Warning: Signature key and public key of cert do not match\n");
"Warning: Signature key and public key of cert do not match\n");
}
if (sno != NULL && !X509_set_serialNumber(x, sno))
@@ -879,7 +933,7 @@ int x509_main(int argc, char **argv)
X509V3_set_nconf(&ext_ctx, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ext_ctx, extsect, x)) {
BIO_printf(bio_err,
"Error adding extensions from section %s\n", extsect);
"Error adding extensions from section %s\n", extsect);
goto err;
}
}
@@ -907,7 +961,7 @@ int x509_main(int argc, char **argv)
X509V3_set_nconf(&ext_ctx, extconf);
if (!X509V3_EXT_REQ_add_nconf(extconf, &ext_ctx, extsect, rq)) {
BIO_printf(bio_err,
"Error adding request extensions from section %s\n", extsect);
"Error adding request extensions from section %s\n", extsect);
goto err;
}
}
@@ -922,18 +976,19 @@ int x509_main(int argc, char **argv)
}
if (!i) {
BIO_printf(bio_err,
"Unable to write certificate request\n");
"Unable to write certificate request\n");
goto err;
}
}
noout = 1;
} else if (CAfile != NULL) {
if ((CAkey = load_key(CAkeyfile, CAkeyformat,
0, passin, e, "CA private key")) == NULL)
0, passin, e, "CA private key"))
== NULL)
goto err;
if (!X509_check_private_key(xca, CAkey)) {
BIO_printf(bio_err,
"CA certificate and CA private key do not match\n");
"CA certificate and CA private key do not match\n");
goto err;
}
@@ -967,7 +1022,7 @@ int x509_main(int argc, char **argv)
if (bnser == NULL)
goto err;
if (!BN_add_word(bnser, 1)
|| (ser = BN_to_ASN1_INTEGER(bnser, NULL)) == NULL) {
|| (ser = BN_to_ASN1_INTEGER(bnser, NULL)) == NULL) {
BN_free(bnser);
goto err;
}
@@ -976,8 +1031,7 @@ int x509_main(int argc, char **argv)
ASN1_INTEGER_free(ser);
BIO_puts(out, "\n");
} else if (i == email || i == ocsp_uri) {
STACK_OF(OPENSSL_STRING) *emlst =
i == email ? X509_get1_email(x) : X509_get1_ocsp(x);
STACK_OF(OPENSSL_STRING) *emlst = i == email ? X509_get1_email(x) : X509_get1_ocsp(x);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
BIO_printf(out, "%s\n", sk_OPENSSL_STRING_value(emlst, j));
@@ -1048,7 +1102,8 @@ int x509_main(int argc, char **argv)
fdigname = "SHA1";
if ((fdig = EVP_MD_fetch(app_get0_libctx(), fdigname,
app_get0_propq())) == NULL) {
app_get0_propq()))
== NULL) {
BIO_printf(bio_err, "Unknown digest\n");
goto err;
}
@@ -1107,10 +1162,10 @@ int x509_main(int argc, char **argv)
ret = 0;
goto end;
err:
err:
ERR_print_errors(bio_err);
end:
end:
NCONF_free(extconf);
BIO_free_all(out);
X509_STORE_free(ctx);
@@ -1134,7 +1189,7 @@ int x509_main(int argc, char **argv)
}
static ASN1_INTEGER *x509_load_serial(const char *CAfile,
const char *serialfile, int create)
const char *serialfile, int create)
{
char *buf = NULL;
ASN1_INTEGER *bs = NULL;
@@ -1166,7 +1221,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
else
bs = BN_to_ASN1_INTEGER(serial, NULL);
end:
end:
OPENSSL_free(buf);
BN_free(serial);
return bs;
@@ -1189,9 +1244,9 @@ static int callb(int ok, X509_STORE_CTX *ctx)
err_cert = X509_STORE_CTX_get_current_cert(ctx);
print_name(bio_err, "subject=", X509_get_subject_name(err_cert));
BIO_printf(bio_err,
"Error with certificate - error %d at depth %d\n%s\n", err,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(err));
"Error with certificate - error %d at depth %d\n%s\n", err,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(err));
return 1;
}
@@ -1300,7 +1355,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names)
}
ret = X509V3_extensions_print(bio, NULL, exts2, 0, 0);
end:
end:
sk_X509_EXTENSION_free(exts2);
OPENSSL_free(names);
OPENSSL_free(tmp_ext_names);

