summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/src/apps/apps.c2220
-rw-r--r--src/lib/libssl/src/apps/apps.h285
-rw-r--r--src/lib/libssl/src/apps/asn1pars.c406
-rw-r--r--src/lib/libssl/src/apps/ca.c2743
-rw-r--r--src/lib/libssl/src/apps/ciphers.c194
-rw-r--r--src/lib/libssl/src/apps/cms.c1154
-rw-r--r--src/lib/libssl/src/apps/crl.c415
-rw-r--r--src/lib/libssl/src/apps/crl2p7.c314
-rw-r--r--src/lib/libssl/src/apps/dgst.c547
-rw-r--r--src/lib/libssl/src/apps/dh.c308
-rw-r--r--src/lib/libssl/src/apps/dhparam.c472
-rw-r--r--src/lib/libssl/src/apps/dsa.c332
-rw-r--r--src/lib/libssl/src/apps/dsaparam.c414
-rw-r--r--src/lib/libssl/src/apps/ec.c341
-rw-r--r--src/lib/libssl/src/apps/ecparam.c613
-rw-r--r--src/lib/libssl/src/apps/enc.c649
-rw-r--r--src/lib/libssl/src/apps/engine.c494
-rw-r--r--src/lib/libssl/src/apps/errstr.c108
-rw-r--r--src/lib/libssl/src/apps/gendh.c204
-rw-r--r--src/lib/libssl/src/apps/gendsa.c230
-rw-r--r--src/lib/libssl/src/apps/genpkey.c383
-rw-r--r--src/lib/libssl/src/apps/genrsa.c286
-rw-r--r--src/lib/libssl/src/apps/nseq.c162
-rw-r--r--src/lib/libssl/src/apps/ocsp.c1217
-rw-r--r--src/lib/libssl/src/apps/openssl.c639
-rw-r--r--src/lib/libssl/src/apps/passwd.c457
-rw-r--r--src/lib/libssl/src/apps/pkcs12.c913
-rw-r--r--src/lib/libssl/src/apps/pkcs7.c284
-rw-r--r--src/lib/libssl/src/apps/pkcs8.c367
-rw-r--r--src/lib/libssl/src/apps/pkey.c235
-rw-r--r--src/lib/libssl/src/apps/pkeyparam.c173
-rw-r--r--src/lib/libssl/src/apps/pkeyutl.c503
-rw-r--r--src/lib/libssl/src/apps/prime.c147
-rw-r--r--src/lib/libssl/src/apps/progs.h234
-rw-r--r--src/lib/libssl/src/apps/rand.c194
-rw-r--r--src/lib/libssl/src/apps/req.c1602
-rw-r--r--src/lib/libssl/src/apps/rsa.c392
-rw-r--r--src/lib/libssl/src/apps/rsautl.c341
-rw-r--r--src/lib/libssl/src/apps/s_apps.h147
-rw-r--r--src/lib/libssl/src/apps/s_cb.c854
-rw-r--r--src/lib/libssl/src/apps/s_client.c1507
-rw-r--r--src/lib/libssl/src/apps/s_server.c2154
-rw-r--r--src/lib/libssl/src/apps/s_socket.c351
-rw-r--r--src/lib/libssl/src/apps/s_time.c587
-rw-r--r--src/lib/libssl/src/apps/sess_id.c282
-rw-r--r--src/lib/libssl/src/apps/smime.c697
-rw-r--r--src/lib/libssl/src/apps/speed.c2170
-rw-r--r--src/lib/libssl/src/apps/spkac.c284
-rw-r--r--src/lib/libssl/src/apps/testdsa.h221
-rw-r--r--src/lib/libssl/src/apps/testrsa.h517
-rw-r--r--src/lib/libssl/src/apps/timeouts.h67
-rw-r--r--src/lib/libssl/src/apps/ts.c1102
-rw-r--r--src/lib/libssl/src/apps/verify.c339
-rw-r--r--src/lib/libssl/src/apps/version.c208
-rw-r--r--src/lib/libssl/src/apps/x509.c1160
55 files changed, 0 insertions, 33619 deletions
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
deleted file mode 100644
index 7e7086a1c7..0000000000
--- a/src/lib/libssl/src/apps/apps.c
+++ /dev/null
@@ -1,2220 +0,0 @@
1/* $OpenBSD: apps.c,v 1.69 2014/07/25 06:05:31 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <sys/types.h>
113#include <sys/stat.h>
114#include <sys/times.h>
115
116#include <ctype.h>
117#include <errno.h>
118#include <stdio.h>
119#include <stdlib.h>
120#include <limits.h>
121#include <string.h>
122#include <strings.h>
123#include <unistd.h>
124
125#include "apps.h"
126
127#include <openssl/bn.h>
128#include <openssl/err.h>
129#include <openssl/pem.h>
130#include <openssl/pkcs12.h>
131#include <openssl/safestack.h>
132#include <openssl/ui.h>
133#include <openssl/x509.h>
134#include <openssl/x509v3.h>
135
136#ifndef OPENSSL_NO_ENGINE
137#include <openssl/engine.h>
138#endif
139
140#include <openssl/rsa.h>
141
142typedef struct {
143 const char *name;
144 unsigned long flag;
145 unsigned long mask;
146} NAME_EX_TBL;
147
148static UI_METHOD *ui_method = NULL;
149
150static int set_table_opts(unsigned long *flags, const char *arg,
151 const NAME_EX_TBL *in_tbl);
152static int set_multi_opts(unsigned long *flags, const char *arg,
153 const NAME_EX_TBL *in_tbl);
154
155#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
156/* Looks like this stuff is worth moving into separate function */
157static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
158 const char *key_descrip, int format);
159#endif
160
161int
162str2fmt(char *s)
163{
164 if (s == NULL)
165 return FORMAT_UNDEF;
166 if ((*s == 'D') || (*s == 'd'))
167 return (FORMAT_ASN1);
168 else if ((*s == 'T') || (*s == 't'))
169 return (FORMAT_TEXT);
170 else if ((*s == 'N') || (*s == 'n'))
171 return (FORMAT_NETSCAPE);
172 else if ((*s == 'S') || (*s == 's'))
173 return (FORMAT_SMIME);
174 else if ((*s == 'M') || (*s == 'm'))
175 return (FORMAT_MSBLOB);
176 else if ((*s == '1') ||
177 (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) ||
178 (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
179 return (FORMAT_PKCS12);
180 else if ((*s == 'E') || (*s == 'e'))
181 return (FORMAT_ENGINE);
182 else if ((*s == 'P') || (*s == 'p')) {
183 if (s[1] == 'V' || s[1] == 'v')
184 return FORMAT_PVK;
185 else
186 return (FORMAT_PEM);
187 } else
188 return (FORMAT_UNDEF);
189}
190
191void
192program_name(char *in, char *out, int size)
193{
194 char *p;
195
196 p = strrchr(in, '/');
197 if (p != NULL)
198 p++;
199 else
200 p = in;
201 strlcpy(out, p, size);
202}
203
204int
205chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
206{
207 int num, i;
208 char *p;
209
210 *argc = 0;
211 *argv = NULL;
212
213 i = 0;
214 if (arg->count == 0) {
215 arg->count = 20;
216 arg->data = reallocarray(NULL, arg->count, sizeof(char *));
217 }
218 for (i = 0; i < arg->count; i++)
219 arg->data[i] = NULL;
220
221 num = 0;
222 p = buf;
223 for (;;) {
224 /* first scan over white space */
225 if (!*p)
226 break;
227 while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
228 p++;
229 if (!*p)
230 break;
231
232 /* The start of something good :-) */
233 if (num >= arg->count) {
234 char **tmp_p;
235 int tlen = arg->count + 20;
236 tmp_p = reallocarray(arg->data, tlen, sizeof(char *));
237 if (tmp_p == NULL)
238 return 0;
239 arg->data = tmp_p;
240 arg->count = tlen;
241 /* initialize newly allocated data */
242 for (i = num; i < arg->count; i++)
243 arg->data[i] = NULL;
244 }
245 arg->data[num++] = p;
246
247 /* now look for the end of this */
248 if ((*p == '\'') || (*p == '\"')) { /* scan for closing
249 * quote */
250 i = *(p++);
251 arg->data[num - 1]++; /* jump over quote */
252 while (*p && (*p != i))
253 p++;
254 *p = '\0';
255 } else {
256 while (*p && ((*p != ' ') &&
257 (*p != '\t') && (*p != '\n')))
258 p++;
259
260 if (*p == '\0')
261 p--;
262 else
263 *p = '\0';
264 }
265 p++;
266 }
267 *argc = num;
268 *argv = arg->data;
269 return (1);
270}
271
272int
273dump_cert_text(BIO *out, X509 *x)
274{
275 char *p;
276
277 p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
278 BIO_puts(out, "subject=");
279 BIO_puts(out, p);
280 free(p);
281
282 p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
283 BIO_puts(out, "\nissuer=");
284 BIO_puts(out, p);
285 BIO_puts(out, "\n");
286 free(p);
287
288 return 0;
289}
290
291static int
292ui_open(UI *ui)
293{
294 return UI_method_get_opener(UI_OpenSSL()) (ui);
295}
296
297static int
298ui_read(UI *ui, UI_STRING *uis)
299{
300 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
301 UI_get0_user_data(ui)) {
302 switch (UI_get_string_type(uis)) {
303 case UIT_PROMPT:
304 case UIT_VERIFY:
305 {
306 const char *password =
307 ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
308 if (password && password[0] != '\0') {
309 UI_set_result(ui, uis, password);
310 return 1;
311 }
312 }
313 break;
314 default:
315 break;
316 }
317 }
318 return UI_method_get_reader(UI_OpenSSL()) (ui, uis);
319}
320
321static int
322ui_write(UI *ui, UI_STRING *uis)
323{
324 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
325 UI_get0_user_data(ui)) {
326 switch (UI_get_string_type(uis)) {
327 case UIT_PROMPT:
328 case UIT_VERIFY:
329 {
330 const char *password =
331 ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
332 if (password && password[0] != '\0')
333 return 1;
334 }
335 break;
336 default:
337 break;
338 }
339 }
340 return UI_method_get_writer(UI_OpenSSL()) (ui, uis);
341}
342
343static int
344ui_close(UI *ui)
345{
346 return UI_method_get_closer(UI_OpenSSL()) (ui);
347}
348
349int
350setup_ui_method(void)
351{
352 ui_method = UI_create_method("OpenSSL application user interface");
353 UI_method_set_opener(ui_method, ui_open);
354 UI_method_set_reader(ui_method, ui_read);
355 UI_method_set_writer(ui_method, ui_write);
356 UI_method_set_closer(ui_method, ui_close);
357 return 0;
358}
359
360void
361destroy_ui_method(void)
362{
363 if (ui_method) {
364 UI_destroy_method(ui_method);
365 ui_method = NULL;
366 }
367}
368
369int
370password_callback(char *buf, int bufsiz, int verify, void *arg)
371{
372 PW_CB_DATA *cb_tmp = arg;
373 UI *ui = NULL;
374 int res = 0;
375 const char *prompt_info = NULL;
376 const char *password = NULL;
377 PW_CB_DATA *cb_data = (PW_CB_DATA *) cb_tmp;
378
379 if (cb_data) {
380 if (cb_data->password)
381 password = cb_data->password;
382 if (cb_data->prompt_info)
383 prompt_info = cb_data->prompt_info;
384 }
385 if (password) {
386 res = strlen(password);
387 if (res > bufsiz)
388 res = bufsiz;
389 memcpy(buf, password, res);
390 return res;
391 }
392 ui = UI_new_method(ui_method);
393 if (ui) {
394 int ok = 0;
395 char *buff = NULL;
396 int ui_flags = 0;
397 char *prompt = NULL;
398
399 prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
400
401 ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
402 UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
403
404 if (ok >= 0)
405 ok = UI_add_input_string(ui, prompt, ui_flags, buf,
406 PW_MIN_LENGTH, bufsiz - 1);
407 if (ok >= 0 && verify) {
408 buff = malloc(bufsiz);
409 ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
410 PW_MIN_LENGTH, bufsiz - 1, buf);
411 }
412 if (ok >= 0)
413 do {
414 ok = UI_process(ui);
415 } while (ok < 0 &&
416 UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
417
418 if (buff) {
419 OPENSSL_cleanse(buff, (unsigned int) bufsiz);
420 free(buff);
421 }
422 if (ok >= 0)
423 res = strlen(buf);
424 if (ok == -1) {
425 BIO_printf(bio_err, "User interface error\n");
426 ERR_print_errors(bio_err);
427 OPENSSL_cleanse(buf, (unsigned int) bufsiz);
428 res = 0;
429 }
430 if (ok == -2) {
431 BIO_printf(bio_err, "aborted!\n");
432 OPENSSL_cleanse(buf, (unsigned int) bufsiz);
433 res = 0;
434 }
435 UI_free(ui);
436 free(prompt);
437 }
438 return res;
439}
440
441static char *app_get_pass(BIO *err, char *arg, int keepbio);
442
443int
444app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
445{
446 int same;
447
448 if (!arg2 || !arg1 || strcmp(arg1, arg2))
449 same = 0;
450 else
451 same = 1;
452 if (arg1) {
453 *pass1 = app_get_pass(err, arg1, same);
454 if (!*pass1)
455 return 0;
456 } else if (pass1)
457 *pass1 = NULL;
458 if (arg2) {
459 *pass2 = app_get_pass(err, arg2, same ? 2 : 0);
460 if (!*pass2)
461 return 0;
462 } else if (pass2)
463 *pass2 = NULL;
464 return 1;
465}
466
467static char *
468app_get_pass(BIO *err, char *arg, int keepbio)
469{
470 char *tmp, tpass[APP_PASS_LEN];
471 static BIO *pwdbio = NULL;
472 const char *errstr = NULL;
473 int i;
474
475 if (!strncmp(arg, "pass:", 5))
476 return strdup(arg + 5);
477 if (!strncmp(arg, "env:", 4)) {
478 tmp = getenv(arg + 4);
479 if (!tmp) {
480 BIO_printf(err, "Can't read environment variable %s\n",
481 arg + 4);
482 return NULL;
483 }
484 return strdup(tmp);
485 }
486 if (!keepbio || !pwdbio) {
487 if (!strncmp(arg, "file:", 5)) {
488 pwdbio = BIO_new_file(arg + 5, "r");
489 if (!pwdbio) {
490 BIO_printf(err, "Can't open file %s\n",
491 arg + 5);
492 return NULL;
493 }
494 } else if (!strncmp(arg, "fd:", 3)) {
495 BIO *btmp;
496 i = strtonum(arg + 3, 0, INT_MAX, &errstr);
497 if (errstr) {
498 BIO_printf(err,
499 "Invalid file descriptor %s: %s\n",
500 arg, errstr);
501 return NULL;
502 }
503 pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
504 if (!pwdbio) {
505 BIO_printf(err,
506 "Can't access file descriptor %s\n",
507 arg + 3);
508 return NULL;
509 }
510 /*
511 * Can't do BIO_gets on an fd BIO so add a buffering
512 * BIO
513 */
514 btmp = BIO_new(BIO_f_buffer());
515 pwdbio = BIO_push(btmp, pwdbio);
516 } else if (!strcmp(arg, "stdin")) {
517 pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
518 if (!pwdbio) {
519 BIO_printf(err, "Can't open BIO for stdin\n");
520 return NULL;
521 }
522 } else {
523 BIO_printf(err, "Invalid password argument \"%s\"\n",
524 arg);
525 return NULL;
526 }
527 }
528 i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
529 if (keepbio != 1) {
530 BIO_free_all(pwdbio);
531 pwdbio = NULL;
532 }
533 if (i <= 0) {
534 BIO_printf(err, "Error reading password from BIO\n");
535 return NULL;
536 }
537 tmp = strchr(tpass, '\n');
538 if (tmp)
539 *tmp = 0;
540 return strdup(tpass);
541}
542
543int
544add_oid_section(BIO *err, CONF *conf)
545{
546 char *p;
547 STACK_OF(CONF_VALUE) *sktmp;
548 CONF_VALUE *cnf;
549 int i;
550
551 if (!(p = NCONF_get_string(conf, NULL, "oid_section"))) {
552 ERR_clear_error();
553 return 1;
554 }
555 if (!(sktmp = NCONF_get_section(conf, p))) {
556 BIO_printf(err, "problem loading oid section %s\n", p);
557 return 0;
558 }
559 for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
560 cnf = sk_CONF_VALUE_value(sktmp, i);
561 if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
562 BIO_printf(err, "problem creating object %s=%s\n",
563 cnf->name, cnf->value);
564 return 0;
565 }
566 }
567 return 1;
568}
569
570static int
571load_pkcs12(BIO *err, BIO *in, const char *desc, pem_password_cb *pem_cb,
572 void *cb_data, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
573{
574 const char *pass;
575 char tpass[PEM_BUFSIZE];
576 int len, ret = 0;
577 PKCS12 *p12;
578
579 p12 = d2i_PKCS12_bio(in, NULL);
580 if (p12 == NULL) {
581 BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
582 goto die;
583 }
584 /* See if an empty password will do */
585 if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
586 pass = "";
587 else {
588 if (!pem_cb)
589 pem_cb = password_callback;
590 len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
591 if (len < 0) {
592 BIO_printf(err, "Passpharse callback error for %s\n",
593 desc);
594 goto die;
595 }
596 if (len < PEM_BUFSIZE)
597 tpass[len] = 0;
598 if (!PKCS12_verify_mac(p12, tpass, len)) {
599 BIO_printf(err,
600 "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);
601 goto die;
602 }
603 pass = tpass;
604 }
605 ret = PKCS12_parse(p12, pass, pkey, cert, ca);
606
607die:
608 if (p12)
609 PKCS12_free(p12);
610 return ret;
611}
612
613X509 *
614load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
615 const char *cert_descrip)
616{
617 X509 *x = NULL;
618 BIO *cert;
619
620 if ((cert = BIO_new(BIO_s_file())) == NULL) {
621 ERR_print_errors(err);
622 goto end;
623 }
624 if (file == NULL) {
625 setvbuf(stdin, NULL, _IONBF, 0);
626 BIO_set_fp(cert, stdin, BIO_NOCLOSE);
627 } else {
628 if (BIO_read_filename(cert, file) <= 0) {
629 BIO_printf(err, "Error opening %s %s\n",
630 cert_descrip, file);
631 ERR_print_errors(err);
632 goto end;
633 }
634 }
635
636 if (format == FORMAT_ASN1)
637 x = d2i_X509_bio(cert, NULL);
638 else if (format == FORMAT_NETSCAPE) {
639 NETSCAPE_X509 *nx;
640 nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),
641 cert, NULL);
642 if (nx == NULL)
643 goto end;
644
645 if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
646 nx->header->length) != 0)) {
647 NETSCAPE_X509_free(nx);
648 BIO_printf(err,
649 "Error reading header on certificate\n");
650 goto end;
651 }
652 x = nx->cert;
653 nx->cert = NULL;
654 NETSCAPE_X509_free(nx);
655 } else if (format == FORMAT_PEM)
656 x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);
657 else if (format == FORMAT_PKCS12) {
658 if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,
659 NULL, &x, NULL))
660 goto end;
661 } else {
662 BIO_printf(err, "bad input format specified for %s\n",
663 cert_descrip);
664 goto end;
665 }
666
667end:
668 if (x == NULL) {
669 BIO_printf(err, "unable to load certificate\n");
670 ERR_print_errors(err);
671 }
672 BIO_free(cert);
673 return (x);
674}
675
676EVP_PKEY *
677load_key(BIO *err, const char *file, int format, int maybe_stdin,
678 const char *pass, ENGINE *e, const char *key_descrip)
679{
680 BIO *key = NULL;
681 EVP_PKEY *pkey = NULL;
682 PW_CB_DATA cb_data;
683
684 cb_data.password = pass;
685 cb_data.prompt_info = file;
686
687 if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
688 BIO_printf(err, "no keyfile specified\n");
689 goto end;
690 }
691#ifndef OPENSSL_NO_ENGINE
692 if (format == FORMAT_ENGINE) {
693 if (!e)
694 BIO_printf(err, "no engine specified\n");
695 else {
696 pkey = ENGINE_load_private_key(e, file,
697 ui_method, &cb_data);
698 if (!pkey) {
699 BIO_printf(err, "cannot load %s from engine\n",
700 key_descrip);
701 ERR_print_errors(err);
702 }
703 }
704 goto end;
705 }
706#endif
707 key = BIO_new(BIO_s_file());
708 if (key == NULL) {
709 ERR_print_errors(err);
710 goto end;
711 }
712 if (file == NULL && maybe_stdin) {
713 setvbuf(stdin, NULL, _IONBF, 0);
714 BIO_set_fp(key, stdin, BIO_NOCLOSE);
715 } else if (BIO_read_filename(key, file) <= 0) {
716 BIO_printf(err, "Error opening %s %s\n",
717 key_descrip, file);
718 ERR_print_errors(err);
719 goto end;
720 }
721 if (format == FORMAT_ASN1) {
722 pkey = d2i_PrivateKey_bio(key, NULL);
723 } else if (format == FORMAT_PEM) {
724 pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);
725 }
726#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
727 else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
728 pkey = load_netscape_key(err, key, file, key_descrip, format);
729#endif
730 else if (format == FORMAT_PKCS12) {
731 if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,
732 &pkey, NULL, NULL))
733 goto end;
734 }
735#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
736 else if (format == FORMAT_MSBLOB)
737 pkey = b2i_PrivateKey_bio(key);
738 else if (format == FORMAT_PVK)
739 pkey = b2i_PVK_bio(key, password_callback,
740 &cb_data);
741#endif
742 else {
743 BIO_printf(err, "bad input format specified for key file\n");
744 goto end;
745 }
746end:
747 BIO_free(key);
748 if (pkey == NULL) {
749 BIO_printf(err, "unable to load %s\n", key_descrip);
750 ERR_print_errors(err);
751 }
752 return (pkey);
753}
754
755EVP_PKEY *
756load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
757 const char *pass, ENGINE *e, const char *key_descrip)
758{
759 BIO *key = NULL;
760 EVP_PKEY *pkey = NULL;
761 PW_CB_DATA cb_data;
762
763 cb_data.password = pass;
764 cb_data.prompt_info = file;
765
766 if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
767 BIO_printf(err, "no keyfile specified\n");
768 goto end;
769 }
770#ifndef OPENSSL_NO_ENGINE
771 if (format == FORMAT_ENGINE) {
772 if (!e)
773 BIO_printf(bio_err, "no engine specified\n");
774 else
775 pkey = ENGINE_load_public_key(e, file,
776 ui_method, &cb_data);
777 goto end;
778 }
779#endif
780 key = BIO_new(BIO_s_file());
781 if (key == NULL) {
782 ERR_print_errors(err);
783 goto end;
784 }
785 if (file == NULL && maybe_stdin) {
786 setvbuf(stdin, NULL, _IONBF, 0);
787 BIO_set_fp(key, stdin, BIO_NOCLOSE);
788 } else if (BIO_read_filename(key, file) <= 0) {
789 BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
790 ERR_print_errors(err);
791 goto end;
792 }
793 if (format == FORMAT_ASN1) {
794 pkey = d2i_PUBKEY_bio(key, NULL);
795 }
796 else if (format == FORMAT_ASN1RSA) {
797 RSA *rsa;
798 rsa = d2i_RSAPublicKey_bio(key, NULL);
799 if (rsa) {
800 pkey = EVP_PKEY_new();
801 if (pkey)
802 EVP_PKEY_set1_RSA(pkey, rsa);
803 RSA_free(rsa);
804 } else
805 pkey = NULL;
806 } else if (format == FORMAT_PEMRSA) {
807 RSA *rsa;
808 rsa = PEM_read_bio_RSAPublicKey(key, NULL, password_callback, &cb_data);
809 if (rsa) {
810 pkey = EVP_PKEY_new();
811 if (pkey)
812 EVP_PKEY_set1_RSA(pkey, rsa);
813 RSA_free(rsa);
814 } else
815 pkey = NULL;
816 }
817 else if (format == FORMAT_PEM) {
818 pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);
819 }
820#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
821 else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
822 pkey = load_netscape_key(err, key, file, key_descrip, format);
823#endif
824#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
825 else if (format == FORMAT_MSBLOB)
826 pkey = b2i_PublicKey_bio(key);
827#endif
828 else {
829 BIO_printf(err, "bad input format specified for key file\n");
830 goto end;
831 }
832
833end:
834 BIO_free(key);
835 if (pkey == NULL)
836 BIO_printf(err, "unable to load %s\n", key_descrip);
837 return (pkey);
838}
839
840#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
841static EVP_PKEY *
842load_netscape_key(BIO *err, BIO *key, const char *file,
843 const char *key_descrip, int format)
844{
845 EVP_PKEY *pkey;
846 BUF_MEM *buf;
847 RSA *rsa;
848 const unsigned char *p;
849 int size, i;
850
851 buf = BUF_MEM_new();
852 pkey = EVP_PKEY_new();
853 size = 0;
854 if (buf == NULL || pkey == NULL)
855 goto error;
856 for (;;) {
857 if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
858 goto error;
859 i = BIO_read(key, &(buf->data[size]), 1024 * 10);
860 size += i;
861 if (i == 0)
862 break;
863 if (i < 0) {
864 BIO_printf(err, "Error reading %s %s",
865 key_descrip, file);
866 goto error;
867 }
868 }
869 p = (unsigned char *) buf->data;
870 rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL,
871 (format == FORMAT_IISSGC ? 1 : 0));
872 if (rsa == NULL)
873 goto error;
874 BUF_MEM_free(buf);
875 EVP_PKEY_set1_RSA(pkey, rsa);
876 return pkey;
877
878error:
879 BUF_MEM_free(buf);
880 EVP_PKEY_free(pkey);
881 return NULL;
882}
883#endif /* ndef OPENSSL_NO_RC4 */
884
885static int
886load_certs_crls(BIO *err, const char *file, int format, const char *pass,
887 ENGINE *e, const char *desc, STACK_OF(X509) **pcerts,
888 STACK_OF(X509_CRL) **pcrls)
889{
890 int i;
891 BIO *bio;
892 STACK_OF(X509_INFO) *xis = NULL;
893 X509_INFO *xi;
894 PW_CB_DATA cb_data;
895 int rv = 0;
896
897 cb_data.password = pass;
898 cb_data.prompt_info = file;
899
900 if (format != FORMAT_PEM) {
901 BIO_printf(err, "bad input format specified for %s\n", desc);
902 return 0;
903 }
904 if (file == NULL)
905 bio = BIO_new_fp(stdin, BIO_NOCLOSE);
906 else
907 bio = BIO_new_file(file, "r");
908
909 if (bio == NULL) {
910 BIO_printf(err, "Error opening %s %s\n",
911 desc, file ? file : "stdin");
912 ERR_print_errors(err);
913 return 0;
914 }
915 xis = PEM_X509_INFO_read_bio(bio, NULL, password_callback, &cb_data);
916
917 BIO_free(bio);
918
919 if (pcerts) {
920 *pcerts = sk_X509_new_null();
921 if (!*pcerts)
922 goto end;
923 }
924 if (pcrls) {
925 *pcrls = sk_X509_CRL_new_null();
926 if (!*pcrls)
927 goto end;
928 }
929 for (i = 0; i < sk_X509_INFO_num(xis); i++) {
930 xi = sk_X509_INFO_value(xis, i);
931 if (xi->x509 && pcerts) {
932 if (!sk_X509_push(*pcerts, xi->x509))
933 goto end;
934 xi->x509 = NULL;
935 }
936 if (xi->crl && pcrls) {
937 if (!sk_X509_CRL_push(*pcrls, xi->crl))
938 goto end;
939 xi->crl = NULL;
940 }
941 }
942
943 if (pcerts && sk_X509_num(*pcerts) > 0)
944 rv = 1;
945
946 if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
947 rv = 1;
948
949end:
950 if (xis)
951 sk_X509_INFO_pop_free(xis, X509_INFO_free);
952
953 if (rv == 0) {
954 if (pcerts) {
955 sk_X509_pop_free(*pcerts, X509_free);
956 *pcerts = NULL;
957 }
958 if (pcrls) {
959 sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
960 *pcrls = NULL;
961 }
962 BIO_printf(err, "unable to load %s\n",
963 pcerts ? "certificates" : "CRLs");
964 ERR_print_errors(err);
965 }
966 return rv;
967}
968
969STACK_OF(X509) *
970load_certs(BIO *err, const char *file, int format, const char *pass,
971 ENGINE *e, const char *desc)
972{
973 STACK_OF(X509) *certs;
974
975 if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
976 return NULL;
977 return certs;
978}
979
980STACK_OF(X509_CRL) *
981load_crls(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
982 const char *desc)
983{
984 STACK_OF(X509_CRL) *crls;
985
986 if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
987 return NULL;
988 return crls;
989}
990
991#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
992/* Return error for unknown extensions */
993#define X509V3_EXT_DEFAULT 0
994/* Print error for unknown extensions */
995#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
996/* ASN1 parse unknown extensions */
997#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
998/* BIO_dump unknown extensions */
999#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
1000
1001#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
1002 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
1003
1004int
1005set_cert_ex(unsigned long *flags, const char *arg)
1006{
1007 static const NAME_EX_TBL cert_tbl[] = {
1008 {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
1009 {"ca_default", X509_FLAG_CA, 0xffffffffl},
1010 {"no_header", X509_FLAG_NO_HEADER, 0},
1011 {"no_version", X509_FLAG_NO_VERSION, 0},
1012 {"no_serial", X509_FLAG_NO_SERIAL, 0},
1013 {"no_signame", X509_FLAG_NO_SIGNAME, 0},
1014 {"no_validity", X509_FLAG_NO_VALIDITY, 0},
1015 {"no_subject", X509_FLAG_NO_SUBJECT, 0},
1016 {"no_issuer", X509_FLAG_NO_ISSUER, 0},
1017 {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
1018 {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
1019 {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
1020 {"no_aux", X509_FLAG_NO_AUX, 0},
1021 {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
1022 {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
1023 {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1024 {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1025 {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1026 {NULL, 0, 0}
1027 };
1028 return set_multi_opts(flags, arg, cert_tbl);
1029}
1030
1031int
1032set_name_ex(unsigned long *flags, const char *arg)
1033{
1034 static const NAME_EX_TBL ex_tbl[] = {
1035 {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
1036 {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
1037 {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
1038 {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
1039 {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
1040 {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
1041 {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
1042 {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
1043 {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
1044 {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
1045 {"compat", XN_FLAG_COMPAT, 0xffffffffL},
1046 {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
1047 {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
1048 {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
1049 {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
1050 {"dn_rev", XN_FLAG_DN_REV, 0},
1051 {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
1052 {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
1053 {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
1054 {"align", XN_FLAG_FN_ALIGN, 0},
1055 {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
1056 {"space_eq", XN_FLAG_SPC_EQ, 0},
1057 {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
1058 {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
1059 {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
1060 {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
1061 {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
1062 {NULL, 0, 0}
1063 };
1064 return set_multi_opts(flags, arg, ex_tbl);
1065}
1066
1067int
1068set_ext_copy(int *copy_type, const char *arg)
1069{
1070 if (!strcasecmp(arg, "none"))
1071 *copy_type = EXT_COPY_NONE;
1072 else if (!strcasecmp(arg, "copy"))
1073 *copy_type = EXT_COPY_ADD;
1074 else if (!strcasecmp(arg, "copyall"))
1075 *copy_type = EXT_COPY_ALL;
1076 else
1077 return 0;
1078 return 1;
1079}
1080
1081int
1082copy_extensions(X509 *x, X509_REQ *req, int copy_type)
1083{
1084 STACK_OF(X509_EXTENSION) *exts = NULL;
1085 X509_EXTENSION *ext, *tmpext;
1086 ASN1_OBJECT *obj;
1087 int i, idx, ret = 0;
1088
1089 if (!x || !req || (copy_type == EXT_COPY_NONE))
1090 return 1;
1091 exts = X509_REQ_get_extensions(req);
1092
1093 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
1094 ext = sk_X509_EXTENSION_value(exts, i);
1095 obj = X509_EXTENSION_get_object(ext);
1096 idx = X509_get_ext_by_OBJ(x, obj, -1);
1097 /* Does extension exist? */
1098 if (idx != -1) {
1099 /* If normal copy don't override existing extension */
1100 if (copy_type == EXT_COPY_ADD)
1101 continue;
1102 /* Delete all extensions of same type */
1103 do {
1104 tmpext = X509_get_ext(x, idx);
1105 X509_delete_ext(x, idx);
1106 X509_EXTENSION_free(tmpext);
1107 idx = X509_get_ext_by_OBJ(x, obj, -1);
1108 } while (idx != -1);
1109 }
1110 if (!X509_add_ext(x, ext, -1))
1111 goto end;
1112 }
1113
1114 ret = 1;
1115
1116end:
1117 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
1118
1119 return ret;
1120}
1121
1122static int
1123set_multi_opts(unsigned long *flags, const char *arg,
1124 const NAME_EX_TBL *in_tbl)
1125{
1126 STACK_OF(CONF_VALUE) *vals;
1127 CONF_VALUE *val;
1128 int i, ret = 1;
1129
1130 if (!arg)
1131 return 0;
1132 vals = X509V3_parse_list(arg);
1133 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
1134 val = sk_CONF_VALUE_value(vals, i);
1135 if (!set_table_opts(flags, val->name, in_tbl))
1136 ret = 0;
1137 }
1138 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
1139 return ret;
1140}
1141
1142static int
1143set_table_opts(unsigned long *flags, const char *arg,
1144 const NAME_EX_TBL *in_tbl)
1145{
1146 char c;
1147 const NAME_EX_TBL *ptbl;
1148
1149 c = arg[0];
1150 if (c == '-') {
1151 c = 0;
1152 arg++;
1153 } else if (c == '+') {
1154 c = 1;
1155 arg++;
1156 } else
1157 c = 1;
1158
1159 for (ptbl = in_tbl; ptbl->name; ptbl++) {
1160 if (!strcasecmp(arg, ptbl->name)) {
1161 *flags &= ~ptbl->mask;
1162 if (c)
1163 *flags |= ptbl->flag;
1164 else
1165 *flags &= ~ptbl->flag;
1166 return 1;
1167 }
1168 }
1169 return 0;
1170}
1171
1172void
1173print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags)
1174{
1175 char *buf;
1176 char mline = 0;
1177 int indent = 0;
1178
1179 if (title)
1180 BIO_puts(out, title);
1181 if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
1182 mline = 1;
1183 indent = 4;
1184 }
1185 if (lflags == XN_FLAG_COMPAT) {
1186 buf = X509_NAME_oneline(nm, 0, 0);
1187 BIO_puts(out, buf);
1188 BIO_puts(out, "\n");
1189 free(buf);
1190 } else {
1191 if (mline)
1192 BIO_puts(out, "\n");
1193 X509_NAME_print_ex(out, nm, indent, lflags);
1194 BIO_puts(out, "\n");
1195 }
1196}
1197
1198X509_STORE *
1199setup_verify(BIO *bp, char *CAfile, char *CApath)
1200{
1201 X509_STORE *store;
1202 X509_LOOKUP *lookup;
1203
1204 if (!(store = X509_STORE_new()))
1205 goto end;
1206 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
1207 if (lookup == NULL)
1208 goto end;
1209 if (CAfile) {
1210 if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
1211 BIO_printf(bp, "Error loading file %s\n", CAfile);
1212 goto end;
1213 }
1214 } else
1215 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
1216
1217 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1218 if (lookup == NULL)
1219 goto end;
1220 if (CApath) {
1221 if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
1222 BIO_printf(bp, "Error loading directory %s\n", CApath);
1223 goto end;
1224 }
1225 } else
1226 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
1227
1228 ERR_clear_error();
1229 return store;
1230
1231end:
1232 X509_STORE_free(store);
1233 return NULL;
1234}
1235
1236#ifndef OPENSSL_NO_ENGINE
1237/* Try to load an engine in a shareable library */
1238static ENGINE *
1239try_load_engine(BIO *err, const char *engine, int debug)
1240{
1241 ENGINE *e = ENGINE_by_id("dynamic");
1242
1243 if (e) {
1244 if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) ||
1245 !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
1246 ENGINE_free(e);
1247 e = NULL;
1248 }
1249 }
1250 return e;
1251}
1252
1253ENGINE *
1254setup_engine(BIO *err, const char *engine, int debug)
1255{
1256 ENGINE *e = NULL;
1257
1258 if (engine) {
1259 if (strcmp(engine, "auto") == 0) {
1260 BIO_printf(err, "enabling auto ENGINE support\n");
1261 ENGINE_register_all_complete();
1262 return NULL;
1263 }
1264 if ((e = ENGINE_by_id(engine)) == NULL &&
1265 (e = try_load_engine(err, engine, debug)) == NULL) {
1266 BIO_printf(err, "invalid engine \"%s\"\n", engine);
1267 ERR_print_errors(err);
1268 return NULL;
1269 }
1270 if (debug) {
1271 ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
1272 0, err, 0);
1273 }
1274 ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
1275 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
1276 BIO_printf(err, "can't use that engine\n");
1277 ERR_print_errors(err);
1278 ENGINE_free(e);
1279 return NULL;
1280 }
1281 BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
1282
1283 /* Free our "structural" reference. */
1284 ENGINE_free(e);
1285 }
1286 return e;
1287}
1288#endif
1289
1290int
1291load_config(BIO *err, CONF *cnf)
1292{
1293 static int load_config_called = 0;
1294
1295 if (load_config_called)
1296 return 1;
1297 load_config_called = 1;
1298 if (cnf == NULL)
1299 cnf = config;
1300 if (cnf == NULL)
1301 return 1;
1302
1303 OPENSSL_load_builtin_modules();
1304
1305 if (CONF_modules_load(cnf, NULL, 0) <= 0) {
1306 BIO_printf(err, "Error configuring OpenSSL\n");
1307 ERR_print_errors(err);
1308 return 0;
1309 }
1310 return 1;
1311}
1312
1313char *
1314make_config_name()
1315{
1316 const char *t = X509_get_default_cert_area();
1317 char *p;
1318
1319 if (asprintf(&p, "%s/openssl.cnf", t) == -1)
1320 return NULL;
1321 return p;
1322}
1323
1324static unsigned long
1325index_serial_hash(const OPENSSL_CSTRING *a)
1326{
1327 const char *n;
1328
1329 n = a[DB_serial];
1330 while (*n == '0')
1331 n++;
1332 return (lh_strhash(n));
1333}
1334
1335static int
1336index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
1337{
1338 const char *aa, *bb;
1339
1340 for (aa = a[DB_serial]; *aa == '0'; aa++)
1341 ;
1342 for (bb = b[DB_serial]; *bb == '0'; bb++)
1343 ;
1344 return (strcmp(aa, bb));
1345}
1346
1347static int
1348index_name_qual(char **a)
1349{
1350 return (a[0][0] == 'V');
1351}
1352
1353static unsigned long
1354index_name_hash(const OPENSSL_CSTRING *a)
1355{
1356 return (lh_strhash(a[DB_name]));
1357}
1358
1359int
1360index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
1361{
1362 return (strcmp(a[DB_name], b[DB_name]));
1363}
1364
1365static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
1366static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
1367static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
1368static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
1369
1370#define BSIZE 256
1371
1372BIGNUM *
1373load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
1374{
1375 BIO *in = NULL;
1376 BIGNUM *ret = NULL;
1377 char buf[1024];
1378 ASN1_INTEGER *ai = NULL;
1379
1380 ai = ASN1_INTEGER_new();
1381 if (ai == NULL)
1382 goto err;
1383
1384 if ((in = BIO_new(BIO_s_file())) == NULL) {
1385 ERR_print_errors(bio_err);
1386 goto err;
1387 }
1388 if (BIO_read_filename(in, serialfile) <= 0) {
1389 if (!create) {
1390 perror(serialfile);
1391 goto err;
1392 } else {
1393 ret = BN_new();
1394 if (ret == NULL || !rand_serial(ret, ai))
1395 BIO_printf(bio_err, "Out of memory\n");
1396 }
1397 } else {
1398 if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
1399 BIO_printf(bio_err, "unable to load number from %s\n",
1400 serialfile);
1401 goto err;
1402 }
1403 ret = ASN1_INTEGER_to_BN(ai, NULL);
1404 if (ret == NULL) {
1405 BIO_printf(bio_err,
1406 "error converting number from bin to BIGNUM\n");
1407 goto err;
1408 }
1409 }
1410
1411 if (ret && retai) {
1412 *retai = ai;
1413 ai = NULL;
1414 }
1415
1416err:
1417 if (in != NULL)
1418 BIO_free(in);
1419 if (ai != NULL)
1420 ASN1_INTEGER_free(ai);
1421 return (ret);
1422}
1423
1424int
1425save_serial(char *serialfile, char *suffix, BIGNUM *serial,
1426 ASN1_INTEGER **retai)
1427{
1428 char buf[1][BSIZE];
1429 BIO *out = NULL;
1430 int ret = 0, n;
1431 ASN1_INTEGER *ai = NULL;
1432 int j;
1433
1434 if (suffix == NULL)
1435 j = strlen(serialfile);
1436 else
1437 j = strlen(serialfile) + strlen(suffix) + 1;
1438 if (j >= BSIZE) {
1439 BIO_printf(bio_err, "file name too long\n");
1440 goto err;
1441 }
1442 if (suffix == NULL)
1443 n = strlcpy(buf[0], serialfile, BSIZE);
1444 else
1445 n = snprintf(buf[0], sizeof buf[0], "%s.%s",
1446 serialfile, suffix);
1447 if (n == -1 || n >= sizeof(buf[0])) {
1448 BIO_printf(bio_err, "serial too long\n");
1449 goto err;
1450 }
1451 out = BIO_new(BIO_s_file());
1452 if (out == NULL) {
1453 ERR_print_errors(bio_err);
1454 goto err;
1455 }
1456 if (BIO_write_filename(out, buf[0]) <= 0) {
1457 perror(serialfile);
1458 goto err;
1459 }
1460 if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
1461 BIO_printf(bio_err,
1462 "error converting serial to ASN.1 format\n");
1463 goto err;
1464 }
1465 i2a_ASN1_INTEGER(out, ai);
1466 BIO_puts(out, "\n");
1467 ret = 1;
1468 if (retai) {
1469 *retai = ai;
1470 ai = NULL;
1471 }
1472
1473err:
1474 if (out != NULL)
1475 BIO_free_all(out);
1476 if (ai != NULL)
1477 ASN1_INTEGER_free(ai);
1478 return (ret);
1479}
1480
1481int
1482rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
1483{
1484 char buf[5][BSIZE];
1485 int i, j;
1486
1487 i = strlen(serialfile) + strlen(old_suffix);
1488 j = strlen(serialfile) + strlen(new_suffix);
1489 if (i > j)
1490 j = i;
1491 if (j + 1 >= BSIZE) {
1492 BIO_printf(bio_err, "file name too long\n");
1493 goto err;
1494 }
1495 snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
1496 snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
1497
1498
1499 if (rename(serialfile, buf[1]) < 0 &&
1500 errno != ENOENT && errno != ENOTDIR) {
1501 BIO_printf(bio_err, "unable to rename %s to %s\n",
1502 serialfile, buf[1]);
1503 perror("reason");
1504 goto err;
1505 }
1506
1507
1508 if (rename(buf[0], serialfile) < 0) {
1509 BIO_printf(bio_err, "unable to rename %s to %s\n",
1510 buf[0], serialfile);
1511 perror("reason");
1512 rename(buf[1], serialfile);
1513 goto err;
1514 }
1515 return 1;
1516
1517err:
1518 return 0;
1519}
1520
1521int
1522rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
1523{
1524 BIGNUM *btmp;
1525 int ret = 0;
1526
1527 if (b)
1528 btmp = b;
1529 else
1530 btmp = BN_new();
1531
1532 if (!btmp)
1533 return 0;
1534
1535 if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
1536 goto error;
1537 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
1538 goto error;
1539
1540 ret = 1;
1541
1542error:
1543 if (!b)
1544 BN_free(btmp);
1545
1546 return ret;
1547}
1548
1549CA_DB *
1550load_index(char *dbfile, DB_ATTR *db_attr)
1551{
1552 CA_DB *retdb = NULL;
1553 TXT_DB *tmpdb = NULL;
1554 BIO *in = BIO_new(BIO_s_file());
1555 CONF *dbattr_conf = NULL;
1556 char buf[1][BSIZE];
1557 long errorline = -1;
1558
1559 if (in == NULL) {
1560 ERR_print_errors(bio_err);
1561 goto err;
1562 }
1563 if (BIO_read_filename(in, dbfile) <= 0) {
1564 perror(dbfile);
1565 BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1566 goto err;
1567 }
1568 if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
1569 goto err;
1570
1571 snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
1572 dbattr_conf = NCONF_new(NULL);
1573 if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
1574 if (errorline > 0) {
1575 BIO_printf(bio_err,
1576 "error on line %ld of db attribute file '%s'\n",
1577 errorline, buf[0]);
1578 goto err;
1579 } else {
1580 NCONF_free(dbattr_conf);
1581 dbattr_conf = NULL;
1582 }
1583 }
1584 if ((retdb = malloc(sizeof(CA_DB))) == NULL) {
1585 fprintf(stderr, "Out of memory\n");
1586 goto err;
1587 }
1588 retdb->db = tmpdb;
1589 tmpdb = NULL;
1590 if (db_attr)
1591 retdb->attributes = *db_attr;
1592 else {
1593 retdb->attributes.unique_subject = 1;
1594 }
1595
1596 if (dbattr_conf) {
1597 char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
1598 if (p) {
1599 retdb->attributes.unique_subject = parse_yesno(p, 1);
1600 }
1601 }
1602
1603err:
1604 if (dbattr_conf)
1605 NCONF_free(dbattr_conf);
1606 if (tmpdb)
1607 TXT_DB_free(tmpdb);
1608 if (in)
1609 BIO_free_all(in);
1610 return retdb;
1611}
1612
1613int
1614index_index(CA_DB *db)
1615{
1616 if (!TXT_DB_create_index(db->db, DB_serial, NULL,
1617 LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) {
1618 BIO_printf(bio_err,
1619 "error creating serial number index:(%ld,%ld,%ld)\n",
1620 db->db->error, db->db->arg1, db->db->arg2);
1621 return 0;
1622 }
1623 if (db->attributes.unique_subject &&
1624 !TXT_DB_create_index(db->db, DB_name, index_name_qual,
1625 LHASH_HASH_FN(index_name), LHASH_COMP_FN(index_name))) {
1626 BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
1627 db->db->error, db->db->arg1, db->db->arg2);
1628 return 0;
1629 }
1630 return 1;
1631}
1632
1633int
1634save_index(const char *dbfile, const char *suffix, CA_DB *db)
1635{
1636 char buf[3][BSIZE];
1637 BIO *out = BIO_new(BIO_s_file());
1638 int j;
1639
1640 if (out == NULL) {
1641 ERR_print_errors(bio_err);
1642 goto err;
1643 }
1644 j = strlen(dbfile) + strlen(suffix);
1645 if (j + 6 >= BSIZE) {
1646 BIO_printf(bio_err, "file name too long\n");
1647 goto err;
1648 }
1649 snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
1650 snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
1651 snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
1652
1653
1654 if (BIO_write_filename(out, buf[0]) <= 0) {
1655 perror(dbfile);
1656 BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1657 goto err;
1658 }
1659 j = TXT_DB_write(out, db->db);
1660 if (j <= 0)
1661 goto err;
1662
1663 BIO_free(out);
1664
1665 out = BIO_new(BIO_s_file());
1666
1667
1668 if (BIO_write_filename(out, buf[1]) <= 0) {
1669 perror(buf[2]);
1670 BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
1671 goto err;
1672 }
1673 BIO_printf(out, "unique_subject = %s\n",
1674 db->attributes.unique_subject ? "yes" : "no");
1675 BIO_free(out);
1676
1677 return 1;
1678
1679err:
1680 return 0;
1681}
1682
1683int
1684rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
1685{
1686 char buf[5][BSIZE];
1687 int i, j;
1688
1689 i = strlen(dbfile) + strlen(old_suffix);
1690 j = strlen(dbfile) + strlen(new_suffix);
1691 if (i > j)
1692 j = i;
1693 if (j + 6 >= BSIZE) {
1694 BIO_printf(bio_err, "file name too long\n");
1695 goto err;
1696 }
1697 snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
1698 snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
1699 snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
1700 snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
1701 snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
1702
1703
1704 if (rename(dbfile, buf[1]) < 0 && errno != ENOENT && errno != ENOTDIR) {
1705 BIO_printf(bio_err, "unable to rename %s to %s\n",
1706 dbfile, buf[1]);
1707 perror("reason");
1708 goto err;
1709 }
1710
1711
1712 if (rename(buf[0], dbfile) < 0) {
1713 BIO_printf(bio_err, "unable to rename %s to %s\n",
1714 buf[0], dbfile);
1715 perror("reason");
1716 rename(buf[1], dbfile);
1717 goto err;
1718 }
1719
1720
1721 if (rename(buf[4], buf[3]) < 0 && errno != ENOENT && errno != ENOTDIR) {
1722 BIO_printf(bio_err, "unable to rename %s to %s\n",
1723 buf[4], buf[3]);
1724 perror("reason");
1725 rename(dbfile, buf[0]);
1726 rename(buf[1], dbfile);
1727 goto err;
1728 }
1729
1730
1731 if (rename(buf[2], buf[4]) < 0) {
1732 BIO_printf(bio_err, "unable to rename %s to %s\n",
1733 buf[2], buf[4]);
1734 perror("reason");
1735 rename(buf[3], buf[4]);
1736 rename(dbfile, buf[0]);
1737 rename(buf[1], dbfile);
1738 goto err;
1739 }
1740 return 1;
1741
1742err:
1743 return 0;
1744}
1745
1746void
1747free_index(CA_DB *db)
1748{
1749 if (db) {
1750 if (db->db)
1751 TXT_DB_free(db->db);
1752 free(db);
1753 }
1754}
1755
1756int
1757parse_yesno(const char *str, int def)
1758{
1759 int ret = def;
1760
1761 if (str) {
1762 switch (*str) {
1763 case 'f': /* false */
1764 case 'F': /* FALSE */
1765 case 'n': /* no */
1766 case 'N': /* NO */
1767 case '0': /* 0 */
1768 ret = 0;
1769 break;
1770 case 't': /* true */
1771 case 'T': /* TRUE */
1772 case 'y': /* yes */
1773 case 'Y': /* YES */
1774 case '1': /* 1 */
1775 ret = 1;
1776 break;
1777 default:
1778 ret = def;
1779 break;
1780 }
1781 }
1782 return ret;
1783}
1784
1785/*
1786 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
1787 * where characters may be escaped by \
1788 */
1789X509_NAME *
1790parse_name(char *subject, long chtype, int multirdn)
1791{
1792 X509_NAME *name = NULL;
1793 size_t buflen, max_ne;
1794 char **ne_types, **ne_values;
1795 char *buf, *bp, *sp;
1796 int i, nid, ne_num = 0;
1797 int *mval;
1798
1799 /*
1800 * Buffer to copy the types and values into. Due to escaping the
1801 * copy can only become shorter.
1802 */
1803 buflen = strlen(subject) + 1;
1804 buf = malloc(buflen);
1805
1806 /* Maximum number of name elements. */
1807 max_ne = buflen / 2 + 1;
1808 ne_types = reallocarray(NULL, max_ne, sizeof(char *));
1809 ne_values = reallocarray(NULL, max_ne, sizeof(char *));
1810 mval = reallocarray(NULL, max_ne, sizeof(int));
1811
1812 if (buf == NULL || ne_types == NULL || ne_values == NULL ||
1813 mval == NULL) {
1814 BIO_printf(bio_err, "malloc error\n");
1815 goto error;
1816 }
1817
1818 bp = buf;
1819 sp = subject;
1820
1821 if (*subject != '/') {
1822 BIO_printf(bio_err, "Subject does not start with '/'.\n");
1823 goto error;
1824 }
1825
1826 /* Skip leading '/'. */
1827 sp++;
1828
1829 /* No multivalued RDN by default. */
1830 mval[ne_num] = 0;
1831
1832 while (*sp) {
1833 /* Collect type. */
1834 ne_types[ne_num] = bp;
1835 while (*sp) {
1836 /* is there anything to escape in the type...? */
1837 if (*sp == '\\') {
1838 if (*++sp)
1839 *bp++ = *sp++;
1840 else {
1841 BIO_printf(bio_err, "escape character "
1842 "at end of string\n");
1843 goto error;
1844 }
1845 } else if (*sp == '=') {
1846 sp++;
1847 *bp++ = '\0';
1848 break;
1849 } else
1850 *bp++ = *sp++;
1851 }
1852 if (!*sp) {
1853 BIO_printf(bio_err, "end of string encountered while "
1854 "processing type of subject name element #%d\n",
1855 ne_num);
1856 goto error;
1857 }
1858 ne_values[ne_num] = bp;
1859 while (*sp) {
1860 if (*sp == '\\') {
1861 if (*++sp)
1862 *bp++ = *sp++;
1863 else {
1864 BIO_printf(bio_err, "escape character "
1865 "at end of string\n");
1866 goto error;
1867 }
1868 } else if (*sp == '/') {
1869 sp++;
1870 /* no multivalued RDN by default */
1871 mval[ne_num + 1] = 0;
1872 break;
1873 } else if (*sp == '+' && multirdn) {
1874 /* a not escaped + signals a mutlivalued RDN */
1875 sp++;
1876 mval[ne_num + 1] = -1;
1877 break;
1878 } else
1879 *bp++ = *sp++;
1880 }
1881 *bp++ = '\0';
1882 ne_num++;
1883 }
1884
1885 if ((name = X509_NAME_new()) == NULL)
1886 goto error;
1887
1888 for (i = 0; i < ne_num; i++) {
1889 if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) {
1890 BIO_printf(bio_err,
1891 "Subject Attribute %s has no known NID, skipped\n",
1892 ne_types[i]);
1893 continue;
1894 }
1895 if (!*ne_values[i]) {
1896 BIO_printf(bio_err, "No value provided for Subject "
1897 "Attribute %s, skipped\n", ne_types[i]);
1898 continue;
1899 }
1900 if (!X509_NAME_add_entry_by_NID(name, nid, chtype,
1901 (unsigned char *) ne_values[i], -1, -1, mval[i]))
1902 goto error;
1903 }
1904 goto done;
1905
1906error:
1907 X509_NAME_free(name);
1908 name = NULL;
1909
1910done:
1911 free(ne_values);
1912 free(ne_types);
1913 free(mval);
1914 free(buf);
1915
1916 return name;
1917}
1918
1919int
1920args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
1921 X509_VERIFY_PARAM **pm)
1922{
1923 ASN1_OBJECT *otmp = NULL;
1924 unsigned long flags = 0;
1925 int i;
1926 int purpose = 0, depth = -1;
1927 char **oldargs = *pargs;
1928 char *arg = **pargs, *argn = (*pargs)[1];
1929 time_t at_time = 0;
1930 const char *errstr = NULL;
1931
1932 if (!strcmp(arg, "-policy")) {
1933 if (!argn)
1934 *badarg = 1;
1935 else {
1936 otmp = OBJ_txt2obj(argn, 0);
1937 if (!otmp) {
1938 BIO_printf(err, "Invalid Policy \"%s\"\n",
1939 argn);
1940 *badarg = 1;
1941 }
1942 }
1943 (*pargs)++;
1944 } else if (strcmp(arg, "-purpose") == 0) {
1945 X509_PURPOSE *xptmp;
1946 if (!argn)
1947 *badarg = 1;
1948 else {
1949 i = X509_PURPOSE_get_by_sname(argn);
1950 if (i < 0) {
1951 BIO_printf(err, "unrecognized purpose\n");
1952 *badarg = 1;
1953 } else {
1954 xptmp = X509_PURPOSE_get0(i);
1955 purpose = X509_PURPOSE_get_id(xptmp);
1956 }
1957 }
1958 (*pargs)++;
1959 } else if (strcmp(arg, "-verify_depth") == 0) {
1960 if (!argn)
1961 *badarg = 1;
1962 else {
1963 depth = strtonum(argn, 1, INT_MAX, &errstr);
1964 if (errstr) {
1965 BIO_printf(err, "invalid depth %s: %s\n",
1966 argn, errstr);
1967 *badarg = 1;
1968 }
1969 }
1970 (*pargs)++;
1971 } else if (strcmp(arg, "-attime") == 0) {
1972 if (!argn)
1973 *badarg = 1;
1974 else {
1975 long long timestamp;
1976 /*
1977 * interpret the -attime argument as seconds since
1978 * Epoch
1979 */
1980 if (sscanf(argn, "%lli", &timestamp) != 1) {
1981 BIO_printf(bio_err,
1982 "Error parsing timestamp %s\n",
1983 argn);
1984 *badarg = 1;
1985 }
1986 /* XXX 2038 truncation */
1987 at_time = (time_t) timestamp;
1988 }
1989 (*pargs)++;
1990 } else if (!strcmp(arg, "-ignore_critical"))
1991 flags |= X509_V_FLAG_IGNORE_CRITICAL;
1992 else if (!strcmp(arg, "-issuer_checks"))
1993 flags |= X509_V_FLAG_CB_ISSUER_CHECK;
1994 else if (!strcmp(arg, "-crl_check"))
1995 flags |= X509_V_FLAG_CRL_CHECK;
1996 else if (!strcmp(arg, "-crl_check_all"))
1997 flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
1998 else if (!strcmp(arg, "-policy_check"))
1999 flags |= X509_V_FLAG_POLICY_CHECK;
2000 else if (!strcmp(arg, "-explicit_policy"))
2001 flags |= X509_V_FLAG_EXPLICIT_POLICY;
2002 else if (!strcmp(arg, "-inhibit_any"))
2003 flags |= X509_V_FLAG_INHIBIT_ANY;
2004 else if (!strcmp(arg, "-inhibit_map"))
2005 flags |= X509_V_FLAG_INHIBIT_MAP;
2006 else if (!strcmp(arg, "-x509_strict"))
2007 flags |= X509_V_FLAG_X509_STRICT;
2008 else if (!strcmp(arg, "-extended_crl"))
2009 flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
2010 else if (!strcmp(arg, "-use_deltas"))
2011 flags |= X509_V_FLAG_USE_DELTAS;
2012 else if (!strcmp(arg, "-policy_print"))
2013 flags |= X509_V_FLAG_NOTIFY_POLICY;
2014 else if (!strcmp(arg, "-check_ss_sig"))
2015 flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
2016 else
2017 return 0;
2018
2019 if (*badarg) {
2020 if (*pm)
2021 X509_VERIFY_PARAM_free(*pm);
2022 *pm = NULL;
2023 goto end;
2024 }
2025 if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) {
2026 *badarg = 1;
2027 goto end;
2028 }
2029 if (otmp)
2030 X509_VERIFY_PARAM_add0_policy(*pm, otmp);
2031 if (flags)
2032 X509_VERIFY_PARAM_set_flags(*pm, flags);
2033
2034 if (purpose)
2035 X509_VERIFY_PARAM_set_purpose(*pm, purpose);
2036
2037 if (depth >= 0)
2038 X509_VERIFY_PARAM_set_depth(*pm, depth);
2039
2040 if (at_time)
2041 X509_VERIFY_PARAM_set_time(*pm, at_time);
2042
2043end:
2044 (*pargs)++;
2045
2046 if (pargc)
2047 *pargc -= *pargs - oldargs;
2048
2049 return 1;
2050}
2051
2052/* Read whole contents of a BIO into an allocated memory buffer and
2053 * return it.
2054 */
2055
2056int
2057bio_to_mem(unsigned char **out, int maxlen, BIO *in)
2058{
2059 BIO *mem;
2060 int len, ret;
2061 unsigned char tbuf[1024];
2062
2063 mem = BIO_new(BIO_s_mem());
2064 if (!mem)
2065 return -1;
2066 for (;;) {
2067 if ((maxlen != -1) && maxlen < 1024)
2068 len = maxlen;
2069 else
2070 len = 1024;
2071 len = BIO_read(in, tbuf, len);
2072 if (len <= 0)
2073 break;
2074 if (BIO_write(mem, tbuf, len) != len) {
2075 BIO_free(mem);
2076 return -1;
2077 }
2078 maxlen -= len;
2079
2080 if (maxlen == 0)
2081 break;
2082 }
2083 ret = BIO_get_mem_data(mem, (char **) out);
2084 BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
2085 BIO_free(mem);
2086 return ret;
2087}
2088
2089int
2090pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
2091{
2092 int rv;
2093 char *stmp, *vtmp = NULL;
2094
2095 stmp = BUF_strdup(value);
2096 if (!stmp)
2097 return -1;
2098 vtmp = strchr(stmp, ':');
2099 if (vtmp) {
2100 *vtmp = 0;
2101 vtmp++;
2102 }
2103 rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
2104 free(stmp);
2105
2106 return rv;
2107}
2108
2109static void
2110nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
2111{
2112 X509_POLICY_NODE *node;
2113 int i;
2114
2115 BIO_printf(out, "%s Policies:", name);
2116 if (nodes) {
2117 BIO_puts(out, "\n");
2118 for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
2119 node = sk_X509_POLICY_NODE_value(nodes, i);
2120 X509_POLICY_NODE_print(out, node, 2);
2121 }
2122 } else
2123 BIO_puts(out, " <empty>\n");
2124}
2125
2126void
2127policies_print(BIO *out, X509_STORE_CTX *ctx)
2128{
2129 X509_POLICY_TREE *tree;
2130 int explicit_policy;
2131 int free_out = 0;
2132
2133 if (out == NULL) {
2134 out = BIO_new_fp(stderr, BIO_NOCLOSE);
2135 free_out = 1;
2136 }
2137 tree = X509_STORE_CTX_get0_policy_tree(ctx);
2138 explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
2139
2140 BIO_printf(out, "Require explicit Policy: %s\n",
2141 explicit_policy ? "True" : "False");
2142
2143 nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
2144 nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
2145 if (free_out)
2146 BIO_free(out);
2147}
2148
2149#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2150/* next_protos_parse parses a comma separated list of strings into a string
2151 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
2152 * outlen: (output) set to the length of the resulting buffer on success.
2153 * err: (maybe NULL) on failure, an error message line is written to this BIO.
2154 * in: a NUL termianted string like "abc,def,ghi"
2155 *
2156 * returns: a malloced buffer or NULL on failure.
