openssl(1): drop support for netscape certificates and server gated keys.

ok inoguchi jsing
author: tb <> 2021-11-26 16:23:27 +0000
committer: tb <> 2021-11-26 16:23:27 +0000
commit: eb64c7bee2160f4a36331f01c39a47cc051d579a (patch)
tree: 7bd8cbabf8640714a399e92a9ab554171eba4abd /src
parent: c518419c83ad6d7d59312d37b14a4e606d06c667 (diff)
download: openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.tar.gz
openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.tar.bz2
openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.zip
5 files changed, 12 insertions, 138 deletions
diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index 5e4e8d521c..392d3cc339 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.60 2021/03/31 17:13:54 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.61 2021/11/26 16:23:27 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -160,12 +160,6 @@ static int set_table_opts(unsigned long *flags, const char *arg,
 static int set_multi_opts(unsigned long *flags, const char *arg,
    const NAME_EX_TBL *in_tbl);
-#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-/* Looks like this stuff is worth moving into separate function */
-static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
-    const char *key_descrip, int format);
-#endif
 int
 str2fmt(char *s)
 {
@@ -175,8 +169,6 @@ str2fmt(char *s)
                return (FORMAT_ASN1);
        else if ((*s == 'T') || (*s == 't'))
                return (FORMAT_TEXT);
-        else if ((*s == 'N') || (*s == 'n'))
-                return (FORMAT_NETSCAPE);
        else if ((*s == 'S') || (*s == 's'))
                return (FORMAT_SMIME);
        else if ((*s == 'M') || (*s == 'm'))
@@ -612,24 +604,7 @@ load_cert(BIO *err, const char *file, int format, const char *pass,
        if (format == FORMAT_ASN1)
                x = d2i_X509_bio(cert, NULL);
-        else if (format == FORMAT_NETSCAPE) {
+        else if (format == FORMAT_PEM)
-                NETSCAPE_X509 *nx;
-                nx = ASN1_item_d2i_bio(&NETSCAPE_X509_it,
-                    cert, NULL);
-                if (nx == NULL)
-                        goto end;
-                if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
-                    nx->header->length) != 0)) {
-                        NETSCAPE_X509_free(nx);
-                        BIO_printf(err,
-                            "Error reading header on certificate\n");
-                        goto end;
-                }
-                x = nx->cert;
-                nx->cert = NULL;
-                NETSCAPE_X509_free(nx);
-        } else if (format == FORMAT_PEM)
                x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);
        else if (format == FORMAT_PKCS12) {
                if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,
@@ -684,10 +659,6 @@ load_key(BIO *err, const char *file, int format, int maybe_stdin,
        } else if (format == FORMAT_PEM) {
                pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);
        }
-#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-        else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
-                pkey = load_netscape_key(err, key, file, key_descrip, format);
-#endif
        else if (format == FORMAT_PKCS12) {
                if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,
                    &pkey, NULL, NULL))
@@ -768,10 +739,6 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
        else if (format == FORMAT_PEM) {
                pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);
        }
-#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-        else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
-                pkey = load_netscape_key(err, key, file, key_descrip, format);
-#endif
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
        else if (format == FORMAT_MSBLOB)
                pkey = b2i_PublicKey_bio(key);
@@ -788,51 +755,6 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
        return (pkey);
 }