2
crypto/LPdir_nyi.c
View File

@@ -37,7 +37,7 @@
*/
#ifndef LPDIR_H
# include "LPdir.h"
#include "LPdir.h"
#endif
struct LP_dir_context_st {

23
crypto/LPdir_unix.c
View File

@@ -44,10 +44,10 @@
#include <dirent.h>
#include <errno.h>
#ifndef LPDIR_H
# include "LPdir.h"
#include "LPdir.h"
#endif
#ifdef __VMS
# include <ctype.h>
#include <ctype.h>
#endif
/*
@@ -57,9 +57,9 @@
* if it doesn't exist, use NAME_MAX.
*/
#if defined(PATH_MAX)
# define LP_ENTRY_SIZE PATH_MAX
#define LP_ENTRY_SIZE PATH_MAX
#elif defined(NAME_MAX)
# define LP_ENTRY_SIZE NAME_MAX
#define LP_ENTRY_SIZE NAME_MAX
#endif
/*
@@ -68,9 +68,9 @@
* small value (HP-UX offers 14), so we need to check if we got a result, and
* if it meets a minimum standard, and create or change it if not.
*/
#if !defined(LP_ENTRY_SIZE) || LP_ENTRY_SIZE<255
# undef LP_ENTRY_SIZE
# define LP_ENTRY_SIZE 255
#if !defined(LP_ENTRY_SIZE) || LP_ENTRY_SIZE < 255
#undef LP_ENTRY_SIZE
#define LP_ENTRY_SIZE 255
#endif
struct LP_dir_context_st {
@@ -121,9 +121,9 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
#ifdef __VMS
strncpy((*ctx)->previous_entry_name, (*ctx)->entry_name,
sizeof((*ctx)->previous_entry_name));
sizeof((*ctx)->previous_entry_name));
again:
again:
#endif
direntry = readdir((*ctx)->dir);
@@ -132,7 +132,7 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
}
OPENSSL_strlcpy((*ctx)->entry_name, direntry->d_name,
sizeof((*ctx)->entry_name));
sizeof((*ctx)->entry_name));
#ifdef __VMS
if ((*ctx)->expect_file_generations) {
char *p = (*ctx)->entry_name + strlen((*ctx)->entry_name);
@@ -142,7 +142,8 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
if (p > (*ctx)->entry_name && p[-1] == ';')
p[-1] = '\0';
if (OPENSSL_strcasecmp((*ctx)->entry_name,
(*ctx)->previous_entry_name) == 0)
(*ctx)->previous_entry_name)
== 0)
goto again;
}
#endif

24
crypto/LPdir_vms.c
View File

@@ -49,13 +49,13 @@
#include <str$routines.h>
#include <stsdef.h>
#ifndef LPDIR_H
# include "LPdir.h"
#include "LPdir.h"
#endif
#include "vms_rms.h"
/* Some compiler options hide EVMSERR. */
#ifndef EVMSERR
# define EVMSERR 65535 /* error for non-translatable VMS errors */
#define EVMSERR 65535 /* error for non-translatable VMS errors */
#endif
struct LP_dir_context_st {
@@ -75,12 +75,12 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
/* Arrange 32-bit pointer to (copied) string storage, if needed. */
#if __INITIAL_POINTER_SIZE == 64
# pragma pointer_size save
# pragma pointer_size 32
#pragma pointer_size save
#pragma pointer_size 32
char *ctx_filespec_32p;
# pragma pointer_size restore
#pragma pointer_size restore
char ctx_filespec_32[NAMX_MAXRSS + 1];
#endif /* __INITIAL_POINTER_SIZE == 64 */
#endif /* __INITIAL_POINTER_SIZE == 64 */
#ifdef NAML$C_MAXRSS
flags |= LIB$M_FIL_LONG_NAMES;
@@ -109,7 +109,7 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
return 0;
}
filespeclen += 4; /* "*.*;" */
filespeclen += 4; /* "*.*;" */
if (filespeclen > NAMX_MAXRSS) {
errno = ENAMETOOLONG;
@@ -128,13 +128,13 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
/* Arrange 32-bit pointer to (copied) string storage, if needed. */
#if __INITIAL_POINTER_SIZE == 64
# define CTX_FILESPEC ctx_filespec_32p
#define CTX_FILESPEC ctx_filespec_32p
/* Copy the file name to storage with a 32-bit pointer. */
ctx_filespec_32p = ctx_filespec_32;
strcpy(ctx_filespec_32p, (*ctx)->filespec);
#else /* __INITIAL_POINTER_SIZE == 64 */
# define CTX_FILESPEC (*ctx)->filespec
#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
#else /* __INITIAL_POINTER_SIZE == 64 */
#define CTX_FILESPEC (*ctx)->filespec
#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
(*ctx)->filespec_dsc.dsc$w_length = filespeclen;
(*ctx)->filespec_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
@@ -148,7 +148,7 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
(*ctx)->result_dsc.dsc$a_pointer = 0;
status = lib$find_file(&(*ctx)->filespec_dsc, &(*ctx)->result_dsc,
&(*ctx)->VMS_context, 0, 0, 0, &flags);
&(*ctx)->VMS_context, 0, 0, 0, &flags);
if (status == RMS$_NMF) {
errno = 0;