2157 */
2158unsigned char *
2159next_protos_parse(unsigned short *outlen, const char *in)
2160{
2161 size_t len;
2162 unsigned char *out;
2163 size_t i, start = 0;
2164
2165 len = strlen(in);
2166 if (len >= 65535)
2167 return NULL;
2168
2169 out = malloc(strlen(in) + 1);
2170 if (!out)
2171 return NULL;
2172
2173 for (i = 0; i <= len; ++i) {
2174 if (i == len || in[i] == ',') {
2175 if (i - start > 255) {
2176 free(out);
2177 return NULL;
2178 }
2179 out[start] = i - start;
2180 start = i + 1;
2181 } else
2182 out[i + 1] = in[i];
2183 }
2184
2185 *outlen = len + 1;
2186 return out;
2187}
2188#endif
2189/* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
2190
2191double
2192app_tminterval(int stop, int usertime)
2193{
2194 double ret = 0;
2195 struct tms rus;
2196 clock_t now = times(&rus);
2197 static clock_t tmstart;
2198
2199 if (usertime)
2200 now = rus.tms_utime;
2201
2202 if (stop == TM_START)
2203 tmstart = now;
2204 else {
2205 long int tck = sysconf(_SC_CLK_TCK);
2206 ret = (now - tmstart) / (double) tck;
2207 }
2208
2209 return (ret);
2210}
2211
2212int
2213app_isdir(const char *name)
2214{
2215 struct stat st;
2216
2217 if (stat(name, &st) == 0)
2218 return S_ISDIR(st.st_mode);
2219 return -1;
2220}
diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h
deleted file mode 100644
index 9d8725159b..0000000000
--- a/src/lib/libssl/src/apps/apps.h
+++ /dev/null
@@ -1,285 +0,0 @@
1/* $OpenBSD: apps.h,v 1.35 2014/07/11 09:24:44 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#ifndef HEADER_APPS_H
113#define HEADER_APPS_H
114
115#include <openssl/opensslconf.h>
116
117#include <openssl/bio.h>
118#include <openssl/conf.h>
119#include <openssl/lhash.h>
120#include <openssl/ossl_typ.h>
121#include <openssl/txt_db.h>
122#include <openssl/x509.h>
123
124#ifndef OPENSSL_NO_ENGINE
125#include <openssl/engine.h>
126#endif
127
128#ifndef OPENSSL_NO_OCSP
129#include <openssl/ocsp.h>
130#endif
131
132extern CONF *config;
133extern char *default_config_file;
134extern BIO *bio_err;
135
136typedef struct args_st {
137 char **data;
138 int count;
139} ARGS;
140
141#define PW_MIN_LENGTH 4
142typedef struct pw_cb_data {
143 const void *password;
144 const char *prompt_info;
145} PW_CB_DATA;
146
147int password_callback(char *buf, int bufsiz, int verify, void *cb_data);
148
149int setup_ui_method(void);
150void destroy_ui_method(void);
151
152int should_retry(int i);
153int args_from_file(char *file, int *argc, char **argv[]);
154int str2fmt(char *s);
155void program_name(char *in, char *out, int size);
156int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]);
157#ifdef HEADER_X509_H
158int dump_cert_text(BIO *out, X509 *x);
159void print_name(BIO *out, const char *title, X509_NAME *nm,
160 unsigned long lflags);
161#endif
162int set_cert_ex(unsigned long *flags, const char *arg);
163int set_name_ex(unsigned long *flags, const char *arg);
164int set_ext_copy(int *copy_type, const char *arg);
165int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
166int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
167int add_oid_section(BIO *err, CONF *conf);
168X509 *load_cert(BIO *err, const char *file, int format,
169 const char *pass, ENGINE *e, const char *cert_descrip);
170EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
171 const char *pass, ENGINE *e, const char *key_descrip);
172EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
173 const char *pass, ENGINE *e, const char *key_descrip);
174STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
175 const char *pass, ENGINE *e, const char *cert_descrip);
176STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
177 const char *pass, ENGINE *e, const char *cert_descrip);
178X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
179#ifndef OPENSSL_NO_ENGINE
180ENGINE *setup_engine(BIO *err, const char *engine, int debug);
181#endif
182
183#ifndef OPENSSL_NO_OCSP
184OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
185 char *host, char *path, char *port, int use_ssl,
186 STACK_OF(CONF_VALUE) *headers, int req_timeout);
187#endif
188
189int load_config(BIO *err, CONF *cnf);
190char *make_config_name(void);
191
192/* Functions defined in ca.c and also used in ocsp.c */
193int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
194 ASN1_GENERALIZEDTIME **pinvtm, const char *str);
195
196#define DB_type 0
197#define DB_exp_date 1
198#define DB_rev_date 2
199#define DB_serial 3 /* index - unique */
200#define DB_file 4
201#define DB_name 5 /* index - unique when active and not disabled */
202#define DB_NUMBER 6
203
204#define DB_TYPE_REV 'R'
205#define DB_TYPE_EXP 'E'
206#define DB_TYPE_VAL 'V'
207
208typedef struct db_attr_st {
209 int unique_subject;
210} DB_ATTR;
211typedef struct ca_db_st {
212 DB_ATTR attributes;
213 TXT_DB *db;
214} CA_DB;
215
216BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
217int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
218 ASN1_INTEGER **retai);
219int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
220int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
221CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
222int index_index(CA_DB *db);
223int save_index(const char *dbfile, const char *suffix, CA_DB *db);
224int rotate_index(const char *dbfile, const char *new_suffix,
225 const char *old_suffix);
226void free_index(CA_DB *db);
227#define index_name_cmp_noconst(a, b) \
228 index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
229 (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
230int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
231int parse_yesno(const char *str, int def);
232
233X509_NAME *parse_name(char *str, long chtype, int multirdn);
234int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
235 X509_VERIFY_PARAM **pm);
236void policies_print(BIO *out, X509_STORE_CTX *ctx);
237int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
238int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
239int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e,
240 int do_param);
241int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
242 STACK_OF(OPENSSL_STRING) *sigopts);
243int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
244 STACK_OF(OPENSSL_STRING) *sigopts);
245int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
246 STACK_OF(OPENSSL_STRING) *sigopts);
247
248#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
249unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
250#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
251
252#define FORMAT_UNDEF 0
253#define FORMAT_ASN1 1
254#define FORMAT_TEXT 2
255#define FORMAT_PEM 3
256#define FORMAT_NETSCAPE 4
257#define FORMAT_PKCS12 5
258#define FORMAT_SMIME 6
259#define FORMAT_ENGINE 7
260#define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid
261 * adding yet another param to load_*key() */
262#define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */
263#define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
264#define FORMAT_MSBLOB 11 /* MS Key blob format */
265#define FORMAT_PVK 12 /* MS PVK file format */
266
267#define EXT_COPY_NONE 0
268#define EXT_COPY_ADD 1
269#define EXT_COPY_ALL 2
270
271#define NETSCAPE_CERT_HDR "certificate"
272
273#define APP_PASS_LEN 1024
274
275#define SERIAL_RAND_BITS 64
276
277int app_isdir(const char *);
278
279#define TM_START 0
280#define TM_STOP 1
281double app_tminterval (int stop, int usertime);
282
283#define OPENSSL_NO_SSL_INTERN
284
285#endif
diff --git a/src/lib/libssl/src/apps/asn1pars.c b/src/lib/libssl/src/apps/asn1pars.c
deleted file mode 100644
index 6df27cd6d0..0000000000
--- a/src/lib/libssl/src/apps/asn1pars.c
+++ /dev/null
@@ -1,406 +0,0 @@
1/* $OpenBSD: asn1pars.c,v 1.27 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* A nice addition from Dr Stephen Henson <steve@openssl.org> to
60 * add the -strparse option which parses nested binary structures
61 */
62
63#include <stdio.h>
64#include <stdlib.h>
65#include <limits.h>
66#include <string.h>
67
68#include "apps.h"
69
70#include <openssl/err.h>
71#include <openssl/evp.h>
72#include <openssl/pem.h>
73#include <openssl/x509.h>
74
75/* -inform arg - input format - default PEM (DER or PEM)
76 * -in arg - input file - default stdin
77 * -i - indent the details by depth
78 * -offset - where in the file to start
79 * -length - how many bytes to use
80 * -oid file - extra oid description file
81 */
82
83int asn1parse_main(int, char **);
84
85static int do_generate(BIO * bio, char *genstr, char *genconf, BUF_MEM * buf);
86
87int
88asn1parse_main(int argc, char **argv)
89{
90 int i, badops = 0, offset = 0, ret = 1, j;
91 unsigned int length = 0;
92 long num, tmplen;
93 BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
94 int informat, indent = 0, noout = 0, dump = 0;
95 char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile = NULL;
96 char *genstr = NULL, *genconf = NULL;
97 const char *errstr = NULL;
98 unsigned char *tmpbuf;
99 const unsigned char *ctmpbuf;
100 BUF_MEM *buf = NULL;
101 STACK_OF(OPENSSL_STRING) * osk = NULL;
102 ASN1_TYPE *at = NULL;
103
104 informat = FORMAT_PEM;
105
106 prog = argv[0];
107 argc--;
108 argv++;
109 if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
110 BIO_printf(bio_err, "Memory allocation failure\n");
111 goto end;
112 }
113 while (argc >= 1) {
114 if (strcmp(*argv, "-inform") == 0) {
115 if (--argc < 1)
116 goto bad;
117 informat = str2fmt(*(++argv));
118 } else if (strcmp(*argv, "-in") == 0) {
119 if (--argc < 1)
120 goto bad;
121 infile = *(++argv);
122 } else if (strcmp(*argv, "-out") == 0) {
123 if (--argc < 1)
124 goto bad;
125 derfile = *(++argv);
126 } else if (strcmp(*argv, "-i") == 0) {
127 indent = 1;
128 } else if (strcmp(*argv, "-noout") == 0)
129 noout = 1;
130 else if (strcmp(*argv, "-oid") == 0) {
131 if (--argc < 1)
132 goto bad;
133 oidfile = *(++argv);
134 } else if (strcmp(*argv, "-offset") == 0) {
135 if (--argc < 1)
136 goto bad;
137 offset = strtonum(*(++argv), 0, INT_MAX, &errstr);
138 if (errstr)
139 goto bad;
140 } else if (strcmp(*argv, "-length") == 0) {
141 if (--argc < 1)
142 goto bad;
143 length = strtonum(*(++argv), 1, UINT_MAX, &errstr);
144 if (errstr)
145 goto bad;
146 } else if (strcmp(*argv, "-dump") == 0) {
147 dump = -1;
148 } else if (strcmp(*argv, "-dlimit") == 0) {
149 if (--argc < 1)
150 goto bad;
151 dump = strtonum(*(++argv), 1, INT_MAX, &errstr);
152 if (errstr)
153 goto bad;
154 } else if (strcmp(*argv, "-strparse") == 0) {
155 if (--argc < 1)
156 goto bad;
157 sk_OPENSSL_STRING_push(osk, *(++argv));
158 } else if (strcmp(*argv, "-genstr") == 0) {
159 if (--argc < 1)
160 goto bad;
161 genstr = *(++argv);
162 } else if (strcmp(*argv, "-genconf") == 0) {
163 if (--argc < 1)
164 goto bad;
165 genconf = *(++argv);
166 } else {
167 BIO_printf(bio_err, "unknown option %s\n", *argv);
168 badops = 1;
169 break;
170 }
171 argc--;
172 argv++;
173 }
174
175 if (badops) {
176bad:
177 BIO_printf(bio_err, "%s [options] <infile\n", prog);
178 BIO_printf(bio_err, "where options are\n");
179 BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
180 BIO_printf(bio_err, " -in arg input file\n");
181 BIO_printf(bio_err, " -out arg output file (output format is always DER\n");
182 BIO_printf(bio_err, " -noout arg don't produce any output\n");
183 BIO_printf(bio_err, " -offset arg offset into file\n");
184 BIO_printf(bio_err, " -length arg length of section in file\n");
185 BIO_printf(bio_err, " -i indent entries\n");
186 BIO_printf(bio_err, " -dump dump unknown data in hex form\n");
187 BIO_printf(bio_err, " -dlimit arg dump the first arg bytes of unknown data in hex form\n");
188 BIO_printf(bio_err, " -oid file file of extra oid definitions\n");
189 BIO_printf(bio_err, " -strparse offset\n");
190 BIO_printf(bio_err, " a series of these can be used to 'dig' into multiple\n");
191 BIO_printf(bio_err, " ASN1 blob wrappings\n");
192 BIO_printf(bio_err, " -genstr str string to generate ASN1 structure from\n");
193 BIO_printf(bio_err, " -genconf file file to generate ASN1 structure from\n");
194 goto end;
195 }
196 ERR_load_crypto_strings();
197
198 in = BIO_new(BIO_s_file());
199 out = BIO_new(BIO_s_file());
200 if ((in == NULL) || (out == NULL)) {
201 ERR_print_errors(bio_err);
202 goto end;
203 }
204 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
205
206 if (oidfile != NULL) {
207 if (BIO_read_filename(in, oidfile) <= 0) {
208 BIO_printf(bio_err, "problems opening %s\n", oidfile);
209 ERR_print_errors(bio_err);
210 goto end;
211 }
212 OBJ_create_objects(in);
213 }
214 if (infile == NULL)
215 BIO_set_fp(in, stdin, BIO_NOCLOSE);
216 else {
217 if (BIO_read_filename(in, infile) <= 0) {
218 perror(infile);
219 goto end;
220 }
221 }
222
223 if (derfile) {
224 if (!(derout = BIO_new_file(derfile, "wb"))) {
225 BIO_printf(bio_err, "problems opening %s\n", derfile);
226 ERR_print_errors(bio_err);
227 goto end;
228 }
229 }
230 if ((buf = BUF_MEM_new()) == NULL)
231 goto end;
232 if (!BUF_MEM_grow(buf, BUFSIZ * 8))
233 goto end; /* Pre-allocate :-) */
234
235 if (genstr || genconf) {
236 num = do_generate(bio_err, genstr, genconf, buf);
237 if (num < 0) {
238 ERR_print_errors(bio_err);
239 goto end;
240 }
241 } else {
242
243 if (informat == FORMAT_PEM) {
244 BIO *tmp;
245
246 if ((b64 = BIO_new(BIO_f_base64())) == NULL)
247 goto end;
248 BIO_push(b64, in);
249 tmp = in;
250 in = b64;
251 b64 = tmp;
252 }
253 num = 0;
254 for (;;) {
255 if (!BUF_MEM_grow(buf, (int) num + BUFSIZ))
256 goto end;
257 i = BIO_read(in, &(buf->data[num]), BUFSIZ);
258 if (i <= 0)
259 break;
260 num += i;
261 }
262 }
263 str = buf->data;
264
265 /* If any structs to parse go through in sequence */
266
267 if (sk_OPENSSL_STRING_num(osk)) {
268 tmpbuf = (unsigned char *) str;
269 tmplen = num;
270 for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) {
271 ASN1_TYPE *atmp;
272 int typ;
273 j = strtonum(sk_OPENSSL_STRING_value(osk, i),
274 1, INT_MAX, &errstr);
275 if (errstr) {
276 BIO_printf(bio_err,
277 "'%s' is an invalid number: %s\n",
278 sk_OPENSSL_STRING_value(osk, i), errstr);
279 continue;
280 }
281 tmpbuf += j;
282 tmplen -= j;
283 atmp = at;
284 ctmpbuf = tmpbuf;
285 at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
286 ASN1_TYPE_free(atmp);
287 if (!at) {
288 BIO_printf(bio_err, "Error parsing structure\n");
289 ERR_print_errors(bio_err);
290 goto end;
291 }
292 typ = ASN1_TYPE_get(at);
293 if ((typ == V_ASN1_OBJECT) ||
294 (typ == V_ASN1_NULL)) {
295 BIO_printf(bio_err, "Can't parse %s type\n",
296 typ == V_ASN1_NULL ? "NULL" : "OBJECT");
297 ERR_print_errors(bio_err);
298 goto end;
299 }
300 /* hmm... this is a little evil but it works */
301 tmpbuf = at->value.asn1_string->data;
302 tmplen = at->value.asn1_string->length;
303 }
304 str = (char *) tmpbuf;
305 num = tmplen;
306 }
307 if (offset >= num) {
308 BIO_printf(bio_err, "Error: offset too large\n");
309 goto end;
310 }
311 num -= offset;
312
313 if ((length == 0) || ((long) length > num))
314 length = (unsigned int) num;
315 if (derout) {
316 if (BIO_write(derout, str + offset, length) != (int) length) {
317 BIO_printf(bio_err, "Error writing output\n");
318 ERR_print_errors(bio_err);
319 goto end;
320 }
321 }
322 if (!noout &&
323 !ASN1_parse_dump(out, (unsigned char *) &(str[offset]), length,
324 indent, dump)) {
325 ERR_print_errors(bio_err);
326 goto end;
327 }
328 ret = 0;
329end:
330 BIO_free(derout);
331 if (in != NULL)
332 BIO_free(in);
333 if (out != NULL)
334 BIO_free_all(out);
335 if (b64 != NULL)
336 BIO_free(b64);
337 if (ret != 0)
338 ERR_print_errors(bio_err);
339 if (buf != NULL)
340 BUF_MEM_free(buf);
341 if (at != NULL)
342 ASN1_TYPE_free(at);
343 if (osk != NULL)
344 sk_OPENSSL_STRING_free(osk);
345 OBJ_cleanup();
346
347 return (ret);
348}
349
350static int
351do_generate(BIO * bio, char *genstr, char *genconf, BUF_MEM * buf)
352{
353 CONF *cnf = NULL;
354 int len;
355 long errline;
356 unsigned char *p;
357 ASN1_TYPE *atyp = NULL;
358
359 if (genconf) {
360 cnf = NCONF_new(NULL);
361 if (!NCONF_load(cnf, genconf, &errline))
362 goto conferr;
363 if (!genstr)
364 genstr = NCONF_get_string(cnf, "default", "asn1");
365 if (!genstr) {
366 BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
367 goto err;
368 }
369 }
370 atyp = ASN1_generate_nconf(genstr, cnf);
371 NCONF_free(cnf);
372 cnf = NULL;
373
374 if (!atyp)
375 return -1;
376
377 len = i2d_ASN1_TYPE(atyp, NULL);
378
379 if (len <= 0)
380 goto err;
381
382 if (!BUF_MEM_grow(buf, len))
383 goto err;
384
385 p = (unsigned char *) buf->data;
386
387 i2d_ASN1_TYPE(atyp, &p);
388
389 ASN1_TYPE_free(atyp);
390 return len;
391
392conferr:
393
394 if (errline > 0)
395 BIO_printf(bio, "Error on line %ld of config file '%s'\n",
396 errline, genconf);
397 else
398 BIO_printf(bio, "Error loading config file '%s'\n", genconf);
399
400err:
401 NCONF_free(cnf);
402 ASN1_TYPE_free(atyp);
403
404 return -1;
405
406}
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
deleted file mode 100644
index ccb32bca19..0000000000
--- a/src/lib/libssl/src/apps/ca.c
+++ /dev/null
@@ -1,2743 +0,0 @@
1/* $OpenBSD: ca.c,v 1.65 2014/07/29 08:51:49 blambert Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61#include <sys/types.h>
62
63#include <ctype.h>
64#include <stdio.h>
65#include <stdlib.h>
66#include <limits.h>
67#include <string.h>
68#include <unistd.h>
69
70#include "apps.h"
71
72#include <openssl/bio.h>
73#include <openssl/bn.h>
74#include <openssl/conf.h>
75#include <openssl/err.h>
76#include <openssl/evp.h>
77#include <openssl/objects.h>
78#include <openssl/ocsp.h>
79#include <openssl/pem.h>
80#include <openssl/txt_db.h>
81#include <openssl/x509.h>
82#include <openssl/x509v3.h>
83
84#define BASE_SECTION "ca"
85
86#define ENV_DEFAULT_CA "default_ca"
87
88#define STRING_MASK "string_mask"
89#define UTF8_IN "utf8"
90
91#define ENV_DIR "dir"
92#define ENV_CERTS "certs"
93#define ENV_CRL_DIR "crl_dir"
94#define ENV_CA_DB "CA_DB"
95#define ENV_NEW_CERTS_DIR "new_certs_dir"
96#define ENV_CERTIFICATE "certificate"
97#define ENV_SERIAL "serial"
98#define ENV_CRLNUMBER "crlnumber"
99#define ENV_CRL "crl"
100#define ENV_PRIVATE_KEY "private_key"
101#define ENV_DEFAULT_DAYS "default_days"
102#define ENV_DEFAULT_STARTDATE "default_startdate"
103#define ENV_DEFAULT_ENDDATE "default_enddate"
104#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
105#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
106#define ENV_DEFAULT_MD "default_md"
107#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
108#define ENV_PRESERVE "preserve"
109#define ENV_POLICY "policy"
110#define ENV_EXTENSIONS "x509_extensions"
111#define ENV_CRLEXT "crl_extensions"
112#define ENV_MSIE_HACK "msie_hack"
113#define ENV_NAMEOPT "name_opt"
114#define ENV_CERTOPT "cert_opt"
115#define ENV_EXTCOPY "copy_extensions"
116#define ENV_UNIQUE_SUBJECT "unique_subject"
117
118#define ENV_DATABASE "database"
119
120/* Additional revocation information types */
121
122#define REV_NONE 0 /* No addditional information */
123#define REV_CRL_REASON 1 /* Value is CRL reason code */
124#define REV_HOLD 2 /* Value is hold instruction */
125#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
126#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
127
128static const char *ca_usage[] = {
129 "usage: ca args\n",
130 "\n",
131 " -verbose - Talk a lot while doing things\n",
132 " -config file - A config file\n",
133 " -name arg - The particular CA definition to use\n",
134 " -gencrl - Generate a new CRL\n",
135 " -crldays days - Days is when the next CRL is due\n",
136 " -crlhours hours - Hours is when the next CRL is due\n",
137 " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
138 " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
139 " -days arg - number of days to certify the certificate for\n",
140 " -md arg - md to use, one of md2, md5, sha or sha1\n",
141 " -policy arg - The CA 'policy' to support\n",
142 " -keyfile arg - private key file\n",
143 " -keyform arg - private key file format (PEM or ENGINE)\n",
144 " -key arg - key to decode the private key if it is encrypted\n",
145 " -cert file - The CA certificate\n",
146 " -selfsign - sign a certificate with the key associated with it\n",
147 " -in file - The input PEM encoded certificate request(s)\n",
148 " -out file - Where to put the output file(s)\n",
149 " -outdir dir - Where to put output certificates\n",
150 " -infiles .... - The last argument, requests to process\n",
151 " -spkac file - File contains DN and signed public key and challenge\n",
152 " -ss_cert file - File contains a self signed cert to sign\n",
153 " -preserveDN - Don't re-order the DN\n",
154 " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
155 " -batch - Don't ask questions\n",
156 " -msie_hack - msie modifications to handle all those universal strings\n",
157 " -revoke file - Revoke a certificate (given in file)\n",
158 " -subj arg - Use arg instead of request's subject\n",
159 " -utf8 - input characters are UTF8 (default ASCII)\n",
160 " -multivalue-rdn - enable support for multivalued RDNs\n",
161 " -extensions .. - Extension section (override value in config file)\n",
162 " -extfile file - Configuration file with X509v3 extentions to add\n",
163 " -crlexts .. - CRL extension section (override value in config file)\n",
164#ifndef OPENSSL_NO_ENGINE
165 " -engine e - use engine e, possibly a hardware device.\n",
166#endif
167 " -status serial - Shows certificate status given the serial number\n",
168 " -updatedb - Updates db for expired certificates\n",
169 NULL
170};
171
172static void lookup_fail(const char *name, const char *tag);
173static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
174 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
175 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
176 unsigned long chtype, int multirdn, int email_dn, char *startdate,
177 char *enddate, long days, int batch, char *ext_sect, CONF * conf,
178 int verbose, unsigned long certopt, unsigned long nameopt,
179 int default_op, int ext_copy, int selfsign);
180static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
181 X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
182 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
183 unsigned long chtype, int multirdn, int email_dn, char *startdate,
184 char *enddate, long days, int batch, char *ext_sect, CONF * conf,
185 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
186 int ext_copy, ENGINE * e);
187static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
188 X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
189 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
190 unsigned long chtype, int multirdn, int email_dn, char *startdate,
191 char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
192 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
193static void write_new_certificate(BIO * bp, X509 * x, int output_der,
194 int notext);
195static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
196 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
197 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
198 unsigned long chtype, int multirdn, int email_dn, char *startdate,
199 char *enddate, long days, int batch, int verbose, X509_REQ * req,
200 char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
201 int default_op, int ext_copy, int selfsign);
202static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
203static int get_certificate_status(const char *ser_status, CA_DB * db);
204static int do_updatedb(CA_DB * db);
205static int check_time_format(const char *str);
206static char * bin2hex(unsigned char *, size_t);
207char *make_revocation_str(int rev_type, char *rev_arg);
208int make_revoked(X509_REVOKED * rev, const char *str);
209int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
210static CONF *conf = NULL;
211static CONF *extconf = NULL;
212static char *section = NULL;
213
214static int preserve = 0;
215static int msie_hack = 0;
216
217
218int ca_main(int, char **);
219
220int
221ca_main(int argc, char **argv)
222{
223 ENGINE *e = NULL;
224 char *key = NULL, *passargin = NULL;
225 int create_ser = 0;
226 int free_key = 0;
227 int total = 0;
228 int total_done = 0;
229 int badops = 0;
230 int ret = 1;
231 int email_dn = 1;
232 int req = 0;
233 int verbose = 0;
234 int gencrl = 0;
235 int dorevoke = 0;
236 int doupdatedb = 0;
237 long crldays = 0;
238 long crlhours = 0;
239 long crlsec = 0;
240 long errorline = -1;
241 char *configfile = NULL;
242 char *md = NULL;
243 char *policy = NULL;
244 char *keyfile = NULL;
245 char *certfile = NULL;
246 int keyform = FORMAT_PEM;
247 char *infile = NULL;
248 char *spkac_file = NULL;
249 char *ss_cert_file = NULL;
250 char *ser_status = NULL;
251 EVP_PKEY *pkey = NULL;
252 int output_der = 0;
253 char *outfile = NULL;
254 char *outdir = NULL;
255 char *serialfile = NULL;
256 char *crlnumberfile = NULL;
257 char *extensions = NULL;
258 char *extfile = NULL;
259 char *subj = NULL;
260 unsigned long chtype = MBSTRING_ASC;
261 int multirdn = 0;
262 char *tmp_email_dn = NULL;
263 char *crl_ext = NULL;
264 int rev_type = REV_NONE;
265 char *rev_arg = NULL;
266 BIGNUM *serial = NULL;
267 BIGNUM *crlnumber = NULL;
268 char *startdate = NULL;
269 char *enddate = NULL;
270 long days = 0;
271 int batch = 0;
272 int notext = 0;
273 unsigned long nameopt = 0, certopt = 0;
274 int default_op = 1;
275 int ext_copy = EXT_COPY_NONE;
276 int selfsign = 0;
277 X509 *x509 = NULL, *x509p = NULL;
278 X509 *x = NULL;
279 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
280 char *dbfile = NULL;
281 CA_DB *db = NULL;
282 X509_CRL *crl = NULL;
283 X509_REVOKED *r = NULL;
284 ASN1_TIME *tmptm;
285 ASN1_INTEGER *tmpser;
286 char *f;
287 const char *p;
288 char *const * pp;
289 int i, j;
290 const EVP_MD *dgst = NULL;
291 STACK_OF(CONF_VALUE) * attribs = NULL;
292 STACK_OF(X509) * cert_sk = NULL;
293 STACK_OF(OPENSSL_STRING) * sigopts = NULL;
294#define BSIZE 256
295 char buf[3][BSIZE];
296#ifndef OPENSSL_NO_ENGINE
297 char *engine = NULL;
298#endif
299 char *tofree = NULL;
300 const char *errstr = NULL;
301 DB_ATTR db_attr;
302
303 conf = NULL;
304 key = NULL;
305 section = NULL;
306
307 preserve = 0;
308 msie_hack = 0;
309
310 argc--;
311 argv++;
312 while (argc >= 1) {
313 if (strcmp(*argv, "-verbose") == 0)
314 verbose = 1;
315 else if (strcmp(*argv, "-config") == 0) {
316 if (--argc < 1)
317 goto bad;
318 configfile = *(++argv);
319 } else if (strcmp(*argv, "-name") == 0) {
320 if (--argc < 1)
321 goto bad;
322 section = *(++argv);
323 } else if (strcmp(*argv, "-subj") == 0) {
324 if (--argc < 1)
325 goto bad;
326 subj = *(++argv);
327 /* preserve=1; */
328 } else if (strcmp(*argv, "-utf8") == 0)
329 chtype = MBSTRING_UTF8;
330 else if (strcmp(*argv, "-create_serial") == 0)
331 create_ser = 1;
332 else if (strcmp(*argv, "-multivalue-rdn") == 0)
333 multirdn = 1;
334 else if (strcmp(*argv, "-startdate") == 0) {
335 if (--argc < 1)
336 goto bad;
337 startdate = *(++argv);
338 } else if (strcmp(*argv, "-enddate") == 0) {
339 if (--argc < 1)
340 goto bad;
341 enddate = *(++argv);
342 } else if (strcmp(*argv, "-days") == 0) {
343 if (--argc < 1)
344 goto bad;
345 days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
346 if (errstr)
347 goto bad;
348 } else if (strcmp(*argv, "-md") == 0) {
349 if (--argc < 1)
350 goto bad;
351 md = *(++argv);
352 } else if (strcmp(*argv, "-policy") == 0) {
353 if (--argc < 1)
354 goto bad;
355 policy = *(++argv);
356 } else if (strcmp(*argv, "-keyfile") == 0) {
357 if (--argc < 1)
358 goto bad;
359 keyfile = *(++argv);
360 } else if (strcmp(*argv, "-keyform") == 0) {
361 if (--argc < 1)
362 goto bad;
363 keyform = str2fmt(*(++argv));
364 } else if (strcmp(*argv, "-passin") == 0) {
365 if (--argc < 1)
366 goto bad;
367 passargin = *(++argv);
368 } else if (strcmp(*argv, "-key") == 0) {
369 if (--argc < 1)
370 goto bad;
371 key = *(++argv);
372 } else if (strcmp(*argv, "-cert") == 0) {
373 if (--argc < 1)
374 goto bad;
375 certfile = *(++argv);
376 } else if (strcmp(*argv, "-selfsign") == 0)
377 selfsign = 1;
378 else if (strcmp(*argv, "-in") == 0) {
379 if (--argc < 1)
380 goto bad;
381 infile = *(++argv);
382 req = 1;
383 } else if (strcmp(*argv, "-out") == 0) {
384 if (--argc < 1)
385 goto bad;
386 outfile = *(++argv);
387 } else if (strcmp(*argv, "-outdir") == 0) {
388 if (--argc < 1)
389 goto bad;
390 outdir = *(++argv);
391 } else if (strcmp(*argv, "-sigopt") == 0) {
392 if (--argc < 1)
393 goto bad;
394 if (!sigopts)
395 sigopts = sk_OPENSSL_STRING_new_null();
396 if (!sigopts ||
397 !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
398 goto bad;
399 } else if (strcmp(*argv, "-notext") == 0)
400 notext = 1;
401 else if (strcmp(*argv, "-batch") == 0)
402 batch = 1;
403 else if (strcmp(*argv, "-preserveDN") == 0)
404 preserve = 1;
405 else if (strcmp(*argv, "-noemailDN") == 0)
406 email_dn = 0;
407 else if (strcmp(*argv, "-gencrl") == 0)
408 gencrl = 1;
409 else if (strcmp(*argv, "-msie_hack") == 0)
410 msie_hack = 1;
411 else if (strcmp(*argv, "-crldays") == 0) {
412 if (--argc < 1)
413 goto bad;
414 crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
415 if (errstr)
416 goto bad;
417 } else if (strcmp(*argv, "-crlhours") == 0) {
418 if (--argc < 1)
419 goto bad;
420 crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
421 if (errstr)
422 goto bad;
423 } else if (strcmp(*argv, "-crlsec") == 0) {
424 if (--argc < 1)
425 goto bad;
426 crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
427 if (errstr)
428 goto bad;
429 } else if (strcmp(*argv, "-infiles") == 0) {
430 argc--;
431 argv++;
432 req = 1;
433 break;
434 } else if (strcmp(*argv, "-ss_cert") == 0) {
435 if (--argc < 1)
436 goto bad;
437 ss_cert_file = *(++argv);
438 req = 1;
439 } else if (strcmp(*argv, "-spkac") == 0) {
440 if (--argc < 1)
441 goto bad;
442 spkac_file = *(++argv);
443 req = 1;
444 } else if (strcmp(*argv, "-revoke") == 0) {
445 if (--argc < 1)
446 goto bad;
447 infile = *(++argv);
448 dorevoke = 1;
449 } else if (strcmp(*argv, "-extensions") == 0) {
450 if (--argc < 1)
451 goto bad;
452 extensions = *(++argv);
453 } else if (strcmp(*argv, "-extfile") == 0) {
454 if (--argc < 1)
455 goto bad;
456 extfile = *(++argv);
457 } else if (strcmp(*argv, "-status") == 0) {
458 if (--argc < 1)
459 goto bad;
460 ser_status = *(++argv);
461 } else if (strcmp(*argv, "-updatedb") == 0) {
462 doupdatedb = 1;
463 } else if (strcmp(*argv, "-crlexts") == 0) {
464 if (--argc < 1)
465 goto bad;
466 crl_ext = *(++argv);
467 } else if (strcmp(*argv, "-crl_reason") == 0) {
468 if (--argc < 1)
469 goto bad;
470 rev_arg = *(++argv);
471 rev_type = REV_CRL_REASON;
472 } else if (strcmp(*argv, "-crl_hold") == 0) {
473 if (--argc < 1)
474 goto bad;
475 rev_arg = *(++argv);
476 rev_type = REV_HOLD;
477 } else if (strcmp(*argv, "-crl_compromise") == 0) {
478 if (--argc < 1)
479 goto bad;
480 rev_arg = *(++argv);
481 rev_type = REV_KEY_COMPROMISE;
482 } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
483 if (--argc < 1)
484 goto bad;
485 rev_arg = *(++argv);
486 rev_type = REV_CA_COMPROMISE;
487 }
488#ifndef OPENSSL_NO_ENGINE
489 else if (strcmp(*argv, "-engine") == 0) {
490 if (--argc < 1)
491 goto bad;
492 engine = *(++argv);
493 }
494#endif
495 else {
496bad:
497 if (errstr)
498 BIO_printf(bio_err, "invalid argument %s: %s\n",
499 *argv, errstr);
500 else
501 BIO_printf(bio_err, "unknown option %s\n", *argv);
502 badops = 1;
503 break;
504 }
505 argc--;
506 argv++;
507 }
508
509 if (badops) {
510 const char **pp2;
511
512 for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
513 BIO_printf(bio_err, "%s", *pp2);
514 goto err;
515 }
516 ERR_load_crypto_strings();
517
518 /*****************************************************************/
519 tofree = NULL;
520 if (configfile == NULL)
521 configfile = getenv("OPENSSL_CONF");
522 if (configfile == NULL)
523 configfile = getenv("SSLEAY_CONF");
524 if (configfile == NULL) {
525 if ((tofree = make_config_name()) == NULL) {
526 BIO_printf(bio_err, "error making config file name\n");
527 goto err;
528 }
529 configfile = tofree;
530 }
531 BIO_printf(bio_err, "Using configuration from %s\n", configfile);
532 conf = NCONF_new(NULL);
533 if (NCONF_load(conf, configfile, &errorline) <= 0) {
534 if (errorline <= 0)
535 BIO_printf(bio_err,
536 "error loading the config file '%s'\n",
537 configfile);
538 else
539 BIO_printf(bio_err,
540 "error on line %ld of config file '%s'\n",
541 errorline, configfile);
542 goto err;
543 }
544 free(tofree);
545 tofree = NULL;
546
547#ifndef OPENSSL_NO_ENGINE
548 e = setup_engine(bio_err, engine, 0);
549#endif
550
551 /* Lets get the config section we are using */
552 if (section == NULL) {
553 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
554 if (section == NULL) {
555 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
556 goto err;
557 }
558 }
559 if (conf != NULL) {
560 p = NCONF_get_string(conf, NULL, "oid_file");
561 if (p == NULL)
562 ERR_clear_error();
563 if (p != NULL) {
564 BIO *oid_bio;
565
566 oid_bio = BIO_new_file(p, "r");
567 if (oid_bio == NULL) {
568 /*
569 BIO_printf(bio_err,
570 "problems opening %s for extra oid's\n", p);
571 ERR_print_errors(bio_err);
572 */
573 ERR_clear_error();
574 } else {
575 OBJ_create_objects(oid_bio);
576 BIO_free(oid_bio);
577 }
578 }
579 if (!add_oid_section(bio_err, conf)) {
580 ERR_print_errors(bio_err);
581 goto err;
582 }
583 }
584 f = NCONF_get_string(conf, section, STRING_MASK);
585 if (!f)
586 ERR_clear_error();
587
588 if (f && !ASN1_STRING_set_default_mask_asc(f)) {
589 BIO_printf(bio_err,
590 "Invalid global string mask setting %s\n", f);
591 goto err;
592 }
593 if (chtype != MBSTRING_UTF8) {
594 f = NCONF_get_string(conf, section, UTF8_IN);
595 if (!f)
596 ERR_clear_error();
597 else if (!strcmp(f, "yes"))
598 chtype = MBSTRING_UTF8;
599 }
600 db_attr.unique_subject = 1;
601 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
602 if (p) {
603 db_attr.unique_subject = parse_yesno(p, 1);
604 } else
605 ERR_clear_error();
606
607 in = BIO_new(BIO_s_file());
608 out = BIO_new(BIO_s_file());
609 Sout = BIO_new(BIO_s_file());
610 Cout = BIO_new(BIO_s_file());
611 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
612 ERR_print_errors(bio_err);
613 goto err;
614 }
615 /*****************************************************************/
616 /* report status of cert with serial number given on command line */
617 if (ser_status) {
618 if ((dbfile = NCONF_get_string(conf, section,
619 ENV_DATABASE)) == NULL) {
620 lookup_fail(section, ENV_DATABASE);
621 goto err;
622 }
623 db = load_index(dbfile, &db_attr);
624 if (db == NULL)
625 goto err;
626
627 if (!index_index(db))
628 goto err;
629
630 if (get_certificate_status(ser_status, db) != 1)
631 BIO_printf(bio_err, "Error verifying serial %s!\n",
632 ser_status);
633 goto err;
634 }
635 /*****************************************************************/
636 /* we definitely need a private key, so let's get it */
637
638 if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
639 section, ENV_PRIVATE_KEY)) == NULL)) {
640 lookup_fail(section, ENV_PRIVATE_KEY);
641 goto err;
642 }
643 if (!key) {
644 free_key = 1;
645 if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
646 BIO_printf(bio_err, "Error getting password\n");
647 goto err;
648 }
649 }
650 pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
651 if (key)
652 OPENSSL_cleanse(key, strlen(key));
653 if (pkey == NULL) {
654 /* load_key() has already printed an appropriate message */
655 goto err;
656 }
657 /*****************************************************************/
658 /* we need a certificate */
659 if (!selfsign || spkac_file || ss_cert_file || gencrl) {
660 if ((certfile == NULL) &&
661 ((certfile = NCONF_get_string(conf,
662 section, ENV_CERTIFICATE)) == NULL)) {
663 lookup_fail(section, ENV_CERTIFICATE);
664 goto err;
665 }
666 x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
667 "CA certificate");
668 if (x509 == NULL)
669 goto err;
670
671 if (!X509_check_private_key(x509, pkey)) {
672 BIO_printf(bio_err,
673 "CA certificate and CA private key do not match\n");
674 goto err;
675 }
676 }
677 if (!selfsign)
678 x509p = x509;
679
680 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
681 if (f == NULL)
682 ERR_clear_error();
683 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
684 preserve = 1;
685 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
686 if (f == NULL)
687 ERR_clear_error();
688 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
689 msie_hack = 1;
690
691 f = NCONF_get_string(conf, section, ENV_NAMEOPT);
692
693 if (f) {
694 if (!set_name_ex(&nameopt, f)) {
695 BIO_printf(bio_err,
696 "Invalid name options: \"%s\"\n", f);
697 goto err;
698 }
699 default_op = 0;
700 } else
701 ERR_clear_error();
702
703 f = NCONF_get_string(conf, section, ENV_CERTOPT);
704
705 if (f) {
706 if (!set_cert_ex(&certopt, f)) {
707 BIO_printf(bio_err,
708 "Invalid certificate options: \"%s\"\n", f);
709 goto err;
710 }
711 default_op = 0;
712 } else
713 ERR_clear_error();
714
715 f = NCONF_get_string(conf, section, ENV_EXTCOPY);
716
717 if (f) {
718 if (!set_ext_copy(&ext_copy, f)) {
719 BIO_printf(bio_err,
720 "Invalid extension copy option: \"%s\"\n", f);
721 goto err;
722 }
723 } else
724 ERR_clear_error();
725
726 /*****************************************************************/
727 /* lookup where to write new certificates */
728 if ((outdir == NULL) && (req)) {
729
730 if ((outdir = NCONF_get_string(conf, section,
731 ENV_NEW_CERTS_DIR)) == NULL) {
732 BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n");
733 goto err;
734 }
735 /*
736 * outdir is a directory spec, but access() for VMS demands a
737 * filename. In any case, stat(), below, will catch the
738 * problem if outdir is not a directory spec, and the fopen()
739 * or open() will catch an error if there is no write access.
740 *
741 * Presumably, this problem could also be solved by using the
742 * DEC C routines to convert the directory syntax to Unixly,
743 * and give that to access(). However, time's too short to
744 * do that just now.
745 */
746 if (access(outdir, R_OK | W_OK | X_OK) != 0) {
747 BIO_printf(bio_err,
748 "I am unable to access the %s directory\n", outdir);
749 perror(outdir);
750 goto err;
751 }
752 if (app_isdir(outdir) <= 0) {
753 BIO_printf(bio_err,
754 "%s need to be a directory\n", outdir);
755 perror(outdir);
756 goto err;
757 }
758 }
759 /*****************************************************************/
760 /* we need to load the database file */
761 if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
762 lookup_fail(section, ENV_DATABASE);
763 goto err;
764 }
765 db = load_index(dbfile, &db_attr);
766 if (db == NULL)
767 goto err;
768
769 /* Lets check some fields */
770 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
771 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
772 if ((pp[DB_type][0] != DB_TYPE_REV) &&
773 (pp[DB_rev_date][0] != '\0')) {
774 BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1);
775 goto err;
776 }
777 if ((pp[DB_type][0] == DB_TYPE_REV) &&
778 !make_revoked(NULL, pp[DB_rev_date])) {
779 BIO_printf(bio_err, " in entry %d\n", i + 1);
780 goto err;
781 }
782 if (!check_time_format((char *) pp[DB_exp_date])) {
783 BIO_printf(bio_err, "entry %d: invalid expiry date\n",
784 i + 1);
785 goto err;
786 }
787 p = pp[DB_serial];
788 j = strlen(p);
789 if (*p == '-') {
790 p++;
791 j--;
792 }
793 if ((j & 1) || (j < 2)) {
794 BIO_printf(bio_err,
795 "entry %d: bad serial number length (%d)\n",
796 i + 1, j);
797 goto err;
798 }
799 while (*p) {
800 if (!(((*p >= '0') && (*p <= '9')) ||
801 ((*p >= 'A') && (*p <= 'F')) ||
802 ((*p >= 'a') && (*p <= 'f')))) {
803 BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
804 goto err;
805 }
806 p++;
807 }
808 }
809 if (verbose) {
810 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
811 TXT_DB_write(out, db->db);
812 BIO_printf(bio_err, "%d entries loaded from the database\n",
813 sk_OPENSSL_PSTRING_num(db->db->data));
814 BIO_printf(bio_err, "generating index\n");
815 }
816 if (!index_index(db))
817 goto err;
818
819 /*****************************************************************/
820 /* Update the db file for expired certificates */
821 if (doupdatedb) {
822 if (verbose)
823 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
824
825 i = do_updatedb(db);
826 if (i == -1) {
827 BIO_printf(bio_err, "Malloc failure\n");
828 goto err;
829 } else if (i == 0) {
830 if (verbose)
831 BIO_printf(bio_err,
832 "No entries found to mark expired\n");
833 } else {
834 if (!save_index(dbfile, "new", db))
835 goto err;
836
837 if (!rotate_index(dbfile, "new", "old"))
838 goto err;
839
840 if (verbose)
841 BIO_printf(bio_err,
842 "Done. %d entries marked as expired\n", i);
843 }
844 }
845 /*****************************************************************/
846 /* Read extentions config file */
847 if (extfile) {
848 extconf = NCONF_new(NULL);
849 if (NCONF_load(extconf, extfile, &errorline) <= 0) {
850 if (errorline <= 0)
851 BIO_printf(bio_err,
852 "ERROR: loading the config file '%s'\n",
853 extfile);
854 else
855 BIO_printf(bio_err,
856 "ERROR: on line %ld of config file '%s'\n",
857 errorline, extfile);
858 ret = 1;
859 goto err;
860 }
861 if (verbose)
862 BIO_printf(bio_err,
863 "Successfully loaded extensions file %s\n",
864 extfile);
865
866 /* We can have sections in the ext file */
867 if (!extensions && !(extensions = NCONF_get_string(extconf,
868 "default", "extensions")))
869 extensions = "default";
870 }
871 /*****************************************************************/
872 if (req || gencrl) {
873 if (outfile != NULL) {
874 if (BIO_write_filename(Sout, outfile) <= 0) {
875 perror(outfile);
876 goto err;
877 }
878 } else {
879 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
880 }
881 }
882 if ((md == NULL) && ((md = NCONF_get_string(conf, section,
883 ENV_DEFAULT_MD)) == NULL)) {
884 lookup_fail(section, ENV_DEFAULT_MD);
885 goto err;
886 }
887 if (!strcmp(md, "default")) {
888 int def_nid;
889 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
890 BIO_puts(bio_err, "no default digest\n");
891 goto err;
892 }
893 md = (char *) OBJ_nid2sn(def_nid);
894 }
895 if ((dgst = EVP_get_digestbyname(md)) == NULL) {
896 BIO_printf(bio_err,
897 "%s is an unsupported message digest type\n", md);
898 goto err;
899 }
900 if (req) {
901 if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
902 section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
903 if (strcmp(tmp_email_dn, "no") == 0)
904 email_dn = 0;
905 }
906 if (verbose)
907 BIO_printf(bio_err, "message digest is %s\n",
908 OBJ_nid2ln(dgst->type));
909 if ((policy == NULL) && ((policy = NCONF_get_string(conf,
910 section, ENV_POLICY)) == NULL)) {
911 lookup_fail(section, ENV_POLICY);
912 goto err;
913 }
914 if (verbose)
915 BIO_printf(bio_err, "policy is %s\n", policy);
916
917 if ((serialfile = NCONF_get_string(conf, section,
918 ENV_SERIAL)) == NULL) {
919 lookup_fail(section, ENV_SERIAL);
920 goto err;
921 }
922 if (!extconf) {
923 /*
924 * no '-extfile' option, so we look for extensions in
925 * the main configuration file
926 */
927 if (!extensions) {
928 extensions = NCONF_get_string(conf, section,
929 ENV_EXTENSIONS);
930 if (!extensions)
931 ERR_clear_error();
932 }
933 if (extensions) {
934 /* Check syntax of file */
935 X509V3_CTX ctx;
936 X509V3_set_ctx_test(&ctx);
937 X509V3_set_nconf(&ctx, conf);
938 if (!X509V3_EXT_add_nconf(conf, &ctx,
939 extensions, NULL)) {
940 BIO_printf(bio_err,
941 "Error Loading extension section %s\n",
942 extensions);
943 ret = 1;
944 goto err;
945 }
946 }
947 }
948 if (startdate == NULL) {
949 startdate = NCONF_get_string(conf, section,
950 ENV_DEFAULT_STARTDATE);
951 if (startdate == NULL)
952 ERR_clear_error();
953 }
954 if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
955 BIO_printf(bio_err, "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
956 goto err;
957 }
958 if (startdate == NULL)
959 startdate = "today";
960
961 if (enddate == NULL) {
962 enddate = NCONF_get_string(conf, section,
963 ENV_DEFAULT_ENDDATE);
964 if (enddate == NULL)
965 ERR_clear_error();
966 }
967 if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
968 BIO_printf(bio_err, "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
969 goto err;
970 }
971 if (days == 0) {
972 if (!NCONF_get_number(conf, section,
973 ENV_DEFAULT_DAYS, &days))
974 days = 0;
975 }
976 if (!enddate && (days == 0)) {
977 BIO_printf(bio_err,
978 "cannot lookup how many days to certify for\n");
979 goto err;
980 }
981 if ((serial = load_serial(serialfile, create_ser, NULL)) ==
982 NULL) {
983 BIO_printf(bio_err,
984 "error while loading serial number\n");
985 goto err;
986 }
987 if (verbose) {
988 if (BN_is_zero(serial))
989 BIO_printf(bio_err,
990 "next serial number is 00\n");
991 else {
992 if ((f = BN_bn2hex(serial)) == NULL)
993 goto err;
994 BIO_printf(bio_err,
995 "next serial number is %s\n", f);
996 free(f);
997 }
998 }
999 if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
1000 BIO_printf(bio_err,
1001 "unable to find 'section' for %s\n", policy);
1002 goto err;
1003 }
1004 if ((cert_sk = sk_X509_new_null()) == NULL) {
1005 BIO_printf(bio_err, "Memory allocation failure\n");
1006 goto err;
1007 }
1008 if (spkac_file != NULL) {
1009 total++;
1010 j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
1011 sigopts, attribs, db, serial, subj, chtype,
1012 multirdn, email_dn, startdate, enddate, days,
1013 extensions, conf, verbose, certopt, nameopt,
1014 default_op, ext_copy);
1015 if (j < 0)
1016 goto err;
1017 if (j > 0) {
1018 total_done++;
1019 BIO_printf(bio_err, "\n");
1020 if (!BN_add_word(serial, 1))
1021 goto err;
1022 if (!sk_X509_push(cert_sk, x)) {
1023 BIO_printf(bio_err,
1024 "Memory allocation failure\n");
1025 goto err;
1026 }
1027 if (outfile) {
1028 output_der = 1;
1029 batch = 1;
1030 }
1031 }
1032 }
1033 if (ss_cert_file != NULL) {
1034 total++;
1035 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
1036 sigopts, attribs, db, serial, subj, chtype,
1037 multirdn, email_dn, startdate, enddate, days, batch,
1038 extensions, conf, verbose, certopt, nameopt,
1039 default_op, ext_copy, e);
1040 if (j < 0)
1041 goto err;
1042 if (j > 0) {
1043 total_done++;
1044 BIO_printf(bio_err, "\n");
1045 if (!BN_add_word(serial, 1))
1046 goto err;
1047 if (!sk_X509_push(cert_sk, x)) {
1048 BIO_printf(bio_err,
1049 "Memory allocation failure\n");
1050 goto err;
1051 }
1052 }
1053 }
1054 if (infile != NULL) {
1055 total++;
1056 j = certify(&x, infile, pkey, x509p, dgst, sigopts,
1057 attribs, db, serial, subj, chtype, multirdn,
1058 email_dn, startdate, enddate, days, batch,
1059 extensions, conf, verbose, certopt, nameopt,
1060 default_op, ext_copy, selfsign);
1061 if (j < 0)
1062 goto err;
1063 if (j > 0) {
1064 total_done++;
1065 BIO_printf(bio_err, "\n");
1066 if (!BN_add_word(serial, 1))
1067 goto err;
1068 if (!sk_X509_push(cert_sk, x)) {
1069 BIO_printf(bio_err,
1070 "Memory allocation failure\n");
1071 goto err;
1072 }
1073 }
1074 }
1075 for (i = 0; i < argc; i++) {
1076 total++;
1077 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
1078 attribs, db, serial, subj, chtype, multirdn,
1079 email_dn, startdate, enddate, days, batch,
1080 extensions, conf, verbose, certopt, nameopt,
1081 default_op, ext_copy, selfsign);
1082 if (j < 0)
1083 goto err;
1084 if (j > 0) {
1085 total_done++;
1086 BIO_printf(bio_err, "\n");
1087 if (!BN_add_word(serial, 1))
1088 goto err;
1089 if (!sk_X509_push(cert_sk, x)) {
1090 BIO_printf(bio_err,
1091 "Memory allocation failure\n");
1092 goto err;
1093 }
1094 }
1095 }
1096 /*
1097 * we have a stack of newly certified certificates and a data
1098 * base and serial number that need updating
1099 */
1100
1101 if (sk_X509_num(cert_sk) > 0) {
1102 if (!batch) {
1103 BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
1104 (void) BIO_flush(bio_err);
1105 buf[0][0] = '\0';
1106 if (!fgets(buf[0], 10, stdin)) {
1107 BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1108 ret = 0;
1109 goto err;
1110 }
1111 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) {
1112 BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1113 ret = 0;
1114 goto err;
1115 }
1116 }
1117 BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk));
1118
1119 if (!save_serial(serialfile, "new", serial, NULL))
1120 goto err;
1121
1122 if (!save_index(dbfile, "new", db))
1123 goto err;
1124 }
1125 if (verbose)
1126 BIO_printf(bio_err, "writing new certificates\n");
1127 for (i = 0; i < sk_X509_num(cert_sk); i++) {
1128 int k;
1129 char *serial;
1130 unsigned char *data;
1131
1132 x = sk_X509_value(cert_sk, i);
1133
1134 j = x->cert_info->serialNumber->length;
1135 data = (unsigned char *)x->cert_info->serialNumber->data;
1136 if (j > 0)
1137 serial = bin2hex(data, j);
1138 else
1139 serial = strdup("00");
1140 if (serial) {
1141 k = snprintf(buf[2], sizeof(buf[2]),
1142 "%s/%s.pem", outdir, serial);
1143 free(serial);
1144 if (k == -1 || k >= sizeof(buf[2])) {
1145 BIO_printf(bio_err,
1146 "certificate file name too long\n");
1147 goto err;
1148 }
1149 } else {
1150 BIO_printf(bio_err,
1151 "memory allocation failed\n");
1152 goto err;
1153 }
1154 if (verbose)
1155 BIO_printf(bio_err, "writing %s\n", buf[2]);
1156
1157 if (BIO_write_filename(Cout, buf[2]) <= 0) {
1158 perror(buf[2]);
1159 goto err;
1160 }
1161 write_new_certificate(Cout, x, 0, notext);
1162 write_new_certificate(Sout, x, output_der, notext);
1163 }
1164
1165 if (sk_X509_num(cert_sk)) {
1166 /* Rename the database and the serial file */
1167 if (!rotate_serial(serialfile, "new", "old"))
1168 goto err;
1169
1170 if (!rotate_index(dbfile, "new", "old"))
1171 goto err;
1172
1173 BIO_printf(bio_err, "Data Base Updated\n");
1174 }
1175 }
1176 /*****************************************************************/
1177 if (gencrl) {
1178 int crl_v2 = 0;
1179 if (!crl_ext) {
1180 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
1181 if (!crl_ext)
1182 ERR_clear_error();
1183 }
1184 if (crl_ext) {
1185 /* Check syntax of file */
1186 X509V3_CTX ctx;
1187 X509V3_set_ctx_test(&ctx);
1188 X509V3_set_nconf(&ctx, conf);
1189 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
1190 BIO_printf(bio_err,
1191 "Error Loading CRL extension section %s\n",
1192 crl_ext);
1193 ret = 1;
1194 goto err;
1195 }
1196 }
1197 if ((crlnumberfile = NCONF_get_string(conf, section,
1198 ENV_CRLNUMBER)) != NULL)
1199 if ((crlnumber = load_serial(crlnumberfile, 0,
1200 NULL)) == NULL) {
1201 BIO_printf(bio_err,
1202 "error while loading CRL number\n");
1203 goto err;
1204 }
1205 if (!crldays && !crlhours && !crlsec) {
1206 if (!NCONF_get_number(conf, section,
1207 ENV_DEFAULT_CRL_DAYS, &crldays))
1208 crldays = 0;
1209 if (!NCONF_get_number(conf, section,
1210 ENV_DEFAULT_CRL_HOURS, &crlhours))
1211 crlhours = 0;
1212 ERR_clear_error();
1213 }
1214 if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1215 BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1216 goto err;
1217 }
1218 if (verbose)
1219 BIO_printf(bio_err, "making CRL\n");
1220 if ((crl = X509_CRL_new()) == NULL)
1221 goto err;
1222 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1223 goto err;
1224
1225 tmptm = ASN1_TIME_new();
1226 if (!tmptm)
1227 goto err;
1228 X509_gmtime_adj(tmptm, 0);
1229 X509_CRL_set_lastUpdate(crl, tmptm);
1230 if (!X509_time_adj_ex(tmptm, crldays,
1231 crlhours * 60 * 60 + crlsec, NULL)) {
1232 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1233 goto err;
1234 }
1235 X509_CRL_set_nextUpdate(crl, tmptm);
1236
1237 ASN1_TIME_free(tmptm);
1238
1239 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1240 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1241 if (pp[DB_type][0] == DB_TYPE_REV) {
1242 if ((r = X509_REVOKED_new()) == NULL)
1243 goto err;
1244 j = make_revoked(r, pp[DB_rev_date]);
1245 if (!j)
1246 goto err;
1247 if (j == 2)
1248 crl_v2 = 1;
1249 if (!BN_hex2bn(&serial, pp[DB_serial]))
1250 goto err;
1251 tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1252 BN_free(serial);
1253 serial = NULL;
1254 if (!tmpser)
1255 goto err;
1256 X509_REVOKED_set_serialNumber(r, tmpser);
1257 ASN1_INTEGER_free(tmpser);
1258 X509_CRL_add0_revoked(crl, r);
1259 }
1260 }
1261
1262 /*
1263 * sort the data so it will be written in serial number order
1264 */
1265 X509_CRL_sort(crl);
1266
1267 /* we now have a CRL */
1268 if (verbose)
1269 BIO_printf(bio_err, "signing CRL\n");
1270
1271 /* Add any extensions asked for */
1272
1273 if (crl_ext || crlnumberfile != NULL) {
1274 X509V3_CTX crlctx;
1275 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1276 X509V3_set_nconf(&crlctx, conf);
1277
1278 if (crl_ext)
1279 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1280 crl_ext, crl))
1281 goto err;
1282 if (crlnumberfile != NULL) {
1283 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1284 if (!tmpser)
1285 goto err;
1286 X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1287 tmpser, 0, 0);
1288 ASN1_INTEGER_free(tmpser);
1289 crl_v2 = 1;
1290 if (!BN_add_word(crlnumber, 1))
1291 goto err;
1292 }
1293 }
1294 if (crl_ext || crl_v2) {
1295 if (!X509_CRL_set_version(crl, 1))
1296 goto err; /* version 2 CRL */
1297 }
1298 if (crlnumberfile != NULL) /* we have a CRL number that
1299 * need updating */
1300 if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1301 goto err;
1302
1303 if (crlnumber) {
1304 BN_free(crlnumber);
1305 crlnumber = NULL;
1306 }
1307 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
1308 goto err;
1309
1310 PEM_write_bio_X509_CRL(Sout, crl);
1311
1312 if (crlnumberfile != NULL) /* Rename the crlnumber file */
1313 if (!rotate_serial(crlnumberfile, "new", "old"))
1314 goto err;
1315
1316 }
1317 /*****************************************************************/
1318 if (dorevoke) {
1319 if (infile == NULL) {
1320 BIO_printf(bio_err, "no input files\n");
1321 goto err;
1322 } else {
1323 X509 *revcert;
1324 revcert = load_cert(bio_err, infile, FORMAT_PEM,
1325 NULL, e, infile);
1326 if (revcert == NULL)
1327 goto err;
1328 j = do_revoke(revcert, db, rev_type, rev_arg);
1329 if (j <= 0)
1330 goto err;
1331 X509_free(revcert);
1332
1333 if (!save_index(dbfile, "new", db))
1334 goto err;
1335
1336 if (!rotate_index(dbfile, "new", "old"))
1337 goto err;
1338
1339 BIO_printf(bio_err, "Data Base Updated\n");
1340 }
1341 }
1342 /*****************************************************************/
1343 ret = 0;
1344
1345err:
1346 free(tofree);
1347
1348 BIO_free_all(Cout);
1349 BIO_free_all(Sout);
1350 BIO_free_all(out);
1351 BIO_free_all(in);
1352
1353 if (cert_sk)
1354 sk_X509_pop_free(cert_sk, X509_free);
1355
1356 if (ret)
1357 ERR_print_errors(bio_err);
1358 if (free_key && key)
1359 free(key);
1360 BN_free(serial);
1361 BN_free(crlnumber);
1362 free_index(db);
1363 if (sigopts)
1364 sk_OPENSSL_STRING_free(sigopts);
1365 EVP_PKEY_free(pkey);
1366 if (x509)
1367 X509_free(x509);
1368 X509_CRL_free(crl);
1369 NCONF_free(conf);
1370 NCONF_free(extconf);
1371 OBJ_cleanup();
1372
1373 return (ret);
1374}
1375
1376static void
1377lookup_fail(const char *name, const char *tag)
1378{
1379 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1380}
1381
1382static int
1383certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1384 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1385 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1386 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1387 char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1388 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1389 int ext_copy, int selfsign)
1390{
1391 X509_REQ *req = NULL;
1392 BIO *in = NULL;
1393 EVP_PKEY *pktmp = NULL;
1394 int ok = -1, i;
1395
1396 in = BIO_new(BIO_s_file());
1397
1398 if (BIO_read_filename(in, infile) <= 0) {
1399 perror(infile);
1400 goto err;
1401 }
1402 if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1403 BIO_printf(bio_err, "Error reading certificate request in %s\n",
1404 infile);
1405 goto err;
1406 }
1407 if (verbose)
1408 X509_REQ_print(bio_err, req);
1409
1410 BIO_printf(bio_err, "Check that the request matches the signature\n");
1411
1412 if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1413 BIO_printf(bio_err,
1414 "Certificate request and CA private key do not match\n");
1415 ok = 0;
1416 goto err;
1417 }
1418 if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
1419 BIO_printf(bio_err, "error unpacking public key\n");
1420 goto err;
1421 }
1422 i = X509_REQ_verify(req, pktmp);
1423 EVP_PKEY_free(pktmp);
1424 if (i < 0) {
1425 ok = 0;
1426 BIO_printf(bio_err, "Signature verification problems....\n");
1427 goto err;
1428 }
1429 if (i == 0) {
1430 ok = 0;
1431 BIO_printf(bio_err,
1432 "Signature did not match the certificate request\n");
1433 goto err;
1434 } else
1435 BIO_printf(bio_err, "Signature ok\n");
1436
1437 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1438 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1439 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1440 ext_copy, selfsign);
1441
1442err:
1443 if (req != NULL)
1444 X509_REQ_free(req);
1445 if (in != NULL)
1446 BIO_free(in);
1447 return (ok);
1448}
1449
1450static int
1451certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1452 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1453 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1454 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1455 char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1456 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1457 int ext_copy, ENGINE * e)
1458{
1459 X509 *req = NULL;
1460 X509_REQ *rreq = NULL;
1461 EVP_PKEY *pktmp = NULL;
1462 int ok = -1, i;
1463
1464 if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
1465 infile)) == NULL)
1466 goto err;
1467 if (verbose)
1468 X509_print(bio_err, req);
1469
1470 BIO_printf(bio_err, "Check that the request matches the signature\n");
1471
1472 if ((pktmp = X509_get_pubkey(req)) == NULL) {
1473 BIO_printf(bio_err, "error unpacking public key\n");
1474 goto err;
1475 }
1476 i = X509_verify(req, pktmp);
1477 EVP_PKEY_free(pktmp);
1478 if (i < 0) {
1479 ok = 0;
1480 BIO_printf(bio_err, "Signature verification problems....\n");
1481 goto err;
1482 }
1483 if (i == 0) {
1484 ok = 0;
1485 BIO_printf(bio_err,
1486 "Signature did not match the certificate\n");
1487 goto err;
1488 } else
1489 BIO_printf(bio_err, "Signature ok\n");
1490
1491 if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1492 goto err;
1493
1494 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1495 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1496 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1497 ext_copy, 0);
1498
1499err:
1500 if (rreq != NULL)
1501 X509_REQ_free(rreq);
1502 if (req != NULL)
1503 X509_free(req);
1504 return (ok);
1505}
1506
1507static int
1508do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1509 STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy,
1510 CA_DB * db, BIGNUM * serial, char *subj, unsigned long chtype, int multirdn,
1511 int email_dn, char *startdate, char *enddate, long days, int batch,
1512 int verbose, X509_REQ * req, char *ext_sect, CONF * lconf,
1513 unsigned long certopt, unsigned long nameopt, int default_op,
1514 int ext_copy, int selfsign)
1515{
1516 X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
1517 ASN1_UTCTIME *tm, *tmptm;
1518 ASN1_STRING *str, *str2;
1519 ASN1_OBJECT *obj;
1520 X509 *ret = NULL;
1521 X509_CINF *ci;
1522 X509_NAME_ENTRY *ne;
1523 X509_NAME_ENTRY *tne, *push;
1524 EVP_PKEY *pktmp;
1525 int ok = -1, i, j, last, nid;
1526 const char *p;
1527 CONF_VALUE *cv;
1528 OPENSSL_STRING row[DB_NUMBER];
1529 OPENSSL_STRING *irow = NULL;
1530 OPENSSL_STRING *rrow = NULL;
1531 char buf[25];
1532
1533 tmptm = ASN1_UTCTIME_new();
1534 if (tmptm == NULL) {
1535 BIO_printf(bio_err, "malloc error\n");
1536 return (0);
1537 }
1538 for (i = 0; i < DB_NUMBER; i++)
1539 row[i] = NULL;
1540
1541 if (subj) {
1542 X509_NAME *n = parse_name(subj, chtype, multirdn);
1543
1544 if (!n) {
1545 ERR_print_errors(bio_err);
1546 goto err;
1547 }
1548 X509_REQ_set_subject_name(req, n);
1549 req->req_info->enc.modified = 1;
1550 X509_NAME_free(n);
1551 }
1552 if (default_op)
1553 BIO_printf(bio_err,
1554 "The Subject's Distinguished Name is as follows\n");
1555
1556 name = X509_REQ_get_subject_name(req);
1557 for (i = 0; i < X509_NAME_entry_count(name); i++) {
1558 ne = X509_NAME_get_entry(name, i);
1559 str = X509_NAME_ENTRY_get_data(ne);
1560 obj = X509_NAME_ENTRY_get_object(ne);
1561
1562 if (msie_hack) {
1563 /* assume all type should be strings */
1564 nid = OBJ_obj2nid(ne->object);
1565
1566 if (str->type == V_ASN1_UNIVERSALSTRING)
1567 ASN1_UNIVERSALSTRING_to_string(str);
1568
1569 if ((str->type == V_ASN1_IA5STRING) &&
1570 (nid != NID_pkcs9_emailAddress))
1571 str->type = V_ASN1_T61STRING;
1572
1573 if ((nid == NID_pkcs9_emailAddress) &&
1574 (str->type == V_ASN1_PRINTABLESTRING))
1575 str->type = V_ASN1_IA5STRING;
1576 }
1577 /* If no EMAIL is wanted in the subject */
1578 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1579 continue;
1580
1581 /* check some things */
1582 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1583 (str->type != V_ASN1_IA5STRING)) {
1584 BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
1585 goto err;
1586 }
1587 if ((str->type != V_ASN1_BMPSTRING) &&
1588 (str->type != V_ASN1_UTF8STRING)) {
1589 j = ASN1_PRINTABLE_type(str->data, str->length);
1590 if (((j == V_ASN1_T61STRING) &&
1591 (str->type != V_ASN1_T61STRING)) ||
1592 ((j == V_ASN1_IA5STRING) &&
1593 (str->type == V_ASN1_PRINTABLESTRING))) {
1594 BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
1595 goto err;
1596 }
1597 }
1598 if (default_op)
1599 old_entry_print(bio_err, obj, str);
1600 }
1601
1602 /* Ok, now we check the 'policy' stuff. */
1603 if ((subject = X509_NAME_new()) == NULL) {
1604 BIO_printf(bio_err, "Memory allocation failure\n");
1605 goto err;
1606 }
1607 /* take a copy of the issuer name before we mess with it. */
1608 if (selfsign)
1609 CAname = X509_NAME_dup(name);
1610 else
1611 CAname = X509_NAME_dup(x509->cert_info->subject);
1612 if (CAname == NULL)
1613 goto err;
1614 str = str2 = NULL;
1615
1616 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1617 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1618 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1619 BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name);
1620 goto err;
1621 }
1622 obj = OBJ_nid2obj(j);
1623
1624 last = -1;
1625 for (;;) {
1626 /* lookup the object in the supplied name list */
1627 j = X509_NAME_get_index_by_OBJ(name, obj, last);
1628 if (j < 0) {
1629 if (last != -1)
1630 break;
1631 tne = NULL;
1632 } else {
1633 tne = X509_NAME_get_entry(name, j);
1634 }
1635 last = j;
1636
1637 /* depending on the 'policy', decide what to do. */
1638 push = NULL;
1639 if (strcmp(cv->value, "optional") == 0) {
1640 if (tne != NULL)
1641 push = tne;
1642 } else if (strcmp(cv->value, "supplied") == 0) {
1643 if (tne == NULL) {
1644 BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name);
1645 goto err;
1646 } else
1647 push = tne;
1648 } else if (strcmp(cv->value, "match") == 0) {
1649 int last2;
1650
1651 if (tne == NULL) {
1652 BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name);
1653 goto err;
1654 }
1655 last2 = -1;
1656
1657again2:
1658 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1659 if ((j < 0) && (last2 == -1)) {
1660 BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
1661 goto err;
1662 }
1663 if (j >= 0) {
1664 push = X509_NAME_get_entry(CAname, j);
1665 str = X509_NAME_ENTRY_get_data(tne);
1666 str2 = X509_NAME_ENTRY_get_data(push);
1667 last2 = j;
1668 if (ASN1_STRING_cmp(str, str2) != 0)
1669 goto again2;
1670 }
1671 if (j < 0) {
1672 BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data));
1673 goto err;
1674 }
1675 } else {
1676 BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value);
1677 goto err;
1678 }
1679
1680 if (push != NULL) {
1681 if (!X509_NAME_add_entry(subject, push,
1682 -1, 0)) {
1683 if (push != NULL)
1684 X509_NAME_ENTRY_free(push);
1685 BIO_printf(bio_err,
1686 "Memory allocation failure\n");
1687 goto err;
1688 }
1689 }
1690 if (j < 0)
1691 break;
1692 }
1693 }
1694
1695 if (preserve) {
1696 X509_NAME_free(subject);
1697 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1698 subject = X509_NAME_dup(name);
1699 if (subject == NULL)
1700 goto err;
1701 }
1702 if (verbose)
1703 BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n");
1704
1705 /* Build the correct Subject if no e-mail is wanted in the subject */
1706 /*
1707 * and add it later on because of the method extensions are added
1708 * (altName)
1709 */
1710
1711 if (email_dn)
1712 dn_subject = subject;
1713 else {
1714 X509_NAME_ENTRY *tmpne;
1715 /*
1716 * Its best to dup the subject DN and then delete any email
1717 * addresses because this retains its structure.
1718 */
1719 if (!(dn_subject = X509_NAME_dup(subject))) {
1720 BIO_printf(bio_err, "Memory allocation failure\n");
1721 goto err;
1722 }
1723 while ((i = X509_NAME_get_index_by_NID(dn_subject,
1724 NID_pkcs9_emailAddress, -1)) >= 0) {
1725 tmpne = X509_NAME_get_entry(dn_subject, i);
1726 X509_NAME_delete_entry(dn_subject, i);
1727 X509_NAME_ENTRY_free(tmpne);
1728 }
1729 }
1730
1731 if (BN_is_zero(serial))
1732 row[DB_serial] = strdup("00");
1733 else
1734 row[DB_serial] = BN_bn2hex(serial);
1735 if (row[DB_serial] == NULL) {
1736 BIO_printf(bio_err, "Memory allocation failure\n");
1737 goto err;
1738 }
1739 if (db->attributes.unique_subject) {
1740 OPENSSL_STRING *crow = row;
1741
1742 rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
1743 if (rrow != NULL) {
1744 BIO_printf(bio_err,
1745 "ERROR:There is already a certificate for %s\n",
1746 row[DB_name]);
1747 }
1748 }
1749 if (rrow == NULL) {
1750 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1751 if (rrow != NULL) {
1752 BIO_printf(bio_err,
1753 "ERROR:Serial number %s has already been issued,\n",
1754 row[DB_serial]);
1755 BIO_printf(bio_err, " check the database/serial_file for corruption\n");
1756 }
1757 }
1758 if (rrow != NULL) {
1759 BIO_printf(bio_err,
1760 "The matching entry has the following details\n");
1761 if (rrow[DB_type][0] == 'E')
1762 p = "Expired";
1763 else if (rrow[DB_type][0] == 'R')
1764 p = "Revoked";
1765 else if (rrow[DB_type][0] == 'V')
1766 p = "Valid";
1767 else
1768 p = "\ninvalid type, Data base error\n";
1769 BIO_printf(bio_err, "Type :%s\n", p);
1770 if (rrow[DB_type][0] == 'R') {
1771 p = rrow[DB_exp_date];
1772 if (p == NULL)
1773 p = "undef";
1774 BIO_printf(bio_err, "Was revoked on:%s\n", p);
1775 }
1776 p = rrow[DB_exp_date];
1777 if (p == NULL)
1778 p = "undef";
1779 BIO_printf(bio_err, "Expires on :%s\n", p);
1780 p = rrow[DB_serial];
1781 if (p == NULL)
1782 p = "undef";
1783 BIO_printf(bio_err, "Serial Number :%s\n", p);
1784 p = rrow[DB_file];
1785 if (p == NULL)
1786 p = "undef";
1787 BIO_printf(bio_err, "File name :%s\n", p);
1788 p = rrow[DB_name];
1789 if (p == NULL)
1790 p = "undef";
1791 BIO_printf(bio_err, "Subject Name :%s\n", p);
1792 ok = -1; /* This is now a 'bad' error. */
1793 goto err;
1794 }
1795 /* We are now totally happy, lets make and sign the certificate */
1796 if (verbose)
1797 BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n");
1798
1799 if ((ret = X509_new()) == NULL)
1800 goto err;
1801 ci = ret->cert_info;
1802
1803#ifdef X509_V3
1804 /* Make it an X509 v3 certificate. */
1805 if (!X509_set_version(ret, 2))
1806 goto err;
1807#endif
1808
1809 if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
1810 goto err;
1811 if (selfsign) {
1812 if (!X509_set_issuer_name(ret, subject))
1813 goto err;
1814 } else {
1815 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1816 goto err;
1817 }
1818
1819 if (strcmp(startdate, "today") == 0)
1820 X509_gmtime_adj(X509_get_notBefore(ret), 0);
1821 else
1822 ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
1823
1824 if (enddate == NULL)
1825 X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
1826 else
1827 ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
1828
1829 if (!X509_set_subject_name(ret, subject))
1830 goto err;
1831
1832 pktmp = X509_REQ_get_pubkey(req);
1833 i = X509_set_pubkey(ret, pktmp);
1834 EVP_PKEY_free(pktmp);
1835 if (!i)
1836 goto err;
1837
1838 /* Lets add the extensions, if there are any */
1839 if (ext_sect) {
1840 X509V3_CTX ctx;
1841 if (ci->version == NULL)
1842 if ((ci->version = ASN1_INTEGER_new()) == NULL)
1843 goto err;
1844 ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
1845
1846 /*
1847 * Free the current entries if any, there should not be any I
1848 * believe
1849 */
1850 if (ci->extensions != NULL)
1851 sk_X509_EXTENSION_pop_free(ci->extensions,
1852 X509_EXTENSION_free);
1853
1854 ci->extensions = NULL;
1855
1856 /* Initialize the context structure */
1857 if (selfsign)
1858 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
1859 else
1860 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
1861
1862 if (extconf) {
1863 if (verbose)
1864 BIO_printf(bio_err,
1865 "Extra configuration file found\n");
1866
1867 /* Use the extconf configuration db LHASH */
1868 X509V3_set_nconf(&ctx, extconf);
1869
1870 /* Test the structure (needed?) */
1871 /* X509V3_set_ctx_test(&ctx); */
1872
1873 /* Adds exts contained in the configuration file */
1874 if (!X509V3_EXT_add_nconf(extconf, &ctx,
1875 ext_sect, ret)) {
1876 BIO_printf(bio_err,
1877 "ERROR: adding extensions in section %s\n",
1878 ext_sect);
1879 ERR_print_errors(bio_err);
1880 goto err;
1881 }
1882 if (verbose)
1883 BIO_printf(bio_err, "Successfully added extensions from file.\n");
1884 } else if (ext_sect) {
1885 /* We found extensions to be set from config file */
1886 X509V3_set_nconf(&ctx, lconf);
1887
1888 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
1889 BIO_printf(bio_err,
1890 "ERROR: adding extensions in section %s\n",
1891 ext_sect);
1892 ERR_print_errors(bio_err);
1893 goto err;
1894 }
1895 if (verbose)
1896 BIO_printf(bio_err, "Successfully added extensions from config\n");
1897 }
1898 }
1899 /* Copy extensions from request (if any) */
1900
1901 if (!copy_extensions(ret, req, ext_copy)) {
1902 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1903 ERR_print_errors(bio_err);
1904 goto err;
1905 }
1906 /* Set the right value for the noemailDN option */
1907 if (email_dn == 0) {
1908 if (!X509_set_subject_name(ret, dn_subject))
1909 goto err;
1910 }
1911 if (!default_op) {
1912 BIO_printf(bio_err, "Certificate Details:\n");
1913 /*
1914 * Never print signature details because signature not
1915 * present
1916 */
1917 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
1918 X509_print_ex(bio_err, ret, nameopt, certopt);
1919 }
1920 BIO_printf(bio_err, "Certificate is to be certified until ");
1921 ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
1922 if (days)
1923 BIO_printf(bio_err, " (%ld days)", days);
1924 BIO_printf(bio_err, "\n");
1925
1926 if (!batch) {
1927
1928 BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1929 (void) BIO_flush(bio_err);
1930 buf[0] = '\0';
1931 if (!fgets(buf, sizeof(buf) - 1, stdin)) {
1932 BIO_printf(bio_err,
1933 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1934 ok = 0;
1935 goto err;
1936 }
1937 if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
1938 BIO_printf(bio_err,
1939 "CERTIFICATE WILL NOT BE CERTIFIED\n");
1940 ok = 0;
1941 goto err;
1942 }
1943 }
1944 pktmp = X509_get_pubkey(ret);
1945 if (EVP_PKEY_missing_parameters(pktmp) &&
1946 !EVP_PKEY_missing_parameters(pkey))
1947 EVP_PKEY_copy_parameters(pktmp, pkey);
1948 EVP_PKEY_free(pktmp);
1949
1950 if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
1951 goto err;
1952
1953 /* We now just add it to the database */
1954 row[DB_type] = malloc(2);
1955
1956 tm = X509_get_notAfter(ret);
1957 row[DB_exp_date] = malloc(tm->length + 1);
1958 memcpy(row[DB_exp_date], tm->data, tm->length);
1959 row[DB_exp_date][tm->length] = '\0';
1960
1961 row[DB_rev_date] = NULL;
1962
1963 /* row[DB_serial] done already */
1964 row[DB_file] = malloc(8);
1965 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
1966
1967 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
1968 (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
1969 BIO_printf(bio_err, "Memory allocation failure\n");
1970 goto err;
1971 }
1972 (void) strlcpy(row[DB_file], "unknown", 8);
1973 row[DB_type][0] = 'V';
1974 row[DB_type][1] = '\0';
1975
1976 if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
1977 NULL) {
1978 BIO_printf(bio_err, "Memory allocation failure\n");
1979 goto err;
1980 }
1981 for (i = 0; i < DB_NUMBER; i++) {
1982 irow[i] = row[i];
1983 row[i] = NULL;
1984 }
1985 irow[DB_NUMBER] = NULL;
1986
1987 if (!TXT_DB_insert(db->db, irow)) {
1988 BIO_printf(bio_err, "failed to update database\n");
1989 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1990 goto err;
1991 }
1992 ok = 1;
1993err:
1994 for (i = 0; i < DB_NUMBER; i++)
1995 free(row[i]);
1996
1997 if (CAname != NULL)
1998 X509_NAME_free(CAname);
1999 if (subject != NULL)
2000 X509_NAME_free(subject);
2001 if ((dn_subject != NULL) && !email_dn)
2002 X509_NAME_free(dn_subject);
2003 if (tmptm != NULL)
2004 ASN1_UTCTIME_free(tmptm);
2005 if (ok <= 0) {
2006 if (ret != NULL)
2007 X509_free(ret);
2008 ret = NULL;
2009 } else
2010 *xret = ret;
2011 return (ok);
2012}
2013
2014static void
2015write_new_certificate(BIO * bp, X509 * x, int output_der, int notext)
2016{
2017 if (output_der) {
2018 (void) i2d_X509_bio(bp, x);
2019 return;
2020 }
2021#if 0
2022 /* ??? Not needed since X509_print prints all this stuff anyway */
2023 f = X509_NAME_oneline(X509_get_issuer_name(x), buf, 256);
2024 BIO_printf(bp, "issuer :%s\n", f);
2025
2026 f = X509_NAME_oneline(X509_get_subject_name(x), buf, 256);
2027 BIO_printf(bp, "subject:%s\n", f);
2028
2029 BIO_puts(bp, "serial :");
2030 i2a_ASN1_INTEGER(bp, x->cert_info->serialNumber);
2031 BIO_puts(bp, "\n\n");
2032#endif
2033 if (!notext)
2034 X509_print(bp, x);
2035 PEM_write_bio_X509(bp, x);
2036}
2037
2038static int
2039certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2040 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
2041 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
2042 unsigned long chtype, int multirdn, int email_dn, char *startdate,
2043 char *enddate, long days, char *ext_sect, CONF * lconf, int verbose,
2044 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2045{
2046 STACK_OF(CONF_VALUE) * sk = NULL;
2047 LHASH_OF(CONF_VALUE) * parms = NULL;
2048 X509_REQ *req = NULL;
2049 CONF_VALUE *cv = NULL;
2050 NETSCAPE_SPKI *spki = NULL;
2051 X509_REQ_INFO *ri;
2052 char *type, *buf;
2053 EVP_PKEY *pktmp = NULL;
2054 X509_NAME *n = NULL;
2055 X509_NAME_ENTRY *ne = NULL;
2056 int ok = -1, i, j;
2057 long errline;
2058 int nid;
2059
2060 /*
2061 * Load input file into a hash table. (This is just an easy
2062 * way to read and parse the file, then put it into a convenient
2063 * STACK format).
2064 */
2065 parms = CONF_load(NULL, infile, &errline);
2066 if (parms == NULL) {
2067 BIO_printf(bio_err, "error on line %ld of %s\n",
2068 errline, infile);
2069 ERR_print_errors(bio_err);
2070 goto err;
2071 }
2072 sk = CONF_get_section(parms, "default");
2073 if (sk_CONF_VALUE_num(sk) == 0) {
2074 BIO_printf(bio_err, "no name/value pairs found in %s\n",
2075 infile);
2076 CONF_free(parms);
2077 goto err;
2078 }
2079 /*
2080 * Now create a dummy X509 request structure. We don't actually
2081 * have an X509 request, but we have many of the components
2082 * (a public key, various DN components). The idea is that we
2083 * put these components into the right X509 request structure
2084 * and we can use the same code as if you had a real X509 request.
2085 */
2086 req = X509_REQ_new();
2087 if (req == NULL) {
2088 ERR_print_errors(bio_err);
2089 goto err;
2090 }
2091 /*
2092 * Build up the subject name set.
2093 */
2094 ri = req->req_info;
2095 n = ri->subject;
2096
2097 for (i = 0;; i++) {
2098 if (sk_CONF_VALUE_num(sk) <= i)
2099 break;
2100
2101 cv = sk_CONF_VALUE_value(sk, i);
2102 type = cv->name;
2103 /*
2104 * Skip past any leading X. X: X, etc to allow for multiple
2105 * instances
2106 */
2107 for (buf = cv->name; *buf; buf++) {
2108 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2109 buf++;
2110 if (*buf)
2111 type = buf;
2112 break;
2113 }
2114 }
2115
2116 buf = cv->value;
2117 if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2118 if (strcmp(type, "SPKAC") == 0) {
2119 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2120 if (spki == NULL) {
2121 BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n");
2122 ERR_print_errors(bio_err);
2123 goto err;
2124 }
2125 }
2126 continue;
2127 }
2128 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2129 (unsigned char *)buf, -1, -1, 0))
2130 goto err;
2131 }
2132 if (spki == NULL) {
2133 BIO_printf(bio_err,
2134 "Netscape SPKAC structure not found in %s\n", infile);
2135 goto err;
2136 }
2137 /*
2138 * Now extract the key from the SPKI structure.
2139 */
2140
2141 BIO_printf(bio_err,
2142 "Check that the SPKAC request matches the signature\n");
2143
2144 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2145 BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2146 goto err;
2147 }
2148 j = NETSCAPE_SPKI_verify(spki, pktmp);
2149 if (j <= 0) {
2150 BIO_printf(bio_err,
2151 "signature verification failed on SPKAC public key\n");
2152 goto err;
2153 }
2154 BIO_printf(bio_err, "Signature ok\n");
2155
2156 X509_REQ_set_pubkey(req, pktmp);
2157 EVP_PKEY_free(pktmp);
2158 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2159 subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2160 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2161 ext_copy, 0);
2162
2163err:
2164 if (req != NULL)
2165 X509_REQ_free(req);
2166 if (parms != NULL)
2167 CONF_free(parms);
2168 if (spki != NULL)
2169 NETSCAPE_SPKI_free(spki);
2170 if (ne != NULL)
2171 X509_NAME_ENTRY_free(ne);
2172
2173 return (ok);
2174}
2175
2176static int
2177check_time_format(const char *str)
2178{
2179 return ASN1_TIME_set_string(NULL, str);
2180}
2181
2182static int
2183do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2184{
2185 ASN1_UTCTIME *tm = NULL;
2186 char *row[DB_NUMBER], **rrow, **irow;
2187 char *rev_str = NULL;
2188 BIGNUM *bn = NULL;
2189 int ok = -1, i;
2190
2191 for (i = 0; i < DB_NUMBER; i++)
2192 row[i] = NULL;
2193 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2194 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2195 if (!bn)
2196 goto err;
2197 if (BN_is_zero(bn))
2198 row[DB_serial] = strdup("00");
2199 else
2200 row[DB_serial] = BN_bn2hex(bn);
2201 BN_free(bn);
2202 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2203 BIO_printf(bio_err, "Memory allocation failure\n");
2204 goto err;
2205 }
2206 /*
2207 * We have to lookup by serial number because name lookup skips
2208 * revoked certs
2209 */
2210 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2211 if (rrow == NULL) {
2212 BIO_printf(bio_err,
2213 "Adding Entry with serial number %s to DB for %s\n",
2214 row[DB_serial], row[DB_name]);
2215
2216 /* We now just add it to the database */
2217 row[DB_type] = malloc(2);
2218
2219 tm = X509_get_notAfter(x509);
2220 row[DB_exp_date] = malloc(tm->length + 1);
2221 memcpy(row[DB_exp_date], tm->data, tm->length);
2222 row[DB_exp_date][tm->length] = '\0';
2223
2224 row[DB_rev_date] = NULL;
2225
2226 /* row[DB_serial] done already */
2227 row[DB_file] = malloc(8);
2228
2229 /* row[DB_name] done already */
2230
2231 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2232 (row[DB_file] == NULL)) {
2233 BIO_printf(bio_err, "Memory allocation failure\n");
2234 goto err;
2235 }
2236 (void) strlcpy(row[DB_file], "unknown", 8);
2237 row[DB_type][0] = 'V';
2238 row[DB_type][1] = '\0';
2239
2240 if ((irow = reallocarray(NULL, sizeof(char *),
2241 (DB_NUMBER + 1))) == NULL) {
2242 BIO_printf(bio_err, "Memory allocation failure\n");
2243 goto err;
2244 }
2245 for (i = 0; i < DB_NUMBER; i++) {
2246 irow[i] = row[i];
2247 row[i] = NULL;
2248 }
2249 irow[DB_NUMBER] = NULL;
2250
2251 if (!TXT_DB_insert(db->db, irow)) {
2252 BIO_printf(bio_err, "failed to update database\n");
2253 BIO_printf(bio_err, "TXT_DB error number %ld\n",
2254 db->db->error);
2255 goto err;
2256 }
2257 /* Revoke Certificate */
2258 ok = do_revoke(x509, db, type, value);
2259
2260 goto err;
2261
2262 } else if (index_name_cmp_noconst(row, rrow)) {
2263 BIO_printf(bio_err, "ERROR:name does not match %s\n",
2264 row[DB_name]);
2265 goto err;
2266 } else if (rrow[DB_type][0] == 'R') {
2267 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2268 row[DB_serial]);
2269 goto err;
2270 } else {
2271 BIO_printf(bio_err, "Revoking Certificate %s.\n",
2272 rrow[DB_serial]);
2273 rev_str = make_revocation_str(type, value);
2274 if (!rev_str) {
2275 BIO_printf(bio_err, "Error in revocation arguments\n");
2276 goto err;
2277 }
2278 rrow[DB_type][0] = 'R';
2279 rrow[DB_type][1] = '\0';
2280 rrow[DB_rev_date] = rev_str;
2281 }
2282 ok = 1;
2283
2284err:
2285 for (i = 0; i < DB_NUMBER; i++)
2286 free(row[i]);
2287
2288 return (ok);
2289}
2290
2291static int
2292get_certificate_status(const char *serial, CA_DB * db)
2293{
2294 char *row[DB_NUMBER], **rrow;
2295 int ok = -1, i;
2296
2297 /* Free Resources */
2298 for (i = 0; i < DB_NUMBER; i++)
2299 row[i] = NULL;
2300
2301 /* Malloc needed char spaces */
2302 row[DB_serial] = malloc(strlen(serial) + 2);
2303 if (row[DB_serial] == NULL) {
2304 BIO_printf(bio_err, "Malloc failure\n");
2305 goto err;
2306 }
2307 if (strlen(serial) % 2) {
2308 /* Set the first char to 0 */ ;
2309 row[DB_serial][0] = '0';
2310
2311 /* Copy String from serial to row[DB_serial] */
2312 memcpy(row[DB_serial] + 1, serial, strlen(serial));
2313 row[DB_serial][strlen(serial) + 1] = '\0';
2314 } else {
2315 /* Copy String from serial to row[DB_serial] */
2316 memcpy(row[DB_serial], serial, strlen(serial));
2317 row[DB_serial][strlen(serial)] = '\0';
2318 }
2319
2320 /* Make it Upper Case */
2321 for (i = 0; row[DB_serial][i] != '\0'; i++)
2322 row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2323
2324
2325 ok = 1;
2326
2327 /* Search for the certificate */
2328 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2329 if (rrow == NULL) {
2330 BIO_printf(bio_err, "Serial %s not present in db.\n",
2331 row[DB_serial]);
2332 ok = -1;
2333 goto err;
2334 } else if (rrow[DB_type][0] == 'V') {
2335 BIO_printf(bio_err, "%s=Valid (%c)\n",
2336 row[DB_serial], rrow[DB_type][0]);
2337 goto err;
2338 } else if (rrow[DB_type][0] == 'R') {
2339 BIO_printf(bio_err, "%s=Revoked (%c)\n",
2340 row[DB_serial], rrow[DB_type][0]);
2341 goto err;
2342 } else if (rrow[DB_type][0] == 'E') {
2343 BIO_printf(bio_err, "%s=Expired (%c)\n",
2344 row[DB_serial], rrow[DB_type][0]);
2345 goto err;
2346 } else if (rrow[DB_type][0] == 'S') {
2347 BIO_printf(bio_err, "%s=Suspended (%c)\n",
2348 row[DB_serial], rrow[DB_type][0]);
2349 goto err;
2350 } else {
2351 BIO_printf(bio_err, "%s=Unknown (%c).\n",
2352 row[DB_serial], rrow[DB_type][0]);
2353 ok = -1;
2354 }
2355
2356err:
2357 for (i = 0; i < DB_NUMBER; i++)
2358 free(row[i]);
2359
2360 return (ok);
2361}
2362
2363static int
2364do_updatedb(CA_DB * db)
2365{
2366 ASN1_UTCTIME *a_tm = NULL;
2367 int i, cnt = 0;
2368 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2369 char **rrow, *a_tm_s;
2370
2371 a_tm = ASN1_UTCTIME_new();
2372
2373 /* get actual time and make a string */
2374 a_tm = X509_gmtime_adj(a_tm, 0);
2375 a_tm_s = malloc(a_tm->length + 1);
2376 if (a_tm_s == NULL) {
2377 cnt = -1;
2378 goto err;
2379 }
2380 memcpy(a_tm_s, a_tm->data, a_tm->length);
2381 a_tm_s[a_tm->length] = '\0';
2382
2383 if (strncmp(a_tm_s, "49", 2) <= 0)
2384 a_y2k = 1;
2385 else
2386 a_y2k = 0;
2387
2388 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2389 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2390
2391 if (rrow[DB_type][0] == 'V') {
2392 /* ignore entries that are not valid */
2393 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2394 db_y2k = 1;
2395 else
2396 db_y2k = 0;
2397
2398 if (db_y2k == a_y2k) {
2399 /* all on the same y2k side */
2400 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2401 rrow[DB_type][0] = 'E';
2402 rrow[DB_type][1] = '\0';
2403 cnt++;
2404
2405 BIO_printf(bio_err, "%s=Expired\n",
2406 rrow[DB_serial]);
2407 }
2408 } else if (db_y2k < a_y2k) {
2409 rrow[DB_type][0] = 'E';
2410 rrow[DB_type][1] = '\0';
2411 cnt++;
2412
2413 BIO_printf(bio_err, "%s=Expired\n",
2414 rrow[DB_serial]);
2415 }
2416 }
2417 }
2418
2419err:
2420 ASN1_UTCTIME_free(a_tm);
2421 free(a_tm_s);
2422
2423 return (cnt);
2424}
2425
2426static const char *crl_reasons[] = {
2427 /* CRL reason strings */
2428 "unspecified",
2429 "keyCompromise",
2430 "CACompromise",
2431 "affiliationChanged",
2432 "superseded",
2433 "cessationOfOperation",
2434 "certificateHold",
2435 "removeFromCRL",
2436 /* Additional pseudo reasons */
2437 "holdInstruction",
2438 "keyTime",
2439 "CAkeyTime"
2440};
2441
2442#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2443
2444/* Given revocation information convert to a DB string.