-#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-static EVP_PKEY *
-load_netscape_key(BIO *err, BIO *key, const char *file,
-    const char *key_descrip, int format)
-{
-        EVP_PKEY *pkey;
-        BUF_MEM *buf;
-        RSA *rsa;
-        const unsigned char *p;
-        int size, i;
-        buf = BUF_MEM_new();
-        pkey = EVP_PKEY_new();
-        size = 0;
-        if (buf == NULL || pkey == NULL)
-                goto error;
-        for (;;) {
-                if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
-                        goto error;
-                i = BIO_read(key, &(buf->data[size]), 1024 * 10);
-                size += i;
-                if (i == 0)
-                        break;
-                if (i < 0) {
-                        BIO_printf(err, "Error reading %s %s",
-                            key_descrip, file);
-                        goto error;
-                }
-        }
-        p = (unsigned char *) buf->data;
-        rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL,
-            (format == FORMAT_IISSGC ? 1 : 0));
-        if (rsa == NULL)
-                goto error;
-        BUF_MEM_free(buf);
-        EVP_PKEY_set1_RSA(pkey, rsa);
-        return pkey;
- error:
-        BUF_MEM_free(buf);
-        EVP_PKEY_free(pkey);
-        return NULL;
-}
-#endif                          /* ndef OPENSSL_NO_RC4 */
 static int
 load_certs_crls(BIO *err, const char *file, int format, const char *pass,
    const char *desc, STACK_OF(X509) **pcerts,
diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index 4fda6420c8..e8116bfe44 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.29 2021/11/20 15:55:00 tb Exp $ */
+/* $OpenBSD: apps.h,v 1.30 2021/11/26 16:23:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -255,12 +255,10 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
 #define FORMAT_PEM      3
-#define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
-#define FORMAT_IISSGC   8       /* XXX this stupid macro helps us to avoid
-                                 * adding yet another param to load_*key() */
 #define FORMAT_PEMRSA   9       /* PEM RSAPublicKey format */
 #define FORMAT_ASN1RSA  10      /* DER RSAPublicKey format */
 #define FORMAT_MSBLOB   11      /* MS Key blob format */
@@ -270,8 +268,6 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #define EXT_COPY_ADD    1
 #define EXT_COPY_ALL    2
-#define NETSCAPE_CERT_HDR       "certificate"
 #define APP_PASS_LEN    1024
 #define SERIAL_RAND_BITS        64
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 05f7e21cc9..7ebfb9c31f 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.134 2021/11/26 16:23:27 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: November 26 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4105,7 +4105,6 @@ Any additional fields will be treated as though they were a
 .Op Fl pvk-none | pvk-strong | pvk-weak
 .Op Fl RSAPublicKey_in
 .Op Fl RSAPublicKey_out
-.Op Fl sgckey
 .Op Fl text
 .Ek
 .El
@@ -4177,9 +4176,6 @@ and
 except
 .Cm RSAPublicKey
 format is used instead.
-.It Fl sgckey
-Use the modified NET algorithm used with some versions of Microsoft IIS
-and SGC keys.
 .It Fl text
 Print the public/private key components in plain text.
 .El
diff --git a/src/usr.bin/openssl/rsa.c b/src/usr.bin/openssl/rsa.c
index 231674b5a6..0d331f6a9a 100644
--- a/src/usr.bin/openssl/rsa.c
+++ b/src/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.14 2019/07/14 03:30:46 guenther Exp $ */
+/* $OpenBSD: rsa.c,v 1.15 2021/11/26 16:23:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -88,7 +88,6 @@ static struct {
        int pubin;
        int pubout;
        int pvk_encr;
-        int sgckey;
        int text;
 } rsa_config;
@@ -215,12 +214,6 @@ static const struct option rsa_options[] = {
                .opt.value = &rsa_config.pubout,
        },
        {
-                .name = "sgckey",
-                .desc = "Use modified NET algorithm for IIS and SGC keys",
-                .type = OPTION_FLAG,
-                .opt.flag = &rsa_config.sgckey,
-        },
-        {