35
crypto/LPdir_win.c
View File

@@ -40,7 +40,7 @@
#include <tchar.h>
#include "internal/numbers.h"
#ifndef LPDIR_H
# include "LPdir.h"
#include "LPdir.h"
#endif
/*
@@ -49,20 +49,20 @@
* builds are compiled with -DUNICODE [as well as -D_UNICODE].
*/
#if defined(LP_SYS_WINCE) && !defined(FindFirstFile)
# define FindFirstFile FindFirstFileW
#define FindFirstFile FindFirstFileW
#endif
#if defined(LP_SYS_WINCE) && !defined(FindNextFile)
# define FindNextFile FindNextFileW
#define FindNextFile FindNextFileW
#endif
#ifndef NAME_MAX
# define NAME_MAX 255
#define NAME_MAX 255
#endif
#ifdef CP_UTF8
# define CP_DEFAULT CP_UTF8
#define CP_DEFAULT CP_UTF8
#else
# define CP_DEFAULT CP_ACP
#define CP_DEFAULT CP_ACP
#endif
struct LP_dir_context_st {
@@ -103,16 +103,17 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
UINT cp;
do {
# ifdef CP_UTF8
#ifdef CP_UTF8
if ((sz = MultiByteToWideChar((cp = CP_UTF8), 0,
directory, len_0,
NULL, 0)) > 0 ||
GetLastError() != ERROR_NO_UNICODE_TRANSLATION)
directory, len_0,
NULL, 0))
> 0
|| GetLastError() != ERROR_NO_UNICODE_TRANSLATION)
break;
# endif
#endif
sz = MultiByteToWideChar((cp = CP_ACP), 0,
directory, len_0,
NULL, 0);
directory, len_0,
NULL, 0);
} while (0);
if (sz > 0) {
@@ -122,7 +123,7 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
*/
wdir = _alloca((sz + 2) * sizeof(TCHAR));
if (!MultiByteToWideChar(cp, 0, directory, len_0,
(WCHAR *)wdir, sz)) {
(WCHAR *)wdir, sz)) {
free(*ctx);
*ctx = NULL;
errno = EINVAL;
@@ -187,14 +188,14 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
#ifdef LP_MULTIBYTE_AVAILABLE
if (!WideCharToMultiByte(CP_DEFAULT, 0, (WCHAR *)wdir, len_0,
(*ctx)->entry_name,
sizeof((*ctx)->entry_name), NULL, 0))
(*ctx)->entry_name,
sizeof((*ctx)->entry_name), NULL, 0))
#endif
for (index = 0; index < len_0; index++)
(*ctx)->entry_name[index] = (char)wdir[index];
} else
strncpy((*ctx)->entry_name, (const char *)(*ctx)->ctx.cFileName,
sizeof((*ctx)->entry_name) - 1);
sizeof((*ctx)->entry_name) - 1);
(*ctx)->entry_name[sizeof((*ctx)->entry_name) - 1] = '\0';

8
crypto/aes/aes_cbc.c
View File

@@ -18,14 +18,14 @@
#include <openssl/modes.h>
void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
unsigned char *ivec, const int enc)
size_t len, const AES_KEY *key,
unsigned char *ivec, const int enc)
{
if (enc)
CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
(block128_f) AES_encrypt);
(block128_f)AES_encrypt);
else
CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
(block128_f) AES_decrypt);
(block128_f)AES_decrypt);
}

18
crypto/aes/aes_cfb.c
View File

@@ -23,27 +23,27 @@
*/
void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
{
CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
(block128_f) AES_encrypt);
(block128_f)AES_encrypt);
}
/* N.B. This expects the input to be packed, MS bit first */
void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
{
CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
(block128_f) AES_encrypt);
(block128_f)AES_encrypt);
}
void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
size_t length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc)
{
CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
(block128_f) AES_encrypt);
(block128_f)AES_encrypt);
}

Some files were not shown because too many files have changed in this diff Show More