diff options
| author | Brian Carlstrom <bdc@google.com> | 2010-03-09 09:56:55 -0800 |
|---|---|---|
| committer | Brian Carlstrom <bdc@google.com> | 2010-03-09 09:56:55 -0800 |
| commit | 98d58bb80c64b02a33662f0ea80351d4a1535267 (patch) | |
| tree | 888bb3c433b6adb3778f6c3539e67ba6e6fc2639 /apps | |
| parent | 1ddd788de7dc2f73716b032bdaeb988dccd95ab5 (diff) | |
| download | replicant_openssl-98d58bb80c64b02a33662f0ea80351d4a1535267.zip replicant_openssl-98d58bb80c64b02a33662f0ea80351d4a1535267.tar.gz replicant_openssl-98d58bb80c64b02a33662f0ea80351d4a1535267.tar.bz2 | |
Summary: upgrading to openssl-0.9.8m and adding new testssl.sh
Testing Summary:
- Passed new android.testssl/testssl.sh
- General testing with BrowserActivity based program
Details:
Expanded detail in README.android about how to build and test openssl
upgrades based on my first experience.
modified: README.android
Significant rework of import_openssl.sh script that does most of
the work of the upgrade. Most of the existing code became the main
and import functions. The newly regenerate code helps regenerate
patch files, building on the fact that import now keeps and
original unmodified read-only source tree for use for patch
generation. Patch generation relies on additions to openssl.config
for defining which patches include which files. Note that
sometimes a file may be patched multiple times, in that case
manual review is still necessary to prune the patch after
auto-regeneration. Other enhancements to import_openssl.sh include
generating android.testssl and printing Makefile defines for
android-config.mk review.
modified: import_openssl.sh
Test support files for openssl/
Add support for building /system/bin/ssltest as test executible for
use by testssl script. Need confirmation that this is the right way
to define such a test binary.
modified: patches/ssl_Android.mk
Driver script that generates user and CA keys and certs on the
device with /system/bin/openssl before running testssl. Based on
openssl/test/testss for generation and openssl/test/Makefile
test_ssl for test execution.
new file: patches/testssl.sh
Note all following android.testssl files are automatically
imported from openssl, although possible with modifications by
import_openssl.sh
testssl script imported from openssl/test that does the bulk of
the testing. Includes new tests patched in for our additions.
new file: android.testssl/testssl
CA and user certificate configuration files from openssl.
Automatically imported from openssl/test/
new file: android.testssl/CAss.cnf
new file: android.testssl/Uss.cnf
certificate and key test file imported from openssl/apps
new file: android.testssl/server2.pem
Actual 0.9.8m upgrade specific bits
Trying to bring ngm's small records support into 0.9.8m. Needs
signoff by ngm although it does pass testing.
modified: patches/small_records.patch
Update openssl.config for 0.9.8m. Expanded lists of undeeded
directories and files for easier update and review, adding new
excludes. Also added new definitions to support "import_openssl.sh
regenerate" for patch updating.
modified: openssl.config
Updated OPENSSL_VERSION to 0.9.8m
modified: openssl.version
Automatically imported/patched files. Seems like it could be
further pruned in by openssl.config UNNEEDED_SOURCES, but extra
stuff doesn't end up impacting device.
modified: apps/...
modified: crypto/...
modified: include/...
modified: ssl/...
Other Android build stuff.
Note for these patches/... is source, .../Android.mk is derived.
Split LOCAL_CFLAGS additions into lines based on openssl/Makefile
source for easier comparison when upgrading. I knowingly left the
lines long and unwrapped for easy vdiff with openssl/Makefile
modified: android-config.mk
Removed local -DOPENSSL_NO_ECDH already in android-config.mk.
modified: patches/apps_Android.mk
Sync up with changes that had crept into derived crypto/Android.mk
modified: patches/crypto_Android.mk
Change-Id: I73204c56cdaccfc45d03a9c8088a6a93003d7ce6
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/Android.mk | 5 | ||||
| -rw-r--r-- | apps/CA.sh | 121 | ||||
| -rw-r--r-- | apps/Makefile | 71 | ||||
| -rw-r--r-- | apps/apps.c | 2 | ||||
| -rw-r--r-- | apps/ca.c | 69 | ||||
| -rw-r--r-- | apps/dsa.c | 2 | ||||
| -rw-r--r-- | apps/dsaparam.c | 6 | ||||
| -rw-r--r-- | apps/enc.c | 7 | ||||
| -rw-r--r-- | apps/gendsa.c | 6 | ||||
| -rw-r--r-- | apps/genpkey.c | 440 | ||||
| -rw-r--r-- | apps/genrsa.c | 8 | ||||
| -rw-r--r-- | apps/install.com | 44 | ||||
| -rw-r--r-- | apps/makeapps.com | 240 | ||||
| -rw-r--r-- | apps/openssl.c | 10 | ||||
| -rw-r--r-- | apps/pkcs12.c | 6 | ||||
| -rw-r--r-- | apps/pkey.c | 284 | ||||
| -rw-r--r-- | apps/pkeyparam.c | 201 | ||||
| -rw-r--r-- | apps/pkeyutl.c | 570 | ||||
| -rw-r--r-- | apps/req.c | 6 | ||||
| -rw-r--r-- | apps/s_apps.h | 3 | ||||
| -rw-r--r-- | apps/s_cb.c | 105 | ||||
| -rw-r--r-- | apps/s_client.c | 43 | ||||
| -rw-r--r-- | apps/s_server.c | 56 | ||||
| -rw-r--r-- | apps/s_socket.c | 6 | ||||
| -rw-r--r-- | apps/speed.c | 26 | ||||
| -rw-r--r-- | apps/ts.c | 1144 | ||||
| -rw-r--r-- | apps/tsget | 195 | ||||
| -rw-r--r-- | apps/x509.c | 1 |
28 files changed, 559 insertions, 3118 deletions
diff --git a/apps/Android.mk b/apps/Android.mk index d4e701f..e9a4981 100644 --- a/apps/Android.mk +++ b/apps/Android.mk @@ -24,11 +24,8 @@ LOCAL_C_INCLUDES := \ LOCAL_CFLAGS := -DMONOLITH -LOCAL_CFLAGS += -DOPENSSL_NO_ECDH - include $(LOCAL_PATH)/../android-config.mk - # These flags omit whole features from the commandline "openssl". # However, portions of these features are actually turned on. LOCAL_CFLAGS += -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_DTLS1 @@ -36,6 +33,6 @@ LOCAL_CFLAGS += -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_DTLS1 LOCAL_MODULE:= openssl -LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_TAGS := tests include $(BUILD_EXECUTABLE) @@ -5,10 +5,10 @@ # things easier between now and when Eric is convinced to fix it :-) # # CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request -# CA -sign ... will sign the generated request and output +# CA -newreq ... will generate a certificate request +# CA -sign ... will sign the generated request and output # -# At the end of that grab newreq.pem and newcert.pem (one has the key +# At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what # you want/need ... I'll make even this a little cleaner later. # @@ -16,8 +16,8 @@ # 12-Jan-96 tjh Added more things ... including CA -signcert which # converts a certificate to a request and then signs it. # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. +# environment variable so this can be driven from +# a script. # 25-Jul-96 eay Cleaned up filenames some more. # 11-Jun-96 eay Fixed a few filename missmatches. # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. @@ -29,52 +29,87 @@ # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored +cp_pem() { + infile=$1 + outfile=$2 + bound=$3 + flag=0 + exec <$infile; + while read line; do + if [ $flag -eq 1 ]; then + echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ] ; then + echo $line >>$outfile + break + else + echo $line >>$outfile + fi + fi + + echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ]; then + echo $line >$outfile + flag=1 + fi + done +} + +usage() { + echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 +} if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi -DAYS="-days 365" # 1 year +if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year CADAYS="-days 1095" # 3 years REQ="$OPENSSL req $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" VERIFY="$OPENSSL verify" X509="$OPENSSL x509" +PKCS12="openssl pkcs12" -CATOP=./demoCA +if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi CAKEY=./cakey.pem CAREQ=./careq.pem CACERT=./cacert.pem -for i -do -case $i in +RET=0 + +while [ "$1" != "" ] ; do +case $1 in -\?|-h|-help) - echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 + usage exit 0 ;; --newcert) +-newcert) # create a certificate $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS RET=$? echo "Certificate is in newcert.pem, private key is in newkey.pem" ;; --newreq) +-newreq) # create a certificate request $REQ -new -keyout newkey.pem -out newreq.pem $DAYS RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" ;; --newca) +-newreq-nodes) + # create a certificate request + $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS + RET=$? + echo "Request (and private key) is in newreq.pem" + ;; +-newca) # if explicitly asked for or it doesn't exist then setup the directory - # structure that Eric likes to manage things + # structure that Eric likes to manage things NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy - mkdir ${CATOP} - mkdir ${CATOP}/certs - mkdir ${CATOP}/crl - mkdir ${CATOP}/newcerts - mkdir ${CATOP}/private - echo "00" > ${CATOP}/serial + mkdir -p ${CATOP} + mkdir -p ${CATOP}/certs + mkdir -p ${CATOP}/crl + mkdir -p ${CATOP}/newcerts + mkdir -p ${CATOP}/private touch ${CATOP}/index.txt fi if [ ! -f ${CATOP}/private/$CAKEY ]; then @@ -83,37 +118,60 @@ case $i in # ask user for existing CA certificate if [ "$FILE" ]; then - cp $FILE ${CATOP}/private/$CAKEY + cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE + cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE RET=$? + if [ ! -f "${CATOP}/serial" ]; then + $X509 -in ${CATOP}/$CACERT -noout -next_serial \ + -out ${CATOP}/serial + fi else echo "Making CA certificate ..." $REQ -new -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CAREQ - $CA -out ${CATOP}/$CACERT $CADAYS -batch \ + $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ - -infiles ${CATOP}/$CAREQ + -extensions v3_ca \ + -infiles ${CATOP}/$CAREQ RET=$? fi fi ;; -xsign) - $CA -policy policy_anything -infiles newreq.pem + $CA -policy policy_anything -infiles newreq.pem RET=$? ;; --sign|-signreq) +-pkcs12) + if [ -z "$2" ] ; then + CNAME="My Certificate" + else + CNAME="$2" + fi + $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ + -out newcert.p12 -export -name "$CNAME" + RET=$? + exit $RET + ;; +-sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --signcert) +-signCA) + $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem + RET=$? + echo "Signed CA certificate is in newcert.pem" + ;; +-signcert) echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem + RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --verify) +-verify) shift if [ -z "$1" ]; then $VERIFY -CAfile $CATOP/$CACERT newcert.pem @@ -127,13 +185,14 @@ case $i in fi done fi - exit 0 + exit $RET ;; *) - echo "Unknown arg $i"; + echo "Unknown arg $i" >&2 + usage exit 1 ;; esac +shift done exit $RET - diff --git a/apps/Makefile b/apps/Makefile index 402981a..a548815 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -153,17 +153,19 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} - -(cd ..; \ - OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ - $(PERL) tools/c_rehash certs) + @if [ -z "$(CROSS_COMPILE)" ]; then \ + (cd ..; \ + OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ + $(PERL) tools/c_rehash certs) \ + fi progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h @@ -750,13 +752,14 @@ s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c +s_cb.o: ../include/openssl/rand.h ../include/openssl/safestack.h +s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_cb.o: s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -805,28 +808,28 @@ s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h -s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h -s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_socket.o: s_apps.h s_socket.c +s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h +s_socket.o: ../include/openssl/bio.h ../include/openssl/bn.h +s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_socket.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_socket.