                .name = "text",
                .desc = "Print in plain text in addition to encoded",
                .type = OPTION_FLAG,
@@ -244,7 +237,7 @@ rsa_usage()
            "[-inform fmt]\n"
            "    [-modulus] [-noout] [-out file] [-outform fmt] "
            "[-passin src]\n"
-            "    [-passout src] [-pubin] [-pubout] [-sgckey] [-text]\n\n");
+            "    [-passout src] [-pubin] [-pubout] [-text]\n\n");
        options_usage(rsa_options);
        fprintf(stderr, "\n");
@@ -300,19 +293,14 @@ rsa_main(int argc, char **argv)
                                        tmpformat = FORMAT_PEMRSA;
                                else if (rsa_config.informat == FORMAT_ASN1)
                                        tmpformat = FORMAT_ASN1RSA;
-                        } else if (rsa_config.informat == FORMAT_NETSCAPE &&
+                        } else
-                            rsa_config.sgckey)
-                                tmpformat = FORMAT_IISSGC;
-                        else
                                tmpformat = rsa_config.informat;
                        pkey = load_pubkey(bio_err, rsa_config.infile,
                            tmpformat, 1, passin, "Public Key");
                } else
                        pkey = load_key(bio_err, rsa_config.infile,
-                            (rsa_config.informat == FORMAT_NETSCAPE &&
+                            rsa_config.informat, 1, passin, "Private Key");
-                            rsa_config.sgckey ? FORMAT_IISSGC :
-                            rsa_config.informat), 1, passin, "Private Key");
                if (pkey != NULL)
                        rsa = EVP_PKEY_get1_RSA(pkey);
@@ -380,25 +368,7 @@ rsa_main(int argc, char **argv)
                                i = i2d_RSA_PUBKEY_bio(out, rsa);
                } else
                        i = i2d_RSAPrivateKey_bio(out, rsa);
-        }
+        } else if (rsa_config.outformat == FORMAT_PEM) {
-#ifndef OPENSSL_NO_RC4
-        else if (rsa_config.outformat == FORMAT_NETSCAPE) {
-                unsigned char *p, *pp;
-                int size;
-                i = 1;
-                size = i2d_RSA_NET(rsa, NULL, NULL, rsa_config.sgckey);
-                if ((p = malloc(size)) == NULL) {
-                        BIO_printf(bio_err, "Memory allocation failure\n");
-                        goto end;
-                }
-                pp = p;
-                i2d_RSA_NET(rsa, &p, NULL, rsa_config.sgckey);
-                BIO_write(out, (char *) pp, size);
-                free(pp);
-        }
-#endif
-        else if (rsa_config.outformat == FORMAT_PEM) {
                if (rsa_config.pubout || rsa_config.pubin) {
                        if (rsa_config.pubout == 2)
                                i = PEM_write_bio_RSAPublicKey(out, rsa);
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index 5ee478b050..978f097efa 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.25 2021/10/23 15:44:39 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.26 2021/11/26 16:23:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1298,16 +1298,6 @@ x509_main(int argc, char **argv)
                        i = PEM_write_bio_X509_AUX(out, x);
                else
                        i = PEM_write_bio_X509(out, x);
-        } else if (x509_config.outformat == FORMAT_NETSCAPE) {
-                NETSCAPE_X509 nx;
-                ASN1_OCTET_STRING hdr;
-                hdr.data = (unsigned char *) NETSCAPE_CERT_HDR;
-                hdr.length = strlen(NETSCAPE_CERT_HDR);
-                nx.header = &hdr;
-                nx.cert = x;
-                i = ASN1_item_i2d_bio(&NETSCAPE_X509_it, out, &nx);
        } else {
                BIO_printf(bio_err,
                    "bad output format specified for outfile\n");
author	tb <>	2021-11-26 16:23:27 +0000
committer	tb <>	2021-11-26 16:23:27 +0000
commit	eb64c7bee2160f4a36331f01c39a47cc051d579a (patch)
tree	7bd8cbabf8640714a399e92a9ab554171eba4abd /src
parent	c518419c83ad6d7d59312d37b14a4e606d06c667 (diff)