2445 * The format of the string is:
2446 * revtime[,reason,extra]. Where 'revtime' is the
2447 * revocation time (the current time). 'reason' is the
2448 * optional CRL reason and 'extra' is any additional
2449 * argument
2450 */
2451
2452char *
2453make_revocation_str(int rev_type, char *rev_arg)
2454{
2455 char *other = NULL, *str;
2456 const char *reason = NULL;
2457 ASN1_OBJECT *otmp;
2458 ASN1_UTCTIME *revtm = NULL;
2459 int i;
2460 switch (rev_type) {
2461 case REV_NONE:
2462 break;
2463
2464 case REV_CRL_REASON:
2465 for (i = 0; i < 8; i++) {
2466 if (!strcasecmp(rev_arg, crl_reasons[i])) {
2467 reason = crl_reasons[i];
2468 break;
2469 }
2470 }
2471 if (reason == NULL) {
2472 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2473 return NULL;
2474 }
2475 break;
2476
2477 case REV_HOLD:
2478 /* Argument is an OID */
2479
2480 otmp = OBJ_txt2obj(rev_arg, 0);
2481 ASN1_OBJECT_free(otmp);
2482
2483 if (otmp == NULL) {
2484 BIO_printf(bio_err,
2485 "Invalid object identifier %s\n", rev_arg);
2486 return NULL;
2487 }
2488 reason = "holdInstruction";
2489 other = rev_arg;
2490 break;
2491
2492 case REV_KEY_COMPROMISE:
2493 case REV_CA_COMPROMISE:
2494
2495 /* Argument is the key compromise time */
2496 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2497 BIO_printf(bio_err,
2498 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2499 rev_arg);
2500 return NULL;
2501 }
2502 other = rev_arg;
2503 if (rev_type == REV_KEY_COMPROMISE)
2504 reason = "keyTime";
2505 else
2506 reason = "CAkeyTime";
2507
2508 break;
2509
2510 }
2511
2512 revtm = X509_gmtime_adj(NULL, 0);
2513 if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2514 reason ? "," : "", reason ? reason : "",
2515 other ? "," : "", other ? other : "") == -1)
2516 str = NULL;
2517 ASN1_UTCTIME_free(revtm);
2518 return str;
2519}
2520
2521/* Convert revocation field to X509_REVOKED entry
2522 * return code:
2523 * 0 error
2524 * 1 OK
2525 * 2 OK and some extensions added (i.e. V2 CRL)
2526 */
2527
2528int
2529make_revoked(X509_REVOKED * rev, const char *str)
2530{
2531 char *tmp = NULL;
2532 int reason_code = -1;
2533 int i, ret = 0;
2534 ASN1_OBJECT *hold = NULL;
2535 ASN1_GENERALIZEDTIME *comp_time = NULL;
2536 ASN1_ENUMERATED *rtmp = NULL;
2537
2538 ASN1_TIME *revDate = NULL;
2539
2540 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2541
2542 if (i == 0)
2543 goto err;
2544
2545 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2546 goto err;
2547
2548 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2549 rtmp = ASN1_ENUMERATED_new();
2550 if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2551 goto err;
2552 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2553 goto err;
2554 }
2555 if (rev && comp_time) {
2556 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2557 comp_time, 0, 0))
2558 goto err;
2559 }
2560 if (rev && hold) {
2561 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2562 hold, 0, 0))
2563 goto err;
2564 }
2565 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2566 ret = 2;
2567 else
2568 ret = 1;
2569
2570err:
2571 free(tmp);
2572
2573 ASN1_OBJECT_free(hold);
2574 ASN1_GENERALIZEDTIME_free(comp_time);
2575 ASN1_ENUMERATED_free(rtmp);
2576 ASN1_TIME_free(revDate);
2577
2578 return ret;
2579}
2580
2581int
2582old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
2583{
2584 char buf[25], *pbuf, *p;
2585 int j;
2586
2587 j = i2a_ASN1_OBJECT(bp, obj);
2588 pbuf = buf;
2589 for (j = 22 - j; j > 0; j--)
2590 *(pbuf++) = ' ';
2591 *(pbuf++) = ':';
2592 *(pbuf++) = '\0';
2593 BIO_puts(bp, buf);
2594
2595 if (str->type == V_ASN1_PRINTABLESTRING)
2596 BIO_printf(bp, "PRINTABLE:'");
2597 else if (str->type == V_ASN1_T61STRING)
2598 BIO_printf(bp, "T61STRING:'");
2599 else if (str->type == V_ASN1_IA5STRING)
2600 BIO_printf(bp, "IA5STRING:'");
2601 else if (str->type == V_ASN1_UNIVERSALSTRING)
2602 BIO_printf(bp, "UNIVERSALSTRING:'");
2603 else
2604 BIO_printf(bp, "ASN.1 %2d:'", str->type);
2605
2606 p = (char *) str->data;
2607 for (j = str->length; j > 0; j--) {
2608 if ((*p >= ' ') && (*p <= '~'))
2609 BIO_printf(bp, "%c", *p);
2610 else if (*p & 0x80)
2611 BIO_printf(bp, "\\0x%02X", *p);
2612 else if ((unsigned char) *p == 0xf7)
2613 BIO_printf(bp, "^?");
2614 else
2615 BIO_printf(bp, "^%c", *p + '@');
2616 p++;
2617 }
2618 BIO_printf(bp, "'\n");
2619 return 1;
2620}
2621
2622int
2623unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2624 ASN1_GENERALIZEDTIME ** pinvtm, const char *str)
2625{
2626 char *tmp = NULL;
2627 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2628 int reason_code = -1;
2629 int ret = 0;
2630 unsigned int i;
2631 ASN1_OBJECT *hold = NULL;
2632 ASN1_GENERALIZEDTIME *comp_time = NULL;
2633
2634 if ((tmp = strdup(str)) == NULL) {
2635 BIO_printf(bio_err, "malloc failed\n");
2636 goto err;
2637 }
2638 p = strchr(tmp, ',');
2639 rtime_str = tmp;
2640
2641 if (p) {
2642 *p = '\0';
2643 p++;
2644 reason_str = p;
2645 p = strchr(p, ',');
2646 if (p) {
2647 *p = '\0';
2648 arg_str = p + 1;
2649 }
2650 }
2651 if (prevtm) {
2652 *prevtm = ASN1_UTCTIME_new();
2653 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2654 BIO_printf(bio_err, "invalid revocation date %s\n",
2655 rtime_str);
2656 goto err;
2657 }
2658 }
2659 if (reason_str) {
2660 for (i = 0; i < NUM_REASONS; i++) {
2661 if (!strcasecmp(reason_str, crl_reasons[i])) {
2662 reason_code = i;
2663 break;
2664 }
2665 }
2666 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2667 BIO_printf(bio_err, "invalid reason code %s\n",
2668 reason_str);
2669 goto err;
2670 }
2671 if (reason_code == 7)
2672 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2673 else if (reason_code == 8) { /* Hold instruction */
2674 if (!arg_str) {
2675 BIO_printf(bio_err,
2676 "missing hold instruction\n");
2677 goto err;
2678 }
2679 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2680 hold = OBJ_txt2obj(arg_str, 0);
2681
2682 if (!hold) {
2683 BIO_printf(bio_err,
2684 "invalid object identifier %s\n", arg_str);
2685 goto err;
2686 }
2687 if (phold)
2688 *phold = hold;
2689 } else if ((reason_code == 9) || (reason_code == 10)) {
2690 if (!arg_str) {
2691 BIO_printf(bio_err,
2692 "missing compromised time\n");
2693 goto err;
2694 }
2695 comp_time = ASN1_GENERALIZEDTIME_new();
2696 if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2697 arg_str)) {
2698 BIO_printf(bio_err,
2699 "invalid compromised time %s\n", arg_str);
2700 goto err;
2701 }
2702 if (reason_code == 9)
2703 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2704 else
2705 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2706 }
2707 }
2708 if (preason)
2709 *preason = reason_code;
2710 if (pinvtm)
2711 *pinvtm = comp_time;
2712 else
2713 ASN1_GENERALIZEDTIME_free(comp_time);
2714
2715 ret = 1;
2716
2717err:
2718 free(tmp);
2719
2720 if (!phold)
2721 ASN1_OBJECT_free(hold);
2722 if (!pinvtm)
2723 ASN1_GENERALIZEDTIME_free(comp_time);
2724
2725 return ret;
2726}
2727
2728static char *
2729bin2hex(unsigned char * data, size_t len)
2730{
2731 char *ret = NULL;
2732 char hex[] = "0123456789ABCDEF";
2733 int i;
2734
2735 if ((ret = malloc(len * 2 + 1))) {
2736 for (i = 0; i < len; i++) {
2737 ret[i * 2 + 0] = hex[data[i] >> 4];
2738 ret[i * 2 + 1] = hex[data[i] & 0x0F];
2739 }
2740 ret[len * 2] = '\0';
2741 }
2742 return ret;
2743}
diff --git a/src/lib/libssl/src/apps/ciphers.c b/src/lib/libssl/src/apps/ciphers.c
deleted file mode 100644
index 7eddf2faba..0000000000
--- a/src/lib/libssl/src/apps/ciphers.c
+++ /dev/null
@@ -1,194 +0,0 @@
1/* $OpenBSD: ciphers.c,v 1.27 2014/08/24 14:55:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/err.h>
66#include <openssl/ssl.h>
67
68static const char *ciphers_usage[] = {
69 "usage: ciphers args\n",
70 " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
71 " -V - even more verbose\n",
72 " -ssl3 - SSL3 mode\n",
73 " -tls1 - TLS1 mode\n",
74 NULL
75};
76
77int ciphers_main(int, char **);
78
79int
80ciphers_main(int argc, char **argv)
81{
82 int ret = 1, i;
83 int verbose = 0, Verbose = 0;
84 const char **pp;
85 const char *p;
86 int badops = 0;
87 SSL_CTX *ctx = NULL;
88 SSL *ssl = NULL;
89 char *ciphers = NULL;
90 const SSL_METHOD *meth = NULL;
91 STACK_OF(SSL_CIPHER) * sk;
92 BIO *STDout = NULL;
93 char *desc;
94
95 meth = SSLv3_server_method();
96
97 STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
98
99 argc--;
100 argv++;
101 while (argc >= 1) {
102 if (strcmp(*argv, "-v") == 0)
103 verbose = 1;
104 else if (strcmp(*argv, "-V") == 0)
105 verbose = Verbose = 1;
106 else if (strcmp(*argv, "-ssl3") == 0)
107 meth = SSLv3_client_method();
108 else if (strcmp(*argv, "-tls1") == 0)
109 meth = TLSv1_client_method();
110 else if ((strncmp(*argv, "-h", 2) == 0) ||
111 (strcmp(*argv, "-?") == 0)) {
112 badops = 1;
113 break;
114 } else {
115 ciphers = *argv;
116 }
117 argc--;
118 argv++;
119 }
120
121 if (badops) {
122 for (pp = ciphers_usage; (*pp != NULL); pp++)
123 BIO_printf(bio_err, "%s", *pp);
124 goto end;
125 }
126
127 ctx = SSL_CTX_new(meth);
128 if (ctx == NULL)
129 goto err;
130 if (ciphers != NULL) {
131 if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
132 BIO_printf(bio_err, "Error in cipher list\n");
133 goto err;
134 }
135 }
136 ssl = SSL_new(ctx);
137 if (ssl == NULL)
138 goto err;
139
140 if (!verbose) {
141 for (i = 0; ; i++) {
142 p = SSL_get_cipher_list(ssl, i);
143 if (p == NULL)
144 break;
145 if (i != 0)
146 BIO_printf(STDout, ":");
147 BIO_printf(STDout, "%s", p);
148 }
149 BIO_printf(STDout, "\n");
150 } else { /* verbose */
151 sk = SSL_get_ciphers(ssl);
152
153 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
154 SSL_CIPHER *c;
155
156 c = sk_SSL_CIPHER_value(sk, i);
157
158 if (Verbose) {
159 unsigned long id = SSL_CIPHER_get_id(c);
160 int id0 = (int) (id >> 24);
161 int id1 = (int) ((id >> 16) & 0xffL);
162 int id2 = (int) ((id >> 8) & 0xffL);
163 int id3 = (int) (id & 0xffL);
164
165 if ((id & 0xff000000L) == 0x02000000L)
166 BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
167 else if ((id & 0xff000000L) == 0x03000000L)
168 BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
169 else
170 BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
171 }
172 desc = SSL_CIPHER_description(c, NULL, 0);
173 BIO_puts(STDout, desc);
174 if (strcmp(desc, "OPENSSL_malloc Error") != 0)
175 free(desc);
176 }
177 }
178
179 ret = 0;
180 if (0) {
181err:
182 ERR_print_errors(bio_err);
183 }
184
185end:
186 if (ctx != NULL)
187 SSL_CTX_free(ctx);
188 if (ssl != NULL)
189 SSL_free(ssl);
190 if (STDout != NULL)
191 BIO_free_all(STDout);
192
193 return (ret);
194}
diff --git a/src/lib/libssl/src/apps/cms.c b/src/lib/libssl/src/apps/cms.c
deleted file mode 100644
index 91203bc719..0000000000
--- a/src/lib/libssl/src/apps/cms.c
+++ /dev/null
@@ -1,1154 +0,0 @@
1/* $OpenBSD: cms.c,v 1.20 2014/07/13 16:03:09 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 */
53
54/* CMS utility function */
55
56#include <stdio.h>
57#include <string.h>
58
59#include "apps.h"
60
61#ifndef OPENSSL_NO_CMS
62
63#include <openssl/cms.h>
64#include <openssl/crypto.h>
65#include <openssl/err.h>
66#include <openssl/pem.h>
67#include <openssl/x509_vfy.h>
68#include <openssl/x509v3.h>
69
70static int save_certs(char *signerfile, STACK_OF(X509) * signers);
71static int cms_cb(int ok, X509_STORE_CTX * ctx);
72static void receipt_request_print(BIO * out, CMS_ContentInfo * cms);
73static CMS_ReceiptRequest * make_receipt_request(
74 STACK_OF(OPENSSL_STRING) * rr_to, int rr_allorfirst,
75 STACK_OF(OPENSSL_STRING) * rr_from);
76
77#define SMIME_OP 0x10
78#define SMIME_IP 0x20
79#define SMIME_SIGNERS 0x40
80#define SMIME_ENCRYPT (1 | SMIME_OP)
81#define SMIME_DECRYPT (2 | SMIME_IP)
82#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
83#define SMIME_VERIFY (4 | SMIME_IP)
84#define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
85#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
86#define SMIME_DATAOUT (7 | SMIME_IP)
87#define SMIME_DATA_CREATE (8 | SMIME_OP)
88#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
89#define SMIME_DIGEST_CREATE (10 | SMIME_OP)
90#define SMIME_UNCOMPRESS (11 | SMIME_IP)
91#define SMIME_COMPRESS (12 | SMIME_OP)
92#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
93#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
94#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
95#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
96
97int verify_err = 0;
98
99int cms_main(int, char **);
100
101int
102cms_main(int argc, char **argv)
103{
104 ENGINE *e = NULL;
105 int operation = 0;
106 int ret = 0;
107 char **args;
108 const char *inmode = "r", *outmode = "w";
109 char *infile = NULL, *outfile = NULL, *rctfile = NULL;
110 char *signerfile = NULL, *recipfile = NULL;
111 STACK_OF(OPENSSL_STRING) * sksigners = NULL, *skkeys = NULL;
112 char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
113 char *certsoutfile = NULL;
114 const EVP_CIPHER *cipher = NULL;
115 CMS_ContentInfo *cms = NULL, *rcms = NULL;
116 X509_STORE *store = NULL;
117 X509 *cert = NULL, *recip = NULL, *signer = NULL;
118 EVP_PKEY *key = NULL;
119 STACK_OF(X509) * encerts = NULL, *other = NULL;
120 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
121 int badarg = 0;
122 int flags = CMS_DETACHED, noout = 0, print = 0;
123 int verify_retcode = 0;
124 int rr_print = 0, rr_allorfirst = -1;
125 STACK_OF(OPENSSL_STRING) * rr_to = NULL, *rr_from = NULL;
126 CMS_ReceiptRequest *rr = NULL;
127 char *to = NULL, *from = NULL, *subject = NULL;
128 char *CAfile = NULL, *CApath = NULL;
129 char *passargin = NULL, *passin = NULL;
130 const EVP_MD *sign_md = NULL;
131 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
132 int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
133#ifndef OPENSSL_NO_ENGINE
134 char *engine = NULL;
135#endif
136 unsigned char *secret_key = NULL, *secret_keyid = NULL;
137 unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
138 size_t secret_keylen = 0, secret_keyidlen = 0;
139
140 ASN1_OBJECT *econtent_type = NULL;
141
142 X509_VERIFY_PARAM *vpm = NULL;
143
144 args = argv + 1;
145 ret = 1;
146
147 while (!badarg && *args && *args[0] == '-') {
148 if (!strcmp(*args, "-encrypt"))
149 operation = SMIME_ENCRYPT;
150 else if (!strcmp(*args, "-decrypt"))
151 operation = SMIME_DECRYPT;
152 else if (!strcmp(*args, "-sign"))
153 operation = SMIME_SIGN;
154 else if (!strcmp(*args, "-sign_receipt"))
155 operation = SMIME_SIGN_RECEIPT;
156 else if (!strcmp(*args, "-resign"))
157 operation = SMIME_RESIGN;
158 else if (!strcmp(*args, "-verify"))
159 operation = SMIME_VERIFY;
160 else if (!strcmp(*args, "-verify_retcode"))
161 verify_retcode = 1;
162 else if (!strcmp(*args, "-verify_receipt")) {
163 operation = SMIME_VERIFY_RECEIPT;
164 if (!args[1])
165 goto argerr;
166 args++;
167 rctfile = *args;
168 } else if (!strcmp(*args, "-cmsout"))
169 operation = SMIME_CMSOUT;
170 else if (!strcmp(*args, "-data_out"))
171 operation = SMIME_DATAOUT;
172 else if (!strcmp(*args, "-data_create"))
173 operation = SMIME_DATA_CREATE;
174 else if (!strcmp(*args, "-digest_verify"))
175 operation = SMIME_DIGEST_VERIFY;
176 else if (!strcmp(*args, "-digest_create"))
177 operation = SMIME_DIGEST_CREATE;
178 else if (!strcmp(*args, "-compress"))
179 operation = SMIME_COMPRESS;
180 else if (!strcmp(*args, "-uncompress"))
181 operation = SMIME_UNCOMPRESS;
182 else if (!strcmp(*args, "-EncryptedData_decrypt"))
183 operation = SMIME_ENCRYPTED_DECRYPT;
184 else if (!strcmp(*args, "-EncryptedData_encrypt"))
185 operation = SMIME_ENCRYPTED_ENCRYPT;
186#ifndef OPENSSL_NO_DES
187 else if (!strcmp(*args, "-des3"))
188 cipher = EVP_des_ede3_cbc();
189 else if (!strcmp(*args, "-des"))
190 cipher = EVP_des_cbc();
191#endif
192#ifndef OPENSSL_NO_RC2
193 else if (!strcmp(*args, "-rc2-40"))
194 cipher = EVP_rc2_40_cbc();
195 else if (!strcmp(*args, "-rc2-128"))
196 cipher = EVP_rc2_cbc();
197 else if (!strcmp(*args, "-rc2-64"))
198 cipher = EVP_rc2_64_cbc();
199#endif
200#ifndef OPENSSL_NO_AES
201 else if (!strcmp(*args, "-aes128"))
202 cipher = EVP_aes_128_cbc();
203 else if (!strcmp(*args, "-aes192"))
204 cipher = EVP_aes_192_cbc();
205 else if (!strcmp(*args, "-aes256"))
206 cipher = EVP_aes_256_cbc();
207#endif
208#ifndef OPENSSL_NO_CAMELLIA
209 else if (!strcmp(*args, "-camellia128"))
210 cipher = EVP_camellia_128_cbc();
211 else if (!strcmp(*args, "-camellia192"))
212 cipher = EVP_camellia_192_cbc();
213 else if (!strcmp(*args, "-camellia256"))
214 cipher = EVP_camellia_256_cbc();
215#endif
216 else if (!strcmp(*args, "-debug_decrypt"))
217 flags |= CMS_DEBUG_DECRYPT;
218 else if (!strcmp(*args, "-text"))
219 flags |= CMS_TEXT;
220 else if (!strcmp(*args, "-nointern"))
221 flags |= CMS_NOINTERN;
222 else if (!strcmp(*args, "-noverify") ||
223 !strcmp(*args, "-no_signer_cert_verify"))
224 flags |= CMS_NO_SIGNER_CERT_VERIFY;
225 else if (!strcmp(*args, "-nocerts"))
226 flags |= CMS_NOCERTS;
227 else if (!strcmp(*args, "-noattr"))
228 flags |= CMS_NOATTR;
229 else if (!strcmp(*args, "-nodetach"))
230 flags &= ~CMS_DETACHED;
231 else if (!strcmp(*args, "-nosmimecap"))
232 flags |= CMS_NOSMIMECAP;
233 else if (!strcmp(*args, "-binary"))
234 flags |= CMS_BINARY;
235 else if (!strcmp(*args, "-keyid"))
236 flags |= CMS_USE_KEYID;
237 else if (!strcmp(*args, "-nosigs"))
238 flags |= CMS_NOSIGS;
239 else if (!strcmp(*args, "-no_content_verify"))
240 flags |= CMS_NO_CONTENT_VERIFY;
241 else if (!strcmp(*args, "-no_attr_verify"))
242 flags |= CMS_NO_ATTR_VERIFY;
243 else if (!strcmp(*args, "-stream"))
244 flags |= CMS_STREAM;
245 else if (!strcmp(*args, "-indef"))
246 flags |= CMS_STREAM;
247 else if (!strcmp(*args, "-noindef"))
248 flags &= ~CMS_STREAM;
249 else if (!strcmp(*args, "-nooldmime"))
250 flags |= CMS_NOOLDMIMETYPE;
251 else if (!strcmp(*args, "-crlfeol"))
252 flags |= CMS_CRLFEOL;
253 else if (!strcmp(*args, "-noout"))
254 noout = 1;
255 else if (!strcmp(*args, "-receipt_request_print"))
256 rr_print = 1;
257 else if (!strcmp(*args, "-receipt_request_all"))
258 rr_allorfirst = 0;
259 else if (!strcmp(*args, "-receipt_request_first"))
260 rr_allorfirst = 1;
261 else if (!strcmp(*args, "-receipt_request_from")) {
262 if (!args[1])
263 goto argerr;
264 args++;
265 if (!rr_from)
266 rr_from = sk_OPENSSL_STRING_new_null();
267 sk_OPENSSL_STRING_push(rr_from, *args);
268 } else if (!strcmp(*args, "-receipt_request_to")) {
269 if (!args[1])
270 goto argerr;
271 args++;
272 if (!rr_to)
273 rr_to = sk_OPENSSL_STRING_new_null();
274 sk_OPENSSL_STRING_push(rr_to, *args);
275 } else if (!strcmp(*args, "-print")) {
276 noout = 1;
277 print = 1;
278 } else if (!strcmp(*args, "-secretkey")) {
279 long ltmp;
280 if (!args[1])
281 goto argerr;
282 args++;
283 secret_key = string_to_hex(*args, &ltmp);
284 if (!secret_key) {
285 BIO_printf(bio_err, "Invalid key %s\n", *args);
286 goto argerr;
287 }
288 secret_keylen = (size_t) ltmp;
289 } else if (!strcmp(*args, "-secretkeyid")) {
290 long ltmp;
291 if (!args[1])
292 goto argerr;
293 args++;
294 secret_keyid = string_to_hex(*args, &ltmp);
295 if (!secret_keyid) {
296 BIO_printf(bio_err, "Invalid id %s\n", *args);
297 goto argerr;
298 }
299 secret_keyidlen = (size_t) ltmp;
300 } else if (!strcmp(*args, "-pwri_password")) {
301 if (!args[1])
302 goto argerr;
303 args++;
304 pwri_pass = (unsigned char *) *args;
305 } else if (!strcmp(*args, "-econtent_type")) {
306 if (!args[1])
307 goto argerr;
308 args++;
309 econtent_type = OBJ_txt2obj(*args, 0);
310 if (!econtent_type) {
311 BIO_printf(bio_err, "Invalid OID %s\n", *args);
312 goto argerr;
313 }
314 }
315#ifndef OPENSSL_NO_ENGINE
316 else if (!strcmp(*args, "-engine")) {
317 if (!args[1])
318 goto argerr;
319 engine = *++args;
320 }
321#endif
322 else if (!strcmp(*args, "-passin")) {
323 if (!args[1])
324 goto argerr;
325 passargin = *++args;
326 } else if (!strcmp(*args, "-to")) {
327 if (!args[1])
328 goto argerr;
329 to = *++args;
330 } else if (!strcmp(*args, "-from")) {
331 if (!args[1])
332 goto argerr;
333 from = *++args;
334 } else if (!strcmp(*args, "-subject")) {
335 if (!args[1])
336 goto argerr;
337 subject = *++args;
338 } else if (!strcmp(*args, "-signer")) {
339 if (!args[1])
340 goto argerr;
341 /* If previous -signer argument add signer to list */
342
343 if (signerfile) {
344 if (!sksigners)
345 sksigners =
346 sk_OPENSSL_STRING_new_null();
347 sk_OPENSSL_STRING_push(sksigners, signerfile);
348 if (!keyfile)
349 keyfile = signerfile;
350 if (!skkeys)
351 skkeys = sk_OPENSSL_STRING_new_null();
352 sk_OPENSSL_STRING_push(skkeys, keyfile);
353 keyfile = NULL;
354 }
355 signerfile = *++args;
356 } else if (!strcmp(*args, "-recip")) {
357 if (!args[1])
358 goto argerr;
359 recipfile = *++args;
360 } else if (!strcmp(*args, "-certsout")) {
361 if (!args[1])
362 goto argerr;
363 certsoutfile = *++args;
364 } else if (!strcmp(*args, "-md")) {
365 if (!args[1])
366 goto argerr;
367 sign_md = EVP_get_digestbyname(*++args);
368 if (sign_md == NULL) {
369 BIO_printf(bio_err, "Unknown digest %s\n",
370 *args);
371 goto argerr;
372 }
373 } else if (!strcmp(*args, "-inkey")) {
374 if (!args[1])
375 goto argerr;
376 /* If previous -inkey arument add signer to list */
377 if (keyfile) {
378 if (!signerfile) {
379 BIO_puts(bio_err,
380 "Illegal -inkey without -signer\n");
381 goto argerr;
382 }
383 if (!sksigners)
384 sksigners =
385 sk_OPENSSL_STRING_new_null();
386 sk_OPENSSL_STRING_push(sksigners, signerfile);
387 signerfile = NULL;
388 if (!skkeys)
389 skkeys = sk_OPENSSL_STRING_new_null();
390 sk_OPENSSL_STRING_push(skkeys, keyfile);
391 }
392 keyfile = *++args;
393 } else if (!strcmp(*args, "-keyform")) {
394 if (!args[1])
395 goto argerr;
396 keyform = str2fmt(*++args);
397 } else if (!strcmp(*args, "-rctform")) {
398 if (!args[1])
399 goto argerr;
400 rctformat = str2fmt(*++args);
401 } else if (!strcmp(*args, "-certfile")) {
402 if (!args[1])
403 goto argerr;
404 certfile = *++args;
405 } else if (!strcmp(*args, "-CAfile")) {
406 if (!args[1])
407 goto argerr;
408 CAfile = *++args;
409 } else if (!strcmp(*args, "-CApath")) {
410 if (!args[1])
411 goto argerr;
412 CApath = *++args;
413 } else if (!strcmp(*args, "-in")) {
414 if (!args[1])
415 goto argerr;
416 infile = *++args;
417 } else if (!strcmp(*args, "-inform")) {
418 if (!args[1])
419 goto argerr;
420 informat = str2fmt(*++args);
421 } else if (!strcmp(*args, "-outform")) {
422 if (!args[1])
423 goto argerr;
424 outformat = str2fmt(*++args);
425 } else if (!strcmp(*args, "-out")) {
426 if (!args[1])
427 goto argerr;
428 outfile = *++args;
429 } else if (!strcmp(*args, "-content")) {
430 if (!args[1])
431 goto argerr;
432 contfile = *++args;
433 } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
434 continue;
435 else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
436 badarg = 1;
437 args++;
438 }
439
440 if (((rr_allorfirst != -1) || rr_from) && !rr_to) {
441 BIO_puts(bio_err, "No Signed Receipts Recipients\n");
442 goto argerr;
443 }
444 if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) {
445 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
446 goto argerr;
447 }
448 if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
449 BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
450 goto argerr;
451 }
452 if (operation & SMIME_SIGNERS) {
453 if (keyfile && !signerfile) {
454 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
455 goto argerr;
456 }
457 /* Check to see if any final signer needs to be appended */
458 if (signerfile) {
459 if (!sksigners)
460 sksigners = sk_OPENSSL_STRING_new_null();
461 sk_OPENSSL_STRING_push(sksigners, signerfile);
462 if (!skkeys)
463 skkeys = sk_OPENSSL_STRING_new_null();
464 if (!keyfile)
465 keyfile = signerfile;
466 sk_OPENSSL_STRING_push(skkeys, keyfile);
467 }
468 if (!sksigners) {
469 BIO_printf(bio_err,
470 "No signer certificate specified\n");
471 badarg = 1;
472 }
473 signerfile = NULL;
474 keyfile = NULL;
475 } else if (operation == SMIME_DECRYPT) {
476 if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
477 BIO_printf(bio_err,
478 "No recipient certificate or key specified\n");
479 badarg = 1;
480 }
481 } else if (operation == SMIME_ENCRYPT) {
482 if (!*args && !secret_key && !pwri_pass) {
483 BIO_printf(bio_err,
484 "No recipient(s) certificate(s) specified\n");
485 badarg = 1;
486 }
487 } else if (!operation)
488 badarg = 1;
489
490 if (badarg) {
491argerr:
492 BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n");
493 BIO_printf(bio_err, "where options are\n");
494 BIO_printf(bio_err, "-encrypt encrypt message\n");
495 BIO_printf(bio_err, "-decrypt decrypt encrypted message\n");
496 BIO_printf(bio_err, "-sign sign message\n");
497 BIO_printf(bio_err, "-verify verify signed message\n");
498 BIO_printf(bio_err, "-cmsout output CMS structure\n");
499#ifndef OPENSSL_NO_DES
500 BIO_printf(bio_err, "-des3 encrypt with triple DES\n");
501 BIO_printf(bio_err, "-des encrypt with DES\n");
502#endif
503#ifndef OPENSSL_NO_RC2
504 BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
505 BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n");
506 BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n");
507#endif
508#ifndef OPENSSL_NO_AES
509 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
510 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
511#endif
512#ifndef OPENSSL_NO_CAMELLIA
513 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
514 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
515#endif
516 BIO_printf(bio_err, "-nointern don't search certificates in message for signer\n");
517 BIO_printf(bio_err, "-nosigs don't verify message signature\n");
518 BIO_printf(bio_err, "-noverify don't verify signers certificate\n");
519 BIO_printf(bio_err, "-nocerts don't include signers certificate when signing\n");
520 BIO_printf(bio_err, "-nodetach use opaque signing\n");
521 BIO_printf(bio_err, "-noattr don't include any signed attributes\n");
522 BIO_printf(bio_err, "-binary don't translate message to text\n");
523 BIO_printf(bio_err, "-certfile file other certificates file\n");
524 BIO_printf(bio_err, "-certsout file certificate output file\n");
525 BIO_printf(bio_err, "-signer file signer certificate file\n");
526 BIO_printf(bio_err, "-recip file recipient certificate file for decryption\n");
527 BIO_printf(bio_err, "-keyid use subject key identifier\n");
528 BIO_printf(bio_err, "-in file input file\n");
529 BIO_printf(bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
530 BIO_printf(bio_err, "-inkey file input private key (if not signer or recipient)\n");
531 BIO_printf(bio_err, "-keyform arg input private key format (PEM or ENGINE)\n");
532 BIO_printf(bio_err, "-out file output file\n");
533 BIO_printf(bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
534 BIO_printf(bio_err, "-content file supply or override content for detached signature\n");
535 BIO_printf(bio_err, "-to addr to address\n");
536 BIO_printf(bio_err, "-from ad from address\n");
537 BIO_printf(bio_err, "-subject s subject\n");
538 BIO_printf(bio_err, "-text include or delete text MIME headers\n");
539 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
540 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
541 BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
542 BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
543#ifndef OPENSSL_NO_ENGINE
544 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
545#endif
546 BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
547 BIO_printf(bio_err, "cert.pem recipient certificate(s) for encryption\n");
548 goto end;
549 }
550#ifndef OPENSSL_NO_ENGINE
551 e = setup_engine(bio_err, engine, 0);
552#endif
553
554 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
555 BIO_printf(bio_err, "Error getting password\n");
556 goto end;
557 }
558 ret = 2;
559
560 if (!(operation & SMIME_SIGNERS))
561 flags &= ~CMS_DETACHED;
562
563 if (operation & SMIME_OP) {
564 if (outformat == FORMAT_ASN1)
565 outmode = "wb";
566 } else {
567 if (flags & CMS_BINARY)
568 outmode = "wb";
569 }
570
571 if (operation & SMIME_IP) {
572 if (informat == FORMAT_ASN1)
573 inmode = "rb";
574 } else {
575 if (flags & CMS_BINARY)
576 inmode = "rb";
577 }
578
579 if (operation == SMIME_ENCRYPT) {
580 if (!cipher) {
581#ifndef OPENSSL_NO_DES
582 cipher = EVP_des_ede3_cbc();
583#else
584 BIO_printf(bio_err, "No cipher selected\n");
585 goto end;
586#endif
587 }
588 if (secret_key && !secret_keyid) {
589 BIO_printf(bio_err, "No secret key id\n");
590 goto end;
591 }
592 if (*args)
593 encerts = sk_X509_new_null();
594 while (*args) {
595 if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
596 NULL, e, "recipient certificate file")))
597 goto end;
598 sk_X509_push(encerts, cert);
599 cert = NULL;
600 args++;
601 }
602 }
603 if (certfile) {
604 if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
605 e, "certificate file"))) {
606 ERR_print_errors(bio_err);
607 goto end;
608 }
609 }
610 if (recipfile && (operation == SMIME_DECRYPT)) {
611 if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
612 e, "recipient certificate file"))) {
613 ERR_print_errors(bio_err);
614 goto end;
615 }
616 }
617 if (operation == SMIME_SIGN_RECEIPT) {
618 if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
619 e, "receipt signer certificate file"))) {
620 ERR_print_errors(bio_err);
621 goto end;
622 }
623 }
624 if (operation == SMIME_DECRYPT) {
625 if (!keyfile)
626 keyfile = recipfile;
627 } else if ((operation == SMIME_SIGN) ||
628 (operation == SMIME_SIGN_RECEIPT)) {
629 if (!keyfile)
630 keyfile = signerfile;
631 } else
632 keyfile = NULL;
633
634 if (keyfile) {
635 key = load_key(bio_err, keyfile, keyform, 0, passin, e,
636 "signing key file");
637 if (!key)
638 goto end;
639 }
640 if (infile) {
641 if (!(in = BIO_new_file(infile, inmode))) {
642 BIO_printf(bio_err,
643 "Can't open input file %s\n", infile);
644 goto end;
645 }
646 } else
647 in = BIO_new_fp(stdin, BIO_NOCLOSE);
648
649 if (operation & SMIME_IP) {
650 if (informat == FORMAT_SMIME)
651 cms = SMIME_read_CMS(in, &indata);
652 else if (informat == FORMAT_PEM)
653 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
654 else if (informat == FORMAT_ASN1)
655 cms = d2i_CMS_bio(in, NULL);
656 else {
657 BIO_printf(bio_err, "Bad input format for CMS file\n");
658 goto end;
659 }
660
661 if (!cms) {
662 BIO_printf(bio_err, "Error reading S/MIME message\n");
663 goto end;
664 }
665 if (contfile) {
666 BIO_free(indata);
667 if (!(indata = BIO_new_file(contfile, "rb"))) {
668 BIO_printf(bio_err,
669 "Can't read content file %s\n", contfile);
670 goto end;
671 }
672 }
673 if (certsoutfile) {
674 STACK_OF(X509) * allcerts;
675 allcerts = CMS_get1_certs(cms);
676 if (!save_certs(certsoutfile, allcerts)) {
677 BIO_printf(bio_err,
678 "Error writing certs to %s\n",
679 certsoutfile);
680 ret = 5;
681 goto end;
682 }
683 sk_X509_pop_free(allcerts, X509_free);
684 }
685 }
686 if (rctfile) {
687 char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
688 if (!(rctin = BIO_new_file(rctfile, rctmode))) {
689 BIO_printf(bio_err,
690 "Can't open receipt file %s\n", rctfile);
691 goto end;
692 }
693 if (rctformat == FORMAT_SMIME)
694 rcms = SMIME_read_CMS(rctin, NULL);
695 else if (rctformat == FORMAT_PEM)
696 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
697 else if (rctformat == FORMAT_ASN1)
698 rcms = d2i_CMS_bio(rctin, NULL);
699 else {
700 BIO_printf(bio_err, "Bad input format for receipt\n");
701 goto end;
702 }
703
704 if (!rcms) {
705 BIO_printf(bio_err, "Error reading receipt\n");
706 goto end;
707 }
708 }
709 if (outfile) {
710 if (!(out = BIO_new_file(outfile, outmode))) {
711 BIO_printf(bio_err,
712 "Can't open output file %s\n", outfile);
713 goto end;
714 }
715 } else {
716 out = BIO_new_fp(stdout, BIO_NOCLOSE);
717 }
718
719 if ((operation == SMIME_VERIFY) ||
720 (operation == SMIME_VERIFY_RECEIPT)) {
721 if (!(store = setup_verify(bio_err, CAfile, CApath)))
722 goto end;
723 X509_STORE_set_verify_cb(store, cms_cb);
724 if (vpm)
725 X509_STORE_set1_param(store, vpm);
726 }
727 ret = 3;
728
729 if (operation == SMIME_DATA_CREATE) {
730 cms = CMS_data_create(in, flags);
731 } else if (operation == SMIME_DIGEST_CREATE) {
732 cms = CMS_digest_create(in, sign_md, flags);
733 } else if (operation == SMIME_COMPRESS) {
734 cms = CMS_compress(in, -1, flags);
735 } else if (operation == SMIME_ENCRYPT) {
736 flags |= CMS_PARTIAL;
737 cms = CMS_encrypt(encerts, in, cipher, flags);
738 if (!cms)
739 goto end;
740 if (secret_key) {
741 if (!CMS_add0_recipient_key(cms, NID_undef, secret_key,
742 secret_keylen, secret_keyid, secret_keyidlen,
743 NULL, NULL, NULL))
744 goto end;
745 /* NULL these because call absorbs them */
746 secret_key = NULL;
747 secret_keyid = NULL;
748 }
749 if (pwri_pass) {
750 pwri_tmp = strdup(pwri_pass);
751 if (!pwri_tmp)
752 goto end;
753 if (!CMS_add0_recipient_password(cms, -1, NID_undef,
754 NID_undef, pwri_tmp, -1, NULL))
755 goto end;
756 pwri_tmp = NULL;
757 }
758 if (!(flags & CMS_STREAM)) {
759 if (!CMS_final(cms, in, NULL, flags))
760 goto end;
761 }
762 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
763 cms = CMS_EncryptedData_encrypt(in, cipher, secret_key,
764 secret_keylen, flags);
765
766 } else if (operation == SMIME_SIGN_RECEIPT) {
767 CMS_ContentInfo *srcms = NULL;
768 STACK_OF(CMS_SignerInfo) * sis;
769 CMS_SignerInfo *si;
770 sis = CMS_get0_SignerInfos(cms);
771 if (!sis)
772 goto end;
773 si = sk_CMS_SignerInfo_value(sis, 0);
774 srcms = CMS_sign_receipt(si, signer, key, other, flags);
775 if (!srcms)
776 goto end;
777 CMS_ContentInfo_free(cms);
778 cms = srcms;
779 } else if (operation & SMIME_SIGNERS) {
780 int i;
781 /*
782 * If detached data content we enable streaming if S/MIME
783 * output format.
784 */
785 if (operation == SMIME_SIGN) {
786
787 if (flags & CMS_DETACHED) {
788 if (outformat == FORMAT_SMIME)
789 flags |= CMS_STREAM;
790 }
791 flags |= CMS_PARTIAL;
792 cms = CMS_sign(NULL, NULL, other, in, flags);
793 if (!cms)
794 goto end;
795 if (econtent_type)
796 CMS_set1_eContentType(cms, econtent_type);
797
798 if (rr_to) {
799 rr = make_receipt_request(rr_to, rr_allorfirst,
800 rr_from);
801 if (!rr) {
802 BIO_puts(bio_err,
803 "Signed Receipt Request Creation Error\n");
804 goto end;
805 }
806 }
807 } else
808 flags |= CMS_REUSE_DIGEST;
809 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
810 CMS_SignerInfo *si;
811 signerfile = sk_OPENSSL_STRING_value(sksigners, i);
812 keyfile = sk_OPENSSL_STRING_value(skkeys, i);
813 signer = load_cert(bio_err, signerfile, FORMAT_PEM,
814 NULL, e, "signer certificate");
815 if (!signer)
816 goto end;
817 key = load_key(bio_err, keyfile, keyform, 0, passin, e,
818 "signing key file");
819 if (!key)
820 goto end;
821 si = CMS_add1_signer(cms, signer, key, sign_md, flags);
822 if (!si)
823 goto end;
824 if (rr && !CMS_add1_ReceiptRequest(si, rr))
825 goto end;
826 X509_free(signer);
827 signer = NULL;
828 EVP_PKEY_free(key);
829 key = NULL;
830 }
831 /* If not streaming or resigning finalize structure */
832 if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
833 if (!CMS_final(cms, in, NULL, flags))
834 goto end;
835 }
836 }
837 if (!cms) {
838 BIO_printf(bio_err, "Error creating CMS structure\n");
839 goto end;
840 }
841 ret = 4;
842 if (operation == SMIME_DECRYPT) {
843 if (flags & CMS_DEBUG_DECRYPT)
844 CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
845
846 if (secret_key) {
847 if (!CMS_decrypt_set1_key(cms, secret_key,
848 secret_keylen, secret_keyid, secret_keyidlen)) {
849 BIO_puts(bio_err,
850 "Error decrypting CMS using secret key\n");
851 goto end;
852 }
853 }
854 if (key) {
855 if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
856 BIO_puts(bio_err,
857 "Error decrypting CMS using private key\n");
858 goto end;
859 }
860 }
861 if (pwri_pass) {
862 if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
863 BIO_puts(bio_err,
864 "Error decrypting CMS using password\n");
865 goto end;
866 }
867 }
868 if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
869 BIO_printf(bio_err, "Error decrypting CMS structure\n");
870 goto end;
871 }
872 } else if (operation == SMIME_DATAOUT) {
873 if (!CMS_data(cms, out, flags))
874 goto end;
875 } else if (operation == SMIME_UNCOMPRESS) {
876 if (!CMS_uncompress(cms, indata, out, flags))
877 goto end;
878 } else if (operation == SMIME_DIGEST_VERIFY) {
879 if (CMS_digest_verify(cms, indata, out, flags) > 0)
880 BIO_printf(bio_err, "Verification successful\n");
881 else {
882 BIO_printf(bio_err, "Verification failure\n");
883 goto end;
884 }
885 } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
886 if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
887 indata, out, flags))
888 goto end;
889 } else if (operation == SMIME_VERIFY) {
890 if (CMS_verify(cms, other, store, indata, out, flags) > 0)
891 BIO_printf(bio_err, "Verification successful\n");
892 else {
893 BIO_printf(bio_err, "Verification failure\n");
894 if (verify_retcode)
895 ret = verify_err + 32;
896 goto end;
897 }
898 if (signerfile) {
899 STACK_OF(X509) * signers;
900 signers = CMS_get0_signers(cms);
901 if (!save_certs(signerfile, signers)) {
902 BIO_printf(bio_err,
903 "Error writing signers to %s\n",
904 signerfile);
905 ret = 5;
906 goto end;
907 }
908 sk_X509_free(signers);
909 }
910 if (rr_print)
911 receipt_request_print(bio_err, cms);
912
913 } else if (operation == SMIME_VERIFY_RECEIPT) {
914 if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
915 BIO_printf(bio_err, "Verification successful\n");
916 else {
917 BIO_printf(bio_err, "Verification failure\n");
918 goto end;
919 }
920 } else {
921 if (noout) {
922 if (print)
923 CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
924 } else if (outformat == FORMAT_SMIME) {
925 if (to)
926 BIO_printf(out, "To: %s\n", to);
927 if (from)
928 BIO_printf(out, "From: %s\n", from);
929 if (subject)
930 BIO_printf(out, "Subject: %s\n", subject);
931 if (operation == SMIME_RESIGN)
932 ret = SMIME_write_CMS(out, cms, indata, flags);
933 else
934 ret = SMIME_write_CMS(out, cms, in, flags);
935 } else if (outformat == FORMAT_PEM)
936 ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
937 else if (outformat == FORMAT_ASN1)
938 ret = i2d_CMS_bio_stream(out, cms, in, flags);
939 else {
940 BIO_printf(bio_err, "Bad output format for CMS file\n");
941 goto end;
942 }
943 if (ret <= 0) {
944 ret = 6;
945 goto end;
946 }
947 }
948 ret = 0;
949
950end:
951 if (ret)
952 ERR_print_errors(bio_err);
953 sk_X509_pop_free(encerts, X509_free);
954 sk_X509_pop_free(other, X509_free);
955 if (vpm)
956 X509_VERIFY_PARAM_free(vpm);
957 if (sksigners)
958 sk_OPENSSL_STRING_free(sksigners);
959 if (skkeys)
960 sk_OPENSSL_STRING_free(skkeys);
961 free(secret_key);
962 free(secret_keyid);
963 free(pwri_tmp);
964 if (econtent_type)
965 ASN1_OBJECT_free(econtent_type);
966 if (rr)
967 CMS_ReceiptRequest_free(rr);
968 if (rr_to)
969 sk_OPENSSL_STRING_free(rr_to);
970 if (rr_from)
971 sk_OPENSSL_STRING_free(rr_from);
972 X509_STORE_free(store);
973 X509_free(cert);
974 X509_free(recip);
975 X509_free(signer);
976 EVP_PKEY_free(key);
977 CMS_ContentInfo_free(cms);
978 CMS_ContentInfo_free(rcms);
979 BIO_free(rctin);
980 BIO_free(in);
981 BIO_free(indata);
982 BIO_free_all(out);
983 free(passin);
984 return (ret);
985}
986
987static int
988save_certs(char *signerfile, STACK_OF(X509) * signers)
989{
990 int i;
991 BIO *tmp;
992
993 if (!signerfile)
994 return 1;
995 tmp = BIO_new_file(signerfile, "w");
996 if (!tmp)
997 return 0;
998 for (i = 0; i < sk_X509_num(signers); i++)
999 PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
1000 BIO_free(tmp);
1001 return 1;
1002}
1003
1004/* Minimal callback just to output policy info (if any) */
1005
1006static int
1007cms_cb(int ok, X509_STORE_CTX * ctx)
1008{
1009 int error;
1010
1011 error = X509_STORE_CTX_get_error(ctx);
1012
1013 verify_err = error;
1014
1015 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
1016 ((error != X509_V_OK) || (ok != 2)))
1017 return ok;
1018
1019 policies_print(NULL, ctx);
1020
1021 return ok;
1022}
1023
1024static void
1025gnames_stack_print(BIO * out, STACK_OF(GENERAL_NAMES) * gns)
1026{
1027 STACK_OF(GENERAL_NAME) * gens;
1028 GENERAL_NAME *gen;
1029 int i, j;
1030
1031 for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
1032 gens = sk_GENERAL_NAMES_value(gns, i);
1033 for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
1034 gen = sk_GENERAL_NAME_value(gens, j);
1035 BIO_puts(out, " ");
1036 GENERAL_NAME_print(out, gen);
1037 BIO_puts(out, "\n");
1038 }
1039 }
1040 return;
1041}
1042
1043static void
1044receipt_request_print(BIO * out, CMS_ContentInfo * cms)
1045{
1046 STACK_OF(CMS_SignerInfo) * sis;
1047 CMS_SignerInfo *si;
1048 CMS_ReceiptRequest *rr;
1049 int allorfirst;
1050 STACK_OF(GENERAL_NAMES) * rto, *rlist;
1051 ASN1_STRING *scid;
1052 int i, rv;
1053
1054 sis = CMS_get0_SignerInfos(cms);
1055 for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
1056 si = sk_CMS_SignerInfo_value(sis, i);
1057 rv = CMS_get1_ReceiptRequest(si, &rr);
1058 BIO_printf(bio_err, "Signer %d:\n", i + 1);
1059 if (rv == 0)
1060 BIO_puts(bio_err, " No Receipt Request\n");
1061 else if (rv < 0) {
1062 BIO_puts(bio_err, " Receipt Request Parse Error\n");
1063 ERR_print_errors(bio_err);
1064 } else {
1065 char *id;
1066 int idlen;
1067 CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
1068 &rlist, &rto);
1069 BIO_puts(out, " Signed Content ID:\n");
1070 idlen = ASN1_STRING_length(scid);
1071 id = (char *) ASN1_STRING_data(scid);
1072 BIO_dump_indent(out, id, idlen, 4);
1073 BIO_puts(out, " Receipts From");
1074 if (rlist) {
1075 BIO_puts(out, " List:\n");
1076 gnames_stack_print(out, rlist);
1077 } else if (allorfirst == 1)
1078 BIO_puts(out, ": First Tier\n");
1079 else if (allorfirst == 0)
1080 BIO_puts(out, ": All\n");
1081 else
1082 BIO_printf(out, " Unknown (%d)\n", allorfirst);
1083 BIO_puts(out, " Receipts To:\n");
1084 gnames_stack_print(out, rto);
1085 }
1086 if (rr)
1087 CMS_ReceiptRequest_free(rr);
1088 }
1089}
1090
1091static STACK_OF(GENERAL_NAMES) *
1092make_names_stack(STACK_OF(OPENSSL_STRING) * ns)
1093{
1094 int i;
1095 STACK_OF(GENERAL_NAMES) * ret;
1096 GENERAL_NAMES *gens = NULL;
1097 GENERAL_NAME *gen = NULL;
1098 ret = sk_GENERAL_NAMES_new_null();
1099 if (!ret)
1100 goto err;
1101 for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
1102 char *str = sk_OPENSSL_STRING_value(ns, i);
1103 gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
1104 if (!gen)
1105 goto err;
1106 gens = GENERAL_NAMES_new();
1107 if (!gens)
1108 goto err;
1109 if (!sk_GENERAL_NAME_push(gens, gen))
1110 goto err;
1111 gen = NULL;
1112 if (!sk_GENERAL_NAMES_push(ret, gens))
1113 goto err;
1114 gens = NULL;
1115 }
1116
1117 return ret;
1118
1119err:
1120 if (ret)
1121 sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
1122 if (gens)
1123 GENERAL_NAMES_free(gens);
1124 if (gen)
1125 GENERAL_NAME_free(gen);
1126 return NULL;
1127}
1128
1129
1130static CMS_ReceiptRequest *
1131make_receipt_request(STACK_OF(OPENSSL_STRING) * rr_to, int rr_allorfirst,
1132 STACK_OF(OPENSSL_STRING) * rr_from)
1133{
1134 STACK_OF(GENERAL_NAMES) * rct_to, *rct_from;
1135 CMS_ReceiptRequest *rr;
1136
1137 rct_to = make_names_stack(rr_to);
1138 if (!rct_to)
1139 goto err;
1140 if (rr_from) {
1141 rct_from = make_names_stack(rr_from);
1142 if (!rct_from)
1143 goto err;
1144 } else
1145 rct_from = NULL;
1146 rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
1147 rct_to);
1148 return rr;
1149
1150err:
1151 return NULL;
1152}
1153
1154#endif
diff --git a/src/lib/libssl/src/apps/crl.c b/src/lib/libssl/src/apps/crl.c
deleted file mode 100644
index 57c87b67b7..0000000000
--- a/src/lib/libssl/src/apps/crl.c
+++ /dev/null
@@ -1,415 +0,0 @@
1/* $OpenBSD: crl.c,v 1.25 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/err.h>
67#include <openssl/pem.h>
68#include <openssl/x509.h>
69#include <openssl/x509v3.h>
70
71#define POSTFIX ".rvk"
72
73static const char *crl_usage[] = {
74 "usage: crl args\n",
75 "\n",
76 " -inform arg - input format - default PEM (DER or PEM)\n",
77 " -outform arg - output format - default PEM\n",
78 " -text - print out a text format version\n",
79 " -in arg - input file - default stdin\n",
80 " -out arg - output file - default stdout\n",
81 " -hash - print hash value\n",
82#ifndef OPENSSL_NO_MD5
83 " -hash_old - print old-style (MD5) hash value\n",
84#endif
85 " -fingerprint - print the crl fingerprint\n",
86 " -issuer - print issuer DN\n",
87 " -lastupdate - lastUpdate field\n",
88 " -nextupdate - nextUpdate field\n",
89 " -crlnumber - print CRL number\n",
90 " -noout - no CRL output\n",
91 " -CAfile name - verify CRL using certificates in file \"name\"\n",
92 " -CApath dir - verify CRL using certificates in \"dir\"\n",
93 " -nameopt arg - various certificate name options\n",
94 NULL
95};
96
97static X509_CRL *load_crl(char *file, int format);
98static BIO *bio_out = NULL;
99
100int crl_main(int, char **);
101
102int
103crl_main(int argc, char **argv)
104{
105 unsigned long nmflag = 0;
106 X509_CRL *x = NULL;
107 char *CAfile = NULL, *CApath = NULL;
108 int ret = 1, i, num, badops = 0;
109 BIO *out = NULL;
110 int informat, outformat;
111 char *infile = NULL, *outfile = NULL;
112 int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0,
113 text = 0;
114#ifndef OPENSSL_NO_MD5
115 int hash_old = 0;
116#endif
117 int fingerprint = 0, crlnumber = 0;
118 const char **pp;
119 X509_STORE *store = NULL;
120 X509_STORE_CTX ctx;
121 X509_LOOKUP *lookup = NULL;
122 X509_OBJECT xobj;
123 EVP_PKEY *pkey;
124 int do_ver = 0;
125 const EVP_MD *md_alg, *digest = EVP_sha1();
126
127 if (bio_out == NULL)
128 if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
129 BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
130 }
131 informat = FORMAT_PEM;
132 outformat = FORMAT_PEM;
133
134 argc--;
135 argv++;
136 num = 0;
137 while (argc >= 1) {
138#ifdef undef
139 if (strcmp(*argv, "-p") == 0) {
140 if (--argc < 1)
141 goto bad;
142 if (!args_from_file(++argv, Nargc, Nargv)) {
143 goto end;
144 }
145 }
146#endif
147 if (strcmp(*argv, "-inform") == 0) {
148 if (--argc < 1)
149 goto bad;
150 informat = str2fmt(*(++argv));
151 } else if (strcmp(*argv, "-outform") == 0) {
152 if (--argc < 1)
153 goto bad;
154 outformat = str2fmt(*(++argv));
155 } else if (strcmp(*argv, "-in") == 0) {
156 if (--argc < 1)
157 goto bad;
158 infile = *(++argv);
159 } else if (strcmp(*argv, "-out") == 0) {
160 if (--argc < 1)
161 goto bad;
162 outfile = *(++argv);
163 } else if (strcmp(*argv, "-CApath") == 0) {
164 if (--argc < 1)
165 goto bad;
166 CApath = *(++argv);
167 do_ver = 1;
168 } else if (strcmp(*argv, "-CAfile") == 0) {
169 if (--argc < 1)
170 goto bad;
171 CAfile = *(++argv);
172 do_ver = 1;
173 } else if (strcmp(*argv, "-verify") == 0)
174 do_ver = 1;
175 else if (strcmp(*argv, "-text") == 0)
176 text = 1;
177 else if (strcmp(*argv, "-hash") == 0)
178 hash = ++num;
179#ifndef OPENSSL_NO_MD5
180 else if (strcmp(*argv, "-hash_old") == 0)
181 hash_old = ++num;
182#endif
183 else if (strcmp(*argv, "-nameopt") == 0) {
184 if (--argc < 1)
185 goto bad;
186 if (!set_name_ex(&nmflag, *(++argv)))
187 goto bad;
188 } else if (strcmp(*argv, "-issuer") == 0)
189 issuer = ++num;
190 else if (strcmp(*argv, "-lastupdate") == 0)
191 lastupdate = ++num;
192 else if (strcmp(*argv, "-nextupdate") == 0)
193 nextupdate = ++num;
194 else if (strcmp(*argv, "-noout") == 0)
195 noout = ++num;
196 else if (strcmp(*argv, "-fingerprint") == 0)
197 fingerprint = ++num;
198 else if (strcmp(*argv, "-crlnumber") == 0)
199 crlnumber = ++num;
200 else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
201 /* ok */
202 digest = md_alg;
203 } else {
204 BIO_printf(bio_err, "unknown option %s\n", *argv);
205 badops = 1;
206 break;
207 }
208 argc--;
209 argv++;
210 }
211
212 if (badops) {
213bad:
214 for (pp = crl_usage; (*pp != NULL); pp++)
215 BIO_printf(bio_err, "%s", *pp);
216 goto end;
217 }
218 ERR_load_crypto_strings();
219 x = load_crl(infile, informat);
220 if (x == NULL) {
221 goto end;
222 }
223 if (do_ver) {
224 store = X509_STORE_new();
225 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
226 if (lookup == NULL)
227 goto end;
228 if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
229 X509_LOOKUP_load_file(lookup, NULL,
230 X509_FILETYPE_DEFAULT);
231
232 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
233 if (lookup == NULL)
234 goto end;
235 if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
236 X509_LOOKUP_add_dir(lookup, NULL,
237 X509_FILETYPE_DEFAULT);
238 ERR_clear_error();
239
240 if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
241 BIO_printf(bio_err,
242 "Error initialising X509 store\n");
243 goto end;
244 }
245 i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
246 X509_CRL_get_issuer(x), &xobj);
247 if (i <= 0) {
248 BIO_printf(bio_err,
249 "Error getting CRL issuer certificate\n");
250 goto end;
251 }
252 pkey = X509_get_pubkey(xobj.data.x509);
253 X509_OBJECT_free_contents(&xobj);
254 if (!pkey) {
255 BIO_printf(bio_err,
256 "Error getting CRL issuer public key\n");
257 goto end;
258 }
259 i = X509_CRL_verify(x, pkey);
260 EVP_PKEY_free(pkey);
261 if (i < 0)
262 goto end;
263 if (i == 0)
264 BIO_printf(bio_err, "verify failure\n");
265 else
266 BIO_printf(bio_err, "verify OK\n");
267 }
268 if (num) {
269 for (i = 1; i <= num; i++) {
270 if (issuer == i) {
271 print_name(bio_out, "issuer=",
272 X509_CRL_get_issuer(x), nmflag);
273 }
274 if (crlnumber == i) {
275 ASN1_INTEGER *crlnum;
276 crlnum = X509_CRL_get_ext_d2i(x,
277 NID_crl_number, NULL, NULL);
278 BIO_printf(bio_out, "crlNumber=");
279 if (crlnum) {
280 i2a_ASN1_INTEGER(bio_out, crlnum);
281 ASN1_INTEGER_free(crlnum);
282 } else
283 BIO_puts(bio_out, "<NONE>");
284 BIO_printf(bio_out, "\n");
285 }
286 if (hash == i) {
287 BIO_printf(bio_out, "%08lx\n",
288 X509_NAME_hash(X509_CRL_get_issuer(x)));
289 }
290#ifndef OPENSSL_NO_MD5
291 if (hash_old == i) {
292 BIO_printf(bio_out, "%08lx\n",
293 X509_NAME_hash_old(X509_CRL_get_issuer(x)));
294 }
295#endif
296 if (lastupdate == i) {
297 BIO_printf(bio_out, "lastUpdate=");
298 ASN1_TIME_print(bio_out,
299 X509_CRL_get_lastUpdate(x));
300 BIO_printf(bio_out, "\n");
301 }
302 if (nextupdate == i) {
303 BIO_printf(bio_out, "nextUpdate=");
304 if (X509_CRL_get_nextUpdate(x))
305 ASN1_TIME_print(bio_out,
306 X509_CRL_get_nextUpdate(x));
307 else
308 BIO_printf(bio_out, "NONE");
309 BIO_printf(bio_out, "\n");
310 }
311 if (fingerprint == i) {
312 int j;
313 unsigned int n;
314 unsigned char md[EVP_MAX_MD_SIZE];
315
316 if (!X509_CRL_digest(x, digest, md, &n)) {
317 BIO_printf(bio_err, "out of memory\n");
318 goto end;
319 }
320 BIO_printf(bio_out, "%s Fingerprint=",
321 OBJ_nid2sn(EVP_MD_type(digest)));
322 for (j = 0; j < (int) n; j++) {
323 BIO_printf(bio_out, "%02X%c", md[j],
324 (j + 1 == (int)n) ? '\n' : ':');
325 }
326 }
327 }
328 }
329 out = BIO_new(BIO_s_file());
330 if (out == NULL) {
331 ERR_print_errors(bio_err);
332 goto end;
333 }
334 if (outfile == NULL) {
335 BIO_set_fp(out, stdout, BIO_NOCLOSE);
336 } else {
337 if (BIO_write_filename(out, outfile) <= 0) {
338 perror(outfile);
339 goto end;
340 }
341 }
342
343 if (text)
344 X509_CRL_print(out, x);
345
346 if (noout) {
347 ret = 0;
348 goto end;
349 }
350 if (outformat == FORMAT_ASN1)
351 i = (int) i2d_X509_CRL_bio(out, x);
352 else if (outformat == FORMAT_PEM)
353 i = PEM_write_bio_X509_CRL(out, x);
354 else {
355 BIO_printf(bio_err,
356 "bad output format specified for outfile\n");
357 goto end;
358 }
359 if (!i) {
360 BIO_printf(bio_err, "unable to write CRL\n");
361 goto end;
362 }
363 ret = 0;
364
365end:
366 BIO_free_all(out);
367 BIO_free_all(bio_out);
368 bio_out = NULL;
369 X509_CRL_free(x);
370 if (store) {
371 X509_STORE_CTX_cleanup(&ctx);
372 X509_STORE_free(store);
373 }
374
375 return (ret);
376}
377
378static X509_CRL *
379load_crl(char *infile, int format)
380{
381 X509_CRL *x = NULL;
382 BIO *in = NULL;
383
384 in = BIO_new(BIO_s_file());
385 if (in == NULL) {
386 ERR_print_errors(bio_err);
387 goto end;
388 }
389 if (infile == NULL)
390 BIO_set_fp(in, stdin, BIO_NOCLOSE);
391 else {
392 if (BIO_read_filename(in, infile) <= 0) {
393 perror(infile);
394 goto end;
395 }
396 }
397 if (format == FORMAT_ASN1)
398 x = d2i_X509_CRL_bio(in, NULL);
399 else if (format == FORMAT_PEM)
400 x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
401 else {
402 BIO_printf(bio_err,
403 "bad input format specified for input crl\n");
404 goto end;
405 }
406 if (x == NULL) {
407 BIO_printf(bio_err, "unable to load CRL\n");
408 ERR_print_errors(bio_err);
409 goto end;
410 }
411
412end:
413 BIO_free(in);
414 return (x);
415}
diff --git a/src/lib/libssl/src/apps/crl2p7.c b/src/lib/libssl/src/apps/crl2p7.c
deleted file mode 100644
index de638a7ce2..0000000000
--- a/src/lib/libssl/src/apps/crl2p7.c
+++ /dev/null
@@ -1,314 +0,0 @@
1/* $OpenBSD: crl2p7.c,v 1.20 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu>
60 * and donated 'to the cause' along with lots and lots of other fixes to
61 * the library. */
62
63#include <sys/types.h>
64
65#include <stdio.h>
66#include <string.h>
67
68#include "apps.h"
69
70#include <openssl/err.h>
71#include <openssl/evp.h>
72#include <openssl/objects.h>
73#include <openssl/pem.h>
74#include <openssl/pkcs7.h>
75#include <openssl/x509.h>
76
77static int add_certs_from_file(STACK_OF(X509) * stack, char *certfile);
78
79/* -inform arg - input format - default PEM (DER or PEM)
80 * -outform arg - output format - default PEM
81 * -in arg - input file - default stdin
82 * -out arg - output file - default stdout
83 */
84
85int crl2pkcs7_main(int, char **);
86
87int
88crl2pkcs7_main(int argc, char **argv)
89{
90 int i, badops = 0;
91 BIO *in = NULL, *out = NULL;
92 int informat, outformat;
93 char *infile, *outfile, *prog, *certfile;
94 PKCS7 *p7 = NULL;
95 PKCS7_SIGNED *p7s = NULL;
96 X509_CRL *crl = NULL;
97 STACK_OF(OPENSSL_STRING) * certflst = NULL;
98 STACK_OF(X509_CRL) * crl_stack = NULL;
99 STACK_OF(X509) * cert_stack = NULL;
100 int ret = 1, nocrl = 0;
101
102 infile = NULL;
103 outfile = NULL;
104 informat = FORMAT_PEM;
105 outformat = FORMAT_PEM;
106
107 prog = argv[0];
108 argc--;
109 argv++;
110 while (argc >= 1) {
111 if (strcmp(*argv, "-inform") == 0) {
112 if (--argc < 1)
113 goto bad;
114 informat = str2fmt(*(++argv));
115 } else if (strcmp(*argv, "-outform") == 0) {
116 if (--argc < 1)
117 goto bad;
118 outformat = str2fmt(*(++argv));
119 } else if (strcmp(*argv, "-in") == 0) {
120 if (--argc < 1)
121 goto bad;
122 infile = *(++argv);
123 } else if (strcmp(*argv, "-nocrl") == 0) {
124 nocrl = 1;
125 } else if (strcmp(*argv, "-out") == 0) {
126 if (--argc < 1)
127 goto bad;
128 outfile = *(++argv);
129 } else if (strcmp(*argv, "-certfile") == 0) {
130 if (--argc < 1)
131 goto bad;
132 if (!certflst)
133 certflst = sk_OPENSSL_STRING_new_null();
134 sk_OPENSSL_STRING_push(certflst, *(++argv));
135 } else {
136 BIO_printf(bio_err, "unknown option %s\n", *argv);
137 badops = 1;
138 break;
139 }
140 argc--;
141 argv++;
142 }
143
144 if (badops) {
145bad:
146 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
147 BIO_printf(bio_err, "where options are\n");
148 BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
149 BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
150 BIO_printf(bio_err, " -in arg input file\n");
151 BIO_printf(bio_err, " -out arg output file\n");
152 BIO_printf(bio_err, " -certfile arg certificates file of chain to a trusted CA\n");
153 BIO_printf(bio_err, " (can be used more than once)\n");
154 BIO_printf(bio_err, " -nocrl no crl to load, just certs from '-certfile'\n");
155 ret = 1;
156 goto end;
157 }
158 ERR_load_crypto_strings();
159
160 in = BIO_new(BIO_s_file());
161 out = BIO_new(BIO_s_file());
162 if ((in == NULL) || (out == NULL)) {
163 ERR_print_errors(bio_err);
164 goto end;
165 }
166 if (!nocrl) {
167 if (infile == NULL)
168 BIO_set_fp(in, stdin, BIO_NOCLOSE);
169 else {
170 if (BIO_read_filename(in, infile) <= 0) {
171 perror(infile);
172 goto end;
173 }
174 }
175
176 if (informat == FORMAT_ASN1)
177 crl = d2i_X509_CRL_bio(in, NULL);
178 else if (informat == FORMAT_PEM)
179 crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
180 else {
181 BIO_printf(bio_err,
182 "bad input format specified for input crl\n");
183 goto end;
184 }
185 if (crl == NULL) {
186 BIO_printf(bio_err, "unable to load CRL\n");
187 ERR_print_errors(bio_err);
188 goto end;
189 }
190 }
191 if ((p7 = PKCS7_new()) == NULL)
192 goto end;
193 if ((p7s = PKCS7_SIGNED_new()) == NULL)
194 goto end;
195 p7->type = OBJ_nid2obj(NID_pkcs7_signed);
196 p7->d.sign = p7s;
197 p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
198
199 if (!ASN1_INTEGER_set(p7s->version, 1))
200 goto end;
201 if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
202 goto end;
203 p7s->crl = crl_stack;
204 if (crl != NULL) {
205 sk_X509_CRL_push(crl_stack, crl);
206 crl = NULL; /* now part of p7 for freeing */
207 }
208 if ((cert_stack = sk_X509_new_null()) == NULL)
209 goto end;
210 p7s->cert = cert_stack;
211
212 if (certflst)
213 for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
214 certfile = sk_OPENSSL_STRING_value(certflst, i);
215 if (add_certs_from_file(cert_stack, certfile) < 0) {
216 BIO_printf(bio_err,
217 "error loading certificates\n");
218 ERR_print_errors(bio_err);
219 goto end;
220 }
221 }
222
223 sk_OPENSSL_STRING_free(certflst);
224
225 if (outfile == NULL) {
226 BIO_set_fp(out, stdout, BIO_NOCLOSE);
227 } else {
228 if (BIO_write_filename(out, outfile) <= 0) {
229 perror(outfile);
230 goto end;
231 }
232 }
233
234 if (outformat == FORMAT_ASN1)
235 i = i2d_PKCS7_bio(out, p7);
236 else if (outformat == FORMAT_PEM)
237 i = PEM_write_bio_PKCS7(out, p7);
238 else {
239 BIO_printf(bio_err,
240 "bad output format specified for outfile\n");
241 goto end;
242 }
243 if (!i) {
244 BIO_printf(bio_err, "unable to write pkcs7 object\n");
245 ERR_print_errors(bio_err);
246 goto end;
247 }
248 ret = 0;
249
250end:
251 if (in != NULL)
252 BIO_free(in);
253 if (out != NULL)
254 BIO_free_all(out);
255 if (p7 != NULL)
256 PKCS7_free(p7);
257 if (crl != NULL)
258 X509_CRL_free(crl);
259
260
261 return (ret);
262}
263
264/*
265 *----------------------------------------------------------------------
266 * int add_certs_from_file
267 *
268 * Read a list of certificates to be checked from a file.
269 *
270 * Results:
271 * number of certs added if successful, -1 if not.