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h diff --git a/apps/apps.c b/apps/apps.c index 498722a..35b62b8 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_X509_STRICT; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; @@ -216,7 +216,6 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, @@ -227,7 +226,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); static int get_certificate_status(const char *ser_status, CA_DB *db); static int do_updatedb(CA_DB *db); -static int check_time_format(char *str); +static int check_time_format(const char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, const char *str); int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); @@ -858,8 +857,8 @@ bad: perror(outdir); goto err; } -#ifdef S_IFDIR - if (!(sb.st_mode & S_IFDIR)) +#ifdef S_ISDIR + if (!S_ISDIR(sb.st_mode)) { BIO_printf(bio_err,"%s need to be a directory\n",outdir); perror(outdir); @@ -895,7 +894,7 @@ bad: BIO_printf(bio_err," in entry %d\n", i+1); goto err; } - if (!check_time_format((char *)pp[DB_exp_date])) + if (!check_time_format(pp[DB_exp_date])) { BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1); goto err; @@ -1249,7 +1248,12 @@ bad: BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total); (void)BIO_flush(bio_err); buf[0][0]='\0'; - fgets(buf[0],10,stdin); + if (!fgets(buf[0],10,stdin)) + { + BIO_printf(bio_err,"CERTIFICATION CANCELED: I/O error\n"); + ret=0; + goto err; + } if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); @@ -2091,7 +2095,7 @@ again2: } BIO_printf(bio_err,"Certificate is to be certified until "); - ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); + ASN1_TIME_print(bio_err,X509_get_notAfter(ret)); if (days) BIO_printf(bio_err," (%ld days)",days); BIO_printf(bio_err, "\n"); @@ -2101,7 +2105,12 @@ again2: BIO_printf(bio_err,"Sign the certificate? [y/n]:"); (void)BIO_flush(bio_err); buf[0]='\0'; - fgets(buf,sizeof(buf)-1,stdin); + if (!fgets(buf,sizeof(buf)-1,stdin)) + { + BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); + ok=0; + goto err; + } if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); @@ -2317,25 +2326,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, continue; } - /* - if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) - continue; - */ - - j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); - if (fix_data(nid, &j) == 0) - { - BIO_printf(bio_err, - "invalid characters in string %s\n",buf); - goto err; - } - - if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, - (unsigned char *)buf, - strlen(buf))) == NULL) + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + (unsigned char *)buf, -1, -1, 0)) goto err; - - if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; } if (spki == NULL) { @@ -2378,29 +2371,17 @@ err: return(ok); } -static int fix_data(int nid, int *type) - { - if (nid == NID_pkcs9_emailAddress) - *type=V_ASN1_IA5STRING; - if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) - return(0); - if (nid == NID_pkcs9_unstructuredName) - *type=V_ASN1_IA5STRING; - return(1); - } - -static int check_time_format(char *str) +static int check_time_format(const char *str) { - ASN1_UTCTIME tm; + ASN1_TIME tm; tm.data=(unsigned char *)str; tm.length=strlen(str); tm.type=V_ASN1_UTCTIME; - return(ASN1_UTCTIME_check(&tm)); + if (ASN1_TIME_check(&tm)) + return 1; + tm.type=V_ASN1_GENERALIZEDTIME; + return ASN1_TIME_check(&tm); } static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) @@ -65,11 +65,11 @@ #include "apps.h" #include <openssl/bio.h> #include <openssl/err.h> -#include <openssl/dsa.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/bn.h> +#include <openssl/dsa.h> #undef PROG #define PROG dsa_main diff --git a/apps/dsaparam.c b/apps/dsaparam.c index c301e81..4305a73 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb) #endif return 1; } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif @@ -226,7 +226,12 @@ int MAIN(int argc, char **argv) goto bad; } buf[0]='\0'; - fgets(buf,sizeof buf,infile); + if (!fgets(buf,sizeof buf,infile)) + { + BIO_printf(bio_err,"unable to read key from '%s'\n", + file); + goto bad; + } fclose(infile); i=strlen(buf); if ((i > 0) && diff --git a/apps/gendsa.c b/apps/gendsa.c index 8a296c6..22c3962 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -279,4 +279,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/apps/genpkey.c b/apps/genpkey.c deleted file mode 100644 index 6dfda08..0000000 --- a/apps/genpkey.c +++ /dev/null @@ -1,440 +0,0 @@ -/* apps/genpkey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e); -static int genpkey_cb(EVP_PKEY_CTX *ctx); - -#define PROG genpkey_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - ENGINE *e = NULL; - char **args, *outfile = NULL; - char *passarg = NULL; - BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int outformat; - int text = 0; - EVP_PKEY *pkey=NULL; - EVP_PKEY_CTX *ctx = NULL; - char *pass = NULL; - int badarg = 0; - int ret = 1, rv; - - int do_param = 0; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - outformat=FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp(*args,"-outform")) - { - if (args[1]) - { - args++; - outformat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-pass")) - { - if (!args[1]) goto bad; - passarg= *(++args); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) - goto bad; - e = setup_engine(bio_err, *(++args), 0); - } -#endif - else if (!strcmp (*args, "-paramfile")) - { - if (!args[1]) - goto bad; - args++; - if (do_param == 1) - goto bad; - if (!init_keygen_file(bio_err, &ctx, *args, e)) - goto end; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } - else if (strcmp(*args,"-algorithm") == 0) - { - if (!args[1]) - goto bad; - if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param)) - goto end; - } - else if (strcmp(*args,"-pkeyopt") == 0) - { - if (!args[1]) - goto bad; - if (!ctx) - { - BIO_puts(bio_err, "No keytype specified\n"); - goto bad; - } - else if (pkey_ctrl_string(ctx, *(++args)) <= 0) - { - BIO_puts(bio_err, "parameter setting error\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else if (strcmp(*args,"-genparam") == 0) - { - if (ctx) - goto bad; - do_param = 1; - } - else if (strcmp(*args,"-text") == 0) - text=1; - else - { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) - { - BIO_printf(bio_err, "Unknown cipher %s\n", - *args + 1); - badarg = 1; - } - if (do_param == 1) - badarg = 1; - } - args++; - } - - if (!ctx) - badarg = 1; - - if (badarg) - { - bad: - BIO_printf(bio_err, "Usage: genpkey [options]\n"); - BIO_printf(bio_err, "where options may be\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-pass arg output file pass phrase source\n"); - BIO_printf(bio_err, "-<cipher> use cipher <cipher> to encrypt the key\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-paramfile file parameters file\n"); - BIO_printf(bio_err, "-algorithm alg the public key algorithm\n"); - BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n" - " to value <value>\n"); - BIO_printf(bio_err, "-genparam generate parameters, not key\n"); - BIO_printf(bio_err, "-text print the in text\n"); - BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n"); - goto end; - } - - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) - { - BIO_puts(bio_err, "Error getting password\n"); - goto end; - } - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "wb"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); - EVP_PKEY_CTX_set_app_data(ctx, bio_err); - - if (do_param) - { - if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) - { - BIO_puts(bio_err, "Error generating parameters\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - { - if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - { - BIO_puts(bio_err, "Error generating key\n"); - ERR_print_errors(bio_err); - goto end; - } - } - - if (do_param) - rv = PEM_write_bio_Parameters(out, pkey); - else if (outformat == FORMAT_PEM) - rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, - NULL, pass); - else if (outformat == FORMAT_ASN1) - rv = i2d_PrivateKey_bio(out, pkey); - else - { - BIO_printf(bio_err, "Bad format specified for key\n"); - goto end; - } - - if (rv <= 0) - { - BIO_puts(bio_err, "Error writing key\n"); - ERR_print_errors(bio_err); - } - - if (text) - { - if (do_param) - rv = EVP_PKEY_print_params(out, pkey, 0, NULL); - else - rv = EVP_PKEY_print_private(out, pkey, 0, NULL); - - if (rv <= 0) - { - BIO_puts(bio_err, "Error printing key\n"); - ERR_print_errors(bio_err); - } - } - - ret = 0; - - end: - if (pkey) - EVP_PKEY_free(pkey); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (out) - BIO_free_all(out); - BIO_free(in); - if (pass) - OPENSSL_free(pass); - - return ret; - } - -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e) - { - BIO *pbio; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; - if (*pctx) - { - BIO_puts(err, "Parameters already set!\n"); - return 0; - } - - pbio = BIO_new_file(file, "r"); - if (!pbio) - { - BIO_printf(err, "Can't open parameter file %s\n", file); - return 0; - } - - pkey = PEM_read_bio_Parameters(pbio, NULL); - BIO_free(pbio); - - if (!pkey) - { - BIO_printf(bio_err, "Error reading parameter file %s\n", file); - return 0; - } - - ctx = EVP_PKEY_CTX_new(pkey, e); - if (!ctx) - goto err; - if (EVP_PKEY_keygen_init(ctx) <= 0) - goto err; - EVP_PKEY_free(pkey); - *pctx = ctx; - return 1; - - err: - BIO_puts(err, "Error initializing context\n"); - ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (pkey) - EVP_PKEY_free(pkey); - return 0; - - } - -int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, - const char *algname, ENGINE *e, int do_param) - { - EVP_PKEY_CTX *ctx = NULL; - const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *tmpeng = NULL; - int pkey_id; - - if (*pctx) - { - BIO_puts(err, "Algorithm already set!\n"); - return 0; - } - - ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1); - -#ifndef OPENSSL_NO_ENGINE - if (!ameth && e) - ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1); -#endif - - if (!ameth) - { - BIO_printf(bio_err, "Algorithm %s not found\n", algname); - return 0; - } - - ERR_clear_error(); - - EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); -#ifndef OPENSSL_NO_ENGINE - if (tmpeng) - ENGINE_finish(tmpeng); -#endif - ctx = EVP_PKEY_CTX_new_id(pkey_id, e); - - if (!ctx) - goto err; - if (do_param) - { - if (EVP_PKEY_paramgen_init(ctx) <= 0) - goto err; - } - else - { - if (EVP_PKEY_keygen_init(ctx) <= 0) - goto err; - } - - *pctx = ctx; - return 1; - - err: - BIO_printf(err, "Error initializing %s context\n", algname); - ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); - return 0; - - } - -static int genpkey_cb(EVP_PKEY_CTX *ctx) - { - char c='*'; - BIO *b = EVP_PKEY_CTX_get_app_data(ctx); - int p; - p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - if (p == 0) c='.'; - if (p == 1) c='+'; - if (p == 2) c='*'; - if (p == 3) c='\n'; - BIO_write(b,&c,1); - (void)BIO_flush(b); -#ifdef LINT - p=n; -#endif - return 1; - } diff --git a/apps/genrsa.c b/apps/genrsa.c index fdc0d4a..5759acb 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -106,9 +106,9 @@ int MAIN(int argc, char **argv) char *inrand=NULL; BIO *out=NULL; BIGNUM *bn = BN_new(); - RSA *rsa = RSA_new(); + RSA *rsa = NULL; - if(!bn || !rsa) goto err; + if(!bn) goto err; apps_startup(); BN_GENCB_set(&cb, genrsa_cb, bio_err); @@ -269,6 +269,10 @@ bad: BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n", num); + rsa = RSA_new(); + if (!rsa) + goto err; + if (use_x931) { BIGNUM *pubexp; diff --git a/apps/install.com b/apps/install.com index f927dc2..c5821b4 100644 --- a/apps/install.com +++ b/apps/install.com @@ -5,13 +5,23 @@ $! Time of creation: 22-MAY-1998 10:13 $! $! P1 root of the directory tree $! +$ $ IF P1 .EQS. "" $ THEN $ WRITE SYS$OUTPUT "First argument missing." -$ WRITE SYS$OUTPUT "Should be the directory where you want things installed." +$ WRITE SYS$OUTPUT - + "Should be the directory where you want things installed." $ EXIT $ ENDIF $ +$ IF (F$GETSYI("CPU").LT.128) +$ THEN +$ ARCH := VAX +$ ELSE +$ ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$ IF (ARCH .EQS. "") THEN ARCH = "UNK" +$ ENDIF +$ $ ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0" $ ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY") $ ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - @@ -19,23 +29,16 @@ $ ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - $ ROOT = ROOT_DEV + "[" + ROOT_DIR $ $ DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC -$ DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE] -$ DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE] -$ DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB] +$ DEFINE/NOLOG WRK_SSLEXE WRK_SSLROOT:['ARCH'_EXE] $ $ IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN - CREATE/DIR/LOG WRK_SSLROOT:[000000] -$ IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLVEXE: -$ IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLAEXE: -$ IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLLIB: +$ IF F$PARSE("WRK_SSLEXE:") .EQS. "" THEN - + CREATE/DIR/LOG WRK_SSLEXE: $ $ EXE := openssl $ -$ VEXE_DIR := [-.VAX.EXE.APPS] -$ AEXE_DIR := [-.AXP.EXE.APPS] +$ EXE_DIR := [-.'ARCH'.EXE.APPS] $ $ I = 0 $ LOOP_EXE: @@ -43,25 +46,18 @@ $ E = F$EDIT(F$ELEMENT(I, ",", EXE),"TRIM") $ I = I + 1 $ IF E .EQS. "," THEN GOTO LOOP_EXE_END $ SET NOON -$ IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. "" -$ THEN -$ COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log -$ SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE -$ ENDIF -$ IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. "" +$ IF F$SEARCH(EXE_DIR+E+".EXE") .NES. "" $ THEN -$ COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log -$ SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE +$ COPY 'EXE_DIR''E'.EXE WRK_SSLEXE:'E'.EXE/log +$ SET FILE/PROT=W:RE WRK_SSLEXE:'E'.EXE $ ENDIF $ SET ON $ GOTO LOOP_EXE $ LOOP_EXE_END: $ $ SET NOON -$ COPY CA.COM WRK_SSLAEXE:CA.COM/LOG -$ SET FILE/PROT=W:RE WRK_SSLAEXE:CA.COM -$ COPY CA.COM WRK_SSLVEXE:CA.COM/LOG -$ SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM +$ COPY CA.COM WRK_SSLEXE:CA.COM/LOG +$ SET FILE/PROT=W:RE WRK_SSLEXE:CA.COM $ COPY OPENSSL-VMS.CNF WRK_SSLROOT:[000000]OPENSSL.CNF/LOG $ SET FILE/PROT=W:R WRK_SSLROOT:[000000]OPENSSL.CNF $ SET ON diff --git a/apps/makeapps.com b/apps/makeapps.com index 0580a1f..cb749bf 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com @@ -6,11 +6,12 @@ $! A-Com Computing, Inc. $! byer@mail.all-net.net $! $! Changes by Richard Levitte <richard@levitte.org> +$! Zoltan Arpadffy <zoli@polarhome.com> $! $! This command files compiles and creates all the various different $! "application" programs for the different types of encryption for OpenSSL. $! The EXE's are placed in the directory [.xxx.EXE.APPS] where "xxx" denotes -$! either AXP or VAX depending on your machine architecture. +$! ALPHA, IA64 or VAX, depending on your machine architecture. $! $! It was written so it would try to determine what "C" compiler to $! use or you can specify which "C" compiler to use. @@ -46,20 +47,21 @@ $ TCPIP_LIB = "" $! $! Check What Architecture We Are Using. $! -$ IF (F$GETSYI("CPU").GE.128) +$ IF (F$GETSYI("CPU").LT.128) $ THEN $! -$! The Architecture Is AXP. +$! The Architecture Is VAX. $! -$ ARCH := AXP +$ ARCH := VAX $! $! Else... $! $ ELSE $! -$! The Architecture Is VAX. +$! The Architecture Is Alpha, IA64 or whatever comes in the future. $! -$ ARCH := VAX +$ ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$ IF (ARCH .EQS. "") THEN ARCH = "UNK" $! $! End The Architecture Check. $! @@ -68,22 +70,6 @@ $! $! Define what programs should be compiled $! $ PROGRAMS := OPENSSL -$!$ PROGRAMS := VERIFY,ASN1PARS,REQ,DGST,DH,ENC,PASSWD,GENDH,ERRSTR,CA,CRL,- -$! RSA,DSA,DSAPARAM,- -$! X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,- -$! S_TIME,VERSION,PKCS7,CRL2P7,SESS_ID,CIPHERS,NSEQ, -$! -$! Check To Make Sure We Have Valid Command Line Parameters. -$! -$ GOSUB CHECK_OPTIONS -$! -$! Initialise logical names and such -$! -$ GOSUB INITIALISE -$! -$! Tell The User What Kind of Machine We Run On. -$! -$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." $! $! Define The CRYPTO Library. $! @@ -97,6 +83,22 @@ $! Define The OBJ Directory. $! $ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.APPS] $! +$! Define The EXE Directory. +$! +$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] +$! +$! Check To Make Sure We Have Valid Command Line Parameters. +$! +$ GOSUB CHECK_OPTIONS +$! +$! Initialise logical names and such +$! +$ GOSUB INITIALISE +$! +$! Tell The User What Kind of Machine We Run On. +$! +$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." +$! $! Check To See If The OBJ Directory Exists. $! $ IF (F$PARSE(OBJ_DIR).EQS."") @@ -110,10 +112,6 @@ $! End The OBJ Directory Check. $! $ ENDIF $! -$! Define The EXE Directory. -$! -$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] -$! $! Check To See If The EXE Directory Exists. $! $ IF (F$PARSE(EXE_DIR).EQS."") @@ -136,140 +134,172 @@ $! $ GOSUB CHECK_OPT_FILE $! $! Define The Application Files. -$! -$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+- - "CA;PKCS7;CRL2P7;CRL;"+- - "RSA;RSAUTL;DSA;DSAPARAM;EC;ECPARAM;"+- - "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+- - "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+- - "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME" +$! NOTE: Some might think this list ugly. However, it's made this way to +$! reflect the E_OBJ variable in Makefile as closely as possible, thereby +$! making it fairly easy to verify that the lists are the same. +$! +$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+- + "CA,PKCS7,CRL2P7,CRL,"+- + "RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+- + "X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,"+- + "S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+- + "CIPHERS,NSEQ,PKCS12,PKCS8,SPKAC,SMIME,RAND,ENGINE,"+- + "OCSP,PRIME,CMS" $ TCPIP_PROGRAMS = ",," $ IF COMPILER .EQS. "VAXC" THEN - TCPIP_PROGRAMS = ",OPENSSL," $! $! Setup exceptional compilations $! -$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT," +$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT," $! $ PHASE := LIB $! $ RESTART: $! -$! Define A File Counter And Set It To "0". +$! Define An App Counter And Set It To "0". +$! +$ APP_COUNTER = 0 +$! +$! Top Of The App Loop. $! -$ FILE_COUNTER = 0 +$ NEXT_APP: $! -$! Top Of The File Loop. +$! Make The Application File Name $! -$ NEXT_FILE: +$ CURRENT_APP = F$EDIT(F$ELEMENT(APP_COUNTER,",",PROGRAMS),"TRIM") $! -$! O.K, Extract The File Name From The File List. +$! Create The Executable File Name. $! -$ FILE_NAME0 = F$EDIT(F$ELEMENT(FILE_COUNTER,";",'PHASE'_FILES),"TRIM") -$ FILE_NAME = F$EDIT(F$ELEMENT(0,",",FILE_NAME0),"TRIM") -$ EXTRA_OBJ = FILE_NAME0 - FILE_NAME +$ EXE_FILE = EXE_DIR + CURRENT_APP + ".EXE" $! -$! Check To See If We Are At The End Of The File List. +$! Check To See If We Are At The End Of The File List. $! -$ IF (FILE_NAME0.EQS.";") +$ IF (CURRENT_APP.EQS.",") $ THEN $ IF (PHASE.EQS."LIB") $ THEN $ PHASE := APP $ GOTO RESTART $ ELSE -$ GOTO FILE_DONE +$ GOTO APP_DONE $ ENDIF $ ENDIF $! -$! Increment The Counter. +$! Increment The Counter. $! -$ FILE_COUNTER = FILE_COUNTER + 1 +$ APP_COUNTER = APP_COUNTER + 1 $! -$! Check to see if this program should actually be compiled +$! Decide if we're building the object files or not. $! -$ IF PHASE .EQS. "APP" .AND. - - ","+PROGRAMS+"," - (","+F$EDIT(FILE_NAME,"UPCASE")+",") .EQS. ","+PROGRAMS+"," +$ IF (PHASE.EQS."LIB") $ THEN -$ GOTO NEXT_FILE -$ ENDIF $! -$! Create The Source File Name. +$! Define A Library File Counter And Set It To "-1". +$! -1 Means The Application File Name Is To Be Used. $! -$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C" +$ LIB_COUNTER = -1 $! -$! Create The Object File Name. +$! Create a .OPT file for the object files $! -$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$ OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT $! -$! Create The Executable File Name. +$! Top Of The File Loop. $! -$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE" -$ ON WARNING THEN GOTO NEXT_FILE +$ NEXT_LIB: $! -$! Check To See If The File We Want To Compile Actually Exists. +$! O.K, Extract The File Name From The File List. $! -$ IF (F$SEARCH(SOURCE_FILE).EQS."") -$ THEN +$ IF LIB_COUNTER .GE. 0 +$ THEN +$ FILE_NAME = F$EDIT(F$ELEMENT(LIB_COUNTER,",",LIB_'CURRENT_APP'),"TRIM") +$ ELSE +$ FILE_NAME = CURRENT_APP +$ ENDIF $! -$! Tell The User That The File Dosen't Exist. +$! Check To See If We Are At The End Of The File List. $! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." -$ WRITE SYS$OUTPUT "" +$ IF (FILE_NAME.EQS.",") +$ THEN +$ CLOSE OBJECTS +$ GOTO NEXT_APP +$ ENDIF $! -$! Exit The Build. +$! Increment The Counter. $! -$ GOTO EXIT +$ LIB_COUNTER = LIB_COUNTER + 1 $! -$! End The File Exist Check. +$! Create The Source File Name. $! -$ ENDIF +$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C" $! -$! Tell The User What We Are Building. +$! Create The Object File Name. $! -$ IF (PHASE.EQS."LIB") -$ THEN -$ WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." -$ ELSE -$ WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." -$ ENDIF +$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$ ON WARNING THEN GOTO NEXT_LIB $! -$! Compile The File. +$! Check To See If The File We Want To Compile Actually Exists. $! -$ ON ERROR THEN GOTO NEXT_FILE -$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 -$ THEN -$ CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ELSE -$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ENDIF +$ IF (F$SEARCH(SOURCE_FILE).EQS."") +$ THEN $! -$ ON WARNING THEN GOTO NEXT_FILE +$! Tell The User That The File Dosen't Exist. $! -$ IF (PHASE.EQS."LIB") -$ THEN -$ GOTO NEXT_FILE +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." +$ WRITE SYS$OUTPUT "" +$! +$! Exit The Build. +$! +$ GOTO EXIT +$! +$! End The File Exist Check. +$! +$ ENDIF +$! +$! Tell The User What We Are Building. +$! +$ IF (PHASE.EQS."LIB") +$ THEN +$ WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." +$ ELSE +$ WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." +$ ENDIF +$! +$! Compile The File. +$! +$ ON ERROR THEN GOTO NEXT_LIB +$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 +$ THEN +$ CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ELSE +$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ENDIF +$ WRITE OBJECTS OBJECT_FILE +$! +$ GOTO NEXT_LIB $ ENDIF $! $! Check if this program works well without a TCPIP library $! -$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - FILE_NAME .NES. TCPIP_PROGRAMS +$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - CURRENT_APP .NES. TCPIP_PROGRAMS $ THEN -$ WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library. Can't link. Skipping..." -$ GOTO NEXT_FILE +$ WRITE SYS$OUTPUT CURRENT_APP," needs a TCP/IP library. Can't link. Skipping..." +$ GOTO NEXT_APP $ ENDIF $! $! Link The Program. $! Check To See If We Are To Link With A Specific TCP/IP Library. $! +$ ON WARNING THEN GOTO NEXT_APP +$! $ IF (TCPIP_LIB.NES."") $ THEN $! $! Don't Link With The RSAREF Routines And TCP/IP Library. $! $ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - + 'EXE_DIR''CURRENT_APP'.OPT/OPTION, - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - 'TCPIP_LIB','OPT_FILE'/OPTION $! @@ -280,7 +310,7 @@ $! $! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. $! $ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - + 'EXE_DIR''CURRENT_APP'.OPT/OPTION, - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - 'OPT_FILE'/OPTION $! @@ -290,11 +320,11 @@ $ ENDIF $! $! Go Back And Do It Again. $! -$ GOTO NEXT_FILE +$ GOTO NEXT_APP $! $! All Done With This File. $! -$ FILE_DONE: +$ APP_DONE: $ EXIT: $! $! All Done, Time To Clean Up And Exit. @@ -395,19 +425,19 @@ $! Else... $! $ ELSE $! -$! Create The AXP Linker Option File. +$! Create The non-VAX Linker Option File. $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File For AXP To Link Agianst +! Default System Options File For non-VAX To Link Agianst ! The Sharable C Runtime Library. ! SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE SYS$SHARE:CMA$OPEN_RTL/SHARE $EOD $! -$! End The VAX/AXP DEC C Option File Check. +$! End The DEC C Option File Check. $! $ ENDIF $! @@ -556,7 +586,7 @@ $ ELSE $! $! Check To See If We Have VAXC Or DECC. $! -$ IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."") +$ IF (ARCH.NES."VAX").