openssl: import 3.5.5

This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of
the CVE-worthy issues have already been addressed on the target
branch(es), so the net result is that this is a bugfix release.

More information about the release (from a high level) can be found in
the release notes [4].

MFC after:	1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8'
This commit is contained in:
Enji Cooper
2026-01-31 14:00:39 -08:00
2269 changed files with 199884 additions and 161354 deletions
+1 -2
@@ -1,5 +1,5 @@
#
# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2023-2026 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -10,4 +10,3 @@
# List file names or patterns you want ctags to ignore.
--exclude=.ctags.d
--exclude=test
--exclude=check-format-test-positives.c
+269
@@ -28,6 +28,245 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Changes between 3.5.4 and 3.5.5 [27 Jan 2026]
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
Severity: Moderate
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation
which can trigger a stack-based buffer overflow, invalid pointer or NULL
pointer dereference during MAC verification.
Impact summary: The stack buffer overflow or NULL pointer dereference may
cause a crash leading to Denial of Service for an application that parses
untrusted PKCS#12 files. The buffer overflow may also potentially enable
code execution depending on platform mitigations.
Reported by: Stanislav Fort (Aisle Research) and Petr Šimeček (Aisle
Research) and Hamza (Metadust)
([CVE-2025-11187])
*Tomáš Mráz*
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
Severity: High
Issue summary: Parsing CMS `AuthEnvelopedData` message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
Reported by: Stanislav Fort (Aisle Research)
([CVE-2025-15467])
*Igor Ustinov*
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
Severity: Low
Issue summary: If an application using the `SSL_CIPHER_find()` function
in a QUIC protocol client or server receives an unknown cipher suite from
the peer, a NULL dereference occurs.
Impact summary: A NULL pointer dereference leads to abnormal termination
of the running process causing Denial of Service.
Reported by: Stanislav Fort (Aisle Research)
([CVE-2025-15468])
*Stanislav Fort*
* Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB.
Severity: Low
Issue summary: The `openssl dgst` command-line tool silently truncates input
data to 16 MiB when using one-shot signing algorithms and reports success
instead of an error.
Impact summary: A user signing or verifying files larger than 16 MiB with
one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the
entire file is authenticated while trailing data beyond 16 MiB remains
unauthenticated.
Reported by: Stanislav Fort (Aisle Research)
([CVE-2025-15469])
*Viktor Dukhovni*
* Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation.
Severity: Low
Issue summary: A TLS 1.3 connection using certificate compression can be
forced to allocate a large buffer before decompression without checking
against the configured certificate size limit.
Impact summary: An attacker can cause per-connection memory allocations
of up to approximately 22 MiB and extra CPU work, potentially leading
to service degradation or resource exhaustion (Denial of Service).
Reported by: Tomas Dulka (Aisle Research) and Stanislav Fort (Aisle
Research)
([CVE-2025-66199])
*Tomas Dulka and Stanislav Fort*
* Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
Severity: Low
Issue summary: Writing large, newline-free data into a BIO chain using the
line-buffering filter where the next BIO performs short writes can trigger
a heap-based out-of-bounds write.
Impact summary: This out-of-bounds write can cause memory corruption
which typically results in a crash, leading to Denial of Service for
an application.
Reported by: Petr Simecek (Aisle Research) and Stanislav Fort (Aisle
Research)
([CVE-2025-68160])
*Stanislav Fort and Neil Horman*
* Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
function calls.
Severity: Low
Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and
unauthenticated.
Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.
Reported by: Stanislav Fort (Aisle Research)
([CVE-2025-69418])
*Stanislav Fort*
* Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
Severity: Low
Issue summary: Calling `PKCS12_get_friendlyname()` function on a maliciously
crafted PKCS#12 file with a `BMPString` (UTF-16BE) friendly name containing
non-ASCII BMP code point can trigger a one byte write before the allocated
buffer.
Impact summary: The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service.
Reported by: Stanislav Fort (Aisle Research)
([CVE-2025-69419])
*Norbert Pócs*
* Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function.
Severity: Low
Issue summary: A type confusion vulnerability exists in the TimeStamp
Response verification code where an `ASN1_TYPE` union member is accessed
without first validating the type, causing an invalid or NULL pointer
dereference when processing a malformed `TimeStamp` Response file.
Impact summary: An application calling `TS_RESP_verify_response()`
with a malformed TimeStamp Response can be caused to dereference an invalid
or NULL pointer when reading, resulting in a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
([CVE-2025-69420])
*Bob Beck*
* Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
Severity: Low
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL
pointer dereference in the `PKCS12_item_decrypt_d2i_ex()` function.
Impact summary: A NULL pointer dereference can trigger a crash which leads
to Denial of Service for an application processing PKCS#12 files.
Reported by: Luigino Camastra (Aisle Research)
([CVE-2025-69421])
*Luigino Camastra*
* Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
Severity: Low
Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
([CVE-2026-22795])
*Bob Beck*
* Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
function.
Severity: Low
Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an `ASN1_TYPE` union member
is accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7
data or calling directly the `PKCS7_digest_from_attributes()` function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
([CVE-2026-22796])
*Bob Beck*
* RISC-V capabilities string format has changed to include the base
architecture and the vector length for the V extension.
<!-- https://github.com/openssl/openssl/pull/28760 -->
*Bernd Edlinger*
* Fixed incorrect acceptance of some malformed ECDSA signatures on s390x.
<!-- https://github.com/openssl/openssl/pull/29214 -->
*Holger Dengler*
* Source code has been reformatted with `clang-format`.
<!-- https://github.com/openssl/openssl/pull/29262 -->
*Bob Beck*
### Changes between 3.5.3 and 3.5.4 [30 Sep 2025]
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
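Review bot: The reporter credit is spelled two ways in the new 3.5.5 entries: "Petr Šimeček (Aisle Research)" under CVE-2025-11187 and "Petr Simecek (Aisle Research)" under CVE-2025-68160. Since this is a vendor import the text should stay as upstream ships it, but the inconsistency is worth reporting upstream so both credits use one spelling.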
@@ -2340,6 +2579,24 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
* Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS
squaring procedure. Many EC algorithms are affected, including some of the
TLS 1.3 default curves. Impact was not analyzed in detail, because the
pre-requisites for attack are considered unlikely and include reusing
private keys. Analysis suggests that attacks against RSA and DSA as a result
of this defect would be very difficult to perform and are not believed
likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information about
a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH private key among multiple clients, which is no longer
an option since CVE-2016-0701.
The issue only affects OpenSSL on MIPS platforms.
([CVE-2021-4160])
*Bernd Edlinger*
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
verify a certificate supplied by a server. That function may return a
@@ -21350,6 +21607,18 @@ ndif
<!-- Links -->
[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796
[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795
[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421
[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420
[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419
[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418
[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160
[CVE-2025-66199]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-66199
[CVE-2025-15469]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15469
[CVE-2025-15468]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15468
[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467
[CVE-2025-11187]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-11187
[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
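Review bot: The twelve link definitions added here run from CVE-2025-11187 to CVE-2026-22796, but the 3.0.1 entry introduced by the hunk at -2340,6 +2579,24 cites `[CVE-2021-4160]` and no definition for it appears in this hunk. Please confirm that a `[CVE-2021-4160]:` line already exists further down the links block; if it does not, the reference will render as literal bracketed text.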
+8
@@ -19,6 +19,14 @@ open an issue for it before starting work, to get comments from the community.
Someone may be already working on the same thing,
or there may be special reasons why a feature is not implemented.
Similarly, if you plan to submit many pull requests, please start with
a representative sample (no more than 3 or 4) and open an issue
explaining your process. The OpenSSL project has limited resources,
especially when it comes to reviewers, so we appreciate advanced
communication before submitting many pull requests. In addition,
contributors should personally evaluate potential patches generated by
automated tools.
To make it easier to review and accept your pull request, please follow these
guidelines:
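Review bot: In the new paragraph, "we appreciate advanced communication before submitting many pull requests" should read "advance communication"; "advanced" changes the meaning. This is upstream text, so the fix belongs upstream rather than in the import.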
@@ -168,6 +168,7 @@
# Build models
'nonstop-model-put' => {
template => 1,
disable => ['secure-memory'],
defines => ['_PUT_MODEL_',
'_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
ex_libs => '-lput',
@@ -177,6 +178,7 @@
# Build models
'nonstop-model-klt' => {
template => 1,
disable => ['secure-memory'],
defines => ['_KLT_MODEL_',
'_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
ex_libs => '-lklt',
@@ -880,6 +880,7 @@ uninstall_dev: uninstall_runtime_libs
done
-$(RMDIR) "$(DESTDIR)$(PKGCONFIGDIR)"
-$(RMDIR) "$(DESTDIR)$(CMAKECONFIGDIR)"
-$(RMDIR) "$(DESTDIR)$(libdir)/cmake"
-$(RMDIR) "$(DESTDIR)$(libdir)"
_install_modules_deps: install_runtime_libs build_modules
@@ -1205,10 +1206,18 @@ lint: ## Evaluate C code via "splint"
echo splint -DLINT -posixlib -preproc -D__gnuc_va_list=void \
-I. -Iinclude -Iapps/include $(CRYPTOHEADERS) $(SSLHEADERS) $(SRCS) )
.PHONY: check-format
check-format: ## Evaluate C code according to OpenSSL coding standards
( cd $(SRCDIR); $(PERL) util/check-format.pl \
$(SRCS) \$(CRYPTOHEADERS) $(SSLHEADERS) )
CLANG_FORMAT_DIFF = clang-format-diff
.PHONY: check-format check-clang-format-diff-cmd
check-clang-format-diff-cmd:
@if ! command -v "$(CLANG_FORMAT_DIFF)" >/dev/null; then \
echo "Unable to find ${CLANG_FORMAT_DIFF}";\
echo "Please set the CLANG_FORMAT_DIFF variable to your clang-format-diff command";\
exit 1;\
fi
check-format: check-clang-format-diff-cmd ## Evaluate C code according to OpenSSL coding standards
( cd $(SRCDIR); git diff -U0 --no-prefix --no-color | $(CLANG_FORMAT_DIFF) )
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
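Review bot: The new check-format recipe, `git diff -U0 --no-prefix --no-color | $(CLANG_FORMAT_DIFF)`, only sees unstaged changes in a git work tree, and because `git diff` is the left side of a pipe its exit status is discarded. Outside an upstream checkout (a release tarball, for example) the target can therefore succeed without checking anything. Consider testing for a git work tree in check-clang-format-diff-cmd, or documenting that the target is only meaningful in an upstream checkout. The error message also writes `${CLANG_FORMAT_DIFF}` where the rest of the rule uses `$(CLANG_FORMAT_DIFF)`; one form throughout would read better.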
+61 -1
@@ -23,6 +23,52 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Major changes between OpenSSL 3.5.4 and OpenSSL 3.5.5 [27 Jan 2026]
OpenSSL 3.5.5 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
* Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB.
([CVE-2025-15469])
* Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation.
([CVE-2025-66199])
* Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
([CVE-2025-68160])
* Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
function calls.
([CVE-2025-69418])
* Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
([CVE-2025-69419])
* Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()`
function.
([CVE-2025-69420])
* Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
([CVE-2025-69421])
* Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
([CVE-2026-22795])
* Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
function.
([CVE-2026-22796])
### Major changes between OpenSSL 3.5.3 and OpenSSL 3.5.4 [30 Sep 2025]
OpenSSL 3.5.4 is a security patch release. The most severe CVE fixed in this
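Review bot: The summary added here calls 3.5.5 a security patch release whose most severe CVE is High and lists twelve CVEs, while the commit message states that all CVE-worthy issues were already addressed on the target branch(es). Naming the earlier commits or advisory that carried those fixes in the commit message would let a reader confirm that each of the twelve, CVE-2025-15467 in particular, is covered.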
@@ -307,7 +353,7 @@ This release adds the following new features:
* Added X509_STORE_get1_objects to avoid issues with the existing
X509_STORE_get0_objects API in multi-threaded applications.
* Support for using certificate profiles and extened delayed delivery in CMP
* Support for using certificate profiles and extended delayed delivery in CMP
This release incorporates the following potentially significant or incompatible
changes:
@@ -583,6 +629,8 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]
* Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS
([CVE-2021-4160])
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key
@@ -1940,6 +1988,18 @@ OpenSSL 0.9.x
* Support for various new platforms
<!-- Links -->
[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796
[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795
[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421
[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420
[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419
[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418
[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160
[CVE-2025-66199]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-66199
[CVE-2025-15469]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15469
[CVE-2025-15468]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15468
[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467
[CVE-2025-11187]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-11187
[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
+10 -2
@@ -37,8 +37,7 @@ for each on the TNS/X (L-Series) platform:
The KLT threading model is a newly released model on NonStop. It implements
kernel-level threading. KLT provides much closer threading to what OpenSSL
uses for Linux-like threading models. KLT continues to use the pthread library
API. There is no supported 32-bit or Guardian builds for KLT. Note: KLT is
not currently available but is planned for post-2024.
API. There is no supported 32-bit or Guardian builds for KLT.
The SPT threading model is no longer supported as of OpenSSL 3.2.
@@ -53,6 +52,9 @@ instead of `nsx` in the set above.
You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
option to `./Configure`.
TNS/E has moved to a limited support state, so fixes for this platform will not
be guaranteed in future.
Linking and Loading Considerations
----------------------------------
@@ -73,6 +75,12 @@ for NonStop builds. If you need to have `atexit()` functionality, set
register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call
`OPENSSL_cleanup()` from your application.
Secure Memory
-------------
The mechanism used by OpenSSL for secure memory is not supported on NonStop.
Use the `no-secure-memory` option when running `Configure`.
About Prefix and OpenSSLDir
---------------------------
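Review bot: The new "Secure Memory" section tells users to pass `no-secure-memory` to `Configure`, but the nonstop-model-put and nonstop-model-klt templates changed in this same commit already carry `disable => ['secure-memory']`. The section should say whether the option is still required or is now implied by the build model. It would also help to state the consequence for applications on this platform: without the secure heap, key material allocated through the secure-memory API lives in ordinary heap memory.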
+1 -1
@@ -196,7 +196,7 @@ attempting to develop or distribute cryptographic code.
Copyright
=========
Copyright (c) 1998-2025 The OpenSSL Project Authors
Copyright (c) 1998-2026 The OpenSSL Project Authors
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+2 -2
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=5
PATCH=4
PATCH=5
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="30 Sep 2025"
RELEASE_DATE="27 Jan 2026"
SHLIB_VERSION=3
+41 -31
@@ -20,40 +20,51 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM,
OPT_INFORM,
OPT_IN,
OPT_OUT,
OPT_INDENT,
OPT_NOOUT,
OPT_OID,
OPT_OFFSET,
OPT_LENGTH,
OPT_DUMP,
OPT_DLIMIT,
OPT_STRPARSE,
OPT_GENSTR,
OPT_GENCONF,
OPT_STRICTPEM,
OPT_ITEM
} OPTION_CHOICE;
const OPTIONS asn1parse_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"oid", OPT_OID, '<', "file of extra oid definitions"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "oid", OPT_OID, '<', "file of extra oid definitions" },
OPT_SECTION("I/O"),
{"inform", OPT_INFORM, 'A', "input format - one of DER PEM B64"},
{"in", OPT_IN, '<', "input file"},
{"out", OPT_OUT, '>', "output file (output format is always DER)"},
{"noout", OPT_NOOUT, 0, "do not produce any output"},
{"offset", OPT_OFFSET, 'p', "offset into file"},
{"length", OPT_LENGTH, 'p', "length of section in file"},
{"strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'"},
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
{"strictpem", OPT_STRICTPEM, 0,
"equivalent to '-inform pem' (obsolete)"},
{"item", OPT_ITEM, 's', "item to parse and print"},
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
{ "inform", OPT_INFORM, 'A', "input format - one of DER PEM B64" },
{ "in", OPT_IN, '<', "input file" },
{ "out", OPT_OUT, '>', "output file (output format is always DER)" },
{ "noout", OPT_NOOUT, 0, "do not produce any output" },
{ "offset", OPT_OFFSET, 'p', "offset into file" },
{ "length", OPT_LENGTH, 'p', "length of section in file" },
{ "strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'" },
{ OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings" },
{ "genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from" },
{ "genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from" },
{ "strictpem", OPT_STRICTPEM, 0,
"equivalent to '-inform pem' (obsolete)" },
{ "item", OPT_ITEM, 's', "item to parse and print" },
{ OPT_MORE_STR, 0, 0, "(-inform will be ignored)" },
OPT_SECTION("Formatting"),
{"i", OPT_INDENT, 0, "indents the output"},
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
{"dlimit", OPT_DLIMIT, 'p',
"dump the first arg bytes of unknown data in hex form"},
{NULL}
{ "i", OPT_INDENT, 0, "indents the output" },
{ "dump", OPT_DUMP, 0, "unknown data in hex form" },
{ "dlimit", OPT_DLIMIT, 'p',
"dump the first arg bytes of unknown data in hex form" },
{ NULL }
};
static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf);
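Review bot: The commit message does not mention the clang-format pass, although the enum and option-table changes here are layout only (one enumerator per line, spaces inside the braces) and CHANGES.md records "Source code has been reformatted with `clang-format`". A sentence in the message saying that the reformat is part of this import would help reviewers separate functional changes from formatting across the 2269 changed files.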
@@ -88,7 +99,7 @@ int asn1parse_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -189,7 +200,7 @@ int asn1parse_main(int argc, char **argv)
buf->length = buf->max = num;
} else {
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
goto end; /* Pre-allocate :-) */
if (genstr || genconf) {
num = do_generate(genstr, genconf, buf);
@@ -224,7 +235,6 @@ int asn1parse_main(int argc, char **argv)
}
}
str = (unsigned char *)buf->data;
}
/* If any structs to parse go through in sequence */
@@ -238,7 +248,7 @@ int asn1parse_main(int argc, char **argv)
j = strtol(sk_OPENSSL_STRING_value(osk, i), NULL, 0);
if (j <= 0 || j >= tmplen) {
BIO_printf(bio_err, "'%s' is out of range\n",
sk_OPENSSL_STRING_value(osk, i));
sk_OPENSSL_STRING_value(osk, i));
continue;
}
tmpbuf += j;
@@ -304,7 +314,7 @@ int asn1parse_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
BIO_free(derout);
BIO_free(in);
BIO_free(b64);
@@ -358,7 +368,7 @@ static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf)
ASN1_TYPE_free(atyp);
return len;
err:
err:
NCONF_free(cnf);
ASN1_TYPE_free(atyp);
return -1;
+397 -360
File diff suppressed because it is too large
+29 -26
@@ -28,58 +28,61 @@ typedef enum OPTION_choice {
OPT_PSK,
OPT_SRP,
OPT_CIPHERSUITES,
OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
OPT_V,
OPT_UPPER_V,
OPT_S,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ciphers_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Output"),
{"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
{"V", OPT_UPPER_V, '-', "Even more verbose"},
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
{ "v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers" },
{ "V", OPT_UPPER_V, '-', "Even more verbose" },
{ "stdname", OPT_STDNAME, '-', "Show standard cipher names" },
{ "convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name" },
OPT_SECTION("Cipher specification"),
{"s", OPT_S, '-', "Only supported ciphers"},
{ "s", OPT_S, '-', "Only supported ciphers" },
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
{ "ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3" },
#endif
#ifndef OPENSSL_NO_TLS1
{"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
{ "tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1" },
#endif
#ifndef OPENSSL_NO_TLS1_1
{"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
{ "tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1" },
#endif
#ifndef OPENSSL_NO_TLS1_2
{"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
{ "tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2" },
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
{ "tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3" },
#endif
#ifndef OPENSSL_NO_PSK
{"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
{ "psk", OPT_PSK, '-', "Include ciphersuites requiring PSK" },
#endif
#ifndef OPENSSL_NO_SRP
{"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
{ "srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP" },
#endif
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use"},
{ "ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cipher", 0, 0, "Cipher string to decode (optional)"},
{NULL}
{ "cipher", 0, 0, "Cipher string to decode (optional)" },
{ NULL }
};
#ifndef OPENSSL_NO_PSK
static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len)
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len)
{
return 0;
}
@@ -110,7 +113,7 @@ int ciphers_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -181,7 +184,7 @@ int ciphers_main(int argc, char **argv)
if (convert != NULL) {
BIO_printf(bio_out, "OpenSSL cipher name: %s\n",
OPENSSL_cipher_name(convert));
OPENSSL_cipher_name(convert));
ret = 0;
goto end;
}
@@ -273,9 +276,9 @@ int ciphers_main(int argc, char **argv)
ret = 0;
goto end;
err:
err:
ERR_print_errors(bio_err);
end:
end:
if (use_supported)
sk_SSL_CIPHER_free(sk);
SSL_CTX_free(ctx);
+740 -671
File diff suppressed because it is too large
+285 -222
@@ -24,31 +24,30 @@
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
static void receipt_request_print(CMS_ContentInfo *cms);
static CMS_ReceiptRequest
*make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from);
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from);
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param);
STACK_OF(OPENSSL_STRING) *param);
#define SMIME_OP 0x100
#define SMIME_IP 0x200
#define SMIME_SIGNERS 0x400
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP)
#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP)
#define SMIME_DIGEST_CREATE (8 | SMIME_OP)
#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
#define SMIME_COMPRESS (10 | SMIME_OP)
#define SMIME_UNCOMPRESS (11 | SMIME_IP)
#define SMIME_OP 0x100
#define SMIME_IP 0x200
#define SMIME_SIGNERS 0x400
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP)
#define SMIME_VERIFY_RECEIPT (7 | SMIME_IP)
#define SMIME_DIGEST_CREATE (8 | SMIME_OP)
#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
#define SMIME_COMPRESS (10 | SMIME_OP)
#define SMIME_UNCOMPRESS (11 | SMIME_IP)
#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP)
#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
#define SMIME_DATA_CREATE (14 | SMIME_OP)
#define SMIME_DATA_OUT (15 | SMIME_IP)
#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP)
#define SMIME_DATA_CREATE (14 | SMIME_OP)
#define SMIME_DATA_OUT (15 | SMIME_IP)
#define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP)
static int verify_err = 0;
@@ -62,191 +61,252 @@ struct cms_key_param_st {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN,
OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
OPT_DIGEST, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_NO_SIGNING_TIME,
OPT_BINARY, OPT_KEYID,
OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_SIGN,
OPT_CADES,
OPT_SIGN_RECEIPT,
OPT_RESIGN,
OPT_VERIFY,
OPT_VERIFY_RETCODE,
OPT_VERIFY_RECEIPT,
OPT_CMSOUT,
OPT_DATA_OUT,
OPT_DATA_CREATE,
OPT_DIGEST_VERIFY,
OPT_DIGEST,
OPT_DIGEST_CREATE,
OPT_COMPRESS,
OPT_UNCOMPRESS,
OPT_ED_DECRYPT,
OPT_ED_ENCRYPT,
OPT_DEBUG_DECRYPT,
OPT_TEXT,
OPT_ASCIICRLF,
OPT_NOINTERN,
OPT_NOVERIFY,
OPT_NOCERTS,
OPT_NOATTR,
OPT_NODETACH,
OPT_NOSMIMECAP,
OPT_NO_SIGNING_TIME,
OPT_BINARY,
OPT_KEYID,
OPT_NOSIGS,
OPT_NO_CONTENT_VERIFY,
OPT_NO_ATTR_VERIFY,
OPT_INDEF,
OPT_NOINDEF,
OPT_CRLFEOL,
OPT_NOOUT,
OPT_RR_PRINT,
OPT_RR_ALL,
OPT_RR_FIRST,
OPT_RCTFORM,
OPT_CERTFILE,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_CONTENT,
OPT_PRINT,
OPT_NAMEOPT,
OPT_SECRETKEY,
OPT_SECRETKEYID,
OPT_PWRI_PASSWORD,
OPT_ECONTENT_TYPE,
OPT_PASSIN,
OPT_TO,
OPT_FROM,
OPT_SUBJECT,
OPT_SIGNER,
OPT_RECIP,
OPT_CERTSOUT,
OPT_MD,
OPT_INKEY,
OPT_KEYFORM,
OPT_KEYOPT,
OPT_RR_FROM,
OPT_RR_TO,
OPT_AES128_WRAP,
OPT_AES192_WRAP,
OPT_AES256_WRAP,
OPT_3DES_WRAP,
OPT_WRAP,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM, OPT_CONFIG,
OPT_PROV_ENUM,
OPT_CONFIG,
OPT_V_ENUM,
OPT_CIPHER,
OPT_ORIGINATOR
} OPTION_CHOICE;
const OPTIONS cms_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
{"help", OPT_HELP, '-', "Display this summary"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n" },
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("General"),
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{ "in", OPT_IN, '<', "Input file" },
{ "out", OPT_OUT, '>', "Output file" },
OPT_CONFIG_OPTION,
OPT_SECTION("Operation"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"sign_receipt", OPT_SIGN_RECEIPT, '-',
"Generate a signed receipt for a message"},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<',
"Verify receipts; exit if receipt signatures do not verify"},
{"digest", OPT_DIGEST, 's', "Sign a pre-computed digest in hex notation"},
{"digest_create", OPT_DIGEST_CREATE, '-',
"Create a CMS \"DigestedData\" object"},
{"digest_verify", OPT_DIGEST_VERIFY, '-',
"Verify a CMS \"DigestedData\" object and output it"},
{"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
{"uncompress", OPT_UNCOMPRESS, '-',
"Uncompress a CMS \"CompressedData\" object"},
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
"Create CMS \"EncryptedData\" object using symmetric key"},
{"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
"Decrypt CMS \"EncryptedData\" object using symmetric key"},
{"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
{"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
{"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt message" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message" },
{ "sign", OPT_SIGN, '-', "Sign message" },
{ "verify", OPT_VERIFY, '-', "Verify signed message" },
{ "resign", OPT_RESIGN, '-', "Resign a signed message" },
{ "sign_receipt", OPT_SIGN_RECEIPT, '-',
"Generate a signed receipt for a message" },
{ "verify_receipt", OPT_VERIFY_RECEIPT, '<',
"Verify receipts; exit if receipt signatures do not verify" },
{ "digest", OPT_DIGEST, 's', "Sign a pre-computed digest in hex notation" },
{ "digest_create", OPT_DIGEST_CREATE, '-',
"Create a CMS \"DigestedData\" object" },
{ "digest_verify", OPT_DIGEST_VERIFY, '-',
"Verify a CMS \"DigestedData\" object and output it" },
{ "compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object" },
{ "uncompress", OPT_UNCOMPRESS, '-',
"Uncompress a CMS \"CompressedData\" object" },
{ "EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
"Create CMS \"EncryptedData\" object using symmetric key" },
{ "EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
"Decrypt CMS \"EncryptedData\" object using symmetric key" },
{ "data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object" },
{ "data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output" },
{ "cmsout", OPT_CMSOUT, '-', "Output CMS structure" },
OPT_SECTION("File format"),
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
{"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
{"stream", OPT_INDEF, '-', "Enable CMS streaming"},
{"indef", OPT_INDEF, '-', "Same as -stream"},
{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{"binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form"},
{"crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of LF only" },
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},
{ "inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER" },
{ "outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER" },
{ "rctform", OPT_RCTFORM, 'F', "Receipt file format" },
{ "stream", OPT_INDEF, '-', "Enable CMS streaming" },
{ "indef", OPT_INDEF, '-', "Same as -stream" },
{ "noindef", OPT_NOINDEF, '-', "Disable CMS streaming" },
{ "binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form" },
{ "crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of LF only" },
{ "asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing" },
OPT_SECTION("Keys and passwords"),
{"pwri_password", OPT_PWRI_PASSWORD, 's',
"Specific password for recipient"},
{"secretkey", OPT_SECRETKEY, 's',
"Use specified hex-encoded key to decrypt/encrypt recipients or content"},
{"secretkeyid", OPT_SECRETKEYID, 's',
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
{"keyform", OPT_KEYFORM, 'f',
"Input private key format (ENGINE, other values ignored)"},
{ "pwri_password", OPT_PWRI_PASSWORD, 's',
"Specific password for recipient" },
{ "secretkey", OPT_SECRETKEY, 's',
"Use specified hex-encoded key to decrypt/encrypt recipients or content" },
{ "secretkeyid", OPT_SECRETKEYID, 's',
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object" },
{ "inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs" },
{ "keyform", OPT_KEYFORM, 'f',
"Input private key format (ENGINE, other values ignored)" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
OPT_SECTION("Encryption and decryption"),
{"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
{"recip", OPT_RECIP, '<', "Recipient cert file"},
{"cert...", OPT_PARAM, '.',
"Recipient certs (optional; used only when encrypting)"},
{"", OPT_CIPHER, '-',
"The encryption algorithm to use (any supported cipher)"},
{"wrap", OPT_WRAP, 's',
"Key wrap algorithm to use when encrypting with key agreement"},
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
{"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
"Disable MMA protection, return error if no recipient found (see doc)"},
{ "originator", OPT_ORIGINATOR, 's', "Originator certificate file" },
{ "recip", OPT_RECIP, '<', "Recipient cert file" },
{ "cert...", OPT_PARAM, '.',
"Recipient certs (optional; used only when encrypting)" },
{ "", OPT_CIPHER, '-',
"The encryption algorithm to use (any supported cipher)" },
{ "wrap", OPT_WRAP, 's',
"Key wrap algorithm to use when encrypting with key agreement" },
{ "aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key" },
{ "aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key" },
{ "aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key" },
{ "des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key" },
{ "debug_decrypt", OPT_DEBUG_DECRYPT, '-',
"Disable MMA protection, return error if no recipient found (see doc)" },
OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "Digest algorithm to use"},
{"signer", OPT_SIGNER, 's', "Signer certificate input file"},
{"certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing"},
{OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying"},
{"cades", OPT_CADES, '-',
"Include signingCertificate attribute (CAdES-BES)"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"nocerts", OPT_NOCERTS, '-',
"Don't include signer's certificate when signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
{"no_signing_time", OPT_NO_SIGNING_TIME, '-',
"Omit the signing time attribute"},
{"receipt_request_all", OPT_RR_ALL, '-',
"When signing, create a receipt request for all recipients"},
{"receipt_request_first", OPT_RR_FIRST, '-',
"When signing, create a receipt request for first recipient"},
{"receipt_request_from", OPT_RR_FROM, 's',
"Create signed receipt request with specified email address"},
{"receipt_request_to", OPT_RR_TO, 's',
"Create signed receipt targeted to specified address"},
{ "md", OPT_MD, 's', "Digest algorithm to use" },
{ "signer", OPT_SIGNER, 's', "Signer certificate input file" },
{ "certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing" },
{ OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying" },
{ "cades", OPT_CADES, '-',
"Include signingCertificate attribute (CAdES-BES)" },
{ "nodetach", OPT_NODETACH, '-', "Use opaque signing" },
{ "nocerts", OPT_NOCERTS, '-',
"Don't include signer's certificate when signing" },
{ "noattr", OPT_NOATTR, '-', "Don't include any signed attributes" },
{ "nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute" },
{ "no_signing_time", OPT_NO_SIGNING_TIME, '-',
"Omit the signing time attribute" },
{ "receipt_request_all", OPT_RR_ALL, '-',
"When signing, create a receipt request for all recipients" },
{ "receipt_request_first", OPT_RR_FIRST, '-',
"When signing, create a receipt request for first recipient" },
{ "receipt_request_from", OPT_RR_FROM, 's',
"Create signed receipt request with specified email address" },
{ "receipt_request_to", OPT_RR_TO, 's',
"Create signed receipt targeted to specified address" },
OPT_SECTION("Verification"),
{"signer", OPT_DUP, 's', "Signer certificate(s) output file"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
"Do not verify signed content signatures"},
{"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
"Do not verify signed attribute signatures"},
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
{"nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer"},
{"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"},
{"verify_retcode", OPT_VERIFY_RETCODE, '-',
"Exit non-zero on verification failure"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "signer", OPT_DUP, 's', "Signer certificate(s) output file" },
{ "content", OPT_CONTENT, '<',
"Supply or override content for detached signature" },
{ "no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
"Do not verify signed content signatures" },
{ "no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
"Do not verify signed attribute signatures" },
{ "nosigs", OPT_NOSIGS, '-', "Don't verify message signature" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate" },
{ "nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer" },
{ "cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)" },
{ "verify_retcode", OPT_VERIFY_RETCODE, '-',
"Exit non-zero on verification failure" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_SECTION("Output"),
{"keyid", OPT_KEYID, '-', "Use subject key identifier"},
{"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{ "keyid", OPT_KEYID, '-', "Use subject key identifier" },
{ "econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content" },
{ "text", OPT_TEXT, '-', "Include or delete text MIME headers" },
{ "certsout", OPT_CERTSOUT, '>', "Certificate output file" },
{ "to", OPT_TO, 's', "To address" },
{ "from", OPT_FROM, 's', "From address" },
{ "subject", OPT_SUBJECT, 's', "Subject" },
OPT_SECTION("Printing"),
{"noout", OPT_NOOUT, '-',
"For the -cmsout operation do not output the parsed CMS structure"},
{"print", OPT_PRINT, '-',
"For the -cmsout operation print out all fields of the CMS structure"},
{"nameopt", OPT_NAMEOPT, 's',
"For the -print option specifies various strings printing options"},
{"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
{ "noout", OPT_NOOUT, '-',
"For the -cmsout operation do not output the parsed CMS structure" },
{ "print", OPT_PRINT, '-',
"For the -cmsout operation print out all fields of the CMS structure" },
{ "nameopt", OPT_NAMEOPT, 's',
"For the -print option specifies various strings printing options" },
{ "receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
OPT_V_OPTIONS,
{NULL}
{ NULL }
};
static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
BIO **indata, const char *name)
BIO **indata, const char *name)
{
CMS_ContentInfo *ret, *ci;
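Review bot: the help text for `debug_decrypt`, "Disable MMA protection, return error if no recipient found (see doc)", leaves "MMA" unexpanded, so `-help` alone does not tell a user that the flag switches off the defence against the million message attack (Bleichenbacher's attack on RSA PKCS#1 v1.5 padding). Every line of the table is rewritten here, so this is a cheap moment to spell the abbreviation out and say the flag is for debugging only.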
@@ -274,7 +334,7 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
goto err;
}
return ret;
err:
err:
CMS_ContentInfo_free(ret);
return NULL;
}
@@ -330,7 +390,7 @@ int cms_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -477,7 +537,7 @@ int cms_main(int argc, char **argv)
break;
case OPT_RCTFORM:
if (!opt_format(opt_arg(),
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
goto opthelp;
break;
case OPT_CERTFILE:
@@ -531,7 +591,7 @@ int cms_main(int argc, char **argv)
case OPT_SECRETKEY:
if (secret_key != NULL) {
BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
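Review bot: the duplicate-option path in `case OPT_SECRETKEY` passes `opt_arg()` to `BIO_printf(bio_err, ...)`, and for this option the argument is the key itself (the option table describes `-secretkey` as "Use specified hex-encoded key to decrypt/encrypt recipients or content"), so a doubled `-secretkey` writes key material to stderr and to anything that captures it. The re-indent keeps that behaviour; dropping the `%s`, as in `BIO_printf(bio_err, "Invalid key (supplied twice)\n");`, would avoid it.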
@@ -544,7 +604,7 @@ int cms_main(int argc, char **argv)
case OPT_SECRETKEYID:
if (secret_keyid != NULL) {
BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
@@ -560,7 +620,7 @@ int cms_main(int argc, char **argv)
case OPT_ECONTENT_TYPE:
if (econtent_type != NULL) {
BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
opt_arg());
opt_arg());
goto opthelp;
}
econtent_type = OBJ_txt2obj(opt_arg(), 0);
@@ -640,7 +700,7 @@ int cms_main(int argc, char **argv)
case OPT_RECIP:
if (operation == SMIME_ENCRYPT) {
cert = load_cert(opt_arg(), FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -749,13 +809,13 @@ int cms_main(int argc, char **argv)
if ((flags & CMS_CADES) != 0) {
if ((flags & CMS_NOATTR) != 0) {
BIO_puts(bio_err, "Incompatible options: "
"CAdES requires signed attributes\n");
"CAdES requires signed attributes\n");
goto opthelp;
}
if (operation == SMIME_VERIFY
&& (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) {
&& (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) {
BIO_puts(bio_err, "Incompatible options: CAdES validation requires"
" certs and signed attributes validations\n");
" certs and signed attributes validations\n");
goto opthelp;
}
}
@@ -789,7 +849,7 @@ int cms_main(int argc, char **argv)
if (recipfile == NULL && keyfile == NULL
&& secret_key == NULL && pwri_pass == NULL) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
"No recipient certificate or key specified\n");
goto opthelp;
}
} else if (operation == SMIME_ENCRYPT) {
@@ -813,16 +873,16 @@ int cms_main(int argc, char **argv)
if ((operation & SMIME_SIGNERS) == 0) {
if ((flags & CMS_DETACHED) == 0)
BIO_printf(bio_err,
"Warning: -nodetach option is ignored for non-signing operation\n");
"Warning: -nodetach option is ignored for non-signing operation\n");
flags &= ~CMS_DETACHED;
}
if ((operation & SMIME_IP) == 0 && contfile != NULL)
BIO_printf(bio_err,
"Warning: -contfile option is ignored for the given operation\n");
"Warning: -contfile option is ignored for the given operation\n");
if (operation != SMIME_ENCRYPT && *argv != NULL)
BIO_printf(bio_err,
"Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
"Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
if ((flags & CMS_BINARY) != 0) {
if (!(operation & SMIME_OP))
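Review bot: the warning "-contfile option is ignored for the given operation" names an option that the `cms_options` table in this file does not list; the entry there is `"content"` (OPT_CONTENT), and `contfile` is only the variable name. Since the line is touched anyway, the message should say `-content`. The three warning strings in this hunk also still run well past 80 columns after the re-indent.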
@@ -845,7 +905,7 @@ int cms_main(int argc, char **argv)
for (; *argv != NULL; argv++) {
cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -863,7 +923,8 @@ int cms_main(int argc, char **argv)
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
"recipient certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
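Review bot: moving `== NULL) {` to its own line after `"recipient certificate file"))` leaves the comparison visually detached from the `load_cert()` call it tests, which makes the assignment-inside-condition harder to read than the old form. Assigning first (`recip = load_cert(...);`) and then testing with a plain `if (recip == NULL) {` removes the dangling operator; the same shape recurs for `originator` and `signer` in the next two hunks.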
@@ -871,7 +932,8 @@ int cms_main(int argc, char **argv)
if (originatorfile != NULL) {
if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
"originator certificate file")) == NULL) {
"originator certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -879,7 +941,8 @@ int cms_main(int argc, char **argv)
if (operation == SMIME_SIGN_RECEIPT) {
if ((signer = load_cert(signerfile, FORMAT_UNDEF,
"receipt signer certificate file")) == NULL) {
"receipt signer certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -904,25 +967,25 @@ int cms_main(int argc, char **argv)
if (digesthex != NULL) {
if (operation != SMIME_SIGN) {
BIO_printf(bio_err,
"Cannot use -digest for non-signing operation\n");
"Cannot use -digest for non-signing operation\n");
goto end;
}
if (infile != NULL
|| (flags & CMS_DETACHED) == 0
|| (flags & CMS_STREAM) != 0) {
BIO_printf(bio_err,
"Cannot use -digest when -in, -nodetach or streaming is used\n");
"Cannot use -digest when -in, -nodetach or streaming is used\n");
goto end;
}
digestbin = OPENSSL_hexstr2buf(digesthex, &digestlen);
if (digestbin == NULL) {
BIO_printf(bio_err,
"Invalid hex value after -digest\n");
"Invalid hex value after -digest\n");
goto end;
}
} else {
in = bio_open_default(infile, 'r',
binary_files ? FORMAT_BINARY : informat);
binary_files ? FORMAT_BINARY : informat);
if (in == NULL)
goto end;
}
@@ -943,7 +1006,7 @@ int cms_main(int argc, char **argv)
allcerts = CMS_get1_certs(cms);
if (!save_certs(certsoutfile, allcerts)) {
BIO_printf(bio_err,
"Error writing certs to %s\n", certsoutfile);
"Error writing certs to %s\n", certsoutfile);
ret = 5;
goto end;
}
@@ -965,13 +1028,14 @@ int cms_main(int argc, char **argv)
}
out = bio_open_default(outfile, 'w',
binary_files ? FORMAT_BINARY : outformat);
binary_files ? FORMAT_BINARY : outformat);
if (out == NULL)
goto end;
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
X509_STORE_set_verify_cb(store, cms_cb);
if (vpmtouched)
@@ -1017,13 +1081,13 @@ int cms_main(int argc, char **argv)
}
res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
EVP_PKEY_CTRL_CIPHER,
EVP_CIPHER_get_nid(cipher), NULL);
EVP_PKEY_CTRL_CIPHER,
EVP_CIPHER_get_nid(cipher), NULL);
if (res <= 0 && res != -2)
goto end;
if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
&& wrap_cipher != NULL) {
&& wrap_cipher != NULL) {
EVP_CIPHER_CTX *wctx;
wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
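Review bot: `if (res <= 0 && res != -2)` lets a return of -2 from `EVP_PKEY_CTX_ctrl()` pass silently, and nothing in the hunk says why. A one-line comment that -2 means the control is not supported by the recipient's public key algorithm, so the cipher setting is skipped for that recipient, would stop a later reader from tightening this to `res <= 0` or loosening it further.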
@@ -1033,9 +1097,9 @@ int cms_main(int argc, char **argv)
if (secret_key != NULL) {
if (!CMS_add0_recipient_key(cms, NID_undef,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen,
NULL, NULL, NULL))
secret_key, secret_keylen,
secret_keyid, secret_keyidlen,
NULL, NULL, NULL))
goto end;
/* NULL these because call absorbs them */
secret_key = NULL;
@@ -1046,8 +1110,9 @@ int cms_main(int argc, char **argv)
if (pwri_tmp == NULL)
goto end;
if (CMS_add0_recipient_password(cms,
-1, NID_undef, NID_undef,
pwri_tmp, -1, NULL) == NULL)
-1, NID_undef, NID_undef,
pwri_tmp, -1, NULL)
== NULL)
goto end;
pwri_tmp = NULL;
}
@@ -1055,7 +1120,7 @@ int cms_main(int argc, char **argv)
if (!CMS_final(cms, in, NULL, flags)) {
if (originator != NULL
&& ERR_GET_REASON(ERR_peek_error())
== CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
== CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
BIO_printf(bio_err, "Cannot use originator for encryption\n");
goto end;
}
@@ -1064,7 +1129,7 @@ int cms_main(int argc, char **argv)
}
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
secret_keylen, flags, libctx, app_get0_propq());
secret_keylen, flags, libctx, app_get0_propq());
} else if (operation == SMIME_SIGN_RECEIPT) {
CMS_ContentInfo *srcms = NULL;
@@ -1171,8 +1236,8 @@ int cms_main(int argc, char **argv)
if (secret_key != NULL) {
if (!CMS_decrypt_set1_key(cms,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen)) {
secret_key, secret_keylen,
secret_keyid, secret_keyidlen)) {
BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
goto end;
}
@@ -1211,15 +1276,15 @@ int cms_main(int argc, char **argv)
}
} else if (operation == SMIME_ENCRYPTED_DECRYPT) {
if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
indata, out, flags))
indata, out, flags))
goto end;
} else if (operation == SMIME_VERIFY) {
if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
BIO_printf(bio_err, "%s Verification successful\n",
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
} else {
BIO_printf(bio_err, "%s Verification failure\n",
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS");
if (verify_retcode)
ret = verify_err + 32;
goto end;
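Review bot: in the `SMIME_VERIFY` failure branch, `ret` is assigned only under `if (verify_retcode)`; without `-verify_retcode` the exit status after "Verification failure" is whatever `ret` held before this hunk, which is not visible here. A short comment naming that value would help anyone who gates on the exit status of a verify run, and `verify_err + 32` would benefit from a note on why 32 is added.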
@@ -1229,7 +1294,7 @@ int cms_main(int argc, char **argv)
if (!save_certs(signerfile, signers)) {
BIO_printf(bio_err,
"Error writing signers to %s\n", signerfile);
"Error writing signers to %s\n", signerfile);
ret = 5;
goto end;
}
@@ -1286,7 +1351,7 @@ int cms_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret)
ERR_print_errors(bio_err);
OSSL_STACK_OF_X509_free(encerts);
@@ -1362,7 +1427,6 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx)
policies_print(ctx);
return ok;
}
static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
@@ -1406,7 +1470,7 @@ static void receipt_request_print(CMS_ContentInfo *cms)
const char *id;
int idlen;
CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
&rlist, &rto);
&rlist, &rto);
BIO_puts(bio_err, " Signed Content ID:\n");
idlen = ASN1_STRING_length(scid);
id = (const char *)ASN1_STRING_get0_data(scid);
@@ -1456,16 +1520,15 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
return ret;
err:
err:
sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
GENERAL_NAMES_free(gens);
GENERAL_NAME_free(gen);
return NULL;
}
static CMS_ReceiptRequest
*make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from)
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
STACK_OF(OPENSSL_STRING) *rr_from)
{
STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
CMS_ReceiptRequest *rr;
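Review bot: joining the return type and the name puts `static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,` on a single line of roughly 100 columns. Breaking after `rr_to,` so that each parameter sits on its own continuation line would keep the definition readable without the overlong first line.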
@@ -1481,18 +1544,18 @@ static CMS_ReceiptRequest
rct_from = NULL;
}
rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
rct_to, app_get0_libctx());
rct_to, app_get0_libctx());
if (rr == NULL)
goto err;
return rr;
err:
err:
sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
sk_GENERAL_NAMES_pop_free(rct_from, GENERAL_NAMES_free);
return NULL;
}
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param)
STACK_OF(OPENSSL_STRING) *param)
{
char *keyopt;
int i;
+74 -52
View File
@@ -20,58 +20,81 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_DATEOPT, OPT_TEXT, OPT_HASH,
OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM
OPT_INFORM,
OPT_IN,
OPT_OUTFORM,
OPT_OUT,
OPT_KEYFORM,
OPT_KEY,
OPT_ISSUER,
OPT_LASTUPDATE,
OPT_NEXTUPDATE,
OPT_FINGERPRINT,
OPT_CRLNUMBER,
OPT_BADSIG,
OPT_GENDELTA,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_VERIFY,
OPT_DATEOPT,
OPT_TEXT,
OPT_HASH,
OPT_HASH_OLD,
OPT_NOOUT,
OPT_NAMEOPT,
OPT_MD,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "verify", OPT_VERIFY, '-', "Verify CRL signature" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
{"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect" },
{ "key", OPT_KEY, '<', "CRL signing Private key to use" },
{ "keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "output file - default stdout"},
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
{"text", OPT_TEXT, '-', "Print out a text format version"},
{"hash", OPT_HASH, '-', "Print hash value"},
{ "out", OPT_OUT, '>', "output file - default stdout" },
{ "outform", OPT_OUTFORM, 'F', "Output format - default PEM" },
{ "dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822." },
{ "text", OPT_TEXT, '-', "Print out a text format version" },
{ "hash", OPT_HASH, '-', "Print hash value" },
#ifndef OPENSSL_NO_MD5
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
{ "hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value" },
#endif
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"", OPT_MD, '-', "Any supported digest"},
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "", OPT_MD, '-', "Any supported digest" },
OPT_SECTION("CRL"),
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
{"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
{"noout", OPT_NOOUT, '-', "No CRL output"},
{"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
{ "issuer", OPT_ISSUER, '-', "Print issuer DN" },
{ "lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field" },
{ "nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field" },
{ "noout", OPT_NOOUT, '-', "No CRL output" },
{ "fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint" },
{ "crlnumber", OPT_CRLNUMBER, '-', "Print CRL number" },
{ "badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
{ "gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one" },
OPT_SECTION("Certificate"),
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
{"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir" },
{ "CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name" },
{ "CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int crl_main(int argc, char **argv)
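Review bot: the help strings for `lastupdate` and `nextupdate` read "Set lastUpdate field" and "Set nextUpdate field", but both entries use the `'-'` value type, the same one as `issuer`, `hash` and `noout`, so they take no argument and have nothing to set. Since every line of the table is rewritten here, the text should say "Print", in line with `"issuer"` and `"crlnumber"`.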
@@ -104,7 +127,7 @@ int crl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -148,13 +171,13 @@ int crl_main(int argc, char **argv)
do_ver = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
noCAfile = 1;
break;
case OPT_NOCASTORE:
noCAstore = 1;
noCAstore = 1;
break;
case OPT_HASH_OLD:
#ifndef OPENSSL_NO_MD5
@@ -221,7 +244,8 @@ int crl_main(int argc, char **argv)
if (do_ver) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
@@ -233,7 +257,7 @@ int crl_main(int argc, char **argv)
}
xobj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509,
X509_CRL_get_issuer(x));
X509_CRL_get_issuer(x));
if (xobj == NULL) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
@@ -250,7 +274,7 @@ int crl_main(int argc, char **argv)
goto end;
if (i == 0) {
BIO_printf(bio_err, "verify failure\n");
goto end;
goto end;
} else
BIO_printf(bio_err, "verify OK\n");
}
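Review bot: after the re-indented `goto end;`, the `if (i == 0) { ... } else` still pairs a braced first branch with an unbraced `else` body. The `else` is redundant after an unconditional `goto`, so `BIO_printf(bio_err, "verify OK\n");` can move to the outer level; if the `else` stays, it should take braces to match the first branch.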
@@ -309,9 +333,8 @@ int crl_main(int argc, char **argv)
}
if (hash == i) {
int ok;
unsigned long hash_value =
X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
app_get0_propq(), &ok);
unsigned long hash_value = X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
app_get0_propq(), &ok);
if (num > 1)
BIO_printf(bio_out, "issuer name hash=");
@@ -327,7 +350,7 @@ int crl_main(int argc, char **argv)
if (num > 1)
BIO_printf(bio_out, "issuer name old hash=");
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
@@ -353,10 +376,9 @@ int crl_main(int argc, char **argv)
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
EVP_MD_get0_name(digest));
EVP_MD_get0_name(digest));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':');
}
}
}
@@ -383,7 +405,7 @@ int crl_main(int argc, char **argv)
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
+20 -16
View File
@@ -23,27 +23,32 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_NOCRL,
OPT_CERTFILE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl2pkcs7_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
{"certfile", OPT_CERTFILE, '<',
"File of chain of certs to a trusted CA; can be repeated"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
{ "nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'" },
{ "certfile", OPT_CERTFILE, '<',
"File of chain of certs to a trusted CA; can be repeated" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int crl2pkcs7_main(int argc, char **argv)
@@ -56,8 +61,7 @@ int crl2pkcs7_main(int argc, char **argv)
STACK_OF(X509_CRL) *crl_stack = NULL;
X509_CRL *crl = NULL;
char *infile = NULL, *outfile = NULL, *prog, *certfile;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
0;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = 0;
OPTION_CHOICE o;
prog = opt_init(argc, argv, crl2pkcs7_options);
@@ -65,7 +69,7 @@ int crl2pkcs7_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -141,7 +145,7 @@ int crl2pkcs7_main(int argc, char **argv)
if (!sk_X509_CRL_push(crl_stack, crl))
goto end;
crl = NULL; /* now part of p7 for OPENSSL_freeing */
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if (certflst != NULL) {
@@ -173,7 +177,7 @@ int crl2pkcs7_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
sk_OPENSSL_STRING_free(certflst);
BIO_free(in);
BIO_free_all(out);
@@ -229,7 +233,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
}
ret = count;
end:
end:
/* never need to OPENSSL_free x */
BIO_free(in);
sk_X509_INFO_free(sk);
+90 -73
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,15 +22,15 @@
#include <ctype.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
#define BUFSIZE 1024 * 8
static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *file);
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *file);
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
static void show_digests(const OBJ_NAME *name, void *bio_);
struct doall_dgst_digests {
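Review bot: The `BUFSIZE` definition at the top of this hunk is still an unparenthesized expression after the reformat (`#define BUFSIZE 1024 * 8`), so a use next to an operator of equal or higher precedence, such as `n / BUFSIZE` or `n % BUFSIZE`, would not expand to what the name suggests. The uses visible in this diff (`size_t len = BUFSIZE;` and `OPENSSL_clear_free(buf, BUFSIZE);`) are safe, but since the line is being touched anyway, `#define BUFSIZE (1024 * 8)` would remove the hazard.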
@@ -41,57 +41,74 @@ struct doall_dgst_digests {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_LIST,
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_XOFLEN,
OPT_C,
OPT_R,
OPT_OUT,
OPT_SIGN,
OPT_PASSIN,
OPT_VERIFY,
OPT_PRVERIFY,
OPT_SIGNATURE,
OPT_KEYFORM,
OPT_ENGINE,
OPT_ENGINE_IMPL,
OPT_HEX,
OPT_BINARY,
OPT_DEBUG,
OPT_FIPS_FINGERPRINT,
OPT_HMAC,
OPT_MAC,
OPT_SIGOPT,
OPT_MACOPT,
OPT_XOFLEN,
OPT_DIGEST,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dgst_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List digests"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list", OPT_LIST, '-', "List digests" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{"engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for digest operations"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
{ "engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for digest operations" },
#endif
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"hex", OPT_HEX, '-', "Print as hex dump"},
{"binary", OPT_BINARY, '-', "Print in binary form"},
{"xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256"},
{"d", OPT_DEBUG, '-', "Print debug info"},
{"debug", OPT_DEBUG, '-', "Print debug info"},
{ "c", OPT_C, '-', "Print the digest with separating colons" },
{ "r", OPT_R, '-', "Print the digest in coreutils format" },
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)" },
{ "hex", OPT_HEX, '-', "Print as hex dump" },
{ "binary", OPT_BINARY, '-', "Print in binary form" },
{ "xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256" },
{ "d", OPT_DEBUG, '-', "Print debug info" },
{ "debug", OPT_DEBUG, '-', "Print debug info" },
OPT_SECTION("Signing"),
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
{"verify", OPT_VERIFY, 's', "Verify a signature using public key"},
{"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
{"", OPT_DIGEST, '-', "Any supported digest"},
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
{ "sign", OPT_SIGN, 's', "Sign digest using private key" },
{ "verify", OPT_VERIFY, 's', "Verify a signature using public key" },
{ "prverify", OPT_PRVERIFY, 's', "Verify a signature using private key" },
{ "sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form" },
{ "signature", OPT_SIGNATURE, '<', "File with signature to verify" },
{ "hmac", OPT_HMAC, 's', "Create hashed MAC with key" },
{ "mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key" },
{ "", OPT_DIGEST, '-', "Any supported digest" },
{ "fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"file", 0, 0, "Files to digest (optional; default is stdin)"},
{NULL}
{ "file", 0, 0, "Files to digest (optional; default is stdin)" },
{ NULL }
};
int dgst_main(int argc, char **argv)
@@ -128,7 +145,7 @@ int dgst_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -140,7 +157,7 @@ int dgst_main(int argc, char **argv)
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
show_digests, &dec);
show_digests, &dec);
BIO_printf(bio_out, "\n");
ret = EXIT_SUCCESS;
goto end;
@@ -244,7 +261,7 @@ int dgst_main(int argc, char **argv)
if (do_verify && sigfile == NULL) {
BIO_printf(bio_err,
"No signature to verify: use the -signature option\n");
"No signature to verify: use the -signature option\n");
goto end;
}
if (engine_impl)
@@ -297,8 +314,9 @@ int dgst_main(int argc, char **argv)
char def_md[80];
if (EVP_PKEY_get_default_digest_name(sigkey, def_md,
sizeof(def_md)) == 2
&& strcmp(def_md, "UNDEF") == 0)
sizeof(def_md))
== 2
&& strcmp(def_md, "UNDEF") == 0)
oneshot_sign = 1;
signctx = EVP_MD_CTX_new();
if (signctx == NULL)
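Review bot: In the `EVP_PKEY_get_default_digest_name()` test, the reformat leaves a bare `== 2` alone on its own line, which makes the magic number easy to miss. A short comment stating that a return value of 2 means the digest is mandatory for the key would make it clear why that value together with `"UNDEF"` selects `oneshot_sign = 1`.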
@@ -336,8 +354,8 @@ int dgst_main(int argc, char **argv)
digestname = SN_sha256;
}
sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
(unsigned char *)hmac_key,
strlen(hmac_key));
(unsigned char *)hmac_key,
strlen(hmac_key));
if (sigkey == NULL)
goto end;
}
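Review bot: `strlen(hmac_key)` in the `EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, ...)` call sizes the key as a C string, so a key containing a zero byte is cut off at that byte without any diagnostic. The `-hmac` help text ("Create hashed MAC with key") does not say the key is text only; it would help to document that there and point users with binary keys to `-mac` with `-macopt hexkey:...`.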
@@ -356,17 +374,16 @@ int dgst_main(int argc, char **argv)
if (do_verify)
if (impl == NULL)
res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
res = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
else if (impl == NULL)
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
if (impl == NULL)
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
app_get0_libctx(),
app_get0_propq(), sigkey, NULL);
else
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
if (res == 0) {
BIO_printf(bio_err, "Error setting context\n");
goto end;
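Review bot: The `if (do_verify)` chain is four branches deep with no braces, and after the reformat the second half reads `else if (impl == NULL)`, which looks like a sibling of the inner `if (impl == NULL)` although it is the `else` of `if (do_verify)`. The behaviour is unchanged, but correctness now depends entirely on how each `else` binds. Bracing the outer `if (do_verify) { ... } else { ... }` would make the verify and sign paths unambiguous and protect against a later edit that drops one inner `else`.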
@@ -377,7 +394,7 @@ int dgst_main(int argc, char **argv)
if (pkey_ctrl_string(pctx, sigopt) <= 0) {
BIO_printf(bio_err, "Signature parameter error \"%s\"\n",
sigopt);
sigopt);
goto end;
}
}
@@ -451,10 +468,10 @@ int dgst_main(int argc, char **argv)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
if (oneshot_sign)
ret = do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
sigkey, sigbuf, siglen, NULL, "stdin");
sigkey, sigbuf, siglen, NULL, "stdin");
else
ret = do_fp(out, buf, inp, separator, out_bin, xoflen,
sigkey, sigbuf, siglen, NULL, md_name, "stdin");
sigkey, sigbuf, siglen, NULL, md_name, "stdin");
} else {
const char *sig_name = NULL;
@@ -471,19 +488,19 @@ int dgst_main(int argc, char **argv)
} else {
if (oneshot_sign) {
if (do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
sigkey, sigbuf, siglen, sig_name,
argv[i]))
sigkey, sigbuf, siglen, sig_name,
argv[i]))
ret = EXIT_FAILURE;
} else {
if (do_fp(out, buf, inp, separator, out_bin, xoflen,
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
ret = EXIT_FAILURE;
}
}
(void)BIO_reset(bmd);
}
}
end:
end:
if (ret != EXIT_SUCCESS)
ERR_print_errors(bio_err);
OPENSSL_clear_free(buf, BUFSIZE);
@@ -566,12 +583,12 @@ static const char *newline_escape_filename(const char *file, int *backslash)
e++;
}
file_cpy[i] = '\0';
return (const char*)file_cpy;
return (const char *)file_cpy;
}
static void print_out(BIO *out, unsigned char *buf, size_t len,
int sep, int binout,
const char *sig_name, const char *md_name, const char *file)
int sep, int binout,
const char *sig_name, const char *md_name, const char *file)
{
int i, backslash = 0;
@@ -619,9 +636,9 @@ static void print_verify_result(BIO *out, int i)
}
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
{
size_t len = BUFSIZE;
int i, ret = EXIT_FAILURE;
@@ -685,7 +702,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
}
print_out(out, buf, len, sep, binout, sig_name, md_name, file);
ret = EXIT_SUCCESS;
end:
end:
if (allocated_buf != NULL)
OPENSSL_clear_free(allocated_buf, len);
@@ -699,8 +716,8 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
* then used inside EVP_DigestVerify() and EVP_DigestSign().
*/
static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *file)
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *file)
{
int res, ret = EXIT_FAILURE;
size_t len = 0;
@@ -736,7 +753,7 @@ static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int b
goto end;
}
end:
end:
OPENSSL_free(sig);
OPENSSL_clear_free(buf, buflen);
+86 -73
@@ -36,47 +36,59 @@ static int verbose = 1;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
OPT_DSAPARAM, OPT_2, OPT_3, OPT_5, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
OPT_CHECK,
OPT_TEXT,
OPT_NOOUT,
OPT_DSAPARAM,
OPT_2,
OPT_3,
OPT_5,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dhparam_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"check", OPT_CHECK, '-', "Check the DH parameters"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "check", OPT_CHECK, '-', "Check the DH parameters" },
#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
{ "dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH" },
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format, DER or PEM" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"3", OPT_3, '-', "Generate parameters using 3 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format, DER or PEM" },
{ "text", OPT_TEXT, '-', "Print a text form of the DH parameters" },
{ "noout", OPT_NOOUT, '-', "Don't output any DH parameters" },
{ "2", OPT_2, '-', "Generate parameters using 2 as the generator value" },
{ "3", OPT_3, '-', "Generate parameters using 3 as the generator value" },
{ "5", OPT_5, '-', "Generate parameters using 5 as the generator value" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
{NULL}
{ "numbits", 0, 0, "Number of bits if generating parameters (optional)" },
{ NULL }
};
int dhparam_main(int argc, char **argv)
@@ -96,7 +108,7 @@ int dhparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -175,7 +187,7 @@ int dhparam_main(int argc, char **argv)
if (dsaparam && g) {
BIO_printf(bio_err,
"Error, generator may not be chosen for DSA parameters\n");
"Error, generator may not be chosen for DSA parameters\n");
goto end;
}
@@ -193,22 +205,22 @@ int dhparam_main(int argc, char **argv)
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), alg, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, %s param generation context allocation failed\n",
alg);
"Error, %s param generation context allocation failed\n",
alg);
goto end;
}
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
if (verbose) {
EVP_PKEY_CTX_set_cb(ctx, progress_cb);
BIO_printf(bio_err,
"Generating %s parameters, %d bit long %sprime\n",
alg, num, dsaparam ? "" : "safe ");
"Generating %s parameters, %d bit long %sprime\n",
alg, num, dsaparam ? "" : "safe ");
}
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, unable to initialise %s parameters\n",
alg);
"Error, unable to initialise %s parameters\n",
alg);
goto end;
}
@@ -258,32 +270,34 @@ int dhparam_main(int argc, char **argv)
*/
done = 1;
/*
* We set NULL for the keytype to allow any key type. We don't know
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
* We check that we got one of those key types afterwards.
*/
* We set NULL for the keytype to allow any key type. We don't know
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
* We check that we got one of those key types afterwards.
*/
decoderctx
= OSSL_DECODER_CTX_new_for_pkey(&tmppkey,
(informat == FORMAT_ASN1)
? "DER" : "PEM",
NULL,
(informat == FORMAT_ASN1)
? keytype : NULL,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
NULL, NULL);
(informat == FORMAT_ASN1)
? "DER"
: "PEM",
NULL,
(informat == FORMAT_ASN1)
? keytype
: NULL,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
NULL, NULL);
if (decoderctx != NULL
&& !OSSL_DECODER_from_bio(decoderctx, in)
&& informat == FORMAT_ASN1
&& strcmp(keytype, "DH") == 0) {
&& !OSSL_DECODER_from_bio(decoderctx, in)
&& informat == FORMAT_ASN1
&& strcmp(keytype, "DH") == 0) {
/*
* When reading DER we explicitly state the expected keytype
* because, unlike PEM, there is no header to declare what
* the contents of the DER file are. The decoders just try
* and guess. Unfortunately with DHX key types they may guess
* wrong and think we have a DSA keytype. Therefore, we try
* both DH and DHX sequentially.
*/
* When reading DER we explicitly state the expected keytype
* because, unlike PEM, there is no header to declare what
* the contents of the DER file are. The decoders just try
* and guess. Unfortunately with DHX key types they may guess
* wrong and think we have a DSA keytype. Therefore, we try
* both DH and DHX sequentially.
*/
keytype = "DHX";
/*
* BIO_reset() returns 0 for success for file BIOs only!!!
@@ -309,7 +323,7 @@ int dhparam_main(int argc, char **argv)
goto end;
} else {
if (!EVP_PKEY_is_a(tmppkey, "DH")
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
BIO_printf(bio_err, "Error, unable to load DH parameters\n");
goto end;
}
@@ -339,12 +353,12 @@ int dhparam_main(int argc, char **argv)
}
if (!noout) {
OSSL_ENCODER_CTX *ectx =
OSSL_ENCODER_CTX_new_for_pkey(pkey,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1
? "DER" : "PEM",
NULL, NULL);
OSSL_ENCODER_CTX *ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey,
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1
? "DER"
: "PEM",
NULL, NULL);
if (ectx == NULL || !OSSL_ENCODER_to_bio(ectx, out)) {
OSSL_ENCODER_CTX_free(ectx);
@@ -354,7 +368,7 @@ int dhparam_main(int argc, char **argv)
OSSL_ENCODER_CTX_free(ectx);
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free(in);
@@ -380,33 +394,33 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
EVP_PKEY *pkey = NULL;
if (!EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_P, &bn_p)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
bn_p)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
bn_q)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
bn_g)
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
bn_p)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
bn_q)
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
bn_g)
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DHX", app_get0_propq());
if (ctx == NULL
|| EVP_PKEY_fromdata_init(ctx) <= 0
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
|| EVP_PKEY_fromdata_init(ctx) <= 0
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
goto err;
}
err:
err:
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
OSSL_PARAM_BLD_free(tmpl);
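Review bot: All three failure paths in `dsa_to_dh()` print the same text, "Error, failed to set DH parameters", including the first one, where the failing calls are `EVP_PKEY_get_bn_param()` reads of P, Q and G from the input key. From the output alone a user cannot tell whether the input parameters were unreadable, the `OSSL_PARAM_BLD` build failed, or `EVP_PKEY_fromdata()` rejected them. Distinct messages per step (for example "failed to get DSA parameters" for the first) would make failures diagnosable. The parameter name `dh` for what is the DSA input is also misleading.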
@@ -415,4 +429,3 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
BN_free(bn_g);
return pkey;
}
+45 -33
@@ -27,51 +27,63 @@
#include <openssl/core_dispatch.h>
#ifndef OPENSSL_NO_RC4
# define DEFAULT_PVK_ENCR_STRENGTH 2
#define DEFAULT_PVK_ENCR_STRENGTH 2
#else
# define DEFAULT_PVK_ENCR_STRENGTH 0
#define DEFAULT_PVK_ENCR_STRENGTH 0
#endif
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE,
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT,
OPT_PVK_NONE,
OPT_PVK_WEAK,
OPT_PVK_STRONG,
OPT_NOOUT,
OPT_TEXT,
OPT_MODULUS,
OPT_PUBIN,
OPT_PUBOUT,
OPT_CIPHER,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsa_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
{ "pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)" },
{ "pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level" },
{ "pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding" },
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, 's', "Input key" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key in text" },
{ "modulus", OPT_MODULUS, '-', "Print the DSA public value" },
{ "pubout", OPT_PUBOUT, '-', "Output public key, not private" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int dsa_main(int argc, char **argv)
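Review bot: With the enum now one enumerator per line, the comment "Do not change the order here; see case statements below" no longer shows where its scope ends: it sits above `OPT_PVK_NONE` but reads as if it applied to everything that follows. The constraint comes from `pvk_encr = (o - OPT_PVK_NONE);` later in this file, which needs `OPT_PVK_NONE`, `OPT_PVK_WEAK` and `OPT_PVK_STRONG` to stay consecutive in exactly that order. Naming those three enumerators in the comment, or adding a blank line after `OPT_PVK_STRONG`, would keep a future insertion from silently changing the computed strength.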
@@ -98,7 +110,7 @@ int dsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
ret = 0;
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
@@ -129,9 +141,9 @@ int dsa_main(int argc, char **argv)
case OPT_PASSOUT:
passoutarg = opt_arg();
break;
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
#ifndef OPENSSL_NO_RC4
pvk_encr = (o - OPT_PVK_NONE);
#endif
@@ -252,12 +264,12 @@ int dsa_main(int argc, char **argv)
} else {
assert(private);
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
}
/* Perform the encoding */
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, output_type,
output_structure, NULL);
output_structure, NULL);
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
BIO_printf(bio_err, "%s format not supported\n", output_type);
goto end;
@@ -273,8 +285,8 @@ int dsa_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
/* PVK requires a bit more */
@@ -293,7 +305,7 @@ int dsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
OSSL_ENCODER_CTX_free(ectx);
+40 -31
@@ -26,40 +26,49 @@ static int verbose = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_NOOUT,
OPT_GENKEY,
OPT_ENGINE,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsaparam_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits] [numqbits]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits] [numqbits]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"text", OPT_TEXT, '-', "Print as text"},
{"noout", OPT_NOOUT, '-', "No output"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "text", OPT_TEXT, '-', "Print as text" },
{ "noout", OPT_NOOUT, '-', "No output" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "genkey", OPT_GENKEY, '-', "Generate a DSA key" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters or key (optional)"},
{"numqbits", 0, 0, "Number of bits in the subprime parameter q if generating parameters or key (optional)"},
{NULL}
{ "numbits", 0, 0, "Number of bits if generating parameters or key (optional)" },
{ "numqbits", 0, 0, "Number of bits in the subprime parameter q if generating parameters or key (optional)" },
{ NULL }
};
int dsaparam_main(int argc, char **argv)
@@ -79,7 +88,7 @@ int dsaparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -153,37 +162,37 @@ int dsaparam_main(int argc, char **argv)
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA parameter generation context allocation failed\n");
"Error, DSA parameter generation context allocation failed\n");
goto end;
}
if (numbits > 0) {
if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
if (verbose) {
EVP_PKEY_CTX_set_cb(ctx, progress_cb);
BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
num);
num);
BIO_printf(bio_err, "This could take some time\n");
}
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation paramgen init failed\n");
"Error, DSA key generation paramgen init failed\n");
goto end;
}
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation setting bit length failed\n");
"Error, DSA key generation setting bit length failed\n");
goto end;
}
if (numqbits > 0) {
if (EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, numqbits) <= 0) {
BIO_printf(bio_err,
"Error, DSA key generation setting subprime bit length failed\n");
"Error, DSA key generation setting subprime bit length failed\n");
goto end;
}
}
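Review bot: Inside `if (numbits > 0)`, the size check and warning use `numbits`, while the progress message and `EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num)` use `num`. If the two always hold the same value, using one name throughout the block would make it obvious that the size being warned about is the size being generated; if they can differ, the warning is checking the wrong variable. The warning text itself ("Larger key size may behave not as expected") could also be reworded while these lines are touched.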
@@ -220,15 +229,15 @@ int dsaparam_main(int argc, char **argv)
if (genkey) {
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
app_get0_propq());
app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA key generation context allocation failed\n");
"Error, DSA key generation context allocation failed\n");
goto end;
}
if (EVP_PKEY_keygen_init(ctx) <= 0) {
BIO_printf(bio_err,
"Error, unable to initialise for key generation\n");
"Error, unable to initialise for key generation\n");
goto end;
}
pkey = app_keygen(ctx, "DSA", numbits, verbose);
@@ -241,7 +250,7 @@ int dsaparam_main(int argc, char **argv)
i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
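Review bot: The result of `PEM_write_bio_PrivateKey()` is stored in `i`, and the very next statement after the closing brace is `ret = 0;`, so in the lines shown a failed write of the generated private key still ends with a success exit status. A check such as `if (i <= 0) goto end;`, with an error message, before `ret = 0;` would let callers and scripts detect a truncated or missing key file.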
+46 -32
@@ -23,42 +23,56 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_NOOUT,
OPT_TEXT,
OPT_PARAM_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PARAM_ENC,
OPT_CONV_FORM,
OPT_CIPHER,
OPT_NO_PUBLIC,
OPT_CHECK,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ec_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"check", OPT_CHECK, '-', "check key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{"param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{ "in", OPT_IN, 's', "Input file" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "check", OPT_CHECK, '-', "check key consistency" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
{ "param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded" },
{ "conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form " },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key"},
{"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key" },
{ "param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters" },
{ "pubout", OPT_PUBOUT, '-', "Output public key, not private" },
{ "no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int ec_main(int argc, char **argv)
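Review bot: In the ec_options table the conv_form help string still ends in a stray space ("Specifies the point conversion form ") and the check entry's help text ("check key consistency") is lowercase where its neighbours are capitalised. Every row is already being rewritten for brace spacing, so both could be tidied in the same pass, which would keep the -help output consistent.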
@@ -86,7 +100,7 @@ int ec_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -188,15 +202,15 @@ int ec_main(int argc, char **argv)
if (point_format
&& !EVP_PKEY_set_utf8_string_param(
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
BIO_printf(bio_err, "unable to set point conversion format\n");
goto end;
}
if (asn1_encoding != NULL
&& !EVP_PKEY_set_utf8_string_param(
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
goto end;
}
@@ -253,8 +267,8 @@ int ec_main(int argc, char **argv)
}
ectx = OSSL_ENCODER_CTX_new_for_pkey(eckey, selection,
output_type, output_structure,
NULL);
output_type, output_structure,
NULL);
if (enc != NULL) {
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
/* Default passphrase prompter */
@@ -262,8 +276,8 @@ int ec_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
if (!OSSL_ENCODER_to_bio(ectx, out)) {
BIO_printf(bio_err, "unable to write EC key\n");
+65 -52
View File
@@ -23,46 +23,59 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_CHECK,
OPT_LIST_CURVES,
OPT_NO_SEED,
OPT_NOOUT,
OPT_NAME,
OPT_CONV_FORM,
OPT_PARAM_ENC,
OPT_GENKEY,
OPT_ENGINE,
OPT_CHECK_NAMED,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ecparam_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list_curves", OPT_LIST_CURVES, '-',
"Prints a list of all curve 'short names'"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list_curves", OPT_LIST_CURVES, '-',
"Prints a list of all curve 'short names'" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
{ "genkey", OPT_GENKEY, '-', "Generate ec key" },
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)" },
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "outform", OPT_OUTFORM, 'F', "Output format - default PEM" },
OPT_SECTION("Output"),
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
{"param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded"},
{ "text", OPT_TEXT, '-', "Print the ec parameters in text form" },
{ "noout", OPT_NOOUT, '-', "Do not print the ec parameter" },
{ "param_enc", OPT_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded" },
OPT_SECTION("Parameter"),
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
{"check_named", OPT_CHECK_NAMED, '-',
"Check that named EC curve parameters have not been modified"},
{"no_seed", OPT_NO_SEED, '-',
"If 'explicit' parameters are chosen do not use the seed"},
{"name", OPT_NAME, 's',
"Use the ec parameters with specified 'short name'"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{ "check", OPT_CHECK, '-', "Validate the ec parameters" },
{ "check_named", OPT_CHECK_NAMED, '-',
"Check that named EC curve parameters have not been modified" },
{ "no_seed", OPT_NO_SEED, '-',
"If 'explicit' parameters are chosen do not use the seed" },
{ "name", OPT_NAME, 's',
"Use the ec parameters with specified 'short name'" },
{ "conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form " },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
static int list_builtin_curves(BIO *out)
@@ -112,7 +125,7 @@ int ecparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -206,30 +219,30 @@ int ecparam_main(int argc, char **argv)
if (strcmp(curve_name, "secp192r1") == 0) {
BIO_printf(bio_err,
"using curve name prime192v1 instead of secp192r1\n");
"using curve name prime192v1 instead of secp192r1\n");
curve_name = SN_X9_62_prime192v1;
} else if (strcmp(curve_name, "secp256r1") == 0) {
BIO_printf(bio_err,
"using curve name prime256v1 instead of secp256r1\n");
"using curve name prime256v1 instead of secp256r1\n");
curve_name = SN_X9_62_prime256v1;
}
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
curve_name, 0);
curve_name, 0);
if (asn1_encoding != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
asn1_encoding, 0);
asn1_encoding, 0);
if (point_format != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
*p = OSSL_PARAM_construct_end();
if (OPENSSL_strcasecmp(curve_name, "SM2") == 0)
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "sm2",
app_get0_propq());
app_get0_propq());
else
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "ec",
app_get0_propq());
app_get0_propq());
if (gctx_params == NULL
|| EVP_PKEY_keygen_init(gctx_params) <= 0
|| EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
@@ -239,10 +252,10 @@ int ecparam_main(int argc, char **argv)
}
} else {
params_key = load_keyparams_suppress(infile, informat, 1, "EC",
"EC parameters", 1);
"EC parameters", 1);
if (params_key == NULL)
params_key = load_keyparams_suppress(infile, informat, 1, "SM2",
"SM2 parameters", 1);
"SM2 parameters", 1);
if (params_key == NULL) {
BIO_printf(bio_err, "Unable to load parameters from %s\n", infile);
@@ -251,15 +264,15 @@ int ecparam_main(int argc, char **argv)
if (point_format
&& !EVP_PKEY_set_utf8_string_param(
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format)) {
BIO_printf(bio_err, "unable to set point conversion format\n");
goto end;
}
if (asn1_encoding != NULL
&& !EVP_PKEY_set_utf8_string_param(
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
goto end;
}
@@ -267,7 +280,7 @@ int ecparam_main(int argc, char **argv)
if (no_seed
&& !EVP_PKEY_set_octet_string_param(params_key, OSSL_PKEY_PARAM_EC_SEED,
NULL, 0)) {
NULL, 0)) {
BIO_printf(bio_err, "unable to clear seed\n");
goto end;
}
@@ -287,13 +300,13 @@ int ecparam_main(int argc, char **argv)
if (check_named
&& !EVP_PKEY_set_utf8_string_param(params_key,
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
BIO_printf(bio_err, "unable to set check_type\n");
goto end;
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
BIO_printf(bio_err, "unable to set check_type\n");
goto end;
}
pctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
app_get0_propq());
app_get0_propq());
if (pctx == NULL || EVP_PKEY_param_check(pctx) <= 0) {
BIO_printf(bio_err, "failed\n");
goto end;
@@ -306,8 +319,8 @@ int ecparam_main(int argc, char **argv)
if (!noout) {
ectx_params = OSSL_ENCODER_CTX_new_for_pkey(
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
if (!OSSL_ENCODER_to_bio(ectx_params, out)) {
BIO_printf(bio_err, "unable to write elliptic curve parameters\n");
goto end;
@@ -324,7 +337,7 @@ int ecparam_main(int argc, char **argv)
* EVP_PKEY_keygen(gctx, &key) <= 0)
*/
gctx_key = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
app_get0_propq());
app_get0_propq());
if (EVP_PKEY_keygen_init(gctx_key) <= 0
|| EVP_PKEY_keygen(gctx_key, &key) <= 0) {
BIO_printf(bio_err, "unable to generate key\n");
@@ -332,11 +345,11 @@ int ecparam_main(int argc, char **argv)
}
assert(private);
ectx_key = OSSL_ENCODER_CTX_new_for_pkey(
key, OSSL_KEYMGMT_SELECT_ALL,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
key, OSSL_KEYMGMT_SELECT_ALL,
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
if (!OSSL_ENCODER_to_bio(ectx_key, out)) {
BIO_printf(bio_err, "unable to write elliptic "
"curve parameters\n");
"curve parameters\n");
goto end;
}
}
+120 -94
View File
@@ -21,16 +21,16 @@
#include <openssl/rand.h>
#include <openssl/pem.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
#include <openssl/comp.h>
#endif
#include <ctype.h>
#undef SIZE
#undef BSIZE
#define SIZE (512)
#define BSIZE (8*1024)
#define SIZE (512)
#define BSIZE (8 * 1024)
#define PBKDF2_ITER_DEFAULT 10000
#define PBKDF2_ITER_DEFAULT 10000
#define STR(a) XSTR(a)
#define XSTR(a) #a
@@ -45,74 +45,100 @@ struct doall_enc_ciphers {
typedef enum OPTION_choice {
OPT_COMMON,
OPT_LIST,
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM,
OPT_SKEYOPT, OPT_SKEYMGMT
OPT_E,
OPT_IN,
OPT_OUT,
OPT_PASS,
OPT_ENGINE,
OPT_D,
OPT_P,
OPT_V,
OPT_NOPAD,
OPT_SALT,
OPT_NOSALT,
OPT_DEBUG,
OPT_UPPER_P,
OPT_UPPER_A,
OPT_A,
OPT_Z,
OPT_BUFSIZE,
OPT_K,
OPT_KFILE,
OPT_UPPER_K,
OPT_NONE,
OPT_UPPER_S,
OPT_IV,
OPT_MD,
OPT_ITER,
OPT_PBKDF2,
OPT_CIPHER,
OPT_SALTLEN,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_SKEYOPT,
OPT_SKEYMGMT
} OPTION_CHOICE;
const OPTIONS enc_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List ciphers"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "list", OPT_LIST, '-', "List ciphers" },
#ifndef OPENSSL_NO_DEPRECATED_3_0
{"ciphers", OPT_LIST, '-', "Alias for -list"},
{ "ciphers", OPT_LIST, '-', "Alias for -list" },
#endif
{"e", OPT_E, '-', "Encrypt"},
{"d", OPT_D, '-', "Decrypt"},
{"p", OPT_P, '-', "Print the iv/key"},
{"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
{ "e", OPT_E, '-', "Encrypt" },
{ "d", OPT_D, '-', "Decrypt" },
{ "p", OPT_P, '-', "Print the iv/key" },
{ "P", OPT_UPPER_P, '-', "Print the iv/key and exit" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"k", OPT_K, 's', "Passphrase"},
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
{ "in", OPT_IN, '<', "Input file" },
{ "k", OPT_K, 's', "Passphrase" },
{ "kfile", OPT_KFILE, '<', "Read passphrase from file" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"pass", OPT_PASS, 's', "Passphrase source"},
{"v", OPT_V, '-', "Verbose output"},
{"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
{"base64", OPT_A, '-', "Same as option -a"},
{"A", OPT_UPPER_A, '-',
"Used with -[base64|a] to specify base64 buffer as a single line"},
{ "out", OPT_OUT, '>', "Output file" },
{ "pass", OPT_PASS, 's', "Passphrase source" },
{ "v", OPT_V, '-', "Verbose output" },
{ "a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag" },
{ "base64", OPT_A, '-', "Same as option -a" },
{ "A", OPT_UPPER_A, '-',
"Used with -[base64|a] to specify base64 buffer as a single line" },
OPT_SECTION("Encryption"),
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
{"debug", OPT_DEBUG, '-', "Print debug info"},
{ "nopad", OPT_NOPAD, '-', "Disable standard block padding" },
{ "salt", OPT_SALT, '-', "Use salt in the KDF (default)" },
{ "nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF" },
{ "debug", OPT_DEBUG, '-', "Print debug info" },
{"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
{"K", OPT_UPPER_K, 's', "Raw key, in hex"},
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
{"iv", OPT_IV, 's', "IV in hex"},
{"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"},
{"iter", OPT_ITER, 'p',
"Specify the iteration count and force the use of PBKDF2"},
{OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)},
{"pbkdf2", OPT_PBKDF2, '-',
"Use password-based key derivation function 2 (PBKDF2)"},
{OPT_MORE_STR, 0, 0,
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)},
{"none", OPT_NONE, '-', "Don't encrypt"},
{"saltlen", OPT_SALTLEN, 'p', "Specify the PBKDF2 salt length (in bytes)"},
{OPT_MORE_STR, 0, 0, "Default: 16"},
{ "bufsize", OPT_BUFSIZE, 's', "Buffer size" },
{ "K", OPT_UPPER_K, 's', "Raw key, in hex" },
{ "S", OPT_UPPER_S, 's', "Salt, in hex" },
{ "iv", OPT_IV, 's', "IV in hex" },
{ "md", OPT_MD, 's', "Use specified digest to create a key from the passphrase" },
{ "iter", OPT_ITER, 'p',
"Specify the iteration count and force the use of PBKDF2" },
{ OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT) },
{ "pbkdf2", OPT_PBKDF2, '-',
"Use password-based key derivation function 2 (PBKDF2)" },
{ OPT_MORE_STR, 0, 0,
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT) },
{ "none", OPT_NONE, '-', "Don't encrypt" },
{ "saltlen", OPT_SALTLEN, 'p', "Specify the PBKDF2 salt length (in bytes)" },
{ OPT_MORE_STR, 0, 0, "Default: 16" },
#ifndef OPENSSL_NO_ZLIB
{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
{ "z", OPT_Z, '-', "Compress or decompress encrypted data using zlib" },
#endif
{"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque symmetric key handling"},
{"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque symmetric key handling"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque symmetric key handling" },
{ "skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque symmetric key handling" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int enc_main(int argc, char **argv)
@@ -120,8 +146,7 @@ int enc_main(int argc, char **argv)
static char buf[128];
static const char magic[] = "Salted__";
ENGINE *e = NULL;
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
NULL, *wbio = NULL;
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = NULL, *wbio = NULL;
EVP_CIPHER_CTX *ctx = NULL;
EVP_CIPHER *cipher = NULL;
EVP_MD *dgst = NULL;
@@ -183,7 +208,7 @@ int enc_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -195,7 +220,7 @@ int enc_main(int argc, char **argv)
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
show_ciphers, &dec);
show_ciphers, &dec);
BIO_printf(bio_out, "\n");
ret = 0;
goto end;
@@ -256,7 +281,7 @@ int enc_main(int argc, char **argv)
if (k)
p[i] = '\0';
if (!opt_long(opt_arg(), &n)
|| n < 0 || (k && n >= LONG_MAX / 1024))
|| n < 0 || (k && n >= LONG_MAX / 1024))
goto opthelp;
if (k)
n *= 1024;
@@ -276,7 +301,7 @@ int enc_main(int argc, char **argv)
in = NULL;
if (i <= 0) {
BIO_printf(bio_err,
"%s Can't read key from %s\n", prog, opt_arg());
"%s Can't read key from %s\n", prog, opt_arg());
goto opthelp;
}
while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n'))
@@ -314,16 +339,14 @@ int enc_main(int argc, char **argv)
break;
case OPT_PBKDF2:
pbkdf2 = 1;
if (iter == 0) /* do not overwrite a chosen value */
if (iter == 0) /* do not overwrite a chosen value */
iter = PBKDF2_ITER_DEFAULT;
break;
case OPT_NONE:
cipher = NULL;
break;
case OPT_SKEYOPT:
if ((skeyopts == NULL &&
(skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
if ((skeyopts == NULL && (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
BIO_printf(bio_err, "%s: out of memory\n", prog);
goto end;
}
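Review bot: In the OPT_SKEYOPT case the reflowed condition is a single very long line, and the assignment `skeyopts = sk_OPENSSL_STRING_new_null()` is now buried in the middle of the `||` chain. Suggest allocating the stack in its own `if (skeyopts == NULL ...)` statement and testing `sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0` separately, so both out-of-memory paths are visible at a glance.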
@@ -393,7 +416,7 @@ int enc_main(int argc, char **argv)
buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
if (infile == NULL) {
if (!streamable && printkey != 2) { /* if just print key and exit, it's ok */
if (!streamable && printkey != 2) { /* if just print key and exit, it's ok */
BIO_printf(bio_err, "Unstreamable cipher mode\n");
goto end;
}
@@ -419,8 +442,8 @@ int enc_main(int argc, char **argv)
char prompt[200];
BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:",
EVP_CIPHER_get0_name(cipher),
(enc) ? "encryption" : "decryption");
EVP_CIPHER_get0_name(cipher),
(enc) ? "encryption" : "decryption");
strbuf[0] = '\0';
i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
if (i == 0) {
@@ -458,7 +481,7 @@ int enc_main(int argc, char **argv)
wbio = out;
#ifndef OPENSSL_NO_COMP
# ifndef OPENSSL_NO_ZLIB
#ifndef OPENSSL_NO_ZLIB
if (do_zlib) {
if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
goto end;
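Review bot: The inner `#ifndef OPENSSL_NO_ZLIB` loses its `# ` indentation and now sits at the same column as the enclosing `#ifndef OPENSSL_NO_COMP`, so the nesting is no longer visible. Suggest a trailing comment on the matching close, for example `#endif /* OPENSSL_NO_ZLIB */`, so the compression guards can still be paired when reading the function.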
@@ -471,7 +494,7 @@ int enc_main(int argc, char **argv)
else
rbio = BIO_push(bzl, rbio);
}
# endif
#endif
if (do_brotli) {
if ((bbrot = BIO_new(BIO_f_brotli())) == NULL)
@@ -532,7 +555,7 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "invalid hex salt value\n");
goto end;
}
if (enc) { /* encryption */
if (enc) { /* encryption */
if (hsalt == NULL) {
if (RAND_bytes(salt, saltlen) <= 0) {
BIO_printf(bio_err, "RAND_bytes failed\n");
@@ -544,15 +567,17 @@ int enc_main(int argc, char **argv)
*/
if ((printkey != 2)
&& (BIO_write(wbio, magic,
sizeof(magic) - 1) != sizeof(magic) - 1
sizeof(magic) - 1)
!= sizeof(magic) - 1
|| BIO_write(wbio,
(char *)salt,
saltlen) != saltlen)) {
(char *)salt,
saltlen)
!= saltlen)) {
BIO_printf(bio_err, "error writing output file\n");
goto end;
}
}
} else { /* decryption */
} else { /* decryption */
if (hsalt == NULL) {
if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)) {
BIO_printf(bio_err, "error reading input file\n");
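Review bot: In the header write check the comparisons `!= sizeof(magic) - 1` and `!= saltlen` now sit on lines of their own, detached from the BIO_write calls they test, which makes the failure condition for writing the "Salted__" magic and the salt easy to misread. Suggest storing each BIO_write result in a local int and comparing it on one line. That would also make the int to size_t comparison against `sizeof(magic) - 1` explicit.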
@@ -560,7 +585,8 @@ int enc_main(int argc, char **argv)
}
if (memcmp(mbuf, magic, sizeof(mbuf)) == 0) { /* file IS salted */
if (BIO_read(rbio, salt,
saltlen) != saltlen) {
saltlen)
!= saltlen) {
BIO_printf(bio_err, "error reading input file\n");
goto end;
}
@@ -575,9 +601,9 @@ int enc_main(int argc, char **argv)
if (pbkdf2 == 1) {
/*
* derive key and default iv
* concatenated into a temporary buffer
*/
* derive key and default iv
* concatenated into a temporary buffer
*/
unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
int iklen = EVP_CIPHER_get_key_length(cipher);
int ivlen = EVP_CIPHER_get_iv_length(cipher);
@@ -585,21 +611,21 @@ int enc_main(int argc, char **argv)
int islen = (sptr != NULL ? saltlen : 0);
if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen,
iter, dgst, iklen+ivlen, tmpkeyiv)) {
iter, dgst, iklen + ivlen, tmpkeyiv)) {
BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n");
goto end;
}
/* split and move data back to global buffer */
memcpy(key, tmpkeyiv, iklen);
memcpy(iv, tmpkeyiv+iklen, ivlen);
memcpy(iv, tmpkeyiv + iklen, ivlen);
rawkey_set = 1;
} else {
BIO_printf(bio_err, "*** WARNING : "
"deprecated key derivation used.\n"
"Using -iter or -pbkdf2 would be better.\n");
if (!EVP_BytesToKey(cipher, dgst, sptr,
(unsigned char *)str, str_len,
1, key, iv)) {
(unsigned char *)str, str_len,
1, key, iv)) {
BIO_printf(bio_err, "EVP_BytesToKey failed\n");
goto end;
}
@@ -668,9 +694,9 @@ int enc_main(int argc, char **argv)
if (rawkey_set) {
if (!EVP_CipherInit_ex(ctx, cipher, e, key,
(hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
(hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
BIO_printf(bio_err, "Error setting cipher %s\n",
EVP_CIPHER_get0_name(cipher));
EVP_CIPHER_get0_name(cipher));
ERR_print_errors(bio_err);
goto end;
}
@@ -678,31 +704,31 @@ int enc_main(int argc, char **argv)
OSSL_PARAM *params = NULL;
mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq());
skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq());
if (mgmt == NULL)
goto end;
params = app_params_new_from_opts(skeyopts,
EVP_SKEYMGMT_get0_imp_settable_params(mgmt));
EVP_SKEYMGMT_get0_imp_settable_params(mgmt));
if (params == NULL)
goto end;
skey = EVP_SKEY_import(app_get0_libctx(), EVP_SKEYMGMT_get0_name(mgmt),
app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
OSSL_PARAM_free(params);
if (skey == NULL) {
BIO_printf(bio_err, "Error creating opaque key object for skeymgmt %s\n",
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
ERR_print_errors(bio_err);
goto end;
}
if (!EVP_CipherInit_SKEY(ctx, cipher, skey,
(hiv == NULL && wrap == 1 ? NULL : iv),
EVP_CIPHER_get_iv_length(cipher), enc, NULL)) {
(hiv == NULL && wrap == 1 ? NULL : iv),
EVP_CIPHER_get_iv_length(cipher), enc, NULL)) {
BIO_printf(bio_err, "Error setting an opaque key for cipher %s\n",
EVP_CIPHER_get0_name(cipher));
EVP_CIPHER_get0_name(cipher));
ERR_print_errors(bio_err);
goto end;
}
@@ -750,7 +776,7 @@ int enc_main(int argc, char **argv)
inl = BIO_read(rbio, (char *)buff, bsize);
if (inl <= 0)
break;
if (!streamable && !BIO_eof(rbio)) { /* do not output data */
if (!streamable && !BIO_eof(rbio)) { /* do not output data */
BIO_printf(bio_err, "Unstreamable cipher mode\n");
goto end;
}
@@ -774,7 +800,7 @@ int enc_main(int argc, char **argv)
BIO_printf(bio_err, "bytes read : %8ju\n", BIO_number_read(in));
BIO_printf(bio_err, "bytes written: %8ju\n", BIO_number_written(out));
}
end:
end:
ERR_print_errors(bio_err);
sk_OPENSSL_STRING_free(skeyopts);
EVP_SKEYMGMT_free(mgmt);
@@ -808,8 +834,8 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
/* Filter out ciphers that we cannot use */
cipher = EVP_get_cipherbyname(name->name);
if (cipher == NULL
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
return;
BIO_printf(dec->bio, "-%-25s", name->name);
+59 -53
View File
@@ -24,32 +24,39 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
OPT_C,
OPT_T,
OPT_TT,
OPT_PRE,
OPT_POST,
OPT_V = 100,
OPT_VV,
OPT_VVV,
OPT_VVVV
} OPTION_CHOICE;
const OPTIONS engine_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"t", OPT_T, '-', "Check that specified engine is available"},
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "t", OPT_T, '-', "Check that specified engine is available" },
{ "pre", OPT_PRE, 's', "Run command against the ENGINE before loading it" },
{ "post", OPT_POST, 's', "Run command against the ENGINE after loading it" },
OPT_SECTION("Output"),
{"v", OPT_V, '-', "List 'control commands' For each specified engine"},
{"vv", OPT_VV, '-', "Also display each command's description"},
{"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
{"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
{"c", OPT_C, '-', "List the capabilities of specified engine"},
{"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
{OPT_MORE_STR, OPT_EOF, 1,
"Commands are like \"SO_PATH:/lib/libdriver.so\""},
{ "v", OPT_V, '-', "List 'control commands' For each specified engine" },
{ "vv", OPT_VV, '-', "Also display each command's description" },
{ "vvv", OPT_VVV, '-', "Also add the input flags for each command" },
{ "vvvv", OPT_VVVV, '-', "Also show internal input flags" },
{ "c", OPT_C, '-', "List the capabilities of specified engine" },
{ "tt", OPT_TT, '-', "Display error trace for unavailable engines" },
{ OPT_MORE_STR, OPT_EOF, 1,
"Commands are like \"SO_PATH:/lib/libdriver.so\"" },
OPT_PARAMETERS(),
{"engine", 0, 0, "ID of engine(s) to load"},
{NULL}
{ "engine", 0, 0, "ID of engine(s) to load" },
{ NULL }
};
static int append_buf(char **buf, int *size, const char *s)
@@ -133,9 +140,7 @@ static int util_flags(BIO *out, unsigned int flags, const char *indent)
started = 1;
}
/* Check for unknown flags */
flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
~ENGINE_CMD_FLAG_STRING &
~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
flags = flags & ~ENGINE_CMD_FLAG_NUMERIC & ~ENGINE_CMD_FLAG_STRING & ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
if (flags) {
if (started)
BIO_printf(out, "|");
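Review bot: The unknown-flag mask in util_flags is now one long expression chaining four `& ~ENGINE_CMD_FLAG_...` terms on a single line. Suggest OR-ing the four known flags into one named local or macro and clearing them with a single `flags &= ~known;`, which states the intent of the "Check for unknown flags" comment directly.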
@@ -157,9 +162,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
int flags;
int xpos = 0;
STACK_OF(OPENSSL_STRING) *cmds = NULL;
if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
0, NULL, NULL)) <= 0)) {
if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, 0, NULL, NULL)) <= 0)) {
return 1;
}
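Review bot: At the top of util_verbose the joined condition hides that `num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, ...)` is assigned inside the test, and that any result `<= 0`, negative values included, leads to `return 1`. Suggest a one-line comment saying that a missing ctrl function or an empty command list is deliberately treated as success, and hoisting the assignment out of the `if`.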
@@ -171,25 +174,30 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
int len;
/* Get the command input flags */
if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
NULL, NULL)) < 0)
NULL, NULL))
< 0)
goto err;
if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
/* Get the command name */
if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
NULL, NULL)) <= 0)
NULL, NULL))
<= 0)
goto err;
name = app_malloc(len + 1, "name buffer");
if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
NULL) <= 0)
NULL)
<= 0)
goto err;
/* Get the command description */
if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
NULL, NULL)) < 0)
NULL, NULL))
< 0)
goto err;
if (len > 0) {
desc = app_malloc(len + 1, "description buffer");
if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
NULL) <= 0)
NULL)
<= 0)
goto err;
}
/* Now decide on the output */
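Review bot: The four ENGINE_ctrl checks in this loop now end with the comparison alone on its own line, and they differ: the flags and description-length calls test `< 0`, while the name-length and name calls test `<= 0`. The split makes that difference easy to overlook. Suggest keeping the operator on the line with the closing parenthesis, or assigning the result first, and adding a short comment that a zero description length is valid because of the `if (len > 0)` that follows.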
@@ -203,8 +211,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
/*
* We're just listing names, comma-delimited
*/
if ((xpos > (int)strlen(indent)) &&
(xpos + (int)strlen(name) > line_wrap)) {
if ((xpos > (int)strlen(indent)) && (xpos + (int)strlen(name) > line_wrap)) {
BIO_printf(out, "\n");
xpos = BIO_puts(out, indent);
}
@@ -212,7 +219,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
} else {
/* We're listing names plus descriptions */
BIO_printf(out, "%s: %s\n", name,
(desc == NULL) ? "<no description>" : desc);
(desc == NULL) ? "<no description>" : desc);
/* ... and sometimes input flags */
if ((verbose >= 3) && !util_flags(out, flags, indent))
goto err;
@@ -229,7 +236,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
if (xpos > 0)
BIO_printf(out, "\n");
ret = 1;
err:
err:
sk_OPENSSL_STRING_free(cmds);
OPENSSL_free(name);
OPENSSL_free(desc);
@@ -237,7 +244,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
}
static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
BIO *out, const char *indent)
BIO *out, const char *indent)
{
int loop, res, num = sk_OPENSSL_STRING_num(cmds);
@@ -249,7 +256,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
char buf[256];
const char *cmd, *arg;
cmd = sk_OPENSSL_STRING_value(cmds, loop);
res = 1; /* assume success */
res = 1; /* assume success */
/* Check if this command has no ":arg" */
if ((arg = strchr(cmd, ':')) == NULL) {
if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
@@ -261,7 +268,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
}
memcpy(buf, cmd, (int)(arg - cmd));
buf[arg - cmd] = '\0';
arg++; /* Move past the ":" */
arg++; /* Move past the ":" */
/* Call the command with the argument */
if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
res = 0;
@@ -288,7 +295,7 @@ static void util_store_cap(const OSSL_STORE_LOADER *loader, void *arg)
if (OSSL_STORE_LOADER_get0_engine(loader) == ctx->engine) {
char buf[256];
BIO_snprintf(buf, sizeof(buf), "STORE(%s)",
OSSL_STORE_LOADER_get0_scheme(loader));
OSSL_STORE_LOADER_get0_scheme(loader));
if (!append_buf(ctx->cap_buf, ctx->cap_size, buf))
ctx->ok = 0;
}
@@ -366,10 +373,10 @@ int engine_main(int argc, char **argv)
/* Any remaining arguments are engine names. */
argc = opt_num_rest();
argv = opt_rest();
for ( ; *argv; argv++) {
for (; *argv; argv++) {
if (**argv == '-') {
BIO_printf(bio_err, "%s: Cannot mix flags and engine names.\n",
prog);
prog);
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
}
@@ -396,7 +403,7 @@ int engine_main(int argc, char **argv)
util_do_cmds(e, pre_cmds, out, indent);
if (strcmp(ENGINE_get_id(e), id) != 0) {
BIO_printf(out, "Loaded: (%s) %s\n",
ENGINE_get_id(e), ENGINE_get_name(e));
ENGINE_get_id(e), ENGINE_get_name(e));
}
if (list_cap) {
int cap_size = 256;
@@ -431,7 +438,7 @@ int engine_main(int argc, char **argv)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_ciphers:
skip_ciphers:
fn_d = ENGINE_get_digests(e);
if (fn_d == NULL)
goto skip_digests;
@@ -440,7 +447,7 @@ int engine_main(int argc, char **argv)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_digests:
skip_digests:
fn_pk = ENGINE_get_pkey_meths(e);
if (fn_pk == NULL)
goto skip_pmeths;
@@ -448,19 +455,18 @@ int engine_main(int argc, char **argv)
for (k = 0; k < n; ++k)
if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
goto end;
skip_pmeths:
{
struct util_store_cap_data store_ctx;
skip_pmeths: {
struct util_store_cap_data store_ctx;
store_ctx.engine = e;
store_ctx.cap_buf = &cap_buf;
store_ctx.cap_size = &cap_size;
store_ctx.ok = 1;
store_ctx.engine = e;
store_ctx.cap_buf = &cap_buf;
store_ctx.cap_size = &cap_size;
store_ctx.ok = 1;
OSSL_STORE_do_all_loaders(util_store_cap, &store_ctx);
if (!store_ctx.ok)
goto end;
}
OSSL_STORE_do_all_loaders(util_store_cap, &store_ctx);
if (!store_ctx.ok)
goto end;
}
if (cap_buf != NULL && (*cap_buf != '\0'))
BIO_printf(out, " [%s]\n", cap_buf);
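Review bot: The reformatted `skip_pmeths: {` puts the label and the opening brace of the store_ctx block on one line, unlike the `skip_ciphers:` and `skip_digests:` labels earlier in engine_main, so the scope that holds `struct util_store_cap_data store_ctx` is easy to miss. Suggest keeping the label on its own line, or declaring store_ctx at function scope and dropping the extra block.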
@@ -490,7 +496,7 @@ int engine_main(int argc, char **argv)
}
}
end:
end:
ERR_print_errors(bio_err);
sk_OPENSSL_CSTRING_free(engines);
+10 -7
View File
@@ -17,18 +17,20 @@
#include <openssl/ssl.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP
OPT_ERR = -1,
OPT_EOF = 0,
OPT_HELP
} OPTION_CHOICE;
const OPTIONS errstr_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_PARAMETERS(),
{"errnum", 0, 0, "Error number(s) to decode"},
{NULL}
{ "errnum", 0, 0, "Error number(s) to decode" },
{ NULL }
};
int errstr_main(int argc, char **argv)
@@ -57,7 +59,8 @@ int errstr_main(int argc, char **argv)
* we're still interested in SSL error strings
*/
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
NULL);
/* All remaining arg are error code. */
ret = 0;
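Review bot: the return value of `OPENSSL_init_ssl(...)` is discarded in this call, so a failure to load the SSL and crypto error strings goes unreported and `errstr` carries on decoding error numbers without them. `OPENSSL_init_ssl` returns 0 on error; checking for that and jumping to `end` with a non-zero `ret` would make the failure visible to the caller.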
@@ -69,6 +72,6 @@ int errstr_main(int argc, char **argv)
BIO_printf(bio_out, "%s\n", buf);
}
}
end:
end:
return ret;
}
+284 -240
View File
@@ -21,8 +21,8 @@
#define BUFSIZE 4096
/* Configuration file values */
#define VERSION_KEY "version"
#define VERSION_VAL "1"
#define VERSION_KEY "version"
#define VERSION_VAL "1"
#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
static OSSL_CALLBACK self_test_events;
@@ -33,15 +33,29 @@ static int quiet = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC,
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
OPT_IN,
OPT_OUT,
OPT_MODULE,
OPT_PEDANTIC,
OPT_PROV_NAME,
OPT_SECTION_NAME,
OPT_MAC_NAME,
OPT_MACOPT,
OPT_VERIFY,
OPT_NO_LOG,
OPT_CORRUPT_DESC,
OPT_CORRUPT_TYPE,
OPT_QUIET,
OPT_CONFIG,
OPT_NO_CONDITIONAL_ERRORS,
OPT_NO_SECURITY_CHECKS,
OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC,
OPT_DISALLOW_PKCS15_PADDING, OPT_RSA_PSS_SALTLEN_CHECK,
OPT_TLS_PRF_EMS_CHECK,
OPT_NO_SHORT_MAC,
OPT_DISALLOW_PKCS15_PADDING,
OPT_RSA_PSS_SALTLEN_CHECK,
OPT_DISALLOW_SIGNATURE_X931_PADDING,
OPT_HMAC_KEY_CHECK, OPT_KMAC_KEY_CHECK,
OPT_HMAC_KEY_CHECK,
OPT_KMAC_KEY_CHECK,
OPT_DISALLOW_DRGB_TRUNC_DIGEST,
OPT_SIGNATURE_DIGEST_CHECK,
OPT_HKDF_DIGEST_CHECK,
@@ -62,93 +76,94 @@ typedef enum OPTION_choice {
OPT_X942KDF_KEY_CHECK,
OPT_NO_PBKDF2_LOWER_BOUND_CHECK,
OPT_ECDH_COFACTOR_CHECK,
OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
OPT_SELF_TEST_ONLOAD,
OPT_SELF_TEST_ONINSTALL
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
{"verify", OPT_VERIFY, '-',
"Verify a config file instead of generating one"},
{"module", OPT_MODULE, '<', "File name of the provider module"},
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
{"section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)"},
{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
"Disable the ability of the fips module to enter an error state if"
" any conditional self tests fail"},
{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
"Disable the run-time FIPS security checks in the module"},
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load"},
{"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
"Forces self tests to run once on module installation"},
{"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
"Enable the run-time FIPS check for EMS during TLS1_PRF"},
{"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"},
{"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
"Disallow truncated digests with Hash and HMAC DRBGs"},
{"signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
"Enable checking for approved digests for signatures"},
{"hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC"},
{"kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC"},
{"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
"Enable digest check for HKDF"},
{"tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
"Enable digest check for TLS13-KDF"},
{"tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
"Enable digest check for TLS1-PRF"},
{"sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
"Enable digest check for SSHKDF"},
{"sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
"Enable digest check for SSKDF"},
{"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
"Enable digest check for X963KDF"},
{"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
"Disallow DSA signing"},
{"tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
"Disallow Triple-DES encryption"},
{"rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
"Disallow PKCS#1 version 1.5 padding for RSA encryption"},
{"rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
"Enable salt length check for RSA-PSS signature operations"},
{"rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
"Disallow X931 Padding for RSA signing"},
{"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
"Enable key check for HKDF"},
{"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
"Enable key check for KBKDF"},
{"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
"Enable key check for TLS13-KDF"},
{"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
"Enable key check for TLS1-PRF"},
{"sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
"Enable key check for SSHKDF"},
{"sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
"Enable key check for SSKDF"},
{"x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
"Enable key check for X963KDF"},
{"x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
"Enable key check for X942KDF"},
{"no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
"Disable lower bound check for PBKDF2"},
{"ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
"Enable Cofactor check for ECDH"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance" },
{ "verify", OPT_VERIFY, '-',
"Verify a config file instead of generating one" },
{ "module", OPT_MODULE, '<', "File name of the provider module" },
{ "provider_name", OPT_PROV_NAME, 's', "FIPS provider name" },
{ "section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)" },
{ "no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
"Disable the ability of the fips module to enter an error state if"
" any conditional self tests fail" },
{ "no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
"Disable the run-time FIPS security checks in the module" },
{ "self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load" },
{ "self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
"Forces self tests to run once on module installation" },
{ "ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
"Enable the run-time FIPS check for EMS during TLS1_PRF" },
{ "no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output" },
{ "no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
"Disallow truncated digests with Hash and HMAC DRBGs" },
{ "signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
"Enable checking for approved digests for signatures" },
{ "hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC" },
{ "kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC" },
{ "hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
"Enable digest check for HKDF" },
{ "tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
"Enable digest check for TLS13-KDF" },
{ "tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
"Enable digest check for TLS1-PRF" },
{ "sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
"Enable digest check for SSHKDF" },
{ "sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
"Enable digest check for SSKDF" },
{ "x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
"Enable digest check for X963KDF" },
{ "dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
"Disallow DSA signing" },
{ "tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
"Disallow Triple-DES encryption" },
{ "rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
"Disallow PKCS#1 version 1.5 padding for RSA encryption" },
{ "rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
"Enable salt length check for RSA-PSS signature operations" },
{ "rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
"Disallow X931 Padding for RSA signing" },
{ "hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
"Enable key check for HKDF" },
{ "kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
"Enable key check for KBKDF" },
{ "tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
"Enable key check for TLS13-KDF" },
{ "tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
"Enable key check for TLS1-PRF" },
{ "sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
"Enable key check for SSHKDF" },
{ "sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
"Enable key check for SSKDF" },
{ "x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
"Enable key check for X963KDF" },
{ "x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
"Enable key check for X942KDF" },
{ "no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
"Disable lower bound check for PBKDF2" },
{ "ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
"Enable Cofactor check for ECDH" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
{ "in", OPT_IN, '<', "Input config file, used when verifying" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output config file, used when generating"},
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."},
{OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
{"config", OPT_CONFIG, '<', "The parent config to verify"},
{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
{NULL}
{ "out", OPT_OUT, '>', "Output config file, used when generating" },
{ "mac_name", OPT_MAC_NAME, 's', "MAC name" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form." },
{ OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs" },
{ "noout", OPT_NO_LOG, '-', "Disable logging of self test events" },
{ "corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description" },
{ "corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type" },
{ "config", OPT_CONFIG, '<', "The parent config to verify" },
{ "quiet", OPT_QUIET, '-', "No messages, just exit status" },
{ NULL }
};
typedef struct {
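Review bot: the enum constant `OPT_DISALLOW_DRGB_TRUNC_DIGEST` used for the `no_drbg_truncated_digests` entry spells DRBG as "DRGB", so the identifier disagrees with the option string and help text it is bound to. Since every line of this table is being touched anyway, renaming it to `OPT_DISALLOW_DRBG_TRUNC_DIGEST` (and `drgb_no_trunc_dgst` in `FIPS_OPTS`) would make it greppable alongside the other DRBG names. Separately, `corrupt_desc`, `corrupt_type`, `config` and `quiet` sit under `OPT_SECTION("Output")`, which groups self-test fault injection and verification input with output options in the `-help` summary.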
@@ -186,70 +201,70 @@ typedef struct {
/* Pedantic FIPS compliance */
static const FIPS_OPTS pedantic_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
1, /* hmac_key_check */
1, /* kmac_key_check */
1, /* tls_prf_ems_check */
1, /* no_short_mac */
1, /* drgb_no_trunc_dgst */
1, /* signature_digest_check */
1, /* hkdf_digest_check */
1, /* tls13_kdf_digest_check */
1, /* tls1_prf_digest_check */
1, /* sshkdf_digest_check */
1, /* sskdf_digest_check */
1, /* x963kdf_digest_check */
1, /* dsa_sign_disabled */
1, /* tdes_encrypt_disabled */
1, /* rsa_pkcs15_padding_disabled */
1, /* rsa_pss_saltlen_check */
1, /* sign_x931_padding_disabled */
1, /* hkdf_key_check */
1, /* kbkdf_key_check */
1, /* tls13_kdf_key_check */
1, /* tls1_prf_key_check */
1, /* sshkdf_key_check */
1, /* sskdf_key_check */
1, /* x963kdf_key_check */
1, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
1, /* ecdh_cofactor_check */
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
1, /* hmac_key_check */
1, /* kmac_key_check */
1, /* tls_prf_ems_check */
1, /* no_short_mac */
1, /* drgb_no_trunc_dgst */
1, /* signature_digest_check */
1, /* hkdf_digest_check */
1, /* tls13_kdf_digest_check */
1, /* tls1_prf_digest_check */
1, /* sshkdf_digest_check */
1, /* sskdf_digest_check */
1, /* x963kdf_digest_check */
1, /* dsa_sign_disabled */
1, /* tdes_encrypt_disabled */
1, /* rsa_pkcs15_padding_disabled */
1, /* rsa_pss_saltlen_check */
1, /* sign_x931_padding_disabled */
1, /* hkdf_key_check */
1, /* kbkdf_key_check */
1, /* tls13_kdf_key_check */
1, /* tls1_prf_key_check */
1, /* sshkdf_key_check */
1, /* sskdf_key_check */
1, /* x963kdf_key_check */
1, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
1, /* ecdh_cofactor_check */
};
/* Default FIPS settings for backward compatibility */
static FIPS_OPTS fips_opts = {
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
0, /* hmac_key_check */
0, /* kmac_key_check */
0, /* tls_prf_ems_check */
0, /* no_short_mac */
0, /* drgb_no_trunc_dgst */
0, /* signature_digest_check */
0, /* hkdf_digest_check */
0, /* tls13_kdf_digest_check */
0, /* tls1_prf_digest_check */
0, /* sshkdf_digest_check */
0, /* sskdf_digest_check */
0, /* x963kdf_digest_check */
0, /* dsa_sign_disabled */
0, /* tdes_encrypt_disabled */
0, /* rsa_pkcs15_padding_disabled */
0, /* rsa_pss_saltlen_check */
0, /* sign_x931_padding_disabled */
0, /* hkdf_key_check */
0, /* kbkdf_key_check */
0, /* tls13_kdf_key_check */
0, /* tls1_prf_key_check */
0, /* sshkdf_key_check */
0, /* sskdf_key_check */
0, /* x963kdf_key_check */
0, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
0, /* ecdh_cofactor_check */
1, /* self_test_onload */
1, /* conditional_errors */
1, /* security_checks */
0, /* hmac_key_check */
0, /* kmac_key_check */
0, /* tls_prf_ems_check */
0, /* no_short_mac */
0, /* drgb_no_trunc_dgst */
0, /* signature_digest_check */
0, /* hkdf_digest_check */
0, /* tls13_kdf_digest_check */
0, /* tls1_prf_digest_check */
0, /* sshkdf_digest_check */
0, /* sskdf_digest_check */
0, /* x963kdf_digest_check */
0, /* dsa_sign_disabled */
0, /* tdes_encrypt_disabled */
0, /* rsa_pkcs15_padding_disabled */
0, /* rsa_pss_saltlen_check */
0, /* sign_x931_padding_disabled */
0, /* hkdf_key_check */
0, /* kbkdf_key_check */
0, /* tls13_kdf_key_check */
0, /* tls1_prf_key_check */
0, /* sshkdf_key_check */
0, /* sskdf_key_check */
0, /* x963kdf_key_check */
0, /* x942kdf_key_check */
1, /* pbkdf2_lower_bound_check */
0, /* ecdh_cofactor_check */
};
static int check_non_pedantic_fips(int pedantic, const char *name)
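Review bot: `pedantic_opts` and `fips_opts` initialise thirty `FIPS_OPTS` members positionally, so the only thing tying each `0` or `1` to a field is the trailing comment, and the compiler will not notice if a field is added or reordered in the struct without updating both tables. Designated initialisers (for example `.hmac_key_check = 1,`) would make the mapping checked rather than documented. That matters here because `fips_opts` leaves most run-time checks at 0 "for backward compatibility", and an off-by-one row would silently change which checks a generated config enables.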
@@ -262,7 +277,7 @@ static int check_non_pedantic_fips(int pedantic, const char *name)
}
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
unsigned char *out, size_t *out_len)
unsigned char *out, size_t *out_len)
{
int ret = 0;
int i;
@@ -285,7 +300,7 @@ static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
}
static int load_fips_prov_and_run_self_test(const char *prov_name,
int *is_fips_140_2_prov)
int *is_fips_140_2_prov)
{
int ret = 0;
OSSL_PROVIDER *prov = NULL;
@@ -299,11 +314,11 @@ static int load_fips_prov_and_run_self_test(const char *prov_name,
}
if (!quiet) {
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
&name, sizeof(name));
&name, sizeof(name));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
&vers, sizeof(vers));
&vers, sizeof(vers));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
&build, sizeof(build));
&build, sizeof(build));
*p = OSSL_PARAM_construct_end();
if (!OSSL_PROVIDER_get_params(prov, params)) {
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
@@ -317,7 +332,7 @@ static int load_fips_prov_and_run_self_test(const char *prov_name,
BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
} else {
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
&vers, sizeof(vers));
&vers, sizeof(vers));
*p = OSSL_PARAM_construct_end();
if (!OSSL_PROVIDER_get_params(prov, params)) {
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
@@ -332,7 +347,7 @@ static int load_fips_prov_and_run_self_test(const char *prov_name,
}
static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
size_t len)
size_t len)
{
int ret;
char *hexstr = NULL;
@@ -346,13 +361,13 @@ static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
}
static int write_config_header(BIO *out, const char *prov_name,
const char *section)
const char *section)
{
return BIO_printf(out, "openssl_conf = openssl_init\n\n")
&& BIO_printf(out, "[openssl_init]\n")
&& BIO_printf(out, "providers = provider_section\n\n")
&& BIO_printf(out, "[provider_section]\n")
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
&& BIO_printf(out, "[openssl_init]\n")
&& BIO_printf(out, "providers = provider_section\n\n")
&& BIO_printf(out, "[provider_section]\n")
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
}
/*
@@ -363,96 +378,127 @@ static int write_config_header(BIO *out, const char *prov_name,
* Returns 1 if the config file is written otherwise it returns 0 on error.
*/
static int write_config_fips_section(BIO *out, const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts,
unsigned char *install_mac,
size_t install_mac_len)
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts,
unsigned char *install_mac,
size_t install_mac_len)
{
int ret = 0;
if (BIO_printf(out, "[%s]\n", section) <= 0
|| BIO_printf(out, "activate = 1\n") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
VERSION_VAL) <= 0
VERSION_VAL)
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
opts->conditional_errors ? "1" : "0") <= 0
opts->conditional_errors ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
opts->security_checks ? "1" : "0") <= 0
opts->security_checks ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
opts->hmac_key_check ? "1": "0") <= 0
opts->hmac_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
opts->kmac_key_check ? "1": "0") <= 0
opts->kmac_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
opts->tls_prf_ems_check ? "1" : "0") <= 0
opts->tls_prf_ems_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
opts->no_short_mac ? "1" : "0") <= 0
opts->no_short_mac ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
opts->drgb_no_trunc_dgst ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
opts->signature_digest_check ? "1" : "0") <= 0
opts->signature_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
opts->hkdf_digest_check ? "1": "0") <= 0
opts->hkdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
opts->tls13_kdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
opts->tls13_kdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
opts->tls1_prf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
opts->tls1_prf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
opts->sshkdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
opts->sshkdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
opts->sskdf_digest_check ? "1": "0") <= 0
opts->sskdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
opts->x963kdf_digest_check ? "1": "0") <= 0
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
opts->x963kdf_digest_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
opts->dsa_sign_disabled ? "1" : "0") <= 0
opts->dsa_sign_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
opts->tdes_encrypt_disabled ? "1" : "0") <= 0
opts->tdes_encrypt_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
opts->rsa_pkcs15_padding_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
opts->rsa_pss_saltlen_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
opts->sign_x931_padding_disabled ? "1" : "0") <= 0
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
opts->sign_x931_padding_disabled ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
opts->hkdf_key_check ? "1": "0") <= 0
opts->hkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
opts->kbkdf_key_check ? "1": "0") <= 0
opts->kbkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
opts->tls13_kdf_key_check ? "1": "0") <= 0
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
opts->tls13_kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
opts->tls1_prf_key_check ? "1": "0") <= 0
opts->tls1_prf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
opts->sshkdf_key_check ? "1": "0") <= 0
opts->sshkdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
opts->sskdf_key_check ? "1": "0") <= 0
opts->sskdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
opts->x963kdf_key_check ? "1": "0") <= 0
opts->x963kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X942KDF_KEY_CHECK,
opts->x942kdf_key_check ? "1": "0") <= 0
opts->x942kdf_key_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
opts->pbkdf2_lower_bound_check ? "1" : "0")
<= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
opts->ecdh_cofactor_check ? "1": "0") <= 0
opts->ecdh_cofactor_check ? "1" : "0")
<= 0
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
module_mac_len))
module_mac_len))
goto end;
if (install_mac != NULL
&& install_mac_len > 0
&& opts->self_test_onload == 0) {
&& install_mac_len > 0
&& opts->self_test_onload == 0) {
if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
install_mac_len)
install_mac_len)
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
INSTALL_STATUS_VAL) <= 0)
INSTALL_STATUS_VAL)
<= 0)
goto end;
}
ret = 1;
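Review bot: in the `BIO_printf(...) <= 0` chain of `write_config_fips_section`, the comparison now sits on a line of its own (`VERSION_VAL)` followed by `<= 0`), which detaches each failure check from the call it tests across roughly thirty near-identical clauses. A small static helper that writes one `name = 0|1` line and returns success would reduce each clause to a single line and make it obvious when a clause is missing its check.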
@@ -461,10 +507,10 @@ static int write_config_fips_section(BIO *out, const char *section,
}
static CONF *generate_config_and_load(const char *prov_name,
const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts)
const char *section,
unsigned char *module_mac,
size_t module_mac_len,
const FIPS_OPTS *opts)
{
BIO *mem_bio = NULL;
CONF *conf = NULL;
@@ -474,8 +520,8 @@ static CONF *generate_config_and_load(const char *prov_name,
return 0;
if (!write_config_header(mem_bio, prov_name, section)
|| !write_config_fips_section(mem_bio, section,
module_mac, module_mac_len,
opts, NULL, 0))
module_mac, module_mac_len,
opts, NULL, 0))
goto end;
conf = app_load_config_bio(mem_bio, NULL);
@@ -510,8 +556,8 @@ static int verify_module_load(const char *parent_config_file)
* install_mac values, otherwise it returns 0.
*/
static int verify_config(const char *infile, const char *section,
unsigned char *module_mac, size_t module_mac_len,
unsigned char *install_mac, size_t install_mac_len)
unsigned char *module_mac, size_t module_mac_len,
unsigned char *install_mac, size_t install_mac_len)
{
int ret = 0;
char *s = NULL;
@@ -536,8 +582,8 @@ static int verify_config(const char *infile, const char *section,
}
buf1 = OPENSSL_hexstr2buf(s, &len);
if (buf1 == NULL
|| (size_t)len != module_mac_len
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
|| (size_t)len != module_mac_len
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
BIO_printf(bio_err, "Module integrity mismatch\n");
goto end;
}
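Review bot: `memcmp(module_mac, buf1, module_mac_len)` compares a computed MAC against the value read from the config file with a comparison that returns at the first differing byte. The exposure is small for a local install-time tool, but `CRYPTO_memcmp` is the usual choice for MAC comparison and costs nothing here; the same applies to the `install_mac` comparison in the following hunk. The single "Module integrity mismatch" message also covers a hex-decoding failure and a length mismatch, which makes a malformed config indistinguishable from a tampered module when reading the output.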
@@ -554,8 +600,8 @@ static int verify_config(const char *infile, const char *section,
}
buf2 = OPENSSL_hexstr2buf(s, &len);
if (buf2 == NULL
|| (size_t)len != install_mac_len
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
|| (size_t)len != install_mac_len
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
BIO_printf(bio_err, "Install indicator status mismatch\n");
goto end;
}
@@ -598,7 +644,7 @@ int fipsinstall_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto cleanup;
case OPT_HELP:
@@ -773,7 +819,7 @@ int fipsinstall_main(int argc, char **argv)
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
if (!quiet) {
BIO_printf(bio_err, "FIPS provider is %s\n",
ret == 0 ? "available" : "not available");
ret == 0 ? "available" : "not available");
}
}
goto end;
@@ -792,8 +838,8 @@ int fipsinstall_main(int argc, char **argv)
}
if (self_test_log
|| self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)
|| self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)
OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
/* Use the default FIPS HMAC digest and key if not specified. */
@@ -826,8 +872,7 @@ int fipsinstall_main(int argc, char **argv)
if (opts != NULL) {
int ok = 1;
OSSL_PARAM *params =
app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
OSSL_PARAM *params = app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
if (params == NULL)
goto end;
@@ -853,7 +898,7 @@ int fipsinstall_main(int argc, char **argv)
/* Calculate the MAC for the indicator status - it may not be used */
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
strlen(INSTALL_STATUS_VAL));
strlen(INSTALL_STATUS_VAL));
if (mem_bio == NULL) {
BIO_printf(bio_err, "Unable to create memory BIO\n");
goto end;
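Review bot: `strlen(INSTALL_STATUS_VAL)` produces a `size_t` that is passed to the `int` length parameter of `BIO_new_mem_buf`. The value is a short string literal so nothing is truncated, but `sizeof(INSTALL_STATUS_VAL) - 1`, or a length of `-1` (which makes `BIO_new_mem_buf` take the length from the terminating NUL), would avoid the implicit narrowing.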
@@ -865,13 +910,13 @@ int fipsinstall_main(int argc, char **argv)
if (fips_opts.self_test_onload == 1)
install_mac_len = 0;
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
install_mac, install_mac_len))
install_mac, install_mac_len))
goto end;
if (!quiet)
BIO_printf(bio_err, "VERIFY PASSED\n");
} else {
conf = generate_config_and_load(prov_name, section_name, module_mac,
module_mac_len, &fips_opts);
module_mac_len, &fips_opts);
if (conf == NULL)
goto end;
if (!load_fips_prov_and_run_self_test(prov_name, &is_fips_140_2_prov))
@@ -888,17 +933,16 @@ int fipsinstall_main(int argc, char **argv)
if (set_selftest_onload_option == 0 && is_fips_140_2_prov)
fips_opts.self_test_onload = 0;
fout =
out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
fout = out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
if (fout == NULL) {
BIO_printf(bio_err, "Failed to open file\n");
goto end;
}
if (!write_config_fips_section(fout, section_name,
module_mac, module_mac_len, &fips_opts,
install_mac, install_mac_len))
module_mac, module_mac_len, &fips_opts,
install_mac, install_mac_len))
goto end;
if (!quiet)
BIO_printf(bio_err, "INSTALL PASSED\n");
@@ -951,7 +995,7 @@ static int self_test_events(const OSSL_PARAM params[], void *arg)
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
BIO_printf(bio_err, "%s : (%s) : ", desc, type);
else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
BIO_printf(bio_err, "%s\n", phase);
}
/*
@@ -959,13 +1003,13 @@ static int self_test_events(const OSSL_PARAM params[], void *arg)
* error is returned during the corrupt phase.
*/
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
&& (self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)) {
&& (self_test_corrupt_desc != NULL
|| self_test_corrupt_type != NULL)) {
if (self_test_corrupt_desc != NULL
&& strcmp(self_test_corrupt_desc, desc) != 0)
&& strcmp(self_test_corrupt_desc, desc) != 0)
goto end;
if (self_test_corrupt_type != NULL
&& strcmp(self_test_corrupt_type, type) != 0)
&& strcmp(self_test_corrupt_type, type) != 0)
goto end;
BIO_printf(bio_err, "%s ", phase);
goto err;
+24 -18
View File
@@ -24,31 +24,37 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_OUT,
OPT_PASSOUT,
OPT_ENGINE,
OPT_CIPHER,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS gendsa_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to the specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "out", OPT_OUT, '>', "Output the key to the specified file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{ "", OPT_CIPHER, '-', "Encrypt the output with any supported cipher" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
OPT_PARAMETERS(),
{"dsaparam-file", 0, 0, "File containing DSA parameters"},
{NULL}
{ "dsaparam-file", 0, 0, "File containing DSA parameters" },
{ NULL }
};
int gendsa_main(int argc, char **argv)
@@ -69,7 +75,7 @@ int gendsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -132,9 +138,9 @@ int gendsa_main(int argc, char **argv)
nbits = EVP_PKEY_get_bits(pkey);
if (nbits > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
if (ctx == NULL) {
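Review bot: the warning's last argument calls `EVP_PKEY_get_bits(pkey)` again even though `nbits` was assigned from the same call two lines earlier and is what the `if` tests. Passing `nbits` keeps the printed size identical to the value that triggered the warning. The message text could also read "more than %d bits" while this line is being re-indented.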
@@ -157,10 +163,10 @@ int gendsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
end2:
end2:
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);
+56 -41
View File
@@ -18,45 +18,57 @@
static int verbose = 1;
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
OSSL_LIB_CTX *libctx, const char *propq);
OSSL_LIB_CTX *libctx, const char *propq);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, OPT_OUTPUBKEY,
OPT_PROV_ENUM, OPT_R_ENUM
OPT_ENGINE,
OPT_OUTFORM,
OPT_OUT,
OPT_PASS,
OPT_PARAMFILE,
OPT_ALGORITHM,
OPT_PKEYOPT,
OPT_GENPARAM,
OPT_TEXT,
OPT_CIPHER,
OPT_VERBOSE,
OPT_QUIET,
OPT_CONFIG,
OPT_OUTPUBKEY,
OPT_PROV_ENUM,
OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS genpkey_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
{"verbose", OPT_VERBOSE, '-', "Output status while generating keys"},
{"quiet", OPT_QUIET, '-', "Do not output status while generating keys"},
{"pkeyopt", OPT_PKEYOPT, 's',
"Set the public key algorithm option as opt:value"},
OPT_CONFIG_OPTION,
{ "paramfile", OPT_PARAMFILE, '<', "Parameters file" },
{ "algorithm", OPT_ALGORITHM, 's', "The public key algorithm" },
{ "verbose", OPT_VERBOSE, '-', "Output status while generating keys" },
{ "quiet", OPT_QUIET, '-', "Do not output status while generating keys" },
{ "pkeyopt", OPT_PKEYOPT, 's',
"Set the public key algorithm option as opt:value" },
OPT_CONFIG_OPTION,
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output (private key) file"},
{"outpubkey", OPT_OUTPUBKEY, '>', "Output public key file"},
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
{"text", OPT_TEXT, '-', "Print the private key in text"},
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
{ "out", OPT_OUT, '>', "Output (private key) file" },
{ "outpubkey", OPT_OUTPUBKEY, '>', "Output public key file" },
{ "outform", OPT_OUTFORM, 'F', "output format (DER or PEM)" },
{ "pass", OPT_PASS, 's', "Output file pass phrase source" },
{ "genparam", OPT_GENPARAM, '-', "Generate parameters, not key" },
{ "text", OPT_TEXT, '-', "Print the private key in text" },
{ "", OPT_CIPHER, '-', "Cipher to use to encrypt the key" },
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
/* This is deliberately last. */
{OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n"},
{NULL}
{ OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n" },
{ NULL }
};
static const char *param_datatype_2name(unsigned int type, int *ishex)
@@ -64,11 +76,17 @@ static const char *param_datatype_2name(unsigned int type, int *ishex)
*ishex = 0;
switch (type) {
case OSSL_PARAM_INTEGER: return "int";
case OSSL_PARAM_UNSIGNED_INTEGER: return "uint";
case OSSL_PARAM_REAL: return "float";
case OSSL_PARAM_OCTET_STRING: *ishex = 1; return "string";
case OSSL_PARAM_UTF8_STRING: return "string";
case OSSL_PARAM_INTEGER:
return "int";
case OSSL_PARAM_UNSIGNED_INTEGER:
return "uint";
case OSSL_PARAM_REAL:
return "float";
case OSSL_PARAM_OCTET_STRING:
*ishex = 1;
return "string";
case OSSL_PARAM_UTF8_STRING:
return "string";
default:
return NULL;
}
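Review bot: param_datatype_2name() returns "string" for both OSSL_PARAM_OCTET_STRING and OSSL_PARAM_UTF8_STRING and distinguishes them only through *ishex, and it returns NULL for any other type; neither behaviour is documented at the function. Add a short comment above it stating that callers must check for NULL and consult *ishex.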
@@ -129,7 +147,7 @@ int genpkey_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -294,7 +312,7 @@ int genpkey_main(int argc, char **argv)
}
}
end:
end:
sk_OPENSSL_STRING_free(keyopt);
if (ret != 0) {
ERR_print_errors(bio_err);
@@ -303,13 +321,13 @@ int genpkey_main(int argc, char **argv)
rv = mem_bio_to_file(mem_outpubkey, outpubkeyfile, outformat, private);
if (!rv)
BIO_printf(bio_err, "Error writing to outpubkey: '%s'. Error: %s\n",
outpubkeyfile, strerror(errno));
outpubkeyfile, strerror(errno));
}
if (mem_out != NULL) {
rv = mem_bio_to_file(mem_out, outfile, outformat, private);
if (!rv)
BIO_printf(bio_err, "Error writing to outfile: '%s'. Error: %s\n",
outfile, strerror(errno));
outfile, strerror(errno));
}
}
EVP_PKEY_free(pkey);
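Review bot: Both failure messages print strerror(errno) after mem_bio_to_file() returns 0, but nothing in this hunk shows that the failure came from a libc call that set errno, so the text may describe an unrelated earlier error. Consider reporting the OpenSSL error queue on these paths, or documenting that mem_bio_to_file() leaves a meaningful errno on failure.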
@@ -324,7 +342,7 @@ int genpkey_main(int argc, char **argv)
}
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
OSSL_LIB_CTX *libctx, const char *propq)
OSSL_LIB_CTX *libctx, const char *propq)
{
BIO *pbio;
EVP_PKEY *pkey = NULL;
@@ -360,18 +378,17 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
*pctx = ctx;
return 1;
err:
err:
BIO_puts(bio_err, "Error initializing context\n");
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
return 0;
}
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq)
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY_CTX *ctx = NULL;
int pkey_id;
@@ -400,11 +417,9 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
*pctx = ctx;
return 1;
err:
err:
BIO_printf(bio_err, "Error initializing %s context\n", algname);
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);
return 0;
}
+34 -27
View File
@@ -34,43 +34,51 @@ typedef enum OPTION_choice {
#ifndef OPENSSL_NO_DEPRECATED_3_0
OPT_3,
#endif
OPT_F4, OPT_ENGINE,
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
OPT_F4,
OPT_ENGINE,
OPT_OUT,
OPT_PASSOUT,
OPT_CIPHER,
OPT_PRIMES,
OPT_VERBOSE,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS genrsa_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
#ifndef OPENSSL_NO_DEPRECATED_3_0
{"3", OPT_3, '-', "(deprecated) Use 3 for the E value"},
{ "3", OPT_3, '-', "(deprecated) Use 3 for the E value" },
#endif
{"F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
{"f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
{ "F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value" },
{ "f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output the key to specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{ "out", OPT_OUT, '>', "Output the key to specified file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "primes", OPT_PRIMES, 'p', "Specify number of primes" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys" },
{ "", OPT_CIPHER, '-', "Encrypt the output with any supported cipher" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Size of key in bits"},
{NULL}
{ "numbits", 0, 0, "Size of key in bits" },
{ NULL }
};
int genrsa_main(int argc, char **argv)
@@ -98,7 +106,7 @@ int genrsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -157,9 +165,9 @@ int genrsa_main(int argc, char **argv)
goto end;
if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, num);
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, num);
} else if (!opt_check_rest_arg(NULL)) {
goto opthelp;
}
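Review bot: The RSA size warning is user-facing text and reads awkwardly: "more than %d bit" and "may behave not as expected". Since these lines are being touched anyway, consider "more than %d bits" and "may not behave as expected", and keep the matching DSA message in gendsa consistent. The check also only warns when num > OPENSSL_RSA_MAX_MODULUS_BITS and does not stop; a comment stating that this is intentional would help.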
@@ -180,7 +188,7 @@ int genrsa_main(int argc, char **argv)
goto end;
if (!init_gen_str(&ctx, "RSA", eng, 0, app_get0_libctx(),
app_get0_propq()))
app_get0_propq()))
goto end;
if (verbose)
@@ -227,7 +235,7 @@ int genrsa_main(int argc, char **argv)
}
if (traditional) {
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
NULL, passout))
NULL, passout))
goto end;
} else {
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
@@ -235,7 +243,7 @@ int genrsa_main(int argc, char **argv)
}
ret = 0;
end:
end:
BN_free(bn);
BN_GENCB_free(cb);
EVP_PKEY_CTX_free(ctx);
@@ -248,4 +256,3 @@ int genrsa_main(int argc, char **argv)
ERR_print_errors(bio_err);
return ret;
}
+2 -2
View File
@@ -8,9 +8,9 @@
*/
#ifndef OSSL_APPS_LIBCTX_H
# define OSSL_APPS_LIBCTX_H
#define OSSL_APPS_LIBCTX_H
# include <openssl/types.h>
#include <openssl/types.h>
OSSL_LIB_CTX *app_create_libctx(void);
OSSL_LIB_CTX *app_get0_libctx(void);
-1
View File
@@ -11,4 +11,3 @@
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent);
void print_param_value(const OSSL_PARAM *p, int indent);
+123 -123
View File
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,42 +8,42 @@
*/
#ifndef OSSL_APPS_H
# define OSSL_APPS_H
#define OSSL_APPS_H
# include "internal/common.h" /* for HAS_PREFIX */
# include "internal/nelem.h"
# include <assert.h>
#include "internal/common.h" /* for HAS_PREFIX */
#include "internal/nelem.h"
#include <assert.h>
# include <stdarg.h>
# include <sys/types.h>
# ifndef OPENSSL_NO_POSIX_IO
# include <sys/stat.h>
# include <fcntl.h>
# endif
#include <stdarg.h>
#include <sys/types.h>
#ifndef OPENSSL_NO_POSIX_IO
#include <sys/stat.h>
#include <fcntl.h>
#endif
# include <openssl/e_os2.h>
# include <openssl/types.h>
# include <openssl/bio.h>
# include <openssl/x509.h>
# include <openssl/conf.h>
# include <openssl/txt_db.h>
# include <openssl/engine.h>
# include <openssl/ocsp.h>
# include <openssl/http.h>
# include <signal.h>
# include "apps_ui.h"
# include "opt.h"
# include "fmt.h"
# include "platform.h"
# include "engine_loader.h"
# include "app_libctx.h"
#include <openssl/e_os2.h>
#include <openssl/types.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/txt_db.h>
#include <openssl/engine.h>
#include <openssl/ocsp.h>
#include <openssl/http.h>
#include <signal.h>
#include "apps_ui.h"
#include "opt.h"
#include "fmt.h"
#include "platform.h"
#include "engine_loader.h"
#include "app_libctx.h"
/*
* quick macro when you need to pass an unsigned char instead of a char.
* this is true for some implementations of the is*() functions, for
* example.
*/
# define _UC(c) ((unsigned char)(c))
#define _UC(c) ((unsigned char)(c))
void app_RAND_load_conf(CONF *c, const char *section);
int app_RAND_write(void);
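Review bot: The macro name _UC starts with an underscore followed by an uppercase letter, which the C standard reserves for the implementation. The line is already being rewritten here, so renaming it (together with its call sites) to a non-reserved name would be cheap now or in a follow-up. With the preprocessor indentation removed, the includes guarded by OPENSSL_NO_POSIX_IO also no longer show their nesting; a trailing comment on that #endif would restore it.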
@@ -66,30 +66,30 @@ BIO *bio_open_default_quiet(const char *filename, char mode, int format);
int mem_bio_to_file(BIO *in, const char *filename, int format, int private);
char *app_conf_try_string(const CONF *cnf, const char *group, const char *name);
int app_conf_try_number(const CONF *conf, const char *group, const char *name,
long *result);
long *result);
CONF *app_load_config_bio(BIO *in, const char *filename);
# define app_load_config(filename) app_load_config_internal(filename, 0)
# define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
#define app_load_config(filename) app_load_config_internal(filename, 0)
#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
CONF *app_load_config_internal(const char *filename, int quiet);
CONF *app_load_config_verbose(const char *filename, int verbose);
int app_load_modules(const CONF *config);
CONF *app_load_config_modules(const char *configfile);
void unbuffer(FILE *fp);
void wait_for_async(SSL *s);
# if defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_MSDOS)
int has_stdin_waiting(void);
# endif
#endif
void corrupt_signature(const ASN1_STRING *signature);
/* Helpers for setting X509v3 certificate fields notBefore and notAfter */
int check_cert_time_string(const char *time, const char *desc);
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
int days, int strict_compare_times);
int days, int strict_compare_times);
int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
long days, long hours, long secs);
long days, long hours, long secs);
typedef struct args_st {
int size;
@@ -106,7 +106,7 @@ int progress_cb(EVP_PKEY_CTX *ctx);
void dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, const X509_NAME *nm);
void print_bignum_var(BIO *, const BIGNUM *, const char *,
int, unsigned char *);
int, unsigned char *);
void print_array(BIO *, const char *, int, const unsigned char *);
int set_nameopt(const char *arg);
unsigned long get_nameopt(void);
@@ -120,52 +120,52 @@ int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
X509_REQ *load_csr(const char *file, int format, const char *desc);
X509_REQ *load_csr_autofmt(const char *infile, int format,
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
STACK_OF(OPENSSL_STRING) *vfyopts, const char *desc);
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc);
# define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
const char *pass, const char *desc);
#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
const char *desc);
const char *desc);
void cleanse(char *str);
void clear_free(char *str);
EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
const char *pass, ENGINE *e, const char *desc);
/* first try reading public key, on failure resort to loading private key */
EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *desc);
const char *pass, ENGINE *e, const char *desc);
EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
const char *keytype, const char *desc);
const char *keytype, const char *desc);
EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
const char *keytype, const char *desc,
int suppress_decode_errors);
const char *keytype, const char *desc,
int suppress_decode_errors);
char *next_item(char *opt); /* in list separated by comma and/or space */
int load_cert_certs(const char *uri,
X509 **pcert, STACK_OF(X509) **pcerts,
int exclude_http, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
X509 **pcert, STACK_OF(X509) **pcerts,
int exclude_http, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
const char *desc, X509_VERIFY_PARAM *vpm);
const char *desc, X509_VERIFY_PARAM *vpm);
X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
X509_VERIFY_PARAM *vpm);
X509_VERIFY_PARAM *vpm);
int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
const char *pass, const char *desc);
const char *pass, const char *desc);
int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
const char *pass, const char *desc);
const char *pass, const char *desc);
int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
const char *pass, const char *desc, int quiet,
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
EVP_PKEY **pparams,
X509 **pcert, STACK_OF(X509) **pcerts,
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
const char *pass, const char *desc, int quiet,
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
EVP_PKEY **pparams,
X509 **pcert, STACK_OF(X509) **pcerts,
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
__owur int ctx_set_verify_locations(SSL_CTX *ctx,
const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
# ifndef OPENSSL_NO_CT
#ifndef OPENSSL_NO_CT
/*
* Sets the file to load the Certificate Transparency log list from.
@@ -174,10 +174,10 @@ __owur int ctx_set_verify_locations(SSL_CTX *ctx,
*/
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
# endif
#endif
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug);
# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
#define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
void release_engine(ENGINE *e);
int init_engine(ENGINE *e);
int finish_engine(ENGINE *e);
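Review bot: setup_engine() passes (unsigned int)-1 as the methods argument of setup_engine_methods() with no comment on what an all-bits-set mask selects. A named constant or a one-line comment next to the macro would make the intent clear to readers of this header.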
@@ -187,30 +187,30 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
const EVP_MD *get_digest_from_engine(const char *name);
const EVP_CIPHER *get_cipher_from_engine(const char *name);
# ifndef OPENSSL_NO_OCSP
#ifndef OPENSSL_NO_OCSP
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
# endif
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
#endif
/* Functions defined in ca.c and also used in ocsp.c */
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
# define DB_type 0
# define DB_exp_date 1
# define DB_rev_date 2
# define DB_serial 3 /* index - unique */
# define DB_file 4
# define DB_name 5 /* index - unique when active and not disabled */
# define DB_NUMBER 6
#define DB_type 0
#define DB_exp_date 1
#define DB_rev_date 2
#define DB_serial 3 /* index - unique */
#define DB_file 4
#define DB_name 5 /* index - unique when active and not disabled */
#define DB_NUMBER 6
# define DB_TYPE_REV 'R' /* Revoked */
# define DB_TYPE_EXP 'E' /* Expired */
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
# define DB_TYPE_SUSP 'S' /* Suspended */
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
#define DB_TYPE_SUSP 'S' /* Suspended */
typedef struct db_attr_st {
int unique_subject;
@@ -219,9 +219,9 @@ typedef struct ca_db_st {
DB_ATTR attributes;
TXT_DB *db;
char *dbfname;
# ifndef OPENSSL_NO_POSIX_IO
#ifndef OPENSSL_NO_POSIX_IO
struct stat dbst;
# endif
#endif
} CA_DB;
extern int do_updatedb(CA_DB *db, time_t *now);
@@ -231,53 +231,53 @@ void *app_malloc(size_t sz, const char *what);
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
ASN1_INTEGER **retai);
ASN1_INTEGER **retai);
int save_serial(const char *serialfile, const char *suffix,
const BIGNUM *serial, ASN1_INTEGER **retai);
const BIGNUM *serial, ASN1_INTEGER **retai);
int rotate_serial(const char *serialfile, const char *new_suffix,
const char *old_suffix);
const char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
int index_index(CA_DB *db);
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
int rotate_index(const char *dbfile, const char *new_suffix,
const char *old_suffix);
const char *old_suffix);
void free_index(CA_DB *db);
# define index_name_cmp_noconst(a, b) \
#define index_name_cmp_noconst(a, b) \
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
int parse_yesno(const char *str, int def);
X509_NAME *parse_name(const char *str, int chtype, int multirdn,
const char *desc);
const char *desc);
void policies_print(X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
int x509_ctrl_string(X509 *x, const char *value);
int x509_req_ctrl_string(X509_REQ *x, const char *value);
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
int do_X509_sign(X509 *x, int force_v1, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
STACK_OF(OPENSSL_STRING) *vfyopts);
STACK_OF(OPENSSL_STRING) *vfyopts);
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
STACK_OF(OPENSSL_STRING) *sigopts);
extern char *psk_key;
unsigned char *next_protos_parse(size_t *outlen, const char *in);
int check_cert_attributes(BIO *bio, X509 *x,
const char *checkhost, const char *checkemail,
const char *checkip, int print);
const char *checkhost, const char *checkemail,
const char *checkip, int print);
void store_setup_crl_download(X509_STORE *st);
@@ -289,38 +289,38 @@ typedef struct app_http_tls_info_st {
SSL_CTX *ssl_ctx;
} APP_HTTP_TLS_INFO;
BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
int connect, int detail);
int connect, int detail);
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it);
# endif
const char *path, const char *proxy,
const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it);
#endif
# define EXT_COPY_NONE 0
# define EXT_COPY_ADD 1
# define EXT_COPY_ALL 2
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
#define EXT_COPY_ALL 2
# define NETSCAPE_CERT_HDR "certificate"
#define NETSCAPE_CERT_HDR "certificate"
# define APP_PASS_LEN 1024
#define APP_PASS_LEN 1024
/*
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
* so that the first bit will never be one, so that the DER encoding
* rules won't force a leading octet.
*/
# define SERIAL_RAND_BITS 159
#define SERIAL_RAND_BITS 159
int app_isdir(const char *);
int app_access(const char *, int flag);
@@ -329,8 +329,8 @@ int fileno_stdout(void);
int raw_read_stdin(void *, int);
int raw_write_stdout(const void *, int);
# define TM_START 0
# define TM_STOP 1
#define TM_START 0
#define TM_STOP 1
double app_tminterval(int stop, int usertime);
void make_uppercase(char *string);
@@ -345,7 +345,7 @@ typedef struct verify_options_st {
extern VERIFY_CB_ARGS verify_args;
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
const OSSL_PARAM *paramdefs);
const OSSL_PARAM *paramdefs);
void app_params_free(OSSL_PARAM *params);
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
void app_providers_cleanup(void);
+2 -3
View File
@@ -8,10 +8,9 @@
*/
#ifndef OSSL_APPS_UI_H
# define OSSL_APPS_UI_H
#define OSSL_APPS_UI_H
# define PW_MIN_LENGTH 4
#define PW_MIN_LENGTH 4
typedef struct pw_cb_data {
const void *password;
const char *prompt_info;
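Review bot: PW_MIN_LENGTH is defined as 4 with no comment on which prompts it applies to or why that value was chosen. Add a comment next to the define, and confirm that 4 characters is still the intended minimum.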
+9 -9
View File
@@ -9,15 +9,15 @@
*/
#ifndef OSSL_APPS_CMP_MOCK_SRV_H
# define OSSL_APPS_CMP_MOCK_SRV_H
#define OSSL_APPS_CMP_MOCK_SRV_H
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CMP
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_CMP
# include <openssl/cmp.h>
#include <openssl/cmp.h>
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
const char *propq);
const char *propq);
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
@@ -25,17 +25,17 @@ int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey);
int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl);
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *chain);
STACK_OF(X509) *chain);
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *caPubs);
STACK_OF(X509) *caPubs);
int ossl_cmp_mock_srv_set1_newWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_newWithOld(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text);
int fail_info, const char *text);
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
# endif /* !defined(OPENSSL_NO_CMP) */
#endif /* !defined(OPENSSL_NO_CMP) */
#endif /* !defined(OSSL_APPS_CMP_MOCK_SRV_H) */
+4 -4
View File
@@ -7,13 +7,13 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_ENGINE_LOADER_H
# define HEADER_ENGINE_LOADER_H
#define HEADER_ENGINE_LOADER_H
# include <openssl/store.h>
#include <openssl/store.h>
/* this is a private URI scheme */
# define ENGINE_SCHEME "org.openssl.engine"
# define ENGINE_SCHEME_COLON ENGINE_SCHEME ":"
#define ENGINE_SCHEME "org.openssl.engine"
#define ENGINE_SCHEME_COLON ENGINE_SCHEME ":"
int setup_engine_loader(void);
void destroy_engine_loader(void);
+16 -16
View File
@@ -23,22 +23,22 @@
* contents. The FORMAT_xxx macros are meant to express an intent with the
* file being read or created.
*/
# define B_FORMAT_TEXT 0x8000
# define FORMAT_UNDEF 0
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
# define FORMAT_BINARY 2 /* Generic binary */
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
# define FORMAT_ASN1 4 /* ASN.1/DER */
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
# define FORMAT_PKCS12 6
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
# define FORMAT_ENGINE 8 /* Not really a file format */
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
# define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
# define FORMAT_MSBLOB 11 /* MS Key blob format */
# define FORMAT_PVK 12 /* MS PVK file format */
# define FORMAT_HTTP 13 /* Download using HTTP */
# define FORMAT_NSS 14 /* NSS keylog format */
#define B_FORMAT_TEXT 0x8000
#define FORMAT_UNDEF 0
#define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
#define FORMAT_BINARY 2 /* Generic binary */
#define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
#define FORMAT_ASN1 4 /* ASN.1/DER */
#define FORMAT_PEM (5 | B_FORMAT_TEXT)
#define FORMAT_PKCS12 6
#define FORMAT_SMIME (7 | B_FORMAT_TEXT)
#define FORMAT_ENGINE 8 /* Not really a file format */
#define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
#define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
#define FORMAT_MSBLOB 11 /* MS Key blob format */
#define FORMAT_PVK 12 /* MS PVK file format */
#define FORMAT_HTTP 13 /* Download using HTTP */
#define FORMAT_NSS 14 /* NSS keylog format */
int FMT_istext(int format);
+11 -6
View File
@@ -8,16 +8,21 @@
*/
#ifndef OSSL_APPS_FUNCTION_H
# define OSSL_APPS_FUNCTION_H
#define OSSL_APPS_FUNCTION_H
# include <openssl/lhash.h>
# include "opt.h"
#include <openssl/lhash.h>
#include "opt.h"
#define DEPRECATED_NO_ALTERNATIVE "unknown"
#define DEPRECATED_NO_ALTERNATIVE "unknown"
typedef enum FUNC_TYPE {
FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
FT_md_alg, FT_cipher_alg
FT_none,
FT_general,
FT_md,
FT_cipher,
FT_pkey,
FT_md_alg,
FT_cipher_alg
} FUNC_TYPE;
typedef struct function_st {
+32 -32
View File
@@ -8,35 +8,35 @@
*/
#ifndef OSSL_HTTP_SERVER_H
# define OSSL_HTTP_SERVER_H
#define OSSL_HTTP_SERVER_H
# include "apps.h"
# include "log.h"
#include "apps.h"
#include "log.h"
# ifndef HAVE_FORK
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
# define HAVE_FORK 0
# else
# define HAVE_FORK 1
# endif
# endif
#ifndef HAVE_FORK
#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
#define HAVE_FORK 0
#else
#define HAVE_FORK 1
#endif
#endif
# if HAVE_FORK
# undef NO_FORK
# else
# define NO_FORK
# endif
#if HAVE_FORK
#undef NO_FORK
#else
#define NO_FORK
#endif
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
# define HTTP_DAEMON
# include <sys/types.h>
# include <sys/wait.h>
# include <signal.h>
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
# endif
#define HTTP_DAEMON
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
#endif
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
/*-
* Initialize an HTTP server, setting up its listening BIO
* prog: the name of the current app
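Review bot: With the indentation inside the conditionals removed, the nested HAVE_FORK block (#ifndef HAVE_FORK, then #if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)) ends in two bare #endif lines, and it is hard to tell which closes which. Add trailing comments on the #endif lines, as cmp_mock_srv.h does with #endif /* !defined(OPENSSL_NO_CMP) */.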
@@ -66,9 +66,9 @@ BIO *http_server_init(const char *prog, const char *port, int verbosity);
* The caller must free any non-NULL *preq, *ppath, and *pcbio pointers.
*/
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout);
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout);
/*-
* Send an ASN.1-formatted HTTP response
@@ -82,8 +82,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
* returns 1 on success, 0 on failure
*/
int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp);
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp);
/*-
* Send a trivial HTTP response, typically to report an error or OK
@@ -94,16 +94,16 @@ int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
* returns 1 on success, 0 on failure
*/
int http_server_send_status(const char *prog, BIO *cbio,
int status, const char *reason);
int status, const char *reason);
# endif
#endif
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
extern int n_responders;
extern int acfd;
void socket_timeout(int signum);
void spawn_loop(const char *prog);
# endif
#endif
#endif
+17 -17
View File
@@ -8,25 +8,25 @@
*/
#ifndef OSSL_APPS_LOG_H
# define OSSL_APPS_LOG_H
#define OSSL_APPS_LOG_H
# include <openssl/bio.h>
# if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) \
#include <openssl/bio.h>
#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) \
&& !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_POSIX_IO)
# include <syslog.h>
# else
# define LOG_EMERG 0
# define LOG_ALERT 1
# define LOG_CRIT 2
# define LOG_ERR 3
# define LOG_WARNING 4
# define LOG_NOTICE 5
# define LOG_INFO 6
# define LOG_DEBUG 7
# endif
#include <syslog.h>
#else
#define LOG_EMERG 0
#define LOG_ALERT 1
#define LOG_CRIT 2
#define LOG_ERR 3
#define LOG_WARNING 4
#define LOG_NOTICE 5
#define LOG_INFO 6
#define LOG_DEBUG 7
#endif
# undef LOG_TRACE
# define LOG_TRACE (LOG_DEBUG + 1)
#undef LOG_TRACE
#define LOG_TRACE (LOG_DEBUG + 1)
int log_set_verbosity(const char *prog, int level);
int log_get_verbosity(void);
@@ -45,6 +45,6 @@ int log_get_verbosity(void);
* returns nothing
*/
void trace_log_message(int category,
const char *prog, int level, const char *fmt, ...);
const char *prog, int level, const char *fmt, ...);
#endif /* OSSL_APPS_LOG_H */
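Review bot: `trace_log_message()` takes `const char *fmt, ...` but the prototype carries no compiler format-checking annotation, so a mismatch between the format string and its arguments would not be caught at build time. If `fmt` is printf-style, consider annotating the declaration while this line is being touched, for example with the GCC/Clang `format(printf, 4, 5)` attribute behind a portability macro.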
+1 -1
@@ -10,7 +10,7 @@
#include <openssl/safestack.h>
/* Standard comparing function for names */
int name_cmp(const char * const *a, const char * const *b);
int name_cmp(const char *const *a, const char *const *b);
/* collect_names is meant to be used with EVP_{type}_doall_names */
void collect_names(const char *name, void *vdata);
/* Sorts and prints a stack of names to |out| */
+289 -282
@@ -19,301 +19,312 @@
/*
* Common verification options.
*/
# define OPT_V_ENUM \
OPT_V__FIRST=2000, \
OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
OPT_V__LAST
#define OPT_V_ENUM \
OPT_V__FIRST = 2000, \
OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
OPT_V__LAST
# define OPT_V_OPTIONS \
OPT_SECTION("Validation"), \
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
{ "purpose", OPT_V_PURPOSE, 's', \
"certificate chain purpose"}, \
{ "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
{ "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
"chain depth limit" }, \
{ "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
"chain authentication security level" }, \
{ "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
{ "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
"expected peer hostname" }, \
{ "verify_email", OPT_V_VERIFY_EMAIL, 's', \
"expected peer email" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's', \
"expected peer IP address" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"permit unhandled critical extensions"}, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
{ "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
"set policy variable require-explicit-policy"}, \
{ "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
"set policy variable inhibit-any-policy"}, \
{ "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
"set policy variable inhibit-policy-mapping"}, \
{ "x509_strict", OPT_V_X509_STRICT, '-', \
"disable certificate compatibility work-arounds"}, \
{ "extended_crl", OPT_V_EXTENDED_CRL, '-', \
"enable extended CRL features"}, \
{ "use_deltas", OPT_V_USE_DELTAS, '-', \
"use delta CRLs"}, \
{ "policy_print", OPT_V_POLICY_PRINT, '-', \
"print policy processing diagnostics"}, \
{ "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
"check root CA self-signatures"}, \
{ "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
"search trust store first (default)" }, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
{ "suiteB_128", OPT_V_SUITEB_128, '-', \
"Suite B 128-bit mode allowing 192-bit algorithms"}, \
{ "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"accept chains anchored by intermediate trust-store CAs"}, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
#define OPT_V_OPTIONS \
OPT_SECTION("Validation"), \
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set" }, \
{ "purpose", OPT_V_PURPOSE, 's', \
"certificate chain purpose" }, \
{ "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name" }, \
{ "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
"chain depth limit" }, \
{ "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
"chain authentication security level" }, \
{ "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
{ "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
"expected peer hostname" }, \
{ "verify_email", OPT_V_VERIFY_EMAIL, 's', \
"expected peer email" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's', \
"expected peer IP address" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"permit unhandled critical extensions" }, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)" }, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks" }, \
{ "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
"set policy variable require-explicit-policy" }, \
{ "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
"set policy variable inhibit-any-policy" }, \
{ "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
"set policy variable inhibit-policy-mapping" }, \
{ "x509_strict", OPT_V_X509_STRICT, '-', \
"disable certificate compatibility work-arounds" }, \
{ "extended_crl", OPT_V_EXTENDED_CRL, '-', \
"enable extended CRL features" }, \
{ "use_deltas", OPT_V_USE_DELTAS, '-', \
"use delta CRLs" }, \
{ "policy_print", OPT_V_POLICY_PRINT, '-', \
"print policy processing diagnostics" }, \
{ "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
"check root CA self-signatures" }, \
{ "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
"search trust store first (default)" }, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode" }, \
{ "suiteB_128", OPT_V_SUITEB_128, '-', \
"Suite B 128-bit mode allowing 192-bit algorithms" }, \
{ "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"accept chains anchored by intermediate trust-store CAs" }, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
{ "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
{ "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
# define OPT_V_CASES \
OPT_V__FIRST: case OPT_V__LAST: break; \
case OPT_V_POLICY: \
case OPT_V_PURPOSE: \
case OPT_V_VERIFY_NAME: \
case OPT_V_VERIFY_DEPTH: \
case OPT_V_VERIFY_AUTH_LEVEL: \
case OPT_V_ATTIME: \
case OPT_V_VERIFY_HOSTNAME: \
case OPT_V_VERIFY_EMAIL: \
case OPT_V_VERIFY_IP: \
case OPT_V_IGNORE_CRITICAL: \
case OPT_V_ISSUER_CHECKS: \
case OPT_V_CRL_CHECK: \
case OPT_V_CRL_CHECK_ALL: \
case OPT_V_POLICY_CHECK: \
case OPT_V_EXPLICIT_POLICY: \
case OPT_V_INHIBIT_ANY: \
case OPT_V_INHIBIT_MAP: \
case OPT_V_X509_STRICT: \
case OPT_V_EXTENDED_CRL: \
case OPT_V_USE_DELTAS: \
case OPT_V_POLICY_PRINT: \
case OPT_V_CHECK_SS_SIG: \
case OPT_V_TRUSTED_FIRST: \
case OPT_V_SUITEB_128_ONLY: \
case OPT_V_SUITEB_128: \
case OPT_V_SUITEB_192: \
case OPT_V_PARTIAL_CHAIN: \
case OPT_V_NO_ALT_CHAINS: \
case OPT_V_NO_CHECK_TIME: \
case OPT_V_ALLOW_PROXY_CERTS
#define OPT_V_CASES \
OPT_V__FIRST: \
case OPT_V__LAST: \
break; \
case OPT_V_POLICY: \
case OPT_V_PURPOSE: \
case OPT_V_VERIFY_NAME: \
case OPT_V_VERIFY_DEPTH: \
case OPT_V_VERIFY_AUTH_LEVEL: \
case OPT_V_ATTIME: \
case OPT_V_VERIFY_HOSTNAME: \
case OPT_V_VERIFY_EMAIL: \
case OPT_V_VERIFY_IP: \
case OPT_V_IGNORE_CRITICAL: \
case OPT_V_ISSUER_CHECKS: \
case OPT_V_CRL_CHECK: \
case OPT_V_CRL_CHECK_ALL: \
case OPT_V_POLICY_CHECK: \
case OPT_V_EXPLICIT_POLICY: \
case OPT_V_INHIBIT_ANY: \
case OPT_V_INHIBIT_MAP: \
case OPT_V_X509_STRICT: \
case OPT_V_EXTENDED_CRL: \
case OPT_V_USE_DELTAS: \
case OPT_V_POLICY_PRINT: \
case OPT_V_CHECK_SS_SIG: \
case OPT_V_TRUSTED_FIRST: \
case OPT_V_SUITEB_128_ONLY: \
case OPT_V_SUITEB_128: \
case OPT_V_SUITEB_192: \
case OPT_V_PARTIAL_CHAIN: \
case OPT_V_NO_ALT_CHAINS: \
case OPT_V_NO_CHECK_TIME: \
case OPT_V_ALLOW_PROXY_CERTS
/*
* Common "extended validation" options.
*/
# define OPT_X_ENUM \
OPT_X__FIRST=1000, \
OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
OPT_X_CERTFORM, OPT_X_KEYFORM, \
OPT_X__LAST
#define OPT_X_ENUM \
OPT_X__FIRST = 1000, \
OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
OPT_X_CERTFORM, OPT_X_KEYFORM, \
OPT_X__LAST
# define OPT_X_OPTIONS \
OPT_SECTION("Extended certificate"), \
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates"}, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
#define OPT_X_OPTIONS \
OPT_SECTION("Extended certificate"), \
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates" }, \
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates" }, \
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates" }, \
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
"build certificate chain for the extended certificates" }, \
{ "xcertform", OPT_X_CERTFORM, 'F', \
"format of Extended certificate (PEM/DER/P12); has no effect" }, \
{ "xkeyform", OPT_X_KEYFORM, 'F', \
"format of Extended certificate's key (DER/PEM/P12); has no effect"}
{ "xkeyform", OPT_X_KEYFORM, 'F', \
"format of Extended certificate's key (DER/PEM/P12); has no effect" }
# define OPT_X_CASES \
OPT_X__FIRST: case OPT_X__LAST: break; \
case OPT_X_KEY: \
case OPT_X_CERT: \
case OPT_X_CHAIN: \
case OPT_X_CHAIN_BUILD: \
case OPT_X_CERTFORM: \
case OPT_X_KEYFORM
#define OPT_X_CASES \
OPT_X__FIRST: \
case OPT_X__LAST: \
break; \
case OPT_X_KEY: \
case OPT_X_CERT: \
case OPT_X_CHAIN: \
case OPT_X_CHAIN_BUILD: \
case OPT_X_CERTFORM: \
case OPT_X_KEYFORM
/*
* Common SSL options.
* Any changes here must be coordinated with ../ssl/ssl_conf.c
*/
# define OPT_S_ENUM \
OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, \
OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PREFER_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, \
OPT_S_NO_EMS, \
OPT_S_NO_TX_CERT_COMP, \
OPT_S_NO_RX_CERT_COMP, \
OPT_S__LAST
#define OPT_S_ENUM \
OPT_S__FIRST = 3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, \
OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PREFER_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, \
OPT_S_NO_EMS, \
OPT_S_NO_TX_CERT_COMP, \
OPT_S_NO_RX_CERT_COMP, \
OPT_S__LAST
# define OPT_S_OPTIONS \
OPT_SECTION("TLS/SSL"), \
{"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
{"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
{"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
{"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
{"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
{"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
{"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{"no_tx_cert_comp", OPT_S_NO_TX_CERT_COMP, '-', "Disable sending TLSv1.3 compressed certificates" }, \
{"no_rx_cert_comp", OPT_S_NO_RX_CERT_COMP, '-', "Disable receiving TLSv1.3 compressed certificates" }, \
{"no_ticket", OPT_S_NOTICKET, '-', \
"Disable use of TLS session tickets"}, \
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)"}, \
{"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
"Allow client-initiated renegotiation" }, \
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation."}, \
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
"Allow initial connection to servers that don't support RI"}, \
{"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
"Disallow session resumption on renegotiation"}, \
{"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
"Disallow initial connection to servers that don't support RI"}, \
{"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
"In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \
{"prefer_no_dhe_kex", OPT_S_PREFER_NO_DHE_KEX, '-', \
"In TLSv1.3 prefer non-(ec)dhe over (ec)dhe-based key exchange on resumption"}, \
{"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
"Prioritize ChaCha ciphers when preferred by clients"}, \
{"strict", OPT_S_STRICT, '-', \
"Enforce strict certificate checks as per TLS standard"}, \
{"sigalgs", OPT_S_SIGALGS, 's', \
"Signature algorithms to support (colon-separated list)" }, \
{"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
"Signature algorithms to support for client certificate" \
" authentication (colon-separated list)" }, \
{"groups", OPT_S_GROUPS, 's', \
"Groups to advertise (colon-separated list)" }, \
{"curves", OPT_S_CURVES, 's', \
"Groups to advertise (colon-separated list)" }, \
{"named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \
{"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
{"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes"}, \
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
"Disable TLSv1.3 middlebox compat mode" }, \
{"no_etm", OPT_S_NO_ETM, '-', \
"Disable Encrypt-then-Mac extension"}, \
{"no_ems", OPT_S_NO_EMS, '-', \
"Disable Extended master secret extension"}
#define OPT_S_OPTIONS \
OPT_SECTION("TLS/SSL"), \
{ "no_ssl3", OPT_S_NOSSL3, '-', "Just disable SSLv3" }, \
{ "no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1" }, \
{ "no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
{ "no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2" }, \
{ "no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3" }, \
{ "bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility" }, \
{ "no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{ "comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{ "no_tx_cert_comp", OPT_S_NO_TX_CERT_COMP, '-', "Disable sending TLSv1.3 compressed certificates" }, \
{ "no_rx_cert_comp", OPT_S_NO_RX_CERT_COMP, '-', "Disable receiving TLSv1.3 compressed certificates" }, \
{ "no_ticket", OPT_S_NOTICKET, '-', \
"Disable use of TLS session tickets" }, \
{ "serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences" }, \
{ "legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)" }, \
{ "client_renegotiation", OPT_S_CLIENTRENEG, '-', \
"Allow client-initiated renegotiation" }, \
{ "no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation." }, \
{ "legacy_server_connect", OPT_S_LEGACYCONN, '-', \
"Allow initial connection to servers that don't support RI" }, \
{ "no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
"Disallow session resumption on renegotiation" }, \
{ "no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
"Disallow initial connection to servers that don't support RI" }, \
{ "allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
"In TLSv1.3 allow non-(ec)dhe based key exchange on resumption" }, \
{ "prefer_no_dhe_kex", OPT_S_PREFER_NO_DHE_KEX, '-', \
"In TLSv1.3 prefer non-(ec)dhe over (ec)dhe-based key exchange on resumption" }, \
{ "prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
"Prioritize ChaCha ciphers when preferred by clients" }, \
{ "strict", OPT_S_STRICT, '-', \
"Enforce strict certificate checks as per TLS standard" }, \
{ "sigalgs", OPT_S_SIGALGS, 's', \
"Signature algorithms to support (colon-separated list)" }, \
{ "client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
"Signature algorithms to support for client certificate" \
" authentication (colon-separated list)" }, \
{ "groups", OPT_S_GROUPS, 's', \
"Groups to advertise (colon-separated list)" }, \
{ "curves", OPT_S_CURVES, 's', \
"Groups to advertise (colon-separated list)" }, \
{ "named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \
{ "cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used" }, \
{ "ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used" }, \
{ "min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used" }, \
{ "max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used" }, \
{ "record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to." }, \
{ "debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes" }, \
{ "no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
"Disable TLSv1.3 middlebox compat mode" }, \
{ "no_etm", OPT_S_NO_ETM, '-', \
"Disable Encrypt-then-Mac extension" }, \
{ "no_ems", OPT_S_NO_EMS, '-', \
"Disable Extended master secret extension" }
# define OPT_S_CASES \
OPT_S__FIRST: case OPT_S__LAST: break; \
case OPT_S_NOSSL3: \
case OPT_S_NOTLS1: \
case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \
case OPT_S_NOTLS1_3: \
case OPT_S_BUGS: \
case OPT_S_NO_COMP: \
case OPT_S_COMP: \
case OPT_S_NO_TX_CERT_COMP: \
case OPT_S_NO_RX_CERT_COMP: \
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
case OPT_S_ALLOW_NO_DHE_KEX: \
case OPT_S_PREFER_NO_DHE_KEX: \
case OPT_S_PRIORITIZE_CHACHA: \
case OPT_S_STRICT: \
case OPT_S_SIGALGS: \
case OPT_S_CLIENTSIGALGS: \
case OPT_S_GROUPS: \
case OPT_S_CURVES: \
case OPT_S_NAMEDCURVE: \
case OPT_S_CIPHER: \
case OPT_S_CIPHERSUITES: \
case OPT_S_RECORD_PADDING: \
case OPT_S_NO_RENEGOTIATION: \
case OPT_S_MINPROTO: \
case OPT_S_MAXPROTO: \
case OPT_S_DEBUGBROKE: \
case OPT_S_NO_MIDDLEBOX: \
case OPT_S_NO_ETM: \
case OPT_S_NO_EMS
#define OPT_S_CASES \
OPT_S__FIRST: \
case OPT_S__LAST: \
break; \
case OPT_S_NOSSL3: \
case OPT_S_NOTLS1: \
case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \
case OPT_S_NOTLS1_3: \
case OPT_S_BUGS: \
case OPT_S_NO_COMP: \
case OPT_S_COMP: \
case OPT_S_NO_TX_CERT_COMP: \
case OPT_S_NO_RX_CERT_COMP: \
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
case OPT_S_ALLOW_NO_DHE_KEX: \
case OPT_S_PREFER_NO_DHE_KEX: \
case OPT_S_PRIORITIZE_CHACHA: \
case OPT_S_STRICT: \
case OPT_S_SIGALGS: \
case OPT_S_CLIENTSIGALGS: \
case OPT_S_GROUPS: \
case OPT_S_CURVES: \
case OPT_S_NAMEDCURVE: \
case OPT_S_CIPHER: \
case OPT_S_CIPHERSUITES: \
case OPT_S_RECORD_PADDING: \
case OPT_S_NO_RENEGOTIATION: \
case OPT_S_MINPROTO: \
case OPT_S_MAXPROTO: \
case OPT_S_DEBUGBROKE: \
case OPT_S_NO_MIDDLEBOX: \
case OPT_S_NO_ETM: \
case OPT_S_NO_EMS
#define IS_NO_PROT_FLAG(o) \
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|| o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
#define IS_NO_PROT_FLAG(o) \
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|| o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
/*
* Random state options.
*/
# define OPT_R_ENUM \
OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
#define OPT_R_ENUM \
OPT_R__FIRST = 1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
# define OPT_R_OPTIONS \
OPT_SECTION("Random state"), \
{"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
{"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
#define OPT_R_OPTIONS \
OPT_SECTION("Random state"), \
{ "rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, \
{ "writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" }
# define OPT_R_CASES \
OPT_R__FIRST: case OPT_R__LAST: break; \
case OPT_R_RAND: case OPT_R_WRITERAND
#define OPT_R_CASES \
OPT_R__FIRST: \
case OPT_R__LAST: \
break; \
case OPT_R_RAND: \
case OPT_R_WRITERAND
/*
* Provider options.
*/
# define OPT_PROV_ENUM \
OPT_PROV__FIRST=1600, \
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
OPT_PROV_PARAM, \
OPT_PROV__LAST
#define OPT_PROV_ENUM \
OPT_PROV__FIRST = 1600, \
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
OPT_PROV_PARAM, \
OPT_PROV__LAST
# define OPT_CONFIG_OPTION \
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
#define OPT_CONFIG_OPTION \
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
# define OPT_PROV_OPTIONS \
OPT_SECTION("Provider"), \
#define OPT_PROV_OPTIONS \
OPT_SECTION("Provider"), \
{ "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
{ "provparam", OPT_PROV_PARAM, 's', "Set a provider key-value parameter" }, \
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
{ "provparam", OPT_PROV_PARAM, 's', "Set a provider key-value parameter" }, \
{ "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
# define OPT_PROV_CASES \
OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
case OPT_PROV_PROVIDER: \
case OPT_PROV_PROVIDER_PATH: \
case OPT_PROV_PARAM: \
case OPT_PROV_PROPQUERY
#define OPT_PROV_CASES \
OPT_PROV__FIRST: \
case OPT_PROV__LAST: \
break; \
case OPT_PROV_PROVIDER: \
case OPT_PROV_PROVIDER_PATH: \
case OPT_PROV_PARAM: \
case OPT_PROV_PROPQUERY
/*
* Option parsing.
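Review bot: In `IS_NO_PROT_FLAG(o)` the argument is expanded five times and never parenthesised, so a call with an expression or a side-effecting argument would misbehave. As the macro is being re-indented here anyway, write each use as `(o)` or replace it with a small static inline function. The rest of the hunk appears to change only spacing and line breaks in the `OPT_*` tables, so comparing old and new with whitespace ignored is the quickest way to confirm that no option name, id or help string moved.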
@@ -367,27 +378,24 @@ typedef struct string_int_pair_st {
} OPT_PAIR, STRINT_PAIR;
/* Flags to pass into opt_format; see FORMAT_xxx, below. */
# define OPT_FMT_PEM (1L << 1)
# define OPT_FMT_DER (1L << 2)
# define OPT_FMT_B64 (1L << 3)
# define OPT_FMT_PKCS12 (1L << 4)
# define OPT_FMT_SMIME (1L << 5)
# define OPT_FMT_ENGINE (1L << 6)
# define OPT_FMT_MSBLOB (1L << 7)
# define OPT_FMT_NSS (1L << 8)
# define OPT_FMT_TEXT (1L << 9)
# define OPT_FMT_HTTP (1L << 10)
# define OPT_FMT_PVK (1L << 11)
#define OPT_FMT_PEM (1L << 1)
#define OPT_FMT_DER (1L << 2)
#define OPT_FMT_B64 (1L << 3)
#define OPT_FMT_PKCS12 (1L << 4)
#define OPT_FMT_SMIME (1L << 5)
#define OPT_FMT_ENGINE (1L << 6)
#define OPT_FMT_MSBLOB (1L << 7)
#define OPT_FMT_NSS (1L << 8)
#define OPT_FMT_TEXT (1L << 9)
#define OPT_FMT_HTTP (1L << 10)
#define OPT_FMT_PVK (1L << 11)
# define OPT_FMT_PEMDER (OPT_FMT_PEM | OPT_FMT_DER)
# define OPT_FMT_ASN1 (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64)
# define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
# define OPT_FMT_ANY ( \
OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | \
OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
#define OPT_FMT_PEMDER (OPT_FMT_PEM | OPT_FMT_DER)
#define OPT_FMT_ASN1 (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64)
#define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
#define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
#define OPT_FMT_ANY ( \
OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | OPT_FMT_PKCS12 | OPT_FMT_SMIME | OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
/* Divide options into sections when displaying usage */
#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
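Review bot: The new `OPT_FMT_ANY` definition joins all eleven `OPT_FMT_*` flags onto a single continuation line, which is far wider than anything else in this header and makes it hard to see at a glance which formats are included. Keep one or two flags per line as the old layout did (protecting the block from the formatter if needed), so that adding or dropping a format shows up as a one-line diff.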
@@ -440,5 +448,4 @@ int opt_check_rest_arg(const char *expected);
/* Returns non-zero if legacy paths are still available */
int opt_legacy_okay(void);
#endif /* OSSL_APPS_OPT_H */
+6 -6
@@ -8,25 +8,25 @@
*/
#ifndef OSSL_APPS_PLATFORM_H
# define OSSL_APPS_PLATFORM_H
#define OSSL_APPS_PLATFORM_H
# include <openssl/e_os2.h>
#include <openssl/e_os2.h>
# if defined(OPENSSL_SYS_VMS) && defined(__DECC)
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
/*
* VMS C only for now, implemented in vms_decc_init.c
* If other C compilers forget to terminate argv with NULL, this function
* can be reused.
*/
char **copy_argv(int *argc, char *argv[]);
# endif
#endif
# ifdef _WIN32
#ifdef _WIN32
/*
* Win32-specific argv initialization that splits OS-supplied UNICODE
* command line string to array of UTF8-encoded strings.
*/
void win32_utf8argv(int *argc, char **argv[]);
# endif
#endif
#endif
+30 -30
@@ -12,8 +12,8 @@
#include <openssl/ssl.h>
#include <openssl/srp.h>
#define PORT "4433"
#define PROTOCOL "tcp"
#define PORT "4433"
#define PROTOCOL "tcp"
#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
(SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
@@ -22,48 +22,48 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
void get_sock_info_address(int asock, char **hostname, char **service);
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo);
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo);
int verify_callback(int ok, X509_STORE_CTX *ctx);
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain);
STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_groups(BIO *out, SSL *s, int noshared);
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret);
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret);
int should_retry(int i);
void do_ssl_shutdown(SSL *ssl);
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
int argi, long argl, int ret, size_t *processed);
int argi, long argl, int ret, size_t *processed);
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
size_t len, SSL *ssl, void *arg);
size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
int len, void *arg);
int len, void *arg);
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
unsigned int *cookie_len);
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
unsigned int cookie_len);
unsigned int cookie_len);
#ifdef __VMS /* 31 char symbol name limit */
# define generate_stateless_cookie_callback generate_stateless_cookie_cb
# define verify_stateless_cookie_callback verify_stateless_cookie_cb
#ifdef __VMS /* 31 char symbol name limit */
#define generate_stateless_cookie_callback generate_stateless_cookie_cb
#define verify_stateless_cookie_callback verify_stateless_cookie_cb
#endif
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
size_t *cookie_len);
size_t *cookie_len);
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
size_t cookie_len);
size_t cookie_len);
typedef struct ssl_excert_st SSL_EXCERT;
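Review bot: The cookie callback prototypes (`generate_cookie_callback`, `generate_stateless_cookie_callback`) take an output buffer `cookie` and a length pointer but carry no comment on the buffer's capacity, and the two pairs differ in length type (`unsigned int` versus `size_t`). A one-line comment above each pair stating the bound the implementation must respect would make the contract checkable from the header; the re-indentation itself looks fine.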
@@ -75,12 +75,12 @@ void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
const char *vfyCAfile, const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
const char *chCAstore, STACK_OF(X509_CRL) *crls,
int crl_download);
const char *vfyCAfile, const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
const char *chCAstore, STACK_OF(X509_CRL) *crls,
int crl_download);
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
@@ -91,14 +91,14 @@ void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s);
typedef struct srp_arg_st {
char *srppassin;
char *srplogin;
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
} SRP_ARG;
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug);
int c_debug);
void set_up_dummy_srp(SSL_CTX *ctx);
/* The server side SRP context that we pass to all SRP related callbacks */
@@ -109,6 +109,6 @@ typedef struct srpsrvparm_st {
} srpsrvparm;
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
char *srpuserseed, char *srp_verifier_file);
char *srpuserseed, char *srp_verifier_file);
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
#endif /* OPENSSL_NO_SRP */
+6 -6
@@ -9,23 +9,23 @@
*/
#ifndef OSSL_APPS_VMS_TERM_SOCK_H
# define OSSL_APPS_VMS_TERM_SOCK_H
#define OSSL_APPS_VMS_TERM_SOCK_H
/*
** Terminal Socket Function Codes
*/
# define TERM_SOCK_CREATE 1
# define TERM_SOCK_DELETE 2
#define TERM_SOCK_CREATE 1
#define TERM_SOCK_DELETE 2
/*
** Terminal Socket Status Codes
*/
# define TERM_SOCK_FAILURE 0
# define TERM_SOCK_SUCCESS 1
#define TERM_SOCK_FAILURE 0
#define TERM_SOCK_SUCCESS 1
/*
** Terminal Socket Prototype
*/
int TerminalSocket (int FunctionCode, int *ReturnSocket);
int TerminalSocket(int FunctionCode, int *ReturnSocket);
#endif
+23 -16
@@ -13,27 +13,34 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS, OPT_WINDOWSCONTEXT
OPT_CONFIGDIR,
OPT_ENGINESDIR,
OPT_MODULESDIR,
OPT_DSOEXT,
OPT_DIRNAMESEP,
OPT_LISTSEP,
OPT_SEEDS,
OPT_CPUSETTINGS,
OPT_WINDOWSCONTEXT
} OPTION_CHOICE;
const OPTIONS info_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Output"),
{"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"},
{"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"},
{"modulesdir", OPT_MODULESDIR, '-',
"Default module directory (other than engine modules)"},
{"dsoext", OPT_DSOEXT, '-', "Configured extension for modules"},
{"dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator"},
{"listsep", OPT_LISTSEP, '-', "List separator character"},
{"seeds", OPT_SEEDS, '-', "Seed sources"},
{"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
{"windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context"},
{NULL}
{ "configdir", OPT_CONFIGDIR, '-', "Default configuration file directory" },
{ "enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory" },
{ "modulesdir", OPT_MODULESDIR, '-',
"Default module directory (other than engine modules)" },
{ "dsoext", OPT_DSOEXT, '-', "Configured extension for modules" },
{ "dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator" },
{ "listsep", OPT_LISTSEP, '-', "List separator character" },
{ "seeds", OPT_SEEDS, '-', "Seed sources" },
{ "cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info" },
{ "windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context" },
{ NULL }
};
int info_main(int argc, char **argv)
@@ -47,7 +54,7 @@ int info_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -106,6 +113,6 @@ int info_main(int argc, char **argv)
typedata = OPENSSL_info(type);
BIO_printf(bio_out, "%s\n", typedata == NULL ? "Undefined" : typedata);
ret = 0;
end:
end:
return ret;
}
+25 -20
@@ -19,37 +19,42 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
OPT_CIPHER, OPT_DIGEST, OPT_MAC,
OPT_KDFOPT,
OPT_BIN,
OPT_KEYLEN,
OPT_OUT,
OPT_CIPHER,
OPT_DIGEST,
OPT_MAC,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS kdf_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form"},
{"cipher", OPT_CIPHER, 's', "Cipher"},
{"digest", OPT_DIGEST, 's', "Digest"},
{"mac", OPT_MAC, 's', "MAC"},
{OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n"},
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form" },
{ "cipher", OPT_CIPHER, 's', "Cipher" },
{ "digest", OPT_DIGEST, 's', "Digest" },
{ "mac", OPT_MAC, 's', "MAC" },
{ OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n" },
{ "keylen", OPT_KEYLEN, 's', "The size of the output derived key" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"kdf_name", 0, 0, "Name of the KDF algorithm"},
{NULL}
{ "kdf_name", 0, 0, "Name of the KDF algorithm" },
{ NULL }
};
static char *alloc_kdf_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
const char *name, const char *arg)
const char *name, const char *arg)
{
size_t len = strlen(name) + strlen(arg) + 2;
char *res;
@@ -85,7 +90,7 @@ int kdf_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto err;
case OPT_HELP:
@@ -139,7 +144,8 @@ int kdf_main(int argc, char **argv)
goto opthelp;
if ((kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0],
app_get0_propq())) == NULL) {
app_get0_propq()))
== NULL) {
BIO_printf(bio_err, "Invalid KDF name %s\n", argv[0]);
goto opthelp;
}
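Review bot: in the `EVP_KDF_fetch` condition the reformat leaves `== NULL) {` on a line of its own after `app_get0_propq()))`, so the comparison is easy to miss when reading the call. Consider separating the assignment from the test: `kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0], app_get0_propq());` followed by `if (kdf == NULL) {`.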
@@ -150,8 +156,7 @@ int kdf_main(int argc, char **argv)
if (opts != NULL) {
int ok = 1;
OSSL_PARAM *params =
app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
OSSL_PARAM *params = app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
if (params == NULL)
goto err;
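Review bot: the joined declaration `OSSL_PARAM *params = app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));` is 86 characters before indentation, while the option table earlier in this file still wraps its long entries. Suggest declaring `OSSL_PARAM *params;` and assigning on a wrapped line so the `params == NULL` check that follows stays next to a readable call.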
-1
@@ -45,4 +45,3 @@ OSSL_LIB_CTX *app_create_libctx(void)
opt_printf_stderr("Failed to create library context\n");
return app_libctx;
}
+3 -4
@@ -63,7 +63,7 @@ static int describe_param_type(char *buf, size_t bufsz, const OSSL_PARAM *param)
printed_len = BIO_snprintf(buf, bufsz, " (arbitrary size)");
else
printed_len = BIO_snprintf(buf, bufsz, " (max %zu bytes large)",
param->data_size);
param->data_size);
if (printed_len > 0) {
buf += printed_len;
bufsz -= printed_len;
@@ -85,7 +85,7 @@ int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent)
} else {
BIO_printf(bio_out, "%*s%s:\n", indent, "", thing);
for (; pdefs->key != NULL; pdefs++) {
char buf[200]; /* This should be ample space */
char buf[200]; /* This should be ample space */
describe_param_type(buf, sizeof(buf), pdefs);
BIO_printf(bio_out, "%*s %s\n", indent, "", buf);
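Review bot: in `print_param_types` the `int` result of `describe_param_type(buf, sizeof(buf), pdefs)` is discarded and `buf` is printed unconditionally on the next line, with only the "This should be ample space" comment covering the 200-byte buffer. Suggest checking the return value, or at least setting `buf[0] = '\0'` before the call, so a failed or truncated description cannot print an uninitialised stack buffer.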
@@ -125,8 +125,7 @@ void print_param_value(const OSSL_PARAM *p, int indent)
break;
default:
BIO_printf(bio_out, "unknown type (%u) of %zu bytes\n",
p->data_type, p->data_size);
p->data_type, p->data_size);
break;
}
}
+6 -6
@@ -39,7 +39,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
if (prov == NULL) {
opt_printf_stderr("%s: unable to load provider %s\n"
"Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n",
opt_getprog(), provider_name);
opt_getprog(), provider_name);
ERR_print_errors(bio_err);
return 0;
}
@@ -92,7 +92,7 @@ static int opt_provider_param(const char *arg)
if ((copy = OPENSSL_strdup(arg)) == NULL
|| (p.val = strchr(copy, '=')) == NULL) {
opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
opt_getprog(), arg);
opt_getprog(), arg);
goto end;
}
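Review bot: in `opt_provider_param` the combined condition reports "malformed '-provparam' option value" both when `strchr(copy, '=')` finds no separator and when `OPENSSL_strdup(arg)` returns NULL, so an allocation failure is shown to the user as a syntax error. Since these lines are being touched anyway, consider testing `copy == NULL` separately with its own message before looking for the `=`.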
@@ -118,7 +118,7 @@ static int opt_provider_param(const char *arg)
/* The key must not be empty */
if (*p.key == '\0') {
opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
opt_getprog(), arg);
opt_getprog(), arg);
goto end;
}
@@ -126,14 +126,14 @@ static int opt_provider_param(const char *arg)
ret = OSSL_PROVIDER_do_all(app_get0_libctx(), set_prov_param, (void *)&p);
if (ret == 0) {
opt_printf_stderr("%s: Error setting provider '%s' parameter '%s'\n",
opt_getprog(), p.name, p.key);
opt_getprog(), p.name, p.key);
} else if (p.found == 0) {
opt_printf_stderr("%s: No provider named '%s' is loaded\n",
opt_getprog(), p.name);
opt_getprog(), p.name);
ret = 0;
}
end:
end:
OPENSSL_free(copy);
return ret;
}
+2 -3
@@ -89,11 +89,10 @@ int app_RAND_write(void)
ret = 0;
}
OPENSSL_free(save_rand_file);
save_rand_file = NULL;
save_rand_file = NULL;
return ret;
}
/*
* See comments in opt_verify for explanation of this.
*/
@@ -107,7 +106,7 @@ int opt_rand(int opt)
break;
case OPT_R_RAND:
if (randfiles == NULL
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
return 0;
if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
return 0;
+24 -26
@@ -38,53 +38,51 @@ static int x509_ctrl(void *object, int cmd, void *value, size_t value_n)
{
switch (cmd) {
#ifdef EVP_PKEY_CTRL_SET1_ID
case EVP_PKEY_CTRL_SET1_ID:
{
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
case EVP_PKEY_CTRL_SET1_ID: {
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate failed\n");
return 0;
}
X509_set0_distinguishing_id(object, v);
return 1;
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate failed\n");
return 0;
}
X509_set0_distinguishing_id(object, v);
return 1;
}
#endif
default:
break;
}
return -2; /* typical EVP_PKEY return for "unsupported" */
return -2; /* typical EVP_PKEY return for "unsupported" */
}
static int x509_req_ctrl(void *object, int cmd, void *value, size_t value_n)
{
switch (cmd) {
#ifdef EVP_PKEY_CTRL_SET1_ID
case EVP_PKEY_CTRL_SET1_ID:
{
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
case EVP_PKEY_CTRL_SET1_ID: {
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate signing request failed\n");
return 0;
}
X509_REQ_set0_distinguishing_id(object, v);
return 1;
if (v == NULL) {
BIO_printf(bio_err,
"error: setting distinguishing ID in certificate signing request failed\n");
return 0;
}
X509_REQ_set0_distinguishing_id(object, v);
return 1;
}
#endif
default:
break;
}
return -2; /* typical EVP_PKEY return for "unsupported" */
return -2; /* typical EVP_PKEY return for "unsupported" */
}
static int do_x509_ctrl_string(int (*ctrl)(void *object, int cmd,
void *value, size_t value_n),
void *object, const char *value)
void *value, size_t value_n),
void *object, const char *value)
{
int rv = 0;
char *stmp, *vtmp = NULL;
File diff suppressed because it is too large
@@ -22,4 +22,3 @@ int opt_printf_stderr(const char *fmt, ...)
va_end(ap);
return ret;
}
+15 -22
@@ -32,17 +32,14 @@ static int ui_read(UI *ui, UI_STRING *uis)
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
case UIT_VERIFY: {
const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password != NULL) {
UI_set_result(ui, uis, password);
return 1;
}
if (password != NULL) {
UI_set_result(ui, uis, password);
return 1;
}
break;
} break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
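Review bot: the new `} break;` closing the `case UIT_VERIFY: {` block in `ui_read` puts the `break` where it is easy to overlook, and the same shape is repeated in `ui_write`. The fall-through to `UIT_NONE` that would result from dropping it by accident is not harmless in a password callback, so I would rather see `break;` as the last statement inside the braces, or on its own line after `}`.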
@@ -67,15 +64,12 @@ static int ui_write(UI *ui, UI_STRING *uis)
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
case UIT_VERIFY: {
const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password != NULL)
return 1;
}
break;
if (password != NULL)
return 1;
} break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
@@ -101,7 +95,7 @@ static int ui_close(UI *ui)
/* object_name defaults to prompt_info from ui user data if present */
static char *ui_prompt_construct(UI *ui, const char *phrase_desc,
const char *object_name)
const char *object_name)
{
PW_CB_DATA *cb_data = (PW_CB_DATA *)UI_get0_user_data(ui);
@@ -132,8 +126,7 @@ int setup_ui_method(void)
&& 0 == UI_method_set_reader(ui_method, ui_read)
&& 0 == UI_method_set_writer(ui_method, ui_write)
&& 0 == UI_method_set_closer(ui_method, ui_close)
&& 0 == UI_method_set_prompt_constructor(ui_method,
ui_prompt_construct);
&& 0 == UI_method_set_prompt_constructor(ui_method, ui_prompt_construct);
}
void destroy_ui_method(void)
@@ -190,12 +183,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data)
(void)UI_add_user_data(ui, cb_data);
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
PW_MIN_LENGTH, bufsiz - 1);
PW_MIN_LENGTH, bufsiz - 1);
if (ok >= 0 && verify) {
buff = ui_malloc(bufsiz, "password buffer");
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
PW_MIN_LENGTH, bufsiz - 1, buf);
PW_MIN_LENGTH, bufsiz - 1, buf);
}
if (ok >= 0)
do {
+161 -168
@@ -17,21 +17,21 @@
/* the context for the CMP mock server */
typedef struct {
X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
EVP_PKEY *keyOut; /* Private key to be returned for central keygen */
X509_CRL *crlOut; /* CRL to be returned in genp for crls */
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
EVP_PKEY *keyOut; /* Private key to be returned for central keygen */
X509_CRL *crlOut; /* CRL to be returned in genp for crls */
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
int sendError; /* send error response on given request type */
OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
int sendError; /* send error response on given request type */
OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
} mock_srv_ctx;
static void mock_srv_ctx_free(mock_srv_ctx *ctx)
@@ -62,27 +62,27 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
err:
err:
mock_srv_ctx_free(ctx);
return NULL;
}
#define DEFINE_OSSL_SET1_CERT(FIELD) \
int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
X509 *cert) \
{ \
#define DEFINE_OSSL_SET1_CERT(FIELD) \
int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
X509 *cert) \
{ \
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
\
if (ctx == NULL) { \
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
if (cert == NULL || X509_up_ref(cert)) { \
X509_free(ctx->FIELD); \
ctx->FIELD = cert; \
return 1; \
} \
return 0; \
\
if (ctx == NULL) { \
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
if (cert == NULL || X509_up_ref(cert)) { \
X509_free(ctx->FIELD); \
ctx->FIELD = cert; \
return 1; \
} \
return 0; \
}
DEFINE_OSSL_SET1_CERT(refCert)
@@ -104,7 +104,7 @@ int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
}
int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
X509_CRL *crl)
X509_CRL *crl)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -120,7 +120,7 @@ int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
}
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *chain)
STACK_OF(X509) *chain)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
STACK_OF(X509) *chain_copy = NULL;
@@ -137,7 +137,7 @@ int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
}
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *caPubs)
STACK_OF(X509) *caPubs)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
STACK_OF(X509) *caPubs_copy = NULL;
@@ -158,7 +158,7 @@ DEFINE_OSSL_SET1_CERT(newWithOld)
DEFINE_OSSL_SET1_CERT(oldWithNew)
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text)
int fail_info, const char *text)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
OSSL_CMP_PKISI *si;
@@ -249,7 +249,7 @@ static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
/* check for matching reference cert components, as far as given */
static int refcert_cmp(const X509 *refcert,
const X509_NAME *issuer, const ASN1_INTEGER *serial)
const X509_NAME *issuer, const ASN1_INTEGER *serial)
{
const X509_NAME *ref_issuer;
const ASN1_INTEGER *ref_serial;
@@ -264,7 +264,7 @@ static int refcert_cmp(const X509 *refcert,
/* reset the state that belongs to a transaction */
static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
ossl_unused const ASN1_OCTET_STRING *id)
ossl_unused const ASN1_OCTET_STRING *id)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -280,13 +280,13 @@ static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *cert_req,
ossl_unused int certReqId,
const OSSL_CRMF_MSG *crm,
const X509_REQ *p10cr,
X509 **certOut,
STACK_OF(X509) **chainOut,
STACK_OF(X509) **caPubs)
const OSSL_CMP_MSG *cert_req,
ossl_unused int certReqId,
const OSSL_CRMF_MSG *crm,
const X509_REQ *p10cr,
X509 **certOut,
STACK_OF(X509) **chainOut,
STACK_OF(X509) **caPubs)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
int bodytype, central_keygen;
@@ -294,7 +294,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
EVP_PKEY *keyOut = NULL;
if (ctx == NULL || cert_req == NULL
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
@@ -320,8 +320,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
/* accept cert profile for cr messages only with the configured name */
if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
STACK_OF(OSSL_CMP_ITAV) *itavs =
OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
STACK_OF(OSSL_CMP_ITAV) *itavs = OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
int i;
for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
@@ -340,8 +339,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
str = sk_ASN1_UTF8STRING_value(strs, 0);
if (str == NULL
|| (data =
(const char *)ASN1_STRING_get0_data(str)) == NULL) {
|| (data = (const char *)ASN1_STRING_get0_data(str)) == NULL) {
ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
@@ -356,7 +354,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
/* accept cert update request only for the reference cert, if given */
if (bodytype == OSSL_CMP_KUR
&& crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
&& crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
if (cid == NULL) {
@@ -364,15 +362,15 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (!refcert_cmp(ctx->refCert,
OSSL_CRMF_CERTID_get0_issuer(cid),
OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
OSSL_CRMF_CERTID_get0_issuer(cid),
OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
return NULL;
}
}
if (ctx->certOut != NULL
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
/* Should return a cert produced from request template, see FR #16054 */
goto err;
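Review bot: in the `ctx->certOut != NULL && (*certOut = X509_dup(ctx->certOut)) == NULL` test, the comment "Should return a cert produced from request template, see FR #16054" sits between the unbraced condition and its `goto err;`, so it reads as if it described the error path. Suggest moving the comment above the `if`, or bracing the body, so the only statement under the condition is visibly the `goto err;`.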
@@ -383,7 +381,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
&& (ctx->keyOut == NULL
|| (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
|| !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
1 /* priv */, keyOut))) {
1 /* priv */, keyOut))) {
EVP_PKEY_free(keyOut);
goto err;
}
@@ -393,17 +391,17 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
*/
if (ctx->chainOut != NULL
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
goto err;
if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
goto err;
if (ctx->statusOut != NULL
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
goto err;
return si;
err:
err:
X509_free(*certOut);
*certOut = NULL;
OSSL_STACK_OF_X509_free(*chainOut);
@@ -414,9 +412,9 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *rr,
const X509_NAME *issuer,
const ASN1_INTEGER *serial)
const OSSL_CMP_MSG *rr,
const X509_NAME *issuer,
const ASN1_INTEGER *serial)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -425,7 +423,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@@ -433,9 +431,9 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
/* allow any RR derived from CSR which does not include issuer and serial */
if ((issuer != NULL || serial != NULL)
/* accept revocation only for the reference cert, if given */
&& !refcert_cmp(ctx->refCert, issuer, serial)) {
&& !refcert_cmp(ctx->refCert, issuer, serial)) {
ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
"wrong certificate to revoke");
"wrong certificate to revoke");
return NULL;
}
return OSSL_CMP_PKISI_dup(ctx->statusOut);
@@ -443,7 +441,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
/* return -1 for error, 0 for no update available */
static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
const X509_CRL *crl)
const X509_CRL *crl)
{
OSSL_CMP_CRLSTATUS *crlstatus;
DIST_POINT_NAME *dpn = NULL;
@@ -471,9 +469,9 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
return -1;
}
} else {
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
return -1; /* error according to RFC 9483 section 4.3.4 */
} else {
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
return -1; /* error according to RFC 9483 section 4.3.4 */
}
}
@@ -482,7 +480,7 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
}
static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
const OSSL_CMP_ITAV *req)
const OSSL_CMP_ITAV *req)
{
OSSL_CMP_ITAV *rsp = NULL;
@@ -490,81 +488,76 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
case NID_id_it_caCerts:
rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
break;
case NID_id_it_rootCaCert:
{
X509 *rootcacert = NULL;
case NID_id_it_rootCaCert: {
X509 *rootcacert = NULL;
if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;
if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew)) != 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
}
break;
case NID_id_it_crlStatusList:
{
STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
int res = 0;
if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
return NULL;
res = check_client_crl(crlstatuslist, ctx->crlOut);
if (res < 0)
rsp = NULL;
else
rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
}
break;
case NID_id_it_certReqTemplate:
{
OSSL_CRMF_CERTTEMPLATE *reqtemp;
OSSL_CMP_ATAVS *keyspec = NULL;
X509_ALGOR *keyalg = NULL;
OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
int ok = 0;
if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
return NULL;
if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
X509_get_issuer_name(ctx->refCert),
NULL))
goto crt_err;
if ((keyalg = X509_ALGOR_new()) == NULL)
goto crt_err;
(void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL); /* cannot fail */
eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
&& OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
OSSL_CMP_ATAV_free(eckeyalg);
OSSL_CMP_ATAV_free(rsakeylen);
X509_ALGOR_free(keyalg);
if (!ok)
goto crt_err;
rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
return rsp;
crt_err:
OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
OSSL_CMP_ATAVS_free(keyspec);
if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;
}
break;
if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew))
!= 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
} break;
case NID_id_it_crlStatusList: {
STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
int res = 0;
if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
return NULL;
res = check_client_crl(crlstatuslist, ctx->crlOut);
if (res < 0)
rsp = NULL;
else
rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
} break;
case NID_id_it_certReqTemplate: {
OSSL_CRMF_CERTTEMPLATE *reqtemp;
OSSL_CMP_ATAVS *keyspec = NULL;
X509_ALGOR *keyalg = NULL;
OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
int ok = 0;
if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
return NULL;
if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
X509_get_issuer_name(ctx->refCert),
NULL))
goto crt_err;
if ((keyalg = X509_ALGOR_new()) == NULL)
goto crt_err;
(void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL); /* cannot fail */
eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
&& OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
OSSL_CMP_ATAV_free(eckeyalg);
OSSL_CMP_ATAV_free(rsakeylen);
X509_ALGOR_free(keyalg);
if (!ok)
goto crt_err;
rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
return rsp;
crt_err:
OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
OSSL_CMP_ATAVS_free(keyspec);
return NULL;
} break;
default:
rsp = OSSL_CMP_ITAV_dup(req);
}
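Review bot: in the `case NID_id_it_certReqTemplate: {` block of `process_genm_itav`, both paths leave the function (`return rsp;` on success, `return NULL;` after `crt_err:`), so the trailing `} break;` is unreachable and can be dropped. While here, `X509_get_issuer_name(ctx->refCert)` in this case and `X509_get_subject_name(ctx->newWithNew)` in the `NID_id_it_rootCaCert` case are used without a NULL test, whereas `process_cert_request` checks `ctx->refCert != NULL` before using it; a matching guard or a comment stating why it is not needed would help.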
@@ -572,9 +565,9 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
}
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *genm,
const STACK_OF(OSSL_CMP_ITAV) *in,
STACK_OF(OSSL_CMP_ITAV) **out)
const OSSL_CMP_MSG *genm,
const STACK_OF(OSSL_CMP_ITAV) *in,
STACK_OF(OSSL_CMP_ITAV) **out)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -583,8 +576,8 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -602,14 +595,14 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
}
*out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
OSSL_CMP_ITAV_free);
OSSL_CMP_ITAV_free);
return *out != NULL;
}
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
const OSSL_CMP_PKISI *statusInfo,
const ASN1_INTEGER *errorCode,
const OSSL_CMP_PKIFREETEXT *errorDetails)
const OSSL_CMP_PKISI *statusInfo,
const ASN1_INTEGER *errorCode,
const OSSL_CMP_PKIFREETEXT *errorDetails)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
char buf[OSSL_CMP_PKISI_BUFLEN];
@@ -628,7 +621,7 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
} else {
sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
BIO_printf(bio_err, "pkiStatusInfo: %s\n",
sibuf != NULL ? sibuf: "<invalid>");
sibuf != NULL ? sibuf : "<invalid>");
}
if (errorCode == NULL)
@@ -644,18 +637,18 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
if (i > 0)
BIO_printf(bio_err, ", ");
ASN1_STRING_print_ex(bio_err,
sk_ASN1_UTF8STRING_value(errorDetails, i),
ASN1_STRFLGS_ESC_QUOTE);
sk_ASN1_UTF8STRING_value(errorDetails, i),
ASN1_STRFLGS_ESC_QUOTE);
}
BIO_printf(bio_err, "\n");
}
}
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *certConf,
ossl_unused int certReqId,
const ASN1_OCTET_STRING *certHash,
const OSSL_CMP_PKISI *si)
const OSSL_CMP_MSG *certConf,
ossl_unused int certReqId,
const ASN1_OCTET_STRING *certHash,
const OSSL_CMP_PKISI *si)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
ASN1_OCTET_STRING *digest;
@@ -665,8 +658,8 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|| ctx->certOut == NULL) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|| ctx->certOut == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -684,22 +677,22 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
/* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
OSSL_CMP_MSG **req, int64_t *check_after)
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
OSSL_CMP_MSG **req, int64_t *check_after)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
if (req != NULL)
*req = NULL;
if (ctx == NULL || pollReq == NULL
|| req == NULL || check_after == NULL) {
|| req == NULL || check_after == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@@ -725,11 +718,11 @@ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
mock_srv_ctx *ctx = mock_srv_ctx_new();
if (srv_ctx != NULL && ctx != NULL
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
process_rr, process_genm, process_error,
process_certConf, process_pollReq)
&& OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
delayed_delivery, clean_transaction))
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
process_rr, process_genm, process_error,
process_certConf, process_pollReq)
&& OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
delayed_delivery, clean_transaction))
return srv_ctx;
mock_srv_ctx_free(ctx);
-1
@@ -24,4 +24,3 @@ void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc)
dc->width = maxlen + 2;
dc->columns = (80 - 1) / dc->width;
}
+7 -8
@@ -19,7 +19,7 @@
#include <openssl/types.h> /* Ensure we have the ENGINE type, regardless */
#include <openssl/err.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#include <openssl/engine.h>
#endif
#include "apps.h"
@@ -60,8 +60,8 @@ ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug)
if (debug)
(void)ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0,
(void *)get_ui_method(), 0, 1)
|| !ENGINE_set_default(e, methods)) {
(void *)get_ui_method(), 0, 1)
|| !ENGINE_set_default(e, methods)) {
BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e));
ERR_print_errors(bio_err);
ENGINE_free(e);
@@ -113,8 +113,7 @@ char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc);
} else {
const char *engineid = ENGINE_get_id(e);
size_t uri_sz =
sizeof(ENGINE_SCHEME_COLON) - 1
size_t uri_sz = sizeof(ENGINE_SCHEME_COLON) - 1
+ strlen(engineid)
+ 1 /* : */
+ strlen(key_id)
@@ -151,9 +150,9 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
else
#endif
/* We're only interested if it comes from an ENGINE */
if (tmpeng == NULL)
ameth = NULL;
/* We're only interested if it comes from an ENGINE */
if (tmpeng == NULL)
ameth = NULL;
ERR_pop_to_mark();
if (ameth == NULL)
+18 -20
View File
@@ -19,10 +19,10 @@
#ifndef OPENSSL_NO_ENGINE
# include <stdarg.h>
# include <string.h>
# include <openssl/engine.h>
# include <openssl/store.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/engine.h>
#include <openssl/store.h>
/*
* Support for legacy private engine keys via the 'org.openssl.engine:' scheme
@@ -36,10 +36,10 @@
/* Local definition of OSSL_STORE_LOADER_CTX */
struct ossl_store_loader_ctx_st {
ENGINE *e; /* Structural reference */
ENGINE *e; /* Structural reference */
char *keyid;
int expected;
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
};
static OSSL_STORE_LOADER_CTX *OSSL_STORE_LOADER_CTX_new(ENGINE *e, char *keyid)
@@ -63,9 +63,9 @@ static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
}
static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
const char *uri,
const UI_METHOD *ui_method,
void *ui_data)
const char *uri,
const UI_METHOD *ui_method,
void *ui_data)
{
const char *p = uri, *q;
ENGINE *e = NULL;
@@ -77,9 +77,9 @@ static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
/* Look for engine ID */
q = strchr(p, ':');
if (q != NULL /* There is both an engine ID and a key ID */
&& p[0] != ':' /* The engine ID is at least one character */
&& q[1] != '\0') { /* The key ID is at least one character */
if (q != NULL /* There is both an engine ID and a key ID */
&& p[0] != ':' /* The engine ID is at least one character */
&& q[1] != '\0') { /* The key ID is at least one character */
char engineid[256];
size_t engineid_l = q - p;
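Review bot: `engineid_l = q - p` is derived from the caller-supplied URI while the destination is the fixed `char engineid[256]`, and the copy itself falls outside this hunk. Please confirm that `engineid_l` is checked against `sizeof(engineid)` before the buffer is written, and add that check with an error return if it is missing.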
@@ -113,7 +113,7 @@ static int engine_expect(OSSL_STORE_LOADER_CTX *ctx, int expected)
}
static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
const UI_METHOD *ui_method, void *ui_data)
const UI_METHOD *ui_method, void *ui_data)
{
EVP_PKEY *pkey = NULL, *pubkey = NULL;
OSSL_STORE_INFO *info = NULL;
@@ -122,14 +122,12 @@ static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
if (ENGINE_init(ctx->e)) {
if (ctx->expected == 0
|| ctx->expected == OSSL_STORE_INFO_PKEY)
pkey =
ENGINE_load_private_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
pkey = ENGINE_load_private_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
if ((pkey == NULL && ctx->expected == 0)
|| ctx->expected == OSSL_STORE_INFO_PUBKEY)
pubkey =
ENGINE_load_public_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
pubkey = ENGINE_load_public_key(ctx->e, ctx->keyid,
(UI_METHOD *)ui_method, ui_data);
ENGINE_finish(ctx->e);
}
}
@@ -188,7 +186,7 @@ void destroy_engine_loader(void)
OSSL_STORE_LOADER_free(loader);
}
#else /* !OPENSSL_NO_ENGINE */
#else /* !OPENSSL_NO_ENGINE */
int setup_engine_loader(void)
{
+62 -63
View File
@@ -14,7 +14,7 @@
* On VMS, you need to define this to get the declaration of fileno(). The
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
*/
# define _POSIX_C_SOURCE 2
#define _POSIX_C_SOURCE 2
#endif
#include <ctype.h>
@@ -30,9 +30,9 @@
#define HTTP_PREFIX "HTTP/"
#define HTTP_VERSION_PATT "1." /* allow 1.x */
#define HTTP_PREFIX_VERSION HTTP_PREFIX""HTTP_VERSION_PATT
#define HTTP_1_0 HTTP_PREFIX_VERSION"0" /* "HTTP/1.0" */
#define HTTP_VERSION_STR " "HTTP_PREFIX_VERSION
#define HTTP_PREFIX_VERSION HTTP_PREFIX "" HTTP_VERSION_PATT
#define HTTP_1_0 HTTP_PREFIX_VERSION "0" /* "HTTP/1.0" */
#define HTTP_VERSION_STR " " HTTP_PREFIX_VERSION
#define log_HTTP(prog, level, text) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, "%s", text)
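Review bot: The empty literal in `HTTP_PREFIX "" HTTP_VERSION_PATT` is redundant now that the macros are separated by spaces. It only acted as a token separator in the old unspaced spelling, and adjacent string literals concatenate either way, so `#define HTTP_PREFIX_VERSION HTTP_PREFIX HTTP_VERSION_PATT` would read more cleanly.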
@@ -40,7 +40,7 @@
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, arg)
#define log_HTTP2(prog, level, fmt, arg1, arg2) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, arg1, arg2)
#define log_HTTP3(prog, level, fmt, a1, a2, a3) \
#define log_HTTP3(prog, level, fmt, a1, a2, a3) \
trace_log_message(OSSL_TRACE_CATEGORY_HTTP, prog, level, fmt, a1, a2, a3)
#ifdef HTTP_DAEMON
@@ -88,8 +88,8 @@ void spawn_loop(const char *prog)
if (setpgid(0, 0)) {
log_HTTP1(prog, LOG_CRIT,
"error detaching from parent process group: %s",
strerror(errno));
"error detaching from parent process group: %s",
strerror(errno));
exit(1);
}
kidpids = app_malloc(n_responders * sizeof(*kidpids), "child PID array");
@@ -117,32 +117,32 @@ void spawn_loop(const char *prog)
}
if (i >= n_responders) {
log_HTTP1(prog, LOG_CRIT,
"internal error: no matching child slot for pid: %ld",
(long)fpid);
"internal error: no matching child slot for pid: %ld",
(long)fpid);
killall(1, kidpids);
}
if (status != 0) {
if (WIFEXITED(status)) {
log_HTTP2(prog, LOG_WARNING,
"child process: %ld, exit status: %d",
(long)fpid, WEXITSTATUS(status));
"child process: %ld, exit status: %d",
(long)fpid, WEXITSTATUS(status));
} else if (WIFSIGNALED(status)) {
char *dumped = "";
# ifdef WCOREDUMP
#ifdef WCOREDUMP
if (WCOREDUMP(status))
dumped = " (core dumped)";
# endif
#endif
log_HTTP3(prog, LOG_WARNING,
"child process: %ld, term signal %d%s",
(long)fpid, WTERMSIG(status), dumped);
"child process: %ld, term signal %d%s",
(long)fpid, WTERMSIG(status), dumped);
}
OSSL_sleep(1000);
}
break;
} else if (errno != EINTR) {
log_HTTP1(prog, LOG_CRIT,
"waitpid() failed: %s", strerror(errno));
"waitpid() failed: %s", strerror(errno));
killall(1, kidpids);
}
}
@@ -165,7 +165,7 @@ void spawn_loop(const char *prog)
_exit(1);
}
return;
default: /* parent */
default: /* parent */
for (i = 0; i < n_responders; ++i) {
if (kidpids[i] == 0) {
kidpids[i] = fpid;
@@ -175,7 +175,7 @@ void spawn_loop(const char *prog)
}
if (i >= n_responders) {
log_HTTP(prog, LOG_CRIT,
"internal error: no free child slots");
"internal error: no free child slots");
killall(1, kidpids);
}
break;
@@ -228,7 +228,7 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
return acbio;
err:
err:
ERR_print_errors(bio_err);
BIO_free_all(acbio);
BIO_free(bufbio);
@@ -262,9 +262,9 @@ static int urldecode(char *p)
/* if *pcbio != NULL, continue given connected session, else accept new */
/* if found_keep_alive != NULL, return this way connection persistence state */
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout)
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
const char *prog, int accept_get, int timeout)
{
BIO *cbio = *pcbio, *getbio = NULL, *b64 = NULL;
int len;
@@ -286,7 +286,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
goto fatal;
}
log_HTTP1(prog, LOG_DEBUG,
"awaiting new connection on port %s ...", port);
"awaiting new connection on port %s ...", port);
OPENSSL_free(port);
if (BIO_do_accept(acbio) <= 0)
@@ -303,12 +303,12 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
goto out;
}
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
if (timeout > 0) {
(void)BIO_get_fd(cbio, &acfd);
alarm(timeout);
}
# endif
#endif
/* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@@ -322,23 +322,23 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
if (((end = strchr(reqbuf, '\r')) != NULL && end[1] == '\n')
|| (end = strchr(reqbuf, '\n')) != NULL)
|| (end = strchr(reqbuf, '\n')) != NULL)
*end = '\0';
if (log_get_verbosity() < LOG_TRACE)
trace_log_message(-1, prog, LOG_INFO,
"received request, 1st line: %s", reqbuf);
"received request, 1st line: %s", reqbuf);
log_HTTP(prog, LOG_TRACE, "received request header:");
log_HTTP1(prog, LOG_TRACE, "%s", reqbuf);
if (end == NULL) {
log_HTTP(prog, LOG_WARNING,
"cannot parse HTTP header: missing end of line");
"cannot parse HTTP header: missing end of line");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
url = meth = reqbuf;
if ((accept_get && CHECK_AND_SKIP_PREFIX(url, "GET "))
|| CHECK_AND_SKIP_PREFIX(url, "POST ")) {
|| CHECK_AND_SKIP_PREFIX(url, "POST ")) {
/* Expecting (GET|POST) {sp} /URL {sp} HTTP/1.x */
url[-1] = '\0';
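Review bot: `reqbuf` is client-supplied and reaches the log through both `"received request, 1st line: %s"` and `log_HTTP1(prog, LOG_TRACE, "%s", reqbuf)` after only the line terminator has been cut, so any other control bytes in the request line are written out as-is. Consider escaping non-printable characters before logging, so that a request cannot alter how the log or syslog entry is rendered.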
@@ -346,8 +346,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
url++;
if (*url != '/') {
log_HTTP2(prog, LOG_WARNING,
"invalid %s -- URL does not begin with '/': %s",
meth, url);
"invalid %s -- URL does not begin with '/': %s",
meth, url);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -359,8 +359,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
break;
if (!HAS_PREFIX(end, HTTP_VERSION_STR)) {
log_HTTP2(prog, LOG_WARNING,
"invalid %s -- bad HTTP/version string: %s",
meth, end + 1);
"invalid %s -- bad HTTP/version string: %s",
meth, end + 1);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -382,7 +382,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
len = urldecode(url);
if (len < 0) {
log_HTTP2(prog, LOG_WARNING,
"invalid %s request -- bad URL encoding: %s", meth, url);
"invalid %s request -- bad URL encoding: %s", meth, url);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -390,7 +390,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
if ((getbio = BIO_new_mem_buf(url, len)) == NULL
|| (b64 = BIO_new(BIO_f_base64())) == NULL) {
log_HTTP1(prog, LOG_ERR,
"could not allocate base64 bio with size = %d", len);
"could not allocate base64 bio with size = %d", len);
goto fatal;
}
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
@@ -398,8 +398,8 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
} else {
log_HTTP2(prog, LOG_WARNING,
"HTTP request does not begin with %sPOST: %s",
accept_get ? "GET or " : "", reqbuf);
"HTTP request does not begin with %sPOST: %s",
accept_get ? "GET or " : "", reqbuf);
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -425,11 +425,10 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
if (((end = strchr(inbuf, '\r')) != NULL && end[1] == '\n')
|| (end = strchr(inbuf, '\n')) != NULL)
*end = '\0';
log_HTTP1(prog, LOG_TRACE, "%s", *inbuf == '\0' ?
" " /* workaround for "" getting ignored */ : inbuf);
log_HTTP1(prog, LOG_TRACE, "%s", *inbuf == '\0' ? " " /* workaround for "" getting ignored */ : inbuf);
if (end == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing HTTP header: missing end of line");
"error parsing HTTP header: missing end of line");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
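Review bot: The joined `log_HTTP1(...)` call now runs well past 80 columns and buries the `/* workaround for "" getting ignored */` comment in the middle of the expression. Hoist the ternary into a local such as `const char *line = *inbuf == '\0' ? " " : inbuf;`, put the comment above it, and pass `line` to the macro.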
@@ -441,7 +440,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
value = strchr(key, ':');
if (value == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing HTTP header: missing ':'");
"error parsing HTTP header: missing ':'");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
goto out;
}
@@ -458,37 +457,37 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
}
}
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
/* Clear alarm before we close the client socket */
alarm(0);
timeout = 0;
# endif
#endif
/* Try to read and parse request */
req = ASN1_item_d2i_bio(it, getbio != NULL ? getbio : cbio, NULL);
if (req == NULL) {
log_HTTP(prog, LOG_WARNING,
"error parsing DER-encoded request content");
"error parsing DER-encoded request content");
(void)http_server_send_status(prog, cbio, 400, "Bad Request");
} else if (ppath != NULL && (*ppath = OPENSSL_strdup(url)) == NULL) {
log_HTTP1(prog, LOG_ERR,
"out of memory allocating %zu bytes", strlen(url) + 1);
"out of memory allocating %zu bytes", strlen(url) + 1);
ASN1_item_free(req, it);
goto fatal;
}
*preq = req;
out:
out:
BIO_free_all(getbio);
# ifdef HTTP_DAEMON
#ifdef HTTP_DAEMON
if (timeout > 0)
alarm(0);
acfd = (int)INVALID_SOCKET;
# endif
#endif
return ret;
fatal:
fatal:
(void)http_server_send_status(prog, cbio, 500, "Internal Server Error");
if (ppath != NULL) {
OPENSSL_free(*ppath);
@@ -502,23 +501,23 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
/* assumes that cbio does not do an encoding that changes the output length */
int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp)
const char *content_type,
const ASN1_ITEM *it, const ASN1_VALUE *resp)
{
char buf[200], *p;
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0" 200 OK\r\n%s"
"Content-type: %s\r\n"
"Content-Length: %d\r\n",
keep_alive ? "Connection: keep-alive\r\n" : "",
content_type,
ASN1_item_i2d(resp, NULL, it));
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0 " 200 OK\r\n%s"
"Content-type: %s\r\n"
"Content-Length: %d\r\n",
keep_alive ? "Connection: keep-alive\r\n" : "",
content_type,
ASN1_item_i2d(resp, NULL, it));
if (ret < 0 || (size_t)ret >= sizeof(buf))
return 0;
if (log_get_verbosity() < LOG_TRACE && (p = strchr(buf, '\r')) != NULL)
trace_log_message(-1, prog, LOG_INFO,
"sending response, 1st line: %.*s", (int)(p - buf),
buf);
"sending response, 1st line: %.*s", (int)(p - buf),
buf);
log_HTTP1(prog, LOG_TRACE, "sending response header:\n%s", buf);
ret = BIO_printf(cbio, "%s\r\n", buf) > 0
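Review bot: `ASN1_item_i2d(resp, NULL, it)` is passed straight into the `Content-Length: %d` argument of `BIO_snprintf()`, so a negative (error) return would be sent as a negative length. The `ret < 0 || (size_t)ret >= sizeof(buf)` check only covers the formatting result. Store the encoded length in a local first and return 0 when it is negative, before the header is built.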
@@ -529,12 +528,12 @@ int http_server_send_asn1_resp(const char *prog, BIO *cbio, int keep_alive,
}
int http_server_send_status(const char *prog, BIO *cbio,
int status, const char *reason)
int status, const char *reason)
{
char buf[200];
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0" %d %s\r\n\r\n",
/* This implicitly cancels keep-alive */
status, reason);
int ret = BIO_snprintf(buf, sizeof(buf), HTTP_1_0 " %d %s\r\n\r\n",
/* This implicitly cancels keep-alive */
status, reason);
if (ret < 0 || (size_t)ret >= sizeof(buf))
return 0;
+4 -4
View File
@@ -17,7 +17,7 @@ int log_set_verbosity(const char *prog, int level)
{
if (level < LOG_EMERG || level > LOG_TRACE) {
trace_log_message(-1, prog, LOG_ERR,
"Invalid verbosity level %d", level);
"Invalid verbosity level %d", level);
return 0;
}
verbosity = level;
@@ -65,11 +65,11 @@ static void log_with_prefix(const char *prog, const char *fmt, va_list ap)
*/
#undef OSSL_NO_C99
#if !defined(__STDC_VERSION__) || __STDC_VERSION__ + 0 < 199900L
# define OSSL_NO_C99
#define OSSL_NO_C99
#endif
void trace_log_message(int category,
const char *prog, int level, const char *fmt, ...)
const char *prog, int level, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
@@ -103,6 +103,6 @@ void trace_log_message(int category,
ERR_print_errors_cb(print_syslog, &level);
} else
#endif
log_with_prefix(prog, fmt, ap);
log_with_prefix(prog, fmt, ap);
va_end(ap);
}
+1 -1
View File
@@ -13,7 +13,7 @@
#include "names.h"
#include "internal/e_os.h"
int name_cmp(const char * const *a, const char * const *b)
int name_cmp(const char *const *a, const char *const *b)
{
return OPENSSL_strcasecmp(*a, *b);
}
+107 -95
View File
@@ -17,7 +17,7 @@
#include "internal/numbers.h"
#include <string.h>
#if !defined(OPENSSL_SYS_MSDOS)
# include <unistd.h>
#include <unistd.h>
#endif
#include <stdlib.h>
@@ -56,7 +56,7 @@ const char *opt_path_end(const char *filename)
const char *p;
/* find the last '/', '\' or ':' */
for (p = filename + strlen(filename); --p > filename; )
for (p = filename + strlen(filename); --p > filename;)
if (*p == '/' || *p == '\\' || *p == ':') {
p++;
break;
@@ -74,8 +74,7 @@ char *opt_progname(const char *argv0)
/* Strip off trailing nonsense. */
n = strlen(p);
if (n > 4 &&
(strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
if (n > 4 && (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
n -= 4;
/* Copy over the name, in lowercase. */
@@ -178,8 +177,8 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
#endif
if (o->name == OPT_HELP_STR
|| o->name == OPT_MORE_STR
|| o->name == OPT_SECTION_STR)
|| o->name == OPT_MORE_STR
|| o->name == OPT_SECTION_STR)
continue;
#ifndef NDEBUG
i = o->valtype;
@@ -191,10 +190,26 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
else
OPENSSL_assert(o->retval == OPT_DUP || o->retval > OPT_PARAM);
switch (i) {
case 0: case '-': case '.':
case '/': case '<': case '>': case 'E': case 'F':
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
case 'u': case 'c': case ':': case 'N': case 'A':
case 0:
case '-':
case '.':
case '/':
case '<':
case '>':
case 'E':
case 'F':
case 'M':
case 'U':
case 'f':
case 'l':
case 'n':
case 'p':
case 's':
case 'u':
case 'c':
case ':':
case 'N':
case 'A':
break;
default:
OPENSSL_assert(0);
@@ -209,7 +224,7 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
&& strcmp(o->name, next->name) == 0;
if (duplicated) {
opt_printf_stderr("%s: Internal error: duplicate option %s\n",
prog, o->name);
prog, o->name);
OPENSSL_assert(!duplicated);
}
}
@@ -225,18 +240,18 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
}
static OPT_PAIR formats[] = {
{"pem", OPT_FMT_PEM},
{"der", OPT_FMT_DER},
{"b64", OPT_FMT_B64},
{"pkcs12", OPT_FMT_PKCS12},
{"smime", OPT_FMT_SMIME},
{"engine", OPT_FMT_ENGINE},
{"msblob", OPT_FMT_MSBLOB},
{"nss", OPT_FMT_NSS},
{"text", OPT_FMT_TEXT},
{"http", OPT_FMT_HTTP},
{"pvk", OPT_FMT_PVK},
{NULL}
{ "pem", OPT_FMT_PEM },
{ "der", OPT_FMT_DER },
{ "b64", OPT_FMT_B64 },
{ "pkcs12", OPT_FMT_PKCS12 },
{ "smime", OPT_FMT_SMIME },
{ "engine", OPT_FMT_ENGINE },
{ "msblob", OPT_FMT_MSBLOB },
{ "nss", OPT_FMT_NSS },
{ "text", OPT_FMT_TEXT },
{ "http", OPT_FMT_HTTP },
{ "pvk", OPT_FMT_PVK },
{ NULL }
};
void opt_set_unknown_name(const char *name)
@@ -269,7 +284,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
case 'b':
if (s[1] == '\0'
|| strcmp(s, "B64") == 0 || strcmp(s, "b64") == 0
|| strcmp(s, "BASE64") == 0 || strcmp(s, "base64") == 0 ) {
|| strcmp(s, "BASE64") == 0 || strcmp(s, "base64") == 0) {
if ((flags & OPT_FMT_B64) == 0)
return opt_format_error(s, flags);
*result = FORMAT_BASE64;
@@ -337,7 +352,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
return opt_format_error(s, flags);
*result = FORMAT_PVK;
} else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0
|| strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
|| strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
if ((flags & OPT_FMT_PKCS12) == 0)
return opt_format_error(s, flags);
*result = FORMAT_PKCS12;
@@ -395,7 +410,8 @@ int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
ERR_set_mark();
if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
app_get0_propq())) != NULL
app_get0_propq()))
!= NULL
|| (opt_legacy_okay()
&& (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
ERR_pop_to_mark();
@@ -416,7 +432,7 @@ int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
int ret;
if (name == NULL)
return 1;
return 1;
if ((ret = opt_cipher_silent(name, cipherp)) == 0)
opt_printf_stderr("%s: Unknown option or cipher: %s\n", prog, name);
return ret;
@@ -424,13 +440,13 @@ int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
int opt_cipher(const char *name, EVP_CIPHER **cipherp)
{
int mode, ret = 0;
unsigned long int flags;
EVP_CIPHER *c = NULL;
int mode, ret = 0;
unsigned long int flags;
EVP_CIPHER *c = NULL;
if (name == NULL)
return 1;
if (opt_cipher_any(name, &c)) {
return 1;
if (opt_cipher_any(name, &c)) {
mode = EVP_CIPHER_get_mode(c);
flags = EVP_CIPHER_get_flags(c);
if (mode == EVP_CIPH_XTS_MODE) {
@@ -478,7 +494,7 @@ int opt_md(const char *name, EVP_MD **mdp)
return 1;
if ((ret = opt_md_silent(name, mdp)) == 0)
opt_printf_stderr("%s: Unknown option or message digest: %s\n",
prog, name);
prog, name);
return ret;
}
@@ -491,7 +507,7 @@ int opt_check_md(const char *name)
}
/* Look through a list of name/value pairs. */
int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
int opt_pair(const char *name, const OPT_PAIR *pairs, int *result)
{
const OPT_PAIR *pp;
@@ -530,7 +546,7 @@ int opt_int(const char *value, int *result)
*result = (int)l;
if (*result != l) {
opt_printf_stderr("%s: Value \"%s\" outside integer range\n",
prog, value);
prog, value);
return 0;
}
return 1;
@@ -552,15 +568,15 @@ static void opt_number_error(const char *v)
char *prefix;
char *name;
} b[] = {
{"0x", "a hexadecimal"},
{"0X", "a hexadecimal"},
{"0", "an octal"}
{ "0x", "a hexadecimal" },
{ "0X", "a hexadecimal" },
{ "0", "an octal" }
};
for (i = 0; i < OSSL_NELEM(b); i++) {
if (strncmp(v, b[i].prefix, strlen(b[i].prefix)) == 0) {
opt_printf_stderr("%s: Can't parse \"%s\" as %s number\n",
prog, v, b[i].name);
prog, v, b[i].name);
return;
}
}
@@ -578,9 +594,9 @@ int opt_long(const char *value, long *result)
errno = 0;
l = strtol(value, &endp, 0);
if (*endp
|| endp == value
|| ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
|| endp == value
|| ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -590,9 +606,7 @@ int opt_long(const char *value, long *result)
return 1;
}
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
defined(INTMAX_MAX) && defined(UINTMAX_MAX) && \
!defined(OPENSSL_NO_INTTYPES_H)
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && defined(INTMAX_MAX) && defined(UINTMAX_MAX) && !defined(OPENSSL_NO_INTTYPES_H)
/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
int opt_intmax(const char *value, ossl_intmax_t *result)
@@ -604,10 +618,10 @@ int opt_intmax(const char *value, ossl_intmax_t *result)
errno = 0;
m = strtoimax(value, &endp, 0);
if (*endp
|| endp == value
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
&& errno == ERANGE)
|| (m == 0 && errno != 0)) {
|| endp == value
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
&& errno == ERANGE)
|| (m == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -633,9 +647,9 @@ int opt_uintmax(const char *value, ossl_uintmax_t *result)
errno = 0;
m = strtoumax(value, &endp, 0);
if (*endp
|| endp == value
|| (m == UINTMAX_MAX && errno == ERANGE)
|| (m == 0 && errno != 0)) {
|| endp == value
|| (m == UINTMAX_MAX && errno == ERANGE)
|| (m == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -685,9 +699,9 @@ int opt_ulong(const char *value, unsigned long *result)
errno = 0;
l = strtoul(value, &endptr, 0);
if (*endptr
|| endptr == value
|| ((l == ULONG_MAX) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
|| endptr == value
|| ((l == ULONG_MAX) && errno == ERANGE)
|| (l == 0 && errno != 0)) {
opt_number_error(value);
errno = oerrno;
return 0;
@@ -729,7 +743,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) {
ASN1_OBJECT_free(otmp);
opt_printf_stderr("%s: Internal error adding Policy %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
break;
@@ -749,7 +763,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
opt_printf_stderr("%s: Internal error setting purpose %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
break;
@@ -757,7 +771,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
if (vtmp == NULL) {
opt_printf_stderr("%s: Invalid verify name %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set1(vpm, vtmp);
@@ -777,7 +791,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
return 0;
if (t != (time_t)t) {
opt_printf_stderr("%s: epoch time out of range %s\n",
prog, opt_arg());
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
@@ -805,8 +819,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
break;
case OPT_V_CRL_CHECK_ALL:
X509_VERIFY_PARAM_set_flags(vpm,
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
break;
case OPT_V_POLICY_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
@@ -861,7 +874,6 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
break;
}
return 1;
}
void opt_begin(void)
@@ -911,14 +923,14 @@ int opt_next(void)
for (o = opts; o->name; ++o) {
/* If not this option, move on to the next one. */
if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0)
&& strcmp(p, o->name) != 0)
&& strcmp(p, o->name) != 0)
continue;
/* If it doesn't take a value, make sure none was given. */
if (o->valtype == 0 || o->valtype == '-') {
if (arg) {
opt_printf_stderr("%s: Option -%s does not take a value\n",
prog, p);
prog, p);
return -1;
}
return o->retval;
@@ -928,7 +940,7 @@ int opt_next(void)
if (arg == NULL) {
if (argv[opt_index] == NULL) {
opt_printf_stderr("%s: Option -%s needs a value\n",
prog, o->name);
prog, o->name);
return -1;
}
arg = argv[opt_index++];
@@ -962,12 +974,12 @@ int opt_next(void)
return -1;
if (o->valtype == 'p' && ival <= 0) {
opt_printf_stderr("%s: Non-positive number \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
if (o->valtype == 'N' && ival < 0) {
opt_printf_stderr("%s: Negative number \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
break;
@@ -994,14 +1006,14 @@ int opt_next(void)
case 'A':
case 'a':
if (opt_format(arg,
o->valtype == 'c' ? OPT_FMT_PDS :
o->valtype == 'E' ? OPT_FMT_PDE :
o->valtype == 'F' ? OPT_FMT_PEMDER :
o->valtype == 'A' ? OPT_FMT_ASN1 :
OPT_FMT_ANY, &ival))
o->valtype == 'c' ? OPT_FMT_PDS : o->valtype == 'E' ? OPT_FMT_PDE
: o->valtype == 'F' ? OPT_FMT_PEMDER
: o->valtype == 'A' ? OPT_FMT_ASN1
: OPT_FMT_ANY,
&ival))
break;
opt_printf_stderr("%s: Invalid format \"%s\" for option -%s\n",
prog, arg, o->name);
prog, arg, o->name);
return -1;
}
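Review bot: The reflowed conditional chain in the `opt_format()` call puts the first two tests on one line (`o->valtype == 'c' ? OPT_FMT_PDS : o->valtype == 'E' ? OPT_FMT_PDE`) and the remaining ones on `:`-led lines, which makes the mapping from value type to format mask easy to misread. A short `switch (o->valtype)` that sets a local flags variable before the call would be clearer and would not depend on how the formatter breaks the expression.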
@@ -1011,7 +1023,7 @@ int opt_next(void)
if (unknown != NULL) {
if (dunno != NULL) {
opt_printf_stderr("%s: Multiple %s or unknown options: -%s and -%s\n",
prog, unknown_name, dunno, p);
prog, unknown_name, dunno, p);
return -1;
}
dunno = p;
@@ -1083,7 +1095,7 @@ int opt_check_rest_arg(const char *expected)
opt_printf_stderr("%s: Extra option: \"%s\"\n", prog, opt);
else
opt_printf_stderr("%s: Extra (unknown) options: \"%s\" \"%s\"\n",
prog, opt_unknown(), opt);
prog, opt_unknown(), opt);
return 0;
}
@@ -1130,7 +1142,7 @@ static const char *valtype2param(const OPTIONS *o)
static void opt_print(const OPTIONS *o, int doingparams, int width)
{
const char* help;
const char *help;
char start[80 + 1];
int linelen, printlen;
@@ -1168,11 +1180,11 @@ static void opt_print(const OPTIONS *o, int doingparams, int width)
printlen = opt_printf_stderr(" %s", !doingparams ? "-" : "");
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
printlen = opt_printf_stderr("%s" , o->name[0] ? o->name : "*");
printlen = opt_printf_stderr("%s", o->name[0] ? o->name : "*");
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
if (o->valtype != '-') {
printlen = opt_printf_stderr(" %s" , valtype2param(o));
printlen = opt_printf_stderr(" %s", valtype2param(o));
linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH;
}
@@ -1229,52 +1241,52 @@ void opt_help(const OPTIONS *list)
/* opt_isdir section */
#ifdef _WIN32
# include <windows.h>
#include <windows.h>
int opt_isdir(const char *name)
{
DWORD attr;
# if defined(UNICODE) || defined(_UNICODE)
#if defined(UNICODE) || defined(_UNICODE)
size_t i, len_0 = strlen(name) + 1;
WCHAR tempname[MAX_PATH];
if (len_0 > MAX_PATH)
return -1;
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
#if !defined(_WIN32_WCE) || _WIN32_WCE >= 101
if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH))
# endif
#endif
for (i = 0; i < len_0; i++)
tempname[i] = (WCHAR)name[i];
attr = GetFileAttributes(tempname);
# else
#else
attr = GetFileAttributes(name);
# endif
#endif
if (attr == INVALID_FILE_ATTRIBUTES)
return -1;
return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0);
}
#else
# include <sys/stat.h>
# ifndef S_ISDIR
# if defined(_S_IFMT) && defined(_S_IFDIR)
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
# else
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
# endif
# endif
#include <sys/stat.h>
#ifndef S_ISDIR
#if defined(_S_IFMT) && defined(_S_IFDIR)
#define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
#else
#define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
#endif
#endif
int opt_isdir(const char *name)
{
# if defined(S_ISDIR)
#if defined(S_ISDIR)
struct stat st;
if (stat(name, &st) == 0)
return S_ISDIR(st.st_mode);
else
return -1;
# else
#else
return -1;
# endif
#endif
}
#endif
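Review bot: In the `UNICODE` branch, the `if (!MultiByteToWideChar(...))` line is compiled only when the inner `#if !defined(_WIN32_WCE) || _WIN32_WCE >= 101` holds, and it takes the following `for` loop as its body. With every directive now flattened to column 0, that dependency is hard to see. Put braces around the fallback loop, or annotate the inner `#endif` with its condition, so the control flow stays readable without the directive indentation.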
File diff suppressed because it is too large
+59 -56
View File
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,28 +22,28 @@
* needed to have fileno() declared correctly... So let's define u_int
*/
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
# define __U_INT
#define __U_INT
typedef unsigned int u_int;
#endif
#ifdef _WIN32
# include <process.h>
#include <process.h>
/* MSVC renamed some POSIX functions to have an underscore prefix. */
# ifdef _MSC_VER
# define getpid _getpid
# endif
#ifdef _MSC_VER
#define getpid _getpid
#endif
#endif
#ifndef OPENSSL_NO_SOCK
# include "internal/e_os.h"
# include "apps.h"
# include "s_apps.h"
# include "internal/sockets.h" /* for openssl_fdset() */
#include "internal/e_os.h"
#include "apps.h"
#include "s_apps.h"
#include "internal/sockets.h" /* for openssl_fdset() */
# include <openssl/bio.h>
# include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/err.h>
/* Keep track of our peer's address for the cookie callback */
BIO_ADDR *ourpeer = NULL;
@@ -73,9 +73,9 @@ BIO_ADDR *ourpeer = NULL;
* Returns 1 on success, 0 on failure.
*/
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret)
const char *bindhost, const char *bindport,
int family, int type, int protocol, int tfo, int doconn,
BIO_ADDR **ba_ret)
{
BIO_ADDRINFO *res = NULL;
BIO_ADDRINFO *bindaddr = NULL;
@@ -89,7 +89,7 @@ int init_client(int *sock, const char *host, const char *port,
return 0;
ret = BIO_lookup_ex(host, port, BIO_LOOKUP_CLIENT, family, type, protocol,
&res);
&res);
if (ret == 0) {
ERR_print_errors(bio_err);
return 0;
@@ -97,9 +97,9 @@ int init_client(int *sock, const char *host, const char *port,
if (bindhost != NULL || bindport != NULL) {
ret = BIO_lookup_ex(bindhost, bindport, BIO_LOOKUP_CLIENT,
family, type, protocol, &bindaddr);
family, type, protocol, &bindaddr);
if (ret == 0) {
ERR_print_errors (bio_err);
ERR_print_errors(bio_err);
goto out;
}
}
@@ -110,10 +110,10 @@ int init_client(int *sock, const char *host, const char *port,
* anything in the BIO_ADDRINFO chain that we haven't
* asked for. */
OPENSSL_assert((family == AF_UNSPEC
|| family == BIO_ADDRINFO_family(ai))
&& (type == 0 || type == BIO_ADDRINFO_socktype(ai))
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
|| family == BIO_ADDRINFO_family(ai))
&& (type == 0 || type == BIO_ADDRINFO_socktype(ai))
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
if (bindaddr != NULL) {
for (bi = bindaddr; bi != NULL; bi = BIO_ADDRINFO_next(bi)) {
@@ -126,7 +126,7 @@ int init_client(int *sock, const char *host, const char *port,
}
*sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai),
BIO_ADDRINFO_protocol(ai), 0);
BIO_ADDRINFO_protocol(ai), 0);
if (*sock == INVALID_SOCKET) {
/* Maybe the kernel doesn't support the socket family, even if
* BIO_lookup() added it in the returned result...
@@ -136,7 +136,7 @@ int init_client(int *sock, const char *host, const char *port,
if (bi != NULL) {
if (!BIO_bind(*sock, BIO_ADDRINFO_address(bi),
BIO_SOCK_REUSEADDR)) {
BIO_SOCK_REUSEADDR)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
break;
@@ -154,8 +154,9 @@ int init_client(int *sock, const char *host, const char *port,
BIO *tmpbio = BIO_new_dgram_sctp(*sock, BIO_NOCLOSE);
if (tmpbio == NULL) {
ERR_print_errors(bio_err);
return 0;
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
continue;
}
BIO_free(tmpbio);
}
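Review bot: In the `tmpbio == NULL` branch, the new `continue` path drops the `ERR_print_errors(bio_err)` call that the old `return 0` path made, so a failed `BIO_new_dgram_sctp()` now leaves its entries on the error queue and nothing is reported for that address. Closing the socket and resetting `*sock` to `INVALID_SOCKET` before trying the next address is the right fix for the early return, which also bypassed the `out:` cleanup. Please either print or clear the queue before `continue`, or confirm that the failure path after the loop reports it.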
@@ -192,13 +193,14 @@ int init_client(int *sock, const char *host, const char *port,
if (bindaddr != NULL && !found) {
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
#ifdef AF_INET6
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
#endif
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
bindhost != NULL ? bindhost : "",
bindport != NULL ? ":" : "",
bindport != NULL ? bindport : "");
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 "
: BIO_ADDRINFO_family(res) == AF_UNIX ? "unix "
: "",
bindhost != NULL ? bindhost : "",
bindport != NULL ? ":" : "",
bindport != NULL ? bindport : "");
ERR_clear_error();
ret = 0;
}
@@ -217,7 +219,7 @@ int init_client(int *sock, const char *host, const char *port,
}
out:
if (bindaddr != NULL) {
BIO_ADDRINFO_free (bindaddr);
BIO_ADDRINFO_free(bindaddr);
}
BIO_ADDRINFO_free(res);
return ret;
@@ -233,7 +235,7 @@ void get_sock_info_address(int asock, char **hostname, char **service)
*service = NULL;
if ((info.addr = BIO_ADDR_new()) != NULL
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)) {
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)) {
if (hostname != NULL)
*hostname = BIO_ADDR_hostname_string(info.addr, 1);
if (service != NULL)
@@ -255,10 +257,11 @@ int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
success = hostname != NULL && service != NULL;
if (success)
success = BIO_printf(out,
strchr(hostname, ':') == NULL
? /* IPv4 */ " %s:%s"
: /* IPv6 */ " [%s]:%s",
hostname, service) > 0;
strchr(hostname, ':') == NULL
? /* IPv4 */ " %s:%s"
: /* IPv6 */ " [%s]:%s",
hostname, service)
> 0;
else
(void)BIO_printf(out, "unknown:error\n");
OPENSSL_free(hostname);
@@ -293,9 +296,9 @@ int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
* 0 on failure, something other on success.
*/
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo)
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo)
{
int asock = 0;
int sock;
@@ -313,7 +316,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
return 0;
if (!BIO_lookup_ex(host, port, BIO_LOOKUP_SERVER, family, type, protocol,
&res)) {
&res)) {
ERR_print_errors(bio_err);
return 0;
}
@@ -321,8 +324,8 @@ int do_server(int *accept_sock, const char *host, const char *port,
/* Admittedly, these checks are quite paranoid, we should not get
* anything in the BIO_ADDRINFO chain that we haven't asked for */
OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
&& (type == 0 || type == BIO_ADDRINFO_socktype(res))
&& (protocol == 0 || protocol == BIO_ADDRINFO_protocol(res)));
&& (type == 0 || type == BIO_ADDRINFO_socktype(res))
&& (protocol == 0 || protocol == BIO_ADDRINFO_protocol(res)));
sock_family = BIO_ADDRINFO_family(res);
sock_type = BIO_ADDRINFO_socktype(res);
@@ -335,10 +338,10 @@ int do_server(int *accept_sock, const char *host, const char *port,
if (sock_family == AF_INET6)
sock_options |= BIO_SOCK_V6_ONLY;
if (next != NULL
&& BIO_ADDRINFO_socktype(next) == sock_type
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
&& BIO_ADDRINFO_socktype(next) == sock_type
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
if (sock_family == AF_INET
&& BIO_ADDRINFO_family(next) == AF_INET6) {
&& BIO_ADDRINFO_family(next) == AF_INET6) {
/* In case AF_INET6 is returned but not supported by the
* kernel, retry with the first detected address family */
sock_family_fallback = sock_family;
@@ -346,7 +349,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
sock_family = AF_INET6;
sock_address = BIO_ADDRINFO_address(next);
} else if (sock_family == AF_INET6
&& BIO_ADDRINFO_family(next) == AF_INET) {
&& BIO_ADDRINFO_family(next) == AF_INET) {
sock_options &= ~BIO_SOCK_V6_ONLY;
}
}
@@ -377,6 +380,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
BIO *tmpbio = BIO_new_dgram_sctp(asock, BIO_NOCLOSE);
if (tmpbio == NULL) {
BIO_ADDRINFO_free(res);
BIO_closesocket(asock);
ERR_print_errors(bio_err);
goto end;
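Review bot: In the `tmpbio == NULL` error path of `do_server`, `asock` is closed but not reset, whereas the later `i < 0 || naccept == 0` branch in this same patch follows `BIO_closesocket(asock)` with `asock = INVALID_SOCKET;`. Do the same here so nothing reached from `end:` can act on a closed descriptor, and check that `res` is not used again after `BIO_ADDRINFO_free(res)` on this path.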
@@ -422,8 +426,6 @@ int do_server(int *accept_sock, const char *host, const char *port,
if (naccept != -1)
naccept--;
if (naccept == 0)
BIO_closesocket(asock);
BIO_set_tcp_ndelay(sock, 1);
i = (*cb)(sock, type, protocol, context);
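Review bot: With the `if (naccept == 0)` / `BIO_closesocket(asock);` pair no longer ahead of the callback, the listening socket stays open while `(*cb)(sock, type, protocol, context)` serves the final connection and is closed only in the `i < 0 || naccept == 0` branch afterwards. That removes the second close of `asock`, but it is a behaviour change for callers passing a finite `naccept` (the listener keeps queueing connections during the last session), so it deserves a short comment at this spot.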
@@ -446,12 +448,12 @@ int do_server(int *accept_sock, const char *host, const char *port,
* alerts are passed on...]
*/
timeout.tv_sec = 0;
timeout.tv_usec = 500000; /* some extreme round-trip */
timeout.tv_usec = 500000; /* some extreme round-trip */
do {
FD_ZERO(&readfds);
openssl_fdset(sock, &readfds);
} while (select(sock + 1, &readfds, NULL, NULL, &timeout) > 0
&& readsocket(sock, sink, sizeof(sink)) > 0);
&& readsocket(sock, sink, sizeof(sink)) > 0);
BIO_closesocket(sock);
} else {
@@ -463,15 +465,16 @@ int do_server(int *accept_sock, const char *host, const char *port,
if (i < 0 || naccept == 0) {
BIO_closesocket(asock);
asock = INVALID_SOCKET;
ret = i;
break;
}
}
end:
# ifdef AF_UNIX
end:
#ifdef AF_UNIX
if (family == AF_UNIX)
unlink(host);
# endif
#endif
BIO_ADDR_free(ourpeer);
ourpeer = NULL;
return ret;
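Review bot: `asock = INVALID_SOCKET;` after the close in the `i < 0 || naccept == 0` branch only updates the local variable. `do_server` also takes `int *accept_sock`; if that was pointed at the listening descriptor earlier in the function, reset it in the same place so the caller cannot close the descriptor a second time.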
@@ -498,4 +501,4 @@ void do_ssl_shutdown(SSL *ssl)
} while (ret < 0);
}
#endif /* OPENSSL_NO_SOCK */
#endif /* OPENSSL_NO_SOCK */
+21 -26
@@ -29,16 +29,11 @@ static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
BN_CTX *bn_ctx = BN_CTX_new();
BIGNUM *p = BN_new();
BIGNUM *r = BN_new();
int ret =
g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
BN_check_prime(N, bn_ctx, NULL) == 1 &&
p != NULL && BN_rshift1(p, N) &&
int ret = g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && BN_check_prime(N, bn_ctx, NULL) == 1 && p != NULL && BN_rshift1(p, N) &&
/* p = (N-1)/2 */
BN_check_prime(p, bn_ctx, NULL) == 1 &&
r != NULL &&
BN_check_prime(p, bn_ctx, NULL) == 1 && r != NULL &&
/* verify g^((N-1)/2) == -1 (mod N) */
BN_mod_exp(r, g, p, N, bn_ctx) &&
BN_add_word(r, 1) && BN_cmp(r, N) == 0;
BN_mod_exp(r, g, p, N, bn_ctx) && BN_add_word(r, 1) && BN_cmp(r, N) == 0;
BN_free(r);
BN_free(p);
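Review bot: The reflowed initialiser of `ret` in `srp_Verify_N_and_g` puts seven conditions on a single line far past 80 columns, and the `/* p = (N-1)/2 */` comment now sits on the line after `BN_rshift1(p, N) &&` rather than next to the operation it explains. This expression is the whole validity check for N and g, so split it into sequential checks with an early exit, or exclude it from automatic reformatting, so that each step (N odd and prime, (N-1)/2 prime, g^((N-1)/2) == -1 mod N) can be read and audited on its own line.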
@@ -84,7 +79,7 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg)
if (srp_arg->amp == 1) {
if (srp_arg->debug)
BIO_printf(bio_err,
"SRP param N and g are not known params, going to check deeper.\n");
"SRP param N and g are not known params, going to check deeper.\n");
/*
* The srp_moregroups is a real debugging feature. Implementers
@@ -120,7 +115,7 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
}
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug)
int c_debug)
{
if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) {
BIO_printf(bio_err, "Unable to set SRP username\n");
@@ -144,7 +139,7 @@ static char *dummy_srp(SSL *ssl, void *arg)
void set_up_dummy_srp(SSL_CTX *ctx)
{
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
}
/*
@@ -157,7 +152,7 @@ void set_up_dummy_srp(SSL_CTX *ctx)
*/
static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
{
srpsrvparm *p = (srpsrvparm *) arg;
srpsrvparm *p = (srpsrvparm *)arg;
int ret = SSL3_AL_FATAL;
if (p->login == NULL && p->user == NULL) {
@@ -171,18 +166,18 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
goto err;
}
if (SSL_set_srp_server_param
(s, p->user->N, p->user->g, p->user->s, p->user->v,
p->user->info) < 0) {
if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
p->user->info)
< 0) {
*ad = SSL_AD_INTERNAL_ERROR;
goto err;
}
BIO_printf(bio_err,
"SRP parameters set: username = \"%s\" info=\"%s\"\n",
p->login, p->user->info);
"SRP parameters set: username = \"%s\" info=\"%s\"\n",
p->login, p->user->info);
ret = SSL_ERROR_NONE;
err:
err:
SRP_user_pwd_free(p->user);
p->user = NULL;
p->login = NULL;
@@ -190,7 +185,7 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
}
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
char *srpuserseed, char *srp_verifier_file)
char *srpuserseed, char *srp_verifier_file)
{
int ret;
@@ -202,12 +197,12 @@ int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
BIO_printf(bio_err, "Failed to initialize SRP verifier file\n");
return 0;
}
if ((ret =
SRP_VBASE_init(srp_callback_parm->vb,
srp_verifier_file)) != SRP_NO_ERROR) {
if ((ret = SRP_VBASE_init(srp_callback_parm->vb,
srp_verifier_file))
!= SRP_NO_ERROR) {
BIO_printf(bio_err,
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
srp_verifier_file, ret);
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
srp_verifier_file, ret);
return 0;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
@@ -221,11 +216,11 @@ void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out)
{
SRP_user_pwd_free(srp_callback_parm->user);
srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb,
srp_callback_parm->login);
srp_callback_parm->login);
if (srp_callback_parm->user != NULL)
BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm->user->info);
srp_callback_parm->user->info);
else
BIO_printf(bio_s_out, "LOOKUP not successful\n");
}
+1 -1
@@ -9,7 +9,7 @@
#include <stdlib.h>
#include <openssl/crypto.h>
#include "platform.h" /* for copy_argv() */
#include "platform.h" /* for copy_argv() */
char **newargv = NULL;
+248 -239
@@ -9,107 +9,122 @@
*/
#ifdef __VMS
# define OPENSSL_SYS_VMS
# pragma message disable DOLLARID
#define OPENSSL_SYS_VMS
#pragma message disable DOLLARID
#include <openssl/opensslconf.h>
# include <openssl/opensslconf.h>
# if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
/*
* On VMS, you need to define this to get the declaration of fileno(). The
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
*/
# define _POSIX_C_SOURCE 2
# endif
#define _POSIX_C_SOURCE 2
#endif
# include <stdio.h>
#include <stdio.h>
# undef _POSIX_C_SOURCE
#undef _POSIX_C_SOURCE
# include <sys/types.h>
# include <sys/socket.h>
# include <netinet/in.h>
# include <inet.h>
# include <unistd.h>
# include <string.h>
# include <errno.h>
# include <starlet.h>
# include <iodef.h>
# ifdef __alpha
# include <iosbdef.h>
# else
typedef struct _iosb { /* Copied from IOSBDEF.H for Alpha */
# pragma __nomember_alignment
__union {
__struct {
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <inet.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <starlet.h>
#include <iodef.h>
#ifdef __alpha
#include <iosbdef.h>
#else
typedef struct _iosb { /* Copied from IOSBDEF.H for Alpha */
#pragma __nomember_alignment
__union
{
__struct
{
unsigned short int iosb$w_status; /* Final I/O status */
__union {
__struct { /* 16-bit byte count variant */
__union
{
__struct
{ /* 16-bit byte count variant */
unsigned short int iosb$w_bcnt; /* 16-bit byte count */
__union {
__union
{
unsigned int iosb$l_dev_depend; /* 32-bit device dependent info */
unsigned int iosb$l_pid; /* 32-bit pid */
} iosb$r_l;
} iosb$r_bcnt_16;
__struct { /* 32-bit byte count variant */
}
iosb$r_l;
}
iosb$r_bcnt_16;
__struct
{ /* 32-bit byte count variant */
unsigned int iosb$l_bcnt; /* 32-bit byte count (unaligned) */
unsigned short int iosb$w_dev_depend_high; /* 16-bit device dependent info */
} iosb$r_bcnt_32;
} iosb$r_devdepend;
} iosb$r_io_64;
__struct {
__union {
}
iosb$r_bcnt_32;
}
iosb$r_devdepend;
}
iosb$r_io_64;
__struct
{
__union
{
unsigned int iosb$l_getxxi_status; /* Final GETxxI status */
unsigned int iosb$l_reg_status; /* Final $Registry status */
} iosb$r_l_status;
}
iosb$r_l_status;
unsigned int iosb$l_reserved; /* Reserved field */
} iosb$r_get_64;
} iosb$r_io_get;
}
iosb$r_get_64;
}
iosb$r_io_get;
} IOSB;
# if !defined(__VAXC)
# define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status
# define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt
# define iosb$r_l iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l
# define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend
# define iosb$l_pid iosb$r_l.iosb$l_pid
# define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt
# define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high
# define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status
# define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status
# endif /* #if !defined(__VAXC) */
#if !defined(__VAXC)
#define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status
#define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt
#define iosb$r_l iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l
#define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend
#define iosb$l_pid iosb$r_l.iosb$l_pid
#define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt
#define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high
#define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status
#define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status
#endif /* #if !defined(__VAXC) */
# endif /* End of IOSBDEF */
#endif /* End of IOSBDEF */
# include <efndef.h>
# include <stdlib.h>
# include <ssdef.h>
# include <time.h>
# include <stdarg.h>
# include <descrip.h>
#include <efndef.h>
#include <stdlib.h>
#include <ssdef.h>
#include <time.h>
#include <stdarg.h>
#include <descrip.h>
# include "vms_term_sock.h"
#include "vms_term_sock.h"
# ifdef __alpha
#ifdef __alpha
static struct _iosb TerminalDeviceIosb;
# else
#else
IOSB TerminalDeviceIosb;
# endif
#endif
static char TerminalDeviceBuff[255 + 2];
static int TerminalSocketPair[2] = {0, 0};
static int TerminalSocketPair[2] = { 0, 0 };
static unsigned short TerminalDeviceChan = 0;
static int CreateSocketPair (int, int, int, int *);
static void SocketPairTimeoutAst (int);
static int TerminalDeviceAst (int);
static void LogMessage (char *, ...);
static int CreateSocketPair(int, int, int, int *);
static void SocketPairTimeoutAst(int);
static int TerminalDeviceAst(int);
static void LogMessage(char *, ...);
/*
** Socket Pair Timeout Value (must be 0-59 seconds)
*/
# define SOCKET_PAIR_TIMEOUT_VALUE 20
#define SOCKET_PAIR_TIMEOUT_VALUE 20
/*
** Socket Pair Timeout Block which is passed to timeout AST
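Review bot: In the `IOSB` typedef for non-Alpha builds, the automated reformatting does not treat the VMS keywords `__union` and `__struct` as aggregate keywords, so it now breaks before every `{` and leaves member names such as `iosb$r_l;` and `iosb$r_bcnt_16;` on their own lines after the closing brace. The result is harder to compare against IOSBDEF.H than the original layout; exclude this typedef from the formatter (if the tree is formatted with clang-format, with `/* clang-format off */` and `/* clang-format on */` around it) and keep the original indentation.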
@@ -119,55 +134,54 @@ typedef struct _SocketPairTimeoutBlock {
unsigned short SockChan2;
} SPTB;
# ifdef TERM_SOCK_TEST
#ifdef TERM_SOCK_TEST
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
int main (int argc, char *argv[], char *envp[])
int main(int argc, char *argv[], char *envp[])
{
char TermBuff[80];
int TermSock,
status,
len;
LogMessage ("Enter 'q' or 'Q' to quit ...");
while (OPENSSL_strcasecmp (TermBuff, "Q")) {
LogMessage("Enter 'q' or 'Q' to quit ...");
while (OPENSSL_strcasecmp(TermBuff, "Q")) {
/*
** Create the terminal socket
*/
status = TerminalSocket (TERM_SOCK_CREATE, &TermSock);
status = TerminalSocket(TERM_SOCK_CREATE, &TermSock);
if (status != TERM_SOCK_SUCCESS)
exit (1);
exit(1);
/*
** Process the terminal input
*/
LogMessage ("Waiting on terminal I/O ...\n");
len = recv (TermSock, TermBuff, sizeof(TermBuff), 0) ;
LogMessage("Waiting on terminal I/O ...\n");
len = recv(TermSock, TermBuff, sizeof(TermBuff), 0);
TermBuff[len] = '\0';
LogMessage ("Received terminal I/O [%s]", TermBuff);
LogMessage("Received terminal I/O [%s]", TermBuff);
/*
** Delete the terminal socket
*/
status = TerminalSocket (TERM_SOCK_DELETE, &TermSock);
status = TerminalSocket(TERM_SOCK_DELETE, &TermSock);
if (status != TERM_SOCK_SUCCESS)
exit (1);
exit(1);
}
return 1;
}
# endif
#endif
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
int TerminalSocket (int FunctionCode, int *ReturnSocket)
int TerminalSocket(int FunctionCode, int *ReturnSocket)
{
int status;
$DESCRIPTOR (TerminalDeviceDesc, "SYS$COMMAND");
$DESCRIPTOR(TerminalDeviceDesc, "SYS$COMMAND");
/*
** Process the requested function code
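Review bot: In the `TERM_SOCK_TEST` `main`, `TermBuff[len] = '\0';` uses the return value of `recv(TermSock, TermBuff, sizeof(TermBuff), 0)` unchecked: a full 80-byte read writes one byte past the array, and a `-1` error return writes before it. The loop condition `OPENSSL_strcasecmp(TermBuff, "Q")` also reads `TermBuff` before anything has been stored in it. While these lines are being touched, pass `sizeof(TermBuff) - 1` to `recv`, stop on `len < 0`, and set `TermBuff[0] = '\0'` before the loop.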
@@ -177,45 +191,45 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Create a socket pair
*/
status = CreateSocketPair (AF_INET, SOCK_STREAM, 0, TerminalSocketPair);
status = CreateSocketPair(AF_INET, SOCK_STREAM, 0, TerminalSocketPair);
if (status == -1) {
LogMessage ("TerminalSocket: CreateSocketPair () - %08X", status);
LogMessage("TerminalSocket: CreateSocketPair () - %08X", status);
if (TerminalSocketPair[0])
close (TerminalSocketPair[0]);
close(TerminalSocketPair[0]);
if (TerminalSocketPair[1])
close (TerminalSocketPair[1]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Assign a channel to the terminal device
*/
status = sys$assign (&TerminalDeviceDesc,
&TerminalDeviceChan,
0, 0, 0);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$ASSIGN () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$assign(&TerminalDeviceDesc,
&TerminalDeviceChan,
0, 0, 0);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$ASSIGN () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Queue an async IO to the terminal device
*/
status = sys$qio (EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$QIO () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$qio(EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$QIO () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
@@ -229,30 +243,30 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Cancel any pending IO on the terminal channel
*/
status = sys$cancel (TerminalDeviceChan);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$CANCEL () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$cancel(TerminalDeviceChan);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$CANCEL () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Deassign the terminal channel
*/
status = sys$dassgn (TerminalDeviceChan);
if (! (status & 1)) {
LogMessage ("TerminalSocket: SYS$DASSGN () - %08X", status);
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
status = sys$dassgn(TerminalDeviceChan);
if (!(status & 1)) {
LogMessage("TerminalSocket: SYS$DASSGN () - %08X", status);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
return TERM_SOCK_FAILURE;
}
/*
** Close the terminal socket pair
*/
close (TerminalSocketPair[0]);
close (TerminalSocketPair[1]);
close(TerminalSocketPair[0]);
close(TerminalSocketPair[1]);
/*
** Return the initialized socket
@@ -264,7 +278,7 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
/*
** Invalid function code
*/
LogMessage ("TerminalSocket: Invalid Function Code - %d", FunctionCode);
LogMessage("TerminalSocket: Invalid Function Code - %d", FunctionCode);
return TERM_SOCK_FAILURE;
break;
}
@@ -273,21 +287,20 @@ int TerminalSocket (int FunctionCode, int *ReturnSocket)
** Return success
*/
return TERM_SOCK_SUCCESS;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static int CreateSocketPair (int SocketFamily,
int SocketType,
int SocketProtocol,
int *SocketPair)
static int CreateSocketPair(int SocketFamily,
int SocketType,
int SocketProtocol,
int *SocketPair)
{
struct dsc$descriptor AscTimeDesc = {0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL};
static const char* LocalHostAddr = {"127.0.0.1"};
struct dsc$descriptor AscTimeDesc = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL };
static const char *LocalHostAddr = { "127.0.0.1" };
unsigned short TcpAcceptChan = 0,
TcpDeviceChan = 0;
TcpDeviceChan = 0;
unsigned long BinTimeBuff[2];
struct sockaddr_in sin;
char AscTimeBuff[32];
@@ -295,23 +308,23 @@ static int CreateSocketPair (int SocketFamily,
int status;
unsigned int slen;
# ifdef __alpha
#ifdef __alpha
struct _iosb iosb;
# else
#else
IOSB iosb;
# endif
#endif
int SockDesc1 = 0,
SockDesc2 = 0;
SPTB sptb;
$DESCRIPTOR (TcpDeviceDesc, "TCPIP$DEVICE");
$DESCRIPTOR(TcpDeviceDesc, "TCPIP$DEVICE");
/*
** Create a socket
*/
SockDesc1 = socket (SocketFamily, SocketType, 0);
SockDesc1 = socket(SocketFamily, SocketType, 0);
if (SockDesc1 < 0) {
LogMessage ("CreateSocketPair: socket () - %d", errno);
LogMessage("CreateSocketPair: socket () - %d", errno);
return -1;
}
@@ -319,28 +332,28 @@ static int CreateSocketPair (int SocketFamily,
** Initialize the socket information
*/
slen = sizeof(sin);
memset ((char *) &sin, 0, slen);
memset((char *)&sin, 0, slen);
sin.sin_family = SocketFamily;
sin.sin_addr.s_addr = inet_addr (LocalHostAddr);
sin.sin_addr.s_addr = inet_addr(LocalHostAddr);
sin.sin_port = 0;
/*
** Bind the socket to the local IP
*/
status = bind (SockDesc1, (struct sockaddr *) &sin, slen);
status = bind(SockDesc1, (struct sockaddr *)&sin, slen);
if (status < 0) {
LogMessage ("CreateSocketPair: bind () - %d", errno);
close (SockDesc1);
LogMessage("CreateSocketPair: bind () - %d", errno);
close(SockDesc1);
return -1;
}
/*
** Get the socket name so we can save the port number
*/
status = getsockname (SockDesc1, (struct sockaddr *) &sin, &slen);
status = getsockname(SockDesc1, (struct sockaddr *)&sin, &slen);
if (status < 0) {
LogMessage ("CreateSocketPair: getsockname () - %d", errno);
close (SockDesc1);
LogMessage("CreateSocketPair: getsockname () - %d", errno);
close(SockDesc1);
return -1;
} else
LocalHostPort = sin.sin_port;
@@ -348,18 +361,18 @@ static int CreateSocketPair (int SocketFamily,
/*
** Setup a listen for the socket
*/
listen (SockDesc1, 5);
listen(SockDesc1, 5);
/*
** Get the binary (64-bit) time of the specified timeout value
*/
BIO_snprintf(AscTimeBuff, sizeof(AscTimeBuff), "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
AscTimeDesc.dsc$w_length = strlen (AscTimeBuff);
AscTimeDesc.dsc$w_length = strlen(AscTimeBuff);
AscTimeDesc.dsc$a_pointer = AscTimeBuff;
status = sys$bintim (&AscTimeDesc, BinTimeBuff);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$BINTIM () - %08X", status);
close (SockDesc1);
status = sys$bintim(&AscTimeDesc, BinTimeBuff);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$BINTIM () - %08X", status);
close(SockDesc1);
return -1;
}
@@ -367,87 +380,87 @@ static int CreateSocketPair (int SocketFamily,
** Assign another channel to the TCP/IP device for the accept.
** This is the channel that ends up being connected to.
*/
status = sys$assign (&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$ASSIGN () - %08X", status);
close (SockDesc1);
status = sys$assign(&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$ASSIGN () - %08X", status);
close(SockDesc1);
return -1;
}
/*
** Get the channel of the first socket for the accept
*/
TcpAcceptChan = decc$get_sdc (SockDesc1);
TcpAcceptChan = decc$get_sdc(SockDesc1);
/*
** Perform the accept using $QIO so we can do this asynchronously
*/
status = sys$qio (EFN$C_ENF,
TcpAcceptChan,
IO$_ACCESS | IO$M_ACCEPT,
&iosb,
0, 0, 0, 0, 0,
&TcpDeviceChan,
0, 0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$QIO () - %08X", status);
close (SockDesc1);
sys$dassgn (TcpDeviceChan);
status = sys$qio(EFN$C_ENF,
TcpAcceptChan,
IO$_ACCESS | IO$M_ACCEPT,
&iosb,
0, 0, 0, 0, 0,
&TcpDeviceChan,
0, 0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$QIO () - %08X", status);
close(SockDesc1);
sys$dassgn(TcpDeviceChan);
return -1;
}
/*
** Create the second socket to do the connect
*/
SockDesc2 = socket (SocketFamily, SocketType, 0);
SockDesc2 = socket(SocketFamily, SocketType, 0);
if (SockDesc2 < 0) {
LogMessage ("CreateSocketPair: socket () - %d", errno);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
sys$dassgn (TcpDeviceChan);
return (-1) ;
LogMessage("CreateSocketPair: socket () - %d", errno);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
sys$dassgn(TcpDeviceChan);
return (-1);
}
/*
** Setup the Socket Pair Timeout Block
*/
sptb.SockChan1 = TcpAcceptChan;
sptb.SockChan2 = decc$get_sdc (SockDesc2);
sptb.SockChan2 = decc$get_sdc(SockDesc2);
/*
** Before we block on the connect, set a timer that can cancel I/O on our
** two sockets if it never connects.
*/
status = sys$setimr (EFN$C_ENF,
BinTimeBuff,
SocketPairTimeoutAst,
&sptb,
0);
if (! (status & 1)) {
LogMessage ("CreateSocketPair: SYS$SETIMR () - %08X", status);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
status = sys$setimr(EFN$C_ENF,
BinTimeBuff,
SocketPairTimeoutAst,
&sptb,
0);
if (!(status & 1)) {
LogMessage("CreateSocketPair: SYS$SETIMR () - %08X", status);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
/*
** Now issue the connect
*/
memset ((char *) &sin, 0, sizeof(sin)) ;
memset((char *)&sin, 0, sizeof(sin));
sin.sin_family = SocketFamily;
sin.sin_addr.s_addr = inet_addr (LocalHostAddr) ;
sin.sin_port = LocalHostPort ;
sin.sin_addr.s_addr = inet_addr(LocalHostAddr);
sin.sin_port = LocalHostPort;
status = connect (SockDesc2, (struct sockaddr *) &sin, sizeof(sin));
status = connect(SockDesc2, (struct sockaddr *)&sin, sizeof(sin));
if (status < 0) {
LogMessage ("CreateSocketPair: connect () - %d", errno);
sys$cantim (&sptb, 0);
sys$cancel (TcpAcceptChan);
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
LogMessage("CreateSocketPair: connect () - %d", errno);
sys$cantim(&sptb, 0);
sys$cancel(TcpAcceptChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
@@ -456,18 +469,18 @@ static int CreateSocketPair (int SocketFamily,
** (SS$_ABORT), then we probably canceled it from the AST routine - so log
** a timeout.
*/
status = sys$synch (EFN$C_ENF, &iosb);
if (! (iosb.iosb$w_status & 1)) {
status = sys$synch(EFN$C_ENF, &iosb);
if (!(iosb.iosb$w_status & 1)) {
if (iosb.iosb$w_status == SS$_ABORT)
LogMessage ("CreateSocketPair: SYS$QIO(iosb) timeout");
LogMessage("CreateSocketPair: SYS$QIO(iosb) timeout");
else {
LogMessage ("CreateSocketPair: SYS$QIO(iosb) - %d",
iosb.iosb$w_status);
sys$cantim (&sptb, 0);
LogMessage("CreateSocketPair: SYS$QIO(iosb) - %d",
iosb.iosb$w_status);
sys$cantim(&sptb, 0);
}
close (SockDesc1);
close (SockDesc2);
sys$dassgn (TcpDeviceChan);
close(SockDesc1);
close(SockDesc2);
sys$dassgn(TcpDeviceChan);
return -1;
}
@@ -476,34 +489,32 @@ static int CreateSocketPair (int SocketFamily,
** I/O channel to a socket fd, close the listener socket and return the
** connected pair.
*/
sys$cantim (&sptb, 0);
sys$cantim(&sptb, 0);
close (SockDesc1) ;
SocketPair[0] = SockDesc2 ;
SocketPair[1] = socket_fd (TcpDeviceChan);
return (0) ;
close(SockDesc1);
SocketPair[0] = SockDesc2;
SocketPair[1] = socket_fd(TcpDeviceChan);
return (0);
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static void SocketPairTimeoutAst (int astparm)
static void SocketPairTimeoutAst(int astparm)
{
SPTB *sptb = (SPTB *) astparm;
SPTB *sptb = (SPTB *)astparm;
sys$cancel (sptb->SockChan2); /* Cancel the connect() */
sys$cancel (sptb->SockChan1); /* Cancel the accept() */
sys$cancel(sptb->SockChan2); /* Cancel the connect() */
sys$cancel(sptb->SockChan1); /* Cancel the accept() */
return;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static int TerminalDeviceAst (int astparm)
static int TerminalDeviceAst(int astparm)
{
int status;
@@ -511,41 +522,40 @@ static int TerminalDeviceAst (int astparm)
** Terminate the terminal buffer
*/
TerminalDeviceBuff[TerminalDeviceIosb.iosb$w_bcnt] = '\0';
strcat (TerminalDeviceBuff, "\n");
strcat(TerminalDeviceBuff, "\n");
/*
** Send the data read from the terminal device through the socket pair
*/
send (TerminalSocketPair[0], TerminalDeviceBuff,
TerminalDeviceIosb.iosb$w_bcnt + 1, 0);
send(TerminalSocketPair[0], TerminalDeviceBuff,
TerminalDeviceIosb.iosb$w_bcnt + 1, 0);
/*
** Queue another async IO to the terminal device
*/
status = sys$qio (EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 1,
0, 0, 0, 0);
status = sys$qio(EFN$C_ENF,
TerminalDeviceChan,
IO$_READVBLK,
&TerminalDeviceIosb,
TerminalDeviceAst,
0,
TerminalDeviceBuff,
sizeof(TerminalDeviceBuff) - 2,
0, 0, 0, 0);
/*
** Return status
*/
return status;
}
/*----------------------------------------------------------------------------*/
/* */
/*----------------------------------------------------------------------------*/
static void LogMessage (char *msg, ...)
static void LogMessage(char *msg, ...)
{
char *Month[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
char *Month[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
static unsigned int pid = 0;
va_list args;
time_t CurTime;
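Review bot: In `TerminalDeviceAst`, `TerminalDeviceIosb.iosb$w_bcnt` is used as an index into `TerminalDeviceBuff` without first checking `iosb$w_status`, so a cancelled or failed read is still terminated, extended by `strcat` and passed to `send`, whose return value is also ignored. Check the status before touching the buffer. The re-queued read length of `sizeof(TerminalDeviceBuff) - 2` is the right bound for the `255 + 2` byte buffer, because `strcat(TerminalDeviceBuff, "\n")` needs room for the newline and its terminator, and it now matches the first `sys$qio` in `TerminalSocket`; put that length in one named constant used by both calls so the two cannot drift apart again.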
@@ -556,36 +566,35 @@ static void LogMessage (char *msg, ...)
** Get the process pid
*/
if (pid == 0)
pid = getpid ();
pid = getpid();
/*
** Convert the current time into local time
*/
CurTime = time (NULL);
LocTime = localtime (&CurTime);
CurTime = time(NULL);
LocTime = localtime(&CurTime);
/*
** Format the message buffer
*/
BIO_snprintf(MsgBuff, sizeof(MsgBuff), "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
LocTime->tm_mday, Month[LocTime->tm_mon],
(LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
LocTime->tm_sec, pid, msg);
LocTime->tm_mday, Month[LocTime->tm_mon],
(LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
LocTime->tm_sec, pid, msg);
/*
** Get any variable arguments and add them to the print of the message
** buffer
*/
va_start (args, msg);
vfprintf (stderr, MsgBuff, args);
va_end (args);
va_start(args, msg);
vfprintf(stderr, MsgBuff, args);
va_end(args);
/*
** Flush standard error output
*/
fsync (fileno (stderr));
fsync(fileno(stderr));
return;
}
#endif
+15 -13
@@ -81,18 +81,18 @@ static int process_glob(WCHAR *wstr, int wlen)
break;
if (i == wlen)
return 0; /* definitely not a glob */
return 0; /* definitely not a glob */
saved_char = wstr[wlen];
wstr[wlen] = L'\0';
h = FindFirstFileW(wstr, &data);
wstr[wlen] = saved_char;
if (h == INVALID_HANDLE_VALUE)
return 0; /* not a valid glob, just pass... */
return 0; /* not a valid glob, just pass... */
if (slash)
udlen = WideCharToMultiByte(CP_UTF8, 0, wstr, slash,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
else
udlen = 0;
@@ -104,8 +104,7 @@ static int process_glob(WCHAR *wstr, int wlen)
* skip over . and ..
*/
if (data.cFileName[0] == L'.') {
if ((data.cFileName[1] == L'\0') ||
(data.cFileName[1] == L'.' && data.cFileName[2] == L'\0'))
if ((data.cFileName[1] == L'\0') || (data.cFileName[1] == L'.' && data.cFileName[2] == L'\0'))
continue;
}
@@ -117,7 +116,7 @@ static int process_glob(WCHAR *wstr, int wlen)
* so that |uflen| covers even trailing '\0'.
*/
uflen = WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
arg = malloc(udlen + uflen);
if (arg == NULL)
@@ -125,10 +124,10 @@ static int process_glob(WCHAR *wstr, int wlen)
if (udlen)
WideCharToMultiByte(CP_UTF8, 0, wstr, slash,
arg, udlen, NULL, NULL);
arg, udlen, NULL, NULL);
WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1,
arg + udlen, uflen, NULL, NULL);
arg + udlen, uflen, NULL, NULL);
newargv[newargc++] = arg;
} while (FindNextFileW(h, &data));
@@ -154,7 +153,8 @@ void win32_utf8argv(int *argc, char **argv[])
return;
wcmdline = GetCommandLineW();
if (wcmdline == NULL) return;
if (wcmdline == NULL)
return;
/*
* make a copy of the command line, since we might have to modify it...
@@ -178,7 +178,7 @@ void win32_utf8argv(int *argc, char **argv[])
*/
warg = wend = p;
while (*p != L'\0'
&& (in_quote || (*p != L' ' && *p != L'\t'))) {
&& (in_quote || (*p != L' ' && *p != L'\t'))) {
switch (*p) {
case L'\\':
/*
@@ -259,7 +259,7 @@ void win32_utf8argv(int *argc, char **argv[])
ulen = 0;
if (wlen > 0) {
ulen = WideCharToMultiByte(CP_UTF8, 0, warg, wlen,
NULL, 0, NULL, NULL);
NULL, 0, NULL, NULL);
if (ulen <= 0)
continue;
}
@@ -272,7 +272,7 @@ void win32_utf8argv(int *argc, char **argv[])
if (wlen > 0)
WideCharToMultiByte(CP_UTF8, 0, warg, wlen,
arg, ulen, NULL, NULL);
arg, ulen, NULL, NULL);
arg[ulen] = '\0';
newargv[newargc++] = arg;
@@ -303,5 +303,7 @@ void win32_utf8argv(int *argc, char **argv[])
}
#else
void win32_utf8argv(int *argc, char **argv[])
{ return; }
{
return;
}
#endif
+310 -294
File diff suppressed because it is too large
+22 -18
@@ -18,42 +18,46 @@
#include <openssl/core_names.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
#define BUFSIZE 1024 * 8
typedef enum OPTION_choice {
OPT_COMMON,
OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT,
OPT_CIPHER, OPT_DIGEST,
OPT_MACOPT,
OPT_BIN,
OPT_IN,
OPT_OUT,
OPT_CIPHER,
OPT_DIGEST,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS mac_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] mac_name\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form"},
{"cipher", OPT_CIPHER, 's', "Cipher"},
{"digest", OPT_DIGEST, 's', "Digest"},
{OPT_MORE_STR, 1, '-', "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form" },
{ "cipher", OPT_CIPHER, 's', "Cipher" },
{ "digest", OPT_DIGEST, 's', "Digest" },
{ OPT_MORE_STR, 1, '-', "See 'PARAMETER NAMES' in the EVP_MAC_ docs" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file to MAC (default is stdin)"},
{ "in", OPT_IN, '<', "Input file to MAC (default is stdin)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
{ "out", OPT_OUT, '>', "Output to filename rather than stdout" },
{ "binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"mac_name", 0, 0, "MAC algorithm"},
{NULL}
{ "mac_name", 0, 0, "MAC algorithm" },
{ NULL }
};
static char *alloc_mac_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
const char *name, const char *arg)
const char *name, const char *arg)
{
size_t len = strlen(name) + strlen(arg) + 2;
char *res;
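Review bot: `#define BUFSIZE 1024 * 8` is still unparenthesized after the reformat, so any use next to a higher- or equal-precedence operator (for example `n / BUFSIZE`, which expands to `n / 1024 * 8`) evaluates to something other than the intended 8192. Writing it as `#define BUFSIZE (1024 * 8)` removes the hazard at no cost.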
@@ -95,7 +99,7 @@ int mac_main(int argc, char **argv)
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
default:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto err;
case OPT_HELP:
@@ -155,7 +159,7 @@ int mac_main(int argc, char **argv)
int ok = 1;
params = app_params_new_from_opts(opts,
EVP_MAC_settable_ctx_params(mac));
EVP_MAC_settable_ctx_params(mac));
if (params == NULL)
goto err;
+12 -10
@@ -16,23 +16,25 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_TOSEQ, OPT_IN, OPT_OUT,
OPT_TOSEQ,
OPT_IN,
OPT_OUT,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS nseq_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{ "in", OPT_IN, '<', "Input file" },
OPT_SECTION("Output"),
{"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
{"out", OPT_OUT, '>', "Output file"},
{ "toseq", OPT_TOSEQ, '-', "Output NS Sequence file" },
{ "out", OPT_OUT, '>', "Output file" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int nseq_main(int argc, char **argv)
@@ -49,7 +51,7 @@ int nseq_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -97,7 +99,7 @@ int nseq_main(int argc, char **argv)
if (!sk_X509_num(seq->certs)) {
BIO_printf(bio_err, "%s: Error reading certs file %s\n",
prog, infile);
prog, infile);
ERR_print_errors(bio_err);
goto end;
}
@@ -109,7 +111,7 @@ int nseq_main(int argc, char **argv)
seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL);
if (seq == NULL) {
BIO_printf(bio_err, "%s: Error reading sequence file %s\n",
prog, infile);
prog, infile);
ERR_print_errors(bio_err);
goto end;
}
@@ -120,7 +122,7 @@ int nseq_main(int argc, char **argv)
PEM_write_bio_X509(out, x509);
}
ret = 0;
end:
end:
BIO_free(in);
BIO_free_all(out);
NETSCAPE_CERT_SEQUENCE_free(seq);
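Review bot: the result of PEM_write_bio_X509(out, x509) is discarded and `ret = 0;` follows unconditionally, so a failed write to the output BIO still ends with a success exit code. Check the return value and jump to end on failure, with a BIO_printf and ERR_print_errors as the two read-error paths in the earlier hunks do.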
+255 -207
@@ -1,5 +1,5 @@
/*
* Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,8 +10,8 @@
#include <openssl/opensslconf.h>
#ifdef OPENSSL_SYS_VMS
/* So fd_set and friends get properly defined on OpenVMS */
# define _XOPEN_SOURCE_EXTENDED
/* So fd_set and friends get properly defined on OpenVMS */
#define _XOPEN_SOURCE_EXTENDED
#endif
#include <stdio.h>
@@ -44,33 +44,33 @@ int setpgid(pid_t pid, pid_t pgid)
pid_t fork(void)
{
errno = ENOSYS;
return (pid_t) -1;
return (pid_t)-1;
}
#endif
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md);
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout);
int timeout);
static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp);
static char *prog;
@@ -80,131 +80,175 @@ static int index_changed(CA_DB *);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
OPT_OUTFILE,
OPT_TIMEOUT,
OPT_URL,
OPT_HOST,
OPT_PORT,
#ifndef OPENSSL_NO_SOCK
OPT_PROXY, OPT_NO_PROXY,
OPT_PROXY,
OPT_NO_PROXY,
#endif
OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE,
OPT_NOCAPATH, OPT_NOCASTORE,
OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER,
OPT_IGNORE_ERR,
OPT_NOVERIFY,
OPT_NONCE,
OPT_NO_NONCE,
OPT_RESP_NO_CERTS,
OPT_RESP_KEY_ID,
OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY,
OPT_NO_CERT_VERIFY,
OPT_NO_CHAIN,
OPT_NO_CERT_CHECKS,
OPT_NO_EXPLICIT,
OPT_TRUST_OTHER,
OPT_NO_INTERN,
OPT_BADSIG,
OPT_TEXT,
OPT_REQ_TEXT,
OPT_RESP_TEXT,
OPT_REQIN,
OPT_RESPIN,
OPT_SIGNER,
OPT_VAFILE,
OPT_SIGN_OTHER,
OPT_VERIFY_OTHER,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAFILE,
OPT_NOCAPATH,
OPT_NOCASTORE,
OPT_VALIDITY_PERIOD,
OPT_STATUS_AGE,
OPT_SIGNKEY,
OPT_REQOUT,
OPT_RESPOUT,
OPT_PATH,
OPT_ISSUER,
OPT_CERT,
OPT_SERIAL,
OPT_INDEX,
OPT_CA,
OPT_NMIN,
OPT_REQUEST,
OPT_NDAYS,
OPT_RSIGNER,
OPT_RKEY,
OPT_ROTHER,
OPT_RMD,
OPT_RSIGOPT,
OPT_HEADER,
OPT_PASSIN,
OPT_RCID,
OPT_V_ENUM,
OPT_MD,
OPT_MULTI, OPT_PROV_ENUM
OPT_MULTI,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ocsp_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CApath", OPT_CAPATH, '<', "Trusted certificates directory" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
OPT_SECTION("Responder"),
{"timeout", OPT_TIMEOUT, 'p',
"Connection timeout (in seconds) to the OCSP responder"},
{"resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response"},
{ "timeout", OPT_TIMEOUT, 'p',
"Connection timeout (in seconds) to the OCSP responder" },
{ "resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response" },
#ifdef HTTP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
{ "multi", OPT_MULTI, 'p', "run multiple responder processes" },
#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"badsig", OPT_BADSIG, '-',
"Corrupt last byte of loaded OCSP response signature (for test)"},
{"CA", OPT_CA, '<', "CA certificates"},
{"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
{"nrequest", OPT_REQUEST, 'p',
"Number of requests to accept (default unlimited)"},
{"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
{"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
{"sign_other", OPT_SIGN_OTHER, '<',
"Additional certificates to include in signed request"},
{"index", OPT_INDEX, '<', "Certificate status index file"},
{"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
{"rsigner", OPT_RSIGNER, '<',
"Responder certificate to sign responses with"},
{"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
{"passin", OPT_PASSIN, 's', "Responder key pass phrase source"},
{"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
{"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
{"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
{"header", OPT_HEADER, 's', "key=value header to add"},
{"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"},
{"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
{ "no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request" },
{ "badsig", OPT_BADSIG, '-',
"Corrupt last byte of loaded OCSP response signature (for test)" },
{ "CA", OPT_CA, '<', "CA certificates" },
{ "nmin", OPT_NMIN, 'p', "Number of minutes before next update" },
{ "nrequest", OPT_REQUEST, 'p',
"Number of requests to accept (default unlimited)" },
{ "reqin", OPT_REQIN, 's', "File with the DER-encoded request" },
{ "signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with" },
{ "sign_other", OPT_SIGN_OTHER, '<',
"Additional certificates to include in signed request" },
{ "index", OPT_INDEX, '<', "Certificate status index file" },
{ "ndays", OPT_NDAYS, 'p', "Number of days before next update" },
{ "rsigner", OPT_RSIGNER, '<',
"Responder certificate to sign responses with" },
{ "rkey", OPT_RKEY, '<', "Responder key to sign responses with" },
{ "passin", OPT_PASSIN, 's', "Responder key pass phrase source" },
{ "rother", OPT_ROTHER, '<', "Other certificates to include in response" },
{ "rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response" },
{ "rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form" },
{ "header", OPT_HEADER, 's', "key=value header to add" },
{ "rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response" },
{ "", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )" },
OPT_SECTION("Client"),
{"url", OPT_URL, 's', "Responder URL"},
{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
{"port", OPT_PORT, 'N', "Port to run responder on"},
{"path", OPT_PATH, 's', "Path to use in OCSP request"},
{ "url", OPT_URL, 's', "Responder URL" },
{ "host", OPT_HOST, 's', "TCP/IP hostname:port to connect to" },
{ "port", OPT_PORT, 'N', "Port to run responder on" },
{ "path", OPT_PATH, 's', "Path to use in OCSP request" },
#ifndef OPENSSL_NO_SOCK
{"proxy", OPT_PROXY, 's',
"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{ "proxy", OPT_PROXY, 's',
"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored" },
{ "no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for" },
{ OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none" },
#endif
{"out", OPT_OUTFILE, '>', "Output filename"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
{"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate"},
{"text", OPT_TEXT, '-', "Print text form of request and response"},
{"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
{"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate"},
{"no_explicit", OPT_NO_EXPLICIT, '-',
"Do not explicitly check the chain, just verify the root"},
{"trust_other", OPT_TRUST_OTHER, '-',
"Don't verify additional certificates"},
{"no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer"},
{"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
{"verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer"},
{"cert", OPT_CERT, '<',
"Certificate to check; may be given multiple times"},
{"serial", OPT_SERIAL, 's',
"Serial number to check; may be given multiple times"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds"},
{"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
{"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
{"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
{"issuer", OPT_ISSUER, '<', "Issuer certificate"},
{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
{ "out", OPT_OUTFILE, '>', "Output filename" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify response at all" },
{ "nonce", OPT_NONCE, '-', "Add OCSP nonce to request" },
{ "no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request" },
{ "no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response" },
{ "resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID" },
{ "no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate" },
{ "text", OPT_TEXT, '-', "Print text form of request and response" },
{ "req_text", OPT_REQ_TEXT, '-', "Print text form of request" },
{ "resp_text", OPT_RESP_TEXT, '-', "Print text form of response" },
{ "no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response" },
{ "no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate" },
{ "no_explicit", OPT_NO_EXPLICIT, '-',
"Do not explicitly check the chain, just verify the root" },
{ "trust_other", OPT_TRUST_OTHER, '-',
"Don't verify additional certificates" },
{ "no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer" },
{ "respin", OPT_RESPIN, 's', "File with the DER-encoded response" },
{ "VAfile", OPT_VAFILE, '<', "Validator certificates file" },
{ "verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer" },
{ "cert", OPT_CERT, '<',
"Certificate to check; may be given multiple times" },
{ "serial", OPT_SERIAL, 's',
"Serial number to check; may be given multiple times" },
{ "validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds" },
{ "signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with" },
{ "reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request" },
{ "respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response" },
{ "issuer", OPT_ISSUER, '<', "Issuer certificate" },
{ "status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds" },
OPT_V_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int ocsp_main(int argc, char **argv)
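Review bot: the section grouping in ocsp_options does not match the help strings. "port" ("Port to run responder on") is listed under OPT_SECTION("Client"), while "no_certs", "signer" and "sign_other", whose descriptions all refer to the signed request, are listed under OPT_SECTION("Responder"). Moving these entries to the section their text describes would make the -help output consistent with what each option does.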
@@ -253,8 +297,8 @@ int ocsp_main(int argc, char **argv)
OPTION_CHOICE o;
if ((reqnames = sk_OPENSSL_STRING_new_null()) == NULL
|| (ids = sk_OCSP_CERTID_new_null()) == NULL
|| (vpm = X509_VERIFY_PARAM_new()) == NULL)
|| (ids = sk_OCSP_CERTID_new_null()) == NULL
|| (vpm = X509_VERIFY_PARAM_new()) == NULL)
goto end;
opt_set_unknown_name("digest");
@@ -263,7 +307,7 @@ int ocsp_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -284,8 +328,8 @@ int ocsp_main(int argc, char **argv)
OPENSSL_free(tpath);
thost = tport = tpath = NULL;
if (!OSSL_HTTP_parse_url(opt_arg(), &use_ssl, NULL /* userinfo */,
&host, &port, NULL /* port_num */,
&path, NULL /* qry */, NULL /* frag */)) {
&host, &port, NULL /* port_num */,
&path, NULL /* qry */, NULL /* frag */)) {
BIO_printf(bio_err, "%s Error parsing -url argument\n", prog);
goto end;
}
@@ -485,7 +529,7 @@ int ocsp_main(int argc, char **argv)
case OPT_ROTHER:
rcertfile = opt_arg();
break;
case OPT_RMD: /* Response MessageDigest */
case OPT_RMD: /* Response MessageDigest */
respdigname = opt_arg();
break;
case OPT_RSIGOPT:
@@ -513,8 +557,8 @@ int ocsp_main(int argc, char **argv)
case OPT_MD:
if (trailing_md) {
BIO_printf(bio_err,
"%s: Digest must be before -cert or -serial\n",
prog);
"%s: Digest must be before -cert or -serial\n",
prog);
goto opthelp;
}
if (!opt_md(opt_unknown(), &cert_id_md))
@@ -539,7 +583,7 @@ int ocsp_main(int argc, char **argv)
if (trailing_md) {
BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
prog);
prog);
goto opthelp;
}
@@ -591,7 +635,7 @@ int ocsp_main(int argc, char **argv)
goto end;
if (rcertfile != NULL) {
if (!load_certs(rcertfile, 0, &rother, NULL,
"responder other certificates"))
"responder other certificates"))
goto end;
}
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
@@ -599,7 +643,7 @@ int ocsp_main(int argc, char **argv)
goto end;
}
rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL,
"responder private key");
"responder private key");
if (rkey == NULL)
goto end;
}
@@ -607,7 +651,7 @@ int ocsp_main(int argc, char **argv)
if (ridx_filename != NULL
&& (rkey == NULL || rsigner == NULL || rca_certs == NULL)) {
BIO_printf(bio_err,
"Responder mode requires certificate, key, and CA.\n");
"Responder mode requires certificate, key, and CA.\n");
goto end;
}
@@ -631,7 +675,7 @@ int ocsp_main(int argc, char **argv)
if (acbio != NULL)
trace_log_message(-1, prog,
LOG_INFO, "waiting for OCSP client connections...");
LOG_INFO, "waiting for OCSP client connections...");
redo_accept:
@@ -646,8 +690,8 @@ int ocsp_main(int argc, char **argv)
} else {
free_index(newrdb);
trace_log_message(-1, prog,
LOG_ERR, "error reloading updated index: %s",
ridx_filename);
LOG_ERR, "error reloading updated index: %s",
ridx_filename);
}
}
#endif
@@ -659,9 +703,8 @@ int ocsp_main(int argc, char **argv)
if (req == NULL) {
if (res == 1) {
resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
if (resp != NULL)
send_ocsp_response(cbio, resp);
}
@@ -691,16 +734,16 @@ int ocsp_main(int argc, char **argv)
}
if (sign_certfile != NULL) {
if (!load_certs(sign_certfile, 0, &sign_other, NULL,
"signer certificates"))
"signer certificates"))
goto end;
}
key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL,
"signer private key");
"signer private key");
if (key == NULL)
goto end;
if (!OCSP_request_sign(req, signer, key, NULL,
sign_other, sign_flags)) {
sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
@@ -723,8 +766,8 @@ int ocsp_main(int argc, char **argv)
if (rdb != NULL) {
make_ocsp_response(bio_err, &resp, req, rdb, rca_certs, rsigner, rkey,
rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
badsig, resp_certid_md);
rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
badsig, resp_certid_md);
if (resp == NULL)
goto end;
if (cbio != NULL)
@@ -732,12 +775,12 @@ int ocsp_main(int argc, char **argv)
} else if (host != NULL) {
#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
use_ssl, headers, req_timeout);
use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported\n");
"Error creating connect BIO - sockets not supported\n");
goto end;
#endif
} else if (respin != NULL) {
@@ -755,7 +798,7 @@ int ocsp_main(int argc, char **argv)
goto end;
}
done_resp:
done_resp:
if (respout != NULL) {
derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
@@ -769,7 +812,7 @@ int ocsp_main(int argc, char **argv)
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
OCSP_response_status_str(i), i);
if (!ignore_err)
goto end;
}
@@ -800,7 +843,7 @@ int ocsp_main(int argc, char **argv)
if (store == NULL) {
store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore);
CAstore, noCAstore);
if (!store)
goto end;
}
@@ -808,7 +851,7 @@ int ocsp_main(int argc, char **argv)
X509_STORE_set1_param(store, vpm);
if (verify_certfile != NULL) {
if (!load_certs(verify_certfile, 0, &verify_other, NULL,
"validator certificates"))
"validator certificates"))
goto end;
}
@@ -849,7 +892,7 @@ int ocsp_main(int argc, char **argv)
if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
ret = 1;
end:
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
@@ -904,8 +947,8 @@ static int index_changed(CA_DB *rdb)
#endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
{
OCSP_CERTID *id;
@@ -924,14 +967,14 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
goto err;
return 1;
err:
err:
BIO_printf(bio_err, "Error Creating OCSP request\n");
return 0;
}
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids)
{
OCSP_CERTID *id;
const X509_NAME *iname;
@@ -961,15 +1004,15 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
goto err;
return 1;
err:
err:
BIO_printf(bio_err, "Error Creating OCSP request\n");
return 0;
}
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
{
OCSP_CERTID *id;
const char *name;
@@ -989,7 +1032,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
BIO_printf(out, "%s: ", name);
if (!OCSP_resp_find_status(bs, id, &status, &reason,
&rev, &thisupd, &nextupd)) {
&rev, &thisupd, &nextupd)) {
BIO_puts(out, "ERROR: No Status found.\n");
ret = 0;
continue;
@@ -1029,12 +1072,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
}
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md)
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig,
const EVP_MD *resp_md)
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid;
@@ -1046,8 +1089,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
id_count = OCSP_request_onereq_count(req);
if (id_count <= 0) {
*resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
goto end;
}
@@ -1079,13 +1121,19 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
if (cert_id_md == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) {
X509 *ca_cert = sk_X509_value(ca, jj);
OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert);
if (ca_id == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
goto end;
}
if (OCSP_id_issuer_cmp(ca_id, cid) == 0) {
found = 1;
if (resp_md != NULL)
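Review bot: the new `if (ca_id == NULL)` branch after OCSP_cert_to_id returns OCSP_RESPONSE_STATUS_INTERNALERROR without writing anything to err, so an operator cannot tell this failure from the cert_id_md == NULL case just above it. The sigopt failure path in a later hunk prints a message and calls ERR_print_errors before creating the same response; doing the same here would make the cause visible in the responder log. The check itself is needed, since ca_id is handed to OCSP_id_issuer_cmp on the next line.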
@@ -1101,18 +1149,18 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
if (!found) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
continue;
}
if (inf == NULL) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd);
} else if (inf[DB_type][0] == DB_TYPE_VAL) {
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_GOOD,
0, NULL, thisupd, nextupd);
V_OCSP_CERTSTATUS_GOOD,
0, NULL, thisupd, nextupd);
} else if (inf[DB_type][0] == DB_TYPE_REV) {
ASN1_OBJECT *inst = NULL;
ASN1_TIME *revtm = NULL;
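Review bot: the three OCSP_basic_add1_status calls for V_OCSP_CERTSTATUS_UNKNOWN and V_OCSP_CERTSTATUS_GOOD ignore the return value. The REVOKED branch in the next hunk tests `single == NULL` and answers with OCSP_RESPONSE_STATUS_INTERNALERROR; without the same test here, a failed add can still end in a response created with OCSP_RESPONSE_STATUS_SUCCESSFUL that carries no status for that cid. Apply the same NULL check to all three calls.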
@@ -1122,20 +1170,20 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
single = OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm, thisupd, nextupd);
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm, thisupd, nextupd);
if (single == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
if (invtm != NULL)
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
invtm, 0, 0);
invtm, 0, 0);
else if (inst != NULL)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_hold_instruction_code, inst,
0, 0);
NID_hold_instruction_code, inst,
0, 0);
ASN1_OBJECT_free(inst);
ASN1_TIME_free(revtm);
ASN1_GENERALIZEDTIME_free(invtm);
@@ -1157,7 +1205,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
BIO_printf(err, "parameter error \"%s\"\n", sigopt);
ERR_print_errors(bio_err);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
NULL);
goto end;
}
}
@@ -1173,7 +1221,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
end:
end:
EVP_MD_CTX_free(mctx);
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
@@ -1188,8 +1236,8 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
for (i = 0; i < DB_NUMBER; i++)
row[i] = NULL;
bn = ASN1_INTEGER_to_BN(ser, NULL);
OPENSSL_assert(bn); /* FIXME: should report an error at this
* point and abort */
OPENSSL_assert(bn); /* FIXME: should report an error at this
* point and abort */
if (BN_is_zero(bn)) {
itmp = OPENSSL_strdup("00");
OPENSSL_assert(itmp);
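Review bot: OPENSSL_assert(bn) and OPENSSL_assert(itmp) in lookup_serial terminate the process when ASN1_INTEGER_to_BN or OPENSSL_strdup fails, and the FIXME that says an error should be reported instead is carried over unchanged. For a long-running responder an abort on allocation failure is a poor outcome; propagate the failure to the caller so that make_ocsp_response can answer with OCSP_RESPONSE_STATUS_INTERNALERROR, as it already does on its other error paths.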
@@ -1204,16 +1252,16 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
}
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout)
int timeout)
{
#ifndef OPENSSL_NO_SOCK
return http_server_get_asn1_req(ASN1_ITEM_rptr(OCSP_REQUEST),
(ASN1_VALUE **)preq, NULL, pcbio, acbio,
NULL /* found_keep_alive */,
prog, 1 /* accept_get */, timeout);
(ASN1_VALUE **)preq, NULL, pcbio, acbio,
NULL /* found_keep_alive */,
prog, 1 /* accept_get */, timeout);
#else
BIO_printf(bio_err,
"Error getting OCSP request - sockets not supported\n");
"Error getting OCSP request - sockets not supported\n");
*preq = NULL;
return 0;
#endif
@@ -1223,23 +1271,23 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
{
#ifndef OPENSSL_NO_SOCK
return http_server_send_asn1_resp(prog, cbio,
0 /* no keep-alive */,
"application/ocsp-response",
ASN1_ITEM_rptr(OCSP_RESPONSE),
(const ASN1_VALUE *)resp);
0 /* no keep-alive */,
"application/ocsp-response",
ASN1_ITEM_rptr(OCSP_RESPONSE),
(const ASN1_VALUE *)resp);
#else
BIO_printf(bio_err,
"Error sending OCSP response - sockets not supported\n");
"Error sending OCSP response - sockets not supported\n");
return 0;
#endif
}
#ifndef OPENSSL_NO_SOCK
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
const char *port, const char *path,
const char *proxy, const char *no_proxy,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
SSL_CTX *ctx = NULL;
OCSP_RESPONSE *resp = NULL;
@@ -1254,15 +1302,15 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
resp = (OCSP_RESPONSE *)
app_http_post_asn1(host, port, path, proxy, no_proxy,
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
if (resp == NULL)
BIO_printf(bio_err, "Error querying OCSP responder\n");
end:
end:
SSL_CTX_free(ctx);
return resp;
}
+35 -31
View File
@@ -21,12 +21,12 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#include <openssl/engine.h>
#endif
#include <openssl/err.h>
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>
#include <unixio.h>
#endif
#include "apps.h"
#include "progs.h"
@@ -49,7 +49,7 @@ static void warn_deprecated(const FUNCTION *fp)
{
if (fp->deprecated_version != NULL)
BIO_printf(bio_err, "The command %s was deprecated in version %s.",
fp->name, fp->deprecated_version);
fp->name, fp->deprecated_version);
else
BIO_printf(bio_err, "The command %s is deprecated.", fp->name);
if (strcmp(fp->deprecated_alternative, DEPRECATED_NO_ALTERNATIVE) != 0)
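Review bot: In `warn_deprecated()`, `fp->deprecated_version` is tested against NULL before use, but `fp->deprecated_alternative` goes straight into `strcmp()` on the last line of this hunk. If every deprecated entry is guaranteed a non-NULL alternative, say so next to the `FUNCTION` definition; otherwise guard the call. The change here only re-indents the `BIO_printf` continuation, so the asymmetry survives the reformat unnoticed.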
@@ -66,7 +66,8 @@ static int apps_startup(void)
/* Set non-default library initialisation settings */
if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN
| OPENSSL_INIT_LOAD_CONFIG, NULL))
| OPENSSL_INIT_LOAD_CONFIG,
NULL))
return 0;
(void)setup_ui_method();
@@ -96,15 +97,14 @@ static void apps_shutdown(void)
destroy_ui_method();
}
#ifndef OPENSSL_NO_TRACE
typedef struct tracedata_st {
BIO *bio;
unsigned int ingroup:1;
unsigned int ingroup : 1;
} tracedata;
static size_t internal_trace_cb(const char *buf, size_t cnt,
int category, int cmd, void *vdata)
int category, int cmd, void *vdata)
{
int ret = 0;
tracedata *trace_data = vdata;
@@ -122,8 +122,8 @@ static size_t internal_trace_cb(const char *buf, size_t cnt,
tid = CRYPTO_THREAD_get_current_id();
hex = OPENSSL_buf2hexstr((const unsigned char *)&tid, sizeof(tid));
BIO_snprintf(buffer, sizeof(buffer), "TRACE[%s]:%s: ",
hex == NULL ? "<null>" : hex,
OSSL_trace_get_category_name(category));
hex == NULL ? "<null>" : hex,
OSSL_trace_get_category_name(category));
OPENSSL_free(hex);
BIO_set_prefix(trace_data->bio, buffer);
break;
@@ -181,12 +181,13 @@ static void setup_trace_category(int category)
|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
trace_data)
== 0
|| sk_tracedata_push(trace_data_stack, trace_data) == 0) {
fprintf(stderr,
"warning: unable to setup trace callback for category '%s'.\n",
OSSL_trace_get_category_name(category));
"warning: unable to setup trace callback for category '%s'.\n",
OSSL_trace_get_category_name(category));
OSSL_trace_set_callback(category, NULL, NULL);
BIO_free_all(channel);
@@ -222,7 +223,7 @@ static void setup_trace(const char *str)
setup_trace_category(category);
} else {
fprintf(stderr,
"warning: unknown trace category: '%s'.\n", item);
"warning: unknown trace category: '%s'.\n", item);
}
}
}
@@ -265,10 +266,10 @@ int main(int argc, char *argv[])
#endif
if ((fname = "apps_startup", !apps_startup())
|| (fname = "prog_init", (prog = prog_init()) == NULL)) {
|| (fname = "prog_init", (prog = prog_init()) == NULL)) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: %s()) for %s\n",
fname, argv[0]);
"FATAL: Startup failure (dev note: %s()) for %s\n",
fname, argv[0]);
ERR_print_errors(bio_err);
ret = 1;
goto end;
@@ -293,7 +294,8 @@ int main(int argc, char *argv[])
argc--;
argv++;
opt_appname(argc == 1 || global_help ? "help" : global_version ? "version" : argv[0]);
opt_appname(argc == 1 || global_help ? "help" : global_version ? "version"
: argv[0]);
} else {
argv[0] = pname;
}
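Review bot: The reflowed `opt_appname(...)` call breaks a nested conditional so that `: argv[0]` sits alone on the continuation line, which hides that the chain selects between `"help"`, `"version"` and `argv[0]`. Parenthesise the inner `global_version ? "version" : argv[0]`, or compute the name into a local before the call, so the three arms are readable without counting colons.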
@@ -302,13 +304,13 @@ int main(int argc, char *argv[])
* If there's no command, assume "help". If there's an override for help
* or version run those, otherwise run the command given.
*/
ret = (argc == 0) || global_help
? do_cmd(prog, 1, help_argv)
: global_version
? do_cmd(prog, 1, version_argv)
: do_cmd(prog, argc, argv);
ret = (argc == 0) || global_help
? do_cmd(prog, 1, help_argv)
: global_version
? do_cmd(prog, 1, version_argv)
: do_cmd(prog, argc, argv);
end:
end:
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
@@ -323,18 +325,20 @@ int main(int argc, char *argv[])
}
typedef enum HELP_CHOICE {
OPT_hERR = -1, OPT_hEOF = 0, OPT_hHELP
OPT_hERR = -1,
OPT_hEOF = 0,
OPT_hHELP
} HELP_CHOICE;
const OPTIONS help_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: help [options] [command]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: help [options] [command]\n" },
OPT_SECTION("General"),
{"help", OPT_hHELP, '-', "Display this summary"},
{ "help", OPT_hHELP, '-', "Display this summary" },
OPT_PARAMETERS(),
{"command", 0, 0, "Name of command to display help (optional)"},
{NULL}
{ "command", 0, 0, "Name of command to display help (optional)" },
{ NULL }
};
int help_main(int argc, char **argv)
@@ -389,11 +393,11 @@ int help_main(int argc, char **argv)
if (tp == FT_md) {
i = 1;
BIO_printf(bio_err,
"\nMessage Digest commands (see the `dgst' command for more details)\n");
"\nMessage Digest commands (see the `dgst' command for more details)\n");
} else if (tp == FT_cipher) {
i = 1;
BIO_printf(bio_err,
"\nCipher commands (see the `enc' command for more details)\n");
"\nCipher commands (see the `enc' command for more details)\n");
}
}
BIO_printf(bio_err, "%-*s", dc.width, fp->name);
@@ -442,7 +446,7 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
}
BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n",
argv[0]);
argv[0]);
return 1;
}
+128 -122
View File
@@ -17,7 +17,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# include <openssl/des.h>
#include <openssl/des.h>
#endif
#include <openssl/md5.h>
#include <openssl/sha.h>
@@ -46,48 +46,58 @@ typedef enum {
} passwd_modes;
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode);
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN,
OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
OPT_1, OPT_5, OPT_6, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_NOVERIFY,
OPT_QUIET,
OPT_TABLE,
OPT_REVERSE,
OPT_APR1,
OPT_1,
OPT_5,
OPT_6,
OPT_AIXMD5,
OPT_SALT,
OPT_STDIN,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS passwd_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [password]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [password]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Read passwords from file"},
{"noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal"},
{"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
{ "in", OPT_IN, '<', "Read passwords from file" },
{ "noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal" },
{ "stdin", OPT_STDIN, '-', "Read passwords from stdin" },
OPT_SECTION("Output"),
{"quiet", OPT_QUIET, '-', "No warnings"},
{"table", OPT_TABLE, '-', "Format output as table"},
{"reverse", OPT_REVERSE, '-', "Switch table columns"},
{ "quiet", OPT_QUIET, '-', "No warnings" },
{ "table", OPT_TABLE, '-', "Format output as table" },
{ "reverse", OPT_REVERSE, '-', "Switch table columns" },
OPT_SECTION("Cryptographic"),
{"salt", OPT_SALT, 's', "Use provided salt"},
{"6", OPT_6, '-', "SHA512-based password algorithm"},
{"5", OPT_5, '-', "SHA256-based password algorithm"},
{"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
{"1", OPT_1, '-', "MD5-based password algorithm"},
{"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"},
{ "salt", OPT_SALT, 's', "Use provided salt" },
{ "6", OPT_6, '-', "SHA512-based password algorithm" },
{ "5", OPT_5, '-', "SHA256-based password algorithm" },
{ "apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant" },
{ "1", OPT_1, '-', "MD5-based password algorithm" },
{ "aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"password", 0, 0, "Password text to digest (optional)"},
{NULL}
{ "password", 0, 0, "Password text to digest (optional)" },
{ NULL }
};
int passwd_main(int argc, char **argv)
@@ -112,7 +122,7 @@ int passwd_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -223,8 +233,7 @@ int passwd_main(int argc, char **argv)
passwd_malloc_size = pw_maxlen + 2;
/* longer than necessary so that we can warn about truncation */
passwd = passwd_malloc =
app_malloc(passwd_malloc_size, "password buffer");
passwd = passwd_malloc = app_malloc(passwd_malloc_size, "password buffer");
}
if ((in == NULL) && (passwds == NULL)) {
@@ -240,9 +249,9 @@ int passwd_main(int argc, char **argv)
passwds = passwds_static;
if (in == NULL) {
if (EVP_read_pw_string
(passwd_malloc, passwd_malloc_size, "Password: ",
!(passed_salt || in_noverify)) != 0)
if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ",
!(passed_salt || in_noverify))
!= 0)
goto end;
}
passwds[0] = passwd_malloc;
@@ -257,10 +266,10 @@ int passwd_main(int argc, char **argv)
assert(passwds != NULL);
assert(*passwds != NULL);
do { /* loop over list of passwords */
do { /* loop over list of passwords */
passwd = *passwds++;
if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
quiet, table, reverse, pw_maxlen, mode))
quiet, table, reverse, pw_maxlen, mode))
goto end;
} while (*passwds != NULL);
} else {
@@ -273,7 +282,7 @@ int passwd_main(int argc, char **argv)
if (r > 0) {
char *c = (strchr(passwd, '\n'));
if (c != NULL) {
*c = 0; /* truncate at newline */
*c = 0; /* truncate at newline */
} else {
/* ignore rest of line */
char trash[BUFSIZ];
@@ -282,9 +291,8 @@ int passwd_main(int argc, char **argv)
while ((r > 0) && (!strchr(trash, '\n')));
}
if (!do_passwd
(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
table, reverse, pw_maxlen, mode))
if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
table, reverse, pw_maxlen, mode))
goto end;
}
done = (r <= 0);
@@ -292,7 +300,7 @@ int passwd_main(int argc, char **argv)
}
ret = 0;
end:
end:
#if 0
ERR_print_errors(bio_err);
#endif
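Review bot: The `end:` path in `passwd_main()` still carries `ERR_print_errors(bio_err)` inside `#if 0`, so the error queue is not printed at this point when the command fails. The label line is being touched anyway; either drop the dead block or enable it, rather than carrying disabled code through a formatting pass.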
@@ -316,8 +324,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
/* "$apr1$..salt..$.......md5hash..........\0" */
static char out_buf[6 + 9 + 24 + 2];
unsigned char buf[MD5_DIGEST_LENGTH];
char ascii_magic[5]; /* "apr1" plus '\0' */
char ascii_salt[9]; /* Max 8 chars plus '\0' */
char ascii_magic[5]; /* "apr1" plus '\0' */
char ascii_salt[9]; /* Max 8 chars plus '\0' */
char *ascii_passwd = NULL;
char *salt_out;
int n;
@@ -331,7 +339,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
magic_len = strlen(magic);
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
@@ -353,7 +361,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (magic_len > 0) {
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
if (magic_len > 4) /* assert it's "1" or "apr1" */
if (magic_len > 4) /* assert it's "1" or "apr1" */
goto err;
OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf));
@@ -381,7 +389,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestUpdate(md, ascii_dollar, 1)
|| !EVP_DigestUpdate(md, ascii_magic, magic_len)
|| !EVP_DigestUpdate(md, ascii_dollar, 1))
goto err;
goto err;
if (!EVP_DigestUpdate(md, ascii_salt, salt_len))
goto err;
@@ -415,8 +423,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(i & 1) ? (const unsigned char *)passwd : buf,
(i & 1) ? passwd_len : sizeof(buf)))
(i & 1) ? (const unsigned char *)passwd : buf,
(i & 1) ? passwd_len : sizeof(buf)))
goto err;
if (i % 3) {
if (!EVP_DigestUpdate(md2, ascii_salt, salt_len))
@@ -427,11 +435,11 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
goto err;
}
if (!EVP_DigestUpdate(md2,
(i & 1) ? buf : (const unsigned char *)passwd,
(i & 1) ? sizeof(buf) : passwd_len))
goto err;
(i & 1) ? buf : (const unsigned char *)passwd,
(i & 1) ? sizeof(buf) : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -446,14 +454,14 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
/* silly output permutation */
for (dest = 0, source = 0; dest < 14;
dest++, source = (source + 6) % 17)
dest++, source = (source + 6) % 17)
buf_perm[dest] = buf[source];
buf_perm[14] = buf[5];
buf_perm[15] = buf[11];
# ifndef PEDANTIC /* Unfortunately, this generates a "no
* effect" warning */
#ifndef PEDANTIC /* Unfortunately, this generates a "no \
* effect" warning */
assert(16 == sizeof(buf_perm));
# endif
#endif
output = salt_out + salt_len;
assert(output == out_buf + strlen(out_buf));
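Review bot: The new `#ifndef PEDANTIC` line ends its trailing comment with a backslash (`"no \`), which the old `# ifndef` line did not have. A backslash-newline inside a block comment is spliced away before the comment is parsed, so the result compiles the same, but it reads like a macro continuation and is a formatter artifact. Move the comment to its own line above the `#ifndef` so the directive carries no continuation.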
@@ -462,10 +470,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
for (i = 0; i < 15; i += 3) {
*output++ = cov_2char[buf_perm[i + 2] & 0x3f];
*output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
(buf_perm[i + 2] >> 6)];
*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
(buf_perm[i + 1] >> 4)];
*output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) | (buf_perm[i + 2] >> 6)];
*output++ = cov_2char[((buf_perm[i] & 3) << 4) | (buf_perm[i + 1] >> 4)];
*output++ = cov_2char[buf_perm[i] >> 2];
}
assert(i == 15);
@@ -480,7 +486,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
return out_buf;
err:
err:
OPENSSL_free(ascii_passwd);
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -497,13 +503,13 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
/* Prefix for optional rounds specification. */
static const char rounds_prefix[] = "rounds=";
/* Maximum salt string length. */
# define SALT_LEN_MAX 16
#define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified. */
# define ROUNDS_DEFAULT 5000
#define ROUNDS_DEFAULT 5000
/* Minimum number of rounds. */
# define ROUNDS_MIN 1000
#define ROUNDS_MIN 1000
/* Maximum number of rounds. */
# define ROUNDS_MAX 999999999
#define ROUNDS_MAX 999999999
/* "$6$rounds=<N>$......salt......$...shahash(up to 86 chars)...\0" */
static char out_buf[3 + 17 + 17 + 86 + 1];
@@ -511,13 +517,13 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
unsigned char temp_buf[SHA512_DIGEST_LENGTH];
size_t buf_size = 0;
char ascii_magic[2];
char ascii_salt[17]; /* Max 16 chars plus '\0' */
char ascii_salt[17]; /* Max 16 chars plus '\0' */
char *ascii_passwd = NULL;
size_t n;
EVP_MD_CTX *md = NULL, *md2 = NULL;
const EVP_MD *sha = NULL;
size_t passwd_len, salt_len, magic_len;
unsigned int rounds = ROUNDS_DEFAULT; /* Default */
unsigned int rounds = ROUNDS_DEFAULT; /* Default */
char rounds_custom = 0;
char *p_bytes = NULL;
char *s_bytes = NULL;
@@ -546,7 +552,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
if (strncmp(salt, rounds_prefix, sizeof(rounds_prefix) - 1) == 0) {
const char *num = salt + sizeof(rounds_prefix) - 1;
char *endp;
unsigned long int srounds = strtoul (num, &endp, 10);
unsigned long int srounds = strtoul(num, &endp, 10);
if (*endp == '$') {
salt = endp + 1;
if (srounds > ROUNDS_MAX)
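Review bot: The `rounds=` parser accepts whatever `strtoul()` returns as long as `*endp == '$'`; the lines shown never check `endp != num`, so a salt of the form `rounds=$...` yields `srounds == 0`, and `strtoul()` also accepts leading whitespace and a sign. Require that the first character of `num` is a digit and that at least one digit was consumed before applying the `ROUNDS_MAX` comparison. The change itself only removes the space in `strtoul (`.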
@@ -563,7 +569,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
@@ -592,7 +598,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
BIO_snprintf(tmp_buf, sizeof(tmp_buf), "rounds=%u", rounds);
#ifdef CHARSET_EBCDIC
/* In case we're really on a ASCII based platform and just pretend */
if (tmp_buf[0] != 0x72) /* ASCII 'r' */
if (tmp_buf[0] != 0x72) /* ASCII 'r' */
ebcdic2ascii(tmp_buf, tmp_buf, strlen(tmp_buf));
#endif
OPENSSL_strlcat(out_buf, tmp_buf, sizeof(out_buf));
@@ -630,8 +636,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
n = passwd_len;
while (n) {
if (!EVP_DigestUpdate(md,
(n & 1) ? buf : (const unsigned char *)passwd,
(n & 1) ? buf_size : passwd_len))
(n & 1) ? buf : (const unsigned char *)passwd,
(n & 1) ? buf_size : passwd_len))
goto err;
n >>= 1;
}
@@ -676,8 +682,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
if (!EVP_DigestInit_ex(md2, sha, NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(n & 1) ? (const unsigned char *)p_bytes : buf,
(n & 1) ? passwd_len : buf_size))
(n & 1) ? (const unsigned char *)p_bytes : buf,
(n & 1) ? passwd_len : buf_size))
goto err;
if (n % 3) {
if (!EVP_DigestUpdate(md2, s_bytes, salt_len))
@@ -688,11 +694,11 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;
}
if (!EVP_DigestUpdate(md2,
(n & 1) ? buf : (const unsigned char *)p_bytes,
(n & 1) ? buf_size : passwd_len))
goto err;
(n & 1) ? buf : (const unsigned char *)p_bytes,
(n & 1) ? buf_size : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
@@ -706,53 +712,53 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
cp = out_buf + strlen(out_buf);
*cp++ = ascii_dollar[0];
# define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int i = (N); \
while (i-- > 0) { \
*cp++ = cov_2char[w & 0x3f]; \
w >>= 6; \
} \
#define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int i = (N); \
while (i-- > 0) { \
*cp++ = cov_2char[w & 0x3f]; \
w >>= 6; \
} \
} while (0)
switch (magic[0]) {
case '5':
b64_from_24bit (buf[0], buf[10], buf[20], 4);
b64_from_24bit (buf[21], buf[1], buf[11], 4);
b64_from_24bit (buf[12], buf[22], buf[2], 4);
b64_from_24bit (buf[3], buf[13], buf[23], 4);
b64_from_24bit (buf[24], buf[4], buf[14], 4);
b64_from_24bit (buf[15], buf[25], buf[5], 4);
b64_from_24bit (buf[6], buf[16], buf[26], 4);
b64_from_24bit (buf[27], buf[7], buf[17], 4);
b64_from_24bit (buf[18], buf[28], buf[8], 4);
b64_from_24bit (buf[9], buf[19], buf[29], 4);
b64_from_24bit (0, buf[31], buf[30], 3);
b64_from_24bit(buf[0], buf[10], buf[20], 4);
b64_from_24bit(buf[21], buf[1], buf[11], 4);
b64_from_24bit(buf[12], buf[22], buf[2], 4);
b64_from_24bit(buf[3], buf[13], buf[23], 4);
b64_from_24bit(buf[24], buf[4], buf[14], 4);
b64_from_24bit(buf[15], buf[25], buf[5], 4);
b64_from_24bit(buf[6], buf[16], buf[26], 4);
b64_from_24bit(buf[27], buf[7], buf[17], 4);
b64_from_24bit(buf[18], buf[28], buf[8], 4);
b64_from_24bit(buf[9], buf[19], buf[29], 4);
b64_from_24bit(0, buf[31], buf[30], 3);
break;
case '6':
b64_from_24bit (buf[0], buf[21], buf[42], 4);
b64_from_24bit (buf[22], buf[43], buf[1], 4);
b64_from_24bit (buf[44], buf[2], buf[23], 4);
b64_from_24bit (buf[3], buf[24], buf[45], 4);
b64_from_24bit (buf[25], buf[46], buf[4], 4);
b64_from_24bit (buf[47], buf[5], buf[26], 4);
b64_from_24bit (buf[6], buf[27], buf[48], 4);
b64_from_24bit (buf[28], buf[49], buf[7], 4);
b64_from_24bit (buf[50], buf[8], buf[29], 4);
b64_from_24bit (buf[9], buf[30], buf[51], 4);
b64_from_24bit (buf[31], buf[52], buf[10], 4);
b64_from_24bit (buf[53], buf[11], buf[32], 4);
b64_from_24bit (buf[12], buf[33], buf[54], 4);
b64_from_24bit (buf[34], buf[55], buf[13], 4);
b64_from_24bit (buf[56], buf[14], buf[35], 4);
b64_from_24bit (buf[15], buf[36], buf[57], 4);
b64_from_24bit (buf[37], buf[58], buf[16], 4);
b64_from_24bit (buf[59], buf[17], buf[38], 4);
b64_from_24bit (buf[18], buf[39], buf[60], 4);
b64_from_24bit (buf[40], buf[61], buf[19], 4);
b64_from_24bit (buf[62], buf[20], buf[41], 4);
b64_from_24bit (0, 0, buf[63], 2);
b64_from_24bit(buf[0], buf[21], buf[42], 4);
b64_from_24bit(buf[22], buf[43], buf[1], 4);
b64_from_24bit(buf[44], buf[2], buf[23], 4);
b64_from_24bit(buf[3], buf[24], buf[45], 4);
b64_from_24bit(buf[25], buf[46], buf[4], 4);
b64_from_24bit(buf[47], buf[5], buf[26], 4);
b64_from_24bit(buf[6], buf[27], buf[48], 4);
b64_from_24bit(buf[28], buf[49], buf[7], 4);
b64_from_24bit(buf[50], buf[8], buf[29], 4);
b64_from_24bit(buf[9], buf[30], buf[51], 4);
b64_from_24bit(buf[31], buf[52], buf[10], 4);
b64_from_24bit(buf[53], buf[11], buf[32], 4);
b64_from_24bit(buf[12], buf[33], buf[54], 4);
b64_from_24bit(buf[34], buf[55], buf[13], 4);
b64_from_24bit(buf[56], buf[14], buf[35], 4);
b64_from_24bit(buf[15], buf[36], buf[57], 4);
b64_from_24bit(buf[37], buf[58], buf[16], 4);
b64_from_24bit(buf[59], buf[17], buf[38], 4);
b64_from_24bit(buf[18], buf[39], buf[60], 4);
b64_from_24bit(buf[40], buf[61], buf[19], 4);
b64_from_24bit(buf[62], buf[20], buf[41], 4);
b64_from_24bit(0, 0, buf[63], 2);
break;
default:
goto err;
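Review bot: `b64_from_24bit` advances `cp` with `*cp++ = ...` and takes both `cp` and `cov_2char` from the enclosing scope, with nothing in the macro bounding the writes. The `'6'` arm emits 21 groups of 4 plus one of 2 (86 characters) and the `'5'` arm 10 groups of 4 plus one of 3 (43 characters), so the output fits only while these call lists stay in step with the `out_buf` declaration earlier in the function. An `assert` on `cp - out_buf` once the `switch` is done, or passing the cursor as a macro argument, would make that dependency explicit.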
@@ -764,7 +770,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
return out_buf;
err:
err:
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
OPENSSL_free(p_bytes);
@@ -774,8 +780,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
}
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode)
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode)
{
char *hash = NULL;
@@ -803,10 +809,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
for (i = 0; i < saltlen; i++)
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
(*salt_p)[i] = 0;
# ifdef CHARSET_EBCDIC
#ifdef CHARSET_EBCDIC
/* The password encryption function will convert back to ASCII */
ascii2ebcdic(*salt_p, *salt_p, saltlen);
# endif
#endif
}
assert(*salt_p != NULL);
@@ -818,8 +824,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
* XXX: really we should know how to print a size_t, not cast it
*/
BIO_printf(bio_err,
"Warning: truncating password to %u characters\n",
(unsigned)pw_maxlen);
"Warning: truncating password to %u characters\n",
(unsigned)pw_maxlen);
passwd[pw_maxlen] = 0;
}
assert(strlen(passwd) <= pw_maxlen);
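Review bot: The truncation warning still prints `pw_maxlen` through `%u` with an `(unsigned)` cast, and the `XXX` comment directly above it admits the cast is a workaround. Where `size_t` is wider than `unsigned`, the printed limit can differ from the index used in `passwd[pw_maxlen] = 0`. Print the value with a `size_t` conversion and drop both the cast and the `XXX` comment.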
@@ -841,6 +847,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
BIO_printf(out, "%s\n", hash);
return 1;
end:
end:
return 0;
}
+205 -164
View File
@@ -1,5 +1,5 @@
/*
* Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -23,11 +23,11 @@
#include <openssl/kdf.h>
#include <openssl/rand.h>
#define NOKEYS 0x1
#define NOCERTS 0x2
#define INFO 0x4
#define CLCERTS 0x8
#define CACERTS 0x10
#define NOKEYS 0x1
#define NOCERTS 0x2
#define INFO 0x4
#define CLCERTS 0x8
#define CACERTS 0x10
#define PASSWD_BUF_SIZE 2048
@@ -37,20 +37,20 @@
BIO_printf(bio_err, "Warning: -%s option ignored without -export\n", opt);
static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain);
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain);
int dump_certs_keys_p12(BIO *out, const PKCS12 *p12,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc);
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
void print_attribute(BIO *out, const ASN1_TYPE *av);
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
static int alg_print(const X509_ALGOR *alg);
int cert_load(BIO *in, STACK_OF(X509) *sk);
@@ -59,18 +59,58 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
OPT_CIPHER,
OPT_NOKEYS,
OPT_KEYEX,
OPT_KEYSIG,
OPT_NOCERTS,
OPT_CLCERTS,
OPT_CACERTS,
OPT_NOOUT,
OPT_INFO,
OPT_CHAIN,
OPT_TWOPASS,
OPT_NOMACVER,
#ifndef OPENSSL_NO_DES
OPT_DESCERT,
#endif
OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_MACSALTLEN,
OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS,
OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD,
OPT_EXPORT,
OPT_ITER,
OPT_NOITER,
OPT_MACITER,
OPT_NOMACITER,
OPT_MACSALTLEN,
OPT_NOMAC,
OPT_LMK,
OPT_NODES,
OPT_NOENC,
OPT_MACALG,
OPT_CERTPBE,
OPT_KEYPBE,
OPT_INKEY,
OPT_CERTFILE,
OPT_UNTRUSTED,
OPT_PASSCERTS,
OPT_NAME,
OPT_CSP,
OPT_CANAME,
OPT_IN,
OPT_OUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_PASSWORD,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_JDKTRUST,
OPT_PBMAC1_PBKDF2,
OPT_PBMAC1_PBKDF2_MD,
#ifndef OPENSSL_NO_DES
OPT_LEGACY_ALG
#endif
@@ -78,85 +118,85 @@ typedef enum OPTION_choice {
const OPTIONS pkcs12_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"password", OPT_PASSWORD, 's', "Set PKCS#12 import/export password source"},
{"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
{"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
{"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
{"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "in", OPT_IN, '<', "Input file" },
{ "out", OPT_OUT, '>', "Output file" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "password", OPT_PASSWORD, 's', "Set PKCS#12 import/export password source" },
{ "twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords" },
{ "nokeys", OPT_NOKEYS, '-', "Don't output private keys" },
{ "nocerts", OPT_NOCERTS, '-', "Don't output certificates" },
{ "noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input" },
#ifndef OPENSSL_NO_DES
{"legacy", OPT_LEGACY_ALG, '-',
# ifdef OPENSSL_NO_RC2
"Use legacy encryption algorithm 3DES_CBC for keys and certs"
# else
"Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
# endif
{ "legacy", OPT_LEGACY_ALG, '-',
#ifdef OPENSSL_NO_RC2
"Use legacy encryption algorithm 3DES_CBC for keys and certs"
#else
"Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
#endif
},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
OPT_R_OPTIONS,
OPT_SECTION("PKCS#12 import (parsing PKCS#12)"),
{"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
{"nomacver", OPT_NOMACVER, '-', "Don't verify integrity MAC"},
{"clcerts", OPT_CLCERTS, '-', "Only output client certificates"},
{"cacerts", OPT_CACERTS, '-', "Only output CA certificates"},
{"", OPT_CIPHER, '-', "Any supported cipher for output encryption"},
{"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{ "info", OPT_INFO, '-', "Print info about PKCS#12 structure" },
{ "nomacver", OPT_NOMACVER, '-', "Don't verify integrity MAC" },
{ "clcerts", OPT_CLCERTS, '-', "Only output client certificates" },
{ "cacerts", OPT_CACERTS, '-', "Only output CA certificates" },
{ "", OPT_CIPHER, '-', "Any supported cipher for output encryption" },
{ "noenc", OPT_NOENC, '-', "Don't encrypt private keys" },
{ "nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated" },
OPT_SECTION("PKCS#12 output (export)"),
{"export", OPT_EXPORT, '-', "Create PKCS12 file"},
{"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
{"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
{"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
{"chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert,"},
{OPT_MORE_STR, 0, 0,
"which is the 1st cert from -in matching the private key (if given)"},
{"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
{"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{"name", OPT_NAME, 's', "Use name as friendly name"},
{"caname", OPT_CANAME, 's',
"Use name as CA friendly name (can be repeated)"},
{"CSP", OPT_CSP, 's', "Microsoft CSP name"},
{"LMK", OPT_LMK, '-',
"Add local machine keyset attribute to private key"},
{"keyex", OPT_KEYEX, '-', "Set key type to MS key exchange"},
{"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"},
{"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"},
{"certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"},
{ "export", OPT_EXPORT, '-', "Create PKCS12 file" },
{ "inkey", OPT_INKEY, 's', "Private key, else read from -in input file" },
{ "certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output" },
{ "passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source" },
{ "chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert," },
{ OPT_MORE_STR, 0, 0,
"which is the 1st cert from -in matching the private key (if given)" },
{ "untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building" },
{ "CAfile", OPT_CAFILE, '<', "PEM-format file of CA's" },
{ "CApath", OPT_CAPATH, '/', "PEM-format directory of CA's" },
{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
{ "name", OPT_NAME, 's', "Use name as friendly name" },
{ "caname", OPT_CANAME, 's',
"Use name as CA friendly name (can be repeated)" },
{ "CSP", OPT_CSP, 's', "Microsoft CSP name" },
{ "LMK", OPT_LMK, '-',
"Add local machine keyset attribute to private key" },
{ "keyex", OPT_KEYEX, '-', "Set key type to MS key exchange" },
{ "keysig", OPT_KEYSIG, '-', "Set key type to MS key signature" },
{ "keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)" },
{ "certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)" },
#ifndef OPENSSL_NO_DES
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"},
{ "descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)" },
#endif
{"macalg", OPT_MACALG, 's',
"Digest algorithm to use in MAC (default SHA256)"},
{"pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC"},
{"pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)"},
{"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"},
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)"},
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
{"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"},
{NULL}
{ "macalg", OPT_MACALG, 's',
"Digest algorithm to use in MAC (default SHA256)" },
{ "pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC" },
{ "pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)" },
{ "iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC" },
{ "noiter", OPT_NOITER, '-', "Don't use encryption iteration" },
{ "nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)" },
{ "maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility" },
{ "macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC" },
{ "nomac", OPT_NOMAC, '-', "Don't generate MAC" },
{ "jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility" },
{ NULL }
};
int pkcs12_main(int argc, char **argv)
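Review bot: the help text for -nomaciter, "Don't use MAC iteration)", carries a stray closing parenthesis over into the reformatted table entry. Since the line is rewritten anyway, drop the ")" so the -help output reads cleanly.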
@@ -197,7 +237,7 @@ int pkcs12_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -399,7 +439,7 @@ int pkcs12_main(int argc, char **argv)
WARN_EXPORT("cacerts");
if (enc != default_enc)
BIO_printf(bio_err,
"Warning: output encryption option -%s ignored with -export\n", enc_name);
"Warning: output encryption option -%s ignored with -export\n", enc_name);
} else {
if (keyname != NULL)
WARN_NO_EXPORT("inkey");
@@ -462,11 +502,11 @@ int pkcs12_main(int argc, char **argv)
}
if (cert_pbe == NID_undef) {
/* Adapt default algorithm */
# ifndef OPENSSL_NO_RC2
#ifndef OPENSSL_NO_RC2
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
# else
#else
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
#endif
}
if (key_pbe == NID_undef)
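Review bot: the comment "Adapt default algorithm" above the `#ifndef OPENSSL_NO_RC2` block does not say under what condition `cert_pbe` is still `NID_undef` at this point, or why the fallback is `NID_pbe_WithSHA1And40BitRC2_CBC` (or 3DES without RC2). The -certpbe help text advertises PBES2 with PBKDF2 and AES-256 CBC as the default, so a sentence naming the mode that selects this weaker default would save the next reader from guessing.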
@@ -524,7 +564,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(
macpass, sizeof(macpass), "Enter MAC Password:", export_pkcs12)) {
macpass, sizeof(macpass), "Enter MAC Password:", export_pkcs12)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
@@ -557,10 +597,8 @@ int pkcs12_main(int argc, char **argv)
if (!(options & NOKEYS)) {
key = load_key(keyname ? keyname : infile,
FORMAT_PEM, 1, passin, e,
keyname ?
"private key from -inkey file" :
"private key from -in file");
FORMAT_PEM, 1, passin, e,
keyname ? "private key from -inkey file" : "private key from -in file");
if (key == NULL)
goto export_end;
}
@@ -568,7 +606,7 @@ int pkcs12_main(int argc, char **argv)
/* Load all certs in input file */
if (!(options & NOCERTS)) {
if (!load_certs(infile, 1, &certs, passin,
"certificates from -in file"))
"certificates from -in file"))
goto export_end;
if (sk_X509_num(certs) < 1) {
BIO_printf(bio_err, "No certificate in -in file %s\n", infile);
@@ -591,8 +629,8 @@ int pkcs12_main(int argc, char **argv)
}
if (ee_cert == NULL) {
BIO_printf(bio_err,
"No cert in -in file '%s' matches private key\n",
infile);
"No cert in -in file '%s' matches private key\n",
infile);
goto export_end;
}
}
@@ -601,7 +639,7 @@ int pkcs12_main(int argc, char **argv)
/* Load any untrusted certificates for chain building */
if (untrusted != NULL) {
if (!load_certs(untrusted, 0, &untrusted_certs, passcerts,
"untrusted certificates"))
"untrusted certificates"))
goto export_end;
}
@@ -618,13 +656,13 @@ int pkcs12_main(int argc, char **argv)
if (ee_cert_tmp == NULL) {
BIO_printf(bio_err,
"No end entity certificate to check with -chain\n");
"No end entity certificate to check with -chain\n");
goto export_end;
}
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore))
== NULL)
CAstore, noCAstore))
== NULL)
goto export_end;
vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
@@ -635,15 +673,14 @@ int pkcs12_main(int argc, char **argv)
/* Remove from chain2 the first (end entity) certificate */
X509_free(sk_X509_shift(chain2));
/* Add the remaining certs (except for duplicates) */
add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF
| X509_ADD_FLAG_NO_DUP);
add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP);
OSSL_STACK_OF_X509_free(chain2);
if (!add_certs)
goto export_end;
} else {
if (vret != X509_V_ERR_UNSPECIFIED)
BIO_printf(bio_err, "Error getting chain: %s\n",
X509_verify_cert_error_string(vret));
X509_verify_cert_error_string(vret));
goto export_end;
}
}
@@ -651,7 +688,7 @@ int pkcs12_main(int argc, char **argv)
/* Add any extra certificates asked for */
if (certfile != NULL) {
if (!load_certs(certfile, 0, &certs, passcerts,
"extra certificates from -certfile"))
"extra certificates from -certfile"))
goto export_end;
}
@@ -663,8 +700,8 @@ int pkcs12_main(int argc, char **argv)
if (csp_name != NULL && key != NULL)
EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
MBSTRING_ASC, (unsigned char *)csp_name,
-1);
MBSTRING_ASC, (unsigned char *)csp_name,
-1);
if (add_lmk && key != NULL)
EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
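Review bot: both `EVP_PKEY_add1_attr_by_NID()` calls here (for `NID_ms_csp_name` and `NID_LocalKeySet`) discard their return value, so a failure to attach the attribute is silent and the export continues as if -CSP or -LMK had been honoured. Checking the result and taking `goto export_end` with a message on failure would match how the other steps in this function are handled.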
@@ -674,7 +711,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(pass, sizeof(pass),
"Enter Export Password:", 1)) {
"Enter Export Password:", 1)) {
BIO_printf(bio_err, "Can't read Password\n");
goto export_end;
}
@@ -693,13 +730,13 @@ int pkcs12_main(int argc, char **argv)
}
p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs,
key_pbe, cert_pbe, iter, -1, keytype,
app_get0_libctx(), app_get0_propq(),
jdk_trust, (void*)obj);
key_pbe, cert_pbe, iter, -1, keytype,
app_get0_libctx(), app_get0_propq(),
jdk_trust, (void *)obj);
if (p12 == NULL) {
BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n",
outfile);
outfile);
goto export_end;
}
@@ -711,8 +748,8 @@ int pkcs12_main(int argc, char **argv)
if (maciter != -1) {
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
macmd, pbmac1_pbkdf2_md)) {
macsaltlen, maciter,
macmd, pbmac1_pbkdf2_md)) {
BIO_printf(bio_err, "Error creating PBMAC1\n");
goto export_end;
}
@@ -720,7 +757,7 @@ int pkcs12_main(int argc, char **argv)
if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) {
BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
BIO_printf(bio_err,
"Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n");
"Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n");
goto export_end;
}
}
@@ -735,7 +772,7 @@ int pkcs12_main(int argc, char **argv)
ret = 0;
export_end:
export_end:
EVP_PKEY_free(key);
EVP_MD_free(macmd);
@@ -745,7 +782,6 @@ int pkcs12_main(int argc, char **argv)
ASN1_OBJECT_free(obj);
ERR_print_errors(bio_err);
goto end;
}
in = bio_open_default(infile, 'r', FORMAT_PKCS12);
@@ -766,7 +802,7 @@ int pkcs12_main(int argc, char **argv)
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:",
0)) {
0)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
@@ -803,10 +839,10 @@ int pkcs12_main(int argc, char **argv)
int prfnid;
BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n",
ASN1_INTEGER_get(pbkdf2_param->iter));
ASN1_INTEGER_get(pbkdf2_param->iter));
BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n",
ASN1_INTEGER_get(pbkdf2_param->keylength),
ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
ASN1_INTEGER_get(pbkdf2_param->keylength),
ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
if (pbkdf2_param->prf == NULL) {
prfnid = NID_hmacWithSHA1;
} else {
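Review bot: the salt length argument reads `pbkdf2_param->salt->value.octet_string`, and nothing in the visible context checks that `salt` is non-NULL and actually holds an OCTET STRING. These fields are decoded from the input file, so please confirm the type is verified before this print, or add a guard here and report the parameters as unsupported instead of dereferencing.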
@@ -818,10 +854,10 @@ int pkcs12_main(int argc, char **argv)
PBKDF2PARAM_free(pbkdf2_param);
} else {
BIO_printf(bio_err, ", Iteration %ld\n",
tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n",
tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
}
}
@@ -842,7 +878,7 @@ int pkcs12_main(int argc, char **argv)
EVP_KDF *pkcs12kdf;
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
app_get0_propq());
app_get0_propq());
if (pkcs12kdf == NULL) {
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
@@ -876,6 +912,12 @@ int pkcs12_main(int argc, char **argv)
if (utmp == NULL)
goto end;
badpass = OPENSSL_uni2utf8(utmp, utmplen);
if (badpass == NULL) {
BIO_printf(bio_err, "Verbatim password did not match, and fallback conversion to UTF-8 failed\n"
"The password entered or the input encoding may be wrong\n");
OPENSSL_free(utmp);
goto end;
}
OPENSSL_free(utmp);
if (!PKCS12_verify_mac(p12, badpass, -1)) {
BIO_printf(bio_err, "Mac verify error: invalid password?\n");
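Review bot: in the new `badpass == NULL` branch, `OPENSSL_free(utmp)` now appears twice, once inside the branch and once immediately after it. Freeing `utmp` right after the `OPENSSL_uni2utf8()` call and then testing `badpass` would leave a single free and make a later leak or double free less likely. The check itself is needed: before it, a NULL `badpass` went straight into `PKCS12_verify_mac(p12, badpass, -1)`.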
@@ -889,7 +931,7 @@ int pkcs12_main(int argc, char **argv)
}
}
dump:
dump:
assert(private);
out = bio_open_owner(outfile, FORMAT_PEM, private);
@@ -902,7 +944,7 @@ int pkcs12_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
PKCS12_free(p12);
release_engine(e);
BIO_free(in);
@@ -925,10 +967,10 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg)
return 1;
/* Get the current attrs */
attrs = (STACK_OF(X509_ATTRIBUTE)*)PKCS12_SAFEBAG_get0_attrs(bag);
attrs = (STACK_OF(X509_ATTRIBUTE) *)PKCS12_SAFEBAG_get0_attrs(bag);
/* Create a new attr for the JDK Trusted Usage and add it */
attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT*)cbarg);
attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT *)cbarg);
/* Add the new attr, if attrs is NULL, it'll be initialised */
X509at_add1_attr(&attrs, attr);
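Review bot: in `jdk_trust()`, the result of `X509_ATTRIBUTE_create()` is passed to `X509at_add1_attr(&attrs, attr)` with no NULL check visible, and the return value of `X509at_add1_attr()` is ignored. If either step fails, the bag is written without the JDK trusted usage attribute and the caller is not told. Checking both and returning 0 on failure would let the callback report the error.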
@@ -941,8 +983,8 @@ static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg)
}
int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
{
STACK_OF(PKCS7) *asafes = NULL;
int i, bagnid;
@@ -976,7 +1018,7 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
if (bags == NULL)
goto err;
if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
options, pempass, enc)) {
options, pempass, enc)) {
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
goto err;
}
@@ -984,28 +1026,28 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
}
ret = 1;
err:
err:
sk_PKCS7_pop_free(asafes, PKCS7_free);
return ret;
}
int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
if (!dump_certs_pkeys_bag(out,
sk_PKCS12_SAFEBAG_value(bags, i),
pass, passlen, options, pempass, enc))
sk_PKCS12_SAFEBAG_value(bags, i),
pass, passlen, options, pempass, enc))
return 0;
}
return 1;
}
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
const char *pass, int passlen, int options,
char *pempass, const EVP_CIPHER *enc)
{
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
@@ -1091,7 +1133,7 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
BIO_printf(bio_err, "Safe Contents bag\n");
print_attribs(out, attrs, "Bag Attributes");
return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag),
pass, passlen, options, pempass, enc);
pass, passlen, options, pempass, enc);
default:
BIO_printf(bio_err, "Warning unsupported bag type: ");
@@ -1105,8 +1147,8 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
/* Given a single certificate return a verified chain or NULL if error */
static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain)
STACK_OF(X509) *untrusted_certs,
STACK_OF(X509) **chain)
{
X509_STORE_CTX *store_ctx = NULL;
STACK_OF(X509) *chn = NULL;
@@ -1114,15 +1156,14 @@ static int get_cert_chain(X509 *cert, X509_STORE *store,
store_ctx = X509_STORE_CTX_new_ex(app_get0_libctx(), app_get0_propq());
if (store_ctx == NULL) {
i = X509_V_ERR_UNSPECIFIED;
i = X509_V_ERR_UNSPECIFIED;
goto end;
}
if (!X509_STORE_CTX_init(store_ctx, store, cert, untrusted_certs)) {
i = X509_V_ERR_UNSPECIFIED;
i = X509_V_ERR_UNSPECIFIED;
goto end;
}
if (X509_verify_cert(store_ctx) > 0)
chn = X509_STORE_CTX_get1_chain(store_ctx);
else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0)
@@ -1165,7 +1206,7 @@ static int alg_print(const X509_ALGOR *alg)
X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
encnid = OBJ_obj2nid(aoid);
BIO_printf(bio_err, ", %s, %s", OBJ_nid2ln(pbenid),
OBJ_nid2sn(encnid));
OBJ_nid2sn(encnid));
/* If KDF is PBKDF2 decode parameters */
if (pbenid == NID_id_pbkdf2) {
PBKDF2PARAM *kdf = NULL;
@@ -1184,7 +1225,7 @@ static int alg_print(const X509_ALGOR *alg)
prfnid = OBJ_obj2nid(aoid);
}
BIO_printf(bio_err, ", Iteration %ld, PRF %s",
ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
PBKDF2PARAM_free(kdf);
#ifndef OPENSSL_NO_SCRYPT
} else if (pbenid == NID_id_scrypt) {
@@ -1197,11 +1238,11 @@ static int alg_print(const X509_ALGOR *alg)
goto done;
}
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
"Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
ASN1_INTEGER_get(kdf->parallelizationParameter));
"Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
ASN1_INTEGER_get(kdf->parallelizationParameter));
SCRYPT_PARAMS_free(kdf);
#endif
}
@@ -1216,7 +1257,7 @@ static int alg_print(const X509_ALGOR *alg)
BIO_printf(bio_err, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
PBEPARAM_free(pbe);
}
done:
done:
BIO_puts(bio_err, "\n");
return 1;
}
@@ -1249,25 +1290,25 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;
case V_ASN1_UTF8STRING:
BIO_printf(out, "%.*s\n", av->value.utf8string->length,
av->value.utf8string->data);
av->value.utf8string->data);
break;
case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
av->value.octet_string->length);
BIO_printf(out, "\n");
break;
case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
av->value.bit_string->length);
BIO_printf(out, "\n");
break;
@@ -1289,7 +1330,7 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
/* Generalised attribute print: handle PKCS#8 and bag attributes */
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name)
const char *name)
{
X509_ATTRIBUTE *attr;
ASN1_TYPE *av;
+27 -19
View File
@@ -22,35 +22,43 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_QUIET,
OPT_ENGINE, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_NOOUT,
OPT_TEXT,
OPT_PRINT,
OPT_PRINT_CERTS,
OPT_QUIET,
OPT_ENGINE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs7_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format - DER or PEM" },
OPT_SECTION("Output"),
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't output encoded data"},
{"text", OPT_TEXT, '-', "Print full details of certificates"},
{"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"},
{"print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input"},
{"quiet", OPT_QUIET, '-',
"When used with -print_certs, it produces a cleaner output"},
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "out", OPT_OUT, '>', "Output file" },
{ "noout", OPT_NOOUT, '-', "Don't output encoded data" },
{ "text", OPT_TEXT, '-', "Print full details of certificates" },
{ "print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure" },
{ "print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input" },
{ "quiet", OPT_QUIET, '-',
"When used with -print_certs, it produces a cleaner output" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkcs7_main(int argc, char **argv)
@@ -69,7 +77,7 @@ int pkcs7_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -215,7 +223,7 @@ int pkcs7_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
PKCS7_free(p7);
release_engine(e);
BIO_free(in);
+53 -39
View File
@@ -22,54 +22,69 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT,
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_TOPK8,
OPT_NOITER,
OPT_NOCRYPT,
#ifndef OPENSSL_NO_SCRYPT
OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
OPT_SCRYPT,
OPT_SCRYPT_N,
OPT_SCRYPT_R,
OPT_SCRYPT_P,
#endif
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
OPT_V2,
OPT_V1,
OPT_V2PRF,
OPT_ITER,
OPT_PASSIN,
OPT_PASSOUT,
OPT_TRADITIONAL,
OPT_SALTLEN,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs8_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
{"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
{"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"},
{ "v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher" },
{ "v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher" },
{ "v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'F', "Input format (DER or PEM)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
{"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"},
{"iter", OPT_ITER, 'p', "Specify the iteration count"},
{"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
{"saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)"},
{OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)" },
{ "topk8", OPT_TOPK8, '-', "Output PKCS8 file" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "traditional", OPT_TRADITIONAL, '-', "use traditional format private key" },
{ "iter", OPT_ITER, 'p', "Specify the iteration count" },
{ "noiter", OPT_NOITER, '-', "Use 1 as iteration count" },
{ "saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)" },
{ OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)" },
#ifndef OPENSSL_NO_SCRYPT
OPT_SECTION("Scrypt"),
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
{ "scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm" },
{ "scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter" },
{ "scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter" },
{ "scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter" },
#endif
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkcs8_main(int argc, char **argv)
@@ -100,7 +115,7 @@ int pkcs8_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -148,7 +163,7 @@ int pkcs8_main(int argc, char **argv)
pbe_nid = OBJ_txt2nid(opt_arg());
if (pbe_nid == NID_undef) {
BIO_printf(bio_err,
"%s: Unknown PBE algorithm %s\n", prog, opt_arg());
"%s: Unknown PBE algorithm %s\n", prog, opt_arg());
goto opthelp;
}
break;
@@ -156,14 +171,14 @@ int pkcs8_main(int argc, char **argv)
pbe_nid = OBJ_txt2nid(opt_arg());
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
BIO_printf(bio_err,
"%s: Unknown PRF algorithm %s\n", prog, opt_arg());
"%s: Unknown PRF algorithm %s\n", prog, opt_arg());
goto opthelp;
}
if (cipher == NULL)
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
break;
case OPT_ITER:
iter = opt_int_arg();
iter = opt_int_arg();
break;
case OPT_PASSIN:
passinarg = opt_arg();
@@ -224,7 +239,7 @@ int pkcs8_main(int argc, char **argv)
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
in = bio_open_default(infile, 'r',
informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
if (in == NULL)
goto end;
@@ -255,11 +270,11 @@ int pkcs8_main(int argc, char **argv)
#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, saltlen, NULL,
scrypt_N, scrypt_r, scrypt_p);
scrypt_N, scrypt_r, scrypt_p);
else
#endif
pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, saltlen, NULL,
pbe_nid);
pbe_nid);
} else {
pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, saltlen);
}
@@ -274,8 +289,7 @@ int pkcs8_main(int argc, char **argv)
/* To avoid bit rot */
#ifndef OPENSSL_NO_UI_CONSOLE
p8pass = pass;
if (EVP_read_pw_string
(pass, sizeof(pass), "Enter Encryption Password:", 1)) {
if (EVP_read_pw_string(pass, sizeof(pass), "Enter Encryption Password:", 1)) {
X509_ALGOR_free(pbe);
goto end;
}
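Review bot: when `EVP_read_pw_string()` fails here, the code frees `pbe` and jumps to `end` without printing anything, so the user only sees a non-zero exit. The equivalent paths in pkcs12 print "Can't read Password\n" to `bio_err`; doing the same here would keep the two tools consistent.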
@@ -366,7 +380,7 @@ int pkcs8_main(int argc, char **argv)
if (outformat == FORMAT_PEM) {
if (traditional)
PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0,
NULL, passout);
NULL, passout);
else
PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
} else if (outformat == FORMAT_ASN1) {
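Review bot: the PEM output branch discards the return values of `PEM_write_bio_PrivateKey_traditional()` and `PEM_write_bio_PrivateKey()`, so a failed write of the private key is not reported by this code. The same calls in pkey are wrapped in `if (!...) goto end;`, and the same pattern here would stop a failed or truncated key file from being reported as success.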
@@ -377,7 +391,7 @@ int pkcs8_main(int argc, char **argv)
}
ret = 0;
end:
end:
X509_SIG_free(p8);
PKCS8_PRIV_KEY_INFO_free(p8inf);
EVP_PKEY_free(pkey);
+57 -43
View File
@@ -19,50 +19,64 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM,
OPT_INFORM,
OPT_OUTFORM,
OPT_PASSIN,
OPT_PASSOUT,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_TEXT_PUB,
OPT_TEXT,
OPT_NOOUT,
OPT_CIPHER,
OPT_TRADITIONAL,
OPT_CHECK,
OPT_PUB_CHECK,
OPT_EC_PARAM_ENC,
OPT_EC_CONV_FORM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_PROV_OPTIONS,
{"check", OPT_CHECK, '-', "Check key consistency"},
{"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
{ "check", OPT_CHECK, '-', "Check key consistency" },
{ "pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency" },
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
{"inform", OPT_INFORM, 'f',
"Key input format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Key input pass phrase source"},
{"pubin", OPT_PUBIN, '-',
"Read only public components from key input"},
{ "in", OPT_IN, 's', "Input key" },
{ "inform", OPT_INFORM, 'f',
"Key input format (ENGINE, other values ignored)" },
{ "passin", OPT_PASSIN, 's', "Key input pass phrase source" },
{ "pubin", OPT_PUBIN, '-',
"Read only public components from key input" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file for encoded and/or text output"},
{"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"},
{"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"},
{"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private key PEM output"},
{"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"},
{"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"},
{"text", OPT_TEXT, '-', "Output key components in plaintext"},
{"text_pub", OPT_TEXT_PUB, '-',
"Output only public key components in text form"},
{"ec_conv_form", OPT_EC_CONV_FORM, 's',
"Specifies the EC point conversion form in the encoding"},
{"ec_param_enc", OPT_EC_PARAM_ENC, 's',
"Specifies the way the EC parameters are encoded"},
{ "out", OPT_OUT, '>', "Output file for encoded and/or text output" },
{ "outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)" },
{ "", OPT_CIPHER, '-', "Any supported cipher to be used for encryption" },
{ "passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private key PEM output" },
{ "pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components" },
{ "noout", OPT_NOOUT, '-', "Do not output the key in encoded form" },
{ "text", OPT_TEXT, '-', "Output key components in plaintext" },
{ "text_pub", OPT_TEXT_PUB, '-',
"Output only public key components in text form" },
{ "ec_conv_form", OPT_EC_CONV_FORM, 's',
"Specifies the EC point conversion form in the encoding" },
{ "ec_param_enc", OPT_EC_PARAM_ENC, 's',
"Specifies the way the EC parameters are encoded" },
{NULL}
{ NULL }
};
int pkey_main(int argc, char **argv)
@@ -89,7 +103,7 @@ int pkey_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -177,10 +191,10 @@ int pkey_main(int argc, char **argv)
if (text && text_pub)
BIO_printf(bio_err,
"Warning: The -text option is ignored with -text_pub\n");
"Warning: The -text option is ignored with -text_pub\n");
if (traditional && (noout || outformat != FORMAT_PEM))
BIO_printf(bio_err,
"Warning: The -traditional is ignored since there is no PEM output\n");
"Warning: The -traditional is ignored since there is no PEM output\n");
/* -pubout and -text is the same as -text_pub */
if (!text_pub && pubout && text) {
@@ -195,11 +209,11 @@ int pkey_main(int argc, char **argv)
if (cipher == NULL) {
if (passoutarg != NULL)
BIO_printf(bio_err,
"Warning: The -passout option is ignored without a cipher option\n");
"Warning: The -passout option is ignored without a cipher option\n");
} else {
if (noout || outformat != FORMAT_PEM) {
BIO_printf(bio_err,
"Error: Cipher options are supported only for PEM output\n");
"Error: Cipher options are supported only for PEM output\n");
goto end;
}
}
@@ -228,11 +242,11 @@ int pkey_main(int argc, char **argv)
if (asn1_encoding != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
asn1_encoding, 0);
asn1_encoding, 0);
if (point_format != NULL)
*p++ = OSSL_PARAM_construct_utf8_string(
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
point_format, 0);
*p = OSSL_PARAM_construct_end();
if (EVP_PKEY_set_params(pkey, params) <= 0)
goto end;
@@ -275,19 +289,19 @@ int pkey_main(int argc, char **argv)
assert(private);
if (traditional) {
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, cipher,
NULL, 0, NULL,
passout))
NULL, 0, NULL,
passout))
goto end;
} else {
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout))
NULL, 0, NULL, passout))
goto end;
}
}
} else if (outformat == FORMAT_ASN1) {
if (text || text_pub) {
BIO_printf(bio_err,
"Error: Text output cannot be combined with DER output\n");
"Error: Text output cannot be combined with DER output\n");
goto end;
}
if (pubout) {
@@ -315,7 +329,7 @@ int pkey_main(int argc, char **argv)
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(ctx);
+18 -14
View File
@@ -18,29 +18,33 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT,
OPT_ENGINE, OPT_CHECK,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_NOOUT,
OPT_ENGINE,
OPT_CHECK,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkeyparam_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"check", OPT_CHECK, '-', "Check key param consistency"},
{ "check", OPT_CHECK, '-', "Check key param consistency" },
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{ "in", OPT_IN, '<', "Input file" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"text", OPT_TEXT, '-', "Print parameters as text"},
{"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
{ "out", OPT_OUT, '>', "Output file" },
{ "text", OPT_TEXT, '-', "Print parameters as text" },
{ "noout", OPT_NOOUT, '-', "Don't output encoded parameters" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkeyparam_main(int argc, char **argv)
@@ -58,7 +62,7 @@ int pkeyparam_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -98,7 +102,7 @@ int pkeyparam_main(int argc, char **argv)
if (in == NULL)
goto end;
pkey = PEM_read_bio_Parameters_ex(in, NULL, app_get0_libctx(),
app_get0_propq());
app_get0_propq());
if (pkey == NULL) {
BIO_printf(bio_err, "Error reading parameters\n");
ERR_print_errors(bio_err);
@@ -111,7 +115,7 @@ int pkeyparam_main(int argc, char **argv)
if (check) {
if (e == NULL)
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey,
app_get0_propq());
app_get0_propq());
else
ctx = EVP_PKEY_CTX_new(pkey, e);
if (ctx == NULL) {
@@ -142,7 +146,7 @@ int pkeyparam_main(int argc, char **argv)
ret = EXIT_SUCCESS;
end:
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
release_engine(e);
+138 -119
View File
@@ -1,5 +1,5 @@
/*
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,33 +15,33 @@
#include <openssl/evp.h>
#include <sys/stat.h>
#define KEY_NONE 0
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
#define KEY_NONE 0
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
static EVP_PKEY *get_pkey(const char *kdfalg,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e);
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e);
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY *pkey /* ownership is passed to ctx */,
EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq);
int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY *pkey /* ownership is passed to ctx */,
EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e);
ENGINE *e);
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *psecretlen);
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *psecretlen);
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen);
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen);
static int only_nomd(EVP_PKEY *pkey)
{
@@ -56,70 +56,95 @@ static int only_nomd(EVP_PKEY *pkey)
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
OPT_ENGINE,
OPT_ENGINE_IMPL,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_CERTIN,
OPT_ASN1PARSE,
OPT_HEXDUMP,
OPT_SIGN,
OPT_VERIFY,
OPT_VERIFYRECOVER,
OPT_REV,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_DERIVE,
OPT_SIGFILE,
OPT_INKEY,
OPT_PEERKEY,
OPT_PASSIN,
OPT_PEERFORM,
OPT_KEYFORM,
OPT_PKEYOPT,
OPT_PKEYOPT_PASSIN,
OPT_KDF,
OPT_KDFLEN,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_DECAP,
OPT_ENCAP,
OPT_SECOUT,
OPT_KEMOP,
OPT_CONFIG,
OPT_RAWIN, OPT_DIGEST
OPT_RAWIN,
OPT_DIGEST
} OPTION_CHOICE;
const OPTIONS pkeyutl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for crypto operations"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
{ "engine_impl", OPT_ENGINE_IMPL, '-',
"Also use engine given by -engine for crypto operations" },
#endif
{"sign", OPT_SIGN, '-', "Sign input data with private key"},
{"verify", OPT_VERIFY, '-', "Verify with public key"},
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys"},
{"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
{"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
{ "sign", OPT_SIGN, '-', "Sign input data with private key" },
{ "verify", OPT_VERIFY, '-', "Verify with public key" },
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key" },
{ "derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys" },
{ "decap", OPT_DECAP, '-', "Decapsulate shared secret" },
{ "encap", OPT_ENCAP, '-', "Encapsulate shared secret" },
OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file - default stdin"},
{"inkey", OPT_INKEY, 's', "Input key, by default private key"},
{"pubin", OPT_PUBIN, '-', "Input key is a public key"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
{"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"},
{"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
{"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{ "in", OPT_IN, '<', "Input file - default stdin" },
{ "inkey", OPT_INKEY, 's', "Input key, by default private key" },
{ "pubin", OPT_PUBIN, '-', "Input key is a public key" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation" },
{ "peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)" },
{ "certin", OPT_CERTIN, '-', "Input is a cert with a public key" },
{ "rev", OPT_REV, '-', "Reverse the order of the input buffer" },
{ "sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)" },
{ "keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
{"asn1parse", OPT_ASN1PARSE, '-',
"parse the output as ASN.1 data to check its DER encoding and print errors"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{"verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify RSA signature, recovering original signature input data"},
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "secret", OPT_SECOUT, '>', "File to store secret on encapsulation" },
{ "asn1parse", OPT_ASN1PARSE, '-',
"parse the output as ASN.1 data to check its DER encoding and print errors" },
{ "hexdump", OPT_HEXDUMP, '-', "Hex dump output" },
{ "verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify RSA signature, recovering original signature input data" },
OPT_SECTION("Signing/Derivation/Encapsulation"),
{"rawin", OPT_RAWIN, '-',
"Indicate that the signature/verification input data is not yet hashed"},
{"digest", OPT_DIGEST, 's',
"The digest algorithm to use for signing/verifying raw input data. Implies -rawin"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
"Public key option that is read as a passphrase argument opt:passphrase"},
{"kdf", OPT_KDF, 's', "Use KDF algorithm"},
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
{"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
{ "rawin", OPT_RAWIN, '-',
"Indicate that the signature/verification input data is not yet hashed" },
{ "digest", OPT_DIGEST, 's',
"The digest algorithm to use for signing/verifying raw input data. Implies -rawin" },
{ "pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value" },
{ "pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
"Public key option that is read as a passphrase argument opt:passphrase" },
{ "kdf", OPT_KDF, 's', "Use KDF algorithm" },
{ "kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length" },
{ "kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int pkeyutl_main(int argc, char **argv)
@@ -156,7 +181,7 @@ int pkeyutl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -263,17 +288,13 @@ int pkeyutl_main(int argc, char **argv)
rev = 1;
break;
case OPT_PKEYOPT:
if ((pkeyopts == NULL &&
(pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
if ((pkeyopts == NULL && (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
BIO_puts(bio_err, "out of memory\n");
goto end;
}
break;
case OPT_PKEYOPT_PASSIN:
if ((pkeyopts_passin == NULL &&
(pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
if ((pkeyopts_passin == NULL && (pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
BIO_puts(bio_err, "out of memory\n");
goto end;
}
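Review bot: in the OPT_PKEYOPT and OPT_PKEYOPT_PASSIN cases the reformatted `if` condition is now one line far past 80 columns, chaining the lazy `sk_OPENSSL_STRING_new_null()` allocation and the `sk_OPENSSL_STRING_push()` with `||`. Splitting it into two checks (allocate the stack if it is NULL, then push) would read more easily and keep each failure visible; both can still share the "out of memory" exit.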
@@ -300,20 +321,20 @@ int pkeyutl_main(int argc, char **argv)
if (kdfalg != NULL) {
if (kdflen == 0) {
BIO_printf(bio_err,
"%s: no KDF length given (-kdflen parameter).\n", prog);
"%s: no KDF length given (-kdflen parameter).\n", prog);
goto opthelp;
}
} else if (inkey == NULL) {
BIO_printf(bio_err,
"%s: no private key given (-inkey parameter).\n", prog);
"%s: no private key given (-inkey parameter).\n", prog);
goto opthelp;
} else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) {
BIO_printf(bio_err,
"%s: -peerkey option not allowed without -derive.\n", prog);
"%s: -peerkey option not allowed without -derive.\n", prog);
goto opthelp;
} else if (peerkey == NULL && pkey_op == EVP_PKEY_OP_DERIVE) {
BIO_printf(bio_err,
"%s: missing -peerkey option for -derive operation.\n", prog);
"%s: missing -peerkey option for -derive operation.\n", prog);
goto opthelp;
}
@@ -334,15 +355,15 @@ int pkeyutl_main(int argc, char **argv)
const char *alg = EVP_PKEY_get0_type_name(pkey);
BIO_printf(bio_err,
"%s: -digest (prehash) is not supported with %s\n",
prog, alg != NULL ? alg : "(unknown key type)");
"%s: -digest (prehash) is not supported with %s\n",
prog, alg != NULL ? alg : "(unknown key type)");
goto end;
}
rawin = 1;
}
} else if (digestname != NULL || rawin) {
BIO_printf(bio_err,
"%s: -digest and -rawin can only be used with -sign or -verify\n", prog);
"%s: -digest and -rawin can only be used with -sign or -verify\n", prog);
goto opthelp;
}
@@ -358,7 +379,7 @@ int pkeyutl_main(int argc, char **argv)
}
}
ctx = init_ctx(kdfalg, &keysize, pkey_op, e, engine_impl, rawin, pkey,
mctx, digestname, kemop, libctx, app_get0_propq());
mctx, digestname, kemop, libctx, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
goto end;
@@ -376,7 +397,7 @@ int pkeyutl_main(int argc, char **argv)
if (pkey_ctrl_string(ctx, opt) <= 0) {
BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
prog, opt);
prog, opt);
goto end;
}
}
@@ -397,7 +418,7 @@ int pkeyutl_main(int argc, char **argv)
BIO_snprintf(passwd_buf, sizeof(passwd_buf), "Enter %s: ", opt);
r = EVP_read_pw_string(passwd_buf, sizeof(passwd_buf) - 1,
passwd_buf, 0);
passwd_buf, 0);
if (r < 0) {
if (r == -2)
BIO_puts(bio_err, "user abort\n");
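Review bot: the `EVP_read_pw_string()` call in this hunk passes `passwd_buf` both as the destination buffer and as the prompt, right after `BIO_snprintf()` formatted "Enter %s: " into it. The prompt and the buffer that receives the passphrase alias each other, which only works as long as the prompt is fully consumed before anything is written back. A separate small prompt buffer would remove that dependency and make the call easier to audit.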
@@ -425,7 +446,7 @@ int pkeyutl_main(int argc, char **argv)
if (EVP_PKEY_CTX_ctrl_str(ctx, opt, passwd) <= 0) {
BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
prog, opt);
prog, opt);
OPENSSL_free(passwd);
goto end;
}
@@ -435,13 +456,13 @@ int pkeyutl_main(int argc, char **argv)
if (sigfile != NULL && (pkey_op != EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"%s: Signature file specified for non verify\n", prog);
"%s: Signature file specified for non verify\n", prog);
goto end;
}
if (sigfile == NULL && (pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"%s: No signature file specified for verify\n", prog);
"%s: No signature file specified for verify\n", prog);
goto end;
}
@@ -460,7 +481,8 @@ int pkeyutl_main(int argc, char **argv)
if (secoutfile != NULL) {
BIO_printf(bio_err, "%s: Decapsulation produces only a shared "
"secret and no output. The '-out' option "
"is not applicable.\n", prog);
"is not applicable.\n",
prog);
goto end;
}
if ((out = bio_open_owner(outfile, 'w', FORMAT_BINARY)) == NULL)
@@ -525,9 +547,9 @@ int pkeyutl_main(int argc, char **argv)
&& (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
if (buf_inlen > EVP_MAX_MD_SIZE) {
BIO_printf(bio_err,
"Error: The non-raw input data length %zd is too long - "
"max supported hashed size is %d\n",
buf_inlen, EVP_MAX_MD_SIZE);
"Error: The non-raw input data length %zd is too long - "
"max supported hashed size is %d\n",
buf_inlen, EVP_MAX_MD_SIZE);
goto end;
}
}
@@ -535,7 +557,7 @@ int pkeyutl_main(int argc, char **argv)
if (pkey_op == EVP_PKEY_OP_VERIFY) {
if (rawin) {
rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen,
NULL, 0);
NULL, 0);
} else {
rv = EVP_PKEY_verify(ctx, sig, siglen, buf_in, buf_inlen);
}
@@ -550,7 +572,7 @@ int pkeyutl_main(int argc, char **argv)
if (rawin) {
/* rawin allocates the buffer in do_raw_keyop() */
rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0,
&buf_out, (size_t *)&buf_outlen);
&buf_out, (size_t *)&buf_outlen);
} else {
if (kdflen != 0) {
buf_outlen = kdflen;
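Review bot: the rawin branch passes `(size_t *)&buf_outlen` to `do_raw_keyop()`, whose last parameter is `size_t *poutlen`. If `buf_outlen` is already a `size_t` the cast is noise and should go; if it is not, the cast hides a type mismatch and the callee writes a `size_t` through a pointer to a differently sized object. Either way the cast should be dropped and the variable's type made to match the prototype.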
@@ -560,8 +582,7 @@ int pkeyutl_main(int argc, char **argv)
buf_in, buf_inlen, NULL, &secretlen);
}
if (rv > 0
&& (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
&& pkey_op != EVP_PKEY_OP_DECAPSULATE))
&& (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE && pkey_op != EVP_PKEY_OP_DECAPSULATE))
&& (buf_outlen > 0 || pkey_op == EVP_PKEY_OP_DECAPSULATE)) {
if (buf_outlen > 0)
buf_out = app_malloc(buf_outlen, "buffer output");
@@ -594,7 +615,7 @@ int pkeyutl_main(int argc, char **argv)
if (secretlen > 0)
BIO_write(secout ? secout : out, secret, secretlen);
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
EVP_MD_CTX_free(mctx);
@@ -616,15 +637,15 @@ int pkeyutl_main(int argc, char **argv)
}
static EVP_PKEY *get_pkey(const char *kdfalg,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e)
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e)
{
EVP_PKEY *pkey = NULL;
char *passin = NULL;
X509 *x;
if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
|| (pkey_op == EVP_PKEY_OP_DERIVE))
|| (pkey_op == EVP_PKEY_OP_DERIVE))
&& (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
BIO_printf(bio_err, "A private key is needed for this operation\n");
return NULL;
@@ -652,18 +673,17 @@ static EVP_PKEY *get_pkey(const char *kdfalg,
case KEY_NONE:
break;
}
OPENSSL_free(passin);
return pkey;
}
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY *pkey /* ownership is passed to ctx */,
EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY *pkey /* ownership is passed to ctx */,
EVP_MD_CTX *mctx, const char *digestname,
const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY_CTX *ctx = NULL;
ENGINE *impl = NULL;
@@ -681,7 +701,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
kdfnid = OBJ_ln2nid(kdfalg);
if (kdfnid == NID_undef) {
BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
kdfalg);
kdfalg);
return NULL;
}
}
@@ -709,12 +729,12 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
switch (pkey_op) {
case EVP_PKEY_OP_SIGN:
rv = EVP_DigestSignInit_ex(mctx, NULL, digestname, libctx, propq,
pkey, NULL);
pkey, NULL);
break;
case EVP_PKEY_OP_VERIFY:
rv = EVP_DigestVerifyInit_ex(mctx, NULL, digestname, libctx, propq,
pkey, NULL);
pkey, NULL);
break;
}
@@ -767,7 +787,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
}
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e)
ENGINE *e)
{
EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
EVP_PKEY *peer = NULL;
@@ -783,8 +803,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
}
if (strcmp(EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey)) != 0) {
BIO_printf(bio_err,
"Type of peer public key: %s does not match type of private key: %s\n",
EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
"Type of peer public key: %s does not match type of private key: %s\n",
EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
ret = 0;
} else {
ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
@@ -795,9 +815,9 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
}
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *pseclen)
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen,
unsigned char *secret, size_t *pseclen)
{
int rv = 0;
@@ -829,7 +849,6 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
case EVP_PKEY_OP_DECAPSULATE:
rv = EVP_PKEY_decapsulate(ctx, secret, pseclen, in, inlen);
break;
}
return rv;
}
@@ -837,9 +856,9 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
#define TBUF_MAXSIZE 2048
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen)
EVP_PKEY *pkey, BIO *in,
int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen)
{
int rv = 0;
unsigned char tbuf[TBUF_MAXSIZE];
@@ -850,7 +869,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
if (only_nomd(pkey)) {
if (filesize < 0) {
BIO_printf(bio_err,
"Error: unable to determine file size for oneshot operation\n");
"Error: unable to determine file size for oneshot operation\n");
goto end;
}
mbuf = app_malloc(filesize, "oneshot sign/verify buffer");
@@ -920,7 +939,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
break;
}
end:
end:
OPENSSL_free(mbuf);
return rv;
}
+26 -19
View File
@@ -15,7 +15,11 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS,
OPT_HEX,
OPT_GENERATE,
OPT_BITS,
OPT_SAFE,
OPT_CHECKS,
OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -28,33 +32,36 @@ static int check_num(const char *s, const int is_hex)
*/
if (is_hex) {
for (i = 0; ('0' <= s[i] && s[i] <= '9')
|| ('A' <= s[i] && s[i] <= 'F')
|| ('a' <= s[i] && s[i] <= 'f'); i++);
|| ('A' <= s[i] && s[i] <= 'F')
|| ('a' <= s[i] && s[i] <= 'f');
i++)
;
} else {
for (i = 0; '0' <= s[i] && s[i] <= '9'; i++);
for (i = 0; '0' <= s[i] && s[i] <= '9'; i++)
;
}
return s[i] == 0;
}
const OPTIONS prime_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"bits", OPT_BITS, 'p', "Size of number in bits"},
{"checks", OPT_CHECKS, 'p', "Number of checks"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "bits", OPT_BITS, 'p', "Size of number in bits" },
{ "checks", OPT_CHECKS, 'p', "Number of checks" },
OPT_SECTION("Output"),
{"hex", OPT_HEX, '-', "Hex output"},
{"generate", OPT_GENERATE, '-', "Generate a prime"},
{"safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime"},
{ "hex", OPT_HEX, '-', "Hex output" },
{ "generate", OPT_GENERATE, '-', "Generate a prime" },
{ "safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"number", 0, 0, "Number(s) to check for primality if not generating"},
{NULL}
{ "number", 0, 0, "Number(s) to check for primality if not generating" },
{ NULL }
};
int prime_main(int argc, char **argv)
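Review bot: `check_num()` at the top of this hunk accepts the empty string. With `s[0] == 0` neither `for` loop advances `i`, so `return s[i] == 0;` is true and an empty argument is reported as a valid number. If that is not intended, require at least one digit, for example `return i > 0 && s[i] == 0;`. The empty loop bodies now sit on their own `;` line, which is a good place for a short comment saying the loop only scans.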
@@ -69,7 +76,7 @@ int prime_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -133,7 +140,7 @@ int prime_main(int argc, char **argv)
BIO_printf(bio_out, "%s\n", s);
OPENSSL_free(s);
} else {
for ( ; *argv; argv++) {
for (; *argv; argv++) {
int r = check_num(argv[0], hex);
if (r)
@@ -151,13 +158,13 @@ int prime_main(int argc, char **argv)
goto end;
}
BIO_printf(bio_out, " (%s) %s prime\n",
argv[0],
r == 1 ? "is" : "is not");
argv[0],
r == 1 ? "is" : "is not");
}
}
ret = 0;
end:
end:
BN_free(bn);
return ret;
}
+5 -2
View File
@@ -19,7 +19,10 @@ die "Unrecognised option, must be -C or -H\n"
unless ($opt eq '-H' || $opt eq '-C');
my %commands = ();
my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
# I think it is best reconsidered in favour of just a table
# of commands instead of this fragile regex. There really are not that
# many commands.
my $cmdre = qr/^\s*(int\s+|)\s*([a-z_][a-z0-9_]*)_main\s*\(\s*int\s+argc\s*,/;
my $apps_openssl = shift @ARGV;
my $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH} || time())]->[5] + 1900;
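Review bot: the new `$cmdre` makes the return type optional with a capturing group, `(int\s+|)`, which moves the command name from `$1` to `$2` and forces the change in the consumer further down. A non-capturing `(?:int\s+)?` expresses the same thing and leaves the name in `$1`. The added comment is written in the first person ("I think ..."); a neutral TODO that states the proposed table of commands would age better in the source.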
@@ -36,7 +39,7 @@ foreach my $filename (@openssl_source) {
open F, $filename or die "Couldn't open $filename: $!\n";
foreach ( grep /$cmdre/, <F> ) {
my @foo = /$cmdre/;
$commands{$1} = 1;
$commands{$2} = 1;
}
close F;
}
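Review bot: inside the `foreach`, `my @foo = /$cmdre/;` stores the captures in `@foo`, but the next line reads the global `$2` and `@foo` is never used. Use the list that was just captured (`$foo[1]`) or drop the assignment and match directly, so the index into the captures is stated in one place and a later change to the groups in `$cmdre` cannot silently pick the wrong one.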
+20 -16
View File
@@ -20,30 +20,34 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUT, OPT_ENGINE, OPT_BASE64, OPT_HEX,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_OUT,
OPT_ENGINE,
OPT_BASE64,
OPT_HEX,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rand_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] num[K|M|G|T]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] num[K|M|G|T]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"base64", OPT_BASE64, '-', "Base64 encode output"},
{"hex", OPT_HEX, '-', "Hex encode output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "base64", OPT_BASE64, '-', "Base64 encode output" },
{ "hex", OPT_HEX, '-', "Hex encode output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"num", 0, 0, "Number of bytes to generate"},
{NULL}
{ "num", 0, 0, "Number of bytes to generate" },
{ NULL }
};
int rand_main(int argc, char **argv)
@@ -63,7 +67,7 @@ int rand_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -124,7 +128,7 @@ int rand_main(int argc, char **argv)
*/
while (argv[0][factoridx]) {
if (!isdigit((int)(argv[0][factoridx]))) {
switch(argv[0][factoridx]) {
switch (argv[0][factoridx]) {
case 'K':
shift = 10;
break;
@@ -139,7 +143,7 @@ int rand_main(int argc, char **argv)
break;
default:
BIO_printf(bio_err, "Invalid size suffix %s\n",
&argv[0][factoridx]);
&argv[0][factoridx]);
goto opthelp;
}
break;
@@ -149,7 +153,7 @@ int rand_main(int argc, char **argv)
if (shift != 0 && strlen(&argv[0][factoridx]) != 1) {
BIO_printf(bio_err, "Invalid size suffix %s\n",
&argv[0][factoridx]);
&argv[0][factoridx]);
goto opthelp;
}
}
@@ -164,7 +168,7 @@ int rand_main(int argc, char **argv)
/* check for overflow */
if ((UINT64_MAX >> shift) < (size_t)num) {
BIO_printf(bio_err, "%lu bytes with suffix overflows\n",
num);
num);
goto opthelp;
}
scaled_num = num << shift;
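Review bot: the overflow check compares `(UINT64_MAX >> shift)` with `(size_t)num`, while `num` is printed with `%lu` and then shifted as `num << shift`. The guard is written for a 64-bit range but the cast and the shift use whatever widths `size_t` and `num` have. If either is narrower than 64 bits on a platform, a value can pass the check and still wrap in the shift. Using `uint64_t` in both places, e.g. `(uint64_t)num << shift`, makes the check and the computation agree.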
@@ -219,7 +223,7 @@ int rand_main(int argc, char **argv)
ret = 0;
end:
end:
if (ret != 0)
ERR_print_errors(bio_err);
OPENSSL_free(buf);
+87 -85
View File
@@ -12,15 +12,14 @@
#include "apps.h"
#include "progs.h"
#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) || \
(defined(__VMS) && defined(__DECC) && __CRTL_VER >= 80300000)
# include <unistd.h>
# include <stdio.h>
# include <limits.h>
# include <errno.h>
# include <string.h>
# include <ctype.h>
# include <sys/stat.h>
#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) || (defined(__VMS) && defined(__DECC) && __CRTL_VER >= 80300000)
#include <unistd.h>
#include <stdio.h>
#include <limits.h>
#include <errno.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>
/*
* Make sure that the processing of symbol names is treated the same as when
@@ -28,32 +27,32 @@
* include/openssl/__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H),
* but not for internal headers.
*/
# ifdef __VMS
# pragma names save
# pragma names as_is,shortened
# endif
#ifdef __VMS
#pragma names save
#pragma names as_is, shortened
#endif
# include "internal/o_dir.h"
#include "internal/o_dir.h"
# ifdef __VMS
# pragma names restore
# endif
#ifdef __VMS
#pragma names restore
#endif
# include <openssl/evp.h>
# include <openssl/pem.h>
# include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
# ifndef PATH_MAX
# define PATH_MAX 4096
# endif
# define MAX_COLLISIONS 256
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define MAX_COLLISIONS 256
# if defined(OPENSSL_SYS_VXWORKS)
#if defined(OPENSSL_SYS_VXWORKS)
/*
* VxWorks has no symbolic links
*/
# define lstat(path, buf) stat(path, buf)
#define lstat(path, buf) stat(path, buf)
int symlink(const char *target, const char *linkpath)
{
@@ -66,7 +65,7 @@ ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)
errno = ENOSYS;
return -1;
}
# endif
#endif
typedef struct hentry_st {
struct hentry_st *next;
@@ -86,14 +85,16 @@ typedef struct bucket_st {
enum Type {
/* Keep in sync with |suffixes|, below. */
TYPE_CERT=0, TYPE_CRL=1
TYPE_CERT = 0,
TYPE_CRL = 1
};
enum Hash {
HASH_OLD, HASH_NEW, HASH_BOTH
HASH_OLD,
HASH_NEW,
HASH_BOTH
};
static int evpmdsize;
static const EVP_MD *evpmd;
static int remove_links = 1;
@@ -103,7 +104,6 @@ static BUCKET *hash_table[257];
static const char *suffixes[] = { "", "r" };
static const char *extensions[] = { "pem", "crt", "cer", "crl" };
static void bit_set(unsigned char *set, unsigned int bit)
{
set[bit >> 3] |= 1 << (bit & 0x7);
@@ -114,13 +114,12 @@ static int bit_isset(unsigned char *set, unsigned int bit)
return set[bit >> 3] & (1 << (bit & 0x7));
}
/*
* Process an entry; return number of errors.
*/
static int add_entry(enum Type type, unsigned int hash, const char *filename,
const unsigned char *digest, int need_symlink,
unsigned short old_id)
const unsigned char *digest, int need_symlink,
unsigned short old_id)
{
static BUCKET nilbucket;
static HENTRY nilhentry;
@@ -143,9 +142,9 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
for (ep = bp->first_entry; ep; ep = ep->next) {
if (digest && memcmp(digest, ep->digest, (size_t)evpmdsize) == 0) {
BIO_printf(bio_err,
"%s: warning: skipping duplicate %s in %s\n",
opt_getprog(),
type == TYPE_CERT ? "certificate" : "CRL", filename);
"%s: warning: skipping duplicate %s in %s\n",
opt_getprog(),
type == TYPE_CERT ? "certificate" : "CRL", filename);
return 0;
}
if (strcmp(filename, ep->filename) == 0) {
@@ -158,8 +157,8 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
if (ep == NULL) {
if (bp->num_needed >= MAX_COLLISIONS) {
BIO_printf(bio_err,
"%s: error: hash table overflow for %s\n",
opt_getprog(), filename);
"%s: error: hash table overflow for %s\n",
opt_getprog(), filename);
return 1;
}
ep = app_malloc(sizeof(*ep), "collision bucket");
@@ -212,7 +211,8 @@ static int handle_symlink(const char *filename, const char *fullpath)
return -1;
for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--)
if (OPENSSL_strncasecmp(&filename[i],
suffixes[type], strlen(suffixes[type])) == 0)
suffixes[type], strlen(suffixes[type]))
== 0)
break;
i += strlen(suffixes[type]);
@@ -234,7 +234,7 @@ static int handle_symlink(const char *filename, const char *fullpath)
*/
static int do_file(const char *filename, const char *fullpath, enum Hash h)
{
STACK_OF (X509_INFO) *inf = NULL;
STACK_OF(X509_INFO) *inf = NULL;
X509_INFO *x;
const X509_NAME *name = NULL;
BIO *b;
@@ -256,7 +256,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
/* Does it have X.509 data in it? */
if ((b = BIO_new_file(fullpath, "r")) == NULL) {
BIO_printf(bio_err, "%s: error: skipping %s, cannot open file\n",
opt_getprog(), filename);
opt_getprog(), filename);
errs++;
goto end;
}
@@ -267,9 +267,9 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
if (sk_X509_INFO_num(inf) != 1) {
BIO_printf(bio_err,
"%s: warning: skipping %s, "
"it does not contain exactly one certificate or CRL\n",
opt_getprog(), filename);
"%s: warning: skipping %s, "
"it does not contain exactly one certificate or CRL\n",
opt_getprog(), filename);
/* This is not an error. */
goto end;
}
@@ -297,21 +297,20 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
if (name != NULL) {
if (h == HASH_NEW || h == HASH_BOTH) {
int ok;
unsigned long hash_value =
X509_NAME_hash_ex(name,
app_get0_libctx(), app_get0_propq(), &ok);
unsigned long hash_value = X509_NAME_hash_ex(name,
app_get0_libctx(), app_get0_propq(), &ok);
if (ok) {
errs += add_entry(type, hash_value, filename, digest, 1, ~0);
} else {
BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n",
opt_getprog());
opt_getprog());
errs++;
}
}
if ((h == HASH_OLD) || (h == HASH_BOTH))
errs += add_entry(type, X509_NAME_hash_old(name),
filename, digest, 1, ~0);
filename, digest, 1, ~0);
}
end:
@@ -328,17 +327,17 @@ static int ends_with_dirsep(const char *path)
{
if (*path != '\0')
path += strlen(path) - 1;
# if defined __VMS
#if defined __VMS
if (*path == ']' || *path == '>' || *path == ':')
return 1;
# elif defined _WIN32
#elif defined _WIN32
if (*path == '\\')
return 1;
# endif
#endif
return *path == '/';
}
static int sk_strcmp(const char * const *a, const char * const *b)
static int sk_strcmp(const char *const *a, const char *const *b)
{
return strcmp(*a, *b);
}
@@ -382,7 +381,7 @@ static int do_dir(const char *dirname, enum Hash h)
size_t fname_len = strlen(filename);
if ((copy = OPENSSL_strdup(filename)) == NULL
|| sk_OPENSSL_STRING_push(files, copy) == 0) {
|| sk_OPENSSL_STRING_push(files, copy) == 0) {
OPENSSL_free(copy);
OPENSSL_DIR_end(&d);
BIO_puts(bio_err, "out of memory\n");
@@ -402,7 +401,8 @@ static int do_dir(const char *dirname, enum Hash h)
for (n = 0; n < numfiles; ++n) {
filename = sk_OPENSSL_STRING_value(files, n);
if (BIO_snprintf(buf, buflen, "%s%s%s",
dirname, pathsep, filename) >= buflen)
dirname, pathsep, filename)
>= buflen)
continue;
if (lstat(buf, &st) < 0)
continue;
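Review bot: when `BIO_snprintf()` reports that `dirname`, `pathsep` and `filename` did not fit (`>= buflen`), the loop just does `continue`, and the `lstat()` failure below it is handled the same way. A certificate or CRL skipped because its path was too long ends up without a hash link and without any message. A warning on `bio_err` for the truncation case, and ideally for the `lstat()` failure as well, would make such a miss visible to whoever runs the rehash.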
@@ -425,47 +425,47 @@ static int do_dir(const char *dirname, enum Hash h)
if (ep->old_id < bp->num_needed) {
/* Link exists, and is used as-is */
BIO_snprintf(buf, buflen, "%08x.%s%d", bp->hash,
suffixes[bp->type], ep->old_id);
suffixes[bp->type], ep->old_id);
if (verbose)
BIO_printf(bio_out, "link %s -> %s\n",
ep->filename, buf);
ep->filename, buf);
} else if (ep->need_symlink) {
/* New link needed (it may replace something) */
while (bit_isset(idmask, nextid))
nextid++;
BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
dirname, pathsep, bp->hash,
suffixes[bp->type], nextid);
dirname, pathsep, bp->hash,
suffixes[bp->type], nextid);
if (verbose)
BIO_printf(bio_out, "link %s -> %s\n",
ep->filename, &buf[dirlen]);
ep->filename, &buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
errs++;
}
if (symlink(ep->filename, buf) < 0) {
BIO_printf(bio_err,
"%s: Can't symlink %s, %s\n",
opt_getprog(), ep->filename,
strerror(errno));
"%s: Can't symlink %s, %s\n",
opt_getprog(), ep->filename,
strerror(errno));
errs++;
}
bit_set(idmask, nextid);
} else if (remove_links) {
/* Link to be deleted */
BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
dirname, pathsep, bp->hash,
suffixes[bp->type], ep->old_id);
dirname, pathsep, bp->hash,
suffixes[bp->type], ep->old_id);
if (verbose)
BIO_printf(bio_out, "unlink %s\n",
&buf[dirlen]);
&buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
"%s: Can't unlink %s, %s\n",
opt_getprog(), buf, strerror(errno));
errs++;
}
}
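Review bot: in the `ep->need_symlink` branch, a failed `unlink(buf)` only increments `errs` and the code still goes on to `symlink(ep->filename, buf)` on the same path, and `bit_set(idmask, nextid)` runs whether or not the `symlink()` call succeeded. If marking the slot as used after a failed link is intentional (the old entry may still occupy it), a one-line comment saying so would help; otherwise skip the `symlink()` and `bit_set()` when the preceding step failed. The rest of the hunk is indentation only.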
@@ -477,7 +477,7 @@ static int do_dir(const char *dirname, enum Hash h)
hash_table[i] = NULL;
}
err:
err:
sk_OPENSSL_STRING_pop_free(files, str_free);
OPENSSL_free(buf);
return errs;
@@ -485,31 +485,33 @@ static int do_dir(const char *dirname, enum Hash h)
typedef enum OPTION_choice {
OPT_COMMON,
OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE,
OPT_COMPAT,
OPT_OLD,
OPT_N,
OPT_VERBOSE,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rehash_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [directory...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [directory...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"h", OPT_HELP, '-', "Display this summary"},
{"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
{"old", OPT_OLD, '-', "Use old-style hash to generate links"},
{"n", OPT_N, '-', "Do not remove existing links"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "h", OPT_HELP, '-', "Display this summary" },
{ "compat", OPT_COMPAT, '-', "Create both new- and old-style hash links" },
{ "old", OPT_OLD, '-', "Use old-style hash to generate links" },
{ "n", OPT_N, '-', "Do not remove existing links" },
OPT_SECTION("Output"),
{"v", OPT_VERBOSE, '-', "Verbose output"},
{ "v", OPT_VERBOSE, '-', "Verbose output" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"directory", 0, 0, "One or more directories to process (optional)"},
{NULL}
{ "directory", 0, 0, "One or more directories to process (optional)" },
{ NULL }
};
int rehash_main(int argc, char **argv)
{
const char *env, *prog;
@@ -575,13 +577,13 @@ int rehash_main(int argc, char **argv)
errs += do_dir(X509_get_default_cert_dir(), h);
}
end:
end:
return errs;
}
#else
const OPTIONS rehash_options[] = {
{NULL}
{ NULL }
};
int rehash_main(int argc, char **argv)
+254 -225
@@ -28,51 +28,51 @@
#include <openssl/lhash.h>
#include <openssl/rsa.h>
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#include <openssl/dsa.h>
#endif
#include "internal/e_os.h" /* For isatty() */
#include "internal/e_os.h" /* For isatty() */
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define BITS "default_bits"
#define KEYFILE "default_keyfile"
#define PROMPT "prompt"
#define DISTINGUISHED_NAME "distinguished_name"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define ATTRIBUTES "attributes"
#define V3_EXTENSIONS "x509_extensions"
#define REQ_EXTENSIONS "req_extensions"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 512
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
#define MIN_KEY_LENGTH 512
#define DEFAULT_DAYS 30 /* default certificate validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
#define EXT_COPY_UNSET -1
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
int mutlirdn, int attribs, unsigned long chtype);
int mutlirdn, int attribs, unsigned long chtype);
static int prompt_info(X509_REQ *req,
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype);
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype);
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
STACK_OF(CONF_VALUE) *attr, int attribs,
unsigned long chtype);
STACK_OF(CONF_VALUE) *attr, int attribs,
unsigned long chtype);
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype);
char *value, int nid, int n_min, int n_max,
unsigned long chtype);
static int add_DN_object(X509_NAME *n, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval);
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval);
static int build_data(char *text, const char *def, char *value,
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2);
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2);
static int req_check_len(int len, int n_min, int n_max);
static int check_end(const char *str, const char *end);
static int join(char buf[], size_t buf_size, const char *name,
const char *tail, const char *desc);
const char *tail, const char *desc);
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine);
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine);
static const char *section = "req";
static CONF *req_conf = NULL;
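Review bot: the `make_REQ` prototype in this hunk still spells its fourth parameter `mutlirdn`, while the definition further down uses `multirdn`; since the continuation line is being re-indented here, this is a good place to fix the spelling. Separately, `MIN_KEY_LENGTH 512` sits next to `DEFAULT_KEY_LENGTH 2048` with no comment, unlike `DEFAULT_DAYS` and `UNSET_DAYS`; a short note on why the floor is that low would document the intent for readers who meet the "Private key length too short" check later in the file.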
@@ -82,99 +82,138 @@ static int batch = 0;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CIPHER,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT,
OPT_X509, OPT_X509V1, OPT_CA, OPT_CAKEY,
OPT_MULTIVALUE_RDN, OPT_NOT_BEFORE, OPT_NOT_AFTER, OPT_DAYS, OPT_SET_SERIAL,
OPT_COPY_EXTENSIONS, OPT_EXTENSIONS, OPT_REQEXTS, OPT_ADDEXT,
OPT_PRECERT, OPT_MD,
OPT_SECTION, OPT_QUIET,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_KEYGEN_ENGINE,
OPT_KEY,
OPT_PUBKEY,
OPT_NEW,
OPT_CONFIG,
OPT_KEYFORM,
OPT_IN,
OPT_OUT,
OPT_KEYOUT,
OPT_PASSIN,
OPT_PASSOUT,
OPT_NEWKEY,
OPT_PKEYOPT,
OPT_SIGOPT,
OPT_VFYOPT,
OPT_BATCH,
OPT_NEWHDR,
OPT_MODULUS,
OPT_VERIFY,
OPT_NOENC,
OPT_NODES,
OPT_NOOUT,
OPT_VERBOSE,
OPT_UTF8,
OPT_NAMEOPT,
OPT_REQOPT,
OPT_SUBJ,
OPT_SUBJECT,
OPT_TEXT,
OPT_X509,
OPT_X509V1,
OPT_CA,
OPT_CAKEY,
OPT_MULTIVALUE_RDN,
OPT_NOT_BEFORE,
OPT_NOT_AFTER,
OPT_DAYS,
OPT_SET_SERIAL,
OPT_COPY_EXTENSIONS,
OPT_EXTENSIONS,
OPT_REQEXTS,
OPT_ADDEXT,
OPT_PRECERT,
OPT_MD,
OPT_SECTION,
OPT_QUIET,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS req_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
{ "keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations" },
#endif
{"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F',
"CSR input format to use (PEM or DER; by default try PEM first)"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
{ "in", OPT_IN, '<', "X.509 request input file (default stdin)" },
{ "inform", OPT_INFORM, 'F',
"CSR input format to use (PEM or DER; by default try PEM first)" },
{ "verify", OPT_VERIFY, '-', "Verify self-signature on the request" },
OPT_SECTION("Certificate"),
{"new", OPT_NEW, '-', "New request"},
{"config", OPT_CONFIG, '<', "Request template file"},
{"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
"Output an X.509 certificate structure instead of a cert request"},
{"x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1"},
{"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
{"CAkey", OPT_CAKEY, 's',
"Issuer private key to use with -CA; default is -CA arg"},
{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
{"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"},
{"subject", OPT_SUBJECT, '-',
"Print the subject of the output request or cert"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Deprecated; multi-valued RDNs support is always on."},
{"not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
{"not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
{"days", OPT_DAYS, 'p', "Number of days certificate is valid for"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions from request when using -x509"},
{"extensions", OPT_EXTENSIONS, 's',
"Cert or request extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's', "An alias for -extensions"},
{"addext", OPT_ADDEXT, 's',
"Additional cert extension key=value pair (may be given more than once)"},
{"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
{ "new", OPT_NEW, '-', "New request" },
{ "config", OPT_CONFIG, '<', "Request template file" },
{ "section", OPT_SECTION, 's', "Config section to use (default \"req\")" },
{ "utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)" },
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "reqopt", OPT_REQOPT, 's', "Various request text options" },
{ "text", OPT_TEXT, '-', "Text form of request" },
{ "x509", OPT_X509, '-',
"Output an X.509 certificate structure instead of a cert request" },
{ "x509v1", OPT_X509V1, '-', "Request cert generation with X.509 version 1" },
{ "CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509" },
{ "CAkey", OPT_CAKEY, 's',
"Issuer private key to use with -CA; default is -CA arg" },
{ OPT_MORE_STR, 1, 1, "(Required by some CA's)" },
{ "subj", OPT_SUBJ, 's', "Set or modify subject of request or cert" },
{ "subject", OPT_SUBJECT, '-',
"Print the subject of the output request or cert" },
{ "multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Deprecated; multi-valued RDNs support is always on." },
{ "not_before", OPT_NOT_BEFORE, 's',
"[CC]YYMMDDHHMMSSZ value for notBefore certificate field" },
{ "not_after", OPT_NOT_AFTER, 's',
"[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days" },
{ "days", OPT_DAYS, 'p', "Number of days certificate is valid for" },
{ "set_serial", OPT_SET_SERIAL, 's', "Serial number to use" },
{ "copy_extensions", OPT_COPY_EXTENSIONS, 's',
"copy extensions from request when using -x509" },
{ "extensions", OPT_EXTENSIONS, 's',
"Cert or request extension section (override value in config file)" },
{ "reqexts", OPT_REQEXTS, 's', "An alias for -extensions" },
{ "addext", OPT_ADDEXT, 's',
"Additional cert extension key=value pair (may be given more than once)" },
{ "precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)" },
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
{"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"newkey", OPT_NEWKEY, 's',
"Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
{"", OPT_MD, '-', "Any supported digest"},
{ "key", OPT_KEY, 's', "Key for signing, and to include unless -in given" },
{ "keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)" },
{ "pubkey", OPT_PUBKEY, '-', "Output public key" },
{ "keyout", OPT_KEYOUT, '>', "File to write private key to" },
{ "passin", OPT_PASSIN, 's', "Private key and certificate password source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "newkey", OPT_NEWKEY, 's',
"Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>" },
{ "pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value" },
{ "sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form" },
{ "vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form" },
{ "", OPT_MD, '-', "Any supported digest" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
{"batch", OPT_BATCH, '-',
"Do not ask anything during request generation"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"quiet", OPT_QUIET, '-', "Terse output"},
{"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
{"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
{"noout", OPT_NOOUT, '-', "Do not output REQ"},
{"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
{"modulus", OPT_MODULUS, '-', "RSA modulus"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'F', "Output format - DER or PEM" },
{ "batch", OPT_BATCH, '-',
"Do not ask anything during request generation" },
{ "verbose", OPT_VERBOSE, '-', "Verbose output" },
{ "quiet", OPT_QUIET, '-', "Terse output" },
{ "noenc", OPT_NOENC, '-', "Don't encrypt private keys" },
{ "nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated" },
{ "noout", OPT_NOOUT, '-', "Do not output REQ" },
{ "newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines" },
{ "modulus", OPT_MODULUS, '-', "RSA modulus" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
/*
@@ -283,7 +322,7 @@ int req_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -360,7 +399,7 @@ int req_main(int argc, char **argv)
if (pkeyopts == NULL)
pkeyopts = sk_OPENSSL_STRING_new_null();
if (pkeyopts == NULL
|| !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
|| !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
goto opthelp;
break;
case OPT_SIGOPT:
@@ -439,7 +478,7 @@ int req_main(int argc, char **argv)
days = atoi(opt_arg());
if (days <= UNSET_DAYS) {
BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",
prog);
prog);
goto end;
}
break;
@@ -464,7 +503,7 @@ int req_main(int argc, char **argv)
case OPT_COPY_EXTENSIONS:
if (!set_ext_copy(&ext_copy, opt_arg())) {
BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n",
opt_arg());
opt_arg());
goto end;
}
break;
@@ -526,7 +565,7 @@ int req_main(int argc, char **argv)
newreq = 1;
else if (!newreq && isatty(fileno_stdin()))
BIO_printf(bio_err,
"Warning: Will read cert request from stdin since no -in option is given\n");
"Warning: Will read cert request from stdin since no -in option is given\n");
}
if (!app_passwd(passargin, passargout, &passin, &passout)) {
@@ -539,7 +578,7 @@ int req_main(int argc, char **argv)
if (addext_bio != NULL) {
if (verbose)
BIO_printf(bio_err,
"Using additional configuration from -addext options\n");
"Using additional configuration from -addext options\n");
if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
goto end;
}
@@ -554,7 +593,7 @@ int req_main(int argc, char **argv)
if (oid_bio == NULL) {
if (verbose)
BIO_printf(bio_err,
"Problems opening '%s' for extra OIDs\n", p);
"Problems opening '%s' for extra OIDs\n", p);
} else {
OBJ_create_objects(oid_bio);
BIO_free(oid_bio);
@@ -577,7 +616,7 @@ int req_main(int argc, char **argv)
if (extsect == NULL)
extsect = app_conf_try_string(req_conf, section,
gen_x509 ? V3_EXTENSIONS : REQ_EXTENSIONS);
gen_x509 ? V3_EXTENSIONS : REQ_EXTENSIONS);
if (extsect != NULL) {
/* Check syntax of extension section in config file */
X509V3_CTX ctx;
@@ -586,8 +625,8 @@ int req_main(int argc, char **argv)
X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(req_conf, &ctx, extsect, NULL)) {
BIO_printf(bio_err,
"Error checking %s extension section %s\n",
gen_x509 ? "x509" : "request", extsect);
"Error checking %s extension section %s\n",
gen_x509 ? "x509" : "request", extsect);
goto end;
}
}
@@ -604,12 +643,10 @@ int req_main(int argc, char **argv)
}
if (passin == NULL)
passin = nofree_passin =
app_conf_try_string(req_conf, section, "input_password");
passin = nofree_passin = app_conf_try_string(req_conf, section, "input_password");
if (passout == NULL)
passout = nofree_passout =
app_conf_try_string(req_conf, section, "output_password");
passout = nofree_passout = app_conf_try_string(req_conf, section, "output_password");
p = app_conf_try_string(req_conf, section, STRING_MASK);
if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
@@ -631,7 +668,7 @@ int req_main(int argc, char **argv)
}
if (keyalg != NULL && pkey != NULL) {
BIO_printf(bio_err,
"Warning: Not generating key via given -newkey option since -key is given\n");
"Warning: Not generating key via given -newkey option since -key is given\n");
/* Better throw an error in this case */
}
if (newreq && pkey == NULL) {
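Review bot: the `keyalg != NULL && pkey != NULL` case only prints "Warning: Not generating key via given -newkey option since -key is given" and carries on, while the comment right under it reads `/* Better throw an error in this case */`. The hunk re-indents the message but leaves that gap between comment and behaviour; either turn the comment into a tracked TODO or add `goto end;`, because a caller who passed `-newkey` and missed the warning on stderr will assume a fresh key was generated.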
@@ -649,7 +686,7 @@ int req_main(int argc, char **argv)
|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS")
|| EVP_PKEY_CTX_is_a(genctx, "DSA"))) {
BIO_printf(bio_err, "Private key length too short, needs to be at least %d bits, not %ld.\n",
MIN_KEY_LENGTH, newkey_len);
MIN_KEY_LENGTH, newkey_len);
goto end;
}
@@ -657,17 +694,17 @@ int req_main(int argc, char **argv)
&& (EVP_PKEY_CTX_is_a(genctx, "RSA")
|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS")))
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len);
"Warning: It is not recommended to use more than %d bit for RSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len);
#ifndef OPENSSL_NO_DSA
if (EVP_PKEY_CTX_is_a(genctx, "DSA")
&& newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS)
&& newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS)
BIO_printf(bio_err,
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len);
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
" Your key size is %ld! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len);
#endif
if (pkeyopts != NULL) {
@@ -703,7 +740,7 @@ int req_main(int argc, char **argv)
else
BIO_printf(bio_err, "'%s'\n", keyout);
}
out = bio_open_owner(keyout, outformat, newreq);
out = bio_open_owner(keyout, outformat, 1);
if (out == NULL)
goto end;
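Review bot: the third argument of `bio_open_owner(keyout, outformat, ...)` changes from `newreq` to the literal `1` in this hunk, which is a behaviour change sitting among hunks that are otherwise whitespace only. That argument is the helper's `private` flag, so the `-keyout` file is now always opened as a private key file rather than only when `newreq` is set. Please mention this in the import notes or add a one-line comment at the call site, so the permission change on the private key output is not lost in the reformat.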
@@ -716,11 +753,10 @@ int req_main(int argc, char **argv)
cipher = NULL;
i = 0;
loop:
loop:
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) ==
PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
ERR_clear_error();
i++;
goto loop;
@@ -737,20 +773,20 @@ int req_main(int argc, char **argv)
* where characters may be escaped by \
*/
if (subj != NULL
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
&& (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
goto end;
if (!newreq) {
if (keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not placing -key in cert or request since request is used\n");
"Warning: Not placing -key in cert or request since request is used\n");
req = load_csr_autofmt(infile /* if NULL, reads from stdin */,
informat, vfyopts, "X509 request");
informat, vfyopts, "X509 request");
if (req == NULL)
goto end;
} else if (infile != NULL) {
BIO_printf(bio_err,
"Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
"Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
/* Better throw an error in this case, as done in the x509 app */
}
@@ -759,30 +795,32 @@ int req_main(int argc, char **argv)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
"Warning: Ignoring -CAkey option since no -CA option is given\n");
"Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
CAkeyfile != CAfile
? "issuer private key from -CAkey arg"
: "issuer private key from -CA arg")) == NULL)
0, passin, e,
CAkeyfile != CAfile
? "issuer private key from -CAkey arg"
: "issuer private key from -CA arg"))
== NULL)
goto end;
}
}
if (CAfile != NULL) {
if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
"issuer cert from -CA arg")) == NULL)
"issuer cert from -CA arg"))
== NULL)
goto end;
if (!X509_check_private_key(CAcert, CAkey)) {
BIO_printf(bio_err,
"Issuer CA certificate and key do not match\n");
"Issuer CA certificate and key do not match\n");
goto end;
}
}
if (newreq || gen_x509) {
if (CAcert == NULL && pkey == NULL) {
BIO_printf(bio_err, "Must provide a signature key using -key or"
" provide -CA / -CAkey\n");
" provide -CA / -CAkey\n");
goto end;
}
@@ -802,17 +840,16 @@ int req_main(int argc, char **argv)
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;
X509V3_CTX ext_ctx;
X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) :
X509_REQ_get_subject_name(req);
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : X509_REQ_get_subject_name(req);
X509_NAME *n_subj = fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req);
if (CAcert != NULL && keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not using -key or -newkey for signing since -CA option is given\n");
"Warning: Not using -key or -newkey for signing since -CA option is given\n");
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
app_get0_propq()))
== NULL)
goto end;
if (serial != NULL) {
@@ -828,7 +865,7 @@ int req_main(int argc, char **argv)
if (days == UNSET_DAYS)
days = DEFAULT_DAYS;
else if (not_after != NULL)
BIO_printf(bio_err,"Warning: -not_after option overriding -days option\n");
BIO_printf(bio_err, "Warning: -not_after option overriding -days option\n");
if (!set_cert_times(new_x509, not_before, not_after, days, 1))
goto end;
if (!X509_set_subject_name(new_x509, n_subj))
@@ -845,14 +882,14 @@ int req_main(int argc, char **argv)
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
/* prepare fallback for AKID, but only if issuer cert == new_x509 */
if (CAcert == NULL) {
if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
goto end;
if (!cert_matches_key(new_x509, issuer_key))
BIO_printf(bio_err,
"Warning: Signature key and public key of cert do not match\n");
"Warning: Signature key and public key of cert do not match\n");
}
X509V3_set_nconf(&ext_ctx, req_conf);
@@ -860,12 +897,12 @@ int req_main(int argc, char **argv)
if (extsect != NULL
&& !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extsect, new_x509)) {
BIO_printf(bio_err, "Error adding x509 extensions from section %s\n",
extsect);
extsect);
goto end;
}
if (addext_conf != NULL
&& !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
new_x509)) {
new_x509)) {
BIO_printf(bio_err, "Error adding x509 extensions defined via -addext\n");
goto end;
}
@@ -873,14 +910,15 @@ int req_main(int argc, char **argv)
/* If a pre-cert was requested, we need to add a poison extension */
if (precert) {
if (X509_add1_ext_i2d(new_x509, NID_ct_precert_poison,
NULL, 1, 0) != 1) {
NULL, 1, 0)
!= 1) {
BIO_printf(bio_err, "Error adding poison extension\n");
goto end;
}
}
i = do_X509_sign(new_x509, x509v1, issuer_key, digest, sigopts,
&ext_ctx);
&ext_ctx);
if (!i)
goto end;
} else {
@@ -888,7 +926,7 @@ int req_main(int argc, char **argv)
if (precert) {
BIO_printf(bio_err,
"Warning: Ignoring -precert flag since no cert is produced\n");
"Warning: Ignoring -precert flag since no cert is produced\n");
}
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, X509V3_CTX_REPLACE);
@@ -898,12 +936,12 @@ int req_main(int argc, char **argv)
if (extsect != NULL
&& !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, extsect, req)) {
BIO_printf(bio_err, "Error adding request extensions from section %s\n",
extsect);
extsect);
goto end;
}
if (addext_conf != NULL
&& !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
req)) {
req)) {
BIO_printf(bio_err, "Error adding request extensions defined via -addext\n");
goto end;
}
@@ -944,7 +982,7 @@ int req_main(int argc, char **argv)
goto end;
if (i == 0) {
BIO_printf(bio_err, "Certificate request self-signature verify failure\n");
goto end;
goto end;
} else /* i > 0 */
BIO_printf(bio_out, "Certificate request self-signature verify OK\n");
}
@@ -955,9 +993,8 @@ int req_main(int argc, char **argv)
}
out = bio_open_default(outfile,
keyout != NULL && outfile != NULL &&
strcmp(keyout, outfile) == 0 ? 'a' : 'w',
outformat);
keyout != NULL && outfile != NULL && strcmp(keyout, outfile) == 0 ? 'a' : 'w',
outformat);
if (out == NULL)
goto end;
@@ -987,9 +1024,7 @@ int req_main(int argc, char **argv)
}
if (subject) {
print_name(out, "subject=", gen_x509
? X509_get_subject_name(new_x509)
: X509_REQ_get_subject_name(req));
print_name(out, "subject=", gen_x509 ? X509_get_subject_name(new_x509) : X509_REQ_get_subject_name(req));
}
if (modulus) {
@@ -1040,7 +1075,7 @@ int req_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret) {
ERR_print_errors(bio_err);
}
@@ -1074,7 +1109,7 @@ int req_main(int argc, char **argv)
}
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
int multirdn, int attribs, unsigned long chtype)
int multirdn, int attribs, unsigned long chtype)
{
int ret = 0, i;
char no_prompt = 0;
@@ -1113,7 +1148,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
else
i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
chtype);
chtype);
if (!i)
goto err;
@@ -1121,14 +1156,14 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
goto err;
ret = 1;
err:
err:
return ret;
}
static int prompt_info(X509_REQ *req,
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype)
STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
int attribs, unsigned long chtype)
{
int i;
char *p, *q;
@@ -1142,22 +1177,22 @@ static int prompt_info(X509_REQ *req,
if (!batch) {
BIO_printf(bio_err,
"You are about to be asked to enter information that will be incorporated\n");
"You are about to be asked to enter information that will be incorporated\n");
BIO_printf(bio_err, "into your certificate request.\n");
BIO_printf(bio_err,
"What you are about to enter is what is called a Distinguished Name or a DN.\n");
"What you are about to enter is what is called a Distinguished Name or a DN.\n");
BIO_printf(bio_err,
"There are quite a few fields but you can leave some blank\n");
"There are quite a few fields but you can leave some blank\n");
BIO_printf(bio_err,
"For some fields there will be a default value,\n");
"For some fields there will be a default value,\n");
BIO_printf(bio_err,
"If you enter '.', the field will be left blank.\n");
"If you enter '.', the field will be left blank.\n");
BIO_printf(bio_err, "-----\n");
}
if (sk_CONF_VALUE_num(dn_sk)) {
i = -1;
start:
start:
for (;;) {
i++;
if (sk_CONF_VALUE_num(dn_sk) <= i)
@@ -1166,8 +1201,7 @@ static int prompt_info(X509_REQ *req,
v = sk_CONF_VALUE_value(dn_sk, i);
p = q = NULL;
type = v->name;
if (!check_end(type, "_min") || !check_end(type, "_max") ||
!check_end(type, "_default") || !check_end(type, "_value"))
if (!check_end(type, "_min") || !check_end(type, "_max") || !check_end(type, "_default") || !check_end(type, "_value"))
continue;
/*
* Skip past any leading X. X: X, etc to allow for multiple
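Review bot: the four `check_end(type, ...)` tests are joined here into a single line well past 80 columns, which is harder to read than the two-line original. Other hunks in this same patch break long conditions before the operator (for example the `|| *p == os_toascii['.']` continuation in `auto_info`), so this condition should be split the same way, one `|| !check_end(...)` per line, to keep the suffix list (`_min`, `_max`, `_default`, `_value`) easy to scan.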
@@ -1210,7 +1244,7 @@ static int prompt_info(X509_REQ *req,
n_max = -1;
if (!add_DN_object(subj, v->value, def, value, nid,
n_min, n_max, chtype, mval))
n_min, n_max, chtype, mval))
return 0;
}
if (X509_NAME_entry_count(subj) == 0) {
@@ -1222,13 +1256,13 @@ static int prompt_info(X509_REQ *req,
if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
&& (!batch)) {
BIO_printf(bio_err,
"\nPlease enter the following 'extra' attributes\n");
"\nPlease enter the following 'extra' attributes\n");
BIO_printf(bio_err,
"to be sent with your certificate request\n");
"to be sent with your certificate request\n");
}
i = -1;
start2:
start2:
for (;;) {
i++;
if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
@@ -1260,8 +1294,8 @@ static int prompt_info(X509_REQ *req,
n_max = -1;
if (!add_attribute_object(req,
v->value, def, value, nid, n_min,
n_max, chtype))
v->value, def, value, nid, n_min,
n_max, chtype))
return 0;
}
}
@@ -1271,12 +1305,11 @@ static int prompt_info(X509_REQ *req,
}
return 1;
}
static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
STACK_OF(CONF_VALUE) *attr_sk, int attribs,
unsigned long chtype)
STACK_OF(CONF_VALUE) *attr_sk, int attribs,
unsigned long chtype)
{
int i, spec_char, plus_char;
char *p, *q;
@@ -1299,7 +1332,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
spec_char = (*p == ':' || *p == ',' || *p == '.');
#else
spec_char = (*p == os_toascii[':'] || *p == os_toascii[',']
|| *p == os_toascii['.']);
|| *p == os_toascii['.']);
#endif
if (spec_char) {
p++;
@@ -1320,10 +1353,9 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
mval = 0;
}
if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
(unsigned char *)v->value, -1, -1,
mval))
(unsigned char *)v->value, -1, -1,
mval))
return 0;
}
if (!X509_NAME_entry_count(subj)) {
@@ -1334,7 +1366,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
v = sk_CONF_VALUE_value(attr_sk, i);
if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
(unsigned char *)v->value, -1))
(unsigned char *)v->value, -1))
return 0;
}
}
@@ -1342,40 +1374,40 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
}
static int add_DN_object(X509_NAME *n, char *text, const char *def,
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval)
char *value, int nid, int n_min, int n_max,
unsigned long chtype, int mval)
{
int ret = 0;
char buf[1024];
ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
"DN value", "DN default");
"DN value", "DN default");
if ((ret == 0) || (ret == 1))
return ret;
ret = 1;
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
(unsigned char *)buf, -1, -1, mval))
(unsigned char *)buf, -1, -1, mval))
ret = 0;
return ret;
}
static int add_attribute_object(X509_REQ *req, char *text, const char *def,
char *value, int nid, int n_min,
int n_max, unsigned long chtype)
char *value, int nid, int n_min,
int n_max, unsigned long chtype)
{
int ret = 0;
char buf[1024];
ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
"Attribute value", "Attribute default");
"Attribute value", "Attribute default");
if ((ret == 0) || (ret == 1))
return ret;
ret = 1;
if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
(unsigned char *)buf, -1)) {
(unsigned char *)buf, -1)) {
BIO_printf(bio_err, "Error adding attribute\n");
ret = 0;
}
@@ -1384,11 +1416,11 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def,
}
static int build_data(char *text, const char *def, char *value,
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2)
int n_min, int n_max, char *buf, const int buf_size,
const char *desc1, const char *desc2)
{
int i;
start:
start:
if (!batch)
BIO_printf(bio_err, "%s [%s]:", text, def);
(void)BIO_flush(bio_err);
@@ -1439,12 +1471,12 @@ static int req_check_len(int len, int n_min, int n_max)
{
if (n_min > 0 && len < n_min) {
BIO_printf(bio_err,
"String too short, must be at least %d bytes long\n", n_min);
"String too short, must be at least %d bytes long\n", n_min);
return 0;
}
if (n_max >= 0 && len > n_max) {
BIO_printf(bio_err,
"String too long, must be at most %d bytes long\n", n_max);
"String too long, must be at most %d bytes long\n", n_max);
return 0;
}
return 1;
@@ -1469,7 +1501,7 @@ static int check_end(const char *str, const char *end)
* overflow and producing an error message if there is.
*/
static int join(char buf[], size_t buf_size, const char *name,
const char *tail, const char *desc)
const char *tail, const char *desc)
{
const size_t name_len = strlen(name), tail_len = strlen(tail);
@@ -1483,8 +1515,8 @@ static int join(char buf[], size_t buf_size, const char *name,
}
static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine)
char **pkeytype, long *pkeylen,
ENGINE *keygen_engine)
{
EVP_PKEY_CTX *gctx = NULL;
EVP_PKEY *param = NULL;
@@ -1520,8 +1552,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
expect_paramfile = 1;
if (p == NULL) {
BIO_printf(bio_err,
"Parameter file requested but no path given: %s\n",
gstr);
"Parameter file requested but no path given: %s\n",
gstr);
return NULL;
}
} else {
@@ -1604,19 +1636,19 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
gctx = EVP_PKEY_CTX_new(param, keygen_engine);
else
gctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
param, app_get0_propq());
param, app_get0_propq());
*pkeylen = EVP_PKEY_get_bits(param);
EVP_PKEY_free(param);
} else {
if (keygen_engine != NULL) {
int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype,
keygen_engine);
keygen_engine);
if (pkey_id != NID_undef)
gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine);
} else {
gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(),
*pkeytype, app_get0_propq());
*pkeytype, app_get0_propq());
}
}
@@ -1630,16 +1662,14 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
EVP_PKEY_CTX_free(gctx);
return NULL;
}
if (keylen == -1 && (EVP_PKEY_CTX_is_a(gctx, "RSA")
|| EVP_PKEY_CTX_is_a(gctx, "RSA-PSS")))
if (keylen == -1 && (EVP_PKEY_CTX_is_a(gctx, "RSA") || EVP_PKEY_CTX_is_a(gctx, "RSA-PSS")))
keylen = *pkeylen;
if (keylen != -1) {
OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
size_t bits = keylen;
params[0] =
OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_BITS, &bits);
params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_BITS, &bits);
if (EVP_PKEY_CTX_set_params(gctx, params) <= 0) {
BIO_puts(bio_err, "Error setting keysize\n");
EVP_PKEY_CTX_free(gctx);
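Review bot: Within this hunk only keylen == -1 is excluded before `size_t bits = keylen;`, so any other negative value that reaches this point would be converted to a very large size_t and handed to OSSL_PKEY_PARAM_BITS. If nothing outside the visible lines already rejects that, a `keylen <= 0` check with an error message before building params would make the conversion safe; if something does, a one-line comment naming that check would help the next reader.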
@@ -1649,4 +1679,3 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
return gctx;
}
+59 -44
View File
@@ -34,63 +34,78 @@
#include <openssl/core_dispatch.h>
#ifndef OPENSSL_NO_RC4
# define DEFAULT_PVK_ENCR_STRENGTH 2
#define DEFAULT_PVK_ENCR_STRENGTH 2
#else
# define DEFAULT_PVK_ENCR_STRENGTH 0
#define DEFAULT_PVK_ENCR_STRENGTH 0
#endif
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN,
OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT,
OPT_INFORM,
OPT_OUTFORM,
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_PUBIN,
OPT_PUBOUT,
OPT_PASSOUT,
OPT_PASSIN,
OPT_RSAPUBKEY_IN,
OPT_RSAPUBKEY_OUT,
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
OPT_PROV_ENUM, OPT_TRADITIONAL
OPT_PVK_NONE,
OPT_PVK_WEAK,
OPT_PVK_STRONG,
OPT_NOOUT,
OPT_TEXT,
OPT_MODULUS,
OPT_CHECK,
OPT_CIPHER,
OPT_PROV_ENUM,
OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS rsa_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"check", OPT_CHECK, '-', "Verify key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "check", OPT_CHECK, '-', "Verify key consistency" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file"},
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
{"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, 's', "Input file" },
{ "inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)" },
{ "pubin", OPT_PUBIN, '-', "Expect a public key in input file" },
{ "RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
{"pubout", OPT_PUBOUT, '-', "Output a public key"},
{"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK" },
{ "pubout", OPT_PUBOUT, '-', "Output a public key" },
{ "RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
{ "noout", OPT_NOOUT, '-', "Don't print key out" },
{ "text", OPT_TEXT, '-', "Print the key in text" },
{ "modulus", OPT_MODULUS, '-', "Print the RSA key modulus" },
{ "traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys" },
#ifndef OPENSSL_NO_RC4
OPT_SECTION("PVK"),
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
{ "pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)" },
{ "pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level" },
{ "pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding" },
#endif
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
static int try_legacy_encoding(EVP_PKEY *pkey, int outformat, int pubout,
BIO *out)
BIO *out)
{
int ret = 0;
#ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -109,10 +124,10 @@ static int try_legacy_encoding(EVP_PKEY *pkey, int outformat, int pubout,
ret = PEM_write_bio_RSAPublicKey(out, rsa) > 0;
else
ret = PEM_write_bio_RSA_PUBKEY(out, rsa) > 0;
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
ret = i2b_PublicKey_bio(out, pkey) > 0;
# endif
#endif
}
#endif
@@ -145,7 +160,7 @@ int rsa_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -187,9 +202,9 @@ int rsa_main(int argc, char **argv)
case OPT_RSAPUBKEY_OUT:
pubout = 2;
break;
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
pvk_encr = (o - OPT_PVK_NONE);
break;
case OPT_NOOUT:
@@ -338,7 +353,7 @@ int rsa_main(int argc, char **argv)
} else {
assert(private);
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
}
/* For DER based output, select the desired output structure */
@@ -359,8 +374,8 @@ int rsa_main(int argc, char **argv)
/* Now, perform the encoding */
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection,
output_type, output_structure,
NULL);
output_type, output_structure,
NULL);
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
if ((!pubout && !pubin)
|| !try_legacy_encoding(pkey, outformat, pubout, out))
@@ -380,8 +395,8 @@ int rsa_main(int argc, char **argv)
if (passout != NULL)
/* When passout given, override the passphrase prompter */
OSSL_ENCODER_CTX_set_passphrase(ectx,
(const unsigned char *)passout,
strlen(passout));
(const unsigned char *)passout,
strlen(passout));
}
/* PVK is a bit special... */
@@ -401,7 +416,7 @@ int rsa_main(int argc, char **argv)
goto end;
}
ret = 0;
end:
end:
OSSL_ENCODER_CTX_free(ectx);
release_engine(e);
BIO_free_all(out);
+54 -37
View File
@@ -16,57 +16,73 @@
#include <openssl/pem.h>
#include <openssl/rsa.h>
#define RSA_SIGN 1
#define RSA_VERIFY 2
#define RSA_ENCRYPT 3
#define RSA_DECRYPT 4
#define RSA_SIGN 1
#define RSA_VERIFY 2
#define RSA_ENCRYPT 3
#define RSA_DECRYPT 4
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP,
OPT_RSA_RAW, OPT_OAEP, OPT_PKCS, OPT_X931,
OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_ENGINE,
OPT_IN,
OPT_OUT,
OPT_ASN1PARSE,
OPT_HEXDUMP,
OPT_RSA_RAW,
OPT_OAEP,
OPT_PKCS,
OPT_X931,
OPT_SIGN,
OPT_VERIFY,
OPT_REV,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_PUBIN,
OPT_CERTIN,
OPT_INKEY,
OPT_PASSIN,
OPT_KEYFORM,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rsautl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"sign", OPT_SIGN, '-', "Sign with private key"},
{"verify", OPT_VERIFY, '-', "Verify with public key"},
{"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "sign", OPT_SIGN, '-', "Sign with private key" },
{ "verify", OPT_VERIFY, '-', "Verify with public key" },
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt with public key" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt with private key" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"inkey", OPT_INKEY, 's', "Input key, by default an RSA private key"},
{"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"},
{"pubin", OPT_PUBIN, '-', "Input key is an RSA public pkey"},
{"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
{"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "in", OPT_IN, '<', "Input file" },
{ "inkey", OPT_INKEY, 's', "Input key, by default an RSA private key" },
{ "keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)" },
{ "pubin", OPT_PUBIN, '-', "Input key is an RSA public pkey" },
{ "certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key" },
{ "rev", OPT_REV, '-', "Reverse the order of the input buffer" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"raw", OPT_RSA_RAW, '-', "Use no padding"},
{"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
{"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
{"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
{"asn1parse", OPT_ASN1PARSE, '-',
"Run output through asn1parse; useful with -verify"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{ "out", OPT_OUT, '>', "Output file" },
{ "raw", OPT_RSA_RAW, '-', "Use no padding" },
{ "pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)" },
{ "x931", OPT_X931, '-', "Use ANSI X9.31 padding" },
{ "oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP" },
{ "asn1parse", OPT_ASN1PARSE, '-',
"Run output through asn1parse; useful with -verify" },
{ "hexdump", OPT_HEXDUMP, '-', "Hex dump output" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int rsautl_main(int argc, char **argv)
@@ -90,7 +106,7 @@ int rsautl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -245,7 +261,8 @@ int rsautl_main(int argc, char **argv)
rv = EVP_PKEY_verify_recover_init(ctx) > 0
&& EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0
&& EVP_PKEY_verify_recover(ctx, rsa_out, &rsa_outlen,
rsa_in, rsa_inlen) > 0;
rsa_in, rsa_inlen)
> 0;
break;
case RSA_SIGN:
rv = EVP_PKEY_sign_init(ctx) > 0
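Review bot: In the RSA_VERIFY case the comparison for EVP_PKEY_verify_recover() is now split so that `> 0;` sits alone on its own line, while the two calls above it keep `> 0` on the same line as the call. A success check that has drifted away from its call is easy to drop in a later edit. Consider wrapping the call in parentheses so the formatter keeps `> 0` attached to the closing parenthesis, or breaking the chain into sequential `if (... <= 0)` checks.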
@@ -279,7 +296,7 @@ int rsautl_main(int argc, char **argv)
} else {
BIO_write(out, rsa_out, rsa_outlen);
}
end:
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
release_engine(e);
File diff suppressed because it is too large Load Diff
File diff suppressed because it is too large Load Diff
+91 -67
View File
@@ -24,10 +24,10 @@
#include <openssl/err.h>
#include "internal/sockets.h"
#if !defined(OPENSSL_SYS_MSDOS)
# include <unistd.h>
#include <unistd.h>
#endif
#define SSL_CONNECT_NAME "localhost:4433"
#define SSL_CONNECT_NAME "localhost:4433"
#define SECONDS 30
#define SECONDSSTR "30"
@@ -44,68 +44,86 @@ static const size_t fmt_http_get_cmd_size = sizeof(fmt_http_get_cmd) - 2;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY,
OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
OPT_CONNECT,
OPT_CIPHER,
OPT_CIPHERSUITES,
OPT_CERT,
OPT_NAMEOPT,
OPT_KEY,
OPT_CAPATH,
OPT_CAFILE,
OPT_CASTORE,
OPT_NOCAPATH,
OPT_NOCAFILE,
OPT_NOCASTORE,
OPT_NEW,
OPT_REUSE,
OPT_BUGS,
OPT_VERIFY,
OPT_TIME,
OPT_SSL3,
OPT_WWW,
OPT_TLS1,
OPT_TLS1_1,
OPT_TLS1_2,
OPT_TLS1_3,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS s_time_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{ "help", OPT_HELP, '-', "Display this summary" },
OPT_SECTION("Connection"),
{"connect", OPT_CONNECT, 's',
"Where to connect as post:port (default is " SSL_CONNECT_NAME ")"},
{"new", OPT_NEW, '-', "Just time new connections"},
{"reuse", OPT_REUSE, '-', "Just time connection reuse"},
{"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
{"cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used"},
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Specify TLSv1.3 ciphersuites to be used"},
{ "connect", OPT_CONNECT, 's',
"Where to connect as post:port (default is " SSL_CONNECT_NAME ")" },
{ "new", OPT_NEW, '-', "Just time new connections" },
{ "reuse", OPT_REUSE, '-', "Just time connection reuse" },
{ "bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility" },
{ "cipher", OPT_CIPHER, 's', "TLSv1.2 and below cipher list to be used" },
{ "ciphersuites", OPT_CIPHERSUITES, 's',
"Specify TLSv1.3 ciphersuites to be used" },
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
{ "ssl3", OPT_SSL3, '-', "Just use SSLv3" },
#endif
#ifndef OPENSSL_NO_TLS1
{"tls1", OPT_TLS1, '-', "Just use TLSv1.0"},
{ "tls1", OPT_TLS1, '-', "Just use TLSv1.0" },
#endif
#ifndef OPENSSL_NO_TLS1_1
{"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
{ "tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1" },
#endif
#ifndef OPENSSL_NO_TLS1_2
{"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
{ "tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2" },
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
{ "tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3" },
#endif
{"verify", OPT_VERIFY, 'p',
"Turn on peer certificate verification, set depth"},
{"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
{"www", OPT_WWW, 's', "Fetch specified page from the site"},
{ "verify", OPT_VERIFY, 'p',
"Turn on peer certificate verification, set depth" },
{ "time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR },
{ "www", OPT_WWW, 's', "Fetch specified page from the site" },
OPT_SECTION("Certificate"),
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store URI"},
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "cert", OPT_CERT, '<', "Cert file to use, PEM format assumed" },
{ "key", OPT_KEY, '<', "File with key, PEM; default is -cert file" },
{ "cafile", OPT_CAFILE, '<', "PEM format file of CA's" },
{ "CAfile", OPT_CAFILE, '<', "PEM format file of CA's" },
{ "CApath", OPT_CAPATH, '/', "PEM format directory of CA's" },
{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store URI" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
#define START 0
#define STOP 1
#define START 0
#define STOP 1
static double tm_Time_F(int s)
{
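Review bot: The -connect help string in s_time_options still reads "Where to connect as post:port" after being re-wrapped here; that should be "host:port". Since the line is already touched by the reformat, it is a good moment to fix the user-visible typo (upstream first, so the vendored copy does not diverge).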
@@ -137,7 +155,7 @@ int s_time_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -156,7 +174,7 @@ int s_time_main(int argc, char **argv)
case OPT_VERIFY:
verify_args.depth = opt_int_arg();
BIO_printf(bio_err, "%s: verify depth is %d\n",
prog, verify_args.depth);
prog, verify_args.depth);
break;
case OPT_CERT:
certfile = opt_arg();
@@ -259,7 +277,7 @@ int s_time_main(int argc, char **argv)
goto end;
if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) {
CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
@@ -281,7 +299,7 @@ int s_time_main(int argc, char **argv)
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
@@ -310,19 +328,17 @@ int s_time_main(int argc, char **argv)
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);
/*
* Now loop and time connections using the same session id over and over
*/
next:
next:
if (!(perform & 2)) {
ret = 0;
goto end;
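Review bot: The second printf in this hunk ends its ternary with `0l`, where the lowercase suffix is easily misread as the number 01; `0L` is clearer. This block also guards the per-connection division with a ternary, while the reuse loop further down uses an explicit `if (nConn > 0) ... else` for the same report, so picking one form for both would make the two summaries easier to compare.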
@@ -364,7 +380,7 @@ int s_time_main(int argc, char **argv)
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
@@ -391,19 +407,17 @@ int s_time_main(int argc, char **argv)
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
if (nConn > 0)
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
else
printf("0 connections in %ld real seconds\n",
(long)time(NULL) - finishtime + maxtime);
(long)time(NULL) - finishtime + maxtime);
ret = 0;
end:
end:
SSL_free(scon);
SSL_CTX_free(ctx);
return ret;
@@ -422,7 +436,7 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
return NULL;
if (BIO_set_conn_hostname(conn, host) <= 0
|| BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) <= 0) {
|| BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) <= 0) {
BIO_free(conn);
return NULL;
}
@@ -435,6 +449,16 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
}
} else {
serverCon = scon;
/*
* Reset the SSL object before reusing it for a new connection.
* This clears prior handshake and I/O state while keeping
* configuration inherited from the SSL_CTX.
*/
if (!SSL_clear(serverCon)) {
ERR_print_errors(bio_err);
BIO_free(conn);
return NULL;
}
SSL_set_connect_state(serverCon);
}
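Review bot: The SSL_clear() failure branch added in the else arm frees conn but not serverCon. That is correct only because serverCon is the caller's scon at this point and the end: label in s_time_main already calls SSL_free(scon). The new comment should state that ownership stays with the caller, so that nobody later adds an SSL_free() here and introduces a double free. The comment describes only handshake and I/O state; because this arm handles the reused SSL object, it should also say what happens to the session being reused.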
@@ -446,7 +470,7 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
BIO_printf(bio_err, "ERROR\n");
if (verify_args.error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_args.error));
X509_verify_cert_error_string(verify_args.error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
@@ -459,12 +483,12 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
struct linger no_linger;
int fd;
no_linger.l_onoff = 1;
no_linger.l_onoff = 1;
no_linger.l_linger = 0;
fd = SSL_get_fd(serverCon);
if (fd >= 0)
(void)setsockopt(fd, SOL_SOCKET, SO_LINGER, (char*)&no_linger,
sizeof(no_linger));
(void)setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&no_linger,
sizeof(no_linger));
}
#endif
+24 -18
View File
@@ -20,27 +20,33 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT
OPT_INFORM,
OPT_OUTFORM,
OPT_IN,
OPT_OUT,
OPT_TEXT,
OPT_CERT,
OPT_NOOUT,
OPT_CONTEXT
} OPTION_CHOICE;
const OPTIONS sess_id_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"context", OPT_CONTEXT, 's', "Set the session ID context"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "context", OPT_CONTEXT, 's', "Set the session ID context" },
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input file - default stdin"},
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
{ "in", OPT_IN, 's', "Input file - default stdin" },
{ "inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (PEM, DER or NSS)"},
{"text", OPT_TEXT, '-', "Print ssl session id details"},
{"cert", OPT_CERT, '-', "Output certificate "},
{"noout", OPT_NOOUT, '-', "Don't output the encoded session info"},
{NULL}
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "outform", OPT_OUTFORM, 'f',
"Output format - default PEM (PEM, DER or NSS)" },
{ "text", OPT_TEXT, '-', "Print ssl session id details" },
{ "cert", OPT_CERT, '-', "Output certificate " },
{ "noout", OPT_NOOUT, '-', "Don't output the encoded session info" },
{ NULL }
};
static SSL_SESSION *load_sess_id(char *file, int format);
@@ -60,7 +66,7 @@ int sess_id_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -73,7 +79,7 @@ int sess_id_main(int argc, char **argv)
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_NSS,
&outformat))
&outformat))
goto opthelp;
break;
case OPT_IN:
@@ -114,7 +120,7 @@ int sess_id_main(int argc, char **argv)
goto end;
}
if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context,
ctx_len)) {
ctx_len)) {
BIO_printf(bio_err, "Error setting id context\n");
goto end;
}
@@ -167,7 +173,7 @@ int sess_id_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
BIO_free_all(out);
SSL_SESSION_free(x);
return ret;
@@ -191,7 +197,7 @@ static SSL_SESSION *load_sess_id(char *infile, int format)
goto end;
}
end:
end:
BIO_free(in);
return x;
}
+19 -19
View File
@@ -21,18 +21,20 @@ typedef enum OPTION_choice {
OPT_COMMON,
OPT_PROV_ENUM,
OPT_CIPHER,
OPT_SKEYOPT, OPT_SKEYMGMT, OPT_GENKEY
OPT_SKEYOPT,
OPT_SKEYMGMT,
OPT_GENKEY
} OPTION_CHOICE;
const OPTIONS skeyutl_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque keys handling"},
{"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque keys handling"},
{"genkey", OPT_GENKEY, '-', "Generate an opaque symmetric key"},
{"cipher", OPT_CIPHER, 's', "The cipher to generate key for"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque keys handling" },
{ "skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque keys handling" },
{ "genkey", OPT_GENKEY, '-', "Generate an opaque symmetric key" },
{ "cipher", OPT_CIPHER, 's', "The cipher to generate key for" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int skeyutl_main(int argc, char **argv)
@@ -52,7 +54,7 @@ int skeyutl_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -66,9 +68,7 @@ int skeyutl_main(int argc, char **argv)
ciphername = opt_arg();
break;
case OPT_SKEYOPT:
if ((skeyopts == NULL &&
(skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
if ((skeyopts == NULL && (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) || sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
BIO_printf(bio_err, "%s: out of memory\n", prog);
goto end;
}
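Review bot: The OPT_SKEYOPT condition is now one very long line with the assignment `skeyopts = sk_OPENSSL_STRING_new_null()` buried in the middle of it, which makes the out-of-memory check hard to audit. Hoisting the lazy allocation into its own `if (skeyopts == NULL)` statement and then testing `skeyopts == NULL || sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0` keeps the same behaviour and reads cleanly under the new formatter.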
@@ -96,26 +96,26 @@ int skeyutl_main(int argc, char **argv)
OSSL_PARAM *params = NULL;
mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq());
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq());
if (mgmt == NULL)
goto end;
params = app_params_new_from_opts(skeyopts,
EVP_SKEYMGMT_get0_gen_settable_params(mgmt));
EVP_SKEYMGMT_get0_gen_settable_params(mgmt));
skey = EVP_SKEY_generate(app_get0_libctx(),
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq(), params);
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
app_get0_propq(), params);
OSSL_PARAM_free(params);
if (skey == NULL) {
BIO_printf(bio_err, "Error creating opaque key for skeymgmt %s\n",
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
ERR_print_errors(bio_err);
} else {
const char *key_name = EVP_SKEY_get0_key_id(skey);
BIO_printf(bio_out, "An opaque key identified by %s is created\n",
key_name ? key_name : "<unknown>");
key_name ? key_name : "<unknown>");
BIO_printf(bio_out, "Provider: %s\n", EVP_SKEY_get0_provider_name(skey));
BIO_printf(bio_out, "Key management: %s\n", EVP_SKEY_get0_skeymgmt_name(skey));
ret = 0;
@@ -125,7 +125,7 @@ int skeyutl_main(int argc, char **argv)
BIO_printf(bio_err, "Key generation is the only supported operation as of now\n");
}
end:
end:
ERR_print_errors(bio_err);
sk_OPENSSL_STRING_free(skeyopts);
EVP_SKEYMGMT_free(mgmt);
+130 -95
View File
@@ -22,114 +22,149 @@
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int smime_cb(int ok, X509_STORE_CTX *ctx);
#define SMIME_OP 0x10
#define SMIME_IP 0x20
#define SMIME_SIGNERS 0x40
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
#define SMIME_OP 0x10
#define SMIME_IP 0x20
#define SMIME_SIGNERS 0x40
#define SMIME_ENCRYPT (1 | SMIME_OP)
#define SMIME_DECRYPT (2 | SMIME_IP)
#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
#define SMIME_VERIFY (4 | SMIME_IP)
#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY,
OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN,
OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP,
OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF,
OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN,
OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG,
OPT_ENCRYPT,
OPT_DECRYPT,
OPT_SIGN,
OPT_RESIGN,
OPT_VERIFY,
OPT_PK7OUT,
OPT_TEXT,
OPT_NOINTERN,
OPT_NOVERIFY,
OPT_NOCHAIN,
OPT_NOCERTS,
OPT_NOATTR,
OPT_NODETACH,
OPT_NOSMIMECAP,
OPT_BINARY,
OPT_NOSIGS,
OPT_STREAM,
OPT_INDEF,
OPT_NOINDEF,
OPT_CRLFEOL,
OPT_ENGINE,
OPT_PASSIN,
OPT_TO,
OPT_FROM,
OPT_SUBJECT,
OPT_SIGNER,
OPT_RECIP,
OPT_MD,
OPT_CIPHER,
OPT_INKEY,
OPT_KEYFORM,
OPT_CERTFILE,
OPT_CAFILE,
OPT_CAPATH,
OPT_CASTORE,
OPT_NOCAFILE,
OPT_NOCAPATH,
OPT_NOCASTORE,
OPT_R_ENUM,
OPT_PROV_ENUM,
OPT_CONFIG,
OPT_V_ENUM,
OPT_IN, OPT_INFORM, OPT_OUT,
OPT_OUTFORM, OPT_CONTENT
OPT_IN,
OPT_INFORM,
OPT_OUT,
OPT_OUTFORM,
OPT_CONTENT
} OPTION_CHOICE;
const OPTIONS smime_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Input file"},
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "in", OPT_IN, '<', "Input file" },
{ "inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER" },
{ "out", OPT_OUT, '>', "Output file" },
{ "outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER" },
{ "inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)" },
{ "keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
{"stream", OPT_STREAM, '-', "Enable CMS streaming" },
{"indef", OPT_INDEF, '-', "Same as -stream" },
{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
{ "stream", OPT_STREAM, '-', "Enable CMS streaming" },
{ "indef", OPT_INDEF, '-', "Same as -stream" },
{ "noindef", OPT_NOINDEF, '-', "Disable CMS streaming" },
OPT_CONFIG_OPTION,
OPT_SECTION("Action"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
{"sign", OPT_SIGN, '-', "Sign message"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"},
{ "encrypt", OPT_ENCRYPT, '-', "Encrypt message" },
{ "decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message" },
{ "sign", OPT_SIGN, '-', "Sign message" },
{ "resign", OPT_RESIGN, '-', "Resign a signed message" },
{ "verify", OPT_VERIFY, '-', "Verify signed message" },
{ "pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure" },
OPT_SECTION("Signing/Encryption"),
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
{"nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer"},
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"nocerts", OPT_NOCERTS, '-',
"Don't include signers certificate when signing"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "md", OPT_MD, 's', "Digest algorithm to use when signing or resigning" },
{ "", OPT_CIPHER, '-', "Any supported cipher" },
{ "nointern", OPT_NOINTERN, '-',
"Don't search certificates in message for signer" },
{ "nodetach", OPT_NODETACH, '-', "Use opaque signing" },
{ "noattr", OPT_NOATTR, '-', "Don't include any signed attributes" },
{ "binary", OPT_BINARY, '-', "Don't translate message to text" },
{ "signer", OPT_SIGNER, 's', "Signer certificate file" },
{ "content", OPT_CONTENT, '<',
"Supply or override content for detached signature" },
{ "nocerts", OPT_NOCERTS, '-',
"Don't include signers certificate when signing" },
OPT_SECTION("Verification/Decryption"),
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
{ "nosigs", OPT_NOSIGS, '-', "Don't verify message signature" },
{ "noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate" },
{"certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing"},
{OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying"},
{"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
{ "certfile", OPT_CERTFILE, '<',
"Extra signer and intermediate CA certificates to include when signing" },
{ OPT_MORE_STR, 0, 0,
"or to use as preferred signer certs and for chain building when verifying" },
{ "recip", OPT_RECIP, '<', "Recipient certificate file for decryption" },
OPT_SECTION("Email"),
{"to", OPT_TO, 's', "To address"},
{"from", OPT_FROM, 's', "From address"},
{"subject", OPT_SUBJECT, 's', "Subject"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
{ "to", OPT_TO, 's', "To address" },
{ "from", OPT_FROM, 's', "From address" },
{ "subject", OPT_SUBJECT, 's', "Subject" },
{ "text", OPT_TEXT, '-', "Include or delete text MIME headers" },
{ "nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute" },
OPT_SECTION("Certificate chain"),
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
{ "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
{ "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
{ "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory" },
{ "no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store" },
{ "nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{ "crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only" },
OPT_R_OPTIONS,
OPT_V_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cert", 0, 0, "Recipient certs, used when encrypting"},
{NULL}
{ "cert", 0, 0, "Recipient certs, used when encrypting" },
{ NULL }
};
static const char *operation_name(int operation)
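Review bot: The `keyform` help text in the General section names `ENGINE` as the only value that is honoured, but the entry sits above the `#ifndef OPENSSL_NO_ENGINE` guard that wraps `-engine`, so a build without engine support still prints it. The reformat carries this through unchanged; a follow-up could reword the string for that build. In the Certificate chain section, the `nochain` description starts with lowercase `set` where every other help string in the table is capitalised.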
@@ -152,11 +187,10 @@ static const char *operation_name(int operation)
}
}
#define SET_OPERATION(op) \
((operation != 0 && (operation != (op))) \
? 0 * BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", \
prog, operation_name(op), operation_name(operation)) \
: (operation = (op)))
#define SET_OPERATION(op) \
((operation != 0 && (operation != (op))) \
? 0 * BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", prog, operation_name(op), operation_name(operation)) \
: (operation = (op)))
int smime_main(int argc, char **argv)
{
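Review bot: The reformatted `SET_OPERATION` places the whole `BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", ...)` call on a single continuation line, far longer than the surrounding code, and the macro still has no comment. It depends on `operation`, `prog` and `bio_err` being in scope at the expansion site and yields 0 through `0 * BIO_printf(...)` when a second, different operation is requested. A short comment above the macro stating both facts would make the failure path easier to follow for anyone auditing option handling.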
@@ -179,8 +213,7 @@ int smime_main(int argc, char **argv)
OPTION_CHOICE o;
int noCApath = 0, noCAfile = 0, noCAstore = 0;
int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
FORMAT_UNDEF;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = FORMAT_UNDEF;
int vpmtouched = 0, rv = 0;
ENGINE *e = NULL;
const char *mime_eol = "\n";
@@ -195,7 +228,7 @@ int smime_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -342,7 +375,7 @@ int smime_main(int argc, char **argv)
if (keyfile != NULL) {
if (signerfile == NULL) {
BIO_printf(bio_err,
"%s: Must have -signer before -inkey\n", prog);
"%s: Must have -signer before -inkey\n", prog);
goto opthelp;
}
if (sksigners == NULL
@@ -407,14 +440,14 @@ int smime_main(int argc, char **argv)
goto opthelp;
}
if (!opt_cipher_any(ciphername, &cipher))
goto opthelp;
goto opthelp;
if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto opthelp;
}
if (!operation) {
BIO_puts(bio_err,
"No operation (-encrypt|-sign|...) specified\n");
"No operation (-encrypt|-sign|...) specified\n");
goto opthelp;
}
@@ -446,7 +479,7 @@ int smime_main(int argc, char **argv)
} else if (operation == SMIME_DECRYPT) {
if (recipfile == NULL && keyfile == NULL) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
"No recipient certificate or key specified\n");
goto opthelp;
}
} else if (operation == SMIME_ENCRYPT) {
@@ -484,7 +517,7 @@ int smime_main(int argc, char **argv)
goto end;
while (*argv != NULL) {
cert = load_cert(*argv, FORMAT_UNDEF,
"recipient certificate file");
"recipient certificate file");
if (cert == NULL)
goto end;
if (!sk_X509_push(encerts, cert))
@@ -503,7 +536,8 @@ int smime_main(int argc, char **argv)
if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
if ((recip = load_cert(recipfile, FORMAT_UNDEF,
"recipient certificate file")) == NULL) {
"recipient certificate file"))
== NULL) {
ERR_print_errors(bio_err);
goto end;
}
@@ -567,7 +601,8 @@ int smime_main(int argc, char **argv)
if (operation == SMIME_VERIFY) {
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
CAstore, noCAstore)) == NULL)
CAstore, noCAstore))
== NULL)
goto end;
X509_STORE_set_verify_cb(store, smime_cb);
if (vpmtouched)
@@ -685,7 +720,7 @@ int smime_main(int argc, char **argv)
}
}
ret = 0;
end:
end:
if (ret)
ERR_print_errors(bio_err);
OSSL_STACK_OF_X509_free(encerts);
File diff suppressed because it is too large Load Diff
+33 -23
View File
@@ -22,38 +22,48 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
OPT_SPKSECT, OPT_KEYFORM, OPT_DIGEST,
OPT_NOOUT,
OPT_PUBKEY,
OPT_VERIFY,
OPT_IN,
OPT_OUT,
OPT_ENGINE,
OPT_KEY,
OPT_CHALLENGE,
OPT_PASSIN,
OPT_SPKAC,
OPT_SPKSECT,
OPT_KEYFORM,
OPT_DIGEST,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS spkac_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"spksect", OPT_SPKSECT, 's',
"Specify the name of an SPKAC-dedicated section of configuration"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "spksect", OPT_SPKSECT, 's',
"Specify the name of an SPKAC-dedicated section of configuration" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input file"},
{"key", OPT_KEY, '<', "Create SPKAC using private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"challenge", OPT_CHALLENGE, 's', "Challenge string"},
{"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
{ "in", OPT_IN, '<', "Input file" },
{ "key", OPT_KEY, '<', "Create SPKAC using private key" },
{ "keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "challenge", OPT_CHALLENGE, 's', "Challenge string" },
{ "spkac", OPT_SPKAC, 's', "Alternative SPKAC name" },
OPT_SECTION("Output"),
{"digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
{"out", OPT_OUT, '>', "Output file"},
{"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},
{ "digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
{ "out", OPT_OUT, '>', "Output file" },
{ "noout", OPT_NOOUT, '-', "Don't print SPKAC" },
{ "pubkey", OPT_PUBKEY, '-', "Output public key" },
{ "verify", OPT_VERIFY, '-', "Verify SPKAC signature" },
OPT_PROV_OPTIONS,
{NULL}
{ NULL }
};
int spkac_main(int argc, char **argv)
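Review bot: The `digest` entry in the Output section still documents MD5 as the default when signing a new SPKAC: `"Sign new SPKAC with the specified digest (default: MD5)"`. This hunk only re-spaces the line, so no behaviour change is expected from the import, but the weak default is worth recording in the import notes so that consumers of `spkac` pass `-digest` explicitly.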
@@ -78,7 +88,7 @@ int spkac_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -146,7 +156,7 @@ int spkac_main(int argc, char **argv)
goto end;
pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
keyformat, 1, passin, e, "private key");
keyformat, 1, passin, e, "private key");
if (pkey == NULL)
goto end;
spki = NETSCAPE_SPKI_new();
@@ -154,7 +164,7 @@ int spkac_main(int argc, char **argv)
goto end;
if (challenge != NULL
&& !ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)strlen(challenge)))
challenge, (int)strlen(challenge)))
goto end;
if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
BIO_printf(bio_err, "Error setting public key\n");
@@ -221,7 +231,7 @@ int spkac_main(int argc, char **argv)
ret = 0;
end:
end:
EVP_MD_free(md);
NCONF_free(conf);
NETSCAPE_SPKI_free(spki);
+97 -95
View File
@@ -28,12 +28,11 @@
#include "apps.h"
#include "progs.h"
#define BASE_SECTION "srp"
#define BASE_SECTION "srp"
#define CONFIG_FILE "openssl.cnf"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
static int get_index(CA_DB *db, char *id, char type)
{
@@ -86,9 +85,8 @@ static void print_user(CA_DB *db, int userindex, int verbose)
if (pp[DB_srptype][0] != 'I') {
print_entry(db, userindex, verbose, "User entry");
print_entry(db, get_index(db, pp[DB_srpgN], 'I'), verbose,
"g N entry");
"g N entry");
}
}
}
@@ -120,8 +118,8 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
}
static char *srp_verify_user(const char *user, const char *srp_verifier,
char *srp_usersalt, const char *g, const char *N,
const char *passin, int verbose)
char *srp_usersalt, const char *g, const char *N,
const char *passin, int verbose)
{
char password[1025];
PW_CB_DATA cb_tmp;
@@ -132,19 +130,20 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
cb_tmp.prompt_info = user;
cb_tmp.password = passin;
len = password_callback(password, sizeof(password)-1, 0, &cb_tmp);
len = password_callback(password, sizeof(password) - 1, 0, &cb_tmp);
if (len > 0) {
password[len] = 0;
if (verbose)
BIO_printf(bio_err,
"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, srp_verifier, srp_usersalt, g, N);
"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, srp_verifier, srp_usersalt, g, N);
if (verbose > 1)
BIO_printf(bio_err, "Pass %s\n", password);
OPENSSL_assert(srp_usersalt != NULL);
if ((gNid = SRP_create_verifier(user, password, &srp_usersalt,
&verifier, N, g)) == NULL) {
&verifier, N, g))
== NULL) {
BIO_printf(bio_err, "Internal error validating SRP verifier\n");
} else {
if (strcmp(verifier, srp_verifier))
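Review bot: In `srp_verify_user`, the `verbose > 1` branch writes the cleartext password to `bio_err` with `BIO_printf(bio_err, "Pass %s\n", password);`, and the reformat keeps that line as is. Anything that captures stderr from a doubly verbose run will retain the password, so this deserves at least a comment and a mention in the tool's documentation. The comparison at the end of the hunk, `strcmp(verifier, srp_verifier)`, is not constant-time; if that is acceptable for a local administration tool, a comment saying so would settle the question for future readers.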
@@ -157,8 +156,8 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
}
static char *srp_create_user(char *user, char **srp_verifier,
char **srp_usersalt, char *g, char *N,
char *passout, int verbose)
char **srp_usersalt, char *g, char *N,
char *passout, int verbose)
{
char password[1025];
PW_CB_DATA cb_tmp;
@@ -168,14 +167,15 @@ static char *srp_create_user(char *user, char **srp_verifier,
cb_tmp.prompt_info = user;
cb_tmp.password = passout;
len = password_callback(password, sizeof(password)-1, 1, &cb_tmp);
len = password_callback(password, sizeof(password) - 1, 1, &cb_tmp);
if (len > 0) {
password[len] = 0;
if (verbose)
BIO_printf(bio_err, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, g, N);
user, g, N);
if ((gNid = SRP_create_verifier(user, password, &salt,
srp_verifier, N, g)) == NULL) {
srp_verifier, N, g))
== NULL) {
BIO_printf(bio_err, "Internal error creating SRP verifier\n");
} else {
*srp_usersalt = salt;
@@ -183,50 +183,61 @@ static char *srp_create_user(char *user, char **srp_verifier,
OPENSSL_cleanse(password, len);
if (verbose > 1)
BIO_printf(bio_err, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n",
gNid, salt, *srp_verifier);
gNid, salt, *srp_verifier);
}
return gNid;
}
typedef enum OPTION_choice {
OPT_COMMON,
OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD,
OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO,
OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM
OPT_VERBOSE,
OPT_CONFIG,
OPT_NAME,
OPT_SRPVFILE,
OPT_ADD,
OPT_DELETE,
OPT_MODIFY,
OPT_LIST,
OPT_GN,
OPT_USERINFO,
OPT_PASSIN,
OPT_PASSOUT,
OPT_ENGINE,
OPT_R_ENUM,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS srp_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [user...]\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] [user...]\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"},
{"config", OPT_CONFIG, '<', "A config file"},
{"name", OPT_NAME, 's', "The particular srp definition to use"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "verbose", OPT_VERBOSE, '-', "Talk a lot while doing things" },
{ "config", OPT_CONFIG, '<', "A config file" },
{ "name", OPT_NAME, 's', "The particular srp definition to use" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Action"),
{"add", OPT_ADD, '-', "Add a user and SRP verifier"},
{"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
{"delete", OPT_DELETE, '-', "Delete user from verifier file"},
{"list", OPT_LIST, '-', "List users"},
{ "add", OPT_ADD, '-', "Add a user and SRP verifier" },
{ "modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user" },
{ "delete", OPT_DELETE, '-', "Delete user from verifier file" },
{ "list", OPT_LIST, '-', "List users" },
OPT_SECTION("Configuration"),
{"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"},
{"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"},
{"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{ "srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name" },
{ "gn", OPT_GN, 's', "Set g and N values to be used for new verifier" },
{ "userinfo", OPT_USERINFO, 's', "Additional info to be set for user" },
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
{ "passout", OPT_PASSOUT, 's', "Output file pass phrase source" },
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"user", 0, 0, "Username(s) to process (optional)"},
{NULL}
{ "user", 0, 0, "Username(s) to process (optional)" },
{ NULL }
};
int srp_main(int argc, char **argv)
@@ -248,7 +259,7 @@ int srp_main(int argc, char **argv)
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -273,8 +284,8 @@ int srp_main(int argc, char **argv)
case OPT_LIST:
if (mode != OPT_ERR) {
BIO_printf(bio_err,
"%s: Only one of -add/-delete/-modify/-list\n",
prog);
"%s: Only one of -add/-delete/-modify/-list\n",
prog);
goto opthelp;
}
mode = o;
@@ -314,12 +325,12 @@ int srp_main(int argc, char **argv)
if (srpvfile != NULL && configfile != NULL) {
BIO_printf(bio_err,
"-srpvfile and -configfile cannot be specified together.\n");
"-srpvfile and -configfile cannot be specified together.\n");
goto end;
}
if (mode == OPT_ERR) {
BIO_printf(bio_err,
"Exactly one of the options -add, -delete, -modify -list must be specified.\n");
"Exactly one of the options -add, -delete, -modify -list must be specified.\n");
goto opthelp;
}
if (mode == OPT_DELETE || mode == OPT_MODIFY || mode == OPT_ADD) {
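Review bot: The error string `"-srpvfile and -configfile cannot be specified together.\n"` refers to an option called `-configfile`, but the options table earlier in this file registers it as `"config"`. The message should name `-config` so that the user can match it against `-help`. The following message is also missing a comma in `-add, -delete, -modify -list`.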
@@ -331,7 +342,7 @@ int srp_main(int argc, char **argv)
}
if ((passinarg != NULL || passoutarg != NULL) && argc != 1) {
BIO_printf(bio_err,
"-passin, -passout arguments only valid with one user.\n");
"-passin, -passout arguments only valid with one user.\n");
goto opthelp;
}
@@ -354,8 +365,8 @@ int srp_main(int argc, char **argv)
if (section == NULL) {
if (verbose)
BIO_printf(bio_err,
"trying to read " ENV_DEFAULT_SRP
" in " BASE_SECTION "\n");
"trying to read " ENV_DEFAULT_SRP
" in " BASE_SECTION "\n");
section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_SRP);
if (section == NULL)
@@ -366,8 +377,8 @@ int srp_main(int argc, char **argv)
if (verbose)
BIO_printf(bio_err,
"trying to read " ENV_DATABASE " in section \"%s\"\n",
section);
"trying to read " ENV_DATABASE " in section \"%s\"\n",
section);
srpvfile = lookup_conf(conf, section, ENV_DATABASE);
if (srpvfile == NULL)
@@ -376,7 +387,7 @@ int srp_main(int argc, char **argv)
if (verbose)
BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n",
srpvfile);
srpvfile);
db = load_index(srpvfile, NULL);
if (db == NULL) {
@@ -431,14 +442,13 @@ int srp_main(int argc, char **argv)
print_user(db, i, 1);
} else if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, ignored. t\n", user);
"user \"%s\" does not exist, ignored. t\n", user);
errors++;
}
} else if (mode == OPT_ADD) {
if (userindex >= 0) {
/* reactivation of a new user */
char **row =
sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
row[DB_srptype][0] = 'V';
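Review bot: The message `"user \"%s\" does not exist, ignored. t\n"` ends with a stray ` t` before the newline, which looks like a mistyped `\t` or leftover text, and the re-indentation preserves it. The comment `/* reactivation of a new user */` a few lines below also reads oddly for a branch taken when `userindex >= 0`, that is, when the user already exists. Both are cosmetic and could be fixed upstream.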
@@ -449,16 +459,14 @@ int srp_main(int argc, char **argv)
row[DB_srpverifier] = NULL;
row[DB_srpsalt] = NULL;
row[DB_srpinfo] = NULL;
if (!
(gNid =
srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : gN,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : gN,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
BIO_printf(bio_err,
"Cannot create srp verifier for user \"%s\", operation abandoned .\n",
user);
"Cannot create srp verifier for user \"%s\", operation abandoned .\n",
user);
errors++;
goto end;
}
@@ -487,18 +495,17 @@ int srp_main(int argc, char **argv)
} else if (mode == OPT_MODIFY) {
if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, operation ignored.\n",
user);
"user \"%s\" does not exist, operation ignored.\n",
user);
errors++;
} else {
char **row =
sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char type = row[DB_srptype][0];
if (type == 'v') {
BIO_printf(bio_err,
"user \"%s\" already updated, operation ignored.\n",
user);
"user \"%s\" already updated, operation ignored.\n",
user);
errors++;
} else {
char *gNid;
@@ -508,40 +515,35 @@ int srp_main(int argc, char **argv)
char **irow = NULL;
if (verbose)
BIO_printf(bio_err,
"Verifying password for user \"%s\"\n",
user);
if ((user_gN =
get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
irow =
sk_OPENSSL_PSTRING_value(db->db->data,
userindex);
"Verifying password for user \"%s\"\n",
user);
if ((user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
irow = sk_OPENSSL_PSTRING_value(db->db->data,
userindex);
if (!srp_verify_user
(user, row[DB_srpverifier], row[DB_srpsalt],
irow ? irow[DB_srpsalt] : row[DB_srpgN],
irow ? irow[DB_srpverifier] : NULL, passin,
verbose)) {
if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt],
irow ? irow[DB_srpsalt] : row[DB_srpgN],
irow ? irow[DB_srpverifier] : NULL, passin,
verbose)) {
BIO_printf(bio_err,
"Invalid password for user \"%s\", operation abandoned.\n",
user);
"Invalid password for user \"%s\", operation abandoned.\n",
user);
errors++;
goto end;
}
}
if (verbose)
BIO_printf(bio_err, "Password for user \"%s\" ok.\n",
user);
user);
if (!
(gNid =
srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : NULL,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
&(row[DB_srpsalt]),
gNrow ? gNrow[DB_srpsalt] : NULL,
gNrow ? gNrow[DB_srpverifier] : NULL,
passout, verbose))) {
BIO_printf(bio_err,
"Cannot create srp verifier for user \"%s\", operation abandoned.\n",
user);
"Cannot create srp verifier for user \"%s\", operation abandoned.\n",
user);
errors++;
goto end;
}
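Review bot: In the `OPT_MODIFY` path, the index returned by `get_index(db, row[DB_srpgN], DB_SRP_INDEX)` is stored in `user_gN` and tested for `>= 0`, but the row is then fetched with `sk_OPENSSL_PSTRING_value(db->db->data, userindex)`, not `user_gN`. As written, `irow` is the user's own row, so `irow[DB_srpsalt]` and `irow[DB_srpverifier]` passed to `srp_verify_user` as `g` and `N` are the user's salt and verifier and not the group parameters. The reformat makes this easier to see on one line; please confirm with upstream whether `user_gN` was intended before this is merged to stable branches.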
@@ -565,8 +567,8 @@ int srp_main(int argc, char **argv)
} else if (mode == OPT_DELETE) {
if (userindex < 0) {
BIO_printf(bio_err,
"user \"%s\" does not exist, operation ignored. t\n",
user);
"user \"%s\" does not exist, operation ignored. t\n",
user);
errors++;
} else {
char **xpp = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
@@ -612,7 +614,7 @@ int srp_main(int argc, char **argv)
}
ret = (errors != 0);
end:
end:
if (errors != 0)
if (verbose)
BIO_printf(bio_err, "User errors %d.\n", errors);
+84 -75
View File
@@ -14,59 +14,69 @@
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/store.h>
#include <openssl/x509v3.h> /* s2i_ASN1_INTEGER */
#include <openssl/x509v3.h> /* s2i_ASN1_INTEGER */
static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, const char *outfile,
const char *prog, OSSL_LIB_CTX *libctx);
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, const char *outfile,
const char *prog, OSSL_LIB_CTX *libctx);
static BIO *out = NULL;
typedef enum OPTION_choice {
OPT_COMMON,
OPT_ENGINE, OPT_OUT, OPT_PASSIN,
OPT_NOOUT, OPT_TEXT, OPT_RECURSIVE,
OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS,
OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL,
OPT_CRITERION_FINGERPRINT, OPT_CRITERION_ALIAS,
OPT_MD, OPT_PROV_ENUM
OPT_ENGINE,
OPT_OUT,
OPT_PASSIN,
OPT_NOOUT,
OPT_TEXT,
OPT_RECURSIVE,
OPT_SEARCHFOR_CERTS,
OPT_SEARCHFOR_KEYS,
OPT_SEARCHFOR_CRLS,
OPT_CRITERION_SUBJECT,
OPT_CRITERION_ISSUER,
OPT_CRITERION_SERIAL,
OPT_CRITERION_FINGERPRINT,
OPT_CRITERION_ALIAS,
OPT_MD,
OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS storeutl_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n"},
{ OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\n" },
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"", OPT_MD, '-', "Any supported digest"},
{ "help", OPT_HELP, '-', "Display this summary" },
{ "", OPT_MD, '-', "Any supported digest" },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{ "engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device" },
#endif
OPT_SECTION("Search"),
{"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"},
{"keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only"},
{"crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only"},
{"subject", OPT_CRITERION_SUBJECT, 's', "Search by subject"},
{"issuer", OPT_CRITERION_ISSUER, 's', "Search by issuer and serial, issuer name"},
{"serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number"},
{"fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex"},
{"alias", OPT_CRITERION_ALIAS, 's', "Search by alias"},
{"r", OPT_RECURSIVE, '-', "Recurse through names"},
{ "certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only" },
{ "keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only" },
{ "crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only" },
{ "subject", OPT_CRITERION_SUBJECT, 's', "Search by subject" },
{ "issuer", OPT_CRITERION_ISSUER, 's', "Search by issuer and serial, issuer name" },
{ "serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number" },
{ "fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex" },
{ "alias", OPT_CRITERION_ALIAS, 's', "Search by alias" },
{ "r", OPT_RECURSIVE, '-', "Recurse through names" },
OPT_SECTION("Input"),
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{ "passin", OPT_PASSIN, 's', "Input file pass phrase source" },
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"text", OPT_TEXT, '-', "Print a text form of the objects"},
{"noout", OPT_NOOUT, '-', "No PEM output, just status"},
{ "out", OPT_OUT, '>', "Output file - default stdout" },
{ "text", OPT_TEXT, '-', "Print a text form of the objects" },
{ "noout", OPT_NOOUT, '-', "No PEM output, just status" },
OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"uri", 0, 0, "URI of the store object"},
{NULL}
{ "uri", 0, 0, "URI of the store object" },
{ NULL }
};
int storeutl_main(int argc, char *argv[])
@@ -94,7 +104,7 @@ int storeutl_main(int argc, char *argv[])
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
@@ -121,7 +131,7 @@ int storeutl_main(int argc, char *argv[])
case OPT_SEARCHFOR_CRLS:
if (expected != 0) {
BIO_printf(bio_err, "%s: only one search type can be given.\n",
prog);
prog);
goto end;
}
{
@@ -129,9 +139,9 @@ int storeutl_main(int argc, char *argv[])
enum OPTION_choice choice;
int type;
} map[] = {
{OPT_SEARCHFOR_CERTS, OSSL_STORE_INFO_CERT},
{OPT_SEARCHFOR_KEYS, OSSL_STORE_INFO_PKEY},
{OPT_SEARCHFOR_CRLS, OSSL_STORE_INFO_CRL},
{ OPT_SEARCHFOR_CERTS, OSSL_STORE_INFO_CERT },
{ OPT_SEARCHFOR_KEYS, OSSL_STORE_INFO_PKEY },
{ OPT_SEARCHFOR_CRLS, OSSL_STORE_INFO_CRL },
};
size_t i;
@@ -151,13 +161,13 @@ int storeutl_main(int argc, char *argv[])
case OPT_CRITERION_SUBJECT:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_NAME;
if (subject != NULL) {
BIO_printf(bio_err, "%s: subject already given.\n",
prog);
prog);
goto end;
}
subject = parse_name(opt_arg(), MBSTRING_UTF8, 1, "subject");
@@ -168,13 +178,13 @@ int storeutl_main(int argc, char *argv[])
if (criterion != 0
&& criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
if (issuer != NULL) {
BIO_printf(bio_err, "%s: issuer already given.\n",
prog);
prog);
goto end;
}
issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1, "issuer");
@@ -185,31 +195,31 @@ int storeutl_main(int argc, char *argv[])
if (criterion != 0
&& criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
if (serial != NULL) {
BIO_printf(bio_err, "%s: serial number already given.\n",
prog);
prog);
goto end;
}
if ((serial = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) {
BIO_printf(bio_err, "%s: can't parse serial number argument.\n",
prog);
prog);
goto end;
}
break;
case OPT_CRITERION_FINGERPRINT:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT;
if (fingerprint != NULL) {
BIO_printf(bio_err, "%s: fingerprint already given.\n",
prog);
prog);
goto end;
}
{
@@ -218,8 +228,8 @@ int storeutl_main(int argc, char *argv[])
if ((fingerprint = OPENSSL_hexstr2buf(opt_arg(), &tmplen))
== NULL) {
BIO_printf(bio_err,
"%s: can't parse fingerprint argument.\n",
prog);
"%s: can't parse fingerprint argument.\n",
prog);
goto end;
}
fingerprintlen = (size_t)tmplen;
@@ -228,18 +238,18 @@ int storeutl_main(int argc, char *argv[])
case OPT_CRITERION_ALIAS:
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
prog);
goto end;
}
criterion = OSSL_STORE_SEARCH_BY_ALIAS;
if (alias != NULL) {
BIO_printf(bio_err, "%s: alias already given.\n",
prog);
prog);
goto end;
}
if ((alias = OPENSSL_strdup(opt_arg())) == NULL) {
BIO_printf(bio_err, "%s: can't parse alias argument.\n",
prog);
prog);
goto end;
}
break;
@@ -275,8 +285,8 @@ int storeutl_main(int argc, char *argv[])
case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
if (issuer == NULL || serial == NULL) {
BIO_printf(bio_err,
"%s: both -issuer and -serial must be given.\n",
prog);
"%s: both -issuer and -serial must be given.\n",
prog);
goto end;
}
if ((search = OSSL_STORE_SEARCH_by_issuer_serial(issuer, serial))
@@ -287,8 +297,8 @@ int storeutl_main(int argc, char *argv[])
break;
case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
if ((search = OSSL_STORE_SEARCH_by_key_fingerprint(digest,
fingerprint,
fingerprintlen))
fingerprint,
fingerprintlen))
== NULL) {
ERR_print_errors(bio_err);
goto end;
@@ -311,10 +321,10 @@ int storeutl_main(int argc, char *argv[])
pw_cb_data.prompt_info = argv[0];
ret = process(argv[0], get_ui_method(), &pw_cb_data,
expected, criterion, search,
text, noout, recursive, 0, outfile, prog, libctx);
expected, criterion, search,
text, noout, recursive, 0, outfile, prog, libctx);
end:
end:
EVP_MD_free(digest);
OPENSSL_free(fingerprint);
OPENSSL_free(alias);
@@ -350,15 +360,15 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...)
}
static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, const char *outfile,
const char *prog, OSSL_LIB_CTX *libctx)
int expected, int criterion, OSSL_STORE_SEARCH *search,
int text, int noout, int recursive, int indent, const char *outfile,
const char *prog, OSSL_LIB_CTX *libctx)
{
OSSL_STORE_CTX *store_ctx = NULL;
int ret = 1, items = 0;
if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata,
NULL, NULL, NULL))
NULL, NULL, NULL))
== NULL) {
BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
ERR_print_errors(bio_err);
@@ -375,8 +385,8 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
if (criterion != 0) {
if (!OSSL_STORE_supports_search(store_ctx, criterion)) {
BIO_printf(bio_err,
"%s: the store scheme doesn't support the given search criteria.\n",
prog);
"%s: the store scheme doesn't support the given search criteria.\n",
prog);
goto end2;
}
@@ -392,8 +402,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
for (;;) {
OSSL_STORE_INFO *info = OSSL_STORE_load(store_ctx);
int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
const char *infostr =
info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
const char *infostr = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
if (info == NULL) {
if (OSSL_STORE_error(store_ctx)) {
@@ -411,8 +420,8 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
break;
BIO_printf(bio_err,
"ERROR: OSSL_STORE_load() returned NULL without "
"eof or error indications\n");
"ERROR: OSSL_STORE_load() returned NULL without "
"eof or error indications\n");
BIO_printf(bio_err, " This is an error in the loader\n");
ERR_print_errors(bio_err);
ret++;
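Review bot: the "OSSL_STORE_load() returned NULL without eof or error indications" message stays split across two adjacent string literals, so nobody can grep the source for the full text that appears in a log or bug report. While the continuation lines are being reindented anyway, join the message into a single literal, even if that line runs long.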
@@ -423,7 +432,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
const char *name = OSSL_STORE_INFO_get0_NAME(info);
const char *desc = OSSL_STORE_INFO_get0_NAME_description(info);
indent_printf(indent, bio_out, "%d: %s: %s\n", items, infostr,
name);
name);
if (desc != NULL)
indent_printf(indent, bio_out, "%s\n", desc);
} else {
@@ -447,33 +456,33 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
if (recursive) {
const char *suburi = OSSL_STORE_INFO_get0_NAME(info);
ret += process(suburi, uimeth, uidata,
expected, criterion, search,
text, noout, recursive, indent + 2, outfile, prog,
libctx);
expected, criterion, search,
text, noout, recursive, indent + 2, outfile, prog,
libctx);
}
break;
case OSSL_STORE_INFO_PARAMS:
if (text)
EVP_PKEY_print_params(out, OSSL_STORE_INFO_get0_PARAMS(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_Parameters(out,
OSSL_STORE_INFO_get0_PARAMS(info));
OSSL_STORE_INFO_get0_PARAMS(info));
break;
case OSSL_STORE_INFO_PUBKEY:
if (text)
EVP_PKEY_print_public(out, OSSL_STORE_INFO_get0_PUBKEY(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_PUBKEY(out, OSSL_STORE_INFO_get0_PUBKEY(info));
break;
case OSSL_STORE_INFO_PKEY:
if (text)
EVP_PKEY_print_private(out, OSSL_STORE_INFO_get0_PKEY(info),
0, NULL);
0, NULL);
if (!noout)
PEM_write_bio_PrivateKey(out, OSSL_STORE_INFO_get0_PKEY(info),
NULL, NULL, 0, NULL, NULL);
NULL, NULL, 0, NULL, NULL);
break;
case OSSL_STORE_INFO_CERT:
if (text)
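Review bot: in the OSSL_STORE_INFO_PARAMS, PUBKEY and PKEY cases the return values of EVP_PKEY_print_params/public/private and PEM_write_bio_Parameters/PUBKEY/PrivateKey are discarded, so a failed write to `out` is never counted in `ret`. Check each call and do `ERR_print_errors(bio_err); ret++;` on failure, so that a truncated or missing key in the output file is reported to the caller. Separately, the recursive `process(suburi, ..., indent + 2, ...)` call at the top of the hunk shows no depth limit in these lines; a cap on nesting would keep a store whose names refer back to a parent from recursing without end.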
@@ -497,7 +506,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
}
indent_printf(indent, out, "Total found: %d\n", items);
end2:
end2:
if (!OSSL_STORE_close(store_ctx)) {
ERR_print_errors(bio_err);
ret++;
File diff suppressed because it is too large
+4 -4
@@ -8,10 +8,10 @@
*/
#ifndef OSSL_APPS_TIMEOUTS_H
# define OSSL_APPS_TIMEOUTS_H
#define OSSL_APPS_TIMEOUTS_H
/* numbers in us */
# define DGRAM_RCV_TIMEOUT 250000
# define DGRAM_SND_TIMEOUT 250000
#define DGRAM_RCV_TIMEOUT 250000
#define DGRAM_SND_TIMEOUT 250000
#endif /* ! OSSL_APPS_TIMEOUTS_H */
#endif /* ! OSSL_APPS_TIMEOUTS_H */
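Review bot: DGRAM_RCV_TIMEOUT and DGRAM_SND_TIMEOUT carry their unit only in the "numbers in us" comment above them, so a caller that sees just the macro name can pass 250000 to an interface that expects milliseconds or seconds. Consider a unit suffix on the names (for example DGRAM_RCV_TIMEOUT_US) or a per-macro comment stating microseconds; the header is already being touched line by line for the `# define` to `#define` change.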

Some files were not shown because too many files have changed in this diff