272 *----------------------------------------------------------------------
273 */
274static int
275add_certs_from_file(STACK_OF(X509) * stack, char *certfile)
276{
277 BIO *in = NULL;
278 int count = 0;
279 int ret = -1;
280 STACK_OF(X509_INFO) * sk = NULL;
281 X509_INFO *xi;
282
283 in = BIO_new(BIO_s_file());
284 if ((in == NULL) || (BIO_read_filename(in, certfile) <= 0)) {
285 BIO_printf(bio_err, "error opening the file, %s\n", certfile);
286 goto end;
287 }
288 /* This loads from a file, a stack of x509/crl/pkey sets */
289 sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
290 if (sk == NULL) {
291 BIO_printf(bio_err, "error reading the file, %s\n", certfile);
292 goto end;
293 }
294 /* scan over it and pull out the CRL's */
295 while (sk_X509_INFO_num(sk)) {
296 xi = sk_X509_INFO_shift(sk);
297 if (xi->x509 != NULL) {
298 sk_X509_push(stack, xi->x509);
299 xi->x509 = NULL;
300 count++;
301 }
302 X509_INFO_free(xi);
303 }
304
305 ret = count;
306
307end:
308 /* never need to free x */
309 if (in != NULL)
310 BIO_free(in);
311 if (sk != NULL)
312 sk_X509_INFO_free(sk);
313 return (ret);
314}
diff --git a/src/lib/libssl/src/apps/dgst.c b/src/lib/libssl/src/apps/dgst.c
deleted file mode 100644
index e19b959077..0000000000
--- a/src/lib/libssl/src/apps/dgst.c
+++ /dev/null
@@ -1,547 +0,0 @@
1/* $OpenBSD: dgst.c,v 1.39 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/err.h>
67#include <openssl/evp.h>
68#include <openssl/hmac.h>
69#include <openssl/objects.h>
70#include <openssl/pem.h>
71#include <openssl/x509.h>
72
73#define BUFSIZE 1024*8
74
75int
76do_fp(BIO * out, unsigned char *buf, BIO * bp, int sep, int binout,
77 EVP_PKEY * key, unsigned char *sigin, int siglen,
78 const char *sig_name, const char *md_name,
79 const char *file, BIO * bmd);
80
81static void
82list_md_fn(const EVP_MD * m, const char *from, const char *to, void *arg)
83{
84 const char *mname;
85 /* Skip aliases */
86 if (!m)
87 return;
88 mname = OBJ_nid2ln(EVP_MD_type(m));
89 /* Skip shortnames */
90 if (strcmp(from, mname))
91 return;
92 /* Skip clones */
93 if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
94 return;
95 if (strchr(mname, ' '))
96 mname = EVP_MD_name(m);
97 BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
98 mname, mname);
99}
100
101int dgst_main(int, char **);
102
103int
104dgst_main(int argc, char **argv)
105{
106 ENGINE *e = NULL;
107 unsigned char *buf = NULL;
108 int i, err = 1;
109 const EVP_MD *md = NULL, *m;
110 BIO *in = NULL, *inp;
111 BIO *bmd = NULL;
112 BIO *out = NULL;
113#define PROG_NAME_SIZE 39
114 char pname[PROG_NAME_SIZE + 1];
115 int separator = 0;
116 int debug = 0;
117 int keyform = FORMAT_PEM;
118 const char *outfile = NULL, *keyfile = NULL;
119 const char *sigfile = NULL;
120 int out_bin = -1, want_pub = 0, do_verify = 0;
121 EVP_PKEY *sigkey = NULL;
122 unsigned char *sigbuf = NULL;
123 int siglen = 0;
124 char *passargin = NULL, *passin = NULL;
125#ifndef OPENSSL_NO_ENGINE
126 char *engine = NULL;
127#endif
128 char *hmac_key = NULL;
129 char *mac_name = NULL;
130 STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL;
131
132 if ((buf = malloc(BUFSIZE)) == NULL) {
133 BIO_printf(bio_err, "out of memory\n");
134 goto end;
135 }
136
137 /* first check the program name */
138 program_name(argv[0], pname, sizeof pname);
139
140 md = EVP_get_digestbyname(pname);
141
142 argc--;
143 argv++;
144 while (argc > 0) {
145 if ((*argv)[0] != '-')
146 break;
147 if (strcmp(*argv, "-c") == 0)
148 separator = 1;
149 else if (strcmp(*argv, "-r") == 0)
150 separator = 2;
151 else if (strcmp(*argv, "-out") == 0) {
152 if (--argc < 1)
153 break;
154 outfile = *(++argv);
155 } else if (strcmp(*argv, "-sign") == 0) {
156 if (--argc < 1)
157 break;
158 keyfile = *(++argv);
159 } else if (!strcmp(*argv, "-passin")) {
160 if (--argc < 1)
161 break;
162 passargin = *++argv;
163 } else if (strcmp(*argv, "-verify") == 0) {
164 if (--argc < 1)
165 break;
166 keyfile = *(++argv);
167 want_pub = 1;
168 do_verify = 1;
169 } else if (strcmp(*argv, "-prverify") == 0) {
170 if (--argc < 1)
171 break;
172 keyfile = *(++argv);
173 do_verify = 1;
174 } else if (strcmp(*argv, "-signature") == 0) {
175 if (--argc < 1)
176 break;
177 sigfile = *(++argv);
178 } else if (strcmp(*argv, "-keyform") == 0) {
179 if (--argc < 1)
180 break;
181 keyform = str2fmt(*(++argv));
182 }
183#ifndef OPENSSL_NO_ENGINE
184 else if (strcmp(*argv, "-engine") == 0) {
185 if (--argc < 1)
186 break;
187 engine = *(++argv);
188 e = setup_engine(bio_err, engine, 0);
189 }
190#endif
191 else if (strcmp(*argv, "-hex") == 0)
192 out_bin = 0;
193 else if (strcmp(*argv, "-binary") == 0)
194 out_bin = 1;
195 else if (strcmp(*argv, "-d") == 0)
196 debug = 1;
197 else if (!strcmp(*argv, "-hmac")) {
198 if (--argc < 1)
199 break;
200 hmac_key = *++argv;
201 } else if (!strcmp(*argv, "-mac")) {
202 if (--argc < 1)
203 break;
204 mac_name = *++argv;
205 } else if (strcmp(*argv, "-sigopt") == 0) {
206 if (--argc < 1)
207 break;
208 if (!sigopts)
209 sigopts = sk_OPENSSL_STRING_new_null();
210 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
211 break;
212 } else if (strcmp(*argv, "-macopt") == 0) {
213 if (--argc < 1)
214 break;
215 if (!macopts)
216 macopts = sk_OPENSSL_STRING_new_null();
217 if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
218 break;
219 } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
220 md = m;
221 else
222 break;
223 argc--;
224 argv++;
225 }
226
227
228 if (do_verify && !sigfile) {
229 BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
230 goto end;
231 }
232 if ((argc > 0) && (argv[0][0] == '-')) { /* bad option */
233 BIO_printf(bio_err, "unknown option '%s'\n", *argv);
234 BIO_printf(bio_err, "options are\n");
235 BIO_printf(bio_err, "-c to output the digest with separating colons\n");
236 BIO_printf(bio_err, "-r to output the digest in coreutils format\n");
237 BIO_printf(bio_err, "-d to output debug info\n");
238 BIO_printf(bio_err, "-hex output as hex dump\n");
239 BIO_printf(bio_err, "-binary output in binary form\n");
240 BIO_printf(bio_err, "-sign file sign digest using private key in file\n");
241 BIO_printf(bio_err, "-verify file verify a signature using public key in file\n");
242 BIO_printf(bio_err, "-prverify file verify a signature using private key in file\n");
243 BIO_printf(bio_err, "-keyform arg key file format (PEM or ENGINE)\n");
244 BIO_printf(bio_err, "-out filename output to filename rather than stdout\n");
245 BIO_printf(bio_err, "-signature file signature to verify\n");
246 BIO_printf(bio_err, "-sigopt nm:v signature parameter\n");
247 BIO_printf(bio_err, "-hmac key create hashed MAC with key\n");
248 BIO_printf(bio_err, "-mac algorithm create MAC (not neccessarily HMAC)\n");
249 BIO_printf(bio_err, "-macopt nm:v MAC algorithm parameters or key\n");
250#ifndef OPENSSL_NO_ENGINE
251 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
252#endif
253
254 EVP_MD_do_all_sorted(list_md_fn, bio_err);
255 goto end;
256 }
257 in = BIO_new(BIO_s_file());
258 bmd = BIO_new(BIO_f_md());
259 if (debug) {
260 BIO_set_callback(in, BIO_debug_callback);
261 /* needed for windows 3.1 */
262 BIO_set_callback_arg(in, (char *) bio_err);
263 }
264 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
265 BIO_printf(bio_err, "Error getting password\n");
266 goto end;
267 }
268 if ((in == NULL) || (bmd == NULL)) {
269 ERR_print_errors(bio_err);
270 goto end;
271 }
272 if (out_bin == -1) {
273 if (keyfile)
274 out_bin = 1;
275 else
276 out_bin = 0;
277 }
278
279 if (outfile) {
280 if (out_bin)
281 out = BIO_new_file(outfile, "wb");
282 else
283 out = BIO_new_file(outfile, "w");
284 } else {
285 out = BIO_new_fp(stdout, BIO_NOCLOSE);
286 }
287
288 if (!out) {
289 BIO_printf(bio_err, "Error opening output file %s\n",
290 outfile ? outfile : "(stdout)");
291 ERR_print_errors(bio_err);
292 goto end;
293 }
294 if ((!!mac_name + !!keyfile + !!hmac_key) > 1) {
295 BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
296 goto end;
297 }
298 if (keyfile) {
299 if (want_pub)
300 sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
301 e, "key file");
302 else
303 sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
304 e, "key file");
305 if (!sigkey) {
306 /*
307 * load_[pub]key() has already printed an appropriate
308 * message
309 */
310 goto end;
311 }
312 }
313 if (mac_name) {
314 EVP_PKEY_CTX *mac_ctx = NULL;
315 int r = 0;
316 if (!init_gen_str(bio_err, &mac_ctx, mac_name, e, 0))
317 goto mac_end;
318 if (macopts) {
319 char *macopt;
320 for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
321 macopt = sk_OPENSSL_STRING_value(macopts, i);
322 if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
323 BIO_printf(bio_err,
324 "MAC parameter error \"%s\"\n",
325 macopt);
326 ERR_print_errors(bio_err);
327 goto mac_end;
328 }
329 }
330 }
331 if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
332 BIO_puts(bio_err, "Error generating key\n");
333 ERR_print_errors(bio_err);
334 goto mac_end;
335 }
336 r = 1;
337mac_end:
338 if (mac_ctx)
339 EVP_PKEY_CTX_free(mac_ctx);
340 if (r == 0)
341 goto end;
342 }
343 if (hmac_key) {
344 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
345 (unsigned char *) hmac_key, -1);
346 if (!sigkey)
347 goto end;
348 }
349 if (sigkey) {
350 EVP_MD_CTX *mctx = NULL;
351 EVP_PKEY_CTX *pctx = NULL;
352 int r;
353 if (!BIO_get_md_ctx(bmd, &mctx)) {
354 BIO_printf(bio_err, "Error getting context\n");
355 ERR_print_errors(bio_err);
356 goto end;
357 }
358 if (do_verify)
359 r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
360 else
361 r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
362 if (!r) {
363 BIO_printf(bio_err, "Error setting context\n");
364 ERR_print_errors(bio_err);
365 goto end;
366 }
367 if (sigopts) {
368 char *sigopt;
369 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
370 sigopt = sk_OPENSSL_STRING_value(sigopts, i);
371 if (pkey_ctrl_string(pctx, sigopt) <= 0) {
372 BIO_printf(bio_err,
373 "parameter error \"%s\"\n",
374 sigopt);
375 ERR_print_errors(bio_err);
376 goto end;
377 }
378 }
379 }
380 }
381 /* we use md as a filter, reading from 'in' */
382 else {
383 if (md == NULL)
384 md = EVP_md5();
385 if (!BIO_set_md(bmd, md)) {
386 BIO_printf(bio_err, "Error setting digest %s\n", pname);
387 ERR_print_errors(bio_err);
388 goto end;
389 }
390 }
391
392 if (sigfile && sigkey) {
393 BIO *sigbio;
394 sigbio = BIO_new_file(sigfile, "rb");
395 siglen = EVP_PKEY_size(sigkey);
396 sigbuf = malloc(siglen);
397 if (!sigbio) {
398 BIO_printf(bio_err, "Error opening signature file %s\n",
399 sigfile);
400 ERR_print_errors(bio_err);
401 goto end;
402 }
403 siglen = BIO_read(sigbio, sigbuf, siglen);
404 BIO_free(sigbio);
405 if (siglen <= 0) {
406 BIO_printf(bio_err, "Error reading signature file %s\n",
407 sigfile);
408 ERR_print_errors(bio_err);
409 goto end;
410 }
411 }
412 inp = BIO_push(bmd, in);
413
414 if (md == NULL) {
415 EVP_MD_CTX *tctx;
416 BIO_get_md_ctx(bmd, &tctx);
417 md = EVP_MD_CTX_md(tctx);
418 }
419 if (argc == 0) {
420 BIO_set_fp(in, stdin, BIO_NOCLOSE);
421 err = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
422 siglen, NULL, NULL, "stdin", bmd);
423 } else {
424 const char *md_name = NULL, *sig_name = NULL;
425 if (!out_bin) {
426 if (sigkey) {
427 const EVP_PKEY_ASN1_METHOD *ameth;
428 ameth = EVP_PKEY_get0_asn1(sigkey);
429 if (ameth)
430 EVP_PKEY_asn1_get0_info(NULL, NULL,
431 NULL, NULL, &sig_name, ameth);
432 }
433 md_name = EVP_MD_name(md);
434 }
435 err = 0;
436 for (i = 0; i < argc; i++) {
437 int r;
438 if (BIO_read_filename(in, argv[i]) <= 0) {
439 perror(argv[i]);
440 err++;
441 continue;
442 } else {
443 r = do_fp(out, buf, inp, separator, out_bin,
444 sigkey, sigbuf, siglen, sig_name, md_name,
445 argv[i], bmd);
446 }
447 if (r)
448 err = r;
449 (void) BIO_reset(bmd);
450 }
451 }
452
453end:
454 if (buf != NULL) {
455 OPENSSL_cleanse(buf, BUFSIZE);
456 free(buf);
457 }
458 if (in != NULL)
459 BIO_free(in);
460 free(passin);
461 BIO_free_all(out);
462 EVP_PKEY_free(sigkey);
463 if (sigopts)
464 sk_OPENSSL_STRING_free(sigopts);
465 if (macopts)
466 sk_OPENSSL_STRING_free(macopts);
467 free(sigbuf);
468 if (bmd != NULL)
469 BIO_free(bmd);
470
471 return (err);
472}
473
474int
475do_fp(BIO * out, unsigned char *buf, BIO * bp, int sep, int binout,
476 EVP_PKEY * key, unsigned char *sigin, int siglen,
477 const char *sig_name, const char *md_name,
478 const char *file, BIO * bmd)
479{
480 size_t len;
481 int i;
482
483 for (;;) {
484 i = BIO_read(bp, (char *) buf, BUFSIZE);
485 if (i < 0) {
486 BIO_printf(bio_err, "Read Error in %s\n", file);
487 ERR_print_errors(bio_err);
488 return 1;
489 }
490 if (i == 0)
491 break;
492 }
493 if (sigin) {
494 EVP_MD_CTX *ctx;
495 BIO_get_md_ctx(bp, &ctx);
496 i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int) siglen);
497 if (i > 0)
498 BIO_printf(out, "Verified OK\n");
499 else if (i == 0) {
500 BIO_printf(out, "Verification Failure\n");
501 return 1;
502 } else {
503 BIO_printf(bio_err, "Error Verifying Data\n");
504 ERR_print_errors(bio_err);
505 return 1;
506 }
507 return 0;
508 }
509 if (key) {
510 EVP_MD_CTX *ctx;
511 BIO_get_md_ctx(bp, &ctx);
512 len = BUFSIZE;
513 if (!EVP_DigestSignFinal(ctx, buf, &len)) {
514 BIO_printf(bio_err, "Error Signing Data\n");
515 ERR_print_errors(bio_err);
516 return 1;
517 }
518 } else {
519 len = BIO_gets(bp, (char *) buf, BUFSIZE);
520 if ((int) len < 0) {
521 ERR_print_errors(bio_err);
522 return 1;
523 }
524 }
525
526 if (binout)
527 BIO_write(out, buf, len);
528 else if (sep == 2) {
529 for (i = 0; i < (int) len; i++)
530 BIO_printf(out, "%02x", buf[i]);
531 BIO_printf(out, " *%s\n", file);
532 } else {
533 if (sig_name)
534 BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
535 else if (md_name)
536 BIO_printf(out, "%s(%s)= ", md_name, file);
537 else
538 BIO_printf(out, "(%s)= ", file);
539 for (i = 0; i < (int) len; i++) {
540 if (sep && (i != 0))
541 BIO_printf(out, ":");
542 BIO_printf(out, "%02x", buf[i]);
543 }
544 BIO_printf(out, "\n");
545 }
546 return 0;
547}
diff --git a/src/lib/libssl/src/apps/dh.c b/src/lib/libssl/src/apps/dh.c
deleted file mode 100644
index ce000820f0..0000000000
--- a/src/lib/libssl/src/apps/dh.c
+++ /dev/null
@@ -1,308 +0,0 @@
1/* $OpenBSD: dh.c,v 1.26 2014/07/25 06:05:31 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
60
61#ifndef OPENSSL_NO_DH
62
63#include <stdio.h>
64#include <stdlib.h>
65#include <string.h>
66#include <time.h>
67
68#include "apps.h"
69
70#include <openssl/bio.h>
71#include <openssl/bn.h>
72#include <openssl/err.h>
73#include <openssl/dh.h>
74#include <openssl/pem.h>
75#include <openssl/x509.h>
76
77/* -inform arg - input format - default PEM (DER or PEM)
78 * -outform arg - output format - default PEM
79 * -in arg - input file - default stdin
80 * -out arg - output file - default stdout
81 * -check - check the parameters are ok
82 * -noout
83 * -text
84 * -C
85 */
86
87int dh_main(int, char **);
88
89int
90dh_main(int argc, char **argv)
91{
92 DH *dh = NULL;
93 int i, badops = 0, text = 0;
94 BIO *in = NULL, *out = NULL;
95 int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
96 char *infile, *outfile, *prog;
97#ifndef OPENSSL_NO_ENGINE
98 char *engine;
99#endif
100
101#ifndef OPENSSL_NO_ENGINE
102 engine = NULL;
103#endif
104 infile = NULL;
105 outfile = NULL;
106 informat = FORMAT_PEM;
107 outformat = FORMAT_PEM;
108
109 prog = argv[0];
110 argc--;
111 argv++;
112 while (argc >= 1) {
113 if (strcmp(*argv, "-inform") == 0) {
114 if (--argc < 1)
115 goto bad;
116 informat = str2fmt(*(++argv));
117 } else if (strcmp(*argv, "-outform") == 0) {
118 if (--argc < 1)
119 goto bad;
120 outformat = str2fmt(*(++argv));
121 } else if (strcmp(*argv, "-in") == 0) {
122 if (--argc < 1)
123 goto bad;
124 infile = *(++argv);
125 } else if (strcmp(*argv, "-out") == 0) {
126 if (--argc < 1)
127 goto bad;
128 outfile = *(++argv);
129 }
130#ifndef OPENSSL_NO_ENGINE
131 else if (strcmp(*argv, "-engine") == 0) {
132 if (--argc < 1)
133 goto bad;
134 engine = *(++argv);
135 }
136#endif
137 else if (strcmp(*argv, "-check") == 0)
138 check = 1;
139 else if (strcmp(*argv, "-text") == 0)
140 text = 1;
141 else if (strcmp(*argv, "-C") == 0)
142 C = 1;
143 else if (strcmp(*argv, "-noout") == 0)
144 noout = 1;
145 else {
146 BIO_printf(bio_err, "unknown option %s\n", *argv);
147 badops = 1;
148 break;
149 }
150 argc--;
151 argv++;
152 }
153
154 if (badops) {
155bad:
156 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
157 BIO_printf(bio_err, "where options are\n");
158 BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
159 BIO_printf(bio_err, " -outform arg output format - one of DER PEM\n");
160 BIO_printf(bio_err, " -in arg input file\n");
161 BIO_printf(bio_err, " -out arg output file\n");
162 BIO_printf(bio_err, " -check check the DH parameters\n");
163 BIO_printf(bio_err, " -text print a text form of the DH parameters\n");
164 BIO_printf(bio_err, " -C Output C code\n");
165 BIO_printf(bio_err, " -noout no output\n");
166#ifndef OPENSSL_NO_ENGINE
167 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
168#endif
169 goto end;
170 }
171 ERR_load_crypto_strings();
172
173#ifndef OPENSSL_NO_ENGINE
174 setup_engine(bio_err, engine, 0);
175#endif
176
177 in = BIO_new(BIO_s_file());
178 out = BIO_new(BIO_s_file());
179 if ((in == NULL) || (out == NULL)) {
180 ERR_print_errors(bio_err);
181 goto end;
182 }
183 if (infile == NULL)
184 BIO_set_fp(in, stdin, BIO_NOCLOSE);
185 else {
186 if (BIO_read_filename(in, infile) <= 0) {
187 perror(infile);
188 goto end;
189 }
190 }
191 if (outfile == NULL) {
192 BIO_set_fp(out, stdout, BIO_NOCLOSE);
193 } else {
194 if (BIO_write_filename(out, outfile) <= 0) {
195 perror(outfile);
196 goto end;
197 }
198 }
199
200 if (informat == FORMAT_ASN1)
201 dh = d2i_DHparams_bio(in, NULL);
202 else if (informat == FORMAT_PEM)
203 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
204 else {
205 BIO_printf(bio_err, "bad input format specified\n");
206 goto end;
207 }
208 if (dh == NULL) {
209 BIO_printf(bio_err, "unable to load DH parameters\n");
210 ERR_print_errors(bio_err);
211 goto end;
212 }
213 if (text) {
214 DHparams_print(out, dh);
215#ifdef undef
216 printf("p=");
217 BN_print(stdout, dh->p);
218 printf("\ng=");
219 BN_print(stdout, dh->g);
220 printf("\n");
221 if (dh->length != 0)
222 printf("recommended private length=%ld\n", dh->length);
223#endif
224 }
225 if (check) {
226 if (!DH_check(dh, &i)) {
227 ERR_print_errors(bio_err);
228 goto end;
229 }
230 if (i & DH_CHECK_P_NOT_PRIME)
231 printf("p value is not prime\n");
232 if (i & DH_CHECK_P_NOT_SAFE_PRIME)
233 printf("p value is not a safe prime\n");
234 if (i & DH_UNABLE_TO_CHECK_GENERATOR)
235 printf("unable to check the generator value\n");
236 if (i & DH_NOT_SUITABLE_GENERATOR)
237 printf("the g value is not a generator\n");
238 if (i == 0)
239 printf("DH parameters appear to be ok.\n");
240 }
241 if (C) {
242 unsigned char *data;
243 int len, l, bits;
244
245 len = BN_num_bytes(dh->p);
246 bits = BN_num_bits(dh->p);
247 data = malloc(len);
248 if (data == NULL) {
249 perror("malloc");
250 goto end;
251 }
252 l = BN_bn2bin(dh->p, data);
253 printf("static unsigned char dh%d_p[] = {", bits);
254 for (i = 0; i < l; i++) {
255 if ((i % 12) == 0)
256 printf("\n\t");
257 printf("0x%02X, ", data[i]);
258 }
259 printf("\n\t};\n");
260
261 l = BN_bn2bin(dh->g, data);
262 printf("static unsigned char dh%d_g[] = {", bits);
263 for (i = 0; i < l; i++) {
264 if ((i % 12) == 0)
265 printf("\n\t");
266 printf("0x%02X, ", data[i]);
267 }
268 printf("\n\t};\n\n");
269
270 printf("DH *get_dh%d()\n\t{\n", bits);
271 printf("\tDH *dh;\n\n");
272 printf("\tif ((dh = DH_new()) == NULL) return(NULL);\n");
273 printf("\tdh->p = BN_bin2bn(dh%d_p, sizeof(dh%d_p), NULL);\n",
274 bits, bits);
275 printf("\tdh->g = BN_bin2bn(dh%d_g, sizeof(dh%d_g), NULL);\n",
276 bits, bits);
277 printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
278 printf("\t\treturn(NULL);\n");
279 printf("\treturn(dh);\n\t}\n");
280 free(data);
281 }
282 if (!noout) {
283 if (outformat == FORMAT_ASN1)
284 i = i2d_DHparams_bio(out, dh);
285 else if (outformat == FORMAT_PEM)
286 i = PEM_write_bio_DHparams(out, dh);
287 else {
288 BIO_printf(bio_err, "bad output format specified for outfile\n");
289 goto end;
290 }
291 if (!i) {
292 BIO_printf(bio_err, "unable to write DH parameters\n");
293 ERR_print_errors(bio_err);
294 goto end;
295 }
296 }
297 ret = 0;
298
299end:
300 BIO_free(in);
301 if (out != NULL)
302 BIO_free_all(out);
303 if (dh != NULL)
304 DH_free(dh);
305
306 return (ret);
307}
308#endif
diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c
deleted file mode 100644
index 1c41ff6e1b..0000000000
--- a/src/lib/libssl/src/apps/dhparam.c
+++ /dev/null
@@ -1,472 +0,0 @@
1/* $OpenBSD: dhparam.c,v 1.34 2014/07/25 06:05:31 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
113
114#ifndef OPENSSL_NO_DH
115
116#include <stdio.h>
117#include <stdlib.h>
118#include <string.h>
119#include <time.h>
120
121#include "apps.h"
122
123#include <openssl/bio.h>
124#include <openssl/bn.h>
125#include <openssl/err.h>
126#include <openssl/dh.h>
127#include <openssl/pem.h>
128#include <openssl/x509.h>
129
130#include <openssl/dsa.h>
131
132#define DEFBITS 512
133
134/* -inform arg - input format - default PEM (DER or PEM)
135 * -outform arg - output format - default PEM
136 * -in arg - input file - default stdin
137 * -out arg - output file - default stdout
138 * -dsaparam - read or generate DSA parameters, convert to DH
139 * -check - check the parameters are ok
140 * -noout
141 * -text
142 * -C
143 */
144
145static int dh_cb(int p, int n, BN_GENCB * cb);
146
147int dhparam_main(int, char **);
148
149int
150dhparam_main(int argc, char **argv)
151{
152 DH *dh = NULL;
153 int i, badops = 0, text = 0;
154 int dsaparam = 0;
155 BIO *in = NULL, *out = NULL;
156 int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
157 char *infile, *outfile, *prog;
158#ifndef OPENSSL_NO_ENGINE
159 char *engine = NULL;
160#endif
161 int num = 0, g = 0;
162
163 infile = NULL;
164 outfile = NULL;
165 informat = FORMAT_PEM;
166 outformat = FORMAT_PEM;
167
168 prog = argv[0];
169 argc--;
170 argv++;
171 while (argc >= 1) {
172 if (strcmp(*argv, "-inform") == 0) {
173 if (--argc < 1)
174 goto bad;
175 informat = str2fmt(*(++argv));
176 } else if (strcmp(*argv, "-outform") == 0) {
177 if (--argc < 1)
178 goto bad;
179 outformat = str2fmt(*(++argv));
180 } else if (strcmp(*argv, "-in") == 0) {
181 if (--argc < 1)
182 goto bad;
183 infile = *(++argv);
184 } else if (strcmp(*argv, "-out") == 0) {
185 if (--argc < 1)
186 goto bad;
187 outfile = *(++argv);
188 }
189#ifndef OPENSSL_NO_ENGINE
190 else if (strcmp(*argv, "-engine") == 0) {
191 if (--argc < 1)
192 goto bad;
193 engine = *(++argv);
194 }
195#endif
196 else if (strcmp(*argv, "-check") == 0)
197 check = 1;
198 else if (strcmp(*argv, "-text") == 0)
199 text = 1;
200 else if (strcmp(*argv, "-dsaparam") == 0)
201 dsaparam = 1;
202 else if (strcmp(*argv, "-C") == 0)
203 C = 1;
204 else if (strcmp(*argv, "-noout") == 0)
205 noout = 1;
206 else if (strcmp(*argv, "-2") == 0)
207 g = 2;
208 else if (strcmp(*argv, "-5") == 0)
209 g = 5;
210 else if (((sscanf(*argv, "%d", &num) == 0) || (num <= 0)))
211 goto bad;
212 argv++;
213 argc--;
214 }
215
216 if (badops) {
217bad:
218 BIO_printf(bio_err, "%s [options] [numbits]\n", prog);
219 BIO_printf(bio_err, "where options are\n");
220 BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
221 BIO_printf(bio_err, " -outform arg output format - one of DER PEM\n");
222 BIO_printf(bio_err, " -in arg input file\n");
223 BIO_printf(bio_err, " -out arg output file\n");
224 BIO_printf(bio_err, " -dsaparam read or generate DSA parameters, convert to DH\n");
225 BIO_printf(bio_err, " -check check the DH parameters\n");
226 BIO_printf(bio_err, " -text print a text form of the DH parameters\n");
227 BIO_printf(bio_err, " -C Output C code\n");
228 BIO_printf(bio_err, " -2 generate parameters using 2 as the generator value\n");
229 BIO_printf(bio_err, " -5 generate parameters using 5 as the generator value\n");
230 BIO_printf(bio_err, " numbits number of bits in to generate (default 512)\n");
231#ifndef OPENSSL_NO_ENGINE
232 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
233#endif
234 BIO_printf(bio_err, " -noout no output\n");
235 goto end;
236 }
237 ERR_load_crypto_strings();
238
239#ifndef OPENSSL_NO_ENGINE
240 setup_engine(bio_err, engine, 0);
241#endif
242
243 if (g && !num)
244 num = DEFBITS;
245
246 if (dsaparam) {
247 if (g) {
248 BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n");
249 goto end;
250 }
251 } else
252 {
253 /* DH parameters */
254 if (num && !g)
255 g = 2;
256 }
257
258 if (num) {
259
260 BN_GENCB cb;
261 BN_GENCB_set(&cb, dh_cb, bio_err);
262 if (dsaparam) {
263 DSA *dsa = DSA_new();
264
265 BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num);
266 if (!dsa || !DSA_generate_parameters_ex(dsa, num,
267 NULL, 0, NULL, NULL, &cb)) {
268 if (dsa)
269 DSA_free(dsa);
270 ERR_print_errors(bio_err);
271 goto end;
272 }
273 dh = DSA_dup_DH(dsa);
274 DSA_free(dsa);
275 if (dh == NULL) {
276 ERR_print_errors(bio_err);
277 goto end;
278 }
279 } else
280 {
281 dh = DH_new();
282 BIO_printf(bio_err, "Generating DH parameters, %d bit long safe prime, generator %d\n", num, g);
283 BIO_printf(bio_err, "This is going to take a long time\n");
284 if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) {
285 ERR_print_errors(bio_err);
286 goto end;
287 }
288 }
289 } else {
290
291 in = BIO_new(BIO_s_file());
292 if (in == NULL) {
293 ERR_print_errors(bio_err);
294 goto end;
295 }
296 if (infile == NULL)
297 BIO_set_fp(in, stdin, BIO_NOCLOSE);
298 else {
299 if (BIO_read_filename(in, infile) <= 0) {
300 perror(infile);
301 goto end;
302 }
303 }
304
305 if (informat != FORMAT_ASN1 && informat != FORMAT_PEM) {
306 BIO_printf(bio_err, "bad input format specified\n");
307 goto end;
308 }
309 if (dsaparam) {
310 DSA *dsa;
311
312 if (informat == FORMAT_ASN1)
313 dsa = d2i_DSAparams_bio(in, NULL);
314 else /* informat == FORMAT_PEM */
315 dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
316
317 if (dsa == NULL) {
318 BIO_printf(bio_err, "unable to load DSA parameters\n");
319 ERR_print_errors(bio_err);
320 goto end;
321 }
322 dh = DSA_dup_DH(dsa);
323 DSA_free(dsa);
324 if (dh == NULL) {
325 ERR_print_errors(bio_err);
326 goto end;
327 }
328 } else
329 {
330 if (informat == FORMAT_ASN1)
331 dh = d2i_DHparams_bio(in, NULL);
332 else /* informat == FORMAT_PEM */
333 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
334
335 if (dh == NULL) {
336 BIO_printf(bio_err, "unable to load DH parameters\n");
337 ERR_print_errors(bio_err);
338 goto end;
339 }
340 }
341
342 /* dh != NULL */
343 }
344
345 out = BIO_new(BIO_s_file());
346 if (out == NULL) {
347 ERR_print_errors(bio_err);
348 goto end;
349 }
350 if (outfile == NULL) {
351 BIO_set_fp(out, stdout, BIO_NOCLOSE);
352 } else {
353 if (BIO_write_filename(out, outfile) <= 0) {
354 perror(outfile);
355 goto end;
356 }
357 }
358
359
360 if (text) {
361 DHparams_print(out, dh);
362 }
363 if (check) {
364 if (!DH_check(dh, &i)) {
365 ERR_print_errors(bio_err);
366 goto end;
367 }
368 if (i & DH_CHECK_P_NOT_PRIME)
369 printf("p value is not prime\n");
370 if (i & DH_CHECK_P_NOT_SAFE_PRIME)
371 printf("p value is not a safe prime\n");
372 if (i & DH_UNABLE_TO_CHECK_GENERATOR)
373 printf("unable to check the generator value\n");
374 if (i & DH_NOT_SUITABLE_GENERATOR)
375 printf("the g value is not a generator\n");
376 if (i == 0)
377 printf("DH parameters appear to be ok.\n");
378 }
379 if (C) {
380 unsigned char *data;
381 int len, l, bits;
382
383 len = BN_num_bytes(dh->p);
384 bits = BN_num_bits(dh->p);
385 data = malloc(len);
386 if (data == NULL) {
387 perror("malloc");
388 goto end;
389 }
390 printf("#ifndef HEADER_DH_H\n"
391 "#include <openssl/dh.h>\n"
392 "#endif\n");
393 printf("DH *get_dh%d()\n\t{\n", bits);
394
395 l = BN_bn2bin(dh->p, data);
396 printf("\tstatic unsigned char dh%d_p[] = {", bits);
397 for (i = 0; i < l; i++) {
398 if ((i % 12) == 0)
399 printf("\n\t\t");
400 printf("0x%02X, ", data[i]);
401 }
402 printf("\n\t\t};\n");
403
404 l = BN_bn2bin(dh->g, data);
405 printf("\tstatic unsigned char dh%d_g[] = {", bits);
406 for (i = 0; i < l; i++) {
407 if ((i % 12) == 0)
408 printf("\n\t\t");
409 printf("0x%02X, ", data[i]);
410 }
411 printf("\n\t\t};\n");
412
413 printf("\tDH *dh;\n\n");
414 printf("\tif ((dh = DH_new()) == NULL) return(NULL);\n");
415 printf("\tdh->p = BN_bin2bn(dh%d_p, sizeof(dh%d_p), NULL);\n",
416 bits, bits);
417 printf("\tdh->g = BN_bin2bn(dh%d_g, sizeof(dh%d_g), NULL);\n",
418 bits, bits);
419 printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
420 printf("\t\t{ DH_free(dh); return(NULL); }\n");
421 if (dh->length)
422 printf("\tdh->length = %ld;\n", dh->length);
423 printf("\treturn(dh);\n\t}\n");
424 free(data);
425 }
426 if (!noout) {
427 if (outformat == FORMAT_ASN1)
428 i = i2d_DHparams_bio(out, dh);
429 else if (outformat == FORMAT_PEM)
430 i = PEM_write_bio_DHparams(out, dh);
431 else {
432 BIO_printf(bio_err, "bad output format specified for outfile\n");
433 goto end;
434 }
435 if (!i) {
436 BIO_printf(bio_err, "unable to write DH parameters\n");
437 ERR_print_errors(bio_err);
438 goto end;
439 }
440 }
441 ret = 0;
442
443end:
444 BIO_free(in);
445 if (out != NULL)
446 BIO_free_all(out);
447 if (dh != NULL)
448 DH_free(dh);
449
450 return (ret);
451}
452
453/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
454static int
455dh_cb(int p, int n, BN_GENCB * cb)
456{
457 char c = '*';
458
459 if (p == 0)
460 c = '.';
461 if (p == 1)
462 c = '+';
463 if (p == 2)
464 c = '*';
465 if (p == 3)
466 c = '\n';
467 BIO_write(cb->arg, &c, 1);
468 (void) BIO_flush(cb->arg);
469 return 1;
470}
471
472#endif
diff --git a/src/lib/libssl/src/apps/dsa.c b/src/lib/libssl/src/apps/dsa.c
deleted file mode 100644
index 2b90d4fb1a..0000000000
--- a/src/lib/libssl/src/apps/dsa.c
+++ /dev/null
@@ -1,332 +0,0 @@
1/* $OpenBSD: dsa.c,v 1.29 2014/07/25 06:05:31 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
60
61
62#include <stdio.h>
63#include <stdlib.h>
64#include <time.h>
65#include <string.h>
66
67#include "apps.h"
68
69#include <openssl/bio.h>
70#include <openssl/bn.h>
71#include <openssl/dsa.h>
72#include <openssl/err.h>
73#include <openssl/evp.h>
74#include <openssl/pem.h>
75#include <openssl/x509.h>
76
77/* -inform arg - input format - default PEM (one of DER, NET or PEM)
78 * -outform arg - output format - default PEM
79 * -in arg - input file - default stdin
80 * -out arg - output file - default stdout
81 * -des - encrypt output if PEM format with DES in cbc mode
82 * -des3 - encrypt output if PEM format
83 * -idea - encrypt output if PEM format
84 * -aes128 - encrypt output if PEM format
85 * -aes192 - encrypt output if PEM format
86 * -aes256 - encrypt output if PEM format
87 * -camellia128 - encrypt output if PEM format
88 * -camellia192 - encrypt output if PEM format
89 * -camellia256 - encrypt output if PEM format
90 * -seed - encrypt output if PEM format
91 * -text - print a text version
92 * -modulus - print the DSA public key
93 */
94
95int dsa_main(int, char **);
96
97int
98dsa_main(int argc, char **argv)
99{
100 ENGINE *e = NULL;
101 int ret = 1;
102 DSA *dsa = NULL;
103 int i, badops = 0;
104 const EVP_CIPHER *enc = NULL;
105 BIO *in = NULL, *out = NULL;
106 int informat, outformat, text = 0, noout = 0;
107 int pubin = 0, pubout = 0;
108 char *infile, *outfile, *prog;
109#ifndef OPENSSL_NO_ENGINE
110 char *engine;
111#endif
112 char *passargin = NULL, *passargout = NULL;
113 char *passin = NULL, *passout = NULL;
114 int modulus = 0;
115
116 int pvk_encr = 2;
117
118#ifndef OPENSSL_NO_ENGINE
119 engine = NULL;
120#endif
121 infile = NULL;
122 outfile = NULL;
123 informat = FORMAT_PEM;
124 outformat = FORMAT_PEM;
125
126 prog = argv[0];
127 argc--;
128 argv++;
129 while (argc >= 1) {
130 if (strcmp(*argv, "-inform") == 0) {
131 if (--argc < 1)
132 goto bad;
133 informat = str2fmt(*(++argv));
134 } else if (strcmp(*argv, "-outform") == 0) {
135 if (--argc < 1)
136 goto bad;
137 outformat = str2fmt(*(++argv));
138 } else if (strcmp(*argv, "-in") == 0) {
139 if (--argc < 1)
140 goto bad;
141 infile = *(++argv);
142 } else if (strcmp(*argv, "-out") == 0) {
143 if (--argc < 1)
144 goto bad;
145 outfile = *(++argv);
146 } else if (strcmp(*argv, "-passin") == 0) {
147 if (--argc < 1)
148 goto bad;
149 passargin = *(++argv);
150 } else if (strcmp(*argv, "-passout") == 0) {
151 if (--argc < 1)
152 goto bad;
153 passargout = *(++argv);
154 }
155#ifndef OPENSSL_NO_ENGINE
156 else if (strcmp(*argv, "-engine") == 0) {
157 if (--argc < 1)
158 goto bad;
159 engine = *(++argv);
160 }
161#endif
162 else if (strcmp(*argv, "-pvk-strong") == 0)
163 pvk_encr = 2;
164 else if (strcmp(*argv, "-pvk-weak") == 0)
165 pvk_encr = 1;
166 else if (strcmp(*argv, "-pvk-none") == 0)
167 pvk_encr = 0;
168 else if (strcmp(*argv, "-noout") == 0)
169 noout = 1;
170 else if (strcmp(*argv, "-text") == 0)
171 text = 1;
172 else if (strcmp(*argv, "-modulus") == 0)
173 modulus = 1;
174 else if (strcmp(*argv, "-pubin") == 0)
175 pubin = 1;
176 else if (strcmp(*argv, "-pubout") == 0)
177 pubout = 1;
178 else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
179 BIO_printf(bio_err, "unknown option %s\n", *argv);
180 badops = 1;
181 break;
182 }
183 argc--;
184 argv++;
185 }
186
187 if (badops) {
188bad:
189 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
190 BIO_printf(bio_err, "where options are\n");
191 BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
192 BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
193 BIO_printf(bio_err, " -in arg input file\n");
194 BIO_printf(bio_err, " -passin arg input file pass phrase source\n");
195 BIO_printf(bio_err, " -out arg output file\n");
196 BIO_printf(bio_err, " -passout arg output file pass phrase source\n");
197#ifndef OPENSSL_NO_ENGINE
198 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
199#endif
200 BIO_printf(bio_err, " -des encrypt PEM output with cbc des\n");
201 BIO_printf(bio_err, " -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
202#ifndef OPENSSL_NO_IDEA
203 BIO_printf(bio_err, " -idea encrypt PEM output with cbc idea\n");
204#endif
205#ifndef OPENSSL_NO_AES
206 BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
207 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
208#endif
209#ifndef OPENSSL_NO_CAMELLIA
210 BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
211 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
212#endif
213 BIO_printf(bio_err, " -text print the key in text\n");
214 BIO_printf(bio_err, " -noout don't print key out\n");
215 BIO_printf(bio_err, " -modulus print the DSA public value\n");
216 goto end;
217 }
218 ERR_load_crypto_strings();
219
220#ifndef OPENSSL_NO_ENGINE
221 e = setup_engine(bio_err, engine, 0);
222#endif
223
224 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
225 BIO_printf(bio_err, "Error getting passwords\n");
226 goto end;
227 }
228 in = BIO_new(BIO_s_file());
229 out = BIO_new(BIO_s_file());
230 if ((in == NULL) || (out == NULL)) {
231 ERR_print_errors(bio_err);
232 goto end;
233 }
234 if (infile == NULL)
235 BIO_set_fp(in, stdin, BIO_NOCLOSE);
236 else {
237 if (BIO_read_filename(in, infile) <= 0) {
238 perror(infile);
239 goto end;
240 }
241 }
242
243 BIO_printf(bio_err, "read DSA key\n");
244
245 {
246 EVP_PKEY *pkey;
247
248 if (pubin)
249 pkey = load_pubkey(bio_err, infile, informat, 1,
250 passin, e, "Public Key");
251 else
252 pkey = load_key(bio_err, infile, informat, 1,
253 passin, e, "Private Key");
254
255 if (pkey) {
256 dsa = EVP_PKEY_get1_DSA(pkey);
257 EVP_PKEY_free(pkey);
258 }
259 }
260 if (dsa == NULL) {
261 BIO_printf(bio_err, "unable to load Key\n");
262 ERR_print_errors(bio_err);
263 goto end;
264 }
265 if (outfile == NULL) {
266 BIO_set_fp(out, stdout, BIO_NOCLOSE);
267 } else {
268 if (BIO_write_filename(out, outfile) <= 0) {
269 perror(outfile);
270 goto end;
271 }
272 }
273
274 if (text) {
275 if (!DSA_print(out, dsa, 0)) {
276 perror(outfile);
277 ERR_print_errors(bio_err);
278 goto end;
279 }
280 }
281 if (modulus) {
282 fprintf(stdout, "Public Key=");
283 BN_print(out, dsa->pub_key);
284 fprintf(stdout, "\n");
285 }
286 if (noout)
287 goto end;
288 BIO_printf(bio_err, "writing DSA key\n");
289 if (outformat == FORMAT_ASN1) {
290 if (pubin || pubout)
291 i = i2d_DSA_PUBKEY_bio(out, dsa);
292 else
293 i = i2d_DSAPrivateKey_bio(out, dsa);
294 } else if (outformat == FORMAT_PEM) {
295 if (pubin || pubout)
296 i = PEM_write_bio_DSA_PUBKEY(out, dsa);
297 else
298 i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
299 NULL, 0, NULL, passout);
300#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
301 } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
302 EVP_PKEY *pk;
303 pk = EVP_PKEY_new();
304 EVP_PKEY_set1_DSA(pk, dsa);
305 if (outformat == FORMAT_PVK)
306 i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
307 else if (pubin || pubout)
308 i = i2b_PublicKey_bio(out, pk);
309 else
310 i = i2b_PrivateKey_bio(out, pk);
311 EVP_PKEY_free(pk);
312#endif
313 } else {
314 BIO_printf(bio_err, "bad output format specified for outfile\n");
315 goto end;
316 }
317 if (i <= 0) {
318 BIO_printf(bio_err, "unable to write private key\n");
319 ERR_print_errors(bio_err);
320 } else
321 ret = 0;
322end:
323 BIO_free(in);
324 if (out != NULL)
325 BIO_free_all(out);
326 if (dsa != NULL)
327 DSA_free(dsa);
328 free(passin);
329 free(passout);
330
331 return (ret);
332}
diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c
deleted file mode 100644
index 46f41a57fb..0000000000
--- a/src/lib/libssl/src/apps/dsaparam.c
+++ /dev/null
@@ -1,414 +0,0 @@
1/* $OpenBSD: dsaparam.c,v 1.35 2014/07/25 06:05:31 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
60
61/* Until the key-gen callbacks are modified to use newer prototypes, we allow
62 * deprecated functions for openssl-internal code */
63#ifdef OPENSSL_NO_DEPRECATED
64#undef OPENSSL_NO_DEPRECATED
65#endif
66
67
68#include <stdio.h>
69#include <stdlib.h>
70#include <string.h>
71#include <time.h>
72
73#include "apps.h"
74
75#include <openssl/bio.h>
76#include <openssl/bn.h>
77#include <openssl/err.h>
78#include <openssl/dsa.h>
79#include <openssl/pem.h>
80#include <openssl/x509.h>
81
82/* -inform arg - input format - default PEM (DER or PEM)
83 * -outform arg - output format - default PEM
84 * -in arg - input file - default stdin
85 * -out arg - output file - default stdout
86 * -noout
87 * -text
88 * -C
89 * -noout
90 * -genkey
91 * #ifdef GENCB_TEST
92 * -timebomb n - interrupt keygen after <n> seconds
93 * #endif
94 */
95
96#ifdef GENCB_TEST
97
98static int stop_keygen_flag = 0;
99
100static void
101timebomb_sigalarm(int foo)
102{
103 stop_keygen_flag = 1;
104}
105
106#endif
107
108static int dsa_cb(int p, int n, BN_GENCB * cb);
109
110int dsaparam_main(int, char **);
111
112int
113dsaparam_main(int argc, char **argv)
114{
115 DSA *dsa = NULL;
116 int i, badops = 0, text = 0;
117 BIO *in = NULL, *out = NULL;
118 int informat, outformat, noout = 0, C = 0, ret = 1;
119 char *infile, *outfile, *prog;
120 int numbits = -1, num, genkey = 0;
121#ifndef OPENSSL_NO_ENGINE
122 char *engine = NULL;
123#endif
124#ifdef GENCB_TEST
125 const char *errstr = NULL;
126 int timebomb = 0;
127#endif
128
129 infile = NULL;
130 outfile = NULL;
131 informat = FORMAT_PEM;
132 outformat = FORMAT_PEM;
133
134 prog = argv[0];
135 argc--;
136 argv++;
137 while (argc >= 1) {
138 if (strcmp(*argv, "-inform") == 0) {
139 if (--argc < 1)
140 goto bad;
141 informat = str2fmt(*(++argv));
142 } else if (strcmp(*argv, "-outform") == 0) {
143 if (--argc < 1)
144 goto bad;
145 outformat = str2fmt(*(++argv));
146 } else if (strcmp(*argv, "-in") == 0) {
147 if (--argc < 1)
148 goto bad;
149 infile = *(++argv);
150 } else if (strcmp(*argv, "-out") == 0) {
151 if (--argc < 1)
152 goto bad;
153 outfile = *(++argv);
154 }
155#ifndef OPENSSL_NO_ENGINE
156 else if (strcmp(*argv, "-engine") == 0) {
157 if (--argc < 1)
158 goto bad;
159 engine = *(++argv);
160 }
161#endif
162#ifdef GENCB_TEST
163 else if (strcmp(*argv, "-timebomb") == 0) {
164 if (--argc < 1)
165 goto bad;
166 timebomb = strtonum(*(++argv), 0, INT_MAX, &errstr);
167 if (errstr)
168 goto bad;
169 }
170#endif
171 else if (strcmp(*argv, "-text") == 0)
172 text = 1;
173 else if (strcmp(*argv, "-C") == 0)
174 C = 1;
175 else if (strcmp(*argv, "-genkey") == 0) {
176 genkey = 1;
177 } else if (strcmp(*argv, "-noout") == 0)
178 noout = 1;
179 else if (sscanf(*argv, "%d", &num) == 1) {
180 /* generate a key */
181 numbits = num;
182 } else {
183 BIO_printf(bio_err, "unknown option %s\n", *argv);
184 badops = 1;
185 break;
186 }
187 argc--;
188 argv++;
189 }
190
191 if (badops) {
192bad:
193 BIO_printf(bio_err, "%s [options] [bits] <infile >outfile\n", prog);
194 BIO_printf(bio_err, "where options are\n");
195 BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
196 BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
197 BIO_printf(bio_err, " -in arg input file\n");
198 BIO_printf(bio_err, " -out arg output file\n");
199 BIO_printf(bio_err, " -text print as text\n");
200 BIO_printf(bio_err, " -C Output C code\n");
201 BIO_printf(bio_err, " -noout no output\n");
202 BIO_printf(bio_err, " -genkey generate a DSA key\n");
203#ifndef OPENSSL_NO_ENGINE
204 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
205#endif
206#ifdef GENCB_TEST
207 BIO_printf(bio_err, " -timebomb n interrupt keygen after <n> seconds\n");
208#endif
209 BIO_printf(bio_err, " number number of bits to use for generating private key\n");
210 goto end;
211 }
212 ERR_load_crypto_strings();
213
214 in = BIO_new(BIO_s_file());
215 out = BIO_new(BIO_s_file());
216 if ((in == NULL) || (out == NULL)) {
217 ERR_print_errors(bio_err);
218 goto end;
219 }
220 if (infile == NULL)
221 BIO_set_fp(in, stdin, BIO_NOCLOSE);
222 else {
223 if (BIO_read_filename(in, infile) <= 0) {
224 perror(infile);
225 goto end;
226 }
227 }
228 if (outfile == NULL) {
229 BIO_set_fp(out, stdout, BIO_NOCLOSE);
230 } else {
231 if (BIO_write_filename(out, outfile) <= 0) {
232 perror(outfile);
233 goto end;
234 }
235 }
236
237#ifndef OPENSSL_NO_ENGINE
238 setup_engine(bio_err, engine, 0);
239#endif
240
241 if (numbits > 0) {
242 BN_GENCB cb;
243 BN_GENCB_set(&cb, dsa_cb, bio_err);
244 dsa = DSA_new();
245 if (!dsa) {
246 BIO_printf(bio_err, "Error allocating DSA object\n");
247 goto end;
248 }
249 BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num);
250 BIO_printf(bio_err, "This could take some time\n");
251#ifdef GENCB_TEST
252 if (timebomb > 0) {
253 struct sigaction act;
254 act.sa_handler = timebomb_sigalarm;
255 act.sa_flags = 0;
256 BIO_printf(bio_err, "(though I'll stop it if not done within %d secs)\n",
257 timebomb);
258 if (sigaction(SIGALRM, &act, NULL) != 0) {
259 BIO_printf(bio_err, "Error, couldn't set SIGALRM handler\n");
260 goto end;
261 }
262 alarm(timebomb);
263 }
264#endif
265 if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, &cb)) {
266#ifdef GENCB_TEST
267 if (stop_keygen_flag) {
268 BIO_printf(bio_err, "DSA key generation time-stopped\n");
269 /* This is an asked-for behaviour! */
270 ret = 0;
271 goto end;
272 }
273#endif
274 ERR_print_errors(bio_err);
275 BIO_printf(bio_err, "Error, DSA key generation failed\n");
276 goto end;
277 }
278 } else if (informat == FORMAT_ASN1)
279 dsa = d2i_DSAparams_bio(in, NULL);
280 else if (informat == FORMAT_PEM)
281 dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
282 else {
283 BIO_printf(bio_err, "bad input format specified\n");
284 goto end;
285 }
286 if (dsa == NULL) {
287 BIO_printf(bio_err, "unable to load DSA parameters\n");
288 ERR_print_errors(bio_err);
289 goto end;
290 }
291 if (text) {
292 DSAparams_print(out, dsa);
293 }
294 if (C) {
295 unsigned char *data;
296 int l, len, bits_p;
297
298 len = BN_num_bytes(dsa->p);
299 bits_p = BN_num_bits(dsa->p);
300 data = malloc(len + 20);
301 if (data == NULL) {
302 perror("malloc");
303 goto end;
304 }
305 l = BN_bn2bin(dsa->p, data);
306 printf("static unsigned char dsa%d_p[] = {", bits_p);
307 for (i = 0; i < l; i++) {
308 if ((i % 12) == 0)
309 printf("\n\t");
310 printf("0x%02X, ", data[i]);
311 }
312 printf("\n\t};\n");
313
314 l = BN_bn2bin(dsa->q, data);
315 printf("static unsigned char dsa%d_q[] = {", bits_p);
316 for (i = 0; i < l; i++) {
317 if ((i % 12) == 0)
318 printf("\n\t");
319 printf("0x%02X, ", data[i]);
320 }
321 printf("\n\t};\n");
322
323 l = BN_bn2bin(dsa->g, data);
324 printf("static unsigned char dsa%d_g[] = {", bits_p);
325 for (i = 0; i < l; i++) {
326 if ((i % 12) == 0)
327 printf("\n\t");
328 printf("0x%02X, ", data[i]);
329 }
330 free(data);
331 printf("\n\t};\n\n");
332
333 printf("DSA *get_dsa%d()\n\t{\n", bits_p);
334 printf("\tDSA *dsa;\n\n");
335 printf("\tif ((dsa = DSA_new()) == NULL) return(NULL);\n");
336 printf("\tdsa->p = BN_bin2bn(dsa%d_p, sizeof(dsa%d_p), NULL);\n",
337 bits_p, bits_p);
338 printf("\tdsa->q = BN_bin2bn(dsa%d_q, sizeof(dsa%d_q), NULL);\n",
339 bits_p, bits_p);
340 printf("\tdsa->g = BN_bin2bn(dsa%d_g, sizeof(dsa%d_g), NULL);\n",
341 bits_p, bits_p);
342 printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
343 printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
344 printf("\treturn(dsa);\n\t}\n");
345 }
346 if (!noout) {
347 if (outformat == FORMAT_ASN1)
348 i = i2d_DSAparams_bio(out, dsa);
349 else if (outformat == FORMAT_PEM)
350 i = PEM_write_bio_DSAparams(out, dsa);
351 else {
352 BIO_printf(bio_err, "bad output format specified for outfile\n");
353 goto end;
354 }
355 if (!i) {
356 BIO_printf(bio_err, "unable to write DSA parameters\n");
357 ERR_print_errors(bio_err);
358 goto end;
359 }
360 }
361 if (genkey) {
362 DSA *dsakey;
363
364 if ((dsakey = DSAparams_dup(dsa)) == NULL)
365 goto end;
366 if (!DSA_generate_key(dsakey)) {
367 ERR_print_errors(bio_err);
368 DSA_free(dsakey);
369 goto end;
370 }
371 if (outformat == FORMAT_ASN1)
372 i = i2d_DSAPrivateKey_bio(out, dsakey);
373 else if (outformat == FORMAT_PEM)
374 i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL, NULL);
375 else {
376 BIO_printf(bio_err, "bad output format specified for outfile\n");
377 DSA_free(dsakey);
378 goto end;
379 }
380 DSA_free(dsakey);
381 }
382 ret = 0;
383
384end:
385 BIO_free(in);
386 if (out != NULL)
387 BIO_free_all(out);
388 if (dsa != NULL)
389 DSA_free(dsa);
390
391 return (ret);
392}
393
394static int
395dsa_cb(int p, int n, BN_GENCB * cb)
396{
397 char c = '*';
398
399 if (p == 0)
400 c = '.';
401 if (p == 1)
402 c = '+';
403 if (p == 2)
404 c = '*';
405 if (p == 3)
406 c = '\n';
407 BIO_write(cb->arg, &c, 1);
408 (void) BIO_flush(cb->arg);
409#ifdef GENCB_TEST
410 if (stop_keygen_flag)
411 return 0;
412#endif
413 return 1;
414}
diff --git a/src/lib/libssl/src/apps/ec.c b/src/lib/libssl/src/apps/ec.c
deleted file mode 100644
index 82a98dd21f..0000000000
--- a/src/lib/libssl/src/apps/ec.c
+++ /dev/null
@@ -1,341 +0,0 @@
1/* $OpenBSD: ec.c,v 1.17 2014/07/25 06:05:32 doug Exp $ */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/opensslconf.h>
60
61#ifndef OPENSSL_NO_EC
62
63#include <stdio.h>
64#include <stdlib.h>
65#include <string.h>
66
67#include "apps.h"
68
69#include <openssl/bio.h>
70#include <openssl/err.h>
71#include <openssl/evp.h>
72#include <openssl/pem.h>
73
74/* -inform arg - input format - default PEM (one of DER, NET or PEM)
75 * -outform arg - output format - default PEM
76 * -in arg - input file - default stdin
77 * -out arg - output file - default stdout
78 * -des - encrypt output if PEM format with DES in cbc mode
79 * -text - print a text version
80 * -param_out - print the elliptic curve parameters
81 * -conv_form arg - specifies the point encoding form
82 * -param_enc arg - specifies the parameter encoding
83 */
84
85int ec_main(int, char **);
86
87int
88ec_main(int argc, char **argv)
89{
90 int ret = 1;
91 EC_KEY *eckey = NULL;
92 const EC_GROUP *group;
93 int i, badops = 0;
94 const EVP_CIPHER *enc = NULL;
95 BIO *in = NULL, *out = NULL;
96 int informat, outformat, text = 0, noout = 0;
97 int pubin = 0, pubout = 0, param_out = 0;
98 char *infile, *outfile, *prog, *engine;
99 char *passargin = NULL, *passargout = NULL;
100 char *passin = NULL, *passout = NULL;
101 point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
102 int new_form = 0;
103 int asn1_flag = OPENSSL_EC_NAMED_CURVE;
104 int new_asn1_flag = 0;
105
106 engine = NULL;
107 infile = NULL;
108 outfile = NULL;
109 informat = FORMAT_PEM;
110 outformat = FORMAT_PEM;
111
112 prog = argv[0];
113 argc--;
114 argv++;
115 while (argc >= 1) {
116 if (strcmp(*argv, "-inform") == 0) {
117 if (--argc < 1)
118 goto bad;
119 informat = str2fmt(*(++argv));
120 } else if (strcmp(*argv, "-outform") == 0) {
121 if (--argc < 1)
122 goto bad;
123 outformat = str2fmt(*(++argv));
124 } else if (strcmp(*argv, "-in") == 0) {
125 if (--argc < 1)
126 goto bad;
127 infile = *(++argv);
128 } else if (strcmp(*argv, "-out") == 0) {
129 if (--argc < 1)
130 goto bad;
131 outfile = *(++argv);
132 } else if (strcmp(*argv, "-passin") == 0) {
133 if (--argc < 1)
134 goto bad;
135 passargin = *(++argv);
136 } else if (strcmp(*argv, "-passout") == 0) {
137 if (--argc < 1)
138 goto bad;
139 passargout = *(++argv);
140 } else if (strcmp(*argv, "-engine") == 0) {
141 if (--argc < 1)
142 goto bad;
143 engine = *(++argv);
144 } else if (strcmp(*argv, "-noout") == 0)
145 noout = 1;
146 else if (strcmp(*argv, "-text") == 0)
147 text = 1;
148 else if (strcmp(*argv, "-conv_form") == 0) {
149 if (--argc < 1)
150 goto bad;
151 ++argv;
152 new_form = 1;
153 if (strcmp(*argv, "compressed") == 0)
154 form = POINT_CONVERSION_COMPRESSED;
155 else if (strcmp(*argv, "uncompressed") == 0)
156 form = POINT_CONVERSION_UNCOMPRESSED;
157 else if (strcmp(*argv, "hybrid") == 0)
158 form = POINT_CONVERSION_HYBRID;
159 else
160 goto bad;
161 } else if (strcmp(*argv, "-param_enc") == 0) {
162 if (--argc < 1)
163 goto bad;
164 ++argv;
165 new_asn1_flag = 1;
166 if (strcmp(*argv, "named_curve") == 0)
167 asn1_flag = OPENSSL_EC_NAMED_CURVE;
168 else if (strcmp(*argv, "explicit") == 0)
169 asn1_flag = 0;
170 else
171 goto bad;
172 } else if (strcmp(*argv, "-param_out") == 0)
173 param_out = 1;
174 else if (strcmp(*argv, "-pubin") == 0)
175 pubin = 1;
176 else if (strcmp(*argv, "-pubout") == 0)
177 pubout = 1;
178 else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
179 BIO_printf(bio_err, "unknown option %s\n", *argv);
180 badops = 1;
181 break;
182 }
183 argc--;
184 argv++;
185 }
186
187 if (badops) {
188bad:
189 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
190 BIO_printf(bio_err, "where options are\n");
191 BIO_printf(bio_err, " -inform arg input format - "
192 "DER or PEM\n");
193 BIO_printf(bio_err, " -outform arg output format - "
194 "DER or PEM\n");
195 BIO_printf(bio_err, " -in arg input file\n");
196 BIO_printf(bio_err, " -passin arg input file pass "
197 "phrase source\n");
198 BIO_printf(bio_err, " -out arg output file\n");
199 BIO_printf(bio_err, " -passout arg output file pass "
200 "phrase source\n");
201 BIO_printf(bio_err, " -engine e use engine e, "
202 "possibly a hardware device.\n");
203 BIO_printf(bio_err, " -des encrypt PEM output, "
204 "instead of 'des' every other \n"
205 " cipher "
206 "supported by OpenSSL can be used\n");
207 BIO_printf(bio_err, " -text print the key\n");
208 BIO_printf(bio_err, " -noout don't print key out\n");
209 BIO_printf(bio_err, " -param_out print the elliptic "
210 "curve parameters\n");
211 BIO_printf(bio_err, " -conv_form arg specifies the "
212 "point conversion form \n");
213 BIO_printf(bio_err, " possible values:"
214 " compressed\n");
215 BIO_printf(bio_err, " "
216 " uncompressed (default)\n");
217 BIO_printf(bio_err, " "
218 " hybrid\n");
219 BIO_printf(bio_err, " -param_enc arg specifies the way"
220 " the ec parameters are encoded\n");
221 BIO_printf(bio_err, " in the asn1 der "
222 "encoding\n");
223 BIO_printf(bio_err, " possible values:"
224 " named_curve (default)\n");
225 BIO_printf(bio_err, " "
226 "explicit\n");
227 goto end;
228 }
229 ERR_load_crypto_strings();
230
231#ifndef OPENSSL_NO_ENGINE
232 setup_engine(bio_err, engine, 0);
233#endif
234
235 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
236 BIO_printf(bio_err, "Error getting passwords\n");
237 goto end;
238 }
239 in = BIO_new(BIO_s_file());
240 out = BIO_new(BIO_s_file());
241 if ((in == NULL) || (out == NULL)) {
242 ERR_print_errors(bio_err);
243 goto end;
244 }
245 if (infile == NULL)
246 BIO_set_fp(in, stdin, BIO_NOCLOSE);
247 else {
248 if (BIO_read_filename(in, infile) <= 0) {
249 perror(infile);
250 goto end;
251 }
252 }
253
254 BIO_printf(bio_err, "read EC key\n");
255 if (informat == FORMAT_ASN1) {
256 if (pubin)
257 eckey = d2i_EC_PUBKEY_bio(in, NULL);
258 else
259 eckey = d2i_ECPrivateKey_bio(in, NULL);
260 } else if (informat == FORMAT_PEM) {
261 if (pubin)
262 eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL,
263 NULL);
264 else
265 eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL,
266 passin);
267 } else {
268 BIO_printf(bio_err, "bad input format specified for key\n");
269 goto end;
270 }
271 if (eckey == NULL) {
272 BIO_printf(bio_err, "unable to load Key\n");
273 ERR_print_errors(bio_err);
274 goto end;
275 }
276 if (outfile == NULL) {
277 BIO_set_fp(out, stdout, BIO_NOCLOSE);
278 } else {
279 if (BIO_write_filename(out, outfile) <= 0) {
280 perror(outfile);
281 goto end;
282 }
283 }
284
285 group = EC_KEY_get0_group(eckey);
286
287 if (new_form)
288 EC_KEY_set_conv_form(eckey, form);
289
290 if (new_asn1_flag)
291 EC_KEY_set_asn1_flag(eckey, asn1_flag);
292
293 if (text)
294 if (!EC_KEY_print(out, eckey, 0)) {
295 perror(outfile);
296 ERR_print_errors(bio_err);
297 goto end;
298 }
299 if (noout) {
300 ret = 0;
301 goto end;
302 }
303 BIO_printf(bio_err, "writing EC key\n");
304 if (outformat == FORMAT_ASN1) {
305 if (param_out)
306 i = i2d_ECPKParameters_bio(out, group);
307 else if (pubin || pubout)
308 i = i2d_EC_PUBKEY_bio(out, eckey);
309 else
310 i = i2d_ECPrivateKey_bio(out, eckey);
311 } else if (outformat == FORMAT_PEM) {
312 if (param_out)
313 i = PEM_write_bio_ECPKParameters(out, group);
314 else if (pubin || pubout)
315 i = PEM_write_bio_EC_PUBKEY(out, eckey);
316 else
317 i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
318 NULL, 0, NULL, passout);
319 } else {
320 BIO_printf(bio_err, "bad output format specified for "
321 "outfile\n");
322 goto end;
323 }
324
325 if (!i) {
326 BIO_printf(bio_err, "unable to write private key\n");
327 ERR_print_errors(bio_err);
328 } else
329 ret = 0;
330end:
331 BIO_free(in);
332 if (out)
333 BIO_free_all(out);
334 if (eckey)
335 EC_KEY_free(eckey);
336 free(passin);
337 free(passout);
338
339 return (ret);
340}
341#endif
diff --git a/src/lib/libssl/src/apps/ecparam.c b/src/lib/libssl/src/apps/ecparam.c
deleted file mode 100644
index 9f7c287d9c..0000000000
--- a/src/lib/libssl/src/apps/ecparam.c
+++ /dev/null
@@ -1,613 +0,0 @@
1/* $OpenBSD: ecparam.c,v 1.24 2014/07/25 06:05:32 doug Exp $ */
2/*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The elliptic curve binary polynomial software is originally written by
68 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
69 *
70 */
71
72#include <openssl/opensslconf.h>
73
74#ifndef OPENSSL_NO_EC
75
76#include <stdio.h>
77#include <stdlib.h>
78#include <string.h>
79#include <time.h>
80
81#include "apps.h"
82
83#include <openssl/bio.h>
84#include <openssl/bn.h>
85#include <openssl/ec.h>
86#include <openssl/err.h>
87#include <openssl/pem.h>
88#include <openssl/x509.h>
89
90/* -inform arg - input format - default PEM (DER or PEM)
91 * -outform arg - output format - default PEM
92 * -in arg - input file - default stdin
93 * -out arg - output file - default stdout
94 * -noout - do not print the ec parameter
95 * -text - print the ec parameters in text form
96 * -check - validate the ec parameters
97 * -C - print a 'C' function creating the parameters
98 * -name arg - use the ec parameters with 'short name' name
99 * -list_curves - prints a list of all currently available curve 'short names'
100 * -conv_form arg - specifies the point conversion form
101 * - possible values: compressed
102 * uncompressed (default)
103 * hybrid
104 * -param_enc arg - specifies the way the ec parameters are encoded
105 * in the asn1 der encoding
106 * possible values: named_curve (default)
107 * explicit
108 * -no_seed - if 'explicit' parameters are chosen do not use the seed
109 * -genkey - generate ec key
110 * -engine e - use engine e, possibly a hardware device
111 */
112
113
114static int ecparam_print_var(BIO *, BIGNUM *, const char *, int, unsigned char *);
115
116int ecparam_main(int, char **);
117
118int
119ecparam_main(int argc, char **argv)
120{
121 EC_GROUP *group = NULL;
122 point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
123 int new_form = 0;
124 int asn1_flag = OPENSSL_EC_NAMED_CURVE;
125 int new_asn1_flag = 0;
126 char *curve_name = NULL;
127 int list_curves = 0, no_seed = 0, check = 0, badops = 0, text = 0,
128 i, genkey = 0;
129 char *infile = NULL, *outfile = NULL, *prog;
130 BIO *in = NULL, *out = NULL;
131 int informat, outformat, noout = 0, C = 0, ret = 1;
132 char *engine = NULL;
133
134 BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, *ec_gen = NULL,
135 *ec_order = NULL, *ec_cofactor = NULL;
136 unsigned char *buffer = NULL;
137
138 informat = FORMAT_PEM;
139 outformat = FORMAT_PEM;
140
141 prog = argv[0];
142 argc--;
143 argv++;
144 while (argc >= 1) {
145 if (strcmp(*argv, "-inform") == 0) {
146 if (--argc < 1)
147 goto bad;
148 informat = str2fmt(*(++argv));
149 } else if (strcmp(*argv, "-outform") == 0) {
150 if (--argc < 1)
151 goto bad;
152 outformat = str2fmt(*(++argv));
153 } else if (strcmp(*argv, "-in") == 0) {
154 if (--argc < 1)
155 goto bad;
156 infile = *(++argv);
157 } else if (strcmp(*argv, "-out") == 0) {
158 if (--argc < 1)
159 goto bad;
160 outfile = *(++argv);
161 } else if (strcmp(*argv, "-text") == 0)
162 text = 1;
163 else if (strcmp(*argv, "-C") == 0)
164 C = 1;
165 else if (strcmp(*argv, "-check") == 0)
166 check = 1;
167 else if (strcmp(*argv, "-name") == 0) {
168 if (--argc < 1)
169 goto bad;
170 curve_name = *(++argv);
171 } else if (strcmp(*argv, "-list_curves") == 0)
172 list_curves = 1;
173 else if (strcmp(*argv, "-conv_form") == 0) {
174 if (--argc < 1)
175 goto bad;
176 ++argv;
177 new_form = 1;
178 if (strcmp(*argv, "compressed") == 0)
179 form = POINT_CONVERSION_COMPRESSED;
180 else if (strcmp(*argv, "uncompressed") == 0)
181 form = POINT_CONVERSION_UNCOMPRESSED;
182 else if (strcmp(*argv, "hybrid") == 0)
183 form = POINT_CONVERSION_HYBRID;
184 else
185 goto bad;
186 } else if (strcmp(*argv, "-param_enc") == 0) {
187 if (--argc < 1)
188 goto bad;
189 ++argv;
190 new_asn1_flag = 1;
191 if (strcmp(*argv, "named_curve") == 0)
192 asn1_flag = OPENSSL_EC_NAMED_CURVE;
193 else if (strcmp(*argv, "explicit") == 0)
194 asn1_flag = 0;
195 else
196 goto bad;
197 } else if (strcmp(*argv, "-no_seed") == 0)
198 no_seed = 1;
199 else if (strcmp(*argv, "-noout") == 0)
200 noout = 1;
201 else if (strcmp(*argv, "-genkey") == 0) {
202 genkey = 1;
203 } else if (strcmp(*argv, "-engine") == 0) {
204 if (--argc < 1)
205 goto bad;
206 engine = *(++argv);
207 } else {
208 BIO_printf(bio_err, "unknown option %s\n", *argv);
209 badops = 1;
210 break;
211 }
212 argc--;
213 argv++;
214 }
215
216 if (badops) {
217bad:
218 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
219 BIO_printf(bio_err, "where options are\n");
220 BIO_printf(bio_err, " -inform arg input format - "
221 "default PEM (DER or PEM)\n");
222 BIO_printf(bio_err, " -outform arg output format - "
223 "default PEM\n");
224 BIO_printf(bio_err, " -in arg input file - "
225 "default stdin\n");
226 BIO_printf(bio_err, " -out arg output file - "
227 "default stdout\n");
228 BIO_printf(bio_err, " -noout do not print the "
229 "ec parameter\n");
230 BIO_printf(bio_err, " -text print the ec "
231 "parameters in text form\n");
232 BIO_printf(bio_err, " -check validate the ec "
233 "parameters\n");
234 BIO_printf(bio_err, " -C print a 'C' "
235 "function creating the parameters\n");
236 BIO_printf(bio_err, " -name arg use the "
237 "ec parameters with 'short name' name\n");
238 BIO_printf(bio_err, " -list_curves prints a list of "
239 "all currently available curve 'short names'\n");
240 BIO_printf(bio_err, " -conv_form arg specifies the "
241 "point conversion form \n");
242 BIO_printf(bio_err, " possible values:"
243 " compressed\n");
244 BIO_printf(bio_err, " "
245 " uncompressed (default)\n");
246 BIO_printf(bio_err, " "
247 " hybrid\n");
248 BIO_printf(bio_err, " -param_enc arg specifies the way"
249 " the ec parameters are encoded\n");
250 BIO_printf(bio_err, " in the asn1 der "
251 "encoding\n");
252 BIO_printf(bio_err, " possible values:"
253 " named_curve (default)\n");
254 BIO_printf(bio_err, " "
255 " explicit\n");
256 BIO_printf(bio_err, " -no_seed if 'explicit'"
257 " parameters are chosen do not"
258 " use the seed\n");
259 BIO_printf(bio_err, " -genkey generate ec"
260 " key\n");
261 BIO_printf(bio_err, " -engine e use engine e, "
262 "possibly a hardware device\n");
263 goto end;
264 }
265 ERR_load_crypto_strings();
266
267 in = BIO_new(BIO_s_file());
268 out = BIO_new(BIO_s_file());
269 if ((in == NULL) || (out == NULL)) {
270 ERR_print_errors(bio_err);
271 goto end;
272 }
273 if (infile == NULL)
274 BIO_set_fp(in, stdin, BIO_NOCLOSE);
275 else {
276 if (BIO_read_filename(in, infile) <= 0) {
277 perror(infile);
278 goto end;
279 }
280 }
281 if (outfile == NULL) {
282 BIO_set_fp(out, stdout, BIO_NOCLOSE);
283 } else {
284 if (BIO_write_filename(out, outfile) <= 0) {
285 perror(outfile);
286 goto end;
287 }
288 }
289
290#ifndef OPENSSL_NO_ENGINE
291 setup_engine(bio_err, engine, 0);
292#endif
293
294 if (list_curves) {
295 EC_builtin_curve *curves = NULL;
296 size_t crv_len = 0;
297 size_t n = 0;
298
299 crv_len = EC_get_builtin_curves(NULL, 0);
300
301 curves = reallocarray(NULL, crv_len, sizeof(EC_builtin_curve));
302
303 if (curves == NULL)
304 goto end;
305
306 if (!EC_get_builtin_curves(curves, crv_len)) {
307 free(curves);
308 goto end;
309 }
310 for (n = 0; n < crv_len; n++) {
311 const char *comment;
312 const char *sname;
313 comment = curves[n].comment;
314 sname = OBJ_nid2sn(curves[n].nid);
315 if (comment == NULL)
316 comment = "CURVE DESCRIPTION NOT AVAILABLE";
317 if (sname == NULL)
318 sname = "";
319
320 BIO_printf(out, " %-10s: ", sname);
321 BIO_printf(out, "%s\n", comment);
322 }
323
324 free(curves);
325 ret = 0;
326 goto end;
327 }
328 if (curve_name != NULL) {
329 int nid;
330
331 /*
332 * workaround for the SECG curve names secp192r1 and
333 * secp256r1 (which are the same as the curves prime192v1 and
334 * prime256v1 defined in X9.62)
335 */
336 if (!strcmp(curve_name, "secp192r1")) {
337 BIO_printf(bio_err, "using curve name prime192v1 "
338 "instead of secp192r1\n");
339 nid = NID_X9_62_prime192v1;
340 } else if (!strcmp(curve_name, "secp256r1")) {
341 BIO_printf(bio_err, "using curve name prime256v1 "
342 "instead of secp256r1\n");
343 nid = NID_X9_62_prime256v1;
344 } else
345 nid = OBJ_sn2nid(curve_name);
346
347 if (nid == 0) {
348 BIO_printf(bio_err, "unknown curve name (%s)\n",
349 curve_name);
350 goto end;
351 }
352 group = EC_GROUP_new_by_curve_name(nid);
353 if (group == NULL) {
354 BIO_printf(bio_err, "unable to create curve (%s)\n",
355 curve_name);
356 goto end;
357 }
358 EC_GROUP_set_asn1_flag(group, asn1_flag);
359 EC_GROUP_set_point_conversion_form(group, form);
360 } else if (informat == FORMAT_ASN1) {
361 group = d2i_ECPKParameters_bio(in, NULL);
362 } else if (informat == FORMAT_PEM) {
363 group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
364 } else {
365 BIO_printf(bio_err, "bad input format specified\n");
366 goto end;
367 }
368
369 if (group == NULL) {
370 BIO_printf(bio_err,
371 "unable to load elliptic curve parameters\n");
372 ERR_print_errors(bio_err);
373 goto end;
374 }
375 if (new_form)
376 EC_GROUP_set_point_conversion_form(group, form);
377
378 if (new_asn1_flag)
379 EC_GROUP_set_asn1_flag(group, asn1_flag);
380
381 if (no_seed) {
382 EC_GROUP_set_seed(group, NULL, 0);
383 }
384 if (text) {
385 if (!ECPKParameters_print(out, group, 0))
386 goto end;
387 }
388 if (check) {
389 if (group == NULL)
390 BIO_printf(bio_err, "no elliptic curve parameters\n");
391 BIO_printf(bio_err, "checking elliptic curve parameters: ");
392 if (!EC_GROUP_check(group, NULL)) {
393 BIO_printf(bio_err, "failed\n");
394 ERR_print_errors(bio_err);
395 } else
396 BIO_printf(bio_err, "ok\n");
397
398 }
399 if (C) {
400 size_t buf_len = 0, tmp_len = 0;
401 const EC_POINT *point;
402 int is_prime, len = 0;
403 const EC_METHOD *meth = EC_GROUP_method_of(group);
404
405 if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
406 (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
407 (ec_order = BN_new()) == NULL ||
408 (ec_cofactor = BN_new()) == NULL) {
409 perror("malloc");
410 goto end;
411 }
412 is_prime = (EC_METHOD_get_field_type(meth) ==
413 NID_X9_62_prime_field);
414
415 if (is_prime) {
416 if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a,
417 ec_b, NULL))
418 goto end;
419 } else {
420 /* TODO */
421 goto end;
422 }
423
424 if ((point = EC_GROUP_get0_generator(group)) == NULL)
425 goto end;
426 if (!EC_POINT_point2bn(group, point,
427 EC_GROUP_get_point_conversion_form(group), ec_gen,
428 NULL))
429 goto end;
430 if (!EC_GROUP_get_order(group, ec_order, NULL))
431 goto end;
432 if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
433 goto end;
434
435 if (!ec_p || !ec_a || !ec_b || !ec_gen ||
436 !ec_order || !ec_cofactor)
437 goto end;
438
439 len = BN_num_bits(ec_order);
440
441 if ((tmp_len = (size_t) BN_num_bytes(ec_p)) > buf_len)
442 buf_len = tmp_len;
443 if ((tmp_len = (size_t) BN_num_bytes(ec_a)) > buf_len)
444 buf_len = tmp_len;
445 if ((tmp_len = (size_t) BN_num_bytes(ec_b)) > buf_len)
446 buf_len = tmp_len;
447 if ((tmp_len = (size_t) BN_num_bytes(ec_gen)) > buf_len)
448 buf_len = tmp_len;
449 if ((tmp_len = (size_t) BN_num_bytes(ec_order)) > buf_len)
450 buf_len = tmp_len;
451 if ((tmp_len = (size_t) BN_num_bytes(ec_cofactor)) > buf_len)
452 buf_len = tmp_len;
453
454 buffer = malloc(buf_len);
455
456 if (buffer == NULL) {
457 perror("malloc");
458 goto end;
459 }
460 ecparam_print_var(out, ec_p, "ec_p", len, buffer);
461 ecparam_print_var(out, ec_a, "ec_a", len, buffer);
462 ecparam_print_var(out, ec_b, "ec_b", len, buffer);
463 ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
464 ecparam_print_var(out, ec_order, "ec_order", len, buffer);
465 ecparam_print_var(out, ec_cofactor, "ec_cofactor", len,
466 buffer);
467
468 BIO_printf(out, "\n\n");
469
470 BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
471 BIO_printf(out, "\tint ok=0;\n");
472 BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
473 BIO_printf(out, "\tEC_POINT *point = NULL;\n");
474 BIO_printf(out, "\tBIGNUM *tmp_1 = NULL, *tmp_2 = NULL, "
475 "*tmp_3 = NULL;\n\n");
476 BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
477 "sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
478 "goto err;\n", len, len);
479 BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
480 "sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
481 "goto err;\n", len, len);
482 BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
483 "sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
484 "goto err;\n", len, len);
485 if (is_prime) {
486 BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
487 "GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
488 "\n\t\tgoto err;\n\n");
489 } else {
490 /* TODO */
491 goto end;
492 }
493 BIO_printf(out, "\t/* build generator */\n");
494 BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
495 "sizeof(ec_gen_%d), tmp_1)) == NULL)"
496 "\n\t\tgoto err;\n", len, len);
497 BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
498 "NULL, NULL);\n");
499 BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
500 BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
501 "sizeof(ec_order_%d), tmp_2)) == NULL)"
502 "\n\t\tgoto err;\n", len, len);
503 BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
504 "sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
505 "\n\t\tgoto err;\n", len, len);
506 BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
507 " tmp_2, tmp_3))\n\t\tgoto err;\n");
508 BIO_printf(out, "\n\tok=1;\n");
509 BIO_printf(out, "err:\n");
510 BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
511 BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
512 BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
513 BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
514 BIO_printf(out, "\tif (!ok)\n");
515 BIO_printf(out, "\t\t{\n");
516 BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
517 BIO_printf(out, "\t\tgroup = NULL;\n");
518 BIO_printf(out, "\t\t}\n");
519 BIO_printf(out, "\treturn(group);\n\t}\n");
520 }
521 if (!noout) {
522 if (outformat == FORMAT_ASN1)
523 i = i2d_ECPKParameters_bio(out, group);
524 else if (outformat == FORMAT_PEM)
525 i = PEM_write_bio_ECPKParameters(out, group);
526 else {
527 BIO_printf(bio_err, "bad output format specified for"
528 " outfile\n");
529 goto end;
530 }
531 if (!i) {
532 BIO_printf(bio_err, "unable to write elliptic "
533 "curve parameters\n");
534 ERR_print_errors(bio_err);
535 goto end;
536 }
537 }
538 if (genkey) {
539 EC_KEY *eckey = EC_KEY_new();
540
541 if (eckey == NULL)
542 goto end;
543
544 if (EC_KEY_set_group(eckey, group) == 0) {
545 EC_KEY_free(eckey);
546 goto end;
547 }
548
549 if (!EC_KEY_generate_key(eckey)) {
550 EC_KEY_free(eckey);
551 goto end;
552 }
553 if (outformat == FORMAT_ASN1)
554 i = i2d_ECPrivateKey_bio(out, eckey);
555 else if (outformat == FORMAT_PEM)
556 i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
557 NULL, 0, NULL, NULL);
558 else {
559 BIO_printf(bio_err, "bad output format specified "
560 "for outfile\n");
561 EC_KEY_free(eckey);
562 goto end;
563 }
564 EC_KEY_free(eckey);
565 }
566 ret = 0;
567end:
568 if (ec_p)
569 BN_free(ec_p);
570 if (ec_a)
571 BN_free(ec_a);
572 if (ec_b)
573 BN_free(ec_b);
574 if (ec_gen)
575 BN_free(ec_gen);
576 if (ec_order)
577 BN_free(ec_order);
578 if (ec_cofactor)
579 BN_free(ec_cofactor);
580 free(buffer);
581 BIO_free(in);
582 if (out != NULL)
583 BIO_free_all(out);
584 if (group != NULL)
585 EC_GROUP_free(group);
586
587 return (ret);
588}
589
590static int
591ecparam_print_var(BIO * out, BIGNUM * in, const char *var,
592 int len, unsigned char *buffer)
593{
594 BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
595 if (BN_is_zero(in))
596 BIO_printf(out, "\n\t0x00");
597 else {
598 int i, l;
599
600 l = BN_bn2bin(in, buffer);
601 for (i = 0; i < l - 1; i++) {
602 if ((i % 12) == 0)
603 BIO_printf(out, "\n\t");
604 BIO_printf(out, "0x%02X,", buffer[i]);
605 }
606 if ((i % 12) == 0)
607 BIO_printf(out, "\n\t");
608 BIO_printf(out, "0x%02X", buffer[i]);
609 }
610 BIO_printf(out, "\n\t};\n\n");
611 return 1;
612}
613#endif
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
deleted file mode 100644
index d1943bfa22..0000000000
--- a/src/lib/libssl/src/apps/enc.c
+++ /dev/null
@@ -1,649 +0,0 @@
1/* $OpenBSD: enc.c,v 1.39 2014/07/25 06:05:32 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <ctype.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <string.h>
63
64#include "apps.h"
65
66#include <openssl/bio.h>
67#include <openssl/comp.h>
68#include <openssl/err.h>
69#include <openssl/evp.h>
70#include <openssl/objects.h>
71#include <openssl/pem.h>
72#include <openssl/rand.h>
73#include <openssl/x509.h>
74
75int set_hex(char *in, unsigned char *out, int size);
76
77#define SIZE (512)
78#define BSIZE (8*1024)
79#define PROG enc_main
80
81static void
82show_ciphers(const OBJ_NAME * name, void *bio_)
83{
84 BIO *bio = bio_;
85 static int n;
86
87 if (!islower((unsigned char) *name->name))
88 return;
89
90 BIO_printf(bio, "-%-25s", name->name);
91 if (++n == 3) {
92 BIO_printf(bio, "\n");
93 n = 0;
94 } else
95 BIO_printf(bio, " ");
96}
97
98int enc_main(int, char **);
99
100int
101enc_main(int argc, char **argv)
102{
103 static const char magic[] = "Salted__";
104 char mbuf[sizeof magic - 1];
105 char *strbuf = NULL;
106 unsigned char *buff = NULL, *bufsize = NULL;
107 int bsize = BSIZE, verbose = 0;
108 int ret = 1, inl;
109 int nopad = 0;
110 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
111 unsigned char salt[PKCS5_SALT_LEN];
112 char *str = NULL, *passarg = NULL, *pass = NULL;
113 char *hkey = NULL, *hiv = NULL, *hsalt = NULL;
114 char *md = NULL;
115 int enc = 1, printkey = 0, i, base64 = 0;
116#ifdef ZLIB
117 int do_zlib = 0;
118 BIO *bzl = NULL;
119#endif
120 int debug = 0, olb64 = 0, nosalt = 0;
121 const EVP_CIPHER *cipher = NULL, *c;
122 EVP_CIPHER_CTX *ctx = NULL;
123 char *inf = NULL, *outf = NULL;
124 BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = NULL,
125 *wbio = NULL;
126#define PROG_NAME_SIZE 39
127 char pname[PROG_NAME_SIZE + 1];
128#ifndef OPENSSL_NO_ENGINE
129 char *engine = NULL;
130#endif
131 const EVP_MD *dgst = NULL;
132
133 /* first check the program name */
134 program_name(argv[0], pname, sizeof pname);
135 if (strcmp(pname, "base64") == 0)
136 base64 = 1;
137#ifdef ZLIB
138 if (strcmp(pname, "zlib") == 0)
139 do_zlib = 1;
140#endif
141
142 cipher = EVP_get_cipherbyname(pname);
143#ifdef ZLIB
144 if (!do_zlib && !base64 && (cipher == NULL)
145 && (strcmp(pname, "enc") != 0))
146#else
147 if (!base64 && (cipher == NULL) && (strcmp(pname, "enc") != 0))
148#endif
149 {
150 BIO_printf(bio_err, "%s is an unknown cipher\n", pname);
151 goto bad;
152 }
153 argc--;
154 argv++;
155 while (argc >= 1) {
156 if (strcmp(*argv, "-e") == 0)
157 enc = 1;
158 else if (strcmp(*argv, "-in") == 0) {
159 if (--argc < 1)
160 goto bad;
161 inf = *(++argv);
162 } else if (strcmp(*argv, "-out") == 0) {
163 if (--argc < 1)
164 goto bad;
165 outf = *(++argv);
166 } else if (strcmp(*argv, "-pass") == 0) {
167 if (--argc < 1)
168 goto bad;
169 passarg = *(++argv);
170 }
171#ifndef OPENSSL_NO_ENGINE
172 else if (strcmp(*argv, "-engine") == 0) {
173 if (--argc < 1)
174 goto bad;
175 engine = *(++argv);
176 }
177#endif
178 else if (strcmp(*argv, "-d") == 0)
179 enc = 0;
180 else if (strcmp(*argv, "-p") == 0)
181 printkey = 1;
182 else if (strcmp(*argv, "-v") == 0)
183 verbose = 1;
184 else if (strcmp(*argv, "-nopad") == 0)
185 nopad = 1;
186 else if (strcmp(*argv, "-salt") == 0)
187 nosalt = 0;
188 else if (strcmp(*argv, "-nosalt") == 0)
189 nosalt = 1;
190 else if (strcmp(*argv, "-debug") == 0)
191 debug = 1;
192 else if (strcmp(*argv, "-P") == 0)
193 printkey = 2;
194 else if (strcmp(*argv, "-A") == 0)
195 olb64 = 1;
196 else if (strcmp(*argv, "-a") == 0)
197 base64 = 1;
198 else if (strcmp(*argv, "-base64") == 0)
199 base64 = 1;
200#ifdef ZLIB
201 else if (strcmp(*argv, "-z") == 0)
202 do_zlib = 1;
203#endif
204 else if (strcmp(*argv, "-bufsize") == 0) {
205 if (--argc < 1)
206 goto bad;
207 bufsize = (unsigned char *) *(++argv);
208 } else if (strcmp(*argv, "-k") == 0) {
209 if (--argc < 1)
210 goto bad;
211 str = *(++argv);
212 } else if (strcmp(*argv, "-kfile") == 0) {
213 static char buf[128];
214 FILE *infile;
215 char *file;
216
217 if (--argc < 1)
218 goto bad;
219 file = *(++argv);
220 infile = fopen(file, "r");
221 if (infile == NULL) {
222 BIO_printf(bio_err, "unable to read key from '%s'\n",
223 file);
224 goto bad;
225 }
226 buf[0] = '\0';
227 if (!fgets(buf, sizeof buf, infile)) {
228 BIO_printf(bio_err, "unable to read key from '%s'\n",
229 file);
230 fclose(infile);
231 goto bad;
232 }
233 fclose(infile);
234 i = strlen(buf);
235 if ((i > 0) &&
236 ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
237 buf[--i] = '\0';
238 if ((i > 0) &&
239 ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
240 buf[--i] = '\0';
241 if (i < 1) {
242 BIO_printf(bio_err, "zero length password\n");
243 goto bad;
244 }
245 str = buf;
246 } else if (strcmp(*argv, "-K") == 0) {
247 if (--argc < 1)
248 goto bad;
249 hkey = *(++argv);
250 } else if (strcmp(*argv, "-S") == 0) {
251 if (--argc < 1)
252 goto bad;
253 hsalt = *(++argv);
254 } else if (strcmp(*argv, "-iv") == 0) {
255 if (--argc < 1)
256 goto bad;
257 hiv = *(++argv);
258 } else if (strcmp(*argv, "-md") == 0) {
259 if (--argc < 1)
260 goto bad;
261 md = *(++argv);
262 } else if ((argv[0][0] == '-') &&
263 ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
264 cipher = c;
265 } else if (strcmp(*argv, "-none") == 0)
266 cipher = NULL;
267 else {
268 BIO_printf(bio_err, "unknown option '%s'\n", *argv);
269 bad:
270 BIO_printf(bio_err, "options are\n");
271 BIO_printf(bio_err, "%-14s input file\n", "-in <file>");
272 BIO_printf(bio_err, "%-14s output file\n", "-out <file>");
273 BIO_printf(bio_err, "%-14s pass phrase source\n", "-pass <arg>");
274 BIO_printf(bio_err, "%-14s encrypt\n", "-e");
275 BIO_printf(bio_err, "%-14s decrypt\n", "-d");
276 BIO_printf(bio_err, "%-14s base64 encode/decode, depending on encryption flag\n", "-a/-base64");
277 BIO_printf(bio_err, "%-14s passphrase is the next argument\n", "-k");
278 BIO_printf(bio_err, "%-14s passphrase is the first line of the file argument\n", "-kfile");
279 BIO_printf(bio_err, "%-14s the next argument is the md to use to create a key\n", "-md");
280 BIO_printf(bio_err, "%-14s from a passphrase. One of md2, md5, sha or sha1\n", "");
281 BIO_printf(bio_err, "%-14s salt in hex is the next argument\n", "-S");
282 BIO_printf(bio_err, "%-14s key/iv in hex is the next argument\n", "-K/-iv");
283 BIO_printf(bio_err, "%-14s print the iv/key (then exit if -P)\n", "-[pP]");
284 BIO_printf(bio_err, "%-14s buffer size\n", "-bufsize <n>");
285 BIO_printf(bio_err, "%-14s disable standard block padding\n", "-nopad");
286#ifndef OPENSSL_NO_ENGINE
287 BIO_printf(bio_err, "%-14s use engine e, possibly a hardware device.\n", "-engine e");
288#endif
289
290 BIO_printf(bio_err, "Cipher Types\n");
291 OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
292 show_ciphers,
293 bio_err);
294 BIO_printf(bio_err, "\n");
295
296 goto end;
297 }
298 argc--;
299 argv++;
300 }
301
302#ifndef OPENSSL_NO_ENGINE
303 setup_engine(bio_err, engine, 0);
304#endif
305
306 if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
307 BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
308 goto end;
309 }
310 if (dgst == NULL) {
311 dgst = EVP_md5();
312 }
313 if (bufsize != NULL) {
314 unsigned long n;
315
316 for (n = 0; *bufsize; bufsize++) {
317 i = *bufsize;
318 if ((i <= '9') && (i >= '0'))
319 n = n * 10 + i - '0';
320 else if (i == 'k') {
321 n *= 1024;
322 bufsize++;
323 break;
324 }
325 }
326 if (*bufsize != '\0') {
327 BIO_printf(bio_err, "invalid 'bufsize' specified.\n");
328 goto end;
329 }
330 /* It must be large enough for a base64 encoded line */
331 if (base64 && n < 80)
332 n = 80;
333
334 bsize = (int) n;
335 if (verbose)
336 BIO_printf(bio_err, "bufsize=%d\n", bsize);
337 }
338 strbuf = malloc(SIZE);
339 buff = malloc(EVP_ENCODE_LENGTH(bsize));
340 if ((buff == NULL) || (strbuf == NULL)) {
341 BIO_printf(bio_err, "malloc failure %ld\n", (long) EVP_ENCODE_LENGTH(bsize));
342 goto end;
343 }
344 in = BIO_new(BIO_s_file());
345 out = BIO_new(BIO_s_file());
346 if ((in == NULL) || (out == NULL)) {
347 ERR_print_errors(bio_err);
348 goto end;
349 }
350 if (debug) {
351 BIO_set_callback(in, BIO_debug_callback);
352 BIO_set_callback(out, BIO_debug_callback);
353 BIO_set_callback_arg(in, (char *) bio_err);
354 BIO_set_callback_arg(out, (char *) bio_err);
355 }
356 if (inf == NULL) {
357 if (bufsize != NULL)
358 setvbuf(stdin, (char *) NULL, _IONBF, 0);
359 BIO_set_fp(in, stdin, BIO_NOCLOSE);
360 } else {
361 if (BIO_read_filename(in, inf) <= 0) {
362 perror(inf);
363 goto end;
364 }
365 }
366
367 if (!str && passarg) {
368 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
369 BIO_printf(bio_err, "Error getting password\n");
370 goto end;
371 }
372 str = pass;
373 }
374 if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
375 for (;;) {
376 char buf[200];
377 int ret;
378
379 ret = snprintf(buf, sizeof buf, "enter %s %s password:",
380 OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
381 (enc) ? "encryption" : "decryption");
382 if (ret == -1 || ret >= sizeof buf) {
383 BIO_printf(bio_err, "Password prompt too long\n");
384 goto end;
385 }
386 strbuf[0] = '\0';
387 i = EVP_read_pw_string((char *) strbuf, SIZE, buf, enc);
388 if (i == 0) {
389 if (strbuf[0] == '\0') {
390 ret = 1;
391 goto end;
392 }
393 str = strbuf;
394 break;
395 }
396 if (i < 0) {
397 BIO_printf(bio_err, "bad password read\n");
398 goto end;
399 }
400 }
401 }
402 if (outf == NULL) {
403 BIO_set_fp(out, stdout, BIO_NOCLOSE);
404 if (bufsize != NULL)
405 setvbuf(stdout, (char *) NULL, _IONBF, 0);
406 } else {
407 if (BIO_write_filename(out, outf) <= 0) {
408 perror(outf);
409 goto end;
410 }
411 }
412
413 rbio = in;
414 wbio = out;
415
416#ifdef ZLIB
417
418 if (do_zlib) {
419 if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
420 goto end;
421 if (enc)
422 wbio = BIO_push(bzl, wbio);
423 else
424 rbio = BIO_push(bzl, rbio);
425 }
426#endif
427
428 if (base64) {
429 if ((b64 = BIO_new(BIO_f_base64())) == NULL)
430 goto end;
431 if (debug) {
432 BIO_set_callback(b64, BIO_debug_callback);
433 BIO_set_callback_arg(b64, (char *) bio_err);
434 }
435 if (olb64)
436 BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
437 if (enc)
438 wbio = BIO_push(b64, wbio);
439 else
440 rbio = BIO_push(b64, rbio);
441 }
442 if (cipher != NULL) {
443 /*
444 * Note that str is NULL if a key was passed on the command
445 * line, so we get no salt in that case. Is this a bug?