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."") $ THEN $! $! Looks Like DECC, Set To Use DECC. @@ -666,7 +696,7 @@ $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + - $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT" $! $! End DECC Check. $! @@ -687,9 +717,9 @@ $! $! Compile Using VAXC. $! $ CC = "CC" -$ IF ARCH.EQS."AXP" +$ IF ARCH.NES."VAX" $ THEN -$ WRITE SYS$OUTPUT "There is no VAX C on Alpha!" +$ WRITE SYS$OUTPUT "There is no VAX C on ''ARCH'!" $ EXIT $ ENDIF $ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" @@ -703,7 +733,7 @@ $ DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB] $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT" $! $! End VAXC Check $! @@ -730,7 +760,7 @@ $ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT" $! $! End The GNU C Check. $! diff --git a/apps/openssl.c b/apps/openssl.c index 7d2b476..480fef9 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -235,16 +235,19 @@ int main(int Argc, char *Argv[]) in_FIPS_mode = 0; -#ifdef OPENSSL_FIPS if(getenv("OPENSSL_FIPS")) { +#ifdef OPENSSL_FIPS if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); EXIT(1); } in_FIPS_mode = 1; - } +#else + fprintf(stderr, "FIPS mode not supported.\n"); + EXIT(1); #endif + } if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) @@ -333,7 +336,8 @@ int main(int Argc, char *Argv[]) else prompt="OpenSSL> "; fputs(prompt,stdout); fflush(stdout); - fgets(p,n,stdin); + if (!fgets(p,n,stdin)) + goto end; if (p[0] == '\0') goto end; i=strlen(p); if (i <= 1) break; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 248bc11..0db0b79 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -68,6 +68,12 @@ #include <openssl/pem.h> #include <openssl/pkcs12.h> +#ifdef OPENSSL_SYS_NETWARE +/* Rename these functions to avoid name clashes on NetWare OS */ +#define uni2asc OPENSSL_uni2asc +#define asc2uni OPENSSL_asc2uni +#endif + #define PROG pkcs12_main const EVP_CIPHER *enc; diff --git a/apps/pkey.c b/apps/pkey.c deleted file mode 100644 index 17e6702..0000000 --- a/apps/pkey.c +++ /dev/null @@ -1,284 +0,0 @@ -/* apps/pkey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> - -#define PROG pkey_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - ENGINE *e = NULL; - char **args, *infile = NULL, *outfile = NULL; - char *passargin = NULL, *passargout = NULL; - BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int informat, outformat; - int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0; - EVP_PKEY *pkey=NULL; - char *passin = NULL, *passout = NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine=NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - informat=FORMAT_PEM; - outformat=FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp(*args,"-inform")) - { - if (args[1]) - { - args++; - informat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-outform")) - { - if (args[1]) - { - args++; - outformat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-passin")) - { - if (!args[1]) goto bad; - passargin= *(++args); - } - else if (!strcmp(*args,"-passout")) - { - if (!args[1]) goto bad; - passargout= *(++args); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) goto bad; - engine= *(++args); - } -#endif - else if (!strcmp (*args, "-in")) - { - if (args[1]) - { - args++; - infile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } - else if (strcmp(*args,"-pubin") == 0) - { - pubin=1; - pubout=1; - pubtext=1; - } - else if (strcmp(*args,"-pubout") == 0) - pubout=1; - else if (strcmp(*args,"-text_pub") == 0) - { - pubtext=1; - text=1; - } - else if (strcmp(*args,"-text") == 0) - text=1; - else if (strcmp(*args,"-noout") == 0) - noout=1; - else - { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) - { - BIO_printf(bio_err, "Unknown cipher %s\n", - *args + 1); - badarg = 1; - } - } - args++; - } - - if (badarg) - { - bad: - BIO_printf(bio_err, "Usage pkey [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); - BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-passout arg output file pass phrase source\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } - -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) - { - BIO_printf(bio_err, "Error getting passwords\n"); - goto end; - } - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "wb"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (pubin) - pkey = load_pubkey(bio_err, infile, informat, 1, - passin, e, "Public Key"); - else - pkey = load_key(bio_err, infile, informat, 1, - passin, e, "key"); - if (!pkey) - goto end; - - if (!noout) - { - if (outformat == FORMAT_PEM) - { - if (pubout) - PEM_write_bio_PUBKEY(out,pkey); - else - PEM_write_bio_PrivateKey(out, pkey, cipher, - NULL, 0, NULL, passout); - } - else if (outformat == FORMAT_ASN1) - { - if (pubout) - i2d_PUBKEY_bio(out, pkey); - else - i2d_PrivateKey_bio(out, pkey); - } - else - { - BIO_printf(bio_err, "Bad format specified for key\n"); - goto end; - } - - } - - if (text) - { - if (pubtext) - EVP_PKEY_print_public(out, pkey, 0, NULL); - else - EVP_PKEY_print_private(out, pkey, 0, NULL); - } - - ret = 0; - - end: - EVP_PKEY_free(pkey); - BIO_free_all(out); - BIO_free(in); - if (passin) - OPENSSL_free(passin); - if (passout) - OPENSSL_free(passout); - - return ret; - } diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c deleted file mode 100644 index 4319eb4..0000000 --- a/apps/pkeyparam.c +++ /dev/null @@ -1,201 +0,0 @@ -/* apps/pkeyparam.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> - -#define PROG pkeyparam_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - char **args, *infile = NULL, *outfile = NULL; - BIO *in = NULL, *out = NULL; - int text = 0, noout = 0; - EVP_PKEY *pkey=NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; - char *engine=NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp (*args, "-in")) - { - if (args[1]) - { - args++; - infile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) goto bad; - engine= *(++args); - } -#endif - - else if (strcmp(*args,"-text") == 0) - text=1; - else if (strcmp(*args,"-noout") == 0) - noout=1; - args++; - } - - if (badarg) - { -#ifndef OPENSSL_NO_ENGINE - bad: -#endif - BIO_printf(bio_err, "Usage pkeyparam [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-text print parameters as text\n"); - BIO_printf(bio_err, "-noout don't output encoded parameters\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } - -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - - if (infile) - { - if (!(in = BIO_new_file (infile, "r"))) - { - BIO_printf(bio_err, - "Can't open input file %s\n", infile); - goto end; - } - } - else - in = BIO_new_fp (stdin, BIO_NOCLOSE); - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "w"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - pkey = PEM_read_bio_Parameters(in, NULL); - if (!pkey) - { - BIO_printf(bio_err, "Error reading paramters\n"); - ERR_print_errors(bio_err); - goto end; - } - - if (!noout) - PEM_write_bio_Parameters(out,pkey); - - if (text) - EVP_PKEY_print_params(out, pkey, 0, NULL); - - ret = 0; - - end: - EVP_PKEY_free(pkey); - BIO_free_all(out); - BIO_free(in); - - return ret; - } diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c deleted file mode 100644 index b808e1e..0000000 --- a/apps/pkeyutl.c +++ /dev/null @@ -1,570 +0,0 @@ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include "apps.h" -#include <string.h> -#include <openssl/err.h> -#include <openssl/pem.h> -#include <openssl/evp.h> - -#define KEY_PRIVKEY 1 -#define KEY_PUBKEY 2 -#define KEY_CERT 3 - -static void usage(void); - -#undef PROG - -#define PROG pkeyutl_main - -static EVP_PKEY_CTX *init_ctx(int *pkeysize, - char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e); - -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file); - -static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, - unsigned char *out, size_t *poutlen, - unsigned char *in, size_t inlen); - -int MAIN(int argc, char **); - -int MAIN(int argc, char **argv) -{ - BIO *in = NULL, *out = NULL; - char *infile = NULL, *outfile = NULL, *sigfile = NULL; - ENGINE *e = NULL; - int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; - int keyform = FORMAT_PEM, peerform = FORMAT_PEM; - char badarg = 0, rev = 0; - char hexdump = 0, asn1parse = 0; - EVP_PKEY_CTX *ctx = NULL; - char *passargin = NULL; - int keysize = -1; - - unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; - size_t buf_outlen; - int buf_inlen = 0, siglen = -1; - - int ret = 1, rv = -1; - - argc--; - argv++; - - if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - - while(argc >= 1) - { - if (!strcmp(*argv,"-in")) - { - if (--argc < 1) badarg = 1; - infile= *(++argv); - } - else if (!strcmp(*argv,"-out")) - { - if (--argc < 1) badarg = 1; - outfile= *(++argv); - } - else if (!strcmp(*argv,"-sigfile")) - { - if (--argc < 1) badarg = 1; - sigfile= *(++argv); - } - else if(!strcmp(*argv, "-inkey")) - { - if (--argc < 1) - badarg = 1; - else - { - ctx = init_ctx(&keysize, - *(++argv), keyform, key_type, - passargin, pkey_op, e); - if (!ctx) - { - BIO_puts(bio_err, - "Error initializing context\n"); - ERR_print_errors(bio_err); - badarg = 1; - } - } - } - else if (!strcmp(*argv,"-peerkey")) - { - if (--argc < 1) - badarg = 1; - else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) - badarg = 1; - } - else if (!strcmp(*argv,"-passin")) - { - if (--argc < 1) badarg = 1; - passargin= *(++argv); - } - else if (strcmp(*argv,"-peerform") == 0) - { - if (--argc < 1) badarg = 1; - peerform=str2fmt(*(++argv)); - } - else if (strcmp(*argv,"-keyform") == 0) - { - if (--argc < 1) badarg = 1; - keyform=str2fmt(*(++argv)); - } -#ifndef OPENSSL_NO_ENGINE - else if(!strcmp(*argv, "-engine")) - { - if (--argc < 1) - badarg = 1; - else - e = setup_engine(bio_err, *(++argv), 0); - } -#endif - else if(!strcmp(*argv, "-pubin")) - key_type = KEY_PUBKEY; - else if(!strcmp(*argv, "-certin")) - key_type = KEY_CERT; - else if(!strcmp(*argv, "-asn1parse")) - asn1parse = 1; - else if(!strcmp(*argv, "-hexdump")) - hexdump = 1; - else if(!strcmp(*argv, "-sign")) - pkey_op = EVP_PKEY_OP_SIGN; - else if(!strcmp(*argv, "-verify")) - pkey_op = EVP_PKEY_OP_VERIFY; - else if(!strcmp(*argv, "-verifyrecover")) - pkey_op = EVP_PKEY_OP_VERIFYRECOVER; - else if(!strcmp(*argv, "-rev")) - rev = 1; - else if(!strcmp(*argv, "-encrypt")) - pkey_op = EVP_PKEY_OP_ENCRYPT; - else if(!strcmp(*argv, "-decrypt")) - pkey_op = EVP_PKEY_OP_DECRYPT; - else if(!strcmp(*argv, "-derive")) - pkey_op = EVP_PKEY_OP_DERIVE; - else if (strcmp(*argv,"-pkeyopt") == 0) - { - if (--argc < 1) - badarg = 1; - else if (!ctx) - { - BIO_puts(bio_err, - "-pkeyopt command before -inkey\n"); - badarg = 1; - } - else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) - { - BIO_puts(bio_err, "parameter setting error\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else badarg = 1; - if(badarg) - { - usage(); - goto end; - } - argc--; - argv++; - } - - if (!ctx) - { - usage(); - goto end; - } - - if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) - { - BIO_puts(bio_err, "Signature file specified for non verify\n"); - goto end; - } - - if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) - { - BIO_puts(bio_err, "No signature file specified for verify\n"); - goto end; - } - -/* FIXME: seed PRNG only if needed */ - app_RAND_load_file(NULL, bio_err, 0); - - if (pkey_op != EVP_PKEY_OP_DERIVE) - { - if(infile) - { - if(!(in = BIO_new_file(infile, "rb"))) - { - BIO_puts(bio_err, - "Error Opening Input File\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - } - - if(outfile) - { - if(!