download	openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.tar.gz openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.tar.bz2 openbsd-eb64c7bee2160f4a36331f01c39a47cc051d579a.zip

diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c index 5e4e8d521c..392d3cc339 100644 --- a/src/usr.bin/openssl/apps.c +++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: apps.c,v 1.60 2021/03/31 17:13:54 tb Exp $ */	1	/* $OpenBSD: apps.c,v 1.61 2021/11/26 16:23:27 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -160,12 +160,6 @@ static int set_table_opts(unsigned long flags, const char arg,
160	static int set_multi_opts(unsigned long flags, const char arg,	160	static int set_multi_opts(unsigned long flags, const char arg,
161	const NAME_EX_TBL *in_tbl);	161	const NAME_EX_TBL *in_tbl);
162		162
163	#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
164	/* Looks like this stuff is worth moving into separate function */
165	static EVP_PKEY load_netscape_key(BIO err, BIO key, const char file,
166	const char *key_descrip, int format);
167	#endif
168
169	int	163	int
170	str2fmt(char *s)	164	str2fmt(char *s)
171	{	165	{
@@ -175,8 +169,6 @@ str2fmt(char *s)
175	return (FORMAT_ASN1);	169	return (FORMAT_ASN1);
176	else if ((s == 'T') \|\| (s == 't'))	170	else if ((s == 'T') \|\| (s == 't'))
177	return (FORMAT_TEXT);	171	return (FORMAT_TEXT);
178	else if ((s == 'N') \|\| (s == 'n'))
179	return (FORMAT_NETSCAPE);
180	else if ((s == 'S') \|\| (s == 's'))	172	else if ((s == 'S') \|\| (s == 's'))
181	return (FORMAT_SMIME);	173	return (FORMAT_SMIME);
182	else if ((s == 'M') \|\| (s == 'm'))	174	else if ((s == 'M') \|\| (s == 'm'))
@@ -612,24 +604,7 @@ load_cert(BIO err, const char file, int format, const char *pass,
612		604
613	if (format == FORMAT_ASN1)	605	if (format == FORMAT_ASN1)
614	x = d2i_X509_bio(cert, NULL);	606	x = d2i_X509_bio(cert, NULL);
615	else if (format == FORMAT_NETSCAPE) {	607	else if (format == FORMAT_PEM)
616	NETSCAPE_X509 *nx;
617	nx = ASN1_item_d2i_bio(&NETSCAPE_X509_it,
618	cert, NULL);
619	if (nx == NULL)
620	goto end;
621
622	if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
623	nx->header->length) != 0)) {
624	NETSCAPE_X509_free(nx);
625	BIO_printf(err,
626	"Error reading header on certificate\n");
627	goto end;
628	}
629	x = nx->cert;
630	nx->cert = NULL;
631	NETSCAPE_X509_free(nx);
632	} else if (format == FORMAT_PEM)
633	x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);	608	x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);
634	else if (format == FORMAT_PKCS12) {	609	else if (format == FORMAT_PKCS12) {
635	if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,	610	if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,
@@ -684,10 +659,6 @@ load_key(BIO err, const char file, int format, int maybe_stdin,
684	} else if (format == FORMAT_PEM) {	659	} else if (format == FORMAT_PEM) {
685	pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);	660	pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);
686	}	661	}
687	#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
688	else if (format == FORMAT_NETSCAPE \|\| format == FORMAT_IISSGC)
689	pkey = load_netscape_key(err, key, file, key_descrip, format);
690	#endif
691	else if (format == FORMAT_PKCS12) {	662	else if (format == FORMAT_PKCS12) {
692	if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,	663	if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,
693	&pkey, NULL, NULL))	664	&pkey, NULL, NULL))
@@ -768,10 +739,6 @@ load_pubkey(BIO err, const char file, int format, int maybe_stdin,
768	else if (format == FORMAT_PEM) {	739	else if (format == FORMAT_PEM) {
769	pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);	740	pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);
770	}	741	}
771	#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
772	else if (format == FORMAT_NETSCAPE \|\| format == FORMAT_IISSGC)
773	pkey = load_netscape_key(err, key, file, key_descrip, format);
774	#endif
775	#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)	742	#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