446 */
447 if (str != NULL) {
448 /*
449 * Salt handling: if encrypting generate a salt and
450 * write to output BIO. If decrypting read salt from
451 * input BIO.
452 */
453 unsigned char *sptr;
454 if (nosalt)
455 sptr = NULL;
456 else {
457 if (enc) {
458 if (hsalt) {
459 if (!set_hex(hsalt, salt, sizeof salt)) {
460 BIO_printf(bio_err,
461 "invalid hex salt value\n");
462 goto end;
463 }
464 } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
465 goto end;
466 /*
467 * If -P option then don't bother
468 * writing
469 */
470 if ((printkey != 2)
471 && (BIO_write(wbio, magic,
472 sizeof magic - 1) != sizeof magic - 1
473 || BIO_write(wbio,
474 (char *) salt,
475 sizeof salt) != sizeof salt)) {
476 BIO_printf(bio_err, "error writing output file\n");
477 goto end;
478 }
479 } else if (BIO_read(rbio, mbuf, sizeof mbuf) != sizeof mbuf
480 || BIO_read(rbio,
481 (unsigned char *) salt,
482 sizeof salt) != sizeof salt) {
483 BIO_printf(bio_err, "error reading input file\n");
484 goto end;
485 } else if (memcmp(mbuf, magic, sizeof magic - 1)) {
486 BIO_printf(bio_err, "bad magic number\n");
487 goto end;
488 }
489 sptr = salt;
490 }
491
492 EVP_BytesToKey(cipher, dgst, sptr,
493 (unsigned char *) str,
494 strlen(str), 1, key, iv);
495 /*
496 * zero the complete buffer or the string passed from
497 * the command line bug picked up by Larry J. Hughes
498 * Jr. <hughes@indiana.edu>
499 */
500 if (str == strbuf)
501 OPENSSL_cleanse(str, SIZE);
502 else
503 OPENSSL_cleanse(str, strlen(str));
504 }
505 if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) {
506 BIO_printf(bio_err, "invalid hex iv value\n");
507 goto end;
508 }
509 if ((hiv == NULL) && (str == NULL)
510 && EVP_CIPHER_iv_length(cipher) != 0) {
511 /*
512 * No IV was explicitly set and no IV was generated
513 * during EVP_BytesToKey. Hence the IV is undefined,
514 * making correct decryption impossible.
515 */
516 BIO_printf(bio_err, "iv undefined\n");
517 goto end;
518 }
519 if ((hkey != NULL) && !set_hex(hkey, key, sizeof key)) {
520 BIO_printf(bio_err, "invalid hex key value\n");
521 goto end;
522 }
523 if ((benc = BIO_new(BIO_f_cipher())) == NULL)
524 goto end;
525
526 /*
527 * Since we may be changing parameters work on the encryption
528 * context rather than calling BIO_set_cipher().
529 */
530
531 BIO_get_cipher_ctx(benc, &ctx);
532
533 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
534 BIO_printf(bio_err, "Error setting cipher %s\n",
535 EVP_CIPHER_name(cipher));
536 ERR_print_errors(bio_err);
537 goto end;
538 }
539 if (nopad)
540 EVP_CIPHER_CTX_set_padding(ctx, 0);
541
542 if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
543 BIO_printf(bio_err, "Error setting cipher %s\n",
544 EVP_CIPHER_name(cipher));
545 ERR_print_errors(bio_err);
546 goto end;
547 }
548 if (debug) {
549 BIO_set_callback(benc, BIO_debug_callback);
550 BIO_set_callback_arg(benc, (char *) bio_err);
551 }
552 if (printkey) {
553 if (!nosalt) {
554 printf("salt=");
555 for (i = 0; i < (int) sizeof(salt); i++)
556 printf("%02X", salt[i]);
557 printf("\n");
558 }
559 if (cipher->key_len > 0) {
560 printf("key=");
561 for (i = 0; i < cipher->key_len; i++)
562 printf("%02X", key[i]);
563 printf("\n");
564 }
565 if (cipher->iv_len > 0) {
566 printf("iv =");
567 for (i = 0; i < cipher->iv_len; i++)
568 printf("%02X", iv[i]);
569 printf("\n");
570 }
571 if (printkey == 2) {
572 ret = 0;
573 goto end;
574 }
575 }
576 }
577 /* Only encrypt/decrypt as we write the file */
578 if (benc != NULL)
579 wbio = BIO_push(benc, wbio);
580
581 for (;;) {
582 inl = BIO_read(rbio, (char *) buff, bsize);
583 if (inl <= 0)
584 break;
585 if (BIO_write(wbio, (char *) buff, inl) != inl) {
586 BIO_printf(bio_err, "error writing output file\n");
587 goto end;
588 }
589 }
590 if (!BIO_flush(wbio)) {
591 BIO_printf(bio_err, "bad decrypt\n");
592 goto end;
593 }
594 ret = 0;
595 if (verbose) {
596 BIO_printf(bio_err, "bytes read :%8ld\n", BIO_number_read(in));
597 BIO_printf(bio_err, "bytes written:%8ld\n", BIO_number_written(out));
598 }
599end:
600 ERR_print_errors(bio_err);
601 free(strbuf);
602 free(buff);
603 BIO_free(in);
604 if (out != NULL)
605 BIO_free_all(out);
606 BIO_free(benc);
607 BIO_free(b64);
608#ifdef ZLIB
609 BIO_free(bzl);
610#endif
611 free(pass);
612
613 return (ret);
614}
615
616int
617set_hex(char *in, unsigned char *out, int size)
618{
619 int i, n;
620 unsigned char j;
621
622 n = strlen(in);
623 if (n > (size * 2)) {
624 BIO_printf(bio_err, "hex string is too long\n");
625 return (0);
626 }
627 memset(out, 0, size);
628 for (i = 0; i < n; i++) {
629 j = (unsigned char) *in;
630 *(in++) = '\0';
631 if (j == 0)
632 break;
633 if ((j >= '0') && (j <= '9'))
634 j -= '0';
635 else if ((j >= 'A') && (j <= 'F'))
636 j = j - 'A' + 10;
637 else if ((j >= 'a') && (j <= 'f'))
638 j = j - 'a' + 10;
639 else {
640 BIO_printf(bio_err, "non-hex digit\n");
641 return (0);
642 }
643 if (i & 1)
644 out[i / 2] |= j;
645 else
646 out[i / 2] = (j << 4);
647 }
648 return (1);
649}
diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c
deleted file mode 100644
index 4b33ee45ce..0000000000
--- a/src/lib/libssl/src/apps/engine.c
+++ /dev/null
@@ -1,494 +0,0 @@
1/* $OpenBSD: engine.c,v 1.27 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#ifndef OPENSSL_NO_ENGINE
66#include <openssl/engine.h>
67#include <openssl/err.h>
68#include <openssl/ssl.h>
69
70static const char *engine_usage[] = {
71 "usage: engine opts [engine ...]\n",
72 " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
73 " -vv will additionally display each command's description\n",
74 " -vvv will also add the input flags for each command\n",
75 " -vvvv will also show internal input flags\n",
76 " -c - for each engine, also list the capabilities\n",
77 " -t[t] - for each engine, check that they are really available\n",
78 " -tt will display error trace for unavailable engines\n",
79 " -pre <cmd> - runs command 'cmd' against the ENGINE before any attempts\n",
80 " to load it (if -t is used)\n",
81 " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
82 " (only used if -t is also provided)\n",
83 " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
84 " line, or all supported ENGINEs if none are specified.\n",
85 " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
86 " argument \"/lib/libdriver.so\".\n",
87 NULL
88};
89
90static void
91identity(char *ptr)
92{
93 return;
94}
95
96static int
97append_buf(char **buf, const char *s, int *size, int step)
98{
99 int l = strlen(s);
100
101 if (*buf == NULL) {
102 *size = step;
103 *buf = malloc(*size);
104 if (*buf == NULL)
105 return 0;
106 **buf = '\0';
107 }
108 if (**buf != '\0')
109 l += 2; /* ", " */
110
111 if (strlen(*buf) + strlen(s) >= (unsigned int) *size) {
112 *size += step;
113 *buf = realloc(*buf, *size);
114 }
115 if (*buf == NULL)
116 return 0;
117
118 if (**buf != '\0')
119 strlcat(*buf, ", ", *size);
120 strlcat(*buf, s, *size);
121
122 return 1;
123}
124
125static int
126util_flags(BIO * bio_out, unsigned int flags, const char *indent)
127{
128 int started = 0, err = 0;
129 /* Indent before displaying input flags */
130 BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
131 if (flags == 0) {
132 BIO_printf(bio_out, "<no flags>\n");
133 return 1;
134 }
135 /*
136 * If the object is internal, mark it in a way that shows instead of
137 * having it part of all the other flags, even if it really is.
138 */
139 if (flags & ENGINE_CMD_FLAG_INTERNAL) {
140 BIO_printf(bio_out, "[Internal] ");
141 }
142 if (flags & ENGINE_CMD_FLAG_NUMERIC) {
143 BIO_printf(bio_out, "NUMERIC");
144 started = 1;
145 }
146 /*
147 * Now we check that no combinations of the mutually exclusive
148 * NUMERIC, STRING, and NO_INPUT flags have been used. Future flags
149 * that can be OR'd together with these would need to added after
150 * these to preserve the testing logic.
151 */
152 if (flags & ENGINE_CMD_FLAG_STRING) {
153 if (started) {
154 BIO_printf(bio_out, "|");
155 err = 1;
156 }
157 BIO_printf(bio_out, "STRING");
158 started = 1;
159 }
160 if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
161 if (started) {
162 BIO_printf(bio_out, "|");
163 err = 1;
164 }
165 BIO_printf(bio_out, "NO_INPUT");
166 started = 1;
167 }
168 /* Check for unknown flags */
169 flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
170 ~ENGINE_CMD_FLAG_STRING &
171 ~ENGINE_CMD_FLAG_NO_INPUT &
172 ~ENGINE_CMD_FLAG_INTERNAL;
173 if (flags) {
174 if (started)
175 BIO_printf(bio_out, "|");
176 BIO_printf(bio_out, "<0x%04X>", flags);
177 }
178 if (err)
179 BIO_printf(bio_out, " <illegal flags!>");
180 BIO_printf(bio_out, "\n");
181 return 1;
182}
183
184static int
185util_verbose(ENGINE * e, int verbose, BIO * bio_out, const char *indent)
186{
187 static const int line_wrap = 78;
188 int num;
189 int ret = 0;
190 char *name = NULL;
191 char *desc = NULL;
192 int flags;
193 int xpos = 0;
194 STACK_OF(OPENSSL_STRING) * cmds = NULL;
195 if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
196 ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
197 0, NULL, NULL)) <= 0)) {
198#if 0
199 BIO_printf(bio_out, "%s<no control commands>\n", indent);
200#endif
201 return 1;
202 }
203 cmds = sk_OPENSSL_STRING_new_null();
204
205 if (!cmds)
206 goto err;
207 do {
208 int len;
209 /* Get the command input flags */
210 if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
211 NULL, NULL)) < 0)
212 goto err;
213 if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
214 /* Get the command name */
215 if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
216 NULL, NULL)) <= 0)
217 goto err;
218 if ((name = malloc(len + 1)) == NULL)
219 goto err;
220 if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
221 NULL) <= 0)
222 goto err;
223 /* Get the command description */
224 if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
225 NULL, NULL)) < 0)
226 goto err;
227 if (len > 0) {
228 if ((desc = malloc(len + 1)) == NULL)
229 goto err;
230 if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
231 NULL) <= 0)
232 goto err;
233 }
234 /* Now decide on the output */
235 if (xpos == 0)
236 /* Do an indent */
237 xpos = BIO_puts(bio_out, indent);
238 else
239 /* Otherwise prepend a ", " */
240 xpos += BIO_printf(bio_out, ", ");
241 if (verbose == 1) {
242 /* We're just listing names, comma-delimited */
243 if ((xpos > (int) strlen(indent)) &&
244 (xpos + (int) strlen(name) > line_wrap)) {
245 BIO_printf(bio_out, "\n");
246 xpos = BIO_puts(bio_out, indent);
247 }
248 xpos += BIO_printf(bio_out, "%s", name);
249 } else {
250 /* We're listing names plus descriptions */
251 BIO_printf(bio_out, "%s: %s\n", name,
252 (desc == NULL) ? "<no description>" : desc);
253 /* ... and sometimes input flags */
254 if ((verbose >= 3) && !util_flags(bio_out, flags,
255 indent))
256 goto err;
257 xpos = 0;
258 }
259 }
260 free(name);
261 name = NULL;
262 free(desc);
263 desc = NULL;
264
265 /* Move to the next command */
266 num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
267 num, NULL, NULL);
268 } while (num > 0);
269 if (xpos > 0)
270 BIO_printf(bio_out, "\n");
271 ret = 1;
272err:
273 if (cmds)
274 sk_OPENSSL_STRING_pop_free(cmds, identity);
275 free(name);
276 free(desc);
277 return ret;
278}
279
280static void
281util_do_cmds(ENGINE * e, STACK_OF(OPENSSL_STRING) * cmds,
282 BIO * bio_out, const char *indent)
283{
284 int loop, res, num = sk_OPENSSL_STRING_num(cmds);
285
286 if (num < 0) {
287 BIO_printf(bio_out, "[Error]: internal stack error\n");
288 return;
289 }
290 for (loop = 0; loop < num; loop++) {
291 char buf[256];
292 const char *cmd, *arg;
293 cmd = sk_OPENSSL_STRING_value(cmds, loop);
294 res = 1; /* assume success */
295 /* Check if this command has no ":arg" */
296 if ((arg = strstr(cmd, ":")) == NULL) {
297 if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
298 res = 0;
299 } else {
300 if ((int) (arg - cmd) > 254) {
301 BIO_printf(bio_out, "[Error]: command name too long\n");
302 return;
303 }
304 memcpy(buf, cmd, (int) (arg - cmd));
305 buf[arg - cmd] = '\0';
306 arg++; /* Move past the ":" */
307 /* Call the command with the argument */
308 if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
309 res = 0;
310 }
311 if (res)
312 BIO_printf(bio_out, "[Success]: %s\n", cmd);
313 else {
314 BIO_printf(bio_out, "[Failure]: %s\n", cmd);
315 ERR_print_errors(bio_out);
316 }
317 }
318}
319
320int engine_main(int, char **);
321
322int
323engine_main(int argc, char **argv)
324{
325 int ret = 1, i;
326 const char **pp;
327 int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
328 ENGINE *e;
329 STACK_OF(OPENSSL_STRING) * engines = sk_OPENSSL_STRING_new_null();
330 STACK_OF(OPENSSL_STRING) * pre_cmds = sk_OPENSSL_STRING_new_null();
331 STACK_OF(OPENSSL_STRING) * post_cmds = sk_OPENSSL_STRING_new_null();
332 int badops = 1;
333 BIO *bio_out = NULL;
334 const char *indent = " ";
335
336 bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
337
338 argc--;
339 argv++;
340 while (argc >= 1) {
341 if (strncmp(*argv, "-v", 2) == 0) {
342 if (strspn(*argv + 1, "v") < strlen(*argv + 1))
343 goto skip_arg_loop;
344 if ((verbose = strlen(*argv + 1)) > 4)
345 goto skip_arg_loop;
346 } else if (strcmp(*argv, "-c") == 0)
347 list_cap = 1;
348 else if (strncmp(*argv, "-t", 2) == 0) {
349 test_avail = 1;
350 if (strspn(*argv + 1, "t") < strlen(*argv + 1))
351 goto skip_arg_loop;
352 if ((test_avail_noise = strlen(*argv + 1) - 1) > 1)
353 goto skip_arg_loop;
354 } else if (strcmp(*argv, "-pre") == 0) {
355 argc--;
356 argv++;
357 if (argc == 0)
358 goto skip_arg_loop;
359 sk_OPENSSL_STRING_push(pre_cmds, *argv);
360 } else if (strcmp(*argv, "-post") == 0) {
361 argc--;
362 argv++;
363 if (argc == 0)
364 goto skip_arg_loop;
365 sk_OPENSSL_STRING_push(post_cmds, *argv);
366 } else if ((strncmp(*argv, "-h", 2) == 0) ||
367 (strcmp(*argv, "-?") == 0))
368 goto skip_arg_loop;
369 else
370 sk_OPENSSL_STRING_push(engines, *argv);
371 argc--;
372 argv++;
373 }
374 /* Looks like everything went OK */
375 badops = 0;
376skip_arg_loop:
377
378 if (badops) {
379 for (pp = engine_usage; (*pp != NULL); pp++)
380 BIO_printf(bio_err, "%s", *pp);
381 goto end;
382 }
383 if (sk_OPENSSL_STRING_num(engines) == 0) {
384 for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
385 sk_OPENSSL_STRING_push(engines, (char *) ENGINE_get_id(e));
386 }
387 }
388 for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
389 const char *id = sk_OPENSSL_STRING_value(engines, i);
390 if ((e = ENGINE_by_id(id)) != NULL) {
391 const char *name = ENGINE_get_name(e);
392 /* Do "id" first, then "name". Easier to auto-parse. */
393 BIO_printf(bio_out, "(%s) %s\n", id, name);
394 util_do_cmds(e, pre_cmds, bio_out, indent);
395 if (strcmp(ENGINE_get_id(e), id) != 0) {
396 BIO_printf(bio_out, "Loaded: (%s) %s\n",
397 ENGINE_get_id(e), ENGINE_get_name(e));
398 }
399 if (list_cap) {
400 int cap_size = 256;
401 char *cap_buf = NULL;
402 int k, n;
403 const int *nids;
404 ENGINE_CIPHERS_PTR fn_c;
405 ENGINE_DIGESTS_PTR fn_d;
406 ENGINE_PKEY_METHS_PTR fn_pk;
407
408 if (ENGINE_get_RSA(e) != NULL
409 && !append_buf(&cap_buf, "RSA",
410 &cap_size, 256))
411 goto end;
412 if (ENGINE_get_DSA(e) != NULL
413 && !append_buf(&cap_buf, "DSA",
414 &cap_size, 256))
415 goto end;
416 if (ENGINE_get_DH(e) != NULL
417 && !append_buf(&cap_buf, "DH",
418 &cap_size, 256))
419 goto end;
420 if (ENGINE_get_RAND(e) != NULL
421 && !append_buf(&cap_buf, "RAND",
422 &cap_size, 256))
423 goto end;
424
425 fn_c = ENGINE_get_ciphers(e);
426 if (!fn_c)
427 goto skip_ciphers;
428 n = fn_c(e, NULL, &nids, 0);
429 for (k = 0; k < n; ++k)
430 if (!append_buf(&cap_buf,
431 OBJ_nid2sn(nids[k]),
432 &cap_size, 256))
433 goto end;
434
435 skip_ciphers:
436 fn_d = ENGINE_get_digests(e);
437 if (!fn_d)
438 goto skip_digests;
439 n = fn_d(e, NULL, &nids, 0);
440 for (k = 0; k < n; ++k)
441 if (!append_buf(&cap_buf,
442 OBJ_nid2sn(nids[k]),
443 &cap_size, 256))
444 goto end;
445
446 skip_digests:
447 fn_pk = ENGINE_get_pkey_meths(e);
448 if (!fn_pk)
449 goto skip_pmeths;
450 n = fn_pk(e, NULL, &nids, 0);
451 for (k = 0; k < n; ++k)
452 if (!append_buf(&cap_buf,
453 OBJ_nid2sn(nids[k]),
454 &cap_size, 256))
455 goto end;
456 skip_pmeths:
457 if (cap_buf && (*cap_buf != '\0'))
458 BIO_printf(bio_out, " [%s]\n", cap_buf);
459
460 free(cap_buf);
461 }
462 if (test_avail) {
463 BIO_printf(bio_out, "%s", indent);
464 if (ENGINE_init(e)) {
465 BIO_printf(bio_out, "[ available ]\n");
466 util_do_cmds(e, post_cmds, bio_out, indent);
467 ENGINE_finish(e);
468 } else {
469 BIO_printf(bio_out, "[ unavailable ]\n");
470 if (test_avail_noise)
471 ERR_print_errors_fp(stdout);
472 ERR_clear_error();
473 }
474 }
475 if ((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
476 goto end;
477 ENGINE_free(e);
478 } else
479 ERR_print_errors(bio_err);
480 }
481
482 ret = 0;
483end:
484
485 ERR_print_errors(bio_err);
486 sk_OPENSSL_STRING_pop_free(engines, identity);
487 sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
488 sk_OPENSSL_STRING_pop_free(post_cmds, identity);
489 if (bio_out != NULL)
490 BIO_free_all(bio_out);
491
492 return (ret);
493}
494#endif
diff --git a/src/lib/libssl/src/apps/errstr.c b/src/lib/libssl/src/apps/errstr.c
deleted file mode 100644
index 2f4087d122..0000000000
--- a/src/lib/libssl/src/apps/errstr.c
+++ /dev/null
@@ -1,108 +0,0 @@
1/* $OpenBSD: errstr.c,v 1.19 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/err.h>
67#include <openssl/lhash.h>
68#include <openssl/ssl.h>
69
70int errstr_main(int, char **);
71
72int
73errstr_main(int argc, char **argv)
74{
75 int i, ret = 0;
76 char buf[256];
77 unsigned long l;
78
79 if ((argc > 1) && (strcmp(argv[1], "-stats") == 0)) {
80 BIO *out = NULL;
81
82 out = BIO_new(BIO_s_file());
83 if ((out != NULL) && BIO_set_fp(out, stdout, BIO_NOCLOSE)) {
84 lh_ERR_STRING_DATA_node_stats_bio(
85 ERR_get_string_table(), out);
86 lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(),
87 out);
88 lh_ERR_STRING_DATA_node_usage_stats_bio(
89 ERR_get_string_table(), out);
90 }
91 if (out != NULL)
92 BIO_free_all(out);
93 argc--;
94 argv++;
95 }
96 for (i = 1; i < argc; i++) {
97 if (sscanf(argv[i], "%lx", &l)) {
98 ERR_error_string_n(l, buf, sizeof buf);
99 printf("%s\n", buf);
100 } else {
101 printf("%s: bad error code\n", argv[i]);
102 printf("usage: errstr [-stats] <errno> ...\n");
103 ret++;
104 }
105 }
106
107 return (ret);
108}
diff --git a/src/lib/libssl/src/apps/gendh.c b/src/lib/libssl/src/apps/gendh.c
deleted file mode 100644
index 2cce6cf50b..0000000000
--- a/src/lib/libssl/src/apps/gendh.c
+++ /dev/null
@@ -1,204 +0,0 @@
1/* $OpenBSD: gendh.c,v 1.28 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h>
60
61/* Until the key-gen callbacks are modified to use newer prototypes, we allow
62 * deprecated functions for openssl-internal code */
63#ifdef OPENSSL_NO_DEPRECATED
64#undef OPENSSL_NO_DEPRECATED
65#endif
66
67#ifndef OPENSSL_NO_DH
68
69#include <sys/types.h>
70#include <sys/stat.h>
71
72#include <stdio.h>
73#include <string.h>
74
75#include "apps.h"
76
77#include <openssl/bio.h>
78#include <openssl/bn.h>
79#include <openssl/dh.h>
80#include <openssl/err.h>
81#include <openssl/pem.h>
82#include <openssl/rand.h>
83#include <openssl/x509.h>
84
85#define DEFBITS 512
86
87static int dh_cb(int p, int n, BN_GENCB * cb);
88
89int gendh_main(int, char **);
90
91int
92gendh_main(int argc, char **argv)
93{
94 BN_GENCB cb;
95 DH *dh = NULL;
96 int ret = 1, num = DEFBITS;
97 int g = 2;
98 char *outfile = NULL;
99#ifndef OPENSSL_NO_ENGINE
100 char *engine = NULL;
101#endif
102 BIO *out = NULL;
103
104 BN_GENCB_set(&cb, dh_cb, bio_err);
105
106 argv++;
107 argc--;
108 for (;;) {
109 if (argc <= 0)
110 break;
111 if (strcmp(*argv, "-out") == 0) {
112 if (--argc < 1)
113 goto bad;
114 outfile = *(++argv);
115 } else if (strcmp(*argv, "-2") == 0)
116 g = 2;
117 /*
118 * else if (strcmp(*argv,"-3") == 0) g=3;
119 */
120 else if (strcmp(*argv, "-5") == 0)
121 g = 5;
122#ifndef OPENSSL_NO_ENGINE
123 else if (strcmp(*argv, "-engine") == 0) {
124 if (--argc < 1)
125 goto bad;
126 engine = *(++argv);
127 }
128#endif
129 else
130 break;
131 argv++;
132 argc--;
133 }
134 if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
135bad:
136 BIO_printf(bio_err, "usage: gendh [args] [numbits]\n");
137 BIO_printf(bio_err, " -out file - output the key to 'file\n");
138 BIO_printf(bio_err, " -2 - use 2 as the generator value\n");
139 /*
140 * BIO_printf(bio_err," -3 - use 3 as the generator
141 * value\n");
142 */
143 BIO_printf(bio_err, " -5 - use 5 as the generator value\n");
144#ifndef OPENSSL_NO_ENGINE
145 BIO_printf(bio_err, " -engine e - use engine e, possibly a hardware device.\n");
146#endif
147 goto end;
148 }
149#ifndef OPENSSL_NO_ENGINE
150 setup_engine(bio_err, engine, 0);
151#endif
152
153 out = BIO_new(BIO_s_file());
154 if (out == NULL) {
155 ERR_print_errors(bio_err);
156 goto end;
157 }
158 if (outfile == NULL) {
159 BIO_set_fp(out, stdout, BIO_NOCLOSE);
160 } else {
161 if (BIO_write_filename(out, outfile) <= 0) {
162 perror(outfile);
163 goto end;
164 }
165 }
166
167 BIO_printf(bio_err, "Generating DH parameters, %d bit long safe prime, generator %d\n", num, g);
168 BIO_printf(bio_err, "This is going to take a long time\n");
169
170 if (((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, num, g, &cb))
171 goto end;
172
173 if (!PEM_write_bio_DHparams(out, dh))
174 goto end;
175 ret = 0;
176end:
177 if (ret != 0)
178 ERR_print_errors(bio_err);
179 if (out != NULL)
180 BIO_free_all(out);
181 if (dh != NULL)
182 DH_free(dh);
183
184 return (ret);
185}
186
187static int
188dh_cb(int p, int n, BN_GENCB * cb)
189{
190 char c = '*';
191
192 if (p == 0)
193 c = '.';
194 if (p == 1)
195 c = '+';
196 if (p == 2)
197 c = '*';
198 if (p == 3)
199 c = '\n';
200 BIO_write(cb->arg, &c, 1);
201 (void) BIO_flush(cb->arg);
202 return 1;
203}
204#endif
diff --git a/src/lib/libssl/src/apps/gendsa.c b/src/lib/libssl/src/apps/gendsa.c
deleted file mode 100644
index d45e237103..0000000000
--- a/src/lib/libssl/src/apps/gendsa.c
+++ /dev/null
@@ -1,230 +0,0 @@
1/* $OpenBSD: gendsa.c,v 1.31 2014/07/25 06:05:32 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
60
61
62#include <sys/types.h>
63#include <sys/stat.h>
64
65#include <stdio.h>
66#include <string.h>
67
68#include "apps.h"
69
70#include <openssl/bio.h>
71#include <openssl/bn.h>
72#include <openssl/dsa.h>
73#include <openssl/err.h>
74#include <openssl/pem.h>
75#include <openssl/x509.h>
76
77#define DEFBITS 512
78
79int gendsa_main(int, char **);
80
81int
82gendsa_main(int argc, char **argv)
83{
84 DSA *dsa = NULL;
85 int ret = 1;
86 char *outfile = NULL;
87 char *dsaparams = NULL;
88 char *passargout = NULL, *passout = NULL;
89 BIO *out = NULL, *in = NULL;
90 const EVP_CIPHER *enc = NULL;
91#ifndef OPENSSL_NO_ENGINE
92 char *engine = NULL;
93#endif
94
95 argv++;
96 argc--;
97 for (;;) {
98 if (argc <= 0)
99 break;
100 if (strcmp(*argv, "-out") == 0) {
101 if (--argc < 1)
102 goto bad;
103 outfile = *(++argv);
104 } else if (strcmp(*argv, "-passout") == 0) {
105 if (--argc < 1)
106 goto bad;
107 passargout = *(++argv);
108 }
109#ifndef OPENSSL_NO_ENGINE
110 else if (strcmp(*argv, "-engine") == 0) {
111 if (--argc < 1)
112 goto bad;
113 engine = *(++argv);
114 }
115#endif
116 else if (strcmp(*argv, "-") == 0)
117 goto bad;
118#ifndef OPENSSL_NO_DES
119 else if (strcmp(*argv, "-des") == 0)
120 enc = EVP_des_cbc();
121 else if (strcmp(*argv, "-des3") == 0)
122 enc = EVP_des_ede3_cbc();
123#endif
124#ifndef OPENSSL_NO_IDEA
125 else if (strcmp(*argv, "-idea") == 0)
126 enc = EVP_idea_cbc();
127#endif
128#ifndef OPENSSL_NO_AES
129 else if (strcmp(*argv, "-aes128") == 0)
130 enc = EVP_aes_128_cbc();
131 else if (strcmp(*argv, "-aes192") == 0)
132 enc = EVP_aes_192_cbc();
133 else if (strcmp(*argv, "-aes256") == 0)
134 enc = EVP_aes_256_cbc();
135#endif
136#ifndef OPENSSL_NO_CAMELLIA
137 else if (strcmp(*argv, "-camellia128") == 0)
138 enc = EVP_camellia_128_cbc();
139 else if (strcmp(*argv, "-camellia192") == 0)
140 enc = EVP_camellia_192_cbc();
141 else if (strcmp(*argv, "-camellia256") == 0)
142 enc = EVP_camellia_256_cbc();
143#endif
144 else if (**argv != '-' && dsaparams == NULL) {
145 dsaparams = *argv;
146 } else
147 goto bad;
148 argv++;
149 argc--;
150 }
151
152 if (dsaparams == NULL) {
153bad:
154 BIO_printf(bio_err, "usage: gendsa [args] dsaparam-file\n");
155 BIO_printf(bio_err, " -out file - output the key to 'file'\n");
156#ifndef OPENSSL_NO_DES
157 BIO_printf(bio_err, " -des - encrypt the generated key with DES in cbc mode\n");
158 BIO_printf(bio_err, " -des3 - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
159#endif
160#ifndef OPENSSL_NO_IDEA
161 BIO_printf(bio_err, " -idea - encrypt the generated key with IDEA in cbc mode\n");
162#endif
163#ifndef OPENSSL_NO_AES
164 BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
165 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
166#endif
167#ifndef OPENSSL_NO_CAMELLIA
168 BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
169 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
170#endif
171#ifndef OPENSSL_NO_ENGINE
172 BIO_printf(bio_err, " -engine e - use engine e, possibly a hardware device.\n");
173#endif
174 BIO_printf(bio_err, " dsaparam-file\n");
175 BIO_printf(bio_err, " - a DSA parameter file as generated by the dsaparam command\n");
176 goto end;
177 }
178#ifndef OPENSSL_NO_ENGINE
179 setup_engine(bio_err, engine, 0);
180#endif
181
182 if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
183 BIO_printf(bio_err, "Error getting password\n");
184 goto end;
185 }
186 in = BIO_new(BIO_s_file());
187 if (!(BIO_read_filename(in, dsaparams))) {
188 perror(dsaparams);
189 goto end;
190 }
191 if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
192 BIO_printf(bio_err, "unable to load DSA parameter file\n");
193 goto end;
194 }
195 BIO_free(in);
196 in = NULL;
197
198 out = BIO_new(BIO_s_file());
199 if (out == NULL)
200 goto end;
201
202 if (outfile == NULL) {
203 BIO_set_fp(out, stdout, BIO_NOCLOSE);
204 } else {
205 if (BIO_write_filename(out, outfile) <= 0) {
206 perror(outfile);
207 goto end;
208 }
209 }
210
211 BIO_printf(bio_err, "Generating DSA key, %d bits\n",
212 BN_num_bits(dsa->p));
213 if (!DSA_generate_key(dsa))
214 goto end;
215
216 if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
217 goto end;
218 ret = 0;
219end:
220 if (ret != 0)
221 ERR_print_errors(bio_err);
222 BIO_free(in);
223 if (out != NULL)
224 BIO_free_all(out);
225 if (dsa != NULL)
226 DSA_free(dsa);
227 free(passout);
228
229 return (ret);
230}
diff --git a/src/lib/libssl/src/apps/genpkey.c b/src/lib/libssl/src/apps/genpkey.c
deleted file mode 100644
index 23e32e49f0..0000000000
--- a/src/lib/libssl/src/apps/genpkey.c
+++ /dev/null
@@ -1,383 +0,0 @@
1/* $OpenBSD: genpkey.c,v 1.13 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include "apps.h"
63
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/pem.h>
67
68#ifndef OPENSSL_NO_ENGINE
69#include <openssl/engine.h>
70#endif
71
72static int
73init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file,
74 ENGINE * e);
75static int genpkey_cb(EVP_PKEY_CTX * ctx);
76
77
78int genpkey_main(int, char **);
79
80int
81genpkey_main(int argc, char **argv)
82{
83 ENGINE *e = NULL;
84 char **args, *outfile = NULL;
85 char *passarg = NULL;
86 BIO *in = NULL, *out = NULL;
87 const EVP_CIPHER *cipher = NULL;
88 int outformat;
89 int text = 0;
90 EVP_PKEY *pkey = NULL;
91 EVP_PKEY_CTX *ctx = NULL;
92 char *pass = NULL;
93 int badarg = 0;
94 int ret = 1, rv;
95
96 int do_param = 0;
97
98 outformat = FORMAT_PEM;
99
100 ERR_load_crypto_strings();
101 OpenSSL_add_all_algorithms();
102 args = argv + 1;
103 while (!badarg && *args && *args[0] == '-') {
104 if (!strcmp(*args, "-outform")) {
105 if (args[1]) {
106 args++;
107 outformat = str2fmt(*args);
108 } else
109 badarg = 1;
110 } else if (!strcmp(*args, "-pass")) {
111 if (!args[1])
112 goto bad;
113 passarg = *(++args);
114 }
115#ifndef OPENSSL_NO_ENGINE
116 else if (strcmp(*args, "-engine") == 0) {
117 if (!args[1])
118 goto bad;
119 e = setup_engine(bio_err, *(++args), 0);
120 }
121#endif
122 else if (!strcmp(*args, "-paramfile")) {
123 if (!args[1])
124 goto bad;
125 args++;
126 if (do_param == 1)
127 goto bad;
128 if (!init_keygen_file(bio_err, &ctx, *args, e))
129 goto end;
130 } else if (!strcmp(*args, "-out")) {
131 if (args[1]) {
132 args++;
133 outfile = *args;
134 } else
135 badarg = 1;
136 } else if (strcmp(*args, "-algorithm") == 0) {
137 if (!args[1])
138 goto bad;
139 if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param))
140 goto end;
141 } else if (strcmp(*args, "-pkeyopt") == 0) {
142 if (!args[1])
143 goto bad;
144 if (!ctx) {
145 BIO_puts(bio_err, "No keytype specified\n");
146 goto bad;
147 } else if (pkey_ctrl_string(ctx, *(++args)) <= 0) {
148 BIO_puts(bio_err, "parameter setting error\n");
149 ERR_print_errors(bio_err);
150 goto end;
151 }
152 } else if (strcmp(*args, "-genparam") == 0) {
153 if (ctx)
154 goto bad;
155 do_param = 1;
156 } else if (strcmp(*args, "-text") == 0)
157 text = 1;
158 else {
159 cipher = EVP_get_cipherbyname(*args + 1);
160 if (!cipher) {
161 BIO_printf(bio_err, "Unknown cipher %s\n",
162 *args + 1);
163 badarg = 1;
164 }
165 if (do_param == 1)
166 badarg = 1;
167 }
168 args++;
169 }
170
171 if (!ctx)
172 badarg = 1;
173
174 if (badarg) {
175bad:
176 BIO_printf(bio_err, "Usage: genpkey [options]\n");
177 BIO_printf(bio_err, "where options may be\n");
178 BIO_printf(bio_err, "-out file output file\n");
179 BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
180 BIO_printf(bio_err, "-pass arg output file pass phrase source\n");
181 BIO_printf(bio_err, "-<cipher> use cipher <cipher> to encrypt the key\n");
182#ifndef OPENSSL_NO_ENGINE
183 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
184#endif
185 BIO_printf(bio_err, "-paramfile file parameters file\n");
186 BIO_printf(bio_err, "-algorithm alg the public key algorithm\n");
187 BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
188 " to value <value>\n");
189 BIO_printf(bio_err, "-genparam generate parameters, not key\n");
190 BIO_printf(bio_err, "-text print the in text\n");
191 BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n");
192 goto end;
193 }
194 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
195 BIO_puts(bio_err, "Error getting password\n");
196 goto end;
197 }
198 if (outfile) {
199 if (!(out = BIO_new_file(outfile, "wb"))) {
200 BIO_printf(bio_err,
201 "Can't open output file %s\n", outfile);
202 goto end;
203 }
204 } else {
205 out = BIO_new_fp(stdout, BIO_NOCLOSE);
206 }
207
208 EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
209 EVP_PKEY_CTX_set_app_data(ctx, bio_err);
210
211 if (do_param) {
212 if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
213 BIO_puts(bio_err, "Error generating parameters\n");
214 ERR_print_errors(bio_err);
215 goto end;
216 }
217 } else {
218 if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
219 BIO_puts(bio_err, "Error generating key\n");
220 ERR_print_errors(bio_err);
221 goto end;
222 }
223 }
224
225 if (do_param)
226 rv = PEM_write_bio_Parameters(out, pkey);
227 else if (outformat == FORMAT_PEM)
228 rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0,
229 NULL, pass);
230 else if (outformat == FORMAT_ASN1)
231 rv = i2d_PrivateKey_bio(out, pkey);
232 else {
233 BIO_printf(bio_err, "Bad format specified for key\n");
234 goto end;
235 }
236
237 if (rv <= 0) {
238 BIO_puts(bio_err, "Error writing key\n");
239 ERR_print_errors(bio_err);
240 }
241 if (text) {
242 if (do_param)
243 rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
244 else
245 rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
246
247 if (rv <= 0) {
248 BIO_puts(bio_err, "Error printing key\n");
249 ERR_print_errors(bio_err);
250 }
251 }
252 ret = 0;
253
254end:
255 if (pkey)
256 EVP_PKEY_free(pkey);
257 if (ctx)
258 EVP_PKEY_CTX_free(ctx);
259 if (out)
260 BIO_free_all(out);
261 BIO_free(in);
262 free(pass);
263
264 return ret;
265}
266
267static int
268init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx,
269 const char *file, ENGINE * e)
270{
271 BIO *pbio;
272 EVP_PKEY *pkey = NULL;
273 EVP_PKEY_CTX *ctx = NULL;
274 if (*pctx) {
275 BIO_puts(err, "Parameters already set!\n");
276 return 0;
277 }
278 pbio = BIO_new_file(file, "r");
279 if (!pbio) {
280 BIO_printf(err, "Can't open parameter file %s\n", file);
281 return 0;
282 }
283 pkey = PEM_read_bio_Parameters(pbio, NULL);
284 BIO_free(pbio);
285
286 if (!pkey) {
287 BIO_printf(bio_err, "Error reading parameter file %s\n", file);
288 return 0;
289 }
290 ctx = EVP_PKEY_CTX_new(pkey, e);
291 if (!ctx)
292 goto err;
293 if (EVP_PKEY_keygen_init(ctx) <= 0)
294 goto err;
295 EVP_PKEY_free(pkey);
296 *pctx = ctx;
297 return 1;
298
299err:
300 BIO_puts(err, "Error initializing context\n");
301 ERR_print_errors(err);
302 if (ctx)
303 EVP_PKEY_CTX_free(ctx);
304 if (pkey)
305 EVP_PKEY_free(pkey);
306 return 0;
307
308}
309
310int
311init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx,
312 const char *algname, ENGINE * e, int do_param)
313{
314 EVP_PKEY_CTX *ctx = NULL;
315 const EVP_PKEY_ASN1_METHOD *ameth;
316 ENGINE *tmpeng = NULL;
317 int pkey_id;
318
319 if (*pctx) {
320 BIO_puts(err, "Algorithm already set!\n");
321 return 0;
322 }
323 ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
324
325#ifndef OPENSSL_NO_ENGINE
326 if (!ameth && e)
327 ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
328#endif
329
330 if (!ameth) {
331 BIO_printf(bio_err, "Algorithm %s not found\n", algname);
332 return 0;
333 }
334 ERR_clear_error();
335
336 EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
337#ifndef OPENSSL_NO_ENGINE
338 if (tmpeng)
339 ENGINE_finish(tmpeng);
340#endif
341 ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
342
343 if (!ctx)
344 goto err;
345 if (do_param) {
346 if (EVP_PKEY_paramgen_init(ctx) <= 0)
347 goto err;
348 } else {
349 if (EVP_PKEY_keygen_init(ctx) <= 0)
350 goto err;
351 }
352
353 *pctx = ctx;
354 return 1;
355
356err:
357 BIO_printf(err, "Error initializing %s context\n", algname);
358 ERR_print_errors(err);
359 if (ctx)
360 EVP_PKEY_CTX_free(ctx);
361 return 0;
362
363}
364
365static int
366genpkey_cb(EVP_PKEY_CTX * ctx)
367{
368 char c = '*';
369 BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
370 int p;
371 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
372 if (p == 0)
373 c = '.';
374 if (p == 1)
375 c = '+';
376 if (p == 2)
377 c = '*';
378 if (p == 3)
379 c = '\n';
380 BIO_write(b, &c, 1);
381 (void) BIO_flush(b);
382 return 1;
383}
diff --git a/src/lib/libssl/src/apps/genrsa.c b/src/lib/libssl/src/apps/genrsa.c
deleted file mode 100644
index 9115a0b3a8..0000000000
--- a/src/lib/libssl/src/apps/genrsa.c
+++ /dev/null
@@ -1,286 +0,0 @@
1/* $OpenBSD: genrsa.c,v 1.37 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h>
60
61/* Until the key-gen callbacks are modified to use newer prototypes, we allow
62 * deprecated functions for openssl-internal code */
63#ifdef OPENSSL_NO_DEPRECATED
64#undef OPENSSL_NO_DEPRECATED
65#endif
66
67
68#include <sys/types.h>
69#include <sys/stat.h>
70
71#include <stdio.h>
72#include <string.h>
73
74#include "apps.h"
75
76#include <openssl/bio.h>
77#include <openssl/bn.h>
78#include <openssl/err.h>
79#include <openssl/evp.h>
80#include <openssl/pem.h>
81#include <openssl/rand.h>
82#include <openssl/rsa.h>
83#include <openssl/x509.h>
84
85#define DEFBITS 2048
86
87static int genrsa_cb(int p, int n, BN_GENCB * cb);
88
89int genrsa_main(int, char **);
90
91int
92genrsa_main(int argc, char **argv)
93{
94 BN_GENCB cb;
95#ifndef OPENSSL_NO_ENGINE
96 ENGINE *e = NULL;
97#endif
98 int ret = 1;
99 int i, num = DEFBITS;
100 long l;
101 const EVP_CIPHER *enc = NULL;
102 unsigned long f4 = RSA_F4;
103 char *outfile = NULL;
104 char *passargout = NULL, *passout = NULL;
105#ifndef OPENSSL_NO_ENGINE
106 char *engine = NULL;
107#endif
108 BIO *out = NULL;
109 BIGNUM *bn = BN_new();
110 RSA *rsa = NULL;
111
112 if (!bn)
113 goto err;
114
115 BN_GENCB_set(&cb, genrsa_cb, bio_err);
116
117 if ((out = BIO_new(BIO_s_file())) == NULL) {
118 BIO_printf(bio_err, "unable to create BIO for output\n");
119 goto err;
120 }
121 argv++;
122 argc--;
123 for (;;) {
124 if (argc <= 0)
125 break;
126 if (strcmp(*argv, "-out") == 0) {
127 if (--argc < 1)
128 goto bad;
129 outfile = *(++argv);
130 } else if (strcmp(*argv, "-3") == 0)
131 f4 = 3;
132 else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
133 f4 = RSA_F4;
134#ifndef OPENSSL_NO_ENGINE
135 else if (strcmp(*argv, "-engine") == 0) {
136 if (--argc < 1)
137 goto bad;
138 engine = *(++argv);
139 }
140#endif
141#ifndef OPENSSL_NO_DES
142 else if (strcmp(*argv, "-des") == 0)
143 enc = EVP_des_cbc();
144 else if (strcmp(*argv, "-des3") == 0)
145 enc = EVP_des_ede3_cbc();
146#endif
147#ifndef OPENSSL_NO_IDEA
148 else if (strcmp(*argv, "-idea") == 0)
149 enc = EVP_idea_cbc();
150#endif
151#ifndef OPENSSL_NO_AES
152 else if (strcmp(*argv, "-aes128") == 0)
153 enc = EVP_aes_128_cbc();
154 else if (strcmp(*argv, "-aes192") == 0)
155 enc = EVP_aes_192_cbc();
156 else if (strcmp(*argv, "-aes256") == 0)
157 enc = EVP_aes_256_cbc();
158#endif
159#ifndef OPENSSL_NO_CAMELLIA
160 else if (strcmp(*argv, "-camellia128") == 0)
161 enc = EVP_camellia_128_cbc();
162 else if (strcmp(*argv, "-camellia192") == 0)
163 enc = EVP_camellia_192_cbc();
164 else if (strcmp(*argv, "-camellia256") == 0)
165 enc = EVP_camellia_256_cbc();
166#endif
167 else if (strcmp(*argv, "-passout") == 0) {
168 if (--argc < 1)
169 goto bad;
170 passargout = *(++argv);
171 } else
172 break;
173 argv++;
174 argc--;
175 }
176 if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
177bad:
178 BIO_printf(bio_err, "usage: genrsa [args] [numbits]\n");
179 BIO_printf(bio_err, " -des encrypt the generated key with DES in cbc mode\n");
180 BIO_printf(bio_err, " -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
181#ifndef OPENSSL_NO_IDEA
182 BIO_printf(bio_err, " -idea encrypt the generated key with IDEA in cbc mode\n");
183#endif
184#ifndef OPENSSL_NO_AES
185 BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
186 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
187#endif
188#ifndef OPENSSL_NO_CAMELLIA
189 BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
190 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
191#endif
192 BIO_printf(bio_err, " -out file output the key to 'file\n");
193 BIO_printf(bio_err, " -passout arg output file pass phrase source\n");
194 BIO_printf(bio_err, " -f4 use F4 (0x10001) for the E value\n");
195 BIO_printf(bio_err, " -3 use 3 for the E value\n");
196#ifndef OPENSSL_NO_ENGINE
197 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
198#endif
199 goto err;
200 }
201 ERR_load_crypto_strings();
202
203 if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
204 BIO_printf(bio_err, "Error getting password\n");
205 goto err;
206 }
207#ifndef OPENSSL_NO_ENGINE
208 e = setup_engine(bio_err, engine, 0);
209#endif
210
211 if (outfile == NULL) {
212 BIO_set_fp(out, stdout, BIO_NOCLOSE);
213 } else {
214 if (BIO_write_filename(out, outfile) <= 0) {
215 perror(outfile);
216 goto err;
217 }
218 }
219
220 BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
221 num);
222#ifdef OPENSSL_NO_ENGINE
223 rsa = RSA_new();
224#else
225 rsa = RSA_new_method(e);
226#endif
227 if (!rsa)
228 goto err;
229
230 if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
231 goto err;
232
233 /*
234 * We need to do the following for when the base number size is <
235 * long, esp windows 3.1 :-(.
236 */
237 l = 0L;
238 for (i = 0; i < rsa->e->top; i++) {
239#ifndef _LP64
240 l <<= BN_BITS4;
241 l <<= BN_BITS4;
242#endif
243 l += rsa->e->d[i];
244 }
245 BIO_printf(bio_err, "e is %ld (0x%lX)\n", l, l);
246 {
247 PW_CB_DATA cb_data;
248 cb_data.password = passout;
249 cb_data.prompt_info = outfile;
250 if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
251 password_callback, &cb_data))
252 goto err;
253 }
254
255 ret = 0;
256err:
257 if (bn)
258 BN_free(bn);
259 if (rsa)
260 RSA_free(rsa);
261 if (out)
262 BIO_free_all(out);
263 free(passout);
264 if (ret != 0)
265 ERR_print_errors(bio_err);
266
267 return (ret);
268}
269
270static int
271genrsa_cb(int p, int n, BN_GENCB * cb)
272{
273 char c = '*';
274
275 if (p == 0)
276 c = '.';
277 if (p == 1)
278 c = '+';
279 if (p == 2)
280 c = '*';
281 if (p == 3)
282 c = '\n';
283 BIO_write(cb->arg, &c, 1);
284 (void) BIO_flush(cb->arg);
285 return 1;
286}
diff --git a/src/lib/libssl/src/apps/nseq.c b/src/lib/libssl/src/apps/nseq.c
deleted file mode 100644
index 154b6a5685..0000000000
--- a/src/lib/libssl/src/apps/nseq.c
+++ /dev/null
@@ -1,162 +0,0 @@
1/* $OpenBSD: nseq.c,v 1.16 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include "apps.h"
63
64#include <openssl/err.h>
65#include <openssl/pem.h>
66
67int nseq_main(int, char **);
68
69int
70nseq_main(int argc, char **argv)
71{
72 char **args, *infile = NULL, *outfile = NULL;
73 BIO *in = NULL, *out = NULL;
74 int toseq = 0;
75 X509 *x509 = NULL;
76 NETSCAPE_CERT_SEQUENCE *seq = NULL;
77 int i, ret = 1;
78 int badarg = 0;
79
80 ERR_load_crypto_strings();
81
82 args = argv + 1;
83 while (!badarg && *args && *args[0] == '-') {
84 if (!strcmp(*args, "-toseq"))
85 toseq = 1;
86 else if (!strcmp(*args, "-in")) {
87 if (args[1]) {
88 args++;
89 infile = *args;
90 } else
91 badarg = 1;
92 } else if (!strcmp(*args, "-out")) {
93 if (args[1]) {
94 args++;
95 outfile = *args;
96 } else
97 badarg = 1;
98 } else
99 badarg = 1;
100 args++;
101 }
102
103 if (badarg) {
104 BIO_printf(bio_err, "Netscape certificate sequence utility\n");
105 BIO_printf(bio_err, "Usage nseq [options]\n");
106 BIO_printf(bio_err, "where options are\n");
107 BIO_printf(bio_err, "-in file input file\n");
108 BIO_printf(bio_err, "-out file output file\n");
109 BIO_printf(bio_err, "-toseq output NS Sequence file\n");
110 return (1);
111 }
112 if (infile) {
113 if (!(in = BIO_new_file(infile, "r"))) {
114 BIO_printf(bio_err,
115 "Can't open input file %s\n", infile);
116 goto end;
117 }
118 } else
119 in = BIO_new_fp(stdin, BIO_NOCLOSE);
120
121 if (outfile) {
122 if (!(out = BIO_new_file(outfile, "w"))) {
123 BIO_printf(bio_err,
124 "Can't open output file %s\n", outfile);
125 goto end;
126 }
127 } else {
128 out = BIO_new_fp(stdout, BIO_NOCLOSE);
129 }
130 if (toseq) {
131 seq = NETSCAPE_CERT_SEQUENCE_new();
132 seq->certs = sk_X509_new_null();
133 while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
134 sk_X509_push(seq->certs, x509);
135
136 if (!sk_X509_num(seq->certs)) {
137 BIO_printf(bio_err, "Error reading certs file %s\n", infile);
138 ERR_print_errors(bio_err);
139 goto end;
140 }
141 PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
142 ret = 0;
143 goto end;
144 }
145 if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
146 BIO_printf(bio_err, "Error reading sequence file %s\n", infile);
147 ERR_print_errors(bio_err);
148 goto end;
149 }
150 for (i = 0; i < sk_X509_num(seq->certs); i++) {
151 x509 = sk_X509_value(seq->certs, i);
152 dump_cert_text(out, x509);
153 PEM_write_bio_X509(out, x509);
154 }
155 ret = 0;
156end:
157 BIO_free(in);
158 BIO_free_all(out);
159 NETSCAPE_CERT_SEQUENCE_free(seq);
160
161 return (ret);
162}
diff --git a/src/lib/libssl/src/apps/ocsp.c b/src/lib/libssl/src/apps/ocsp.c
deleted file mode 100644
index b28f160d9a..0000000000
--- a/src/lib/libssl/src/apps/ocsp.c
+++ /dev/null
@@ -1,1217 +0,0 @@
1/* $OpenBSD: ocsp.c,v 1.31 2014/08/24 16:07:29 bcook Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef OPENSSL_NO_OCSP
59
60#include <sys/select.h>
61
62#include <stdio.h>
63#include <stdlib.h>
64#include <limits.h>
65#include <string.h>
66#include <time.h>
67
68/* Needs to be included before the openssl headers! */
69#include "apps.h"
70
71#include <openssl/bn.h>
72#include <openssl/crypto.h>
73#include <openssl/err.h>
74#include <openssl/evp.h>
75#include <openssl/ssl.h>
76#include <openssl/x509v3.h>
77
78/* Maximum leeway in validity period: default 5 minutes */
79#define MAX_VALIDITY_PERIOD (5 * 60)
80
81static int
82add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 * issuer,
83 STACK_OF(OCSP_CERTID) * ids);
84static int add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X509 * issuer,
85 STACK_OF(OCSP_CERTID) * ids);
86static int print_ocsp_summary(BIO * out, OCSP_BASICRESP * bs, OCSP_REQUEST * req,
87 STACK_OF(OPENSSL_STRING) * names,
88 STACK_OF(OCSP_CERTID) * ids, long nsec,
89 long maxage);
90
91static int make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db,
92 X509 * ca, X509 * rcert, EVP_PKEY * rkey,
93 STACK_OF(X509) * rother, unsigned long flags,
94 int nmin, int ndays);
95
96static char **lookup_serial(CA_DB * db, ASN1_INTEGER * ser);
97static BIO *init_responder(char *port);
98static int do_responder(OCSP_REQUEST ** preq, BIO ** pcbio, BIO * acbio, char *port);
99static int send_ocsp_response(BIO * cbio, OCSP_RESPONSE * resp);
100static OCSP_RESPONSE *query_responder(BIO * err, BIO * cbio, char *path,
101 STACK_OF(CONF_VALUE) * headers,
102 OCSP_REQUEST * req, int req_timeout);
103
104
105int ocsp_main(int, char **);
106
107int
108ocsp_main(int argc, char **argv)
109{
110 ENGINE *e = NULL;
111 char **args;
112 char *host = NULL, *port = NULL, *path = "/";
113 char *reqin = NULL, *respin = NULL;
114 char *reqout = NULL, *respout = NULL;
115 char *signfile = NULL, *keyfile = NULL;
116 char *rsignfile = NULL, *rkeyfile = NULL;
117 char *outfile = NULL;
118 int add_nonce = 1, noverify = 0, use_ssl = -1;
119 STACK_OF(CONF_VALUE) * headers = NULL;
120 OCSP_REQUEST *req = NULL;
121 OCSP_RESPONSE *resp = NULL;
122 OCSP_BASICRESP *bs = NULL;
123 X509 *issuer = NULL, *cert = NULL;
124 X509 *signer = NULL, *rsigner = NULL;
125 EVP_PKEY *key = NULL, *rkey = NULL;
126 BIO *acbio = NULL, *cbio = NULL;
127 BIO *derbio = NULL;
128 BIO *out = NULL;
129 int req_timeout = -1;
130 int req_text = 0, resp_text = 0;
131 long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
132 char *CAfile = NULL, *CApath = NULL;
133 X509_STORE *store = NULL;
134 STACK_OF(X509) * sign_other = NULL, *verify_other = NULL, *rother = NULL;
135 char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
136 unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
137 int ret = 1;
138 int accept_count = -1;
139 int badarg = 0;
140 int i;
141 int ignore_err = 0;
142 STACK_OF(OPENSSL_STRING) * reqnames = NULL;
143 STACK_OF(OCSP_CERTID) * ids = NULL;
144 X509 *rca_cert = NULL;
145 char *ridx_filename = NULL;
146 char *rca_filename = NULL;
147 CA_DB *rdb = NULL;
148 int nmin = 0, ndays = -1;
149 const EVP_MD *cert_id_md = NULL;
150 const char *errstr = NULL;
151
152 args = argv + 1;
153 reqnames = sk_OPENSSL_STRING_new_null();
154 ids = sk_OCSP_CERTID_new_null();
155 while (!badarg && *args && *args[0] == '-') {
156 if (!strcmp(*args, "-out")) {
157 if (args[1]) {
158 args++;
159 outfile = *args;
160 } else
161 badarg = 1;
162 } else if (!strcmp(*args, "-timeout")) {
163 if (args[1]) {
164 args++;
165 req_timeout = strtonum(*args, 0,
166 INT_MAX, &errstr);
167 if (errstr) {
168 BIO_printf(bio_err,
169 "Illegal timeout value %s: %s\n",
170 *args, errstr);
171 badarg = 1;
172 }
173 } else
174 badarg = 1;
175 } else if (!strcmp(*args, "-url")) {
176 if (args[1]) {
177 args++;
178 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
179 BIO_printf(bio_err, "Error parsing URL\n");
180 badarg = 1;
181 }
182 } else
183 badarg = 1;
184 } else if (!strcmp(*args, "-host")) {
185 if (args[1]) {
186 args++;
187 host = *args;
188 } else
189 badarg = 1;
190 } else if (!strcmp(*args, "-port")) {
191 if (args[1]) {
192 args++;
193 port = *args;
194 } else
195 badarg = 1;
196 } else if (!strcmp(*args, "-header")) {
197 if (args[1] && args[2]) {
198 if (!X509V3_add_value(args[1], args[2], &headers))
199 goto end;
200 args += 2;
201 } else
202 badarg = 1;
203 } else if (!strcmp(*args, "-ignore_err"))
204 ignore_err = 1;
205 else if (!strcmp(*args, "-noverify"))
206 noverify = 1;
207 else if (!strcmp(*args, "-nonce"))
208 add_nonce = 2;
209 else if (!strcmp(*args, "-no_nonce"))
210 add_nonce = 0;
211 else if (!strcmp(*args, "-resp_no_certs"))
212 rflags |= OCSP_NOCERTS;
213 else if (!strcmp(*args, "-resp_key_id"))
214 rflags |= OCSP_RESPID_KEY;
215 else if (!strcmp(*args, "-no_certs"))
216 sign_flags |= OCSP_NOCERTS;
217 else if (!strcmp(*args, "-no_signature_verify"))
218 verify_flags |= OCSP_NOSIGS;
219 else if (!strcmp(*args, "-no_cert_verify"))
220 verify_flags |= OCSP_NOVERIFY;
221 else if (!strcmp(*args, "-no_chain"))
222 verify_flags |= OCSP_NOCHAIN;
223 else if (!strcmp(*args, "-no_cert_checks"))
224 verify_flags |= OCSP_NOCHECKS;
225 else if (!strcmp(*args, "-no_explicit"))
226 verify_flags |= OCSP_NOEXPLICIT;
227 else if (!strcmp(*args, "-trust_other"))
228 verify_flags |= OCSP_TRUSTOTHER;
229 else if (!strcmp(*args, "-no_intern"))
230 verify_flags |= OCSP_NOINTERN;
231 else if (!strcmp(*args, "-text")) {
232 req_text = 1;
233 resp_text = 1;
234 } else if (!strcmp(*args, "-req_text"))
235 req_text = 1;
236 else if (!strcmp(*args, "-resp_text"))
237 resp_text = 1;
238 else if (!strcmp(*args, "-reqin")) {
239 if (args[1]) {
240 args++;
241 reqin = *args;
242 } else
243 badarg = 1;
244 } else if (!strcmp(*args, "-respin")) {
245 if (args[1]) {
246 args++;
247 respin = *args;
248 } else
249 badarg = 1;
250 } else if (!strcmp(*args, "-signer")) {
251 if (args[1]) {
252 args++;
253 signfile = *args;
254 } else
255 badarg = 1;
256 } else if (!strcmp(*args, "-VAfile")) {
257 if (args[1]) {
258 args++;
259 verify_certfile = *args;
260 verify_flags |= OCSP_TRUSTOTHER;
261 } else
262 badarg = 1;
263 } else if (!strcmp(*args, "-sign_other")) {
264 if (args[1]) {
265 args++;
266 sign_certfile = *args;
267 } else
268 badarg = 1;
269 } else if (!strcmp(*args, "-verify_other")) {
270 if (args[1]) {
271 args++;
272 verify_certfile = *args;
273 } else
274 badarg = 1;
275 } else if (!strcmp(*args, "-CAfile")) {
276 if (args[1]) {
277 args++;
278 CAfile = *args;
279 } else
280 badarg = 1;
281 } else if (!strcmp(*args, "-CApath")) {
282 if (args[1]) {
283 args++;
284 CApath = *args;
285 } else
286 badarg = 1;
287 } else if (!strcmp(*args, "-validity_period")) {
288 if (args[1]) {
289 args++;
290 nsec = strtonum(*args, 0, LONG_MAX, &errstr);
291 if (errstr) {
292 BIO_printf(bio_err,
293 "Illegal validity period %s: %s\n",
294 *args, errstr);
295 badarg = 1;
296 }
297 } else
298 badarg = 1;
299 } else if (!strcmp(*args, "-status_age")) {
300 if (args[1]) {
301 args++;
302 maxage = strtonum(*args, 0, LONG_MAX, &errstr);
303 if (errstr) {
304 BIO_printf(bio_err,
305 "Illegal validity age %s: %s\n",
306 *args, errstr);
307 badarg = 1;
308 }
309 } else
310 badarg = 1;
311 } else if (!strcmp(*args, "-signkey")) {
312 if (args[1]) {
313 args++;
314 keyfile = *args;
315 } else
316 badarg = 1;
317 } else if (!strcmp(*args, "-reqout")) {
318 if (args[1]) {
319 args++;
320 reqout = *args;
321 } else
322 badarg = 1;
323 } else if (!strcmp(*args, "-respout")) {
324 if (args[1]) {
325 args++;
326 respout = *args;
327 } else
328 badarg = 1;
329 } else if (!strcmp(*args, "-path")) {
330 if (args[1]) {
331 args++;
332 path = *args;
333 } else
334 badarg = 1;
335 } else if (!strcmp(*args, "-issuer")) {
336 if (args[1]) {
337 args++;
338 X509_free(issuer);
339 issuer = load_cert(bio_err, *args, FORMAT_PEM,
340 NULL, e, "issuer certificate");
341 if (!issuer)
342 goto end;
343 } else
344 badarg = 1;
345 } else if (!strcmp(*args, "-cert")) {
346 if (args[1]) {
347 args++;
348 X509_free(cert);
349 cert = load_cert(bio_err, *args, FORMAT_PEM,
350 NULL, e, "certificate");
351 if (!cert)
352 goto end;
353 if (!cert_id_md)
354 cert_id_md = EVP_sha1();
355 if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
356 goto end;
357 if (!sk_OPENSSL_STRING_push(reqnames, *args))
358 goto end;
359 } else
360 badarg = 1;
361 } else if (!strcmp(*args, "-serial")) {
362 if (args[1]) {
363 args++;
364 if (!cert_id_md)
365 cert_id_md = EVP_sha1();
366 if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
367 goto end;
368 if (!sk_OPENSSL_STRING_push(reqnames, *args))
369 goto end;
370 } else
371 badarg = 1;
372 } else if (!strcmp(*args, "-index")) {
373 if (args[1]) {
374 args++;
375 ridx_filename = *args;
376 } else
377 badarg = 1;
378 } else if (!strcmp(*args, "-CA")) {
379 if (args[1]) {
380 args++;
381 rca_filename = *args;
382 } else
383 badarg = 1;
384 } else if (!strcmp(*args, "-nmin")) {
385 if (args[1]) {
386 args++;
387 nmin = strtonum(*args, 0, INT_MAX, &errstr);
388 if (errstr) {
389 BIO_printf(bio_err,
390 "Illegal update period %s: %s\n",
391 *args, errstr);
392 badarg = 1;
393 }
394 }
395 if (ndays == -1)
396 ndays = 0;
397 else
398 badarg = 1;
399 } else if (!strcmp(*args, "-nrequest")) {
400 if (args[1]) {
401 args++;
402 accept_count = strtonum(*args, 0, INT_MAX, &errstr);
403 if (errstr) {
404 BIO_printf(bio_err,
405 "Illegal accept count %s: %s\n",
406 *args, errstr);
407 badarg = 1;
408 }
409 } else
410 badarg = 1;
411 } else if (!strcmp(*args, "-ndays")) {
412 if (args[1]) {
413 args++;
414 ndays = strtonum(*args, 0, INT_MAX, &errstr);
415 if (errstr) {
416 BIO_printf(bio_err,
417 "Illegal update period %s: %s\n",
418 *args, errstr);
419 badarg = 1;
420 }
421 } else
422 badarg = 1;
423 } else if (!strcmp(*args, "-rsigner")) {
424 if (args[1]) {
425 args++;
426 rsignfile = *args;
427 } else
428 badarg = 1;
429 } else if (!strcmp(*args, "-rkey")) {
430 if (args[1]) {
431 args++;
432 rkeyfile = *args;
433 } else
434 badarg = 1;
435 } else if (!strcmp(*args, "-rother")) {
436 if (args[1]) {
437 args++;
438 rcertfile = *args;
439 } else
440 badarg = 1;
441 } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
442 badarg = 1;
443 }
444 args++;
445 }
446
447 /* Have we anything to do? */
448 if (!req && !reqin && !respin && !(port && ridx_filename))
449 badarg = 1;
450
451 if (badarg) {
452 BIO_printf(bio_err, "OCSP utility\n");
453 BIO_printf(bio_err, "Usage ocsp [options]\n");
454 BIO_printf(bio_err, "where options are\n");
455 BIO_printf(bio_err, "-out file output filename\n");
456 BIO_printf(bio_err, "-issuer file issuer certificate\n");
457 BIO_printf(bio_err, "-cert file certificate to check\n");
458 BIO_printf(bio_err, "-serial n serial number to check\n");
459 BIO_printf(bio_err, "-signer file certificate to sign OCSP request with\n");
460 BIO_printf(bio_err, "-signkey file private key to sign OCSP request with\n");
461 BIO_printf(bio_err, "-sign_other file additional certificates to include in signed request\n");
462 BIO_printf(bio_err, "-no_certs don't include any certificates in signed request\n");
463 BIO_printf(bio_err, "-req_text print text form of request\n");
464 BIO_printf(bio_err, "-resp_text print text form of response\n");
465 BIO_printf(bio_err, "-text print text form of request and response\n");
466 BIO_printf(bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
467 BIO_printf(bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
468 BIO_printf(bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
469 BIO_printf(bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
470 BIO_printf(bio_err, "-nonce add OCSP nonce to request\n");
471 BIO_printf(bio_err, "-no_nonce don't add OCSP nonce to request\n");
472 BIO_printf(bio_err, "-url URL OCSP responder URL\n");
473 BIO_printf(bio_err, "-host host:n send OCSP request to host on port n\n");
474 BIO_printf(bio_err, "-path path to use in OCSP request\n");
475 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
476 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
477 BIO_printf(bio_err, "-VAfile file validator certificates file\n");
478 BIO_printf(bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
479 BIO_printf(bio_err, "-status_age n maximum status age in seconds\n");
480 BIO_printf(bio_err, "-noverify don't verify response at all\n");
481 BIO_printf(bio_err, "-verify_other file additional certificates to search for signer\n");
482 BIO_printf(bio_err, "-trust_other don't verify additional certificates\n");
483 BIO_printf(bio_err, "-no_intern don't search certificates contained in response for signer\n");
484 BIO_printf(bio_err, "-no_signature_verify don't check signature on response\n");
485 BIO_printf(bio_err, "-no_cert_verify don't check signing certificate\n");
486 BIO_printf(bio_err, "-no_chain don't chain verify response\n");
487 BIO_printf(bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
488 BIO_printf(bio_err, "-port num port to run responder on\n");
489 BIO_printf(bio_err, "-index file certificate status index file\n");
490 BIO_printf(bio_err, "-CA file CA certificate\n");
491 BIO_printf(bio_err, "-rsigner file responder certificate to sign responses with\n");
492 BIO_printf(bio_err, "-rkey file responder key to sign responses with\n");
493 BIO_printf(bio_err, "-rother file other certificates to include in response\n");
494 BIO_printf(bio_err, "-resp_no_certs don't include any certificates in response\n");
495 BIO_printf(bio_err, "-nmin n number of minutes before next update\n");
496 BIO_printf(bio_err, "-ndays n number of days before next update\n");
497 BIO_printf(bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
498 BIO_printf(bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
499 BIO_printf(bio_err, "-<dgst alg> use specified digest in the request\n");
500 goto end;
501 }
502 if (outfile)
503 out = BIO_new_file(outfile, "w");
504 else
505 out = BIO_new_fp(stdout, BIO_NOCLOSE);
506
507 if (!out) {
508 BIO_printf(bio_err, "Error opening output file\n");
509 goto end;
510 }
511 if (!req && (add_nonce != 2))
512 add_nonce = 0;
513
514 if (!req && reqin) {
515 derbio = BIO_new_file(reqin, "rb");
516 if (!derbio) {
517 BIO_printf(bio_err, "Error Opening OCSP request file\n");
518 goto end;
519 }
520 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
521 BIO_free(derbio);
522 if (!req) {
523 BIO_printf(bio_err, "Error reading OCSP request\n");
524 goto end;
525 }
526 }
527 if (!req && port) {
528 acbio = init_responder(port);
529 if (!acbio)
530 goto end;
531 }
532 if (rsignfile && !rdb) {
533 if (!rkeyfile)
534 rkeyfile = rsignfile;
535 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
536 NULL, e, "responder certificate");
537 if (!rsigner) {
538 BIO_printf(bio_err, "Error loading responder certificate\n");
539 goto end;
540 }
541 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
542 NULL, e, "CA certificate");
543 if (rcertfile) {
544 rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
545 NULL, e, "responder other certificates");
546 if (!rother)
547 goto end;
548 }
549 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
550 "responder private key");
551 if (!rkey)
552 goto end;
553 }
554 if (acbio)
555 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
556
557redo_accept:
558
559 if (acbio) {
560 if (!do_responder(&req, &cbio, acbio, port))
561 goto end;
562 if (!req) {
563 resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
564 send_ocsp_response(cbio, resp);
565 goto done_resp;
566 }
567 }
568 if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) {
569 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
570 goto end;
571 }
572 if (req && add_nonce)
573 OCSP_request_add1_nonce(req, NULL, -1);
574
575 if (signfile) {
576 if (!keyfile)
577 keyfile = signfile;
578 signer = load_cert(bio_err, signfile, FORMAT_PEM,
579 NULL, e, "signer certificate");
580 if (!signer) {
581 BIO_printf(bio_err, "Error loading signer certificate\n");
582 goto end;
583 }
584 if (sign_certfile) {
585 sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
586 NULL, e, "signer certificates");
587 if (!sign_other)
588 goto end;
589 }
590 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
591 "signer private key");
592 if (!key)
593 goto end;
594
595 if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) {
596 BIO_printf(bio_err, "Error signing OCSP request\n");
597 goto end;
598 }
599 }
600 if (req_text && req)
601 OCSP_REQUEST_print(out, req, 0);
602
603 if (reqout) {
604 derbio = BIO_new_file(reqout, "wb");
605 if (!derbio) {
606 BIO_printf(bio_err, "Error opening file %s\n", reqout);
607 goto end;
608 }
609 i2d_OCSP_REQUEST_bio(derbio, req);
610 BIO_free(derbio);
611 }
612 if (ridx_filename && (!rkey || !rsigner || !rca_cert)) {
613 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
614 goto end;
615 }
616 if (ridx_filename && !rdb) {
617 rdb = load_index(ridx_filename, NULL);
618 if (!rdb)
619 goto end;
620 if (!index_index(rdb))
621 goto end;
622 }
623 if (rdb) {
624 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
625 if (cbio)
626 send_ocsp_response(cbio, resp);
627 } else if (host) {
628 resp = process_responder(bio_err, req, host, path,
629 port, use_ssl, headers, req_timeout);
630 if (!resp)
631 goto end;
632 } else if (respin) {
633 derbio = BIO_new_file(respin, "rb");
634 if (!derbio) {
635 BIO_printf(bio_err, "Error Opening OCSP response file\n");
636 goto end;
637 }
638 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
639 BIO_free(derbio);
640 if (!resp) {
641 BIO_printf(bio_err, "Error reading OCSP response\n");
642 goto end;
643 }
644 } else {
645 ret = 0;
646 goto end;
647 }
648
649done_resp:
650
651 if (respout) {
652 derbio = BIO_new_file(respout, "wb");
653 if (!derbio) {
654 BIO_printf(bio_err, "Error opening file %s\n", respout);
655 goto end;
656 }
657 i2d_OCSP_RESPONSE_bio(derbio, resp);
658 BIO_free(derbio);
659 }
660 i = OCSP_response_status(resp);
661
662 if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
663 BIO_printf(out, "Responder Error: %s (%d)\n",
664 OCSP_response_status_str(i), i);
665 if (ignore_err)
666 goto redo_accept;
667 ret = 0;
668 goto end;
669 }
670 if (resp_text)
671 OCSP_RESPONSE_print(out, resp, 0);
672
673 /* If running as responder don't verify our own response */
674 if (cbio) {
675 if (accept_count > 0)
676 accept_count--;
677 /* Redo if more connections needed */
678 if (accept_count) {
679 BIO_free_all(cbio);
680 cbio = NULL;
681 OCSP_REQUEST_free(req);
682 req = NULL;
683 OCSP_RESPONSE_free(resp);
684 resp = NULL;
685 goto redo_accept;
686 }
687 goto end;
688 }
689 if (!store)
690 store = setup_verify(bio_err, CAfile, CApath);
691 if (!store)
692 goto end;
693 if (verify_certfile) {
694 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
695 NULL, e, "validator certificate");
696 if (!verify_other)
697 goto end;
698 }
699 bs = OCSP_response_get1_basic(resp);
700
701 if (!bs) {
702 BIO_printf(bio_err, "Error parsing response\n");
703 goto end;
704 }
705 if (!noverify) {
706 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
707 if (i == -1)
708 BIO_printf(bio_err, "WARNING: no nonce in response\n");
709 else {
710 BIO_printf(bio_err, "Nonce Verify error\n");
711 goto end;
712 }
713 }
714 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
715 if (i < 0)
716 i = OCSP_basic_verify(bs, NULL, store, 0);
717
718 if (i <= 0) {
719 BIO_printf(bio_err, "Response Verify Failure\n");
720 ERR_print_errors(bio_err);
721 } else
722 BIO_printf(bio_err, "Response verify OK\n");
723
724 }
725 if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
726 goto end;
727
728 ret = 0;
729
730end:
731 ERR_print_errors(bio_err);
732 X509_free(signer);
733 X509_STORE_free(store);
734 EVP_PKEY_free(key);
735 EVP_PKEY_free(rkey);
736 X509_free(issuer);
737 X509_free(cert);
738 X509_free(rsigner);
739 X509_free(rca_cert);
740 free_index(rdb);
741 BIO_free_all(cbio);
742 BIO_free_all(acbio);
743 BIO_free(out);
744 OCSP_REQUEST_free(req);
745 OCSP_RESPONSE_free(resp);
746 OCSP_BASICRESP_free(bs);
747 sk_OPENSSL_STRING_free(reqnames);
748 sk_OCSP_CERTID_free(ids);
749 sk_X509_pop_free(sign_other, X509_free);
750 sk_X509_pop_free(verify_other, X509_free);
751 sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
752
753 if (use_ssl != -1) {
754 free(host);
755 free(port);
756 free(path);
757 }
758 return (ret);
759}
760
761static int
762add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 * issuer,
763 STACK_OF(OCSP_CERTID) * ids)
764{
765 OCSP_CERTID *id;
766 if (!issuer) {
767 BIO_printf(bio_err, "No issuer certificate specified\n");
768 return 0;
769 }
770 if (!*req)
771 *req = OCSP_REQUEST_new();
772 if (!*req)
773 goto err;
774 id = OCSP_cert_to_id(cert_id_md, cert, issuer);
775 if (!id || !sk_OCSP_CERTID_push(ids, id))
776 goto err;
777 if (!OCSP_request_add0_id(*req, id))
778 goto err;
779 return 1;
780
781err:
782 BIO_printf(bio_err, "Error Creating OCSP request\n");
783 return 0;
784}
785
786static int
787add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X509 * issuer,
788 STACK_OF(OCSP_CERTID) * ids)
789{
790 OCSP_CERTID *id;
791 X509_NAME *iname;
792 ASN1_BIT_STRING *ikey;
793 ASN1_INTEGER *sno;
794 if (!issuer) {
795 BIO_printf(bio_err, "No issuer certificate specified\n");
796 return 0;
797 }
798 if (!*req)
799 *req = OCSP_REQUEST_new();
800 if (!*req)
801 goto err;
802 iname = X509_get_subject_name(issuer);
803 ikey = X509_get0_pubkey_bitstr(issuer);
804 sno = s2i_ASN1_INTEGER(NULL, serial);
805 if (!sno) {
806 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
807 return 0;
808 }
809 id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
810 ASN1_INTEGER_free(sno);
811 if (!id || !sk_OCSP_CERTID_push(ids, id))
812 goto err;
813 if (!OCSP_request_add0_id(*req, id))
814 goto err;
815 return 1;
816
817err:
818 BIO_printf(bio_err, "Error Creating OCSP request\n");
819 return 0;
820}
821
822static int
823print_ocsp_summary(BIO * out, OCSP_BASICRESP * bs, OCSP_REQUEST * req,
824 STACK_OF(OPENSSL_STRING) * names,
825 STACK_OF(OCSP_CERTID) * ids, long nsec,
826 long maxage)
827{
828 OCSP_CERTID *id;
829 char *name;
830 int i;
831
832 int status, reason;
833
834 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
835
836 if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))
837 return 1;
838
839 for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
840 id = sk_OCSP_CERTID_value(ids, i);
841 name = sk_OPENSSL_STRING_value(names, i);
842 BIO_printf(out, "%s: ", name);
843
844 if (!OCSP_resp_find_status(bs, id, &status, &reason,
845 &rev, &thisupd, &nextupd)) {
846 BIO_puts(out, "ERROR: No Status found.\n");
847 continue;
848 }
849 /*
850 * Check validity: if invalid write to output BIO so we know
851 * which response this refers to.