(out = BIO_new_file(outfile, "wb"))) - { - BIO_printf(bio_err, "Error Creating Output File\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (sigfile) - { - BIO *sigbio = BIO_new_file(sigfile, "rb"); - if (!sigbio) - { - BIO_printf(bio_err, "Can't open signature file %s\n", - sigfile); - goto end; - } - siglen = bio_to_mem(&sig, keysize * 10, sigbio); - BIO_free(sigbio); - if (siglen <= 0) - { - BIO_printf(bio_err, "Error reading signature data\n"); - goto end; - } - } - - if (in) - { - /* Read the input data */ - buf_inlen = bio_to_mem(&buf_in, keysize * 10, in); - if(buf_inlen <= 0) - { - BIO_printf(bio_err, "Error reading input Data\n"); - exit(1); - } - if(rev) - { - size_t i; - unsigned char ctmp; - size_t l = (size_t)buf_inlen; - for(i = 0; i < l/2; i++) - { - ctmp = buf_in[i]; - buf_in[i] = buf_in[l - 1 - i]; - buf_in[l - 1 - i] = ctmp; - } - } - } - - if(pkey_op == EVP_PKEY_OP_VERIFY) - { - rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, - buf_in, (size_t)buf_inlen); - if (rv == 0) - BIO_puts(out, "Signature Verification Failure\n"); - else if (rv == 1) - BIO_puts(out, "Signature Verified Successfully\n"); - if (rv >= 0) - goto end; - } - else - { - rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - if (rv > 0) - { - buf_out = OPENSSL_malloc(buf_outlen); - if (!buf_out) - rv = -1; - else - rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - } - } - - if(rv <= 0) - { - BIO_printf(bio_err, "Public Key operation error\n"); - ERR_print_errors(bio_err); - goto end; - } - ret = 0; - if(asn1parse) - { - if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) - ERR_print_errors(bio_err); - } - else if(hexdump) - BIO_dump(out, (char *)buf_out, buf_outlen); - else - BIO_write(out, buf_out, buf_outlen); - - end: - if (ctx) - EVP_PKEY_CTX_free(ctx); - BIO_free(in); - BIO_free_all(out); - if (buf_in) - OPENSSL_free(buf_in); - if (buf_out) - OPENSSL_free(buf_out); - if (sig) - OPENSSL_free(sig); - return ret; -} - -static void usage() -{ - BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-signature file signature file (verify operation only)\n"); - BIO_printf(bio_err, "-inkey file input key\n"); - BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); - BIO_printf(bio_err, "-pubin input is a public key\n"); - BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n"); - BIO_printf(bio_err, "-pkeyopt X:Y public key options\n"); - BIO_printf(bio_err, "-sign sign with private key\n"); - BIO_printf(bio_err, "-verify verify with public key\n"); - BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n"); - BIO_printf(bio_err, "-encrypt encrypt with public key\n"); - BIO_printf(bio_err, "-decrypt decrypt with private key\n"); - BIO_printf(bio_err, "-derive derive shared secret\n"); - BIO_printf(bio_err, "-hexdump hex dump output\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-passin arg pass phrase source\n"); - -} - -static EVP_PKEY_CTX *init_ctx(int *pkeysize, - char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e) - { - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; - char *passin = NULL; - int rv = -1; - X509 *x; - if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) - || (pkey_op == EVP_PKEY_OP_DERIVE)) - && (key_type != KEY_PRIVKEY)) - { - BIO_printf(bio_err, "A private key is needed for this operation\n"); - goto end; - } - if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) - { - BIO_printf(bio_err, "Error getting password\n"); - goto end; - } - switch(key_type) - { - case KEY_PRIVKEY: - pkey = load_key(bio_err, keyfile, keyform, 0, - passin, e, "Private Key"); - break; - - case KEY_PUBKEY: - pkey = load_pubkey(bio_err, keyfile, keyform, 0, - NULL, e, "Public Key"); - break; - - case KEY_CERT: - x = load_cert(bio_err, keyfile, keyform, - NULL, e, "Certificate"); - if(x) - { - pkey = X509_get_pubkey(x); - X509_free(x); - } - break; - - } - - *pkeysize = EVP_PKEY_size(pkey); - - if (!pkey) - goto end; - - ctx = EVP_PKEY_CTX_new(pkey, e); - - EVP_PKEY_free(pkey); - - if (!ctx) - goto end; - - switch(pkey_op) - { - case EVP_PKEY_OP_SIGN: - rv = EVP_PKEY_sign_init(ctx); - break; - - case EVP_PKEY_OP_VERIFY: - rv = EVP_PKEY_verify_init(ctx); - break; - - case EVP_PKEY_OP_VERIFYRECOVER: - rv = EVP_PKEY_verify_recover_init(ctx); - break; - - case EVP_PKEY_OP_ENCRYPT: - rv = EVP_PKEY_encrypt_init(ctx); - break; - - case EVP_PKEY_OP_DECRYPT: - rv = EVP_PKEY_decrypt_init(ctx); - break; - - case EVP_PKEY_OP_DERIVE: - rv = EVP_PKEY_derive_init(ctx); - break; - } - - if (rv <= 0) - { - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - } - - end: - - if (passin) - OPENSSL_free(passin); - - return ctx; - - - } - -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file) - { - EVP_PKEY *peer = NULL; - int ret; - if (!ctx) - { - BIO_puts(err, "-peerkey command before -inkey\n"); - return 0; - } - - peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); - - if (!peer) - { - BIO_printf(bio_err, "Error reading peer key %s\n", file); - ERR_print_errors(err); - return 0; - } - - ret = EVP_PKEY_derive_set_peer(ctx, peer); - - EVP_PKEY_free(peer); - if (ret <= 0) - ERR_print_errors(err); - return ret; - } - -static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, - unsigned char *out, size_t *poutlen, - unsigned char *in, size_t inlen) - { - int rv = 0; - switch(pkey_op) - { - case EVP_PKEY_OP_VERIFYRECOVER: - rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_SIGN: - rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_ENCRYPT: - rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_DECRYPT: - rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_DERIVE: - rv = EVP_PKEY_derive(ctx, out, poutlen); - break; - - } - return rv; - } @@ -1538,7 +1538,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { @@ -1596,7 +1597,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { diff --git a/apps/s_apps.h b/apps/s_apps.h index 08fbbc2..f5a39ba 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, unsigned char *data, int len, void *arg); #endif + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len); +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len); diff --git a/apps/s_cb.c b/apps/s_cb.c index a512589..97caffc 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -117,12 +117,17 @@ #undef NON_MAIN #undef USE_SOCKETS #include <openssl/err.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/ssl.h> #include "s_apps.h" +#define COOKIE_SECRET_LENGTH 16 + int verify_depth=0; int verify_error=X509_V_OK; +unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +int cookie_initialized=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { @@ -338,6 +343,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * break; default: str_version = "???"; + case DTLS1_VERSION: + str_version = "DTLS 1.0 "; + break; + case DTLS1_BAD_VER: + str_version = "DTLS 1.0 (bad) "; + break; } if (version == SSL2_VERSION) @@ -401,7 +412,10 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * } } - if (version == SSL3_VERSION || version == TLS1_VERSION) + if (version == SSL3_VERSION || + version == TLS1_VERSION || + version == DTLS1_VERSION || + version == DTLS1_BAD_VER) { switch (content_type) { @@ -540,6 +554,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 15: str_details1 = ", CertificateVerify"; break; + case 3: + str_details1 = ", HelloVerifyRequest"; + break; case 16: str_details1 = ", ClientKeyExchange"; break; @@ -621,6 +638,9 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, extname = "server ticket"; break; + case TLSEXT_TYPE_renegotiate: + extname = "renegotiate"; + break; default: extname = "unknown"; @@ -634,3 +654,86 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, BIO_dump(bio, (char *)data, len); (void)BIO_flush(bio); } + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + struct sockaddr_in peer; + + /* Initialize a random secret */ + if (!cookie_initialized) + { + if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) + { + BIO_printf(bio_err,"error setting random cookie secret\n"); + return 0; + } + cookie_initialized = 1; + } + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = sizeof(peer.sin_addr); + length += sizeof(peer.sin_port); + buffer = OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); + memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + memcpy(cookie, result, resultlength); + *cookie_len = resultlength; + + return 1; + } + +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + struct sockaddr_in peer; + + /* If secret isn't initialized yet, the cookie can't be valid */ + if (!cookie_initialized) + return 0; + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = sizeof(peer.sin_addr); + length += sizeof(peer.sin_port); + buffer = (unsigned char*) OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); + memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) + return 1; + + return 0; + } diff --git a/apps/s_client.c b/apps/s_client.c index f73ed2d..c071658 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -226,7 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err," -mtu - set the MTU\n"); + BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); @@ -250,6 +250,7 @@ static void sc_usage(void) BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n"); #endif + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); } #ifndef OPENSSL_NO_TLSEXT @@ -287,7 +288,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - int off=0; + int off=0, clr = 0; SSL *con=NULL,*con2=NULL; X509_STORE *store = NULL; int s,k,width,state=0; @@ -320,6 +321,7 @@ int MAIN(int argc, char **argv) BIO *sbio; char *inrand=NULL; int mbuf_len=0; + struct timeval timeout, *timeoutp; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; char *ssl_client_engine_id=NULL; @@ -340,7 +342,7 @@ int MAIN(int argc, char **argv) struct sockaddr peer; int peerlen = sizeof(peer); int enable_timeouts = 0 ; - long mtu = 0; + long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE char *jpake_secret = NULL; #endif @@ -491,7 +493,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } #endif else if (strcmp(*argv,"-bugs") == 0) @@ -539,6 +541,12 @@ int MAIN(int argc, char **argv) cutthrough=1; else if (strcmp(*argv,"-serverpref") == 0) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + else if (strcmp(*argv,"-legacy_server_connect") == 0) + { off|=SSL_OP_LEGACY_SERVER_CONNECT; } + else if (strcmp(*argv,"-no_legacy_server_connect") == 0) + { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -713,6 +721,9 @@ bad: SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); + + if (clr) + SSL_CTX_clear_options(ctx, clr); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -832,7 +843,6 @@ re_start: if ( SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); if (getsockname(s, &peer, (void *)&peerlen) < 0) @@ -856,10 +866,10 @@ re_start: BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1049,6 +1059,12 @@ SSL_set_tlsext_status_ids(con, ids); FD_ZERO(&readfds); FD_ZERO(&writefds); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { in_init=1; @@ -1145,7 +1161,7 @@ SSL_set_tlsext_status_ids(con, ids); if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; #endif } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #elif defined(OPENSSL_SYS_NETWARE) if(!write_tty) { @@ -1155,11 +1171,11 @@ SSL_set_tlsext_status_ids(con, ids); i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); #endif if ( i < 0) { @@ -1170,6 +1186,11 @@ SSL_set_tlsext_status_ids(con, ids); } } + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) { k=SSL_write(con,&(cbuf[cbuf_off]), @@ -1524,6 +1545,8 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); } + BIO_printf(bio, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); #ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); diff --git a/apps/s_server.c b/apps/s_server.c index 84b1b28..88b308c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -283,11 +283,10 @@ static char *engine_id=NULL; static const char *session_id_prefix=NULL; static int enable_timeouts = 0; -#ifdef mtu -#undef mtu -#endif -static long mtu; +static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; +#endif #ifdef MONOLITH @@ -375,7 +374,7 @@ static void sv_usage(void) BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); @@ -405,6 +404,7 @@ static void sv_usage(void) BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); #endif } @@ -772,6 +772,7 @@ int MAIN(int argc, char *argv[]) int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; X509 *s_cert = NULL, *s_dcert = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; + int no_cache = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; @@ -911,6 +912,8 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-no_cache") == 0) + no_cache = 1; else if (strcmp(*argv,"-crl_check") == 0) { vflags |= X509_V_FLAG_CRL_CHECK; @@ -921,6 +924,8 @@ int MAIN(int argc, char *argv[]) } else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -1032,7 +1037,7 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } else if (strcmp(*argv, "-chain") == 