776	else if (format == FORMAT_MSBLOB)	743	else if (format == FORMAT_MSBLOB)
777	pkey = b2i_PublicKey_bio(key);	744	pkey = b2i_PublicKey_bio(key);
@@ -788,51 +755,6 @@ load_pubkey(BIO err, const char file, int format, int maybe_stdin,
788	return (pkey);	755	return (pkey);
789	}	756	}
790		757
791	#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
792	static EVP_PKEY *
793	load_netscape_key(BIO err, BIO key, const char *file,
794	const char *key_descrip, int format)
795	{
796	EVP_PKEY *pkey;
797	BUF_MEM *buf;
798	RSA *rsa;
799	const unsigned char *p;
800	int size, i;
801
802	buf = BUF_MEM_new();
803	pkey = EVP_PKEY_new();
804	size = 0;
805	if (buf == NULL \|\| pkey == NULL)
806	goto error;
807	for (;;) {
808	if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
809	goto error;
810	i = BIO_read(key, &(buf->data[size]), 1024 * 10);
811	size += i;
812	if (i == 0)
813	break;
814	if (i < 0) {
815	BIO_printf(err, "Error reading %s %s",
816	key_descrip, file);
817	goto error;
818	}
819	}
820	p = (unsigned char *) buf->data;
821	rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL,
822	(format == FORMAT_IISSGC ? 1 : 0));
823	if (rsa == NULL)
824	goto error;
825	BUF_MEM_free(buf);
826	EVP_PKEY_set1_RSA(pkey, rsa);
827	return pkey;
828
829	error:
830	BUF_MEM_free(buf);
831	EVP_PKEY_free(pkey);
832	return NULL;
833	}
834	#endif /* ndef OPENSSL_NO_RC4 */
835
836	static int	758	static int
837	load_certs_crls(BIO err, const char file, int format, const char *pass,	759	load_certs_crls(BIO err, const char file, int format, const char *pass,
838	const char desc, STACK_OF(X509) *pcerts,	760	const char desc, STACK_OF(X509) *pcerts,


diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h index 4fda6420c8..e8116bfe44 100644 --- a/src/usr.bin/openssl/apps.h +++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: apps.h,v 1.29 2021/11/20 15:55:00 tb Exp $ */	1	/* $OpenBSD: apps.h,v 1.30 2021/11/26 16:23:27 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -255,12 +255,10 @@ unsigned char next_protos_parse(unsigned short outlen, const char *in);
255	#define FORMAT_ASN1 1	255	#define FORMAT_ASN1 1
256	#define FORMAT_TEXT 2	256	#define FORMAT_TEXT 2
257	#define FORMAT_PEM 3	257	#define FORMAT_PEM 3
258	#define FORMAT_NETSCAPE 4	258
259	#define FORMAT_PKCS12 5	259	#define FORMAT_PKCS12 5
260	#define FORMAT_SMIME 6	260	#define FORMAT_SMIME 6
261		261
262	#define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid
263	* adding yet another param to load_key() /
264	#define FORMAT_PEMRSA 9 /* PEM RSAPublicKey format */	262	#define FORMAT_PEMRSA 9 /* PEM RSAPublicKey format */
265	#define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */	263	#define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
266	#define FORMAT_MSBLOB 11 /* MS Key blob format */	264	#define FORMAT_MSBLOB 11 /* MS Key blob format */
@@ -270,8 +268,6 @@ unsigned char next_protos_parse(unsigned short outlen, const char *in);
270	#define EXT_COPY_ADD 1	268	#define EXT_COPY_ADD 1
271	#define EXT_COPY_ALL 2	269	#define EXT_COPY_ALL 2
272		270
273	#define NETSCAPE_CERT_HDR "certificate"
274
275	#define APP_PASS_LEN 1024	271	#define APP_PASS_LEN 1024
276		272
277	#define SERIAL_RAND_BITS 64	273	#define SERIAL_RAND_BITS 64


diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 05f7e21cc9..7ebfb9c31f 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $	1	.\" $OpenBSD: openssl.1,v 1.134 2021/11/26 16:23:27 tb Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: October 23 2021 $	113	.Dd $Mdocdate: November 26 2021 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -4105,7 +4105,6 @@ Any additional fields will be treated as though they were a
4105	.Op Fl pvk-none \| pvk-strong \| pvk-weak	4105	.Op Fl pvk-none \| pvk-strong \| pvk-weak
4106	.Op Fl RSAPublicKey_in	4106	.Op Fl RSAPublicKey_in
4107	.Op Fl RSAPublicKey_out	4107	.Op Fl RSAPublicKey_out
4108	.Op Fl sgckey
4109	.Op Fl text	4108	.Op Fl text
4110	.Ek	4109	.Ek
4111	.El	4110	.El
@@ -4177,9 +4176,6 @@ and
4177	except	4176	except
4178	.Cm RSAPublicKey	4177	.Cm RSAPublicKey
4179	format is used instead.	4178	format is used instead.