852 */
853 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
854 BIO_puts(out, "WARNING: Status times invalid.\n");
855 ERR_print_errors(out);
856 }
857 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
858
859 BIO_puts(out, "\tThis Update: ");
860 ASN1_GENERALIZEDTIME_print(out, thisupd);
861 BIO_puts(out, "\n");
862
863 if (nextupd) {
864 BIO_puts(out, "\tNext Update: ");
865 ASN1_GENERALIZEDTIME_print(out, nextupd);
866 BIO_puts(out, "\n");
867 }
868 if (status != V_OCSP_CERTSTATUS_REVOKED)
869 continue;
870
871 if (reason != -1)
872 BIO_printf(out, "\tReason: %s\n",
873 OCSP_crl_reason_str(reason));
874
875 BIO_puts(out, "\tRevocation Time: ");
876 ASN1_GENERALIZEDTIME_print(out, rev);
877 BIO_puts(out, "\n");
878 }
879
880 return 1;
881}
882
883
884static int
885make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db,
886 X509 * ca, X509 * rcert, EVP_PKEY * rkey,
887 STACK_OF(X509) * rother, unsigned long flags,
888 int nmin, int ndays)
889{
890 ASN1_TIME *thisupd = NULL, *nextupd = NULL;
891 OCSP_CERTID *cid, *ca_id = NULL;
892 OCSP_BASICRESP *bs = NULL;
893 int i, id_count, ret = 1;
894
895 id_count = OCSP_request_onereq_count(req);
896
897 if (id_count <= 0) {
898 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
899 goto end;
900 }
901 bs = OCSP_BASICRESP_new();
902 thisupd = X509_gmtime_adj(NULL, 0);
903 if (ndays != -1)
904 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
905
906 /* Examine each certificate id in the request */
907 for (i = 0; i < id_count; i++) {
908 OCSP_ONEREQ *one;
909 ASN1_INTEGER *serial;
910 char **inf;
911 ASN1_OBJECT *cert_id_md_oid;
912 const EVP_MD *cert_id_md;
913 one = OCSP_request_onereq_get0(req, i);
914 cid = OCSP_onereq_get0_id(one);
915
916 OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
917
918 cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
919 if (!cert_id_md) {
920 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
921 NULL);
922 goto end;
923 }
924 if (ca_id)
925 OCSP_CERTID_free(ca_id);
926 ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
927
928 /* Is this request about our CA? */
929 if (OCSP_id_issuer_cmp(ca_id, cid)) {
930 OCSP_basic_add1_status(bs, cid,
931 V_OCSP_CERTSTATUS_UNKNOWN,
932 0, NULL,
933 thisupd, nextupd);
934 continue;
935 }
936 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
937 inf = lookup_serial(db, serial);
938 if (!inf)
939 OCSP_basic_add1_status(bs, cid,
940 V_OCSP_CERTSTATUS_UNKNOWN,
941 0, NULL,
942 thisupd, nextupd);
943 else if (inf[DB_type][0] == DB_TYPE_VAL)
944 OCSP_basic_add1_status(bs, cid,
945 V_OCSP_CERTSTATUS_GOOD,
946 0, NULL,
947 thisupd, nextupd);
948 else if (inf[DB_type][0] == DB_TYPE_REV) {
949 ASN1_OBJECT *inst = NULL;
950 ASN1_TIME *revtm = NULL;
951 ASN1_GENERALIZEDTIME *invtm = NULL;
952 OCSP_SINGLERESP *single;
953 int reason = -1;
954 unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
955 single = OCSP_basic_add1_status(bs, cid,
956 V_OCSP_CERTSTATUS_REVOKED,
957 reason, revtm,
958 thisupd, nextupd);
959 if (invtm)
960 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
961 else if (inst)
962 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
963 ASN1_OBJECT_free(inst);
964 ASN1_TIME_free(revtm);
965 ASN1_GENERALIZEDTIME_free(invtm);
966 }
967 }
968
969 OCSP_copy_nonce(bs, req);
970
971 OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
972
973 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
974
975end:
976 ASN1_TIME_free(thisupd);
977 ASN1_TIME_free(nextupd);
978 OCSP_CERTID_free(ca_id);
979 OCSP_BASICRESP_free(bs);
980 return ret;
981
982}
983
984static char **
985lookup_serial(CA_DB * db, ASN1_INTEGER * ser)
986{
987 int i;
988 BIGNUM *bn = NULL;
989 char *itmp, *row[DB_NUMBER], **rrow;
990 for (i = 0; i < DB_NUMBER; i++)
991 row[i] = NULL;
992 bn = ASN1_INTEGER_to_BN(ser, NULL);
993 OPENSSL_assert(bn); /* FIXME: should report an error at this
994 * point and abort */
995 if (BN_is_zero(bn))
996 itmp = strdup("00");
997 else
998 itmp = BN_bn2hex(bn);
999 row[DB_serial] = itmp;
1000 BN_free(bn);
1001 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1002 free(itmp);
1003 return rrow;
1004}
1005
1006/* Quick and dirty OCSP server: read in and parse input request */
1007
1008static BIO *
1009init_responder(char *port)
1010{
1011 BIO *acbio = NULL, *bufbio = NULL;
1012 bufbio = BIO_new(BIO_f_buffer());
1013 if (!bufbio)
1014 goto err;
1015 acbio = BIO_new_accept(port);
1016 if (!acbio)
1017 goto err;
1018 BIO_set_accept_bios(acbio, bufbio);
1019 bufbio = NULL;
1020
1021 if (BIO_do_accept(acbio) <= 0) {
1022 BIO_printf(bio_err, "Error setting up accept BIO\n");
1023 ERR_print_errors(bio_err);
1024 goto err;
1025 }
1026 return acbio;
1027
1028err:
1029 BIO_free_all(acbio);
1030 BIO_free(bufbio);
1031 return NULL;
1032}
1033
1034static int
1035do_responder(OCSP_REQUEST ** preq, BIO ** pcbio, BIO * acbio, char *port)
1036{
1037 int have_post = 0, len;
1038 OCSP_REQUEST *req = NULL;
1039 char inbuf[1024];
1040 BIO *cbio = NULL;
1041
1042 if (BIO_do_accept(acbio) <= 0) {
1043 BIO_printf(bio_err, "Error accepting connection\n");
1044 ERR_print_errors(bio_err);
1045 return 0;
1046 }
1047 cbio = BIO_pop(acbio);
1048 *pcbio = cbio;
1049
1050 for (;;) {
1051 len = BIO_gets(cbio, inbuf, sizeof inbuf);
1052 if (len <= 0)
1053 return 1;
1054 /* Look for "POST" signalling start of query */
1055 if (!have_post) {
1056 if (strncmp(inbuf, "POST", 4)) {
1057 BIO_printf(bio_err, "Invalid request\n");
1058 return 1;
1059 }
1060 have_post = 1;
1061 }
1062 /* Look for end of headers */
1063 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1064 break;
1065 }
1066
1067 /* Try to read OCSP request */
1068
1069 req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1070
1071 if (!req) {
1072 BIO_printf(bio_err, "Error parsing OCSP request\n");
1073 ERR_print_errors(bio_err);
1074 }
1075 *preq = req;
1076
1077 return 1;
1078
1079}
1080
1081static int
1082send_ocsp_response(BIO * cbio, OCSP_RESPONSE * resp)
1083{
1084 static const char http_resp[] =
1085 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1086 "Content-Length: %d\r\n\r\n";
1087 if (!cbio)
1088 return 0;
1089 BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1090 i2d_OCSP_RESPONSE_bio(cbio, resp);
1091 (void) BIO_flush(cbio);
1092 return 1;
1093}
1094
1095static OCSP_RESPONSE *
1096query_responder(BIO * err, BIO * cbio, char *path,
1097 STACK_OF(CONF_VALUE) * headers,
1098 OCSP_REQUEST * req, int req_timeout)
1099{
1100 int fd;
1101 int rv;
1102 int i;
1103 OCSP_REQ_CTX *ctx = NULL;
1104 OCSP_RESPONSE *rsp = NULL;
1105 fd_set confds;
1106 struct timeval tv;
1107
1108 if (req_timeout != -1)
1109 BIO_set_nbio(cbio, 1);
1110
1111 rv = BIO_do_connect(cbio);
1112
1113 if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
1114 BIO_puts(err, "Error connecting BIO\n");
1115 return NULL;
1116 }
1117 if (BIO_get_fd(cbio, &fd) <= 0) {
1118 BIO_puts(err, "Can't get connection fd\n");
1119 goto err;
1120 }
1121 if (req_timeout != -1 && rv <= 0) {
1122 FD_ZERO(&confds);
1123 FD_SET(fd, &confds);
1124 tv.tv_usec = 0;
1125 tv.tv_sec = req_timeout;
1126 rv = select(fd + 1, NULL, &confds, NULL, &tv);
1127 if (rv == 0) {
1128 BIO_puts(err, "Timeout on connect\n");
1129 return NULL;
1130 }
1131 }
1132 ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
1133 if (!ctx)
1134 return NULL;
1135
1136 for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
1137 CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
1138 if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
1139 goto err;
1140 }
1141
1142 if (!OCSP_REQ_CTX_set1_req(ctx, req))
1143 goto err;
1144
1145 for (;;) {
1146 rv = OCSP_sendreq_nbio(&rsp, ctx);
1147 if (rv != -1)
1148 break;
1149 if (req_timeout == -1)
1150 continue;
1151 FD_ZERO(&confds);
1152 FD_SET(fd, &confds);
1153 tv.tv_usec = 0;
1154 tv.tv_sec = req_timeout;
1155 if (BIO_should_read(cbio))
1156 rv = select(fd + 1, &confds, NULL, NULL, &tv);
1157 else if (BIO_should_write(cbio))
1158 rv = select(fd + 1, NULL, &confds, NULL, &tv);
1159 else {
1160 BIO_puts(err, "Unexpected retry condition\n");
1161 goto err;
1162 }
1163 if (rv == 0) {
1164 BIO_puts(err, "Timeout on request\n");
1165 break;
1166 }
1167 if (rv == -1) {
1168 BIO_puts(err, "Select error\n");
1169 break;
1170 }
1171 }
1172err:
1173 if (ctx)
1174 OCSP_REQ_CTX_free(ctx);
1175
1176 return rsp;
1177}
1178
1179OCSP_RESPONSE *
1180process_responder(BIO * err, OCSP_REQUEST * req,
1181 char *host, char *path, char *port, int use_ssl,
1182 STACK_OF(CONF_VALUE) * headers,
1183 int req_timeout)
1184{
1185 BIO *cbio = NULL;
1186 SSL_CTX *ctx = NULL;
1187 OCSP_RESPONSE *resp = NULL;
1188 cbio = BIO_new_connect(host);
1189 if (!cbio) {
1190 BIO_printf(err, "Error creating connect BIO\n");
1191 goto end;
1192 }
1193 if (port)
1194 BIO_set_conn_port(cbio, port);
1195 if (use_ssl == 1) {
1196 BIO *sbio;
1197 ctx = SSL_CTX_new(SSLv23_client_method());
1198 if (ctx == NULL) {
1199 BIO_printf(err, "Error creating SSL context.\n");
1200 goto end;
1201 }
1202 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1203 sbio = BIO_new_ssl(ctx, 1);
1204 cbio = BIO_push(sbio, cbio);
1205 }
1206 resp = query_responder(err, cbio, path, headers, req, req_timeout);
1207 if (!resp)
1208 BIO_printf(bio_err, "Error querying OCSP responder\n");
1209end:
1210 if (cbio)
1211 BIO_free_all(cbio);
1212 if (ctx)
1213 SSL_CTX_free(ctx);
1214 return resp;
1215}
1216
1217#endif
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
deleted file mode 100644
index 3852f937f6..0000000000
--- a/src/lib/libssl/src/apps/openssl.c
+++ /dev/null
@@ -1,639 +0,0 @@
1/* $OpenBSD: openssl.c,v 1.43 2014/07/18 18:01:26 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <err.h>
113#include <signal.h>
114#include <stdio.h>
115#include <string.h>
116#include <stdlib.h>
117
118#include "apps.h"
119
120#include <openssl/bio.h>
121#include <openssl/conf.h>
122#include <openssl/crypto.h>
123#include <openssl/err.h>
124#include <openssl/lhash.h>
125#include <openssl/pem.h>
126#include <openssl/rand.h>
127#include <openssl/ssl.h>
128#include <openssl/x509.h>
129
130#ifndef OPENSSL_NO_ENGINE
131#include <openssl/engine.h>
132#endif
133
134#include "progs.h"
135#include "s_apps.h"
136
137static void openssl_startup(void);
138static void openssl_shutdown(void);
139
140/* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
141 * base prototypes (we cast each variable inside the function to the required
142 * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper
143 * functions. */
144
145static LHASH_OF(FUNCTION) *prog_init(void);
146static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]);
147static void list_pkey(BIO * out);
148static void list_cipher(BIO * out);
149static void list_md(BIO * out);
150char *default_config_file = NULL;
151
152CONF *config = NULL;
153BIO *bio_err = NULL;
154
155static void
156lock_dbg_cb(int mode, int type, const char *file, int line)
157{
158 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
159 const char *errstr = NULL;
160 int rw;
161
162 rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
163 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) {
164 errstr = "invalid mode";
165 goto err;
166 }
167 if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
168 errstr = "type out of bounds";
169 goto err;
170 }
171 if (mode & CRYPTO_LOCK) {
172 if (modes[type]) {
173 errstr = "already locked";
174 /*
175 * must not happen in a single-threaded program
176 * (would deadlock)
177 */
178 goto err;
179 }
180 modes[type] = rw;
181 } else if (mode & CRYPTO_UNLOCK) {
182 if (!modes[type]) {
183 errstr = "not locked";
184 goto err;
185 }
186 if (modes[type] != rw) {
187 errstr = (rw == CRYPTO_READ) ?
188 "CRYPTO_r_unlock on write lock" :
189 "CRYPTO_w_unlock on read lock";
190 }
191 modes[type] = 0;
192 } else {
193 errstr = "invalid mode";
194 goto err;
195 }
196
197err:
198 if (errstr) {
199 /* we cannot use bio_err here */
200 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
201 errstr, mode, type, file, line);
202 }
203}
204
205static void
206openssl_startup(void)
207{
208 signal(SIGPIPE, SIG_IGN);
209
210 CRYPTO_malloc_init();
211 OpenSSL_add_all_algorithms();
212 SSL_library_init();
213 SSL_load_error_strings();
214
215#ifndef OPENSSL_NO_ENGINE
216 ENGINE_load_builtin_engines();
217#endif
218
219 setup_ui_method();
220}
221
222static void
223openssl_shutdown(void)
224{
225 CONF_modules_unload(1);
226 destroy_ui_method();
227 OBJ_cleanup();
228 EVP_cleanup();
229
230#ifndef OPENSSL_NO_ENGINE
231 ENGINE_cleanup();
232#endif
233
234 CRYPTO_cleanup_all_ex_data();
235 ERR_remove_thread_state(NULL);
236 RAND_cleanup();
237 ERR_free_strings();
238}
239
240int
241main(int argc, char **argv)
242{
243 ARGS arg;
244#define PROG_NAME_SIZE 39
245 char pname[PROG_NAME_SIZE + 1];
246 FUNCTION f, *fp;
247 const char *prompt;
248 char buf[1024];
249 char *to_free = NULL;
250 int n, i, ret = 0;
251 char *p;
252 LHASH_OF(FUNCTION) * prog = NULL;
253 long errline;
254
255 arg.data = NULL;
256 arg.count = 0;
257
258 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
259 if (bio_err == NULL) {
260 fprintf(stderr, "openssl: failed to initialise bio_err\n");
261 exit(1);
262 }
263
264 CRYPTO_set_locking_callback(lock_dbg_cb);
265
266 openssl_startup();
267
268 /* Lets load up our environment a little */
269 p = getenv("OPENSSL_CONF");
270 if (p == NULL)
271 p = getenv("SSLEAY_CONF");
272 if (p == NULL) {
273 p = to_free = make_config_name();
274 if (p == NULL) {
275 BIO_printf(bio_err, "error making config file name\n");
276 goto end;
277 }
278 }
279
280 default_config_file = p;
281
282 config = NCONF_new(NULL);
283 i = NCONF_load(config, p, &errline);
284 if (i == 0) {
285 if (ERR_GET_REASON(ERR_peek_last_error()) ==
286 CONF_R_NO_SUCH_FILE) {
287 BIO_printf(bio_err,
288 "WARNING: can't open config file: %s\n", p);
289 ERR_clear_error();
290 NCONF_free(config);
291 config = NULL;
292 } else {
293 ERR_print_errors(bio_err);
294 NCONF_free(config);
295 exit(1);
296 }
297 }
298
299 if (!load_config(bio_err, NULL)) {
300 BIO_printf(bio_err, "failed to load configuration\n");
301 goto end;
302 }
303
304 prog = prog_init();
305
306 /* first check the program name */
307 program_name(argv[0], pname, sizeof pname);
308
309 f.name = pname;
310 fp = lh_FUNCTION_retrieve(prog, &f);
311 if (fp != NULL) {
312 argv[0] = pname;
313 ret = fp->func(argc, argv);
314 goto end;
315 }
316 /*
317 * ok, now check that there are not arguments, if there are, run with
318 * them, shifting the ssleay off the front
319 */
320 if (argc != 1) {
321 argc--;
322 argv++;
323 ret = do_cmd(prog, argc, argv);
324 if (ret < 0)
325 ret = 0;
326 goto end;
327 }
328 /* ok, lets enter the old 'OpenSSL>' mode */
329
330 for (;;) {
331 ret = 0;
332 p = buf;
333 n = sizeof buf;
334 i = 0;
335 for (;;) {
336 p[0] = '\0';
337 if (i++)
338 prompt = ">";
339 else
340 prompt = "OpenSSL> ";
341 fputs(prompt, stdout);
342 fflush(stdout);
343 if (!fgets(p, n, stdin))
344 goto end;
345 if (p[0] == '\0')
346 goto end;
347 i = strlen(p);
348 if (i <= 1)
349 break;
350 if (p[i - 2] != '\\')
351 break;
352 i -= 2;
353 p += i;
354 n -= i;
355 }
356 if (!chopup_args(&arg, buf, &argc, &argv))
357 break;
358
359 ret = do_cmd(prog, argc, argv);
360 if (ret < 0) {
361 ret = 0;
362 goto end;
363 }
364 if (ret != 0)
365 BIO_printf(bio_err, "error in %s\n", argv[0]);
366 (void) BIO_flush(bio_err);
367 }
368 BIO_printf(bio_err, "bad exit\n");
369 ret = 1;
370
371end:
372 free(to_free);
373
374 if (config != NULL) {
375 NCONF_free(config);
376 config = NULL;
377 }
378 if (prog != NULL)
379 lh_FUNCTION_free(prog);
380 free(arg.data);
381
382 openssl_shutdown();
383
384 if (bio_err != NULL) {
385 BIO_free(bio_err);
386 bio_err = NULL;
387 }
388 return (ret);
389}
390
391#define LIST_STANDARD_COMMANDS "list-standard-commands"
392#define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands"
393#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms"
394#define LIST_CIPHER_COMMANDS "list-cipher-commands"
395#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms"
396#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms"
397
398
399static int
400do_cmd(LHASH_OF(FUNCTION) * prog, int argc, char *argv[])
401{
402 FUNCTION f, *fp;
403 int i, ret = 1, tp, nl;
404
405 if ((argc <= 0) || (argv[0] == NULL)) {
406 ret = 0;
407 goto end;
408 }
409 f.name = argv[0];
410 fp = lh_FUNCTION_retrieve(prog, &f);
411 if (fp == NULL) {
412 if (EVP_get_digestbyname(argv[0])) {
413 f.type = FUNC_TYPE_MD;
414 f.func = dgst_main;
415 fp = &f;
416 } else if (EVP_get_cipherbyname(argv[0])) {
417 f.type = FUNC_TYPE_CIPHER;
418 f.func = enc_main;
419 fp = &f;
420 }
421 }
422 if (fp != NULL) {
423 ret = fp->func(argc, argv);
424 } else if ((strncmp(argv[0], "no-", 3)) == 0) {
425 BIO *bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
426 f.name = argv[0] + 3;
427 ret = (lh_FUNCTION_retrieve(prog, &f) != NULL);
428 if (!ret)
429 BIO_printf(bio_stdout, "%s\n", argv[0]);
430 else
431 BIO_printf(bio_stdout, "%s\n", argv[0] + 3);
432 BIO_free_all(bio_stdout);
433 goto end;
434 } else if ((strcmp(argv[0], "quit") == 0) ||
435 (strcmp(argv[0], "q") == 0) ||
436 (strcmp(argv[0], "exit") == 0) ||
437 (strcmp(argv[0], "bye") == 0)) {
438 ret = -1;
439 goto end;
440 } else if ((strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) ||
441 (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) ||
442 (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) ||
443 (strcmp(argv[0], LIST_CIPHER_COMMANDS) == 0) ||
444 (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) ||
445 (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0)) {
446 int list_type;
447 BIO *bio_stdout;
448
449 if (strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0)
450 list_type = FUNC_TYPE_GENERAL;
451 else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0)
452 list_type = FUNC_TYPE_MD;
453 else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0)
454 list_type = FUNC_TYPE_MD_ALG;
455 else if (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0)
456 list_type = FUNC_TYPE_PKEY;
457 else if (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0)
458 list_type = FUNC_TYPE_CIPHER_ALG;
459 else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
460 list_type = FUNC_TYPE_CIPHER;
461 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
462
463 if (list_type == FUNC_TYPE_PKEY)
464 list_pkey(bio_stdout);
465 if (list_type == FUNC_TYPE_MD_ALG)
466 list_md(bio_stdout);
467 if (list_type == FUNC_TYPE_CIPHER_ALG)
468 list_cipher(bio_stdout);
469 else {
470 for (fp = functions; fp->name != NULL; fp++)
471 if (fp->type == list_type)
472 BIO_printf(bio_stdout, "%s\n",
473 fp->name);
474 }
475 BIO_free_all(bio_stdout);
476 ret = 0;
477 goto end;
478 } else {
479 BIO_printf(bio_err,
480 "openssl:Error: '%s' is an invalid command.\n",
481 argv[0]);
482 BIO_printf(bio_err, "\nStandard commands");
483 i = 0;
484 tp = 0;
485 for (fp = functions; fp->name != NULL; fp++) {
486 nl = 0;
487#ifdef OPENSSL_NO_CAMELLIA
488 if (((i++) % 5) == 0)
489#else
490 if (((i++) % 4) == 0)
491#endif
492 {
493 BIO_printf(bio_err, "\n");
494 nl = 1;
495 }
496 if (fp->type != tp) {
497 tp = fp->type;
498 if (!nl)
499 BIO_printf(bio_err, "\n");
500 if (tp == FUNC_TYPE_MD) {
501 i = 1;
502 BIO_printf(bio_err,
503 "\nMessage Digest commands (see the `dgst' command for more details)\n");
504 } else if (tp == FUNC_TYPE_CIPHER) {
505 i = 1;
506 BIO_printf(bio_err, "\nCipher commands (see the `enc' command for more details)\n");
507 }
508 }
509#ifdef OPENSSL_NO_CAMELLIA
510 BIO_printf(bio_err, "%-15s", fp->name);
511#else
512 BIO_printf(bio_err, "%-18s", fp->name);
513#endif
514 }
515 BIO_printf(bio_err, "\n\n");
516 ret = 0;
517 }
518end:
519 return (ret);
520}
521
522static int
523SortFnByName(const void *_f1, const void *_f2)
524{
525 const FUNCTION *f1 = _f1;
526 const FUNCTION *f2 = _f2;
527
528 if (f1->type != f2->type)
529 return f1->type - f2->type;
530 return strcmp(f1->name, f2->name);
531}
532
533static void
534list_pkey(BIO * out)
535{
536 int i;
537
538 for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
539 const EVP_PKEY_ASN1_METHOD *ameth;
540 int pkey_id, pkey_base_id, pkey_flags;
541 const char *pinfo, *pem_str;
542 ameth = EVP_PKEY_asn1_get0(i);
543 EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags,
544 &pinfo, &pem_str, ameth);
545 if (pkey_flags & ASN1_PKEY_ALIAS) {
546 BIO_printf(out, "Name: %s\n",
547 OBJ_nid2ln(pkey_id));
548 BIO_printf(out, "\tType: Alias to %s\n",
549 OBJ_nid2ln(pkey_base_id));
550 } else {
551 BIO_printf(out, "Name: %s\n", pinfo);
552 BIO_printf(out, "\tType: %s Algorithm\n",
553 pkey_flags & ASN1_PKEY_DYNAMIC ?
554 "External" : "Builtin");
555 BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id));
556 if (pem_str == NULL)
557 pem_str = "(none)";
558 BIO_printf(out, "\tPEM string: %s\n", pem_str);
559 }
560
561 }
562}
563
564static void
565list_cipher_fn(const EVP_CIPHER * c, const char *from, const char *to,
566 void *arg)
567{
568 if (c)
569 BIO_printf(arg, "%s\n", EVP_CIPHER_name(c));
570 else {
571 if (!from)
572 from = "<undefined>";
573 if (!to)
574 to = "<undefined>";
575 BIO_printf(arg, "%s => %s\n", from, to);
576 }
577}
578
579static void
580list_cipher(BIO * out)
581{
582 EVP_CIPHER_do_all_sorted(list_cipher_fn, out);
583}
584
585static void
586list_md_fn(const EVP_MD * m, const char *from, const char *to, void *arg)
587{
588 if (m)
589 BIO_printf(arg, "%s\n", EVP_MD_name(m));
590 else {
591 if (!from)
592 from = "<undefined>";
593 if (!to)
594 to = "<undefined>";
595 BIO_printf(arg, "%s => %s\n", from, to);
596 }
597}
598
599static void
600list_md(BIO * out)
601{
602 EVP_MD_do_all_sorted(list_md_fn, out);
603}
604
605static int
606function_cmp(const FUNCTION * a, const FUNCTION * b)
607{
608 return strncmp(a->name, b->name, 8);
609}
610
611static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION)
612
613static unsigned long
614function_hash(const FUNCTION * a)
615{
616 return lh_strhash(a->name);
617}
618
619static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION)
620
621static LHASH_OF(FUNCTION) *
622prog_init(void)
623{
624 LHASH_OF(FUNCTION) * ret;
625 FUNCTION *f;
626 size_t i;
627
628 /* Purely so it looks nice when the user hits ? */
629 for (i = 0, f = functions; f->name != NULL; ++f, ++i)
630 ;
631 qsort(functions, i, sizeof *functions, SortFnByName);
632
633 if ((ret = lh_FUNCTION_new()) == NULL)
634 return (NULL);
635
636 for (f = functions; f->name != NULL; f++)
637 (void) lh_FUNCTION_insert(ret, f);
638 return (ret);
639}
diff --git a/src/lib/libssl/src/apps/passwd.c b/src/lib/libssl/src/apps/passwd.c
deleted file mode 100644
index 6a16a475a9..0000000000
--- a/src/lib/libssl/src/apps/passwd.c
+++ /dev/null
@@ -1,457 +0,0 @@
1/* $OpenBSD: passwd.c,v 1.24 2014/07/25 06:05:32 doug Exp $ */
2
3#if defined OPENSSL_NO_MD5
4#define NO_MD5CRYPT_1
5#endif
6
7#if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
8
9#include <assert.h>
10#include <string.h>
11
12#include "apps.h"
13
14#include <openssl/bio.h>
15#include <openssl/err.h>
16#include <openssl/evp.h>
17#include <openssl/rand.h>
18
19#ifndef OPENSSL_NO_DES
20#include <openssl/des.h>
21#endif
22
23#ifndef NO_MD5CRYPT_1
24#include <openssl/md5.h>
25#endif
26
27static unsigned const char cov_2char[64] = {
28 /* from crypto/des/fcrypt.c */
29 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
30 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44,
31 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
32 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
33 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62,
34 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A,
35 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72,
36 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A
37};
38
39static int
40do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
41 char *passwd, BIO * out, int quiet, int table, int reverse,
42 size_t pw_maxlen, int usecrypt, int use1, int useapr1);
43
44/* -crypt - standard Unix password algorithm (default)
45 * -1 - MD5-based password algorithm
46 * -apr1 - MD5-based password algorithm, Apache variant
47 * -salt string - salt
48 * -in file - read passwords from file
49 * -stdin - read passwords from stdin
50 * -noverify - never verify when reading password from terminal
51 * -quiet - no warnings
52 * -table - format output as table
53 * -reverse - switch table columns
54 */
55
56int passwd_main(int, char **);
57
58int
59passwd_main(int argc, char **argv)
60{
61 int ret = 1;
62 char *infile = NULL;
63 int in_stdin = 0;
64 int in_noverify = 0;
65 char *salt = NULL, *passwd = NULL, **passwds = NULL;
66 char *salt_malloc = NULL, *passwd_malloc = NULL;
67 size_t passwd_malloc_size = 0;
68 int pw_source_defined = 0;
69 BIO *in = NULL, *out = NULL;
70 int i, badopt, opt_done;
71 int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
72 int usecrypt = 0, use1 = 0, useapr1 = 0;
73 size_t pw_maxlen = 0;
74
75 out = BIO_new(BIO_s_file());
76 if (out == NULL)
77 goto err;
78 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
79
80 badopt = 0, opt_done = 0;
81 i = 0;
82 while (!badopt && !opt_done && argv[++i] != NULL) {
83 if (strcmp(argv[i], "-crypt") == 0)
84 usecrypt = 1;
85 else if (strcmp(argv[i], "-1") == 0)
86 use1 = 1;
87 else if (strcmp(argv[i], "-apr1") == 0)
88 useapr1 = 1;
89 else if (strcmp(argv[i], "-salt") == 0) {
90 if ((argv[i + 1] != NULL) && (salt == NULL)) {
91 passed_salt = 1;
92 salt = argv[++i];
93 } else
94 badopt = 1;
95 } else if (strcmp(argv[i], "-in") == 0) {
96 if ((argv[i + 1] != NULL) && !pw_source_defined) {
97 pw_source_defined = 1;
98 infile = argv[++i];
99 } else
100 badopt = 1;
101 } else if (strcmp(argv[i], "-stdin") == 0) {
102 if (!pw_source_defined) {
103 pw_source_defined = 1;
104 in_stdin = 1;
105 } else
106 badopt = 1;
107 } else if (strcmp(argv[i], "-noverify") == 0)
108 in_noverify = 1;
109 else if (strcmp(argv[i], "-quiet") == 0)
110 quiet = 1;
111 else if (strcmp(argv[i], "-table") == 0)
112 table = 1;
113 else if (strcmp(argv[i], "-reverse") == 0)
114 reverse = 1;
115 else if (argv[i][0] == '-')
116 badopt = 1;
117 else if (!pw_source_defined)
118 /* non-option arguments, use as passwords */
119 {
120 pw_source_defined = 1;
121 passwds = &argv[i];
122 opt_done = 1;
123 } else
124 badopt = 1;
125 }
126
127 if (!usecrypt && !use1 && !useapr1) /* use default */
128 usecrypt = 1;
129 if (usecrypt + use1 + useapr1 > 1) /* conflict */
130 badopt = 1;
131
132 /* reject unsupported algorithms */
133#ifdef OPENSSL_NO_DES
134 if (usecrypt)
135 badopt = 1;
136#endif
137#ifdef NO_MD5CRYPT_1
138 if (use1 || useapr1)
139 badopt = 1;
140#endif
141
142 if (badopt) {
143 BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
144 BIO_printf(bio_err, "where options are\n");
145#ifndef OPENSSL_NO_DES
146 BIO_printf(bio_err, "-crypt standard Unix password algorithm (default)\n");
147#endif
148#ifndef NO_MD5CRYPT_1
149 BIO_printf(bio_err, "-1 MD5-based password algorithm\n");
150 BIO_printf(bio_err, "-apr1 MD5-based password algorithm, Apache variant\n");
151#endif
152 BIO_printf(bio_err, "-salt string use provided salt\n");
153 BIO_printf(bio_err, "-in file read passwords from file\n");
154 BIO_printf(bio_err, "-stdin read passwords from stdin\n");
155 BIO_printf(bio_err, "-noverify never verify when reading password from terminal\n");
156 BIO_printf(bio_err, "-quiet no warnings\n");
157 BIO_printf(bio_err, "-table format output as table\n");
158 BIO_printf(bio_err, "-reverse switch table columns\n");
159
160 goto err;
161 }
162 if ((infile != NULL) || in_stdin) {
163 in = BIO_new(BIO_s_file());
164 if (in == NULL)
165 goto err;
166 if (infile != NULL) {
167 assert(in_stdin == 0);
168 if (BIO_read_filename(in, infile) <= 0)
169 goto err;
170 } else {
171 assert(in_stdin);
172 BIO_set_fp(in, stdin, BIO_NOCLOSE);
173 }
174 }
175 if (usecrypt)
176 pw_maxlen = 8;
177 else if (use1 || useapr1)
178 pw_maxlen = 256;/* arbitrary limit, should be enough for most
179 * passwords */
180
181 if (passwds == NULL) {
182 /* no passwords on the command line */
183
184 passwd_malloc_size = pw_maxlen + 2;
185 /* longer than necessary so that we can warn about truncation */
186 passwd = passwd_malloc = malloc(passwd_malloc_size);
187 if (passwd_malloc == NULL)
188 goto err;
189 }
190 if ((in == NULL) && (passwds == NULL)) {
191 /* build a null-terminated list */
192 static char *passwds_static[2] = {NULL, NULL};
193
194 passwds = passwds_static;
195 if (in == NULL)
196 if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", !(passed_salt || in_noverify)) != 0)
197 goto err;
198 passwds[0] = passwd_malloc;
199 }
200 if (in == NULL) {
201 assert(passwds != NULL);
202 assert(*passwds != NULL);
203
204 do { /* loop over list of passwords */
205 passwd = *passwds++;
206 if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
207 quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
208 goto err;
209 }
210 while (*passwds != NULL);
211 } else
212 /* in != NULL */
213 {
214 int done;
215
216 assert(passwd != NULL);
217 do {
218 int r = BIO_gets(in, passwd, pw_maxlen + 1);
219 if (r > 0) {
220 char *c = (strchr(passwd, '\n'));
221 if (c != NULL)
222 *c = 0; /* truncate at newline */
223 else {
224 /* ignore rest of line */
225 char trash[BUFSIZ];
226 do
227 r = BIO_gets(in, trash, sizeof trash);
228 while ((r > 0) && (!strchr(trash, '\n')));
229 }
230
231 if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
232 quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
233 goto err;
234 }
235 done = (r <= 0);
236 }
237 while (!done);
238 }
239 ret = 0;
240
241err:
242 ERR_print_errors(bio_err);
243 free(salt_malloc);
244 free(passwd_malloc);
245 BIO_free(in);
246 if (out)
247 BIO_free_all(out);
248
249 return (ret);
250}
251
252
253#ifndef NO_MD5CRYPT_1
254/* MD5-based password algorithm (should probably be available as a library
255 * function; then the static buffer would not be acceptable).
256 * For magic string "1", this should be compatible to the MD5-based BSD
257 * password algorithm.
258 * For 'magic' string "apr1", this is compatible to the MD5-based Apache
259 * password algorithm.
260 * (Apparently, the Apache password algorithm is identical except that the
261 * 'magic' string was changed -- the laziest application of the NIH principle
262 * I've ever encountered.)
263 */
264static char *
265md5crypt(const char *passwd, const char *magic, const char *salt)
266{
267 static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5h
268 * ash..........\0" */
269 unsigned char buf[MD5_DIGEST_LENGTH];
270 char *salt_out;
271 int n;
272 unsigned int i;
273 EVP_MD_CTX md, md2;
274 size_t passwd_len, salt_len;
275
276 passwd_len = strlen(passwd);
277 out_buf[0] = '$';
278 out_buf[1] = 0;
279 assert(strlen(magic) <= 4); /* "1" or "apr1" */
280 strlcat(out_buf, magic, sizeof(out_buf));
281 strlcat(out_buf, "$", sizeof(out_buf));
282 strlcat(out_buf, salt, sizeof(out_buf));
283 assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
284 salt_out = out_buf + 2 + strlen(magic);
285 salt_len = strlen(salt_out);
286 assert(salt_len <= 8);
287
288 EVP_MD_CTX_init(&md);
289 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
290 EVP_DigestUpdate(&md, passwd, passwd_len);
291 EVP_DigestUpdate(&md, "$", 1);
292 EVP_DigestUpdate(&md, magic, strlen(magic));
293 EVP_DigestUpdate(&md, "$", 1);
294 EVP_DigestUpdate(&md, salt_out, salt_len);
295
296 EVP_MD_CTX_init(&md2);
297 EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
298 EVP_DigestUpdate(&md2, passwd, passwd_len);
299 EVP_DigestUpdate(&md2, salt_out, salt_len);
300 EVP_DigestUpdate(&md2, passwd, passwd_len);
301 EVP_DigestFinal_ex(&md2, buf, NULL);
302
303 for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
304 EVP_DigestUpdate(&md, buf, sizeof buf);
305 EVP_DigestUpdate(&md, buf, i);
306
307 n = passwd_len;
308 while (n) {
309 EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1);
310 n >>= 1;
311 }
312 EVP_DigestFinal_ex(&md, buf, NULL);
313
314 for (i = 0; i < 1000; i++) {
315 EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
316 EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *) passwd : buf,
317 (i & 1) ? passwd_len : sizeof buf);
318 if (i % 3)
319 EVP_DigestUpdate(&md2, salt_out, salt_len);
320 if (i % 7)
321 EVP_DigestUpdate(&md2, passwd, passwd_len);
322 EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *) passwd,
323 (i & 1) ? sizeof buf : passwd_len);
324 EVP_DigestFinal_ex(&md2, buf, NULL);
325 }
326 EVP_MD_CTX_cleanup(&md2);
327
328 {
329 /* transform buf into output string */
330
331 unsigned char buf_perm[sizeof buf];
332 int dest, source;
333 char *output;
334
335 /* silly output permutation */
336 for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
337 buf_perm[dest] = buf[source];
338 buf_perm[14] = buf[5];
339 buf_perm[15] = buf[11];
340 assert(16 == sizeof buf_perm);
341
342 output = salt_out + salt_len;
343 assert(output == out_buf + strlen(out_buf));
344
345 *output++ = '$';
346
347 for (i = 0; i < 15; i += 3) {
348 *output++ = cov_2char[buf_perm[i + 2] & 0x3f];
349 *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
350 (buf_perm[i + 2] >> 6)];
351 *output++ = cov_2char[((buf_perm[i] & 3) << 4) |
352 (buf_perm[i + 1] >> 4)];
353 *output++ = cov_2char[buf_perm[i] >> 2];
354 }
355 assert(i == 15);
356 *output++ = cov_2char[buf_perm[i] & 0x3f];
357 *output++ = cov_2char[buf_perm[i] >> 6];
358 *output = 0;
359 assert(strlen(out_buf) < sizeof(out_buf));
360 }
361 EVP_MD_CTX_cleanup(&md);
362
363 return out_buf;
364}
365#endif
366
367
368static int
369do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
370 char *passwd, BIO * out, int quiet, int table, int reverse,
371 size_t pw_maxlen, int usecrypt, int use1, int useapr1)
372{
373 char *hash = NULL;
374
375 assert(salt_p != NULL);
376 assert(salt_malloc_p != NULL);
377
378 /* first make sure we have a salt */
379 if (!passed_salt) {
380#ifndef OPENSSL_NO_DES
381 if (usecrypt) {
382 if (*salt_malloc_p == NULL) {
383 *salt_p = *salt_malloc_p = malloc(3);
384 if (*salt_malloc_p == NULL)
385 goto err;
386 }
387 if (RAND_pseudo_bytes((unsigned char *) *salt_p, 2) < 0)
388 goto err;
389 (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
390 (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
391 (*salt_p)[2] = 0;
392 }
393#endif /* !OPENSSL_NO_DES */
394
395#ifndef NO_MD5CRYPT_1
396 if (use1 || useapr1) {
397 int i;
398
399 if (*salt_malloc_p == NULL) {
400 *salt_p = *salt_malloc_p = malloc(9);
401 if (*salt_malloc_p == NULL)
402 goto err;
403 }
404 if (RAND_pseudo_bytes((unsigned char *) *salt_p, 8) < 0)
405 goto err;
406
407 for (i = 0; i < 8; i++)
408 (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
409 (*salt_p)[8] = 0;
410 }
411#endif /* !NO_MD5CRYPT_1 */
412 }
413 assert(*salt_p != NULL);
414
415 /* truncate password if necessary */
416 if ((strlen(passwd) > pw_maxlen)) {
417 if (!quiet)
418 /*
419 * XXX: really we should know how to print a size_t,
420 * not cast it
421 */
422 BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned) pw_maxlen);
423 passwd[pw_maxlen] = 0;
424 }
425 assert(strlen(passwd) <= pw_maxlen);
426
427 /* now compute password hash */
428#ifndef OPENSSL_NO_DES
429 if (usecrypt)
430 hash = DES_crypt(passwd, *salt_p);
431#endif
432#ifndef NO_MD5CRYPT_1
433 if (use1 || useapr1)
434 hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
435#endif
436 assert(hash != NULL);
437
438 if (table && !reverse)
439 BIO_printf(out, "%s\t%s\n", passwd, hash);
440 else if (table && reverse)
441 BIO_printf(out, "%s\t%s\n", hash, passwd);
442 else
443 BIO_printf(out, "%s\n", hash);
444 return 1;
445
446err:
447 return 0;
448}
449#else
450
451int
452passwd_main(int argc, char **argv)
453{
454 fputs("Program not available.\n", stderr)
455 return (1);
456}
457#endif
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
deleted file mode 100644
index 9899fa6950..0000000000
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ /dev/null
@@ -1,913 +0,0 @@
1/* $OpenBSD: pkcs12.c,v 1.38 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/opensslconf.h>
60
61#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
62
63#include <stdio.h>
64#include <stdlib.h>
65#include <string.h>
66
67#include "apps.h"
68
69#include <openssl/crypto.h>
70#include <openssl/err.h>
71#include <openssl/pem.h>
72#include <openssl/pkcs12.h>
73
74const EVP_CIPHER *enc;
75
76#define NOKEYS 0x1
77#define NOCERTS 0x2
78#define INFO 0x4
79#define CLCERTS 0x8
80#define CACERTS 0x10
81
82int get_cert_chain(X509 * cert, X509_STORE * store, STACK_OF(X509) ** chain);
83int dump_certs_keys_p12(BIO * out, PKCS12 * p12, char *pass, int passlen,
84 int options, char *pempass);
85int dump_certs_pkeys_bags(BIO * out, STACK_OF(PKCS12_SAFEBAG) * bags, char *pass,
86 int passlen, int options, char *pempass);
87int dump_certs_pkeys_bag(BIO * out, PKCS12_SAFEBAG * bags, char *pass, int passlen,
88 int options, char *pempass);
89int print_attribs(BIO * out, STACK_OF(X509_ATTRIBUTE) * attrlst, const char *name);
90void hex_prin(BIO * out, unsigned char *buf, int len);
91int alg_print(BIO * x, X509_ALGOR * alg);
92int cert_load(BIO * in, STACK_OF(X509) * sk);
93static int set_pbe(BIO * err, int *ppbe, const char *str);
94
95int pkcs12_main(int, char **);
96
97int
98pkcs12_main(int argc, char **argv)
99{
100 ENGINE *e = NULL;
101 char *infile = NULL, *outfile = NULL, *keyname = NULL;
102 char *certfile = NULL;
103 BIO *in = NULL, *out = NULL;
104 char **args;
105 char *name = NULL;
106 char *csp_name = NULL;
107 int add_lmk = 0;
108 PKCS12 *p12 = NULL;
109 char pass[50], macpass[50];
110 int export_cert = 0;
111 int options = 0;
112 int chain = 0;
113 int badarg = 0;
114 int iter = PKCS12_DEFAULT_ITER;
115 int maciter = PKCS12_DEFAULT_ITER;
116 int twopass = 0;
117 int keytype = 0;
118 int cert_pbe;
119 int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
120 int ret = 1;
121 int macver = 1;
122 int noprompt = 0;
123 STACK_OF(OPENSSL_STRING) * canames = NULL;
124 char *cpass = NULL, *mpass = NULL;
125 char *passargin = NULL, *passargout = NULL, *passarg = NULL;
126 char *passin = NULL, *passout = NULL;
127 char *macalg = NULL;
128 char *CApath = NULL, *CAfile = NULL;
129#ifndef OPENSSL_NO_ENGINE
130 char *engine = NULL;
131#endif
132
133 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
134
135 enc = EVP_des_ede3_cbc();
136
137 args = argv + 1;
138
139 while (*args) {
140 if (*args[0] == '-') {
141 if (!strcmp(*args, "-nokeys"))
142 options |= NOKEYS;
143 else if (!strcmp(*args, "-keyex"))
144 keytype = KEY_EX;
145 else if (!strcmp(*args, "-keysig"))
146 keytype = KEY_SIG;
147 else if (!strcmp(*args, "-nocerts"))
148 options |= NOCERTS;
149 else if (!strcmp(*args, "-clcerts"))
150 options |= CLCERTS;
151 else if (!strcmp(*args, "-cacerts"))
152 options |= CACERTS;
153 else if (!strcmp(*args, "-noout"))
154 options |= (NOKEYS | NOCERTS);
155 else if (!strcmp(*args, "-info"))
156 options |= INFO;
157 else if (!strcmp(*args, "-chain"))
158 chain = 1;
159 else if (!strcmp(*args, "-twopass"))
160 twopass = 1;
161 else if (!strcmp(*args, "-nomacver"))
162 macver = 0;
163 else if (!strcmp(*args, "-descert"))
164 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
165 else if (!strcmp(*args, "-export"))
166 export_cert = 1;
167 else if (!strcmp(*args, "-des"))
168 enc = EVP_des_cbc();
169 else if (!strcmp(*args, "-des3"))
170 enc = EVP_des_ede3_cbc();
171#ifndef OPENSSL_NO_IDEA
172 else if (!strcmp(*args, "-idea"))
173 enc = EVP_idea_cbc();
174#endif
175#ifndef OPENSSL_NO_AES
176 else if (!strcmp(*args, "-aes128"))
177 enc = EVP_aes_128_cbc();
178 else if (!strcmp(*args, "-aes192"))
179 enc = EVP_aes_192_cbc();
180 else if (!strcmp(*args, "-aes256"))
181 enc = EVP_aes_256_cbc();
182#endif
183#ifndef OPENSSL_NO_CAMELLIA
184 else if (!strcmp(*args, "-camellia128"))
185 enc = EVP_camellia_128_cbc();
186 else if (!strcmp(*args, "-camellia192"))
187 enc = EVP_camellia_192_cbc();
188 else if (!strcmp(*args, "-camellia256"))
189 enc = EVP_camellia_256_cbc();
190#endif
191 else if (!strcmp(*args, "-noiter"))
192 iter = 1;
193 else if (!strcmp(*args, "-maciter"))
194 maciter = PKCS12_DEFAULT_ITER;
195 else if (!strcmp(*args, "-nomaciter"))
196 maciter = 1;
197 else if (!strcmp(*args, "-nomac"))
198 maciter = -1;
199 else if (!strcmp(*args, "-macalg"))
200 if (args[1]) {
201 args++;
202 macalg = *args;
203 } else
204 badarg = 1;
205 else if (!strcmp(*args, "-nodes"))
206 enc = NULL;
207 else if (!strcmp(*args, "-certpbe")) {
208 if (!set_pbe(bio_err, &cert_pbe, *++args))
209 badarg = 1;
210 } else if (!strcmp(*args, "-keypbe")) {
211 if (!set_pbe(bio_err, &key_pbe, *++args))
212 badarg = 1;
213 } else if (!strcmp(*args, "-inkey")) {
214 if (args[1]) {
215 args++;
216 keyname = *args;
217 } else
218 badarg = 1;
219 } else if (!strcmp(*args, "-certfile")) {
220 if (args[1]) {
221 args++;
222 certfile = *args;
223 } else
224 badarg = 1;
225 } else if (!strcmp(*args, "-name")) {
226 if (args[1]) {
227 args++;
228 name = *args;
229 } else
230 badarg = 1;
231 } else if (!strcmp(*args, "-LMK"))
232 add_lmk = 1;
233 else if (!strcmp(*args, "-CSP")) {
234 if (args[1]) {
235 args++;
236 csp_name = *args;
237 } else
238 badarg = 1;
239 } else if (!strcmp(*args, "-caname")) {
240 if (args[1]) {
241 args++;
242 if (!canames)
243 canames = sk_OPENSSL_STRING_new_null();
244 sk_OPENSSL_STRING_push(canames, *args);
245 } else
246 badarg = 1;
247 } else if (!strcmp(*args, "-in")) {
248 if (args[1]) {
249 args++;
250 infile = *args;
251 } else
252 badarg = 1;
253 } else if (!strcmp(*args, "-out")) {
254 if (args[1]) {
255 args++;
256 outfile = *args;
257 } else
258 badarg = 1;
259 } else if (!strcmp(*args, "-passin")) {
260 if (args[1]) {
261 args++;
262 passargin = *args;
263 } else
264 badarg = 1;
265 } else if (!strcmp(*args, "-passout")) {
266 if (args[1]) {
267 args++;
268 passargout = *args;
269 } else
270 badarg = 1;
271 } else if (!strcmp(*args, "-password")) {
272 if (args[1]) {
273 args++;
274 passarg = *args;
275 noprompt = 1;
276 } else
277 badarg = 1;
278 } else if (!strcmp(*args, "-CApath")) {
279 if (args[1]) {
280 args++;
281 CApath = *args;
282 } else
283 badarg = 1;
284 } else if (!strcmp(*args, "-CAfile")) {
285 if (args[1]) {
286 args++;
287 CAfile = *args;
288 } else
289 badarg = 1;
290#ifndef OPENSSL_NO_ENGINE
291 } else if (!strcmp(*args, "-engine")) {
292 if (args[1]) {
293 args++;
294 engine = *args;
295 } else
296 badarg = 1;
297#endif
298 } else
299 badarg = 1;
300
301 } else
302 badarg = 1;
303 args++;
304 }
305
306 if (badarg) {
307 BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
308 BIO_printf(bio_err, "where options are\n");
309 BIO_printf(bio_err, "-export output PKCS12 file\n");
310 BIO_printf(bio_err, "-chain add certificate chain\n");
311 BIO_printf(bio_err, "-inkey file private key if not infile\n");
312 BIO_printf(bio_err, "-certfile f add all certs in f\n");
313 BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
314 BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
315 BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
316 BIO_printf(bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
317 BIO_printf(bio_err, "-in infile input filename\n");
318 BIO_printf(bio_err, "-out outfile output filename\n");
319 BIO_printf(bio_err, "-noout don't output anything, just verify.\n");
320 BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
321 BIO_printf(bio_err, "-nocerts don't output certificates.\n");
322 BIO_printf(bio_err, "-clcerts only output client certificates.\n");
323 BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
324 BIO_printf(bio_err, "-nokeys don't output private keys.\n");
325 BIO_printf(bio_err, "-info give info about PKCS#12 structure.\n");
326 BIO_printf(bio_err, "-des encrypt private keys with DES\n");
327 BIO_printf(bio_err, "-des3 encrypt private keys with triple DES (default)\n");
328#ifndef OPENSSL_NO_IDEA
329 BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
330#endif
331#ifndef OPENSSL_NO_AES
332 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
333 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
334#endif
335#ifndef OPENSSL_NO_CAMELLIA
336 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
337 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
338#endif
339 BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
340 BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
341 BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n");
342 BIO_printf(bio_err, "-maciter use MAC iteration\n");
343 BIO_printf(bio_err, "-nomac don't generate MAC\n");
344 BIO_printf(bio_err, "-twopass separate MAC, encryption passwords\n");
345 BIO_printf(bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
346 BIO_printf(bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
347 BIO_printf(bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
348 BIO_printf(bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n");
349 BIO_printf(bio_err, "-keyex set MS key exchange type\n");
350 BIO_printf(bio_err, "-keysig set MS key signature type\n");
351 BIO_printf(bio_err, "-password p set import/export password source\n");
352 BIO_printf(bio_err, "-passin p input file pass phrase source\n");
353 BIO_printf(bio_err, "-passout p output file pass phrase source\n");
354#ifndef OPENSSL_NO_ENGINE
355 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
356#endif
357 BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
358 BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n");
359 goto end;
360 }
361#ifndef OPENSSL_NO_ENGINE
362 e = setup_engine(bio_err, engine, 0);
363#endif
364
365 if (passarg) {
366 if (export_cert)
367 passargout = passarg;
368 else
369 passargin = passarg;
370 }
371 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
372 BIO_printf(bio_err, "Error getting passwords\n");
373 goto end;
374 }
375 if (!cpass) {
376 if (export_cert)
377 cpass = passout;
378 else
379 cpass = passin;
380 }
381 if (cpass) {
382 mpass = cpass;
383 noprompt = 1;
384 } else {
385 cpass = pass;
386 mpass = macpass;
387 }
388
389 ERR_load_crypto_strings();
390
391
392 if (!infile)
393 in = BIO_new_fp(stdin, BIO_NOCLOSE);
394 else
395 in = BIO_new_file(infile, "rb");
396 if (!in) {
397 BIO_printf(bio_err, "Error opening input file %s\n",
398 infile ? infile : "<stdin>");
399 perror(infile);
400 goto end;
401 }
402
403 if (!outfile) {
404 out = BIO_new_fp(stdout, BIO_NOCLOSE);
405 } else
406 out = BIO_new_file(outfile, "wb");
407 if (!out) {
408 BIO_printf(bio_err, "Error opening output file %s\n",
409 outfile ? outfile : "<stdout>");
410 perror(outfile);
411 goto end;
412 }
413 if (twopass) {
414 if (EVP_read_pw_string(macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
415 BIO_printf(bio_err, "Can't read Password\n");
416 goto end;
417 }
418 }
419 if (export_cert) {
420 EVP_PKEY *key = NULL;
421 X509 *ucert = NULL, *x = NULL;
422 STACK_OF(X509) * certs = NULL;
423 const EVP_MD *macmd = NULL;
424 unsigned char *catmp = NULL;
425 int i;
426
427 if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
428 BIO_printf(bio_err, "Nothing to do!\n");
429 goto export_end;
430 }
431 if (options & NOCERTS)
432 chain = 0;
433
434 if (!(options & NOKEYS)) {
435 key = load_key(bio_err, keyname ? keyname : infile,
436 FORMAT_PEM, 1, passin, e, "private key");
437 if (!key)
438 goto export_end;
439 }
440
441 /* Load in all certs in input file */
442 if (!(options & NOCERTS)) {
443 certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
444 "certificates");
445 if (!certs)
446 goto export_end;
447
448 if (key) {
449 /* Look for matching private key */
450 for (i = 0; i < sk_X509_num(certs); i++) {
451 x = sk_X509_value(certs, i);
452 if (X509_check_private_key(x, key)) {
453 ucert = x;
454 /* Zero keyid and alias */
455 X509_keyid_set1(ucert, NULL, 0);
456 X509_alias_set1(ucert, NULL, 0);
457 /* Remove from list */
458 (void) sk_X509_delete(certs, i);
459 break;
460 }
461 }
462 if (!ucert) {
463 BIO_printf(bio_err, "No certificate matches private key\n");
464 goto export_end;
465 }
466 }
467 }
468
469 /* Add any more certificates asked for */
470 if (certfile) {
471 STACK_OF(X509) * morecerts = NULL;
472 if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
473 NULL, e,
474 "certificates from certfile")))
475 goto export_end;
476 while (sk_X509_num(morecerts) > 0)
477 sk_X509_push(certs, sk_X509_shift(morecerts));
478 sk_X509_free(morecerts);
479 }
480
481
482 /* If chaining get chain from user cert */
483 if (chain) {
484 int vret;
485 STACK_OF(X509) * chain2;
486 X509_STORE *store = X509_STORE_new();
487 if (!store) {
488 BIO_printf(bio_err, "Memory allocation error\n");
489 goto export_end;
490 }
491 if (!X509_STORE_load_locations(store, CAfile, CApath))
492 X509_STORE_set_default_paths(store);
493
494 vret = get_cert_chain(ucert, store, &chain2);
495 X509_STORE_free(store);
496
497 if (!vret) {
498 /* Exclude verified certificate */
499 for (i = 1; i < sk_X509_num(chain2); i++)
500 sk_X509_push(certs, sk_X509_value(chain2, i));
501 /* Free first certificate */
502 X509_free(sk_X509_value(chain2, 0));
503 sk_X509_free(chain2);
504 } else {
505 if (vret >= 0)
506 BIO_printf(bio_err, "Error %s getting chain.\n",
507 X509_verify_cert_error_string(vret));
508 else
509 ERR_print_errors(bio_err);
510 goto export_end;
511 }
512 }
513 /* Add any CA names */
514
515 for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) {
516 catmp = (unsigned char *) sk_OPENSSL_STRING_value(canames, i);
517 X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
518 }
519
520 if (csp_name && key)
521 EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
522 MBSTRING_ASC, (unsigned char *) csp_name, -1);
523
524 if (add_lmk && key)
525 EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
526
527
528 if (!noprompt &&
529 EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
530 BIO_printf(bio_err, "Can't read Password\n");
531 goto export_end;
532 }
533 if (!twopass)
534 strlcpy(macpass, pass, sizeof macpass);
535
536
537 p12 = PKCS12_create(cpass, name, key, ucert, certs,
538 key_pbe, cert_pbe, iter, -1, keytype);
539
540 if (!p12) {
541 ERR_print_errors(bio_err);
542 goto export_end;
543 }
544 if (macalg) {
545 macmd = EVP_get_digestbyname(macalg);
546 if (!macmd) {
547 BIO_printf(bio_err, "Unknown digest algorithm %s\n",
548 macalg);
549 }
550 }
551 if (maciter != -1)
552 PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
553
554
555 i2d_PKCS12_bio(out, p12);
556
557 ret = 0;
558
559export_end:
560
561 if (key)
562 EVP_PKEY_free(key);
563 if (certs)
564 sk_X509_pop_free(certs, X509_free);
565 if (ucert)
566 X509_free(ucert);
567
568 goto end;
569
570 }
571 if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
572 ERR_print_errors(bio_err);
573 goto end;
574 }
575 if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
576 BIO_printf(bio_err, "Can't read Password\n");
577 goto end;
578 }
579
580 if (!twopass)
581 strlcpy(macpass, pass, sizeof macpass);
582
583 if ((options & INFO) && p12->mac)
584 BIO_printf(bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
585 if (macver) {
586 /* If we enter empty password try no password first */
587 if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
588 /* If mac and crypto pass the same set it to NULL too */
589 if (!twopass)
590 cpass = NULL;
591 } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
592 BIO_printf(bio_err, "Mac verify error: invalid password?\n");
593 ERR_print_errors(bio_err);
594 goto end;
595 }
596 BIO_printf(bio_err, "MAC verified OK\n");
597 }
598 if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
599 BIO_printf(bio_err, "Error outputting keys and certificates\n");
600 ERR_print_errors(bio_err);
601 goto end;
602 }
603 ret = 0;
604end:
605 if (p12)
606 PKCS12_free(p12);
607 BIO_free(in);
608 BIO_free_all(out);
609 if (canames)
610 sk_OPENSSL_STRING_free(canames);
611 free(passin);
612 free(passout);
613
614 return (ret);
615}
616
617int
618dump_certs_keys_p12(BIO * out, PKCS12 * p12, char *pass,
619 int passlen, int options, char *pempass)
620{
621 STACK_OF(PKCS7) * asafes = NULL;
622 STACK_OF(PKCS12_SAFEBAG) * bags;
623 int i, bagnid;
624 int ret = 0;
625 PKCS7 *p7;
626
627 if (!(asafes = PKCS12_unpack_authsafes(p12)))
628 return 0;
629 for (i = 0; i < sk_PKCS7_num(asafes); i++) {
630 p7 = sk_PKCS7_value(asafes, i);
631 bagnid = OBJ_obj2nid(p7->type);
632 if (bagnid == NID_pkcs7_data) {
633 bags = PKCS12_unpack_p7data(p7);
634 if (options & INFO)
635 BIO_printf(bio_err, "PKCS7 Data\n");
636 } else if (bagnid == NID_pkcs7_encrypted) {
637 if (options & INFO) {
638 BIO_printf(bio_err, "PKCS7 Encrypted data: ");
639 alg_print(bio_err,
640 p7->d.encrypted->enc_data->algorithm);
641 }
642 bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
643 } else
644 continue;
645 if (!bags)
646 goto err;
647 if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
648 options, pempass)) {
649 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
650 goto err;
651 }
652 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
653 bags = NULL;
654 }
655 ret = 1;
656
657err:
658
659 if (asafes)
660 sk_PKCS7_pop_free(asafes, PKCS7_free);
661 return ret;
662}
663
664int
665dump_certs_pkeys_bags(BIO * out, STACK_OF(PKCS12_SAFEBAG) * bags,
666 char *pass, int passlen, int options, char *pempass)
667{
668 int i;
669 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
670 if (!dump_certs_pkeys_bag(out,
671 sk_PKCS12_SAFEBAG_value(bags, i),
672 pass, passlen,
673 options, pempass))
674 return 0;
675 }
676 return 1;
677}
678
679int
680dump_certs_pkeys_bag(BIO * out, PKCS12_SAFEBAG * bag, char *pass,
681 int passlen, int options, char *pempass)
682{
683 EVP_PKEY *pkey;
684 PKCS8_PRIV_KEY_INFO *p8;
685 X509 *x509;
686
687 switch (M_PKCS12_bag_type(bag)) {
688 case NID_keyBag:
689 if (options & INFO)
690 BIO_printf(bio_err, "Key bag\n");
691 if (options & NOKEYS)
692 return 1;
693 print_attribs(out, bag->attrib, "Bag Attributes");
694 p8 = bag->value.keybag;
695 if (!(pkey = EVP_PKCS82PKEY(p8)))
696 return 0;
697 print_attribs(out, p8->attributes, "Key Attributes");
698 PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
699 EVP_PKEY_free(pkey);
700 break;
701
702 case NID_pkcs8ShroudedKeyBag:
703 if (options & INFO) {
704 BIO_printf(bio_err, "Shrouded Keybag: ");
705 alg_print(bio_err, bag->value.shkeybag->algor);
706 }
707 if (options & NOKEYS)
708 return 1;
709 print_attribs(out, bag->attrib, "Bag Attributes");
710 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
711 return 0;
712 if (!(pkey = EVP_PKCS82PKEY(p8))) {
713 PKCS8_PRIV_KEY_INFO_free(p8);
714 return 0;
715 }
716 print_attribs(out, p8->attributes, "Key Attributes");
717 PKCS8_PRIV_KEY_INFO_free(p8);
718 PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
719 EVP_PKEY_free(pkey);
720 break;
721
722 case NID_certBag:
723 if (options & INFO)
724 BIO_printf(bio_err, "Certificate bag\n");
725 if (options & NOCERTS)
726 return 1;
727 if (PKCS12_get_attr(bag, NID_localKeyID)) {
728 if (options & CACERTS)
729 return 1;
730 } else if (options & CLCERTS)
731 return 1;
732 print_attribs(out, bag->attrib, "Bag Attributes");
733 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
734 return 1;
735 if (!(x509 = PKCS12_certbag2x509(bag)))
736 return 0;
737 dump_cert_text(out, x509);
738 PEM_write_bio_X509(out, x509);
739 X509_free(x509);
740 break;
741
742 case NID_safeContentsBag:
743 if (options & INFO)
744 BIO_printf(bio_err, "Safe Contents bag\n");
745 print_attribs(out, bag->attrib, "Bag Attributes");
746 return dump_certs_pkeys_bags(out, bag->value.safes, pass,
747 passlen, options, pempass);
748
749 default:
750 BIO_printf(bio_err, "Warning unsupported bag type: ");
751 i2a_ASN1_OBJECT(bio_err, bag->type);
752 BIO_printf(bio_err, "\n");
753 return 1;
754 break;
755 }
756 return 1;
757}
758
759/* Given a single certificate return a verified chain or NULL if error */
760
761/* Hope this is OK .... */
762
763int
764get_cert_chain(X509 * cert, X509_STORE * store, STACK_OF(X509) ** chain)
765{
766 X509_STORE_CTX store_ctx;
767 STACK_OF(X509) * chn;
768 int i = 0;
769
770 /*
771 * FIXME: Should really check the return status of
772 * X509_STORE_CTX_init for an error, but how that fits into the
773 * return value of this function is less obvious.