0) cert_chain = 1; @@ -1253,8 +1258,10 @@ bad: if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - - SSL_CTX_sess_set_cache_size(ctx,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx,128); #if 0 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); @@ -1321,7 +1328,10 @@ bad: if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); - SSL_CTX_sess_set_cache_size(ctx2,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx2,128); if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx2))) @@ -1498,6 +1508,10 @@ bad: SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); + /* Set DTLS cookie generation and verification callbacks */ + SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); + SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); + #ifndef OPENSSL_NO_TLSEXT if (ctx2) { @@ -1591,8 +1605,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; + struct timeval timeout; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; +#else + struct timeval *timeoutp; #endif if ((buf=OPENSSL_malloc(bufsize)) == NULL) @@ -1644,7 +1661,6 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -1660,10 +1676,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) } - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1745,7 +1761,19 @@ static int sv_body(char *hostname, int s, unsigned char *context) if(_kbhit()) read_from_terminal = 1; #else - i=select(width,(void *)&readfds,NULL,NULL,NULL); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + i=select(width,(void *)&readfds,NULL,NULL,timeoutp); + + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (i <= 0) continue; if (FD_ISSET(fileno(stdin),&readfds)) read_from_terminal = 1; @@ -2002,6 +2030,8 @@ static int init_ssl_connection(SSL *con) con->kssl_ctx->client_princ); } #endif /* OPENSSL_NO_KRB5 */ + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); return(1); } diff --git a/apps/s_socket.c b/apps/s_socket.c index 4a922e1..cf82358 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -62,6 +62,12 @@ #include <errno.h> #include <signal.h> +#ifdef FLAT_INC +#include "e_os2.h" +#else +#include "../e_os2.h" +#endif + /* With IPv6, it looks like Digital has mixed up the proper order of recursive header file inclusion, resulting in the compiler complaining that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which diff --git a/apps/speed.c b/apps/speed.c index 6b135fb..a0be93f 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -254,8 +254,12 @@ # endif #endif -#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE) -# define HAVE_FORK 1 +#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE) +# define NO_FORK 1 +#elif HAVE_FORK +# undef NO_FORK +#else +# define NO_FORK 1 #endif #undef BUFSIZE @@ -271,7 +275,7 @@ static void print_message(const char *s,long num,int length); static void pkey_print_message(const char *str, const char *str2, long num, int bits, int sec); static void print_result(int alg,int run_no,int count,double time_used); -#ifdef HAVE_FORK +#ifndef NO_FORK static int do_multi(int multi); #endif @@ -293,8 +297,12 @@ static const char *names[ALGOR_NUM]={ "aes-128 ige","aes-192 ige","aes-256 ige"}; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +#ifndef OPENSSL_NO_RSA static double rsa_results[RSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_DSA static double dsa_results[DSA_NUM][2]; +#endif #ifndef OPENSSL_NO_ECDSA static double ecdsa_results[EC_NUM][2]; #endif @@ -749,7 +757,7 @@ int MAIN(int argc, char **argv) const EVP_CIPHER *evp_cipher=NULL; const EVP_MD *evp_md=NULL; int decrypt=0; -#ifdef HAVE_FORK +#ifndef NO_FORK int multi=0; #endif @@ -877,7 +885,7 @@ int MAIN(int argc, char **argv) j--; } #endif -#ifdef HAVE_FORK +#ifndef NO_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { argc--; @@ -1257,7 +1265,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); -#ifdef HAVE_FORK +#ifndef NO_FORK BIO_printf(bio_err,"-multi n run n benchmarks in parallel.\n"); #endif goto end; @@ -1267,7 +1275,7 @@ int MAIN(int argc, char **argv) j++; } -#ifdef HAVE_FORK +#ifndef NO_FORK if(multi && do_multi(multi)) goto show_res; #endif @@ -2464,7 +2472,7 @@ int MAIN(int argc, char **argv) } if (rnd_fake) RAND_cleanup(); #endif -#ifdef HAVE_FORK +#ifndef NO_FORK show_res: #endif if(!mr) @@ -2719,7 +2727,7 @@ static void print_result(int alg,int run_no,int count,double time_used) results[alg][run_no]=((double)count)/time_used*lengths[run_no]; } -#ifdef HAVE_FORK +#ifndef NO_FORK static char *sstrsep(char **string, const char *delim) { char isdelim[256]; diff --git a/apps/ts.c b/apps/ts.c deleted file mode 100644 index 74e7e93..0000000 --- a/apps/ts.c +++ /dev/null @@ -1,1144 +0,0 @@ -/* apps/ts.c */ -/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL - * project 2002. - */ -/* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "apps.h" -#include <openssl/bio.h> -#include <openssl/err.h> -#include <openssl/pem.h> -#include <openssl/rand.h> -#include <openssl/ts.h> -#include <openssl/bn.h> - -#undef PROG -#define PROG ts_main - -/* Length of the nonce of the request in bits (must be a multiple of 8). */ -#define NONCE_LENGTH 64 - -/* Macro definitions for the configuration file. */ -#define ENV_OID_FILE "oid_file" - -/* Local function declarations. */ - -static ASN1_OBJECT *txt2obj(const char *oid); -static CONF *load_config_file(const char *configfile); - -/* Query related functions. */ -static int query_command(const char *data, char *digest, - const EVP_MD *md, const char *policy, int no_nonce, - int cert, const char *in, const char *out, int text); -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp); -static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, int cert); -static int create_digest(BIO *input, char *digest, - const EVP_MD *md, unsigned char **md_value); -static ASN1_INTEGER *create_nonce(int bits); - -/* Reply related functions. */ -static int reply_command(CONF *conf, char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, char *out, int token_out, - int text); -static TS_RESP *read_PKCS7(BIO *in_bio); -static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy); -static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data); -static ASN1_INTEGER *next_serial(const char *serialfile); -static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); - -/* Verify related functions. */ -static int verify_command(char *data, char *digest, char *queryfile, - char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted); -static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, - char *queryfile, - char *ca_path, char *ca_file, - char *untrusted); -static X509_STORE *create_cert_store(char *ca_path, char *ca_file); -static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx); - -/* Main function definition. */ -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - int ret = 1; - char *configfile = NULL; - char *section = NULL; - CONF *conf = NULL; - enum mode { - CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY - } mode = CMD_NONE; - char *data = NULL; - char *digest = NULL; - const EVP_MD *md = NULL; - char *rnd = NULL; - char *policy = NULL; - int no_nonce = 0; - int cert = 0; - char *in = NULL; - char *out = NULL; - int text = 0; - char *queryfile = NULL; - char *passin = NULL; /* Password source. */ - char *password =NULL; /* Password itself. */ - char *inkey = NULL; - char *signer = NULL; - char *chain = NULL; - char *ca_path = NULL; - char *ca_file = NULL; - char *untrusted = NULL; - char *engine = NULL; - /* Input is ContentInfo instead of TimeStampResp. */ - int token_in = 0; - /* Output is ContentInfo instead of TimeStampResp. */ - int token_out = 0; - int free_bio_err = 0; - - ERR_load_crypto_strings(); - apps_startup(); - - if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL) - { - free_bio_err = 1; - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - } - - for (argc--, argv++; argc > 0; argc--, argv++) - { - if (strcmp(*argv, "-config") == 0) - { - if (argc-- < 1) goto usage; - configfile = *++argv; - } - else if (strcmp(*argv, "-section") == 0) - { - if (argc-- < 1) goto usage; - section = *++argv; - } - else if (strcmp(*argv, "-query") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_QUERY; - } - else if (strcmp(*argv, "-data") == 0) - { - if (argc-- < 1) goto usage; - data = *++argv; - } - else if (strcmp(*argv, "-digest") == 0) - { - if (argc-- < 1) goto usage; - digest = *++argv; - } - else if (strcmp(*argv, "-rand") == 0) - { - if (argc-- < 1) goto usage; - rnd = *++argv; - } - else if (strcmp(*argv, "-policy") == 0) - { - if (argc-- < 1) goto usage; - policy = *++argv; - } - else if (strcmp(*argv, "-no_nonce") == 0) - { - no_nonce = 1; - } - else if (strcmp(*argv, "-cert") == 0) - { - cert = 1; - } - else if (strcmp(*argv, "-in") == 0) - { - if (argc-- < 1) goto usage; - in = *++argv; - } - else if (strcmp(*argv, "-token_in") == 0) - { - token_in = 1; - } - else if (strcmp(*argv, "-out") == 0) - { - if (argc-- < 1) goto usage; - out = *++argv; - } - else if (strcmp(*argv, "-token_out") == 0) - { - token_out = 1; - } - else if (strcmp(*argv, "-text") == 0) - { - text = 1; - } - else if (strcmp(*argv, "-reply") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_REPLY; - } - else if (strcmp(*argv, "-queryfile") == 0) - { - if (argc-- < 1) goto usage; - queryfile = *++argv; - } - else if (strcmp(*argv, "-passin") == 0) - { - if (argc-- < 1) goto usage; - passin = *++argv; - } - else if (strcmp(*argv, "-inkey") == 0) - { - if (argc-- < 1) goto usage; - inkey = *++argv; - } - else if (strcmp(*argv, "-signer") == 0) - { - if (argc-- < 1) goto usage; - signer = *++argv; - } - else if (strcmp(*argv, "-chain") == 0) - { - if (argc-- < 1) goto usage; - chain = *++argv; - } - else if (strcmp(*argv, "-verify") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_VERIFY; - } - else if (strcmp(*argv, "-CApath") == 0) - { - if (argc-- < 1) goto usage; - ca_path = *++argv; - } - else if (strcmp(*argv, "-CAfile") == 0) - { - if (argc-- < 1) goto usage; - ca_file = *++argv; - } - else if (strcmp(*argv, "-untrusted") == 0) - { - if (argc-- < 1) goto usage; - untrusted = *++argv; - } - else if (strcmp(*argv, "-engine") == 0) - { - if (argc-- < 1) goto usage; - engine = *++argv; - } - else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) - { - /* empty. */ - } - else - goto usage; - } - - /* Seed the random number generator if it is going to be used. */ - if (mode == CMD_QUERY && !no_nonce) - { - if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL) - BIO_printf(bio_err, "warning, not much extra random " - "data, consider using the -rand option\n"); - if (rnd != NULL) - BIO_printf(bio_err,"%ld semi-random bytes loaded\n", - app_RAND_load_files(rnd)); - } - - /* Get the password if required. */ - if(mode == CMD_REPLY && passin && - !app_passwd(bio_err, passin, NULL, &password, NULL)) - { - BIO_printf(bio_err,"Error getting password.\n"); - goto cleanup; - } - - /* Check consistency of parameters and execute - the appropriate function. */ - switch (mode) - { - case CMD_NONE: - goto usage; - case CMD_QUERY: - /* Data file and message imprint cannot be specified - at the same time. */ - ret = data != NULL && digest != NULL; - if (ret) goto usage; - /* Load the config file for possible policy OIDs. */ - conf = load_config_file(configfile); - ret = !query_command(data, digest, md, policy, no_nonce, cert, - in, out, text); - break; - case CMD_REPLY: - conf = load_config_file(configfile); - if (in == NULL) - { - ret = !(queryfile != NULL && conf != NULL && !token_in); - if (ret) goto usage; - } - else - { - /* 'in' and 'queryfile' are exclusive. */ - ret = !(queryfile == NULL); - if (ret) goto usage; - } - - ret = !reply_command(conf, section, engine, queryfile, - password, inkey, signer, chain, policy, - in, token_in, out, token_out, text); - break; - case CMD_VERIFY: - ret = !