4180	.It Fl sgckey
4181	Use the modified NET algorithm used with some versions of Microsoft IIS
4182	and SGC keys.
4183	.It Fl text	4179	.It Fl text
4184	Print the public/private key components in plain text.	4180	Print the public/private key components in plain text.
4185	.El	4181	.El


diff --git a/src/usr.bin/openssl/rsa.c b/src/usr.bin/openssl/rsa.c index 231674b5a6..0d331f6a9a 100644 --- a/src/usr.bin/openssl/rsa.c +++ b/src/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa.c,v 1.14 2019/07/14 03:30:46 guenther Exp $ */	1	/* $OpenBSD: rsa.c,v 1.15 2021/11/26 16:23:27 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -88,7 +88,6 @@ static struct {
88	int pubin;	88	int pubin;
89	int pubout;	89	int pubout;
90	int pvk_encr;	90	int pvk_encr;
91	int sgckey;
92	int text;	91	int text;
93	} rsa_config;	92	} rsa_config;
94		93
@@ -215,12 +214,6 @@ static const struct option rsa_options[] = {
215	.opt.value = &rsa_config.pubout,	214	.opt.value = &rsa_config.pubout,
216	},	215	},
217	{	216	{
218	.name = "sgckey",
219	.desc = "Use modified NET algorithm for IIS and SGC keys",
220	.type = OPTION_FLAG,
221	.opt.flag = &rsa_config.sgckey,
222	},
223	{
224	.name = "text",	217	.name = "text",
225	.desc = "Print in plain text in addition to encoded",	218	.desc = "Print in plain text in addition to encoded",
226	.type = OPTION_FLAG,	219	.type = OPTION_FLAG,
@@ -244,7 +237,7 @@ rsa_usage()
244	"[-inform fmt]\n"	237	"[-inform fmt]\n"
245	" [-modulus] [-noout] [-out file] [-outform fmt] "	238	" [-modulus] [-noout] [-out file] [-outform fmt] "
246	"[-passin src]\n"	239	"[-passin src]\n"
247	" [-passout src] [-pubin] [-pubout] [-sgckey] [-text]\n\n");	240	" [-passout src] [-pubin] [-pubout] [-text]\n\n");
248	options_usage(rsa_options);	241	options_usage(rsa_options);
249	fprintf(stderr, "\n");	242	fprintf(stderr, "\n");
250		243
@@ -300,19 +293,14 @@ rsa_main(int argc, char **argv)
300	tmpformat = FORMAT_PEMRSA;	293	tmpformat = FORMAT_PEMRSA;
301	else if (rsa_config.informat == FORMAT_ASN1)	294	else if (rsa_config.informat == FORMAT_ASN1)
302	tmpformat = FORMAT_ASN1RSA;	295	tmpformat = FORMAT_ASN1RSA;
303	} else if (rsa_config.informat == FORMAT_NETSCAPE &&	296	} else
304	rsa_config.sgckey)
305	tmpformat = FORMAT_IISSGC;
306	else
307	tmpformat = rsa_config.informat;	297	tmpformat = rsa_config.informat;
308		298
309	pkey = load_pubkey(bio_err, rsa_config.infile,	299	pkey = load_pubkey(bio_err, rsa_config.infile,
310	tmpformat, 1, passin, "Public Key");	300	tmpformat, 1, passin, "Public Key");