774 */
775 X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
776 if (X509_verify_cert(&store_ctx) <= 0) {
777 i = X509_STORE_CTX_get_error(&store_ctx);
778 if (i == 0)
779 /*
780 * avoid returning 0 if X509_verify_cert() did not
781 * set an appropriate error value in the context
782 */
783 i = -1;
784 chn = NULL;
785 goto err;
786 } else
787 chn = X509_STORE_CTX_get1_chain(&store_ctx);
788err:
789 X509_STORE_CTX_cleanup(&store_ctx);
790 *chain = chn;
791
792 return i;
793}
794
795int
796alg_print(BIO * x, X509_ALGOR * alg)
797{
798 PBEPARAM *pbe;
799 const unsigned char *p;
800 p = alg->parameter->value.sequence->data;
801 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
802 if (!pbe)
803 return 1;
804 BIO_printf(bio_err, "%s, Iteration %ld\n",
805 OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
806 ASN1_INTEGER_get(pbe->iter));
807 PBEPARAM_free(pbe);
808 return 1;
809}
810
811/* Load all certificates from a given file */
812
813int
814cert_load(BIO * in, STACK_OF(X509) * sk)
815{
816 int ret;
817 X509 *cert;
818 ret = 0;
819 while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
820 ret = 1;
821 sk_X509_push(sk, cert);
822 }
823 if (ret)
824 ERR_clear_error();
825 return ret;
826}
827
828/* Generalised attribute print: handle PKCS#8 and bag attributes */
829
830int
831print_attribs(BIO * out, STACK_OF(X509_ATTRIBUTE) * attrlst, const char *name)
832{
833 X509_ATTRIBUTE *attr;
834 ASN1_TYPE *av;
835 char *value;
836 int i, attr_nid;
837 if (!attrlst) {
838 BIO_printf(out, "%s: <No Attributes>\n", name);
839 return 1;
840 }
841 if (!sk_X509_ATTRIBUTE_num(attrlst)) {
842 BIO_printf(out, "%s: <Empty Attributes>\n", name);
843 return 1;
844 }
845 BIO_printf(out, "%s\n", name);
846 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
847 attr = sk_X509_ATTRIBUTE_value(attrlst, i);
848 attr_nid = OBJ_obj2nid(attr->object);
849 BIO_printf(out, " ");
850 if (attr_nid == NID_undef) {
851 i2a_ASN1_OBJECT(out, attr->object);
852 BIO_printf(out, ": ");
853 } else
854 BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
855
856 if (sk_ASN1_TYPE_num(attr->value.set)) {
857 av = sk_ASN1_TYPE_value(attr->value.set, 0);
858 switch (av->type) {
859 case V_ASN1_BMPSTRING:
860 value = OPENSSL_uni2asc(av->value.bmpstring->data,
861 av->value.bmpstring->length);
862 BIO_printf(out, "%s\n", value);
863 free(value);
864 break;
865
866 case V_ASN1_OCTET_STRING:
867 hex_prin(out, av->value.octet_string->data,
868 av->value.octet_string->length);
869 BIO_printf(out, "\n");
870 break;
871
872 case V_ASN1_BIT_STRING:
873 hex_prin(out, av->value.bit_string->data,
874 av->value.bit_string->length);
875 BIO_printf(out, "\n");
876 break;
877
878 default:
879 BIO_printf(out, "<Unsupported tag %d>\n", av->type);
880 break;
881 }
882 } else
883 BIO_printf(out, "<No Values>\n");
884 }
885 return 1;
886}
887
888void
889hex_prin(BIO * out, unsigned char *buf, int len)
890{
891 int i;
892 for (i = 0; i < len; i++)
893 BIO_printf(out, "%02X ", buf[i]);
894}
895
896static int
897set_pbe(BIO * err, int *ppbe, const char *str)
898{
899 if (!str)
900 return 0;
901 if (!strcmp(str, "NONE")) {
902 *ppbe = -1;
903 return 1;
904 }
905 *ppbe = OBJ_txt2nid(str);
906 if (*ppbe == NID_undef) {
907 BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str);
908 return 0;
909 }
910 return 1;
911}
912
913#endif
diff --git a/src/lib/libssl/src/apps/pkcs7.c b/src/lib/libssl/src/apps/pkcs7.c
deleted file mode 100644
index 34b9d512c4..0000000000
--- a/src/lib/libssl/src/apps/pkcs7.c
+++ /dev/null
@@ -1,284 +0,0 @@
1/* $OpenBSD: pkcs7.c,v 1.21 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62#include <time.h>
63
64#include "apps.h"
65
66#include <openssl/err.h>
67#include <openssl/evp.h>
68#include <openssl/objects.h>
69#include <openssl/pem.h>
70#include <openssl/pkcs7.h>
71#include <openssl/x509.h>
72
73/* -inform arg - input format - default PEM (DER or PEM)
74 * -outform arg - output format - default PEM
75 * -in arg - input file - default stdin
76 * -out arg - output file - default stdout
77 * -print_certs
78 */
79
80int pkcs7_main(int, char **);
81
82int
83pkcs7_main(int argc, char **argv)
84{
85 PKCS7 *p7 = NULL;
86 int i, badops = 0;
87 BIO *in = NULL, *out = NULL;
88 int informat, outformat;
89 char *infile, *outfile, *prog;
90 int print_certs = 0, text = 0, noout = 0, p7_print = 0;
91 int ret = 1;
92#ifndef OPENSSL_NO_ENGINE
93 char *engine = NULL;
94#endif
95
96 infile = NULL;
97 outfile = NULL;
98 informat = FORMAT_PEM;
99 outformat = FORMAT_PEM;
100
101 prog = argv[0];
102 argc--;
103 argv++;
104 while (argc >= 1) {
105 if (strcmp(*argv, "-inform") == 0) {
106 if (--argc < 1)
107 goto bad;
108 informat = str2fmt(*(++argv));
109 } else if (strcmp(*argv, "-outform") == 0) {
110 if (--argc < 1)
111 goto bad;
112 outformat = str2fmt(*(++argv));
113 } else if (strcmp(*argv, "-in") == 0) {
114 if (--argc < 1)
115 goto bad;
116 infile = *(++argv);
117 } else if (strcmp(*argv, "-out") == 0) {
118 if (--argc < 1)
119 goto bad;
120 outfile = *(++argv);
121 } else if (strcmp(*argv, "-noout") == 0)
122 noout = 1;
123 else if (strcmp(*argv, "-text") == 0)
124 text = 1;
125 else if (strcmp(*argv, "-print") == 0)
126 p7_print = 1;
127 else if (strcmp(*argv, "-print_certs") == 0)
128 print_certs = 1;
129#ifndef OPENSSL_NO_ENGINE
130 else if (strcmp(*argv, "-engine") == 0) {
131 if (--argc < 1)
132 goto bad;
133 engine = *(++argv);
134 }
135#endif
136 else {
137 BIO_printf(bio_err, "unknown option %s\n", *argv);
138 badops = 1;
139 break;
140 }
141 argc--;
142 argv++;
143 }
144
145 if (badops) {
146bad:
147 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
148 BIO_printf(bio_err, "where options are\n");
149 BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
150 BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
151 BIO_printf(bio_err, " -in arg input file\n");
152 BIO_printf(bio_err, " -out arg output file\n");
153 BIO_printf(bio_err, " -print_certs print any certs or crl in the input\n");
154 BIO_printf(bio_err, " -text print full details of certificates\n");
155 BIO_printf(bio_err, " -noout don't output encoded data\n");
156#ifndef OPENSSL_NO_ENGINE
157 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
158#endif
159 ret = 1;
160 goto end;
161 }
162 ERR_load_crypto_strings();
163
164#ifndef OPENSSL_NO_ENGINE
165 setup_engine(bio_err, engine, 0);
166#endif
167
168 in = BIO_new(BIO_s_file());
169 out = BIO_new(BIO_s_file());
170 if ((in == NULL) || (out == NULL)) {
171 ERR_print_errors(bio_err);
172 goto end;
173 }
174 if (infile == NULL)
175 BIO_set_fp(in, stdin, BIO_NOCLOSE);
176 else {
177 if (BIO_read_filename(in, infile) <= 0)
178 if (in == NULL) {
179 perror(infile);
180 goto end;
181 }
182 }
183
184 if (informat == FORMAT_ASN1)
185 p7 = d2i_PKCS7_bio(in, NULL);
186 else if (informat == FORMAT_PEM)
187 p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
188 else {
189 BIO_printf(bio_err, "bad input format specified for pkcs7 object\n");
190 goto end;
191 }
192 if (p7 == NULL) {
193 BIO_printf(bio_err, "unable to load PKCS7 object\n");
194 ERR_print_errors(bio_err);
195 goto end;
196 }
197 if (outfile == NULL) {
198 BIO_set_fp(out, stdout, BIO_NOCLOSE);
199 } else {
200 if (BIO_write_filename(out, outfile) <= 0) {
201 perror(outfile);
202 goto end;
203 }
204 }
205
206 if (p7_print)
207 PKCS7_print_ctx(out, p7, 0, NULL);
208
209 if (print_certs) {
210 STACK_OF(X509) * certs = NULL;
211 STACK_OF(X509_CRL) * crls = NULL;
212
213 i = OBJ_obj2nid(p7->type);
214 switch (i) {
215 case NID_pkcs7_signed:
216 certs = p7->d.sign->cert;
217 crls = p7->d.sign->crl;
218 break;
219 case NID_pkcs7_signedAndEnveloped:
220 certs = p7->d.signed_and_enveloped->cert;
221 crls = p7->d.signed_and_enveloped->crl;
222 break;
223 default:
224 break;
225 }
226
227 if (certs != NULL) {
228 X509 *x;
229
230 for (i = 0; i < sk_X509_num(certs); i++) {
231 x = sk_X509_value(certs, i);
232 if (text)
233 X509_print(out, x);
234 else
235 dump_cert_text(out, x);
236
237 if (!noout)
238 PEM_write_bio_X509(out, x);
239 BIO_puts(out, "\n");
240 }
241 }
242 if (crls != NULL) {
243 X509_CRL *crl;
244
245 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
246 crl = sk_X509_CRL_value(crls, i);
247
248 X509_CRL_print(out, crl);
249
250 if (!noout)
251 PEM_write_bio_X509_CRL(out, crl);
252 BIO_puts(out, "\n");
253 }
254 }
255 ret = 0;
256 goto end;
257 }
258 if (!noout) {
259 if (outformat == FORMAT_ASN1)
260 i = i2d_PKCS7_bio(out, p7);
261 else if (outformat == FORMAT_PEM)
262 i = PEM_write_bio_PKCS7(out, p7);
263 else {
264 BIO_printf(bio_err, "bad output format specified for outfile\n");
265 goto end;
266 }
267
268 if (!i) {
269 BIO_printf(bio_err, "unable to write pkcs7 object\n");
270 ERR_print_errors(bio_err);
271 goto end;
272 }
273 }
274 ret = 0;
275end:
276 if (p7 != NULL)
277 PKCS7_free(p7);
278 if (in != NULL)
279 BIO_free(in);
280 if (out != NULL)
281 BIO_free_all(out);
282
283 return (ret);
284}
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
deleted file mode 100644
index 9b0b15baac..0000000000
--- a/src/lib/libssl/src/apps/pkcs8.c
+++ /dev/null
@@ -1,367 +0,0 @@
1/* $OpenBSD: pkcs8.c,v 1.21 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999-2004.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include "apps.h"
63
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/pem.h>
67#include <openssl/pkcs12.h>
68
69int pkcs8_main(int, char **);
70
71int
72pkcs8_main(int argc, char **argv)
73{
74 ENGINE *e = NULL;
75 char **args, *infile = NULL, *outfile = NULL;
76 char *passargin = NULL, *passargout = NULL;
77 BIO *in = NULL, *out = NULL;
78 int topk8 = 0;
79 int pbe_nid = -1;
80 const EVP_CIPHER *cipher = NULL;
81 int iter = PKCS12_DEFAULT_ITER;
82 int informat, outformat;
83 int p8_broken = PKCS8_OK;
84 int nocrypt = 0;
85 X509_SIG *p8 = NULL;
86 PKCS8_PRIV_KEY_INFO *p8inf = NULL;
87 EVP_PKEY *pkey = NULL;
88 char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
89 int badarg = 0;
90 int ret = 1;
91#ifndef OPENSSL_NO_ENGINE
92 char *engine = NULL;
93#endif
94
95 informat = FORMAT_PEM;
96 outformat = FORMAT_PEM;
97
98 ERR_load_crypto_strings();
99 OpenSSL_add_all_algorithms();
100 args = argv + 1;
101 while (!badarg && *args && *args[0] == '-') {
102 if (!strcmp(*args, "-v2")) {
103 if (args[1]) {
104 args++;
105 cipher = EVP_get_cipherbyname(*args);
106 if (!cipher) {
107 BIO_printf(bio_err,
108 "Unknown cipher %s\n", *args);
109 badarg = 1;
110 }
111 } else
112 badarg = 1;
113 } else if (!strcmp(*args, "-v1")) {
114 if (args[1]) {
115 args++;
116 pbe_nid = OBJ_txt2nid(*args);
117 if (pbe_nid == NID_undef) {
118 BIO_printf(bio_err,
119 "Unknown PBE algorithm %s\n", *args);
120 badarg = 1;
121 }
122 } else
123 badarg = 1;
124 } else if (!strcmp(*args, "-inform")) {
125 if (args[1]) {
126 args++;
127 informat = str2fmt(*args);
128 } else
129 badarg = 1;
130 } else if (!strcmp(*args, "-outform")) {
131 if (args[1]) {
132 args++;
133 outformat = str2fmt(*args);
134 } else
135 badarg = 1;
136 } else if (!strcmp(*args, "-topk8"))
137 topk8 = 1;
138 else if (!strcmp(*args, "-noiter"))
139 iter = 1;
140 else if (!strcmp(*args, "-nocrypt"))
141 nocrypt = 1;
142 else if (!strcmp(*args, "-nooct"))
143 p8_broken = PKCS8_NO_OCTET;
144 else if (!strcmp(*args, "-nsdb"))
145 p8_broken = PKCS8_NS_DB;
146 else if (!strcmp(*args, "-embed"))
147 p8_broken = PKCS8_EMBEDDED_PARAM;
148 else if (!strcmp(*args, "-passin")) {
149 if (!args[1])
150 goto bad;
151 passargin = *(++args);
152 } else if (!strcmp(*args, "-passout")) {
153 if (!args[1])
154 goto bad;
155 passargout = *(++args);
156 }
157#ifndef OPENSSL_NO_ENGINE
158 else if (strcmp(*args, "-engine") == 0) {
159 if (!args[1])
160 goto bad;
161 engine = *(++args);
162 }
163#endif
164 else if (!strcmp(*args, "-in")) {
165 if (args[1]) {
166 args++;
167 infile = *args;
168 } else
169 badarg = 1;
170 } else if (!strcmp(*args, "-out")) {
171 if (args[1]) {
172 args++;
173 outfile = *args;
174 } else
175 badarg = 1;
176 } else
177 badarg = 1;
178 args++;
179 }
180
181 if (badarg) {
182bad:
183 BIO_printf(bio_err, "Usage pkcs8 [options]\n");
184 BIO_printf(bio_err, "where options are\n");
185 BIO_printf(bio_err, "-in file input file\n");
186 BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
187 BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
188 BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
189 BIO_printf(bio_err, "-out file output file\n");
190 BIO_printf(bio_err, "-passout arg output file pass phrase source\n");
191 BIO_printf(bio_err, "-topk8 output PKCS8 file\n");
192 BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n");
193 BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n");
194 BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n");
195 BIO_printf(bio_err, "-noiter use 1 as iteration count\n");
196 BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n");
197 BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n");
198 BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n");
199#ifndef OPENSSL_NO_ENGINE
200 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
201#endif
202 goto end;
203 }
204#ifndef OPENSSL_NO_ENGINE
205 e = setup_engine(bio_err, engine, 0);
206#endif
207
208 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
209 BIO_printf(bio_err, "Error getting passwords\n");
210 goto end;
211 }
212 if ((pbe_nid == -1) && !cipher)
213 pbe_nid = NID_pbeWithMD5AndDES_CBC;
214
215 if (infile) {
216 if (!(in = BIO_new_file(infile, "rb"))) {
217 BIO_printf(bio_err,
218 "Can't open input file %s\n", infile);
219 goto end;
220 }
221 } else
222 in = BIO_new_fp(stdin, BIO_NOCLOSE);
223
224 if (outfile) {
225 if (!(out = BIO_new_file(outfile, "wb"))) {
226 BIO_printf(bio_err,
227 "Can't open output file %s\n", outfile);
228 goto end;
229 }
230 } else {
231 out = BIO_new_fp(stdout, BIO_NOCLOSE);
232 }
233 if (topk8) {
234 pkey = load_key(bio_err, infile, informat, 1,
235 passin, e, "key");
236 if (!pkey)
237 goto end;
238 if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
239 BIO_printf(bio_err, "Error converting key\n");
240 ERR_print_errors(bio_err);
241 goto end;
242 }
243 if (nocrypt) {
244 if (outformat == FORMAT_PEM)
245 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
246 else if (outformat == FORMAT_ASN1)
247 i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
248 else {
249 BIO_printf(bio_err, "Bad format specified for key\n");
250 goto end;
251 }
252 } else {
253 if (passout)
254 p8pass = passout;
255 else {
256 p8pass = pass;
257 if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
258 goto end;
259 }
260 if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
261 p8pass, strlen(p8pass),
262 NULL, 0, iter, p8inf))) {
263 BIO_printf(bio_err, "Error encrypting key\n");
264 ERR_print_errors(bio_err);
265 goto end;
266 }
267 if (outformat == FORMAT_PEM)
268 PEM_write_bio_PKCS8(out, p8);
269 else if (outformat == FORMAT_ASN1)
270 i2d_PKCS8_bio(out, p8);
271 else {
272 BIO_printf(bio_err, "Bad format specified for key\n");
273 goto end;
274 }
275 }
276
277 ret = 0;
278 goto end;
279 }
280 if (nocrypt) {
281 if (informat == FORMAT_PEM)
282 p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
283 else if (informat == FORMAT_ASN1)
284 p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
285 else {
286 BIO_printf(bio_err, "Bad format specified for key\n");
287 goto end;
288 }
289 } else {
290 if (informat == FORMAT_PEM)
291 p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
292 else if (informat == FORMAT_ASN1)
293 p8 = d2i_PKCS8_bio(in, NULL);
294 else {
295 BIO_printf(bio_err, "Bad format specified for key\n");
296 goto end;
297 }
298
299 if (!p8) {
300 BIO_printf(bio_err, "Error reading key\n");
301 ERR_print_errors(bio_err);
302 goto end;
303 }
304 if (passin)
305 p8pass = passin;
306 else {
307 p8pass = pass;
308 EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
309 }
310 p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
311 }
312
313 if (!p8inf) {
314 BIO_printf(bio_err, "Error decrypting key\n");
315 ERR_print_errors(bio_err);
316 goto end;
317 }
318 if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
319 BIO_printf(bio_err, "Error converting key\n");
320 ERR_print_errors(bio_err);
321 goto end;
322 }
323 if (p8inf->broken) {
324 BIO_printf(bio_err, "Warning: broken key encoding: ");
325 switch (p8inf->broken) {
326 case PKCS8_NO_OCTET:
327 BIO_printf(bio_err, "No Octet String in PrivateKey\n");
328 break;
329
330 case PKCS8_EMBEDDED_PARAM:
331 BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
332 break;
333
334 case PKCS8_NS_DB:
335 BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
336 break;
337
338 case PKCS8_NEG_PRIVKEY:
339 BIO_printf(bio_err, "DSA private key value is negative\n");
340 break;
341
342 default:
343 BIO_printf(bio_err, "Unknown broken type\n");
344 break;
345 }
346 }
347 if (outformat == FORMAT_PEM)
348 PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
349 else if (outformat == FORMAT_ASN1)
350 i2d_PrivateKey_bio(out, pkey);
351 else {
352 BIO_printf(bio_err, "Bad format specified for key\n");
353 goto end;
354 }
355 ret = 0;
356
357end:
358 X509_SIG_free(p8);
359 PKCS8_PRIV_KEY_INFO_free(p8inf);
360 EVP_PKEY_free(pkey);
361 BIO_free_all(out);
362 BIO_free(in);
363 free(passin);
364 free(passout);
365
366 return ret;
367}
diff --git a/src/lib/libssl/src/apps/pkey.c b/src/lib/libssl/src/apps/pkey.c
deleted file mode 100644
index a419e3007f..0000000000
--- a/src/lib/libssl/src/apps/pkey.c
+++ /dev/null
@@ -1,235 +0,0 @@
1/* $OpenBSD: pkey.c,v 1.11 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include "apps.h"
63
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/pem.h>
67
68int pkey_main(int, char **);
69
70int
71pkey_main(int argc, char **argv)
72{
73 ENGINE *e = NULL;
74 char **args, *infile = NULL, *outfile = NULL;
75 char *passargin = NULL, *passargout = NULL;
76 BIO *in = NULL, *out = NULL;
77 const EVP_CIPHER *cipher = NULL;
78 int informat, outformat;
79 int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
80 EVP_PKEY *pkey = NULL;
81 char *passin = NULL, *passout = NULL;
82 int badarg = 0;
83#ifndef OPENSSL_NO_ENGINE
84 char *engine = NULL;
85#endif
86 int ret = 1;
87
88 informat = FORMAT_PEM;
89 outformat = FORMAT_PEM;
90
91 ERR_load_crypto_strings();
92 OpenSSL_add_all_algorithms();
93 args = argv + 1;
94 while (!badarg && *args && *args[0] == '-') {
95 if (!strcmp(*args, "-inform")) {
96 if (args[1]) {
97 args++;
98 informat = str2fmt(*args);
99 } else
100 badarg = 1;
101 } else if (!strcmp(*args, "-outform")) {
102 if (args[1]) {
103 args++;
104 outformat = str2fmt(*args);
105 } else
106 badarg = 1;
107 } else if (!strcmp(*args, "-passin")) {
108 if (!args[1])
109 goto bad;
110 passargin = *(++args);
111 } else if (!strcmp(*args, "-passout")) {
112 if (!args[1])
113 goto bad;
114 passargout = *(++args);
115 }
116#ifndef OPENSSL_NO_ENGINE
117 else if (strcmp(*args, "-engine") == 0) {
118 if (!args[1])
119 goto bad;
120 engine = *(++args);
121 }
122#endif
123 else if (!strcmp(*args, "-in")) {
124 if (args[1]) {
125 args++;
126 infile = *args;
127 } else
128 badarg = 1;
129 } else if (!strcmp(*args, "-out")) {
130 if (args[1]) {
131 args++;
132 outfile = *args;
133 } else
134 badarg = 1;
135 } else if (strcmp(*args, "-pubin") == 0) {
136 pubin = 1;
137 pubout = 1;
138 pubtext = 1;
139 } else if (strcmp(*args, "-pubout") == 0)
140 pubout = 1;
141 else if (strcmp(*args, "-text_pub") == 0) {
142 pubtext = 1;
143 text = 1;
144 } else if (strcmp(*args, "-text") == 0)
145 text = 1;
146 else if (strcmp(*args, "-noout") == 0)
147 noout = 1;
148 else {
149 cipher = EVP_get_cipherbyname(*args + 1);
150 if (!cipher) {
151 BIO_printf(bio_err, "Unknown cipher %s\n",
152 *args + 1);
153 badarg = 1;
154 }
155 }
156 args++;
157 }
158
159 if (badarg) {
160bad:
161 BIO_printf(bio_err, "Usage pkey [options]\n");
162 BIO_printf(bio_err, "where options are\n");
163 BIO_printf(bio_err, "-in file input file\n");
164 BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
165 BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
166 BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
167 BIO_printf(bio_err, "-out file output file\n");
168 BIO_printf(bio_err, "-passout arg output file pass phrase source\n");
169#ifndef OPENSSL_NO_ENGINE
170 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
171#endif
172 return 1;
173 }
174#ifndef OPENSSL_NO_ENGINE
175 e = setup_engine(bio_err, engine, 0);
176#endif
177
178 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
179 BIO_printf(bio_err, "Error getting passwords\n");
180 goto end;
181 }
182 if (outfile) {
183 if (!(out = BIO_new_file(outfile, "wb"))) {
184 BIO_printf(bio_err,
185 "Can't open output file %s\n", outfile);
186 goto end;
187 }
188 } else {
189 out = BIO_new_fp(stdout, BIO_NOCLOSE);
190 }
191
192 if (pubin)
193 pkey = load_pubkey(bio_err, infile, informat, 1,
194 passin, e, "Public Key");
195 else
196 pkey = load_key(bio_err, infile, informat, 1,
197 passin, e, "key");
198 if (!pkey)
199 goto end;
200
201 if (!noout) {
202 if (outformat == FORMAT_PEM) {
203 if (pubout)
204 PEM_write_bio_PUBKEY(out, pkey);
205 else
206 PEM_write_bio_PrivateKey(out, pkey, cipher,
207 NULL, 0, NULL, passout);
208 } else if (outformat == FORMAT_ASN1) {
209 if (pubout)
210 i2d_PUBKEY_bio(out, pkey);
211 else
212 i2d_PrivateKey_bio(out, pkey);
213 } else {
214 BIO_printf(bio_err, "Bad format specified for key\n");
215 goto end;
216 }
217
218 }
219 if (text) {
220 if (pubtext)
221 EVP_PKEY_print_public(out, pkey, 0, NULL);
222 else
223 EVP_PKEY_print_private(out, pkey, 0, NULL);
224 }
225 ret = 0;
226
227end:
228 EVP_PKEY_free(pkey);
229 BIO_free_all(out);
230 BIO_free(in);
231 free(passin);
232 free(passout);
233
234 return ret;
235}
diff --git a/src/lib/libssl/src/apps/pkeyparam.c b/src/lib/libssl/src/apps/pkeyparam.c
deleted file mode 100644
index 3ae73efb68..0000000000
--- a/src/lib/libssl/src/apps/pkeyparam.c
+++ /dev/null
@@ -1,173 +0,0 @@
1/* $OpenBSD: pkeyparam.c,v 1.9 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include "apps.h"
63
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/pem.h>
67
68int pkeyparam_main(int, char **);
69
70int
71pkeyparam_main(int argc, char **argv)
72{
73 char **args, *infile = NULL, *outfile = NULL;
74 BIO *in = NULL, *out = NULL;
75 int text = 0, noout = 0;
76 EVP_PKEY *pkey = NULL;
77 int badarg = 0;
78#ifndef OPENSSL_NO_ENGINE
79 char *engine = NULL;
80#endif
81 int ret = 1;
82
83 ERR_load_crypto_strings();
84 OpenSSL_add_all_algorithms();
85 args = argv + 1;
86 while (!badarg && *args && *args[0] == '-') {
87 if (!strcmp(*args, "-in")) {
88 if (args[1]) {
89 args++;
90 infile = *args;
91 } else
92 badarg = 1;
93 } else if (!strcmp(*args, "-out")) {
94 if (args[1]) {
95 args++;
96 outfile = *args;
97 } else
98 badarg = 1;
99 }
100#ifndef OPENSSL_NO_ENGINE
101 else if (strcmp(*args, "-engine") == 0) {
102 if (!args[1])
103 goto bad;
104 engine = *(++args);
105 }
106#endif
107
108 else if (strcmp(*args, "-text") == 0)
109 text = 1;
110 else if (strcmp(*args, "-noout") == 0)
111 noout = 1;
112 args++;
113 }
114
115 if (badarg) {
116#ifndef OPENSSL_NO_ENGINE
117bad:
118#endif
119 BIO_printf(bio_err, "Usage pkeyparam [options]\n");
120 BIO_printf(bio_err, "where options are\n");
121 BIO_printf(bio_err, "-in file input file\n");
122 BIO_printf(bio_err, "-out file output file\n");
123 BIO_printf(bio_err, "-text print parameters as text\n");
124 BIO_printf(bio_err, "-noout don't output encoded parameters\n");
125#ifndef OPENSSL_NO_ENGINE
126 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
127#endif
128 return 1;
129 }
130#ifndef OPENSSL_NO_ENGINE
131 setup_engine(bio_err, engine, 0);
132#endif
133
134 if (infile) {
135 if (!(in = BIO_new_file(infile, "r"))) {
136 BIO_printf(bio_err,
137 "Can't open input file %s\n", infile);
138 goto end;
139 }
140 } else
141 in = BIO_new_fp(stdin, BIO_NOCLOSE);
142
143 if (outfile) {
144 if (!(out = BIO_new_file(outfile, "w"))) {
145 BIO_printf(bio_err,
146 "Can't open output file %s\n", outfile);
147 goto end;
148 }
149 } else {
150 out = BIO_new_fp(stdout, BIO_NOCLOSE);
151 }
152
153 pkey = PEM_read_bio_Parameters(in, NULL);
154 if (!pkey) {
155 BIO_printf(bio_err, "Error reading parameters\n");
156 ERR_print_errors(bio_err);
157 goto end;
158 }
159 if (!noout)
160 PEM_write_bio_Parameters(out, pkey);
161
162 if (text)
163 EVP_PKEY_print_params(out, pkey, 0, NULL);
164
165 ret = 0;
166
167end:
168 EVP_PKEY_free(pkey);
169 BIO_free_all(out);
170 BIO_free(in);
171
172 return ret;
173}
diff --git a/src/lib/libssl/src/apps/pkeyutl.c b/src/lib/libssl/src/apps/pkeyutl.c
deleted file mode 100644
index df173f4374..0000000000
--- a/src/lib/libssl/src/apps/pkeyutl.c
+++ /dev/null
@@ -1,503 +0,0 @@
1/* $OpenBSD: pkeyutl.c,v 1.14 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <string.h>
60
61#include "apps.h"
62
63#include <openssl/err.h>
64#include <openssl/evp.h>
65#include <openssl/pem.h>
66
67#define KEY_PRIVKEY 1
68#define KEY_PUBKEY 2
69#define KEY_CERT 3
70
71static void usage(void);
72
73static EVP_PKEY_CTX *init_ctx(int *pkeysize,
74 char *keyfile, int keyform, int key_type,
75 char *passargin, int pkey_op, ENGINE * e);
76
77static int setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
78 const char *file);
79
80static int do_keyop(EVP_PKEY_CTX * ctx, int pkey_op,
81 unsigned char *out, size_t * poutlen,
82 unsigned char *in, size_t inlen);
83
84int pkeyutl_main(int argc, char **);
85
86int
87pkeyutl_main(int argc, char **argv)
88{
89 BIO *in = NULL, *out = NULL;
90 char *infile = NULL, *outfile = NULL, *sigfile = NULL;
91 ENGINE *e = NULL;
92 int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
93 int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
94 char badarg = 0, rev = 0;
95 char hexdump = 0, asn1parse = 0;
96 EVP_PKEY_CTX *ctx = NULL;
97 char *passargin = NULL;
98 int keysize = -1;
99
100 unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
101 size_t buf_outlen;
102 int buf_inlen = 0, siglen = -1;
103
104 int ret = 1, rv = -1;
105
106 argc--;
107 argv++;
108
109 ERR_load_crypto_strings();
110 OpenSSL_add_all_algorithms();
111
112 while (argc >= 1) {
113 if (!strcmp(*argv, "-in")) {
114 if (--argc < 1)
115 badarg = 1;
116 else
117 infile = *(++argv);
118 } else if (!strcmp(*argv, "-out")) {
119 if (--argc < 1)
120 badarg = 1;
121 else
122 outfile = *(++argv);
123 } else if (!strcmp(*argv, "-sigfile")) {
124 if (--argc < 1)
125 badarg = 1;
126 else
127 sigfile = *(++argv);
128 } else if (!strcmp(*argv, "-inkey")) {
129 if (--argc < 1)
130 badarg = 1;
131 else {
132 ctx = init_ctx(&keysize,
133 *(++argv), keyform, key_type,
134 passargin, pkey_op, e);
135 if (!ctx) {
136 BIO_puts(bio_err,
137 "Error initializing context\n");
138 ERR_print_errors(bio_err);
139 badarg = 1;
140 }
141 }
142 } else if (!strcmp(*argv, "-peerkey")) {
143 if (--argc < 1)
144 badarg = 1;
145 else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
146 badarg = 1;
147 } else if (!strcmp(*argv, "-passin")) {
148 if (--argc < 1)
149 badarg = 1;
150 else
151 passargin = *(++argv);
152 } else if (strcmp(*argv, "-peerform") == 0) {
153 if (--argc < 1)
154 badarg = 1;
155 else
156 peerform = str2fmt(*(++argv));
157 } else if (strcmp(*argv, "-keyform") == 0) {
158 if (--argc < 1)
159 badarg = 1;
160 else
161 keyform = str2fmt(*(++argv));
162 }
163#ifndef OPENSSL_NO_ENGINE
164 else if (!strcmp(*argv, "-engine")) {
165 if (--argc < 1)
166 badarg = 1;
167 else
168 e = setup_engine(bio_err, *(++argv), 0);
169 }
170#endif
171 else if (!strcmp(*argv, "-pubin"))
172 key_type = KEY_PUBKEY;
173 else if (!strcmp(*argv, "-certin"))
174 key_type = KEY_CERT;
175 else if (!strcmp(*argv, "-asn1parse"))
176 asn1parse = 1;
177 else if (!strcmp(*argv, "-hexdump"))
178 hexdump = 1;
179 else if (!strcmp(*argv, "-sign"))
180 pkey_op = EVP_PKEY_OP_SIGN;
181 else if (!strcmp(*argv, "-verify"))
182 pkey_op = EVP_PKEY_OP_VERIFY;
183 else if (!strcmp(*argv, "-verifyrecover"))
184 pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
185 else if (!strcmp(*argv, "-rev"))
186 rev = 1;
187 else if (!strcmp(*argv, "-encrypt"))
188 pkey_op = EVP_PKEY_OP_ENCRYPT;
189 else if (!strcmp(*argv, "-decrypt"))
190 pkey_op = EVP_PKEY_OP_DECRYPT;
191 else if (!strcmp(*argv, "-derive"))
192 pkey_op = EVP_PKEY_OP_DERIVE;
193 else if (strcmp(*argv, "-pkeyopt") == 0) {
194 if (--argc < 1)
195 badarg = 1;
196 else if (!ctx) {
197 BIO_puts(bio_err,
198 "-pkeyopt command before -inkey\n");
199 badarg = 1;
200 } else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) {
201 BIO_puts(bio_err, "parameter setting error\n");
202 ERR_print_errors(bio_err);
203 goto end;
204 }
205 } else
206 badarg = 1;
207 if (badarg) {
208 usage();
209 goto end;
210 }
211 argc--;
212 argv++;
213 }
214
215 if (!ctx) {
216 usage();
217 goto end;
218 }
219 if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
220 BIO_puts(bio_err, "Signature file specified for non verify\n");
221 goto end;
222 }
223 if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
224 BIO_puts(bio_err, "No signature file specified for verify\n");
225 goto end;
226 }
227
228 if (pkey_op != EVP_PKEY_OP_DERIVE) {
229 if (infile) {
230 if (!(in = BIO_new_file(infile, "rb"))) {
231 BIO_puts(bio_err,
232 "Error Opening Input File\n");
233 ERR_print_errors(bio_err);
234 goto end;
235 }
236 } else
237 in = BIO_new_fp(stdin, BIO_NOCLOSE);
238 }
239 if (outfile) {
240 if (!(out = BIO_new_file(outfile, "wb"))) {
241 BIO_printf(bio_err, "Error Creating Output File\n");
242 ERR_print_errors(bio_err);
243 goto end;
244 }
245 } else {
246 out = BIO_new_fp(stdout, BIO_NOCLOSE);
247 }
248
249 if (sigfile) {
250 BIO *sigbio = BIO_new_file(sigfile, "rb");
251 if (!sigbio) {
252 BIO_printf(bio_err, "Can't open signature file %s\n",
253 sigfile);
254 goto end;
255 }
256 siglen = bio_to_mem(&sig, keysize * 10, sigbio);
257 BIO_free(sigbio);
258 if (siglen <= 0) {
259 BIO_printf(bio_err, "Error reading signature data\n");
260 goto end;
261 }
262 }
263 if (in) {
264 /* Read the input data */
265 buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
266 if (buf_inlen <= 0) {
267 BIO_printf(bio_err, "Error reading input Data\n");
268 exit(1);
269 }
270 if (rev) {
271 size_t i;
272 unsigned char ctmp;
273 size_t l = (size_t) buf_inlen;
274 for (i = 0; i < l / 2; i++) {
275 ctmp = buf_in[i];
276 buf_in[i] = buf_in[l - 1 - i];
277 buf_in[l - 1 - i] = ctmp;
278 }
279 }
280 }
281 if (pkey_op == EVP_PKEY_OP_VERIFY) {
282 rv = EVP_PKEY_verify(ctx, sig, (size_t) siglen,
283 buf_in, (size_t) buf_inlen);
284 if (rv == 0)
285 BIO_puts(out, "Signature Verification Failure\n");
286 else if (rv == 1)
287 BIO_puts(out, "Signature Verified Successfully\n");
288 if (rv >= 0)
289 goto end;
290 } else {
291 rv = do_keyop(ctx, pkey_op, NULL, (size_t *) & buf_outlen,
292 buf_in, (size_t) buf_inlen);
293 if (rv > 0) {
294 buf_out = malloc(buf_outlen);
295 if (!buf_out)
296 rv = -1;
297 else
298 rv = do_keyop(ctx, pkey_op,
299 buf_out, (size_t *) & buf_outlen,
300 buf_in, (size_t) buf_inlen);
301 }
302 }
303
304 if (rv <= 0) {
305 BIO_printf(bio_err, "Public Key operation error\n");
306 ERR_print_errors(bio_err);
307 goto end;
308 }
309 ret = 0;
310 if (asn1parse) {
311 if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
312 ERR_print_errors(bio_err);
313 } else if (hexdump)
314 BIO_dump(out, (char *) buf_out, buf_outlen);
315 else
316 BIO_write(out, buf_out, buf_outlen);
317
318end:
319 if (ctx)
320 EVP_PKEY_CTX_free(ctx);
321 BIO_free(in);
322 BIO_free_all(out);
323 free(buf_in);
324 free(buf_out);
325 free(sig);
326
327 return ret;
328}
329
330static void
331usage()
332{
333 BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
334 BIO_printf(bio_err, "-in file input file\n");
335 BIO_printf(bio_err, "-out file output file\n");
336 BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");
337 BIO_printf(bio_err, "-inkey file input key\n");
338 BIO_printf(bio_err, "-keyform arg private key format - default PEM\n");
339 BIO_printf(bio_err, "-pubin input is a public key\n");
340 BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n");
341 BIO_printf(bio_err, "-pkeyopt X:Y public key options\n");
342 BIO_printf(bio_err, "-sign sign with private key\n");
343 BIO_printf(bio_err, "-verify verify with public key\n");
344 BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n");
345 BIO_printf(bio_err, "-encrypt encrypt with public key\n");
346 BIO_printf(bio_err, "-decrypt decrypt with private key\n");
347 BIO_printf(bio_err, "-derive derive shared secret\n");
348 BIO_printf(bio_err, "-hexdump hex dump output\n");
349#ifndef OPENSSL_NO_ENGINE
350 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
351#endif
352 BIO_printf(bio_err, "-passin arg pass phrase source\n");
353
354}
355
356static EVP_PKEY_CTX *
357init_ctx(int *pkeysize,
358 char *keyfile, int keyform, int key_type,
359 char *passargin, int pkey_op, ENGINE * e)
360{
361 EVP_PKEY *pkey = NULL;
362 EVP_PKEY_CTX *ctx = NULL;
363 char *passin = NULL;
364 int rv = -1;
365 X509 *x;
366 if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
367 || (pkey_op == EVP_PKEY_OP_DERIVE))
368 && (key_type != KEY_PRIVKEY)) {
369 BIO_printf(bio_err, "A private key is needed for this operation\n");
370 goto end;
371 }
372 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
373 BIO_printf(bio_err, "Error getting password\n");
374 goto end;
375 }
376 switch (key_type) {
377 case KEY_PRIVKEY:
378 pkey = load_key(bio_err, keyfile, keyform, 0,
379 passin, e, "Private Key");
380 break;
381
382 case KEY_PUBKEY:
383 pkey = load_pubkey(bio_err, keyfile, keyform, 0,
384 NULL, e, "Public Key");
385 break;
386
387 case KEY_CERT:
388 x = load_cert(bio_err, keyfile, keyform,
389 NULL, e, "Certificate");
390 if (x) {
391 pkey = X509_get_pubkey(x);
392 X509_free(x);
393 }
394 break;
395
396 }
397
398 *pkeysize = EVP_PKEY_size(pkey);
399
400 if (!pkey)
401 goto end;
402
403 ctx = EVP_PKEY_CTX_new(pkey, e);
404
405 EVP_PKEY_free(pkey);
406
407 if (!ctx)
408 goto end;
409
410 switch (pkey_op) {
411 case EVP_PKEY_OP_SIGN:
412 rv = EVP_PKEY_sign_init(ctx);
413 break;
414
415 case EVP_PKEY_OP_VERIFY:
416 rv = EVP_PKEY_verify_init(ctx);
417 break;
418
419 case EVP_PKEY_OP_VERIFYRECOVER:
420 rv = EVP_PKEY_verify_recover_init(ctx);
421 break;
422
423 case EVP_PKEY_OP_ENCRYPT:
424 rv = EVP_PKEY_encrypt_init(ctx);
425 break;
426
427 case EVP_PKEY_OP_DECRYPT:
428 rv = EVP_PKEY_decrypt_init(ctx);
429 break;
430
431 case EVP_PKEY_OP_DERIVE:
432 rv = EVP_PKEY_derive_init(ctx);
433 break;
434 }
435
436 if (rv <= 0) {
437 EVP_PKEY_CTX_free(ctx);
438 ctx = NULL;
439 }
440end:
441
442 free(passin);
443
444 return ctx;
445
446
447}
448
449static int
450setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
451 const char *file)
452{
453 EVP_PKEY *peer = NULL;
454 int ret;
455 if (!ctx) {
456 BIO_puts(err, "-peerkey command before -inkey\n");
457 return 0;
458 }
459 peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
460
461 if (!peer) {
462 BIO_printf(bio_err, "Error reading peer key %s\n", file);
463 ERR_print_errors(err);
464 return 0;
465 }
466 ret = EVP_PKEY_derive_set_peer(ctx, peer);
467
468 EVP_PKEY_free(peer);
469 if (ret <= 0)
470 ERR_print_errors(err);
471 return ret;
472}
473
474static int
475do_keyop(EVP_PKEY_CTX * ctx, int pkey_op,
476 unsigned char *out, size_t * poutlen,
477 unsigned char *in, size_t inlen)
478{
479 int rv = 0;
480 switch (pkey_op) {
481 case EVP_PKEY_OP_VERIFYRECOVER:
482 rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
483 break;
484
485 case EVP_PKEY_OP_SIGN:
486 rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
487 break;
488
489 case EVP_PKEY_OP_ENCRYPT:
490 rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
491 break;
492
493 case EVP_PKEY_OP_DECRYPT:
494 rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
495 break;
496
497 case EVP_PKEY_OP_DERIVE:
498 rv = EVP_PKEY_derive(ctx, out, poutlen);
499 break;
500
501 }
502 return rv;
503}
diff --git a/src/lib/libssl/src/apps/prime.c b/src/lib/libssl/src/apps/prime.c
deleted file mode 100644
index 710939f08d..0000000000
--- a/src/lib/libssl/src/apps/prime.c
+++ /dev/null
@@ -1,147 +0,0 @@
1/* $OpenBSD: prime.c,v 1.12 2014/07/14 00:35:10 deraadt Exp $ */
2/* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 *
49 */
50
51#include <string.h>
52#include <limits.h>
53
54#include "apps.h"
55
56#include <openssl/bn.h>
57
58int prime_main(int, char **);
59
60int
61prime_main(int argc, char **argv)
62{
63 int hex = 0;
64 int checks = 20;
65 int generate = 0;
66 int bits = 0;
67 int safe = 0;
68 BIGNUM *bn = NULL;
69 const char *errstr = NULL;
70 BIO *bio_out;
71
72 --argc;
73 ++argv;
74 while (argc >= 1 && **argv == '-') {
75 if (!strcmp(*argv, "-hex"))
76 hex = 1;
77 else if (!strcmp(*argv, "-generate"))
78 generate = 1;
79 else if (!strcmp(*argv, "-bits")) {
80 if (--argc < 1)
81 goto bad;
82 else
83 bits = strtonum(*(++argv), 0, INT_MAX, &errstr);
84 if (errstr)
85 goto bad;
86 } else if (!strcmp(*argv, "-safe"))
87 safe = 1;
88 else if (!strcmp(*argv, "-checks")) {
89 if (--argc < 1)
90 goto bad;
91 else
92 checks = strtonum(*(++argv), 0, INT_MAX, &errstr);
93 if (errstr)
94 goto bad;
95 } else {
96 BIO_printf(bio_err, "Unknown option '%s'\n", *argv);
97 goto bad;
98 }
99 --argc;
100 ++argv;
101 }
102
103 if (argv[0] == NULL && !generate) {
104 BIO_printf(bio_err, "No prime specified\n");
105 goto bad;
106 }
107 if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
108 BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
109 }
110 if (generate) {
111 char *s;
112
113 if (!bits) {
114 BIO_printf(bio_err, "Specifiy the number of bits.\n");
115 return 1;
116 }
117 bn = BN_new();
118 BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL);
119 s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
120 BIO_printf(bio_out, "%s\n", s);
121 free(s);
122 } else {
123 if (hex)
124 BN_hex2bn(&bn, argv[0]);
125 else
126 BN_dec2bn(&bn, argv[0]);
127
128 BN_print(bio_out, bn);
129 BIO_printf(bio_out, " is %sprime\n",
130 BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
131 }
132
133 BN_free(bn);
134 BIO_free_all(bio_out);
135
136 return 0;
137
138bad:
139 if (errstr)
140 BIO_printf(bio_err, "invalid argument %s: %s\n", *argv, errstr);
141 else {
142 BIO_printf(bio_err, "options are\n");
143 BIO_printf(bio_err, "%-14s hex\n", "-hex");
144 BIO_printf(bio_err, "%-14s number of checks\n", "-checks <n>");
145 }
146 return 1;
147}
diff --git a/src/lib/libssl/src/apps/progs.h b/src/lib/libssl/src/apps/progs.h
deleted file mode 100644
index c1a0898a46..0000000000
--- a/src/lib/libssl/src/apps/progs.h
+++ /dev/null
@@ -1,234 +0,0 @@
1/* $OpenBSD: progs.h,v 1.22 2014/07/28 17:57:18 tedu Exp $ */
2/* Public domain */
3
4extern int asn1parse_main(int argc, char *argv[]);
5extern int ca_main(int argc, char *argv[]);
6extern int ciphers_main(int argc, char *argv[]);
7extern int cms_main(int argc, char *argv[]);
8extern int crl2pkcs7_main(int argc, char *argv[]);
9extern int crl_main(int argc, char *argv[]);
10extern int dgst_main(int argc, char *argv[]);
11extern int dh_main(int argc, char *argv[]);
12extern int dhparam_main(int argc, char *argv[]);
13extern int dsa_main(int argc, char *argv[]);
14extern int dsaparam_main(int argc, char *argv[]);
15extern int ec_main(int argc, char *argv[]);
16extern int ecparam_main(int argc, char *argv[]);
17extern int enc_main(int argc, char *argv[]);
18extern int engine_main(int argc, char *argv[]);
19extern int errstr_main(int argc, char *argv[]);
20extern int gendh_main(int argc, char *argv[]);
21extern int gendsa_main(int argc, char *argv[]);
22extern int genpkey_main(int argc, char *argv[]);
23extern int genrsa_main(int argc, char *argv[]);
24extern int nseq_main(int argc, char *argv[]);
25extern int ocsp_main(int argc, char *argv[]);
26extern int passwd_main(int argc, char *argv[]);
27extern int pkcs7_main(int argc, char *argv[]);
28extern int pkcs8_main(int argc, char *argv[]);
29extern int pkcs12_main(int argc, char *argv[]);
30extern int pkey_main(int argc, char *argv[]);
31extern int pkeyparam_main(int argc, char *argv[]);
32extern int pkeyutl_main(int argc, char *argv[]);
33extern int prime_main(int argc, char *argv[]);
34extern int rand_main(int argc, char *argv[]);
35extern int req_main(int argc, char *argv[]);
36extern int rsa_main(int argc, char *argv[]);
37extern int rsautl_main(int argc, char *argv[]);
38extern int s_client_main(int argc, char *argv[]);
39extern int s_server_main(int argc, char *argv[]);
40extern int s_time_main(int argc, char *argv[]);
41extern int sess_id_main(int argc, char *argv[]);
42extern int smime_main(int argc, char *argv[]);
43extern int speed_main(int argc, char *argv[]);
44extern int spkac_main(int argc, char *argv[]);
45extern int ts_main(int argc, char *argv[]);
46extern int verify_main(int argc, char *argv[]);
47extern int version_main(int argc, char *argv[]);
48extern int x509_main(int argc, char *argv[]);
49
50#define FUNC_TYPE_GENERAL 1
51#define FUNC_TYPE_MD 2
52#define FUNC_TYPE_CIPHER 3
53#define FUNC_TYPE_PKEY 4
54#define FUNC_TYPE_MD_ALG 5
55#define FUNC_TYPE_CIPHER_ALG 6
56
57typedef struct {
58 int type;
59 const char *name;
60 int (*func)(int argc, char *argv[]);
61} FUNCTION;
62DECLARE_LHASH_OF(FUNCTION);
63
64FUNCTION functions[] = {
65
66 /* General functions. */
67 { FUNC_TYPE_GENERAL, "asn1parse", asn1parse_main },
68 { FUNC_TYPE_GENERAL, "ca", ca_main },
69 { FUNC_TYPE_GENERAL, "ciphers", ciphers_main },
70#ifndef OPENSSL_NO_CMS
71 { FUNC_TYPE_GENERAL, "cms", cms_main },
72#endif
73 { FUNC_TYPE_GENERAL, "crl2pkcs7", crl2pkcs7_main },
74 { FUNC_TYPE_GENERAL, "crl", crl_main },
75 { FUNC_TYPE_GENERAL, "dgst", dgst_main },
76 { FUNC_TYPE_GENERAL, "enc", enc_main },
77#ifndef OPENSSL_NO_ENGINE
78 { FUNC_TYPE_GENERAL, "engine", engine_main },
79#endif
80 { FUNC_TYPE_GENERAL, "errstr", errstr_main },
81 { FUNC_TYPE_GENERAL, "genpkey", genpkey_main },
82 { FUNC_TYPE_GENERAL, "nseq", nseq_main },
83#ifndef OPENSSL_NO_OCSP
84 { FUNC_TYPE_GENERAL, "ocsp", ocsp_main },
85#endif
86 { FUNC_TYPE_GENERAL, "passwd", passwd_main },
87 { FUNC_TYPE_GENERAL, "pkcs7", pkcs7_main },
88 { FUNC_TYPE_GENERAL, "pkcs8", pkcs8_main },
89#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
90 { FUNC_TYPE_GENERAL, "pkcs12", pkcs12_main },
91#endif
92 { FUNC_TYPE_GENERAL, "pkey", pkey_main },
93 { FUNC_TYPE_GENERAL, "pkeyparam", pkeyparam_main },
94 { FUNC_TYPE_GENERAL, "pkeyutl", pkeyutl_main },
95 { FUNC_TYPE_GENERAL, "prime", prime_main },
96 { FUNC_TYPE_GENERAL, "rand", rand_main },
97 { FUNC_TYPE_GENERAL, "req", req_main },
98 { FUNC_TYPE_GENERAL, "s_client", s_client_main },
99 { FUNC_TYPE_GENERAL, "s_server", s_server_main },
100 { FUNC_TYPE_GENERAL, "s_time", s_time_main },
101 { FUNC_TYPE_GENERAL, "sess_id", sess_id_main },
102 { FUNC_TYPE_GENERAL, "smime", smime_main },
103#ifndef OPENSSL_NO_SPEED
104 { FUNC_TYPE_GENERAL, "speed", speed_main },
105#endif
106 { FUNC_TYPE_GENERAL, "spkac", spkac_main },
107 { FUNC_TYPE_GENERAL, "ts", ts_main },
108 { FUNC_TYPE_GENERAL, "verify", verify_main },
109 { FUNC_TYPE_GENERAL, "version", version_main },
110 { FUNC_TYPE_GENERAL, "x509", x509_main },
111
112#ifndef OPENSSL_NO_DH
113 { FUNC_TYPE_GENERAL, "dh", dh_main },
114 { FUNC_TYPE_GENERAL, "dhparam", dhparam_main },
115 { FUNC_TYPE_GENERAL, "gendh", gendh_main },
116#endif
117#ifndef OPENSSL_NO_DSA
118 { FUNC_TYPE_GENERAL, "dsa", dsa_main },
119 { FUNC_TYPE_GENERAL, "dsaparam", dsaparam_main },
120 { FUNC_TYPE_GENERAL, "gendsa", gendsa_main },
121#endif
122#ifndef OPENSSL_NO_EC
123 { FUNC_TYPE_GENERAL, "ec", ec_main },
124 { FUNC_TYPE_GENERAL, "ecparam", ecparam_main },
125#endif
126#ifndef OPENSSL_NO_RSA
127 { FUNC_TYPE_GENERAL, "genrsa", genrsa_main },
128 { FUNC_TYPE_GENERAL, "rsa", rsa_main },
129 { FUNC_TYPE_GENERAL, "rsautl", rsautl_main },
130#endif
131
132 /* Message Digests. */
133#ifndef OPENSSL_NO_MD4
134 { FUNC_TYPE_MD, "md4", dgst_main },
135#endif
136#ifndef OPENSSL_NO_MD5
137 { FUNC_TYPE_MD, "md5", dgst_main },
138#endif
139#ifndef OPENSSL_NO_RMD160
140 { FUNC_TYPE_MD, "rmd160", dgst_main },
141#endif
142#ifndef OPENSSL_NO_SHA
143 { FUNC_TYPE_MD, "sha", dgst_main },
144#endif
145#ifndef OPENSSL_NO_SHA1
146 { FUNC_TYPE_MD, "sha1", dgst_main },
147#endif
148
149 /* Ciphers. */
150 { FUNC_TYPE_CIPHER, "base64", enc_main },
151#ifndef OPENSSL_NO_AES
152 { FUNC_TYPE_CIPHER, "aes-128-cbc", enc_main },
153 { FUNC_TYPE_CIPHER, "aes-128-ecb", enc_main },
154 { FUNC_TYPE_CIPHER, "aes-192-cbc", enc_main },
155 { FUNC_TYPE_CIPHER, "aes-192-ecb", enc_main },
156 { FUNC_TYPE_CIPHER, "aes-256-cbc", enc_main },
157 { FUNC_TYPE_CIPHER, "aes-256-ecb", enc_main },
158#endif
159#ifndef OPENSSL_NO_BF
160 { FUNC_TYPE_CIPHER, "bf", enc_main },
161 { FUNC_TYPE_CIPHER, "bf-cbc", enc_main },
162 { FUNC_TYPE_CIPHER, "bf-ecb", enc_main },
163 { FUNC_TYPE_CIPHER, "bf-cfb", enc_main },
164 { FUNC_TYPE_CIPHER, "bf-ofb", enc_main },
165#endif
166#ifndef OPENSSL_NO_CAMELLIA
167 { FUNC_TYPE_CIPHER, "camellia-128-cbc", enc_main },
168 { FUNC_TYPE_CIPHER, "camellia-128-ecb", enc_main },
169 { FUNC_TYPE_CIPHER, "camellia-192-cbc", enc_main },
170 { FUNC_TYPE_CIPHER, "camellia-192-ecb", enc_main },
171 { FUNC_TYPE_CIPHER, "camellia-256-cbc", enc_main },
172 { FUNC_TYPE_CIPHER, "camellia-256-ecb", enc_main },
173#endif
174#ifndef OPENSSL_NO_CAST
175 { FUNC_TYPE_CIPHER, "cast", enc_main },
176 { FUNC_TYPE_CIPHER, "cast5-cbc", enc_main },
177 { FUNC_TYPE_CIPHER, "cast5-ecb", enc_main },
178 { FUNC_TYPE_CIPHER, "cast5-cfb", enc_main },
179 { FUNC_TYPE_CIPHER, "cast5-ofb", enc_main },
180 { FUNC_TYPE_CIPHER, "cast-cbc", enc_main },
181#endif
182#ifndef OPENSSL_NO_CHACHA
183 { FUNC_TYPE_CIPHER, "chacha", enc_main },
184#endif
185#ifndef OPENSSL_NO_DES
186 { FUNC_TYPE_CIPHER, "des", enc_main },
187 { FUNC_TYPE_CIPHER, "des3", enc_main },
188 { FUNC_TYPE_CIPHER, "desx", enc_main },
189 { FUNC_TYPE_CIPHER, "des-ecb", enc_main },
190 { FUNC_TYPE_CIPHER, "des-ede", enc_main },
191 { FUNC_TYPE_CIPHER, "des-ede3", enc_main },
192 { FUNC_TYPE_CIPHER, "des-cbc", enc_main },
193 { FUNC_TYPE_CIPHER, "des-ede-cbc", enc_main },
194 { FUNC_TYPE_CIPHER, "des-ede3-cbc", enc_main },
195 { FUNC_TYPE_CIPHER, "des-cfb", enc_main },
196 { FUNC_TYPE_CIPHER, "des-ede-cfb", enc_main },
197 { FUNC_TYPE_CIPHER, "des-ede3-cfb", enc_main },
198 { FUNC_TYPE_CIPHER, "des-ofb", enc_main },
199 { FUNC_TYPE_CIPHER, "des-ede-ofb", enc_main },
200 { FUNC_TYPE_CIPHER, "des-ede3-ofb", enc_main },
201#endif
202#ifndef OPENSSL_NO_IDEA
203 { FUNC_TYPE_CIPHER, "idea", enc_main },
204 { FUNC_TYPE_CIPHER, "idea-cbc", enc_main },
205 { FUNC_TYPE_CIPHER, "idea-ecb", enc_main },
206 { FUNC_TYPE_CIPHER, "idea-cfb", enc_main },
207 { FUNC_TYPE_CIPHER, "idea-ofb", enc_main },
208#endif
209#ifndef OPENSSL_NO_RC2
210 { FUNC_TYPE_CIPHER, "rc2", enc_main },
211 { FUNC_TYPE_CIPHER, "rc2-cbc", enc_main },
212 { FUNC_TYPE_CIPHER, "rc2-ecb", enc_main },
213 { FUNC_TYPE_CIPHER, "rc2-cfb", enc_main },
214 { FUNC_TYPE_CIPHER, "rc2-ofb", enc_main },
215 { FUNC_TYPE_CIPHER, "rc2-64-cbc", enc_main },
216 { FUNC_TYPE_CIPHER, "rc2-40-cbc", enc_main },
217#endif
218#ifndef OPENSSL_NO_RC4
219 { FUNC_TYPE_CIPHER, "rc4", enc_main },
220 { FUNC_TYPE_CIPHER, "rc4-40", enc_main },
221#endif
222#ifndef OPENSSL_NO_RC5
223 { FUNC_TYPE_CIPHER, "rc5", enc_main },
224 { FUNC_TYPE_CIPHER, "rc5-cbc", enc_main },
225 { FUNC_TYPE_CIPHER, "rc5-ecb", enc_main },
226 { FUNC_TYPE_CIPHER, "rc5-cfb", enc_main },
227 { FUNC_TYPE_CIPHER, "rc5-ofb", enc_main },
228#endif
229#ifdef ZLIB
230 { FUNC_TYPE_CIPHER, "zlib", enc_main },
231#endif
232
233 { 0, NULL, NULL }
234};
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
deleted file mode 100644
index 9d7aba4d86..0000000000
--- a/src/lib/libssl/src/apps/rand.c
+++ /dev/null
@@ -1,194 +0,0 @@
1/* $OpenBSD: rand.c,v 1.22 2014/07/14 00:35:10 deraadt Exp $ */
2/* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <ctype.h>
57#include <stdio.h>
58#include <string.h>
59
60#include "apps.h"
61
62#include <openssl/bio.h>
63#include <openssl/err.h>
64#include <openssl/rand.h>
65
66/* -out file - write to file
67 * -base64 - base64 encode output
68 * -hex - hex encode output
69 * num - write 'num' bytes
70 */
71
72int rand_main(int, char **);
73
74int
75rand_main(int argc, char **argv)
76{
77 int i, r, ret = 1;
78 int badopt;
79 char *outfile = NULL;
80 int base64 = 0;
81 int hex = 0;
82 BIO *out = NULL;
83 int num = -1;
84#ifndef OPENSSL_NO_ENGINE
85 char *engine = NULL;
86#endif
87
88 badopt = 0;
89 i = 0;
90 while (!badopt && argv[++i] != NULL) {
91 if (strcmp(argv[i], "-out") == 0) {
92 if ((argv[i + 1] != NULL) && (outfile == NULL))
93 outfile = argv[++i];
94 else
95 badopt = 1;
96 }
97#ifndef OPENSSL_NO_ENGINE
98 else if (strcmp(argv[i], "-engine") == 0) {
99 if ((argv[i + 1] != NULL) && (engine == NULL))
100 engine = argv[++i];
101 else
102 badopt = 1;
103 }
104#endif
105 else if (strcmp(argv[i], "-base64") == 0) {
106 if (!base64)
107 base64 = 1;
108 else
109 badopt = 1;
110 } else if (strcmp(argv[i], "-hex") == 0) {
111 if (!hex)
112 hex = 1;
113 else
114 badopt = 1;
115 } else if (isdigit((unsigned char) argv[i][0])) {
116 if (num < 0) {
117 r = sscanf(argv[i], "%d", &num);
118 if (r == 0 || num < 0)
119 badopt = 1;
120 } else
121 badopt = 1;
122 } else
123 badopt = 1;
124 }
125
126 if (hex && base64)
127 badopt = 1;
128
129 if (num < 0)
130 badopt = 1;
131
132 if (badopt) {
133 BIO_printf(bio_err, "Usage: rand [options] num\n");
134 BIO_printf(bio_err, "where options are\n");
135 BIO_printf(bio_err, "-out file - write to file\n");
136#ifndef OPENSSL_NO_ENGINE
137 BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n");
138#endif
139 BIO_printf(bio_err, "-base64 - base64 encode output\n");
140 BIO_printf(bio_err, "-hex - hex encode output\n");
141 goto err;
142 }
143#ifndef OPENSSL_NO_ENGINE
144 setup_engine(bio_err, engine, 0);
145#endif
146
147 out = BIO_new(BIO_s_file());
148 if (out == NULL)
149 goto err;
150 if (outfile != NULL)
151 r = BIO_write_filename(out, outfile);
152 else {
153 r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
154 }
155 if (r <= 0)
156 goto err;
157
158 if (base64) {
159 BIO *b64 = BIO_new(BIO_f_base64());
160 if (b64 == NULL)
161 goto err;
162 out = BIO_push(b64, out);
163 }
164 while (num > 0) {
165 unsigned char buf[4096];
166 int chunk;
167
168 chunk = num;
169 if (chunk > (int) sizeof(buf))
170 chunk = sizeof buf;
171 r = RAND_bytes(buf, chunk);
172 if (r <= 0)
173 goto err;
174 if (!hex)
175 BIO_write(out, buf, chunk);
176 else {
177 for (i = 0; i < chunk; i++)
178 BIO_printf(out, "%02x", buf[i]);
179 }
180 num -= chunk;
181 }
182 if (hex)
183 BIO_puts(out, "\n");
184 (void) BIO_flush(out);
185
186 ret = 0;
187
188err:
189 ERR_print_errors(bio_err);
190 if (out)
191 BIO_free_all(out);
192
193 return (ret);
194}
diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c
deleted file mode 100644
index 7c2ce58f88..0000000000
--- a/src/lib/libssl/src/apps/req.c
+++ /dev/null
@@ -1,1602 +0,0 @@
1/* $OpenBSD: req.c,v 1.46 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* Until the key-gen callbacks are modified to use newer prototypes, we allow
60 * deprecated functions for openssl-internal code */
61#ifdef OPENSSL_NO_DEPRECATED
62#undef OPENSSL_NO_DEPRECATED
63#endif
64
65#include <stdio.h>
66#include <stdlib.h>
67#include <limits.h>
68#include <string.h>
69#include <time.h>
70
71#include "apps.h"
72
73#include <openssl/asn1.h>
74#include <openssl/bio.h>
75#include <openssl/bn.h>
76#include <openssl/conf.h>
77#include <openssl/err.h>
78#include <openssl/evp.h>
79#include <openssl/objects.h>
80#include <openssl/pem.h>
81#include <openssl/x509.h>
82#include <openssl/x509v3.h>
83
84#include <openssl/dsa.h>
85
86#include <openssl/rsa.h>
87
88#define SECTION "req"
89
90#define BITS "default_bits"
91#define KEYFILE "default_keyfile"
92#define PROMPT "prompt"
93#define DISTINGUISHED_NAME "distinguished_name"
94#define ATTRIBUTES "attributes"
95#define V3_EXTENSIONS "x509_extensions"
96#define REQ_EXTENSIONS "req_extensions"
97#define STRING_MASK "string_mask"
98#define UTF8_IN "utf8"
99
100#define DEFAULT_KEY_LENGTH 512
101#define MIN_KEY_LENGTH 384
102
103
104/* -inform arg - input format - default PEM (DER or PEM)
105 * -outform arg - output format - default PEM
106 * -in arg - input file - default stdin
107 * -out arg - output file - default stdout
108 * -verify - check request signature
109 * -noout - don't print stuff out.
110 * -text - print out human readable text.
111 * -nodes - no des encryption
112 * -config file - Load configuration file.
113 * -key file - make a request using key in file (or use it for verification).
114 * -keyform arg - key file format.
115 * -newkey - make a key and a request.
116 * -modulus - print RSA modulus.
117 * -pubkey - output Public Key.
118 * -x509 - output a self signed X509 structure instead.
119 * -asn1-kludge - output new certificate request in a format that some CA's
120 * require. This format is wrong
121 */
122
123static int make_REQ(X509_REQ * req, EVP_PKEY * pkey, char *dn, int mutlirdn,
124 int attribs, unsigned long chtype);
125static int build_subject(X509_REQ * req, char *subj, unsigned long chtype,
126 int multirdn);
127static int prompt_info(X509_REQ * req,
128 STACK_OF(CONF_VALUE) * dn_sk, char *dn_sect,
129 STACK_OF(CONF_VALUE) * attr_sk, char *attr_sect, int attribs,
130 unsigned long chtype);
131static int auto_info(X509_REQ * req, STACK_OF(CONF_VALUE) * sk,
132 STACK_OF(CONF_VALUE) * attr, int attribs,
133 unsigned long chtype);
134static int add_attribute_object(X509_REQ * req, char *text, const char *def,
135 char *value, int nid, int n_min,
136 int n_max, unsigned long chtype);
137static int add_DN_object(X509_NAME * n, char *text, const char *def, char *value,
138 int nid, int n_min, int n_max, unsigned long chtype, int mval);
139static int genpkey_cb(EVP_PKEY_CTX * ctx);
140static int req_check_len(int len, int n_min, int n_max);
141static int check_end(const char *str, const char *end);
142static EVP_PKEY_CTX *set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
143 long *pkeylen, char **palgnam,
144 ENGINE * keygen_engine);
145static CONF *req_conf = NULL;
146static int batch = 0;
147
148int req_main(int, char **);
149
150int
151req_main(int argc, char **argv)
152{
153 ENGINE *e = NULL, *gen_eng = NULL;
154 unsigned long nmflag = 0, reqflag = 0;
155 int ex = 1, x509 = 0, days = 30;
156 X509 *x509ss = NULL;
157 X509_REQ *req = NULL;
158 EVP_PKEY_CTX *genctx = NULL;
159 const char *keyalg = NULL;
160 char *keyalgstr = NULL;
161 STACK_OF(OPENSSL_STRING) * pkeyopts = NULL, *sigopts = NULL;
162 EVP_PKEY *pkey = NULL;
163 int i = 0, badops = 0, newreq = 0, verbose = 0, pkey_type = -1;
164 long newkey = -1;
165 BIO *in = NULL, *out = NULL;
166 int informat, outformat, verify = 0, noout = 0, text = 0, keyform = FORMAT_PEM;
167 int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
168 char *infile, *outfile, *prog, *keyfile = NULL, *template = NULL,
169 *keyout = NULL;
170#ifndef OPENSSL_NO_ENGINE
171 char *engine = NULL;
172#endif
173 char *extensions = NULL;
174 char *req_exts = NULL;
175 const EVP_CIPHER *cipher = NULL;
176 ASN1_INTEGER *serial = NULL;
177 int modulus = 0;
178 char *passargin = NULL, *passargout = NULL;
179 char *passin = NULL, *passout = NULL;
180 char *p;
181 char *subj = NULL;
182 int multirdn = 0;
183 const EVP_MD *md_alg = NULL, *digest = NULL;
184 unsigned long chtype = MBSTRING_ASC;
185
186 req_conf = NULL;
187#ifndef OPENSSL_NO_DES
188 cipher = EVP_des_ede3_cbc();
189#endif
190
191 infile = NULL;
192 outfile = NULL;
193 informat = FORMAT_PEM;
194 outformat = FORMAT_PEM;
195
196 prog = argv[0];
197 argc--;
198 argv++;
199 while (argc >= 1) {
200 if (strcmp(*argv, "-inform") == 0) {
201 if (--argc < 1)
202 goto bad;
203 informat = str2fmt(*(++argv));
204 } else if (strcmp(*argv, "-outform") == 0) {
205 if (--argc < 1)
206 goto bad;
207 outformat = str2fmt(*(++argv));
208 }
209#ifndef OPENSSL_NO_ENGINE
210 else if (strcmp(*argv, "-engine") == 0) {
211 if (--argc < 1)
212 goto bad;
213 engine = *(++argv);
214 } else if (strcmp(*argv, "-keygen_engine") == 0) {
215 if (--argc < 1)
216 goto bad;
217 gen_eng = ENGINE_by_id(*(++argv));
218 if (gen_eng == NULL) {
219 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
220 goto end;
221 }
222 }
223#endif
224 else if (strcmp(*argv, "-key") == 0) {
225 if (--argc < 1)
226 goto bad;
227 keyfile = *(++argv);
228 } else if (strcmp(*argv, "-pubkey") == 0) {
229 pubkey = 1;
230 } else if (strcmp(*argv, "-new") == 0) {
231 newreq = 1;
232 } else if (strcmp(*argv, "-config") == 0) {
233 if (--argc < 1)
234 goto bad;
235 template = *(++argv);
236 } else if (strcmp(*argv, "-keyform") == 0) {
237 if (--argc < 1)
238 goto bad;
239 keyform = str2fmt(*(++argv));
240 } else if (strcmp(*argv, "-in") == 0) {
241 if (--argc < 1)
242 goto bad;
243 infile = *(++argv);
244 } else if (strcmp(*argv, "-out") == 0) {
245 if (--argc < 1)
246 goto bad;
247 outfile = *(++argv);
248 } else if (strcmp(*argv, "-keyout") == 0) {
249 if (--argc < 1)
250 goto bad;
251 keyout = *(++argv);
252 } else if (strcmp(*argv, "-passin") == 0) {
253 if (--argc < 1)
254 goto bad;
255 passargin = *(++argv);
256 } else if (strcmp(*argv, "-passout") == 0) {
257 if (--argc < 1)
258 goto bad;
259 passargout = *(++argv);
260 } else if (strcmp(*argv, "-newkey") == 0) {
261 if (--argc < 1)
262 goto bad;
263 keyalg = *(++argv);
264 newreq = 1;
265 } else if (strcmp(*argv, "-pkeyopt") == 0) {
266 if (--argc < 1)
267 goto bad;
268 if (!pkeyopts)
269 pkeyopts = sk_OPENSSL_STRING_new_null();
270 if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
271 goto bad;
272 } else if (strcmp(*argv, "-sigopt") == 0) {
273 if (--argc < 1)
274 goto bad;
275 if (!sigopts)
276 sigopts = sk_OPENSSL_STRING_new_null();
277 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
278 goto bad;
279 } else if (strcmp(*argv, "-batch") == 0)
280 batch = 1;
281 else if (strcmp(*argv, "-newhdr") == 0)
282 newhdr = 1;
283 else if (strcmp(*argv, "-modulus") == 0)
284 modulus = 1;
285 else if (strcmp(*argv, "-verify") == 0)
286 verify = 1;
287 else if (strcmp(*argv, "-nodes") == 0)
288 nodes = 1;
289 else if (strcmp(*argv, "-noout") == 0)
290 noout = 1;
291 else if (strcmp(*argv, "-verbose") == 0)
292 verbose = 1;
293 else if (strcmp(*argv, "-utf8") == 0)
294 chtype = MBSTRING_UTF8;
295 else if (strcmp(*argv, "-nameopt") == 0) {
296 if (--argc < 1)
297 goto bad;
298 if (!set_name_ex(&nmflag, *(++argv)))
299 goto bad;
300 } else if (strcmp(*argv, "-reqopt") == 0) {
301 if (--argc < 1)
302 goto bad;
303 if (!set_cert_ex(&reqflag, *(++argv)))
304 goto bad;
305 } else if (strcmp(*argv, "-subject") == 0)
306 subject = 1;
307 else if (strcmp(*argv, "-text") == 0)
308 text = 1;
309 else if (strcmp(*argv, "-x509") == 0)
310 x509 = 1;
311 else if (strcmp(*argv, "-asn1-kludge") == 0)
312 kludge = 1;
313 else if (strcmp(*argv, "-no-asn1-kludge") == 0)
314 kludge = 0;
315 else if (strcmp(*argv, "-subj") == 0) {
316 if (--argc < 1)
317 goto bad;
318 subj = *(++argv);
319 } else if (strcmp(*argv, "-multivalue-rdn") == 0)
320 multirdn = 1;
321 else if (strcmp(*argv, "-days") == 0) {
322 const char *errstr;
323
324 if (--argc < 1)
325 goto bad;
326 days = strtonum(*(++argv), 1, INT_MAX, &errstr);
327 if (errstr) {
328 BIO_printf(bio_err, "bad -days %s, using 0: %s\n",
329 *argv, errstr);
330 days = 30;
331 }
332 } else if (strcmp(*argv, "-set_serial") == 0) {
333 if (--argc < 1)
334 goto bad;
335 serial = s2i_ASN1_INTEGER(NULL, *(++argv));
336 if (!serial)
337 goto bad;
338 } else if (strcmp(*argv, "-extensions") == 0) {
339 if (--argc < 1)
340 goto bad;
341 extensions = *(++argv);
342 } else if (strcmp(*argv, "-reqexts") == 0) {
343 if (--argc < 1)
344 goto bad;
345 req_exts = *(++argv);
346 } else if ((md_alg = EVP_get_digestbyname(&((*argv)[1]))) != NULL) {
347 /* ok */
348 digest = md_alg;
349 } else {
350 BIO_printf(bio_err, "unknown option %s\n", *argv);
351 badops = 1;
352 break;
353 }
354 argc--;
355 argv++;
356 }
357
358 if (badops) {
359bad:
360 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
361 BIO_printf(bio_err, "where options are\n");
362 BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
363 BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
364 BIO_printf(bio_err, " -in arg input file\n");
365 BIO_printf(bio_err, " -out arg output file\n");
366 BIO_printf(bio_err, " -text text form of request\n");
367 BIO_printf(bio_err, " -pubkey output public key\n");
368 BIO_printf(bio_err, " -noout do not output REQ\n");
369 BIO_printf(bio_err, " -verify verify signature on REQ\n");
370 BIO_printf(bio_err, " -modulus RSA modulus\n");
371 BIO_printf(bio_err, " -nodes don't encrypt the output key\n");
372#ifndef OPENSSL_NO_ENGINE
373 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device\n");
374#endif
375 BIO_printf(bio_err, " -subject output the request's subject\n");
376 BIO_printf(bio_err, " -passin private key password source\n");
377 BIO_printf(bio_err, " -key file use the private key contained in file\n");
378 BIO_printf(bio_err, " -keyform arg key file format\n");
379 BIO_printf(bio_err, " -keyout arg file to send the key to\n");
380 BIO_printf(bio_err, " -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
381 BIO_printf(bio_err, " -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
382 BIO_printf(bio_err, " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
383 BIO_printf(bio_err, " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
384 BIO_printf(bio_err, " -config file request template file.\n");
385 BIO_printf(bio_err, " -subj arg set or modify request subject\n");
386 BIO_printf(bio_err, " -multivalue-rdn enable support for multivalued RDNs\n");
387 BIO_printf(bio_err, " -new new request.\n");
388 BIO_printf(bio_err, " -batch do not ask anything during request generation\n");
389 BIO_printf(bio_err, " -x509 output a x509 structure instead of a cert. req.\n");
390 BIO_printf(bio_err, " -days number of days a certificate generated by -x509 is valid for.\n");
391 BIO_printf(bio_err, " -set_serial serial number to use for a certificate generated by -x509.\n");
392 BIO_printf(bio_err, " -newhdr output \"NEW\" in the header lines\n");
393 BIO_printf(bio_err, " -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
394 BIO_printf(bio_err, " have been reported as requiring\n");
395 BIO_printf(bio_err, " -extensions .. specify certificate extension section (override value in config file)\n");
396 BIO_printf(bio_err, " -reqexts .. specify request extension section (override value in config file)\n");
397 BIO_printf(bio_err, " -utf8 input characters are UTF8 (default ASCII)\n");
398 BIO_printf(bio_err, " -nameopt arg - various certificate name options\n");
399 BIO_printf(bio_err, " -reqopt arg - various request text options\n\n");
400 goto end;
401 }
402 ERR_load_crypto_strings();
403 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
404 BIO_printf(bio_err, "Error getting passwords\n");
405 goto end;
406 }
407 if (template != NULL) {
408 long errline = -1;
409
410 if (verbose)
411 BIO_printf(bio_err, "Using configuration from %s\n", template);
412 req_conf = NCONF_new(NULL);
413 i = NCONF_load(req_conf, template, &errline);
414 if (i == 0) {
415 BIO_printf(bio_err, "error on line %ld of %s\n", errline, template);
416 goto end;
417 }
418 } else {
419 req_conf = config;
420
421 if (req_conf == NULL) {
422 BIO_printf(bio_err, "Unable to load config info from %s\n", default_config_file);
423 if (newreq)
424 goto end;
425 } else if (verbose)
426 BIO_printf(bio_err, "Using configuration from %s\n",
427 default_config_file);
428 }
429
430 if (req_conf != NULL) {
431 if (!load_config(bio_err, req_conf))
432 goto end;
433 p = NCONF_get_string(req_conf, NULL, "oid_file");
434 if (p == NULL)
435 ERR_clear_error();
436 if (p != NULL) {
437 BIO *oid_bio;
438
439 oid_bio = BIO_new_file(p, "r");
440 if (oid_bio == NULL) {
441 /*
442 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
443 ERR_print_errors(bio_err);
444 */
445 } else {
446 OBJ_create_objects(oid_bio);
447 BIO_free(oid_bio);
448 }
449 }
450 }
451 if (!add_oid_section(bio_err, req_conf))
452 goto end;
453
454 if (md_alg == NULL) {
455 p = NCONF_get_string(req_conf, SECTION, "default_md");
456 if (p == NULL)
457 ERR_clear_error();
458 if (p != NULL) {
459 if ((md_alg = EVP_get_digestbyname(p)) != NULL)
460 digest = md_alg;
461 }
462 }
463 if (!extensions) {
464 extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
465 if (!extensions)
466 ERR_clear_error();
467 }
468 if (extensions) {
469 /* Check syntax of file */
470 X509V3_CTX ctx;
471 X509V3_set_ctx_test(&ctx);
472 X509V3_set_nconf(&ctx, req_conf);
473 if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
474 BIO_printf(bio_err,
475 "Error Loading extension section %s\n", extensions);
476 goto end;
477 }
478 }
479 if (!passin) {
480 passin = NCONF_get_string(req_conf, SECTION, "input_password");
481 if (!passin)
482 ERR_clear_error();
483 }
484 if (!passout) {
485 passout = NCONF_get_string(req_conf, SECTION, "output_password");
486 if (!passout)
487 ERR_clear_error();
488 }
489 p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
490 if (!p)
491 ERR_clear_error();
492
493 if (p && !ASN1_STRING_set_default_mask_asc(p)) {
494 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
495 goto end;
496 }
497 if (chtype != MBSTRING_UTF8) {
498 p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
499 if (!p)
500 ERR_clear_error();
501 else if (!strcmp(p, "yes"))
502 chtype = MBSTRING_UTF8;
503 }
504 if (!req_exts) {
505 req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
506 if (!req_exts)
507 ERR_clear_error();
508 }
509 if (req_exts) {
510 /* Check syntax of file */
511 X509V3_CTX ctx;
512 X509V3_set_ctx_test(&ctx);
513 X509V3_set_nconf(&ctx, req_conf);
514 if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
515 BIO_printf(bio_err,
516 "Error Loading request extension section %s\n",
517 req_exts);
518 goto end;
519 }
520 }
521 in = BIO_new(BIO_s_file());
522 out = BIO_new(BIO_s_file());
523 if ((in == NULL) || (out == NULL))
524 goto end;
525
526#ifndef OPENSSL_NO_ENGINE
527 e = setup_engine(bio_err, engine, 0);
528#endif
529
530 if (keyfile != NULL) {
531 pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
532 "Private Key");
533 if (!pkey) {
534 /*
535 * load_key() has already printed an appropriate
536 * message
537 */
538 goto end;
539 }
540 }
541 if (newreq && (pkey == NULL)) {
542 if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
543 newkey = DEFAULT_KEY_LENGTH;
544 }
545 if (keyalg) {
546 genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
547 &keyalgstr, gen_eng);
548 if (!genctx)
549 goto end;
550 }
551 if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
552 BIO_printf(bio_err, "private key length is too short,\n");
553 BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", MIN_KEY_LENGTH, newkey);
554 goto end;
555 }
556 if (!genctx) {
557 genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
558 &keyalgstr, gen_eng);
559 if (!genctx)
560 goto end;
561 }
562 if (pkeyopts) {
563 char *genopt;
564 for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
565 genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
566 if (pkey_ctrl_string(genctx, genopt) <= 0) {
567 BIO_printf(bio_err,
568 "parameter error \"%s\"\n",
569 genopt);
570 ERR_print_errors(bio_err);
571 goto end;
572 }
573 }
574 }
575 BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
576 newkey, keyalgstr);
577
578 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
579 EVP_PKEY_CTX_set_app_data(genctx, bio_err);
580
581 if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
582 BIO_puts(bio_err, "Error Generating Key\n");
583 goto end;
584 }
585 EVP_PKEY_CTX_free(genctx);
586 genctx = NULL;
587
588 if (keyout == NULL) {
589 keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
590 if (keyout == NULL)
591 ERR_clear_error();
592 }
593 if (keyout == NULL) {
594 BIO_printf(bio_err, "writing new private key to stdout\n");
595 BIO_set_fp(out, stdout, BIO_NOCLOSE);
596 } else {
597 BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
598 if (BIO_write_filename(out, keyout) <= 0) {
599 perror(keyout);
600 goto end;
601 }
602 }
603
604 p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
605 if (p == NULL) {
606 ERR_clear_error();
607 p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
608 if (p == NULL)
609 ERR_clear_error();
610 }
611 if ((p != NULL) && (strcmp(p, "no") == 0))
612 cipher = NULL;
613 if (nodes)
614 cipher = NULL;
615
616 i = 0;
617loop:
618 if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
619 NULL, 0, NULL, passout)) {
620 if ((ERR_GET_REASON(ERR_peek_error()) ==
621 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
622 ERR_clear_error();
623 i++;
624 goto loop;
625 }
626 goto end;
627 }
628 BIO_printf(bio_err, "-----\n");
629 }
630 if (!newreq) {
631 /*
632 * Since we are using a pre-existing certificate request, the
633 * kludge 'format' info should not be changed.