(((queryfile && !data && !digest) - || (!queryfile && data && !digest) - || (!queryfile && !data && digest)) - && in != NULL); - if (ret) goto usage; - - ret = !verify_command(data, digest, queryfile, in, token_in, - ca_path, ca_file, untrusted); - } - - goto cleanup; - - usage: - BIO_printf(bio_err, "usage:\n" - "ts -query [-rand file%cfile%c...] [-config configfile] " - "[-data file_to_hash] [-digest digest_bytes]" - "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " - "[-policy object_id] [-no_nonce] [-cert] " - "[-in request.tsq] [-out request.tsq] [-text]\n", - LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "or\n" - "ts -reply [-config configfile] [-section tsa_section] " - "[-queryfile request.tsq] [-passin password] " - "[-signer tsa_cert.pem] [-inkey private_key.pem] " - "[-chain certs_file.pem] [-policy object_id] " - "[-in response.tsr] [-token_in] " - "[-out response.tsr] [-token_out] [-text] [-engine id]\n"); - BIO_printf(bio_err, "or\n" - "ts -verify [-data file_to_hash] [-digest digest_bytes] " - "[-queryfile request.tsq] " - "-in response.tsr [-token_in] " - "-CApath ca_path -CAfile ca_file.pem " - "-untrusted cert_file.pem\n"); - cleanup: - /* Clean up. */ - app_RAND_write_file(NULL, bio_err); - NCONF_free(conf); - OPENSSL_free(password); - OBJ_cleanup(); - if (free_bio_err) - { - BIO_free_all(bio_err); - bio_err = NULL; - } - - OPENSSL_EXIT(ret); - } - -/* - * Configuration file-related function definitions. - */ - -static ASN1_OBJECT *txt2obj(const char *oid) - { - ASN1_OBJECT *oid_obj = NULL; - - if (!(oid_obj = OBJ_txt2obj(oid, 0))) - BIO_printf(bio_err, "cannot convert %s to OID\n", oid); - - return oid_obj; - } - -static CONF *load_config_file(const char *configfile) - { - CONF *conf = NULL; - long errorline = -1; - - if (!configfile) configfile = getenv("OPENSSL_CONF"); - if (!configfile) configfile = getenv("SSLEAY_CONF"); - - if (configfile && - (!(conf = NCONF_new(NULL)) || - NCONF_load(conf, configfile, &errorline) <= 0)) - { - if (errorline <= 0) - BIO_printf(bio_err, "error loading the config file " - "'%s'\n", configfile); - else - BIO_printf(bio_err, "error on line %ld of config file " - "'%s'\n", errorline, configfile); - } - - if (conf != NULL) - { - const char *p; - - BIO_printf(bio_err,"Using configuration from %s\n", configfile); - p = NCONF_get_string(conf, NULL, ENV_OID_FILE); - if (p != NULL) - { - BIO *oid_bio = BIO_new_file(p, "r"); - if (!oid_bio) - ERR_print_errors(bio_err); - else - { - OBJ_create_objects(oid_bio); - BIO_free_all(oid_bio); - } - } - else - ERR_clear_error(); - if(!add_oid_section(bio_err, conf)) - ERR_print_errors(bio_err); - } - return conf; - } - -/* - * Query-related method definitions. - */ - -static int query_command(const char *data, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, - int cert, const char *in, const char *out, int text) - { - int ret = 0; - TS_REQ *query = NULL; - BIO *in_bio = NULL; - BIO *data_bio = NULL; - BIO *out_bio = NULL; - - /* Build query object either from file or from scratch. */ - if (in != NULL) - { - if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; - query = d2i_TS_REQ_bio(in_bio, NULL); - } - else - { - /* Open the file if no explicit digest bytes were specified. */ - if (!digest - && !(data_bio = BIO_open_with_default(data, "rb", stdin))) - goto end; - /* Creating the query object. */ - query = create_query(data_bio, digest, md, - policy, no_nonce, cert); - /* Saving the random number generator state. */ - } - if (query == NULL) goto end; - - /* Write query either in ASN.1 or in text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) - goto end; - if (text) - { - /* Text output. */ - if (!TS_REQ_print_bio(out_bio, query)) - goto end; - } - else - { - /* ASN.1 output. */ - if (!i2d_TS_REQ_bio(out_bio, query)) - goto end; - } - - ret = 1; - - end: - ERR_print_errors(bio_err); - - /* Clean up. */ - BIO_free_all(in_bio); - BIO_free_all(data_bio); - BIO_free_all(out_bio); - TS_REQ_free(query); - - return ret; - } - -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp) - { - return file == NULL ? - BIO_new_fp(default_fp, BIO_NOCLOSE) - : BIO_new_file(file, mode); - } - -static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, int cert) - { - int ret = 0; - TS_REQ *ts_req = NULL; - int len; - TS_MSG_IMPRINT *msg_imprint = NULL; - X509_ALGOR *algo = NULL; - unsigned char *data = NULL; - ASN1_OBJECT *policy_obj = NULL; - ASN1_INTEGER *nonce_asn1 = NULL; - - /* Setting default message digest. */ - if (!md && !(md = EVP_get_digestbyname("sha1"))) goto err; - - /* Creating request object. */ - if (!(ts_req = TS_REQ_new())) goto err; - - /* Setting version. */ - if (!TS_REQ_set_version(ts_req, 1)) goto err; - - /* Creating and adding MSG_IMPRINT object. */ - if (!(msg_imprint = TS_MSG_IMPRINT_new())) goto err; - - /* Adding algorithm. */ - if (!(algo = X509_ALGOR_new())) goto err; - if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md)))) goto err; - if (!(algo->parameter = ASN1_TYPE_new())) goto err; - algo->parameter->type = V_ASN1_NULL; - if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) goto err; - - /* Adding message digest. */ - if ((len = create_digest(data_bio, digest, md, &data)) == 0) - goto err; - if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len)) goto err; - - if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) goto err; - - /* Setting policy if requested. */ - if (policy && !(policy_obj = txt2obj(policy))) goto err; - if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) goto err; - - /* Setting nonce if requested. */ - if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH))) goto err; - if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) goto err; - - /* Setting certificate request flag if requested. */ - if (!TS_REQ_set_cert_req(ts_req, cert)) goto err; - - ret = 1; - err: - if (!ret) - { - TS_REQ_free(ts_req); - ts_req = NULL; - BIO_printf(bio_err, "could not create query\n"); - } - TS_MSG_IMPRINT_free(msg_imprint); - X509_ALGOR_free(algo); - OPENSSL_free(data); - ASN1_OBJECT_free(policy_obj); - ASN1_INTEGER_free(nonce_asn1); - return ts_req; - } - -static int create_digest(BIO *input, char *digest, const EVP_MD *md, - unsigned char **md_value) - { - int md_value_len; - - md_value_len = EVP_MD_size(md); - if (md_value_len < 0) - goto err; - if (input) - { - /* Digest must be computed from an input file. */ - EVP_MD_CTX md_ctx; - unsigned char buffer[4096]; - int length; - - *md_value = OPENSSL_malloc(md_value_len); - if (*md_value == 0) goto err; - - EVP_DigestInit(&md_ctx, md); - while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) - { - EVP_DigestUpdate(&md_ctx, buffer, length); - } - EVP_DigestFinal(&md_ctx, *md_value, NULL); - } - else - { - /* Digest bytes are specified with digest. */ - long digest_len; - *md_value = string_to_hex(digest, &digest_len); - if (!*md_value || md_value_len != digest_len) - { - OPENSSL_free(*md_value); - *md_value = NULL; - BIO_printf(bio_err, "bad digest, %d bytes " - "must be specified\n", md_value_len); - goto err; - } - } - - return md_value_len; - err: - return 0; - } - -static ASN1_INTEGER *create_nonce(int bits) - { - unsigned char buf[20]; - ASN1_INTEGER *nonce = NULL; - int len = (bits - 1) / 8 + 1; - int i; - - /* Generating random byte sequence. */ - if (len > (int)sizeof(buf)) goto err; - if (!RAND_bytes(buf, len)) goto err; - - /* Find the first non-zero byte and creating ASN1_INTEGER object. */ - for (i = 0; i < len && !buf[i]; ++i); - if (!(nonce = ASN1_INTEGER_new())) goto err; - OPENSSL_free(nonce->data); - /* Allocate at least one byte. */ - nonce->length = len - i; - if (!(nonce->data = OPENSSL_malloc(nonce->length + 1))) goto err; - memcpy(nonce->data, buf + i, nonce->length); - - return nonce; - err: - BIO_printf(bio_err, "could not create nonce\n"); - ASN1_INTEGER_free(nonce); - return NULL; - } -/* - * Reply-related method definitions. - */ - -static int reply_command(CONF *conf, char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, - char *out, int token_out, int text) - { - int ret = 0; - TS_RESP *response = NULL; - BIO *in_bio = NULL; - BIO *query_bio = NULL; - BIO *inkey_bio = NULL; - BIO *signer_bio = NULL; - BIO *out_bio = NULL; - - /* Build response object either from response or query. */ - if (in != NULL) - { - if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; - if (token_in) - { - /* We have a ContentInfo (PKCS7) object, add - 'granted' status info around it. */ - response = read_PKCS7(in_bio); - } - else - { - /* We have a ready-made TS_RESP object. */ - response = d2i_TS_RESP_bio(in_bio, NULL); - } - } - else - { - response = create_response(conf, section, engine, queryfile, - passin, inkey, signer, chain, - policy); - if (response) - BIO_printf(bio_err, "Response has been generated.\n"); - else - BIO_printf(bio_err, "Response is not generated.\n"); - } - if (response == NULL) goto end; - - /* Write response either in ASN.1 or text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) - goto end; - if (text) - { - /* Text output. */ - if (token_out) - { - TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); - if (!TS_TST_INFO_print_bio(out_bio, tst_info)) goto end; - } - else - { - if (!TS_RESP_print_bio(out_bio, response)) goto end; - } - } - else - { - /* ASN.1 DER output. */ - if (token_out) - { - PKCS7 *token = TS_RESP_get_token(response); - if (!i2d_PKCS7_bio(out_bio, token)) goto end; - } - else - { - if (!i2d_TS_RESP_bio(out_bio, response)) goto end; - } - } - - ret = 1; - - end: - ERR_print_errors(bio_err); - - /* Clean up. */ - BIO_free_all(in_bio); - BIO_free_all(query_bio); - BIO_free_all(inkey_bio); - BIO_free_all(signer_bio); - BIO_free_all(out_bio); - TS_RESP_free(response); - - return ret; - } - -/* Reads a PKCS7 token and adds default 'granted' status info to it. */ -static TS_RESP *read_PKCS7(BIO *in_bio) - { - int ret = 0; - PKCS7 *token = NULL; - TS_TST_INFO *tst_info = NULL; - TS_RESP *resp = NULL; - TS_STATUS_INFO *si = NULL; - - /* Read PKCS7 object and extract the signed time stamp info. */ - if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; - if (!(tst_info = PKCS7_to_TS_TST_INFO(token))) goto end; - - /* Creating response object. */ - if (!(resp = TS_RESP_new())) goto end; - - /* Create granted status info. */ - if (!(si = TS_STATUS_INFO_new())) goto end; - if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED))) goto end; - if (!TS_RESP_set_status_info(resp, si)) goto end; - - /* Setting encapsulated token. */ - TS_RESP_set_tst_info(resp, token, tst_info); - token = NULL; /* Ownership is lost. */ - tst_info = NULL; /* Ownership is lost. */ - - ret = 1; - end: - PKCS7_free(token); - TS_TST_INFO_free(tst_info); - if (!ret) - { - TS_RESP_free(resp); - resp = NULL; - } - TS_STATUS_INFO_free(si); - return resp; - } - -static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy) - { - int ret = 0; - TS_RESP *response = NULL; - BIO *query_bio = NULL; - TS_RESP_CTX *resp_ctx = NULL; - - if (!(query_bio = BIO_new_file(queryfile, "rb"))) - goto end; - - /* Getting TSA configuration section. */ - if (!(section = TS_CONF_get_tsa_section(conf, section))) - goto end; - - /* Setting up response generation context. */ - if (!(resp_ctx = TS_RESP_CTX_new())) goto end; - - /* Setting serial number provider callback. */ - if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx)) goto end; -#ifndef OPENSSL_NO_ENGINE - /* Setting default OpenSSL engine. */ - if (!TS_CONF_set_crypto_device(conf, section, engine)) goto end; -#endif - - /* Setting TSA signer certificate. */ - if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx)) goto end; - - /* Setting TSA signer certificate chain. */ - if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) goto end; - - /* Setting TSA signer private key. */ - if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) - goto end; - - /* Setting default policy OID. */ - if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; - - /* Setting acceptable policy OIDs. */ - if (!TS_CONF_set_policies(conf, section, resp_ctx)) goto end; - - /* Setting the acceptable one-way hash algorithms. */ - if (!TS_CONF_set_digests(conf, section, resp_ctx)) goto end; - - /* Setting guaranteed time stamp accuracy. */ - if (!TS_CONF_set_accuracy(conf, section, resp_ctx)) goto end; - - /* Setting the precision of the time. */ - if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx)) - goto end; - - /* Setting the ordering flaf if requested. */ - if (!TS_CONF_set_ordering(conf, section, resp_ctx)) goto end; - - /* Setting the TSA name required flag if requested. */ - if (!TS_CONF_set_tsa_name(conf, section, resp_ctx)) goto end; - - /* Setting the ESS cert id chain flag if requested. */ - if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) goto end; - - /* Creating the response. */ - if (!