311	} else	301	} else
312	pkey = load_key(bio_err, rsa_config.infile,	302	pkey = load_key(bio_err, rsa_config.infile,
313	(rsa_config.informat == FORMAT_NETSCAPE &&	303	rsa_config.informat, 1, passin, "Private Key");
314	rsa_config.sgckey ? FORMAT_IISSGC :
315	rsa_config.informat), 1, passin, "Private Key");
316		304
317	if (pkey != NULL)	305	if (pkey != NULL)
318	rsa = EVP_PKEY_get1_RSA(pkey);	306	rsa = EVP_PKEY_get1_RSA(pkey);
@@ -380,25 +368,7 @@ rsa_main(int argc, char **argv)
380	i = i2d_RSA_PUBKEY_bio(out, rsa);	368	i = i2d_RSA_PUBKEY_bio(out, rsa);
381	} else	369	} else
382	i = i2d_RSAPrivateKey_bio(out, rsa);	370	i = i2d_RSAPrivateKey_bio(out, rsa);
383	}	371	} else if (rsa_config.outformat == FORMAT_PEM) {
384	#ifndef OPENSSL_NO_RC4
385	else if (rsa_config.outformat == FORMAT_NETSCAPE) {
386	unsigned char p, pp;
387	int size;
388
389	i = 1;
390	size = i2d_RSA_NET(rsa, NULL, NULL, rsa_config.sgckey);
391	if ((p = malloc(size)) == NULL) {
392	BIO_printf(bio_err, "Memory allocation failure\n");
393	goto end;
394	}
395	pp = p;
396	i2d_RSA_NET(rsa, &p, NULL, rsa_config.sgckey);
397	BIO_write(out, (char *) pp, size);
398	free(pp);
399	}
400	#endif
401	else if (rsa_config.outformat == FORMAT_PEM) {
402	if (rsa_config.pubout \|\| rsa_config.pubin) {	372	if (rsa_config.pubout \|\| rsa_config.pubin) {
403	if (rsa_config.pubout == 2)	373	if (rsa_config.pubout == 2)
404	i = PEM_write_bio_RSAPublicKey(out, rsa);	374	i = PEM_write_bio_RSAPublicKey(out, rsa);


diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c index 5ee478b050..978f097efa 100644 --- a/src/usr.bin/openssl/x509.c +++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509.c,v 1.25 2021/10/23 15:44:39 tb Exp $ */	1	/* $OpenBSD: x509.c,v 1.26 2021/11/26 16:23:27 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1298,16 +1298,6 @@ x509_main(int argc, char **argv)
1298	i = PEM_write_bio_X509_AUX(out, x);	1298	i = PEM_write_bio_X509_AUX(out, x);
1299	else	1299	else
1300	i = PEM_write_bio_X509(out, x);	1300	i = PEM_write_bio_X509(out, x);
1301	} else if (x509_config.outformat == FORMAT_NETSCAPE) {
1302	NETSCAPE_X509 nx;
1303	ASN1_OCTET_STRING hdr;
1304
1305	hdr.data = (unsigned char *) NETSCAPE_CERT_HDR;
1306	hdr.length = strlen(NETSCAPE_CERT_HDR);
1307	nx.header = &hdr;
1308	nx.cert = x;
1309
1310	i = ASN1_item_i2d_bio(&NETSCAPE_X509_it, out, &nx);
1311	} else {	1301	} else {
1312	BIO_printf(bio_err,	1302	BIO_printf(bio_err,
1313	"bad output format specified for outfile\n");	1303	"bad output format specified for outfile\n");