(response = TS_RESP_create_response(resp_ctx, query_bio))) - goto end; - - ret = 1; - end: - if (!ret) - { - TS_RESP_free(response); - response = NULL; - } - TS_RESP_CTX_free(resp_ctx); - BIO_free_all(query_bio); - - return response; - } - -static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data) - { - const char *serial_file = (const char *) data; - ASN1_INTEGER *serial = next_serial(serial_file); - - if (!serial) - { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Error during serial number " - "generation."); - TS_RESP_CTX_add_failure_info(ctx, - TS_INFO_ADD_INFO_NOT_AVAILABLE); - } - else - save_ts_serial(serial_file, serial); - - return serial; - } - -static ASN1_INTEGER *next_serial(const char *serialfile) - { - int ret = 0; - BIO *in = NULL; - ASN1_INTEGER *serial = NULL; - BIGNUM *bn = NULL; - - if (!(serial = ASN1_INTEGER_new())) goto err; - - if (!(in = BIO_new_file(serialfile, "r"))) - { - ERR_clear_error(); - BIO_printf(bio_err, "Warning: could not open file %s for " - "reading, using serial number: 1\n", serialfile); - if (!ASN1_INTEGER_set(serial, 1)) goto err; - } - else - { - char buf[1024]; - if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) - { - BIO_printf(bio_err, "unable to load number from %s\n", - serialfile); - goto err; - } - if (!(bn = ASN1_INTEGER_to_BN(serial, NULL))) goto err; - ASN1_INTEGER_free(serial); - serial = NULL; - if (!BN_add_word(bn, 1)) goto err; - if (!(serial = BN_to_ASN1_INTEGER(bn, NULL))) goto err; - } - ret = 1; - err: - if (!ret) - { - ASN1_INTEGER_free(serial); - serial = NULL; - } - BIO_free_all(in); - BN_free(bn); - return serial; - } - -static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial) - { - int ret = 0; - BIO *out = NULL; - - if (!(out = BIO_new_file(serialfile, "w"))) goto err; - if (i2a_ASN1_INTEGER(out, serial) <= 0) goto err; - if (BIO_puts(out, "\n") <= 0) goto err; - ret = 1; - err: - if (!ret) - BIO_printf(bio_err, "could not save serial number to %s\n", - serialfile); - BIO_free_all(out); - return ret; - } - -/* - * Verify-related method definitions. - */ - -static int verify_command(char *data, char *digest, char *queryfile, - char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted) - { - BIO *in_bio = NULL; - PKCS7 *token = NULL; - TS_RESP *response = NULL; - TS_VERIFY_CTX *verify_ctx = NULL; - int ret = 0; - - /* Decode the token (PKCS7) or response (TS_RESP) files. */ - if (!(in_bio = BIO_new_file(in, "rb"))) goto end; - if (token_in) - { - if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; - } - else - { - if (!(response = d2i_TS_RESP_bio(in_bio, NULL))) goto end; - } - - if (!(verify_ctx = create_verify_ctx(data, digest, queryfile, - ca_path, ca_file, untrusted))) - goto end; - - /* Checking the token or response against the request. */ - ret = token_in ? - TS_RESP_verify_token(verify_ctx, token) : - TS_RESP_verify_response(verify_ctx, response); - - end: - printf("Verification: "); - if (ret) - printf("OK\n"); - else - { - printf("FAILED\n"); - /* Print errors, if there are any. */ - ERR_print_errors(bio_err); - } - - /* Clean up. */ - BIO_free_all(in_bio); - PKCS7_free(token); - TS_RESP_free(response); - TS_VERIFY_CTX_free(verify_ctx); - return ret; - } - -static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, - char *queryfile, - char *ca_path, char *ca_file, - char *untrusted) - { - TS_VERIFY_CTX *ctx = NULL; - BIO *input = NULL; - TS_REQ *request = NULL; - int ret = 0; - - if (data != NULL || digest != NULL) - { - if (!(ctx = TS_VERIFY_CTX_new())) goto err; - ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; - if (data != NULL) - { - ctx->flags |= TS_VFY_DATA; - if (!(ctx->data = BIO_new_file(data, "rb"))) goto err; - } - else if (digest != NULL) - { - long imprint_len; - ctx->flags |= TS_VFY_IMPRINT; - if (!(ctx->imprint = string_to_hex(digest, - &imprint_len))) - { - BIO_printf(bio_err, "invalid digest string\n"); - goto err; - } - ctx->imprint_len = imprint_len; - } - - } - else if (queryfile != NULL) - { - /* The request has just to be read, decoded and converted to - a verify context object. */ - if (!(input = BIO_new_file(queryfile, "rb"))) goto err; - if (!(request = d2i_TS_REQ_bio(input, NULL))) goto err; - if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL))) goto err; - } - else - return NULL; - - /* Add the signature verification flag and arguments. */ - ctx->flags |= TS_VFY_SIGNATURE; - - /* Initialising the X509_STORE object. */ - if (!(ctx->store = create_cert_store(ca_path, ca_file))) goto err; - - /* Loading untrusted certificates. */ - if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted))) - goto err; - - ret = 1; - err: - if (!ret) - { - TS_VERIFY_CTX_free(ctx); - ctx = NULL; - } - BIO_free_all(input); - TS_REQ_free(request); - return ctx; - } - -static X509_STORE *create_cert_store(char *ca_path, char *ca_file) - { - X509_STORE *cert_ctx = NULL; - X509_LOOKUP *lookup = NULL; - int i; - - /* Creating the X509_STORE object. */ - cert_ctx = X509_STORE_new(); - - /* Setting the callback for certificate chain verification. */ - X509_STORE_set_verify_cb_func(cert_ctx, verify_cb); - - /* Adding a trusted certificate directory source. */ - if (ca_path) - { - lookup = X509_STORE_add_lookup(cert_ctx, - X509_LOOKUP_hash_dir()); - if (lookup == NULL) - { - BIO_printf(bio_err, "memory allocation failure\n"); - goto err; - } - i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM); - if (!i) - { - BIO_printf(bio_err, "Error loading directory %s\n", - ca_path); - goto err; - } - } - - /* Adding a trusted certificate file source. */ - if (ca_file) - { - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); - if (lookup == NULL) - { - BIO_printf(bio_err, "memory allocation failure\n"); - goto err; - } - i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM); - if (!i) - { - BIO_printf(bio_err, "Error loading file %s\n", ca_file); - goto err; - } - } - - return cert_ctx; - err: - X509_STORE_free(cert_ctx); - return NULL; - } - -static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx) - { - /* - char buf[256]; - - if (!ok) - { - X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), - buf, sizeof(buf)); - printf("%s\n", buf); - printf("error %d at %d depth lookup: %s\n", - ctx->error, ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - } - */ - - return ok; - } diff --git a/apps/tsget b/apps/tsget deleted file mode 100644 index ddae803..0000000 --- a/apps/tsget +++ /dev/null @@ -1,195 +0,0 @@ -#!/usr/bin/perl -w -# Written by Zoltan Glozik <zglozik@stones.com>. -# Copyright (c) 2002 The OpenTSA Project. All rights reserved. -$::version = '$Id: tsget,v 1.1 2006/02/12 23:11:21 ulf Exp $'; - -use strict; -use IO::Handle; -use Getopt::Std; -use File::Basename; -use WWW::Curl::easy; - -use vars qw(%options); - -# Callback for reading the body. -sub read_body { - my ($maxlength, $state) = @_; - my $return_data = ""; - my $data_len = length ${$state->{data}}; - if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; - } - return $return_data; -} - -# Callback for writing the body into a variable. -sub write_body { - my ($data, $pointer) = @_; - ${$pointer} .= $data; - return length($data); -} - -# Initialise a new Curl object. -sub create_curl { - my $url = shift; - - # Create Curl object. - my $curl = WWW::Curl::easy::new(); - - # Error-handling related options. - $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; - $curl->setopt(CURLOPT_FAILONERROR, 1); - $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]); - - # Options for POST method. - $curl->setopt(CURLOPT_UPLOAD, 1); - $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); - $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply"]); - $curl->setopt(CURLOPT_READFUNCTION, \&read_body); - $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); - - # Options for getting the result. - $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); - - # SSL related options. - $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. - $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); - $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); - $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); - $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); - $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); - $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); - $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); - - # Setting destination. - $curl->setopt(CURLOPT_URL, $url); - - return $curl; -} - -# Send a request and returns the body back. -sub get_timestamp { - my $curl = shift; - my $body = shift; - my $ts_body; - local $::error_buf; - - # Error-handling related options. - $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); - - # Options for POST method. - $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); - $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); - - # Options for getting the result. - $curl->setopt(CURLOPT_FILE, \$ts_body); - - # Send the request... - my $error_code = $curl->perform(); - my $error_string; - if ($error_code != 0) { - my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); - } else { - my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply") { - $error_string = "unexpected content type returned: $ct"; - } - } - return ($ts_body, $error_string); - -} - -# Print usage information and exists. -sub usage { - - print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] "; - print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] "; - print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] "; - print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n"; - exit 1; -} - -# ---------------------------------------------------------------------- -# Main program -# ---------------------------------------------------------------------- - -# Getting command-line options (default comes from TSGET environment variable). -my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; -if (exists $ENV{TSGET}) { - my @old_argv = @ARGV; - @ARGV = split /\s+/, $ENV{TSGET}; - getopts($getopt_arg, \%options) or usage; - @ARGV = @old_argv; -} -getopts($getopt_arg, \%options) or usage; - -# Checking argument consistency. -if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) - || (@ARGV > 1 && exists($options{o}))) { - print STDERR "Inconsistent command line options.\n"; - usage; -} -# Setting defaults. -@ARGV = ("-") unless @ARGV != 0; -$options{e} = ".tsr" unless defined($options{e}); - -# Processing requests. -my $curl = create_curl $options{h}; -undef $/; # For reading whole files. -REQUEST: foreach (@ARGV) { - my $input = $_; - my ($base, $path) = fileparse($input, '\.[^.]*'); - my $output_base = $base . $options{e}; - my $output = defined($options{o}) ? $options{o} : $path . $output_base; - - STDERR->printflush("$input: ") if $options{v}; - # Read request. - my $body; - if ($input eq "-") { - # Read the request from STDIN; - $body = <STDIN>; - } else { - # Read the request from file. - open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; - $body = <INPUT>; - close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; - } - - # Send request. - STDERR->printflush("sending request") if $options{v}; - - my ($ts_body, $error) = get_timestamp $curl, \$body; - if (defined($error)) { - die "$input: fatal error: $error\n"; - } - STDERR->printflush(", reply received") if $options{v}; - - # Write response. - if ($output eq "-") { - # Write to STDOUT. - print $ts_body; - } else { - # Write to file. - open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; - print OUTPUT $ts_body; - close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; - } - STDERR->printflush(", $output written.\n") if $options{v}; -} -$curl->cleanup(); -WWW::Curl::easy::global_cleanup(); diff --git a/apps/x509.c b/apps/x509.c index 6debce4..b25508a 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1151,6 +1151,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; |