634 */
635 kludge = -1;
636 if (infile == NULL)
637 BIO_set_fp(in, stdin, BIO_NOCLOSE);
638 else {
639 if (BIO_read_filename(in, infile) <= 0) {
640 perror(infile);
641 goto end;
642 }
643 }
644
645 if (informat == FORMAT_ASN1)
646 req = d2i_X509_REQ_bio(in, NULL);
647 else if (informat == FORMAT_PEM)
648 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
649 else {
650 BIO_printf(bio_err, "bad input format specified for X509 request\n");
651 goto end;
652 }
653 if (req == NULL) {
654 BIO_printf(bio_err, "unable to load X509 request\n");
655 goto end;
656 }
657 }
658 if (newreq || x509) {
659 if (pkey == NULL) {
660 BIO_printf(bio_err, "you need to specify a private key\n");
661 goto end;
662 }
663 if (req == NULL) {
664 req = X509_REQ_new();
665 if (req == NULL) {
666 goto end;
667 }
668 i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
669 subj = NULL; /* done processing '-subj' option */
670 if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
671 sk_X509_ATTRIBUTE_free(req->req_info->attributes);
672 req->req_info->attributes = NULL;
673 }
674 if (!i) {
675 BIO_printf(bio_err, "problems making Certificate Request\n");
676 goto end;
677 }
678 }
679 if (x509) {
680 EVP_PKEY *tmppkey;
681 X509V3_CTX ext_ctx;
682 if ((x509ss = X509_new()) == NULL)
683 goto end;
684
685 /* Set version to V3 */
686 if (extensions && !X509_set_version(x509ss, 2))
687 goto end;
688 if (serial) {
689 if (!X509_set_serialNumber(x509ss, serial))
690 goto end;
691 } else {
692 if (!rand_serial(NULL,
693 X509_get_serialNumber(x509ss)))
694 goto end;
695 }
696
697 if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
698 goto end;
699 if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0))
700 goto end;
701 if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL))
702 goto end;
703 if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req)))
704 goto end;
705 tmppkey = X509_REQ_get_pubkey(req);
706 if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
707 goto end;
708 EVP_PKEY_free(tmppkey);
709
710 /* Set up V3 context struct */
711
712 X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
713 X509V3_set_nconf(&ext_ctx, req_conf);
714
715 /* Add extensions */
716 if (extensions && !X509V3_EXT_add_nconf(req_conf,
717 &ext_ctx, extensions, x509ss)) {
718 BIO_printf(bio_err,
719 "Error Loading extension section %s\n",
720 extensions);
721 goto end;
722 }
723 i = do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);
724 if (!i) {
725 ERR_print_errors(bio_err);
726 goto end;
727 }
728 } else {
729 X509V3_CTX ext_ctx;
730
731 /* Set up V3 context struct */
732
733 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
734 X509V3_set_nconf(&ext_ctx, req_conf);
735
736 /* Add extensions */
737 if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
738 &ext_ctx, req_exts, req)) {
739 BIO_printf(bio_err,
740 "Error Loading extension section %s\n",
741 req_exts);
742 goto end;
743 }
744 i = do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
745 if (!i) {
746 ERR_print_errors(bio_err);
747 goto end;
748 }
749 }
750 }
751 if (subj && x509) {
752 BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
753 goto end;
754 }
755 if (subj && !x509) {
756 if (verbose) {
757 BIO_printf(bio_err, "Modifying Request's Subject\n");
758 print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
759 }
760 if (build_subject(req, subj, chtype, multirdn) == 0) {
761 BIO_printf(bio_err, "ERROR: cannot modify subject\n");
762 ex = 1;
763 goto end;
764 }
765 req->req_info->enc.modified = 1;
766
767 if (verbose) {
768 print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag);
769 }
770 }
771 if (verify && !x509) {
772 int tmp = 0;
773
774 if (pkey == NULL) {
775 pkey = X509_REQ_get_pubkey(req);
776 tmp = 1;
777 if (pkey == NULL)
778 goto end;
779 }
780 i = X509_REQ_verify(req, pkey);
781 if (tmp) {
782 EVP_PKEY_free(pkey);
783 pkey = NULL;
784 }
785 if (i < 0) {
786 goto end;
787 } else if (i == 0) {
788 BIO_printf(bio_err, "verify failure\n");
789 ERR_print_errors(bio_err);
790 } else /* if (i > 0) */
791 BIO_printf(bio_err, "verify OK\n");
792 }
793 if (noout && !text && !modulus && !subject && !pubkey) {
794 ex = 0;
795 goto end;
796 }
797 if (outfile == NULL) {
798 BIO_set_fp(out, stdout, BIO_NOCLOSE);
799 } else {
800 if ((keyout != NULL) && (strcmp(outfile, keyout) == 0))
801 i = (int) BIO_append_filename(out, outfile);
802 else
803 i = (int) BIO_write_filename(out, outfile);
804 if (!i) {
805 perror(outfile);
806 goto end;
807 }
808 }
809
810 if (pubkey) {
811 EVP_PKEY *tpubkey;
812 tpubkey = X509_REQ_get_pubkey(req);
813 if (tpubkey == NULL) {
814 BIO_printf(bio_err, "Error getting public key\n");
815 ERR_print_errors(bio_err);
816 goto end;
817 }
818 PEM_write_bio_PUBKEY(out, tpubkey);
819 EVP_PKEY_free(tpubkey);
820 }
821 if (text) {
822 if (x509)
823 X509_print_ex(out, x509ss, nmflag, reqflag);
824 else
825 X509_REQ_print_ex(out, req, nmflag, reqflag);
826 }
827 if (subject) {
828 if (x509)
829 print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag);
830 else
831 print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag);
832 }
833 if (modulus) {
834 EVP_PKEY *tpubkey;
835
836 if (x509)
837 tpubkey = X509_get_pubkey(x509ss);
838 else
839 tpubkey = X509_REQ_get_pubkey(req);
840 if (tpubkey == NULL) {
841 fprintf(stdout, "Modulus=unavailable\n");
842 goto end;
843 }
844 fprintf(stdout, "Modulus=");
845 if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
846 BN_print(out, tpubkey->pkey.rsa->n);
847 else
848 fprintf(stdout, "Wrong Algorithm type");
849 EVP_PKEY_free(tpubkey);
850 fprintf(stdout, "\n");
851 }
852 if (!noout && !x509) {
853 if (outformat == FORMAT_ASN1)
854 i = i2d_X509_REQ_bio(out, req);
855 else if (outformat == FORMAT_PEM) {
856 if (newhdr)
857 i = PEM_write_bio_X509_REQ_NEW(out, req);
858 else
859 i = PEM_write_bio_X509_REQ(out, req);
860 } else {
861 BIO_printf(bio_err, "bad output format specified for outfile\n");
862 goto end;
863 }
864 if (!i) {
865 BIO_printf(bio_err, "unable to write X509 request\n");
866 goto end;
867 }
868 }
869 if (!noout && x509 && (x509ss != NULL)) {
870 if (outformat == FORMAT_ASN1)
871 i = i2d_X509_bio(out, x509ss);
872 else if (outformat == FORMAT_PEM)
873 i = PEM_write_bio_X509(out, x509ss);
874 else {
875 BIO_printf(bio_err, "bad output format specified for outfile\n");
876 goto end;
877 }
878 if (!i) {
879 BIO_printf(bio_err, "unable to write X509 certificate\n");
880 goto end;
881 }
882 }
883 ex = 0;
884end:
885 if (ex) {
886 ERR_print_errors(bio_err);
887 }
888 if ((req_conf != NULL) && (req_conf != config))
889 NCONF_free(req_conf);
890 BIO_free(in);
891 BIO_free_all(out);
892 EVP_PKEY_free(pkey);
893 if (genctx)
894 EVP_PKEY_CTX_free(genctx);
895 if (pkeyopts)
896 sk_OPENSSL_STRING_free(pkeyopts);
897 if (sigopts)
898 sk_OPENSSL_STRING_free(sigopts);
899#ifndef OPENSSL_NO_ENGINE
900 if (gen_eng)
901 ENGINE_free(gen_eng);
902#endif
903 free(keyalgstr);
904 X509_REQ_free(req);
905 X509_free(x509ss);
906 ASN1_INTEGER_free(serial);
907 if (passargin && passin)
908 free(passin);
909 if (passargout && passout)
910 free(passout);
911 OBJ_cleanup();
912
913 return (ex);
914}
915
916static int
917make_REQ(X509_REQ * req, EVP_PKEY * pkey, char *subj, int multirdn,
918 int attribs, unsigned long chtype)
919{
920 int ret = 0, i;
921 char no_prompt = 0;
922 STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
923 char *tmp, *dn_sect, *attr_sect;
924
925 tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
926 if (tmp == NULL)
927 ERR_clear_error();
928 if ((tmp != NULL) && !strcmp(tmp, "no"))
929 no_prompt = 1;
930
931 dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
932 if (dn_sect == NULL) {
933 BIO_printf(bio_err, "unable to find '%s' in config\n",
934 DISTINGUISHED_NAME);
935 goto err;
936 }
937 dn_sk = NCONF_get_section(req_conf, dn_sect);
938 if (dn_sk == NULL) {
939 BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
940 goto err;
941 }
942 attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
943 if (attr_sect == NULL) {
944 ERR_clear_error();
945 attr_sk = NULL;
946 } else {
947 attr_sk = NCONF_get_section(req_conf, attr_sect);
948 if (attr_sk == NULL) {
949 BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
950 goto err;
951 }
952 }
953
954 /* setup version number */
955 if (!X509_REQ_set_version(req, 0L))
956 goto err; /* version 1 */
957
958 if (no_prompt)
959 i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
960 else {
961 if (subj)
962 i = build_subject(req, subj, chtype, multirdn);
963 else
964 i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
965 }
966 if (!i)
967 goto err;
968
969 if (!X509_REQ_set_pubkey(req, pkey))
970 goto err;
971
972 ret = 1;
973err:
974 return (ret);
975}
976
977/*
978 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
979 * where characters may be escaped by \
980 */
981static int
982build_subject(X509_REQ * req, char *subject, unsigned long chtype, int multirdn)
983{
984 X509_NAME *n;
985
986 if (!(n = parse_name(subject, chtype, multirdn)))
987 return 0;
988
989 if (!X509_REQ_set_subject_name(req, n)) {
990 X509_NAME_free(n);
991 return 0;
992 }
993 X509_NAME_free(n);
994 return 1;
995}
996
997
998static int
999prompt_info(X509_REQ * req,
1000 STACK_OF(CONF_VALUE) * dn_sk, char *dn_sect,
1001 STACK_OF(CONF_VALUE) * attr_sk, char *attr_sect, int attribs,
1002 unsigned long chtype)
1003{
1004 int i;
1005 char *p, *q;
1006 char buf[100];
1007 int nid, mval;
1008 long n_min, n_max;
1009 char *type, *value;
1010 const char *def;
1011 CONF_VALUE *v;
1012 X509_NAME *subj;
1013 subj = X509_REQ_get_subject_name(req);
1014
1015 if (!batch) {
1016 BIO_printf(bio_err, "You are about to be asked to enter information that will be incorporated\n");
1017 BIO_printf(bio_err, "into your certificate request.\n");
1018 BIO_printf(bio_err, "What you are about to enter is what is called a Distinguished Name or a DN.\n");
1019 BIO_printf(bio_err, "There are quite a few fields but you can leave some blank\n");
1020 BIO_printf(bio_err, "For some fields there will be a default value,\n");
1021 BIO_printf(bio_err, "If you enter '.', the field will be left blank.\n");
1022 BIO_printf(bio_err, "-----\n");
1023 }
1024 if (sk_CONF_VALUE_num(dn_sk)) {
1025 i = -1;
1026start: for (;;) {
1027 int ret;
1028 i++;
1029 if (sk_CONF_VALUE_num(dn_sk) <= i)
1030 break;
1031
1032 v = sk_CONF_VALUE_value(dn_sk, i);
1033 p = q = NULL;
1034 type = v->name;
1035 if (!check_end(type, "_min") || !check_end(type, "_max") ||
1036 !check_end(type, "_default") ||
1037 !check_end(type, "_value"))
1038 continue;
1039 /*
1040 * Skip past any leading X. X: X, etc to allow for
1041 * multiple instances
1042 */
1043 for (p = v->name; *p; p++)
1044 if ((*p == ':') || (*p == ',') ||
1045 (*p == '.')) {
1046 p++;
1047 if (*p)
1048 type = p;
1049 break;
1050 }
1051 if (*type == '+') {
1052 mval = -1;
1053 type++;
1054 } else
1055 mval = 0;
1056 /* If OBJ not recognised ignore it */
1057 if ((nid = OBJ_txt2nid(type)) == NID_undef)
1058 goto start;
1059 ret = snprintf(buf, sizeof buf, "%s_default", v->name);
1060 if (ret == -1 || ret >= sizeof(buf)) {
1061 BIO_printf(bio_err, "Name '%s' too long for default\n",
1062 v->name);
1063 return 0;
1064 }
1065 if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1066 ERR_clear_error();
1067 def = "";
1068 }
1069 ret = snprintf(buf, sizeof buf, "%s_value", v->name);
1070 if (ret == -1 || ret >= sizeof(buf)) {
1071 BIO_printf(bio_err, "Name '%s' too long for value\n",
1072 v->name);
1073 return 0;
1074 }
1075 if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1076 ERR_clear_error();
1077 value = NULL;
1078 }
1079 ret = snprintf(buf, sizeof buf, "%s_min", v->name);
1080 if (ret == -1 || ret >= sizeof(buf)) {
1081 BIO_printf(bio_err, "Name '%s' too long for min\n",
1082 v->name);
1083 return 0;
1084 }
1085 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
1086 ERR_clear_error();
1087 n_min = -1;
1088 }
1089 ret = snprintf(buf, sizeof buf, "%s_max", v->name);
1090 if (ret == -1 || ret >= sizeof(buf)) {
1091 BIO_printf(bio_err, "Name '%s' too long for max\n",
1092 v->name);
1093 return 0;
1094 }
1095 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
1096 ERR_clear_error();
1097 n_max = -1;
1098 }
1099 if (!add_DN_object(subj, v->value, def, value, nid,
1100 n_min, n_max, chtype, mval))
1101 return 0;
1102 }
1103 if (X509_NAME_entry_count(subj) == 0) {
1104 BIO_printf(bio_err, "error, no objects specified in config file\n");
1105 return 0;
1106 }
1107 if (attribs) {
1108 if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) &&
1109 (!batch)) {
1110 BIO_printf(bio_err,
1111 "\nPlease enter the following 'extra' attributes\n");
1112 BIO_printf(bio_err,
1113 "to be sent with your certificate request\n");
1114 }
1115 i = -1;
1116start2: for (;;) {
1117 int ret;
1118 i++;
1119 if ((attr_sk == NULL) ||
1120 (sk_CONF_VALUE_num(attr_sk) <= i))
1121 break;
1122
1123 v = sk_CONF_VALUE_value(attr_sk, i);
1124 type = v->name;
1125 if ((nid = OBJ_txt2nid(type)) == NID_undef)
1126 goto start2;
1127 ret = snprintf(buf, sizeof buf, "%s_default", type);
1128 if (ret == -1 || ret >= sizeof(buf)) {
1129 BIO_printf(bio_err, "Name '%s' too long for default\n",
1130 v->name);
1131 return 0;
1132 }
1133 if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1134 == NULL) {
1135 ERR_clear_error();
1136 def = "";
1137 }
1138 ret = snprintf(buf, sizeof buf, "%s_value", type);
1139 if (ret == -1 || ret >= sizeof(buf)) {
1140 BIO_printf(bio_err, "Name '%s' too long for value\n",
1141 v->name);
1142 return 0;
1143 }
1144 if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1145 == NULL) {
1146 ERR_clear_error();
1147 value = NULL;
1148 }
1149 ret = snprintf(buf, sizeof buf, "%s_min", type);
1150 if (ret == -1 || ret >= sizeof(buf)) {
1151 BIO_printf(bio_err, "Name '%s' too long for min\n",
1152 v->name);
1153 return 0;
1154 }
1155 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1156 ERR_clear_error();
1157 n_min = -1;
1158 }
1159 ret = snprintf(buf, sizeof buf, "%s_max", type);
1160 if (ret == -1 || ret >= sizeof(buf)) {
1161 BIO_printf(bio_err, "Name '%s' too long for max\n",
1162 v->name);
1163 return 0;
1164 }
1165 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1166 ERR_clear_error();
1167 n_max = -1;
1168 }
1169 if (!add_attribute_object(req,
1170 v->value, def, value, nid, n_min, n_max, chtype))
1171 return 0;
1172 }
1173 }
1174 } else {
1175 BIO_printf(bio_err, "No template, please set one up.\n");
1176 return 0;
1177 }
1178
1179 return 1;
1180
1181}
1182
1183static int
1184auto_info(X509_REQ * req, STACK_OF(CONF_VALUE) * dn_sk,
1185 STACK_OF(CONF_VALUE) * attr_sk, int attribs, unsigned long chtype)
1186{
1187 int i;
1188 char *p, *q;
1189 char *type;
1190 CONF_VALUE *v;
1191 X509_NAME *subj;
1192
1193 subj = X509_REQ_get_subject_name(req);
1194
1195 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1196 int mval;
1197 v = sk_CONF_VALUE_value(dn_sk, i);
1198 p = q = NULL;
1199 type = v->name;
1200 /*
1201 * Skip past any leading X. X: X, etc to allow for multiple
1202 * instances
1203 */
1204 for (p = v->name; *p; p++)
1205 if ((*p == ':') || (*p == ',') || (*p == '.')) {
1206 p++;
1207 if (*p)
1208 type = p;
1209 break;
1210 }
1211 if (*p == '+') {
1212 p++;
1213 mval = -1;
1214 } else
1215 mval = 0;
1216 if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1217 (unsigned char *) v->value, -1, -1, mval))
1218 return 0;
1219
1220 }
1221
1222 if (!X509_NAME_entry_count(subj)) {
1223 BIO_printf(bio_err, "error, no objects specified in config file\n");
1224 return 0;
1225 }
1226 if (attribs) {
1227 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1228 v = sk_CONF_VALUE_value(attr_sk, i);
1229 if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1230 (unsigned char *) v->value, -1))
1231 return 0;
1232 }
1233 }
1234 return 1;
1235}
1236
1237
1238static int
1239add_DN_object(X509_NAME * n, char *text, const char *def, char *value,
1240 int nid, int n_min, int n_max, unsigned long chtype, int mval)
1241{
1242 int i, ret = 0;
1243 char buf[1024];
1244start:
1245 if (!batch)
1246 BIO_printf(bio_err, "%s [%s]:", text, def);
1247 (void) BIO_flush(bio_err);
1248 if (value != NULL) {
1249 strlcpy(buf, value, sizeof buf);
1250 strlcat(buf, "\n", sizeof buf);
1251 BIO_printf(bio_err, "%s\n", value);
1252 } else {
1253 buf[0] = '\0';
1254 if (!batch) {
1255 if (!fgets(buf, sizeof buf, stdin))
1256 return 0;
1257 } else {
1258 buf[0] = '\n';
1259 buf[1] = '\0';
1260 }
1261 }
1262
1263 if (buf[0] == '\0')
1264 return (0);
1265 else if (buf[0] == '\n') {
1266 if ((def == NULL) || (def[0] == '\0'))
1267 return (1);
1268 strlcpy(buf, def, sizeof buf);
1269 strlcat(buf, "\n", sizeof buf);
1270 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1271 return (1);
1272
1273 i = strlen(buf);
1274 if (buf[i - 1] != '\n') {
1275 BIO_printf(bio_err, "weird input :-(\n");
1276 return (0);
1277 }
1278 buf[--i] = '\0';
1279 if (!req_check_len(i, n_min, n_max))
1280 goto start;
1281 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1282 (unsigned char *) buf, -1, -1, mval))
1283 goto err;
1284 ret = 1;
1285err:
1286 return (ret);
1287}
1288
1289static int
1290add_attribute_object(X509_REQ * req, char *text, const char *def,
1291 char *value, int nid, int n_min,
1292 int n_max, unsigned long chtype)
1293{
1294 int i;
1295 static char buf[1024];
1296
1297start:
1298 if (!batch)
1299 BIO_printf(bio_err, "%s [%s]:", text, def);
1300 (void) BIO_flush(bio_err);
1301 if (value != NULL) {
1302 strlcpy(buf, value, sizeof buf);
1303 strlcat(buf, "\n", sizeof buf);
1304 BIO_printf(bio_err, "%s\n", value);
1305 } else {
1306 buf[0] = '\0';
1307 if (!batch) {
1308 if (!fgets(buf, sizeof buf, stdin))
1309 return 0;
1310 } else {
1311 buf[0] = '\n';
1312 buf[1] = '\0';
1313 }
1314 }
1315
1316 if (buf[0] == '\0')
1317 return (0);
1318 else if (buf[0] == '\n') {
1319 if ((def == NULL) || (def[0] == '\0'))
1320 return (1);
1321 strlcpy(buf, def, sizeof buf);
1322 strlcat(buf, "\n", sizeof buf);
1323 } else if ((buf[0] == '.') && (buf[1] == '\n'))
1324 return (1);
1325
1326 i = strlen(buf);
1327 if (buf[i - 1] != '\n') {
1328 BIO_printf(bio_err, "weird input :-(\n");
1329 return (0);
1330 }
1331 buf[--i] = '\0';
1332 if (!req_check_len(i, n_min, n_max))
1333 goto start;
1334
1335 if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1336 (unsigned char *) buf, -1)) {
1337 BIO_printf(bio_err, "Error adding attribute\n");
1338 ERR_print_errors(bio_err);
1339 goto err;
1340 }
1341 return (1);
1342err:
1343 return (0);
1344}
1345
1346static int
1347req_check_len(int len, int n_min, int n_max)
1348{
1349 if ((n_min > 0) && (len < n_min)) {
1350 BIO_printf(bio_err, "string is too short, it needs to be at least %d bytes long\n", n_min);
1351 return (0);
1352 }
1353 if ((n_max >= 0) && (len > n_max)) {
1354 BIO_printf(bio_err, "string is too long, it needs to be less than %d bytes long\n", n_max);
1355 return (0);
1356 }
1357 return (1);
1358}
1359
1360/* Check if the end of a string matches 'end' */
1361static int
1362check_end(const char *str, const char *end)
1363{
1364 int elen, slen;
1365 const char *tmp;
1366 elen = strlen(end);
1367 slen = strlen(str);
1368 if (elen > slen)
1369 return 1;
1370 tmp = str + slen - elen;
1371 return strcmp(tmp, end);
1372}
1373
1374static EVP_PKEY_CTX *
1375set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
1376 long *pkeylen, char **palgnam,
1377 ENGINE * keygen_engine)
1378{
1379 EVP_PKEY_CTX *gctx = NULL;
1380 EVP_PKEY *param = NULL;
1381 long keylen = -1;
1382 BIO *pbio = NULL;
1383 const char *paramfile = NULL;
1384 const char *errstr;
1385
1386 if (gstr == NULL) {
1387 *pkey_type = EVP_PKEY_RSA;
1388 keylen = *pkeylen;
1389 } else if (gstr[0] >= '0' && gstr[0] <= '9') {
1390 *pkey_type = EVP_PKEY_RSA;
1391 keylen = strtonum(gstr, 0, LONG_MAX, &errstr);
1392 if (errstr) {
1393 BIO_printf(err, "bad algorithm %s: %s\n", gstr, errstr);
1394 return NULL;
1395 }
1396 *pkeylen = keylen;
1397 } else if (!strncmp(gstr, "param:", 6))
1398 paramfile = gstr + 6;
1399 else {
1400 const char *p = strchr(gstr, ':');
1401 int len;
1402 ENGINE *tmpeng;
1403 const EVP_PKEY_ASN1_METHOD *ameth;
1404
1405 if (p)
1406 len = p - gstr;
1407 else
1408 len = strlen(gstr);
1409 /*
1410 * The lookup of a the string will cover all engines so keep
1411 * a note of the implementation.
1412 */
1413
1414 ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1415
1416 if (!ameth) {
1417 BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
1418 return NULL;
1419 }
1420 EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
1421 ameth);
1422#ifndef OPENSSL_NO_ENGINE
1423 if (tmpeng)
1424 ENGINE_finish(tmpeng);
1425#endif
1426 if (*pkey_type == EVP_PKEY_RSA) {
1427 if (p) {
1428 keylen = strtonum(p + 1, 0, LONG_MAX, &errstr);
1429 if (errstr) {
1430 BIO_printf(err, "bad algorithm %s: %s\n",
1431 p + 1, errstr);
1432 return NULL;
1433 }
1434 *pkeylen = keylen;
1435 } else
1436 keylen = *pkeylen;
1437 } else if (p)
1438 paramfile = p + 1;
1439 }
1440
1441 if (paramfile) {
1442 pbio = BIO_new_file(paramfile, "r");
1443 if (!pbio) {
1444 BIO_printf(err, "Can't open parameter file %s\n",
1445 paramfile);
1446 return NULL;
1447 }
1448 param = PEM_read_bio_Parameters(pbio, NULL);
1449
1450 if (!param) {
1451 X509 *x;
1452 (void) BIO_reset(pbio);
1453 x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1454 if (x) {
1455 param = X509_get_pubkey(x);
1456 X509_free(x);
1457 }
1458 }
1459 BIO_free(pbio);
1460
1461 if (!param) {
1462 BIO_printf(err, "Error reading parameter file %s\n",
1463 paramfile);
1464 return NULL;
1465 }
1466 if (*pkey_type == -1)
1467 *pkey_type = EVP_PKEY_id(param);
1468 else if (*pkey_type != EVP_PKEY_base_id(param)) {
1469 BIO_printf(err, "Key Type does not match parameters\n");
1470 EVP_PKEY_free(param);
1471 return NULL;
1472 }
1473 }
1474 if (palgnam) {
1475 const EVP_PKEY_ASN1_METHOD *ameth;
1476 ENGINE *tmpeng;
1477 const char *anam;
1478 ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1479 if (!ameth) {
1480 BIO_puts(err, "Internal error: can't find key algorithm\n");
1481 return NULL;
1482 }
1483 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1484 *palgnam = BUF_strdup(anam);
1485#ifndef OPENSSL_NO_ENGINE
1486 if (tmpeng)
1487 ENGINE_finish(tmpeng);
1488#endif
1489 }
1490 if (param) {
1491 gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1492 *pkeylen = EVP_PKEY_bits(param);
1493 EVP_PKEY_free(param);
1494 } else
1495 gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1496
1497 if (!gctx) {
1498 BIO_puts(err, "Error allocating keygen context\n");
1499 ERR_print_errors(err);
1500 return NULL;
1501 }
1502 if (EVP_PKEY_keygen_init(gctx) <= 0) {
1503 BIO_puts(err, "Error initializing keygen context\n");
1504 ERR_print_errors(err);
1505 return NULL;
1506 }
1507 if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1508 if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1509 BIO_puts(err, "Error setting RSA keysize\n");
1510 ERR_print_errors(err);
1511 EVP_PKEY_CTX_free(gctx);
1512 return NULL;
1513 }
1514 }
1515
1516 return gctx;
1517}
1518
1519static int
1520genpkey_cb(EVP_PKEY_CTX * ctx)
1521{
1522 char c = '*';
1523 BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1524 int p;
1525 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1526 if (p == 0)
1527 c = '.';
1528 if (p == 1)
1529 c = '+';
1530 if (p == 2)
1531 c = '*';
1532 if (p == 3)
1533 c = '\n';
1534 BIO_write(b, &c, 1);
1535 (void) BIO_flush(b);
1536 return 1;
1537}
1538
1539static int
1540do_sign_init(BIO * err, EVP_MD_CTX * ctx, EVP_PKEY * pkey,
1541 const EVP_MD * md, STACK_OF(OPENSSL_STRING) * sigopts)
1542{
1543 EVP_PKEY_CTX *pkctx = NULL;
1544 int i;
1545 EVP_MD_CTX_init(ctx);
1546 if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1547 return 0;
1548 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1549 char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1550 if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1551 BIO_printf(err, "parameter error \"%s\"\n", sigopt);
1552 ERR_print_errors(bio_err);
1553 return 0;
1554 }
1555 }
1556 return 1;
1557}
1558
1559int
1560do_X509_sign(BIO * err, X509 * x, EVP_PKEY * pkey, const EVP_MD * md,
1561 STACK_OF(OPENSSL_STRING) * sigopts)
1562{
1563 int rv;
1564 EVP_MD_CTX mctx;
1565 EVP_MD_CTX_init(&mctx);
1566 rv = do_sign_init(err, &mctx, pkey, md, sigopts);
1567 if (rv > 0)
1568 rv = X509_sign_ctx(x, &mctx);
1569 EVP_MD_CTX_cleanup(&mctx);
1570 return rv > 0 ? 1 : 0;
1571}
1572
1573
1574int
1575do_X509_REQ_sign(BIO * err, X509_REQ * x, EVP_PKEY * pkey, const EVP_MD * md,
1576 STACK_OF(OPENSSL_STRING) * sigopts)
1577{
1578 int rv;
1579 EVP_MD_CTX mctx;
1580 EVP_MD_CTX_init(&mctx);
1581 rv = do_sign_init(err, &mctx, pkey, md, sigopts);
1582 if (rv > 0)
1583 rv = X509_REQ_sign_ctx(x, &mctx);
1584 EVP_MD_CTX_cleanup(&mctx);
1585 return rv > 0 ? 1 : 0;
1586}
1587
1588
1589
1590int
1591do_X509_CRL_sign(BIO * err, X509_CRL * x, EVP_PKEY * pkey, const EVP_MD * md,
1592 STACK_OF(OPENSSL_STRING) * sigopts)
1593{
1594 int rv;
1595 EVP_MD_CTX mctx;
1596 EVP_MD_CTX_init(&mctx);
1597 rv = do_sign_init(err, &mctx, pkey, md, sigopts);
1598 if (rv > 0)
1599 rv = X509_CRL_sign_ctx(x, &mctx);
1600 EVP_MD_CTX_cleanup(&mctx);
1601 return rv > 0 ? 1 : 0;
1602}
diff --git a/src/lib/libssl/src/apps/rsa.c b/src/lib/libssl/src/apps/rsa.c
deleted file mode 100644
index 1bb78e94a9..0000000000
--- a/src/lib/libssl/src/apps/rsa.c
+++ /dev/null
@@ -1,392 +0,0 @@
1/* $OpenBSD: rsa.c,v 1.27 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h>
60
61
62#include <stdio.h>
63#include <stdlib.h>
64#include <string.h>
65#include <time.h>
66
67#include "apps.h"
68
69#include <openssl/bio.h>
70#include <openssl/bn.h>
71#include <openssl/err.h>
72#include <openssl/evp.h>
73#include <openssl/pem.h>
74#include <openssl/rsa.h>
75#include <openssl/x509.h>
76
77/* -inform arg - input format - default PEM (one of DER, NET or PEM)
78 * -outform arg - output format - default PEM
79 * -in arg - input file - default stdin
80 * -out arg - output file - default stdout
81 * -des - encrypt output if PEM format with DES in cbc mode
82 * -des3 - encrypt output if PEM format
83 * -idea - encrypt output if PEM format
84 * -seed - encrypt output if PEM format
85 * -aes128 - encrypt output if PEM format
86 * -aes192 - encrypt output if PEM format
87 * -aes256 - encrypt output if PEM format
88 * -camellia128 - encrypt output if PEM format
89 * -camellia192 - encrypt output if PEM format
90 * -camellia256 - encrypt output if PEM format
91 * -text - print a text version
92 * -modulus - print the RSA key modulus
93 * -check - verify key consistency
94 * -pubin - Expect a public key in input file.
95 * -pubout - Output a public key.
96 */
97
98int rsa_main(int, char **);
99
100int
101rsa_main(int argc, char **argv)
102{
103 ENGINE *e = NULL;
104 int ret = 1;
105 RSA *rsa = NULL;
106 int i, badops = 0, sgckey = 0;
107 const EVP_CIPHER *enc = NULL;
108 BIO *out = NULL;
109 int informat, outformat, text = 0, check = 0, noout = 0;
110 int pubin = 0, pubout = 0;
111 char *infile, *outfile, *prog;
112 char *passargin = NULL, *passargout = NULL;
113 char *passin = NULL, *passout = NULL;
114#ifndef OPENSSL_NO_ENGINE
115 char *engine = NULL;
116#endif
117 int modulus = 0;
118
119 int pvk_encr = 2;
120
121 infile = NULL;
122 outfile = NULL;
123 informat = FORMAT_PEM;
124 outformat = FORMAT_PEM;
125
126 prog = argv[0];
127 argc--;
128 argv++;
129 while (argc >= 1) {
130 if (strcmp(*argv, "-inform") == 0) {
131 if (--argc < 1)
132 goto bad;
133 informat = str2fmt(*(++argv));
134 } else if (strcmp(*argv, "-outform") == 0) {
135 if (--argc < 1)
136 goto bad;
137 outformat = str2fmt(*(++argv));
138 } else if (strcmp(*argv, "-in") == 0) {
139 if (--argc < 1)
140 goto bad;
141 infile = *(++argv);
142 } else if (strcmp(*argv, "-out") == 0) {
143 if (--argc < 1)
144 goto bad;
145 outfile = *(++argv);
146 } else if (strcmp(*argv, "-passin") == 0) {
147 if (--argc < 1)
148 goto bad;
149 passargin = *(++argv);
150 } else if (strcmp(*argv, "-passout") == 0) {
151 if (--argc < 1)
152 goto bad;
153 passargout = *(++argv);
154 }
155#ifndef OPENSSL_NO_ENGINE
156 else if (strcmp(*argv, "-engine") == 0) {
157 if (--argc < 1)
158 goto bad;
159 engine = *(++argv);
160 }
161#endif
162 else if (strcmp(*argv, "-sgckey") == 0)
163 sgckey = 1;
164 else if (strcmp(*argv, "-pubin") == 0)
165 pubin = 1;
166 else if (strcmp(*argv, "-pubout") == 0)
167 pubout = 1;
168 else if (strcmp(*argv, "-RSAPublicKey_in") == 0)
169 pubin = 2;
170 else if (strcmp(*argv, "-RSAPublicKey_out") == 0)
171 pubout = 2;
172 else if (strcmp(*argv, "-pvk-strong") == 0)
173 pvk_encr = 2;
174 else if (strcmp(*argv, "-pvk-weak") == 0)
175 pvk_encr = 1;
176 else if (strcmp(*argv, "-pvk-none") == 0)
177 pvk_encr = 0;
178 else if (strcmp(*argv, "-noout") == 0)
179 noout = 1;
180 else if (strcmp(*argv, "-text") == 0)
181 text = 1;
182 else if (strcmp(*argv, "-modulus") == 0)
183 modulus = 1;
184 else if (strcmp(*argv, "-check") == 0)
185 check = 1;
186 else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
187 BIO_printf(bio_err, "unknown option %s\n", *argv);
188 badops = 1;
189 break;
190 }
191 argc--;
192 argv++;
193 }
194
195 if (badops) {
196bad:
197 BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
198 BIO_printf(bio_err, "where options are\n");
199 BIO_printf(bio_err, " -inform arg input format - one of DER NET PEM\n");
200 BIO_printf(bio_err, " -outform arg output format - one of DER NET PEM\n");
201 BIO_printf(bio_err, " -in arg input file\n");
202 BIO_printf(bio_err, " -sgckey Use IIS SGC key format\n");
203 BIO_printf(bio_err, " -passin arg input file pass phrase source\n");
204 BIO_printf(bio_err, " -out arg output file\n");
205 BIO_printf(bio_err, " -passout arg output file pass phrase source\n");
206 BIO_printf(bio_err, " -des encrypt PEM output with cbc des\n");
207 BIO_printf(bio_err, " -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
208#ifndef OPENSSL_NO_IDEA
209 BIO_printf(bio_err, " -idea encrypt PEM output with cbc idea\n");
210#endif
211#ifndef OPENSSL_NO_AES
212 BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
213 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
214#endif
215#ifndef OPENSSL_NO_CAMELLIA
216 BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
217 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
218#endif
219 BIO_printf(bio_err, " -text print the key in text\n");
220 BIO_printf(bio_err, " -noout don't print key out\n");
221 BIO_printf(bio_err, " -modulus print the RSA key modulus\n");
222 BIO_printf(bio_err, " -check verify key consistency\n");
223 BIO_printf(bio_err, " -pubin expect a public key in input file\n");
224 BIO_printf(bio_err, " -pubout output a public key\n");
225#ifndef OPENSSL_NO_ENGINE
226 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
227#endif
228 goto end;
229 }
230 ERR_load_crypto_strings();
231
232#ifndef OPENSSL_NO_ENGINE
233 e = setup_engine(bio_err, engine, 0);
234#endif
235
236 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
237 BIO_printf(bio_err, "Error getting passwords\n");
238 goto end;
239 }
240 if (check && pubin) {
241 BIO_printf(bio_err, "Only private keys can be checked\n");
242 goto end;
243 }
244 out = BIO_new(BIO_s_file());
245
246 {
247 EVP_PKEY *pkey;
248
249 if (pubin) {
250 int tmpformat = -1;
251 if (pubin == 2) {
252 if (informat == FORMAT_PEM)
253 tmpformat = FORMAT_PEMRSA;
254 else if (informat == FORMAT_ASN1)
255 tmpformat = FORMAT_ASN1RSA;
256 } else if (informat == FORMAT_NETSCAPE && sgckey)
257 tmpformat = FORMAT_IISSGC;
258 else
259 tmpformat = informat;
260
261 pkey = load_pubkey(bio_err, infile, tmpformat, 1,
262 passin, e, "Public Key");
263 } else
264 pkey = load_key(bio_err, infile,
265 (informat == FORMAT_NETSCAPE && sgckey ?
266 FORMAT_IISSGC : informat), 1,
267 passin, e, "Private Key");
268
269 if (pkey != NULL)
270 rsa = EVP_PKEY_get1_RSA(pkey);
271 EVP_PKEY_free(pkey);
272 }
273
274 if (rsa == NULL) {
275 ERR_print_errors(bio_err);
276 goto end;
277 }
278 if (outfile == NULL) {
279 BIO_set_fp(out, stdout, BIO_NOCLOSE);
280 } else {
281 if (BIO_write_filename(out, outfile) <= 0) {
282 perror(outfile);
283 goto end;
284 }
285 }
286
287 if (text)
288 if (!RSA_print(out, rsa, 0)) {
289 perror(outfile);
290 ERR_print_errors(bio_err);
291 goto end;
292 }
293 if (modulus) {
294 BIO_printf(out, "Modulus=");
295 BN_print(out, rsa->n);
296 BIO_printf(out, "\n");
297 }
298 if (check) {
299 int r = RSA_check_key(rsa);
300
301 if (r == 1)
302 BIO_printf(out, "RSA key ok\n");
303 else if (r == 0) {
304 unsigned long err;
305
306 while ((err = ERR_peek_error()) != 0 &&
307 ERR_GET_LIB(err) == ERR_LIB_RSA &&
308 ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY &&
309 ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) {
310 BIO_printf(out, "RSA key error: %s\n", ERR_reason_error_string(err));
311 ERR_get_error(); /* remove e from error
312 * stack */
313 }
314 }
315 if (r == -1 || ERR_peek_error() != 0) { /* should happen only if
316 * r == -1 */
317 ERR_print_errors(bio_err);
318 goto end;
319 }
320 }
321 if (noout) {
322 ret = 0;
323 goto end;
324 }
325 BIO_printf(bio_err, "writing RSA key\n");
326 if (outformat == FORMAT_ASN1) {
327 if (pubout || pubin) {
328 if (pubout == 2)
329 i = i2d_RSAPublicKey_bio(out, rsa);
330 else
331 i = i2d_RSA_PUBKEY_bio(out, rsa);
332 } else
333 i = i2d_RSAPrivateKey_bio(out, rsa);
334 }
335#ifndef OPENSSL_NO_RC4
336 else if (outformat == FORMAT_NETSCAPE) {
337 unsigned char *p, *pp;
338 int size;
339
340 i = 1;
341 size = i2d_RSA_NET(rsa, NULL, NULL, sgckey);
342 if ((p = malloc(size)) == NULL) {
343 BIO_printf(bio_err, "Memory allocation failure\n");
344 goto end;
345 }
346 pp = p;
347 i2d_RSA_NET(rsa, &p, NULL, sgckey);
348 BIO_write(out, (char *) pp, size);
349 free(pp);
350 }
351#endif
352 else if (outformat == FORMAT_PEM) {
353 if (pubout || pubin) {
354 if (pubout == 2)
355 i = PEM_write_bio_RSAPublicKey(out, rsa);
356 else
357 i = PEM_write_bio_RSA_PUBKEY(out, rsa);
358 } else
359 i = PEM_write_bio_RSAPrivateKey(out, rsa,
360 enc, NULL, 0, NULL, passout);
361#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
362 } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
363 EVP_PKEY *pk;
364 pk = EVP_PKEY_new();
365 EVP_PKEY_set1_RSA(pk, rsa);
366 if (outformat == FORMAT_PVK)
367 i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
368 else if (pubin || pubout)
369 i = i2b_PublicKey_bio(out, pk);
370 else
371 i = i2b_PrivateKey_bio(out, pk);
372 EVP_PKEY_free(pk);
373#endif
374 } else {
375 BIO_printf(bio_err, "bad output format specified for outfile\n");
376 goto end;
377 }
378 if (i <= 0) {
379 BIO_printf(bio_err, "unable to write key\n");
380 ERR_print_errors(bio_err);
381 } else
382 ret = 0;
383end:
384 if (out != NULL)
385 BIO_free_all(out);
386 if (rsa != NULL)
387 RSA_free(rsa);
388 free(passin);
389 free(passout);
390
391 return (ret);
392}
diff --git a/src/lib/libssl/src/apps/rsautl.c b/src/lib/libssl/src/apps/rsautl.c
deleted file mode 100644
index d961582fe4..0000000000
--- a/src/lib/libssl/src/apps/rsautl.c
+++ /dev/null
@@ -1,341 +0,0 @@
1/* $OpenBSD: rsautl.c,v 1.24 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/opensslconf.h>
60
61
62#include <string.h>
63
64#include "apps.h"
65
66#include <openssl/err.h>
67#include <openssl/pem.h>
68#include <openssl/rsa.h>
69
70#define RSA_SIGN 1
71#define RSA_VERIFY 2
72#define RSA_ENCRYPT 3
73#define RSA_DECRYPT 4
74
75#define KEY_PRIVKEY 1
76#define KEY_PUBKEY 2
77#define KEY_CERT 3
78
79static void usage(void);
80
81int rsautl_main(int argc, char **);
82
83int
84rsautl_main(int argc, char **argv)
85{
86 ENGINE *e = NULL;
87 BIO *in = NULL, *out = NULL;
88 char *infile = NULL, *outfile = NULL;
89#ifndef OPENSSL_NO_ENGINE
90 char *engine = NULL;
91#endif
92 char *keyfile = NULL;
93 char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
94 int keyform = FORMAT_PEM;
95 char need_priv = 0, badarg = 0, rev = 0;
96 char hexdump = 0, asn1parse = 0;
97 X509 *x;
98 EVP_PKEY *pkey = NULL;
99 RSA *rsa = NULL;
100 unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
101 char *passargin = NULL, *passin = NULL;
102 int rsa_inlen, rsa_outlen = 0;
103 int keysize;
104
105 int ret = 1;
106
107 argc--;
108 argv++;
109
110 ERR_load_crypto_strings();
111 OpenSSL_add_all_algorithms();
112 pad = RSA_PKCS1_PADDING;
113
114 while (argc >= 1) {
115 if (!strcmp(*argv, "-in")) {
116 if (--argc < 1)
117 badarg = 1;
118 else
119 infile = *(++argv);
120 } else if (!strcmp(*argv, "-out")) {
121 if (--argc < 1)
122 badarg = 1;
123 else
124 outfile = *(++argv);
125 } else if (!strcmp(*argv, "-inkey")) {
126 if (--argc < 1)
127 badarg = 1;
128 else
129 keyfile = *(++argv);
130 } else if (!strcmp(*argv, "-passin")) {
131 if (--argc < 1)
132 badarg = 1;
133 else
134 passargin = *(++argv);
135 } else if (strcmp(*argv, "-keyform") == 0) {
136 if (--argc < 1)
137 badarg = 1;
138 else
139 keyform = str2fmt(*(++argv));
140#ifndef OPENSSL_NO_ENGINE
141 } else if (!strcmp(*argv, "-engine")) {
142 if (--argc < 1)
143 badarg = 1;
144 else
145 engine = *(++argv);
146#endif
147 } else if (!strcmp(*argv, "-pubin")) {
148 key_type = KEY_PUBKEY;
149 } else if (!strcmp(*argv, "-certin")) {
150 key_type = KEY_CERT;
151 } else if (!strcmp(*argv, "-asn1parse"))
152 asn1parse = 1;
153 else if (!strcmp(*argv, "-hexdump"))
154 hexdump = 1;
155 else if (!strcmp(*argv, "-raw"))
156 pad = RSA_NO_PADDING;
157 else if (!strcmp(*argv, "-oaep"))
158 pad = RSA_PKCS1_OAEP_PADDING;
159 else if (!strcmp(*argv, "-ssl"))
160 pad = RSA_SSLV23_PADDING;
161 else if (!strcmp(*argv, "-pkcs"))
162 pad = RSA_PKCS1_PADDING;
163 else if (!strcmp(*argv, "-x931"))
164 pad = RSA_X931_PADDING;
165 else if (!strcmp(*argv, "-sign")) {
166 rsa_mode = RSA_SIGN;
167 need_priv = 1;
168 } else if (!strcmp(*argv, "-verify"))
169 rsa_mode = RSA_VERIFY;
170 else if (!strcmp(*argv, "-rev"))
171 rev = 1;
172 else if (!strcmp(*argv, "-encrypt"))
173 rsa_mode = RSA_ENCRYPT;
174 else if (!strcmp(*argv, "-decrypt")) {
175 rsa_mode = RSA_DECRYPT;
176 need_priv = 1;
177 } else
178 badarg = 1;
179 if (badarg) {
180 usage();
181 goto end;
182 }
183 argc--;
184 argv++;
185 }
186
187 if (need_priv && (key_type != KEY_PRIVKEY)) {
188 BIO_printf(bio_err, "A private key is needed for this operation\n");
189 goto end;
190 }
191#ifndef OPENSSL_NO_ENGINE
192 e = setup_engine(bio_err, engine, 0);
193#endif
194 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
195 BIO_printf(bio_err, "Error getting password\n");
196 goto end;
197 }
198
199 switch (key_type) {
200 case KEY_PRIVKEY:
201 pkey = load_key(bio_err, keyfile, keyform, 0,
202 passin, e, "Private Key");
203 break;
204
205 case KEY_PUBKEY:
206 pkey = load_pubkey(bio_err, keyfile, keyform, 0,
207 NULL, e, "Public Key");
208 break;
209
210 case KEY_CERT:
211 x = load_cert(bio_err, keyfile, keyform,
212 NULL, e, "Certificate");
213 if (x) {
214 pkey = X509_get_pubkey(x);
215 X509_free(x);
216 }
217 break;
218 }
219
220 if (!pkey) {
221 return 1;
222 }
223 rsa = EVP_PKEY_get1_RSA(pkey);
224 EVP_PKEY_free(pkey);
225
226 if (!rsa) {
227 BIO_printf(bio_err, "Error getting RSA key\n");
228 ERR_print_errors(bio_err);
229 goto end;
230 }
231 if (infile) {
232 if (!(in = BIO_new_file(infile, "rb"))) {
233 BIO_printf(bio_err, "Error Reading Input File\n");
234 ERR_print_errors(bio_err);
235 goto end;
236 }
237 } else
238 in = BIO_new_fp(stdin, BIO_NOCLOSE);
239
240 if (outfile) {
241 if (!(out = BIO_new_file(outfile, "wb"))) {
242 BIO_printf(bio_err, "Error Reading Output File\n");
243 ERR_print_errors(bio_err);
244 goto end;
245 }
246 } else {
247 out = BIO_new_fp(stdout, BIO_NOCLOSE);
248 }
249
250 keysize = RSA_size(rsa);
251
252 rsa_in = reallocarray(NULL, keysize, 2);
253 rsa_out = malloc(keysize);
254
255 /* Read the input data */
256 rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
257 if (rsa_inlen <= 0) {
258 BIO_printf(bio_err, "Error reading input Data\n");
259 exit(1);
260 }
261 if (rev) {
262 int i;
263 unsigned char ctmp;
264 for (i = 0; i < rsa_inlen / 2; i++) {
265 ctmp = rsa_in[i];
266 rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
267 rsa_in[rsa_inlen - 1 - i] = ctmp;
268 }
269 }
270 switch (rsa_mode) {
271
272 case RSA_VERIFY:
273 rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
274 break;
275
276 case RSA_SIGN:
277 rsa_outlen = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
278 break;
279
280 case RSA_ENCRYPT:
281 rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
282 break;
283
284 case RSA_DECRYPT:
285 rsa_outlen = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
286 break;
287
288 }
289
290 if (rsa_outlen <= 0) {
291 BIO_printf(bio_err, "RSA operation error\n");
292 ERR_print_errors(bio_err);
293 goto end;
294 }
295 ret = 0;
296 if (asn1parse) {
297 if (!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
298 ERR_print_errors(bio_err);
299 }
300 } else if (hexdump)
301 BIO_dump(out, (char *) rsa_out, rsa_outlen);
302 else
303 BIO_write(out, rsa_out, rsa_outlen);
304
305end:
306 RSA_free(rsa);
307 BIO_free(in);
308 BIO_free_all(out);
309 free(rsa_in);
310 free(rsa_out);
311 free(passin);
312
313 return ret;
314}
315
316static void
317usage()
318{
319 BIO_printf(bio_err, "Usage: rsautl [options]\n");
320 BIO_printf(bio_err, "-in file input file\n");
321 BIO_printf(bio_err, "-out file output file\n");
322 BIO_printf(bio_err, "-inkey file input key\n");
323 BIO_printf(bio_err, "-keyform arg private key format - default PEM\n");
324 BIO_printf(bio_err, "-pubin input is an RSA public\n");
325 BIO_printf(bio_err, "-certin input is a certificate carrying an RSA public key\n");
326 BIO_printf(bio_err, "-ssl use SSL v2 padding\n");
327 BIO_printf(bio_err, "-raw use no padding\n");
328 BIO_printf(bio_err, "-pkcs use PKCS#1 v1.5 padding (default)\n");
329 BIO_printf(bio_err, "-oaep use PKCS#1 OAEP\n");
330 BIO_printf(bio_err, "-sign sign with private key\n");
331 BIO_printf(bio_err, "-verify verify with public key\n");
332 BIO_printf(bio_err, "-encrypt encrypt with public key\n");
333 BIO_printf(bio_err, "-decrypt decrypt with private key\n");
334 BIO_printf(bio_err, "-hexdump hex dump output\n");
335#ifndef OPENSSL_NO_ENGINE
336 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
337 BIO_printf(bio_err, "-passin arg pass phrase source\n");
338#endif
339
340}
341
diff --git a/src/lib/libssl/src/apps/s_apps.h b/src/lib/libssl/src/apps/s_apps.h
deleted file mode 100644
index e81350ea56..0000000000
--- a/src/lib/libssl/src/apps/s_apps.h
+++ /dev/null
@@ -1,147 +0,0 @@
1/* $OpenBSD: s_apps.h,v 1.14 2014/06/12 15:49:27 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111#include <sys/types.h>
112#include <openssl/opensslconf.h>
113
114#define PORT 4433
115#define PORT_STR "4433"
116#define PROTOCOL "tcp"
117
118int do_server(int port, int type, int *ret,
119 int (*cb)(char *hostname, int s, unsigned char *context),
120 unsigned char *context);
121#ifdef HEADER_X509_H
122int verify_callback(int ok, X509_STORE_CTX *ctx);
123#endif
124#ifdef HEADER_SSL_H
125int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
126int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
127#endif
128int init_client(int *sock, char *server, char *port, int type, int af);
129int should_retry(int i);
130int extract_port(char *str, short *port_ptr);
131int extract_host_port(char *str, char **host_ptr, unsigned char *ip, char **p);
132
133long bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi,
134 long argl, long ret);
135
136#ifdef HEADER_SSL_H
137void apps_ssl_info_callback(const SSL *s, int where, int ret);
138void msg_cb(int write_p, int version, int content_type, const void *buf,
139 size_t len, SSL *ssl, void *arg);
140void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
141 int len, void *arg);
142#endif
143
144int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
145 unsigned int *cookie_len);
146int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
147 unsigned int cookie_len);
diff --git a/src/lib/libssl/src/apps/s_cb.c b/src/lib/libssl/src/apps/s_cb.c
deleted file mode 100644
index 29dd80e87d..0000000000
--- a/src/lib/libssl/src/apps/s_cb.c
+++ /dev/null
@@ -1,854 +0,0 @@
1/* $OpenBSD: s_cb.c,v 1.22 2014/06/13 04:29:13 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <sys/socket.h>
113
114#include <netinet/in.h>
115
116#include <netdb.h>
117#include <stdio.h>
118#include <stdlib.h>
119#include <string.h>
120
121#include "apps.h"
122
123#include <openssl/err.h>
124#include <openssl/rand.h>
125#include <openssl/ssl.h>
126#include <openssl/x509.h>
127
128#include "s_apps.h"
129
130#define COOKIE_SECRET_LENGTH 16
131
132int verify_depth = 0;
133int verify_error = X509_V_OK;
134int verify_return_error = 0;
135unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
136int cookie_initialized = 0;
137
138int
139verify_callback(int ok, X509_STORE_CTX * ctx)
140{
141 X509 *err_cert;
142 int err, depth;
143
144 err_cert = X509_STORE_CTX_get_current_cert(ctx);
145 err = X509_STORE_CTX_get_error(ctx);
146 depth = X509_STORE_CTX_get_error_depth(ctx);
147
148 BIO_printf(bio_err, "depth=%d ", depth);
149 if (err_cert) {
150 X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
151 0, XN_FLAG_ONELINE);
152 BIO_puts(bio_err, "\n");
153 } else
154 BIO_puts(bio_err, "<no cert>\n");
155 if (!ok) {
156 BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
157 X509_verify_cert_error_string(err));
158 if (verify_depth >= depth) {
159 if (!verify_return_error)
160 ok = 1;
161 verify_error = X509_V_OK;
162 } else {
163 ok = 0;
164 verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
165 }
166 }
167 switch (err) {
168 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
169 BIO_puts(bio_err, "issuer= ");
170 X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
171 0, XN_FLAG_ONELINE);
172 BIO_puts(bio_err, "\n");
173 break;
174 case X509_V_ERR_CERT_NOT_YET_VALID:
175 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
176 BIO_printf(bio_err, "notBefore=");
177 ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
178 BIO_printf(bio_err, "\n");
179 break;
180 case X509_V_ERR_CERT_HAS_EXPIRED:
181 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
182 BIO_printf(bio_err, "notAfter=");
183 ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
184 BIO_printf(bio_err, "\n");
185 break;
186 case X509_V_ERR_NO_EXPLICIT_POLICY:
187 policies_print(bio_err, ctx);
188 break;
189 }
190 if (err == X509_V_OK && ok == 2)
191 policies_print(bio_err, ctx);
192
193 BIO_printf(bio_err, "verify return:%d\n", ok);
194 return (ok);
195}
196
197int
198set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
199{
200 if (cert_file != NULL) {
201 /*
202 SSL *ssl;
203 X509 *x509;
204 */
205
206 if (SSL_CTX_use_certificate_file(ctx, cert_file,
207 SSL_FILETYPE_PEM) <= 0) {
208 BIO_printf(bio_err,
209 "unable to get certificate from '%s'\n", cert_file);
210 ERR_print_errors(bio_err);
211 return (0);
212 }
213 if (key_file == NULL)
214 key_file = cert_file;
215 if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
216 SSL_FILETYPE_PEM) <= 0) {
217 BIO_printf(bio_err,
218 "unable to get private key from '%s'\n", key_file);
219 ERR_print_errors(bio_err);
220 return (0);
221 }
222 /*
223 In theory this is no longer needed
224 ssl=SSL_new(ctx);
225 x509=SSL_get_certificate(ssl);
226
227 if (x509 != NULL) {
228 EVP_PKEY *pktmp;
229 pktmp = X509_get_pubkey(x509);
230 EVP_PKEY_copy_parameters(pktmp,
231 SSL_get_privatekey(ssl));
232 EVP_PKEY_free(pktmp);
233 }
234 SSL_free(ssl);
235 */
236
237 /*
238 * If we are using DSA, we can copy the parameters from the
239 * private key
240 */
241
242
243 /*
244 * Now we know that a key and cert have been set against the
245 * SSL context
246 */
247 if (!SSL_CTX_check_private_key(ctx)) {
248 BIO_printf(bio_err,
249 "Private key does not match the certificate public key\n");
250 return (0);
251 }
252 }
253 return (1);
254}
255
256int
257set_cert_key_stuff(SSL_CTX * ctx, X509 * cert, EVP_PKEY * key)
258{
259 if (cert == NULL)
260 return 1;
261 if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
262 BIO_printf(bio_err, "error setting certificate\n");
263 ERR_print_errors(bio_err);
264 return 0;
265 }
266 if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
267 BIO_printf(bio_err, "error setting private key\n");
268 ERR_print_errors(bio_err);
269 return 0;
270 }
271 /*
272 * Now we know that a key and cert have been set against the SSL
273 * context
274 */
275 if (!SSL_CTX_check_private_key(ctx)) {
276 BIO_printf(bio_err,
277 "Private key does not match the certificate public key\n");
278 return 0;
279 }
280 return 1;
281}
282
283long
284bio_dump_callback(BIO * bio, int cmd, const char *argp,
285 int argi, long argl, long ret)
286{
287 BIO *out;
288
289 out = (BIO *) BIO_get_callback_arg(bio);
290 if (out == NULL)
291 return (ret);
292
293 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
294 BIO_printf(out,
295 "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
296 (void *) bio, argp, (unsigned long) argi, ret, ret);
297 BIO_dump(out, argp, (int) ret);
298 return (ret);
299 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
300 BIO_printf(out,
301 "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
302 (void *) bio, argp, (unsigned long) argi, ret, ret);
303 BIO_dump(out, argp, (int) ret);
304 }
305 return (ret);
306}
307
308void
309apps_ssl_info_callback(const SSL * s, int where, int ret)
310{
311 const char *str;
312 int w;
313
314 w = where & ~SSL_ST_MASK;
315
316 if (w & SSL_ST_CONNECT)
317 str = "SSL_connect";
318 else if (w & SSL_ST_ACCEPT)
319 str = "SSL_accept";
320 else
321 str = "undefined";
322
323 if (where & SSL_CB_LOOP) {
324 BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
325 } else if (where & SSL_CB_ALERT) {
326 str = (where & SSL_CB_READ) ? "read" : "write";
327 BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str,
328 SSL_alert_type_string_long(ret),
329 SSL_alert_desc_string_long(ret));
330 } else if (where & SSL_CB_EXIT) {
331 if (ret == 0)
332 BIO_printf(bio_err, "%s:failed in %s\n",
333 str, SSL_state_string_long(s));
334 else if (ret < 0) {
335 BIO_printf(bio_err, "%s:error in %s\n",
336 str, SSL_state_string_long(s));
337 }
338 }
339}
340
341
342void
343msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL * ssl, void *arg)
344{
345 BIO *bio = arg;
346 const char *str_write_p, *str_version, *str_content_type = "",
347 *str_details1 = "", *str_details2 = "";
348
349 str_write_p = write_p ? ">>>" : "<<<";
350
351 switch (version) {
352 case SSL2_VERSION:
353 str_version = "SSL 2.0";
354 break;
355 case SSL3_VERSION:
356 str_version = "SSL 3.0 ";
357 break;
358 case TLS1_VERSION:
359 str_version = "TLS 1.0 ";
360 break;
361 case TLS1_1_VERSION:
362 str_version = "TLS 1.1 ";
363 break;
364 case TLS1_2_VERSION:
365 str_version = "TLS 1.2 ";
366 break;
367 case DTLS1_VERSION:
368 str_version = "DTLS 1.0 ";
369 break;
370 case DTLS1_BAD_VER:
371 str_version = "DTLS 1.0 (bad) ";
372 break;
373 default:
374 str_version = "???";
375 }
376
377 if (version == SSL2_VERSION) {
378 str_details1 = "???";
379
380 if (len > 0) {
381 switch (((const unsigned char *) buf)[0]) {
382 case 0:
383 str_details1 = ", ERROR:";
384 str_details2 = " ???";
385 if (len >= 3) {
386 unsigned err = (((const unsigned char *) buf)[1] << 8) + ((const unsigned char *) buf)[2];
387
388 switch (err) {
389 case 0x0001:
390 str_details2 = " NO-CIPHER-ERROR";
391 break;
392 case 0x0002:
393 str_details2 = " NO-CERTIFICATE-ERROR";
394 break;
395 case 0x0004:
396 str_details2 = " BAD-CERTIFICATE-ERROR";
397 break;
398 case 0x0006:
399 str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
400 break;
401 }
402 }
403 break;
404 case 1:
405 str_details1 = ", CLIENT-HELLO";
406 break;
407 case 2:
408 str_details1 = ", CLIENT-MASTER-KEY";
409 break;
410 case 3:
411 str_details1 = ", CLIENT-FINISHED";
412 break;
413 case 4:
414 str_details1 = ", SERVER-HELLO";
415 break;
416 case 5:
417 str_details1 = ", SERVER-VERIFY";
418 break;
419 case 6:
420 str_details1 = ", SERVER-FINISHED";
421 break;
422 case 7:
423 str_details1 = ", REQUEST-CERTIFICATE";
424 break;
425 case 8:
426 str_details1 = ", CLIENT-CERTIFICATE";
427 break;
428 }
429 }
430 }
431 if (version == SSL3_VERSION || version == TLS1_VERSION ||
432 version == TLS1_1_VERSION || version == TLS1_2_VERSION ||
433 version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
434 switch (content_type) {
435 case 20:
436 str_content_type = "ChangeCipherSpec";
437 break;
438 case 21:
439 str_content_type = "Alert";
440 break;
441 case 22:
442 str_content_type = "Handshake";
443 break;
444 }
445
446 if (content_type == 21) { /* Alert */
447 str_details1 = ", ???";
448
449 if (len == 2) {
450 switch (((const unsigned char *) buf)[0]) {
451 case 1:
452 str_details1 = ", warning";
453 break;
454 case 2:
455 str_details1 = ", fatal";
456 break;
457 }
458
459 str_details2 = " ???";
460 switch (((const unsigned char *) buf)[1]) {
461 case 0:
462 str_details2 = " close_notify";
463 break;
464 case 10:
465 str_details2 = " unexpected_message";
466 break;
467 case 20:
468 str_details2 = " bad_record_mac";
469 break;
470 case 21:
471 str_details2 = " decryption_failed";
472 break;
473 case 22:
474 str_details2 = " record_overflow";
475 break;
476 case 30:
477 str_details2 = " decompression_failure";
478 break;
479 case 40:
480 str_details2 = " handshake_failure";
481 break;
482 case 42:
483 str_details2 = " bad_certificate";
484 break;
485 case 43:
486 str_details2 = " unsupported_certificate";
487 break;
488 case 44:
489 str_details2 = " certificate_revoked";
490 break;
491 case 45:
492 str_details2 = " certificate_expired";
493 break;
494 case 46:
495 str_details2 = " certificate_unknown";
496 break;
497 case 47:
498 str_details2 = " illegal_parameter";
499 break;
500 case 48:
501 str_details2 = " unknown_ca";
502 break;
503 case 49:
504 str_details2 = " access_denied";
505 break;
506 case 50:
507 str_details2 = " decode_error";
508 break;
509 case 51:
510 str_details2 = " decrypt_error";
511 break;
512 case 60:
513 str_details2 = " export_restriction";
514 break;
515 case 70:
516 str_details2 = " protocol_version";
517 break;
518 case 71:
519 str_details2 = " insufficient_security";
520 break;
521 case 80:
522 str_details2 = " internal_error";
523 break;
524 case 90:
525 str_details2 = " user_canceled";
526 break;
527 case 100:
528 str_details2 = " no_renegotiation";
529 break;
530 case 110:
531 str_details2 = " unsupported_extension";
532 break;
533 case 111:
534 str_details2 = " certificate_unobtainable";
535 break;
536 case 112:
537 str_details2 = " unrecognized_name";
538 break;
539 case 113:
540 str_details2 = " bad_certificate_status_response";
541 break;
542 case 114:
543 str_details2 = " bad_certificate_hash_value";
544 break;
545 case 115:
546 str_details2 = " unknown_psk_identity";
547 break;
548 }
549 }
550 }
551 if (content_type == 22) { /* Handshake */
552 str_details1 = "???";
553
554 if (len > 0) {
555 switch (((const unsigned char *) buf)[0]) {
556 case 0:
557 str_details1 = ", HelloRequest";
558 break;
559 case 1:
560 str_details1 = ", ClientHello";
561 break;
562 case 2:
563 str_details1 = ", ServerHello";
564 break;
565 case 3:
566 str_details1 = ", HelloVerifyRequest";
567 break;
568 case 11:
569 str_details1 = ", Certificate";
570 break;
571 case 12:
572 str_details1 = ", ServerKeyExchange";
573 break;
574 case 13:
575 str_details1 = ", CertificateRequest";
576 break;
577 case 14:
578 str_details1 = ", ServerHelloDone";
579 break;
580 case 15:
581 str_details1 = ", CertificateVerify";
582 break;
583 case 16:
584 str_details1 = ", ClientKeyExchange";
585 break;
586 case 20:
587 str_details1 = ", Finished";
588 break;
589 }
590 }
591 }
592 }
593 BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p,
594 str_version, str_content_type, (unsigned long) len,
595 str_details1, str_details2);
596
597 if (len > 0) {
598 size_t num, i;
599
600 BIO_printf(bio, " ");
601 num = len;
602#if 0
603 if (num > 16)
604 num = 16;
605#endif
606 for (i = 0; i < num; i++) {
607 if (i % 16 == 0 && i > 0)
608 BIO_printf(bio, "\n ");
609 BIO_printf(bio, " %02x",
610 ((const unsigned char *) buf)[i]);
611 }
612 if (i < len)
613 BIO_printf(bio, " ...");
614 BIO_printf(bio, "\n");
615 }
616 (void) BIO_flush(bio);
617}
618
619void
620tlsext_cb(SSL * s, int client_server, int type, unsigned char *data, int len,
621 void *arg)
622{
623 BIO *bio = arg;
624 char *extname;
625
626 switch (type) {
627 case TLSEXT_TYPE_server_name:
628 extname = "server name";
629 break;
630
631 case TLSEXT_TYPE_max_fragment_length:
632 extname = "max fragment length";
633 break;
634
635 case TLSEXT_TYPE_client_certificate_url:
636 extname = "client certificate URL";
637 break;
638
639 case TLSEXT_TYPE_trusted_ca_keys:
640 extname = "trusted CA keys";
641 break;
642
643 case TLSEXT_TYPE_truncated_hmac:
644 extname = "truncated HMAC";
645 break;
646
647 case TLSEXT_TYPE_status_request:
648 extname = "status request";
649 break;
650
651 case TLSEXT_TYPE_user_mapping:
652 extname = "user mapping";
653 break;
654
655 case TLSEXT_TYPE_client_authz:
656 extname = "client authz";
657 break;
658
659 case TLSEXT_TYPE_server_authz:
660 extname = "server authz";
661 break;
662
663 case TLSEXT_TYPE_cert_type:
664 extname = "cert type";
665 break;
666
667 case TLSEXT_TYPE_elliptic_curves:
668 extname = "elliptic curves";
669 break;
670
671 case TLSEXT_TYPE_ec_point_formats:
672 extname = "EC point formats";
673 break;
674
675 case TLSEXT_TYPE_srp:
676 extname = "SRP";
677 break;
678
679 case TLSEXT_TYPE_signature_algorithms:
680 extname = "signature algorithms";
681 break;
682
683 case TLSEXT_TYPE_use_srtp:
684 extname = "use SRTP";
685 break;
686
687 case TLSEXT_TYPE_heartbeat:
688 extname = "heartbeat";
689 break;
690
691 case TLSEXT_TYPE_session_ticket:
692 extname = "session ticket";
693 break;
694
695 case TLSEXT_TYPE_renegotiate:
696 extname = "renegotiation info";
697 break;
698
699#ifdef TLSEXT_TYPE_next_proto_neg
700 case TLSEXT_TYPE_next_proto_neg:
701 extname = "next protocol";
702 break;
703#endif
704
705 default:
706 extname = "unknown";
707 break;
708
709 }
710
711 BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
712 client_server ? "server" : "client", extname, type, len);
713 BIO_dump(bio, (char *) data, len);
714 (void) BIO_flush(bio);
715}
716
717int
718generate_cookie_callback(SSL * ssl, unsigned char *cookie,
719 unsigned int *cookie_len)
720{
721 unsigned char *buffer, result[EVP_MAX_MD_SIZE];
722 unsigned int length, resultlength;
723 union {
724 struct sockaddr sa;
725 struct sockaddr_in s4;
726 struct sockaddr_in6 s6;
727 } peer;
728
729 /* Initialize a random secret */
730 if (!cookie_initialized) {
731 if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) {
732 BIO_printf(bio_err,
733 "error setting random cookie secret\n");
734 return 0;
735 }
736 cookie_initialized = 1;
737 }
738 /* Read peer information */
739 (void) BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
740
741 /* Create buffer with peer's address and port */
742 length = 0;
743 switch (peer.sa.sa_family) {
744 case AF_INET:
745 length += sizeof(struct in_addr);
746 length += sizeof(peer.s4.sin_port);
747 break;
748 case AF_INET6:
749 length += sizeof(struct in6_addr);
750 length += sizeof(peer.s6.sin6_port);
751 break;
752 default:
753 OPENSSL_assert(0);
754 break;
755 }
756 buffer = malloc(length);
757
758 if (buffer == NULL) {
759 BIO_printf(bio_err, "out of memory\n");
760 return 0;
761 }
762 switch (peer.sa.sa_family) {
763 case AF_INET:
764 memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
765 memcpy(buffer + sizeof(peer.s4.sin_port),
766 &peer.s4.sin_addr, sizeof(struct in_addr));
767 break;
768 case AF_INET6:
769 memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
770 memcpy(buffer + sizeof(peer.s6.sin6_port),
771 &peer.s6.sin6_addr, sizeof(struct in6_addr));
772 break;
773 default:
774 OPENSSL_assert(0);
775 break;
776 }
777
778 /* Calculate HMAC of buffer using the secret */
779 HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
780 buffer, length, result, &resultlength);
781 free(buffer);
782
783 memcpy(cookie, result, resultlength);
784 *cookie_len = resultlength;
785
786 return 1;
787}
788
789int
790verify_cookie_callback(SSL * ssl, unsigned char *cookie, unsigned int cookie_len)
791{
792 unsigned char *buffer, result[EVP_MAX_MD_SIZE];
793 unsigned int length, resultlength;
794 union {
795 struct sockaddr sa;
796 struct sockaddr_in s4;
797 struct sockaddr_in6 s6;
798 } peer;
799
800 /* If secret isn't initialized yet, the cookie can't be valid */
801 if (!cookie_initialized)
802 return 0;
803
804 /* Read peer information */
805 (void) BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
806
807 /* Create buffer with peer's address and port */
808 length = 0;
809 switch (peer.sa.sa_family) {
810 case AF_INET:
811 length += sizeof(struct in_addr);
812 length += sizeof(peer.s4.sin_port);
813 break;
814 case AF_INET6:
815 length += sizeof(struct in6_addr);
816 length += sizeof(peer.s6.sin6_port);
817 break;
818 default:
819 OPENSSL_assert(0);
820 break;
821 }
822 buffer = malloc(length);
823
824 if (buffer == NULL) {
825 BIO_printf(bio_err, "out of memory\n");
826 return 0;
827 }
828 switch (peer.sa.sa_family) {
829 case AF_INET:
830 memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
831 memcpy(buffer + sizeof(peer.s4.sin_port),
832 &peer.s4.sin_addr, sizeof(struct in_addr));
833 break;
834 case AF_INET6:
835 memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
836 memcpy(buffer + sizeof(peer.s6.sin6_port),
837 &peer.s6.sin6_addr, sizeof(struct in6_addr));
838 break;
839 default:
840 OPENSSL_assert(0);
841 break;
842 }
843
844 /* Calculate HMAC of buffer using the secret */
845 HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
846 buffer, length, result, &resultlength);
847 free(buffer);
848
849 if (cookie_len == resultlength &&
850 memcmp(result, cookie, resultlength) == 0)
851 return 1;
852
853 return 0;
854}
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
deleted file mode 100644
index 9cc764660c..0000000000
--- a/src/lib/libssl/src/apps/s_client.c
+++ /dev/null
@@ -1,1507 +0,0 @@
1/* $OpenBSD: s_client.c,v 1.70 2014/08/24 16:07:29 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <sys/types.h>
139#include <sys/ioctl.h>
140#include <sys/select.h>
141#include <sys/socket.h>
142
143#include <netinet/in.h>
144
145#include <assert.h>
146#include <ctype.h>
147#include <limits.h>
148#include <netdb.h>
149#include <stdio.h>
150#include <stdlib.h>
151#include <limits.h>
152#include <string.h>
153#include <unistd.h>
154
155#include "apps.h"
156
157#include <openssl/bn.h>
158#include <openssl/err.h>
159#include <openssl/ocsp.h>
160#include <openssl/pem.h>
161#include <openssl/rand.h>
162#include <openssl/ssl.h>
163#include <openssl/x509.h>
164
165#include "s_apps.h"
166#include "timeouts.h"
167
168/*#define SSL_HOST_NAME "www.netscape.com" */
169/*#define SSL_HOST_NAME "193.118.187.102" */
170#define SSL_HOST_NAME "localhost"
171
172 /*#define TEST_CERT "client.pem" *//* no default cert. */
173
174#define BUFSIZZ 1024*8
175
176extern int verify_depth;
177extern int verify_error;
178extern int verify_return_error;
179
180static int c_nbio = 0;
181static int c_Pause = 0;
182static int c_debug = 0;
183#ifndef OPENSSL_NO_TLSEXT
184static int c_tlsextdebug = 0;
185static int c_status_req = 0;
186#endif
187static int c_msg = 0;
188static int c_showcerts = 0;
189
190static char *keymatexportlabel = NULL;
191static int keymatexportlen = 20;
192
193static void sc_usage(void);
194static void print_stuff(BIO * berr, SSL * con, int full);
195#ifndef OPENSSL_NO_TLSEXT
196static int ocsp_resp_cb(SSL * s, void *arg);
197#endif
198static BIO *bio_c_out = NULL;
199static int c_quiet = 0;
200static int c_ign_eof = 0;
201
202
203static void
204sc_usage(void)
205{
206 BIO_printf(bio_err, "usage: s_client args\n");
207 BIO_printf(bio_err, "\n");
208 BIO_printf(bio_err, " -4 - Force IPv4\n");
209 BIO_printf(bio_err, " -6 - Force IPv6\n");
210 BIO_printf(bio_err, " -host host - use -connect instead\n");
211 BIO_printf(bio_err, " -port port - use -connect instead\n");
212 BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR);
213
214 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n");
215 BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n");
216 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
217 BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n");
218 BIO_printf(bio_err, " not specified but cert file is.\n");
219 BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n");
220 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n");
221 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
222 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
223 BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n");
224 BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n");
225 BIO_printf(bio_err, " -showcerts - show all certificates in the chain\n");
226 BIO_printf(bio_err, " -debug - extra output\n");
227 BIO_printf(bio_err, " -msg - Show protocol messages\n");
228 BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n");
229 BIO_printf(bio_err, " -state - print the 'ssl' states\n");
230 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
231 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n");
232 BIO_printf(bio_err, " -quiet - no s_client output\n");
233 BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n");
234 BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n");
235 BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
236 BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n");
237 BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n");
238 BIO_printf(bio_err, " -tls1 - just use TLSv1\n");
239 BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n");
240 BIO_printf(bio_err, " -mtu - set the link layer MTU\n");
241 BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
242 BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n");
243 BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
244 BIO_printf(bio_err, " command to see what is available\n");
245 BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
246 BIO_printf(bio_err, " for those protocols that support it, where\n");
247 BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n");
248 BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
249 BIO_printf(bio_err, " are supported.\n");
250#ifndef OPENSSL_NO_ENGINE
251 BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
252#endif
253 BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
254 BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n");
255#ifndef OPENSSL_NO_TLSEXT
256 BIO_printf(bio_err, " -servername host - Set TLS extension servername in ClientHello\n");
257 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
258 BIO_printf(bio_err, " -status - request certificate status from server\n");
259 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
260#ifndef OPENSSL_NO_NEXTPROTONEG
261 BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
262#endif
263#endif
264#ifndef OPENSSL_NO_SRTP
265 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
266#endif
267 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n");
268 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n");
269}
270
271#ifndef OPENSSL_NO_TLSEXT
272
273/* This is a context that we pass to callbacks */
274typedef struct tlsextctx_st {
275 BIO *biodebug;
276 int ack;
277} tlsextctx;
278
279
280static int
281ssl_servername_cb(SSL * s, int *ad, void *arg)
282{
283 tlsextctx *p = (tlsextctx *) arg;
284 const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
285 if (SSL_get_servername_type(s) != -1)
286 p->ack = !SSL_session_reused(s) && hn != NULL;
287 else
288 BIO_printf(bio_err, "Can't use SSL_get_servername\n");
289
290 return SSL_TLSEXT_ERR_OK;
291}
292
293#ifndef OPENSSL_NO_SRTP
294char *srtp_profiles = NULL;
295#endif
296
297#ifndef OPENSSL_NO_NEXTPROTONEG
298/* This the context that we pass to next_proto_cb */
299typedef struct tlsextnextprotoctx_st {
300 unsigned char *data;
301 unsigned short len;
302 int status;
303} tlsextnextprotoctx;
304
305static tlsextnextprotoctx next_proto;
306
307static int
308next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
309{
310 tlsextnextprotoctx *ctx = arg;
311
312 if (!c_quiet) {
313 /* We can assume that |in| is syntactically valid. */
314 unsigned i;
315 BIO_printf(bio_c_out, "Protocols advertised by server: ");
316 for (i = 0; i < inlen;) {
317 if (i)
318 BIO_write(bio_c_out, ", ", 2);
319 BIO_write(bio_c_out, &in[i + 1], in[i]);
320 i += in[i] + 1;
321 }
322 BIO_write(bio_c_out, "\n", 1);
323 }
324 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
325 return SSL_TLSEXT_ERR_OK;
326}
327#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
328#endif
329
330enum {
331 PROTO_OFF = 0,
332 PROTO_SMTP,
333 PROTO_LMTP,
334 PROTO_POP3,
335 PROTO_IMAP,
336 PROTO_FTP,
337 PROTO_XMPP
338};
339
340int s_client_main(int, char **);
341
342int
343s_client_main(int argc, char **argv)
344{
345 unsigned int off = 0, clr = 0;
346 SSL *con = NULL;
347 int s, k, width, state = 0, af = AF_UNSPEC;
348 char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
349 int cbuf_len, cbuf_off;
350 int sbuf_len, sbuf_off;
351 fd_set readfds, writefds;
352 char *port = PORT_STR;
353 int full_log = 1;
354 char *host = SSL_HOST_NAME;
355 char *cert_file = NULL, *key_file = NULL;
356 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
357 char *passarg = NULL, *pass = NULL;
358 X509 *cert = NULL;
359 EVP_PKEY *key = NULL;
360 char *CApath = NULL, *CAfile = NULL, *cipher = NULL;
361 int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0;
362 int crlf = 0;
363 int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
364 SSL_CTX *ctx = NULL;
365 int ret = 1, in_init = 1, i, nbio_test = 0;
366 int starttls_proto = PROTO_OFF;
367 int prexit = 0;
368 X509_VERIFY_PARAM *vpm = NULL;
369 int badarg = 0;
370 const SSL_METHOD *meth = NULL;
371 int socket_type = SOCK_STREAM;
372 BIO *sbio;
373 int mbuf_len = 0;
374 struct timeval timeout, *timeoutp;
375 const char *errstr = NULL;
376#ifndef OPENSSL_NO_ENGINE
377 char *engine_id = NULL;
378 char *ssl_client_engine_id = NULL;
379 ENGINE *ssl_client_engine = NULL;
380#endif
381 ENGINE *e = NULL;
382#ifndef OPENSSL_NO_TLSEXT
383 char *servername = NULL;
384 tlsextctx tlsextcbp =
385 {NULL, 0};
386#ifndef OPENSSL_NO_NEXTPROTONEG
387 const char *next_proto_neg_in = NULL;
388#endif
389#endif
390 char *sess_in = NULL;
391 char *sess_out = NULL;
392 struct sockaddr peer;
393 int peerlen = sizeof(peer);
394 int enable_timeouts = 0;
395 long socket_mtu = 0;
396
397 meth = SSLv23_client_method();
398
399 c_Pause = 0;
400 c_quiet = 0;
401 c_ign_eof = 0;
402 c_debug = 0;
403 c_msg = 0;
404 c_showcerts = 0;
405
406 if (((cbuf = malloc(BUFSIZZ)) == NULL) ||
407 ((sbuf = malloc(BUFSIZZ)) == NULL) ||
408 ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) { /* NUL byte */
409 BIO_printf(bio_err, "out of memory\n");
410 goto end;
411 }
412 verify_depth = 0;
413 verify_error = X509_V_OK;
414 c_nbio = 0;
415
416 argc--;
417 argv++;
418 while (argc >= 1) {
419 if (strcmp(*argv, "-host") == 0) {
420 if (--argc < 1)
421 goto bad;
422 host = *(++argv);
423 } else if (strcmp(*argv, "-port") == 0) {
424 if (--argc < 1)
425 goto bad;
426 port = *(++argv);
427 if (port == NULL || *port == '\0')
428 goto bad;
429 } else if (strcmp(*argv, "-connect") == 0) {
430 if (--argc < 1)
431 goto bad;
432 if (!extract_host_port(*(++argv), &host, NULL, &port))
433 goto bad;
434 } else if (strcmp(*argv, "-verify") == 0) {
435 verify = SSL_VERIFY_PEER;
436 if (--argc < 1)
437 goto bad;
438 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
439 if (errstr)
440 goto bad;
441 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
442 } else if (strcmp(*argv, "-cert") == 0) {
443 if (--argc < 1)
444 goto bad;
445 cert_file = *(++argv);
446 } else if (strcmp(*argv, "-sess_out") == 0) {
447 if (--argc < 1)
448 goto bad;
449 sess_out = *(++argv);
450 } else if (strcmp(*argv, "-sess_in") == 0) {
451 if (--argc < 1)
452 goto bad;
453 sess_in = *(++argv);
454 } else if (strcmp(*argv, "-certform") == 0) {
455 if (--argc < 1)
456 goto bad;
457 cert_format = str2fmt(*(++argv));
458 } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
459 if (badarg)
460 goto bad;
461 continue;
462 } else if (strcmp(*argv, "-verify_return_error") == 0)
463 verify_return_error = 1;
464 else if (strcmp(*argv, "-prexit") == 0)
465 prexit = 1;
466 else if (strcmp(*argv, "-crlf") == 0)
467 crlf = 1;
468 else if (strcmp(*argv, "-quiet") == 0) {
469 c_quiet = 1;
470 c_ign_eof = 1;
471 } else if (strcmp(*argv, "-ign_eof") == 0)
472 c_ign_eof = 1;
473 else if (strcmp(*argv, "-no_ign_eof") == 0)
474 c_ign_eof = 0;
475 else if (strcmp(*argv, "-pause") == 0)
476 c_Pause = 1;
477 else if (strcmp(*argv, "-debug") == 0)
478 c_debug = 1;
479#ifndef OPENSSL_NO_TLSEXT
480 else if (strcmp(*argv, "-tlsextdebug") == 0)
481 c_tlsextdebug = 1;
482 else if (strcmp(*argv, "-status") == 0)
483 c_status_req = 1;
484#endif
485 else if (strcmp(*argv, "-msg") == 0)
486 c_msg = 1;
487 else if (strcmp(*argv, "-showcerts") == 0)
488 c_showcerts = 1;
489 else if (strcmp(*argv, "-nbio_test") == 0)
490 nbio_test = 1;
491 else if (strcmp(*argv, "-state") == 0)
492 state = 1;
493 else if (strcmp(*argv, "-ssl3") == 0)
494 meth = SSLv3_client_method();
495 else if (strcmp(*argv, "-tls1_2") == 0)
496 meth = TLSv1_2_client_method();
497 else if (strcmp(*argv, "-tls1_1") == 0)
498 meth = TLSv1_1_client_method();
499 else if (strcmp(*argv, "-tls1") == 0)
500 meth = TLSv1_client_method();
501#ifndef OPENSSL_NO_DTLS1
502 else if (strcmp(*argv, "-dtls1") == 0) {
503 meth = DTLSv1_client_method();
504 socket_type = SOCK_DGRAM;
505 } else if (strcmp(*argv, "-timeout") == 0)
506 enable_timeouts = 1;
507 else if (strcmp(*argv, "-mtu") == 0) {
508 if (--argc < 1)
509 goto bad;
510 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr);
511 if (errstr)
512 goto bad;
513 }
514#endif
515 else if (strcmp(*argv, "-bugs") == 0)
516 bugs = 1;
517 else if (strcmp(*argv, "-keyform") == 0) {
518 if (--argc < 1)
519 goto bad;
520 key_format = str2fmt(*(++argv));
521 } else if (strcmp(*argv, "-pass") == 0) {
522 if (--argc < 1)
523 goto bad;
524 passarg = *(++argv);
525 } else if (strcmp(*argv, "-key") == 0) {
526 if (--argc < 1)
527 goto bad;
528 key_file = *(++argv);
529 } else if (strcmp(*argv, "-reconnect") == 0) {
530 reconnect = 5;
531 } else if (strcmp(*argv, "-CApath") == 0) {
532 if (--argc < 1)
533 goto bad;
534 CApath = *(++argv);
535 } else if (strcmp(*argv, "-CAfile") == 0) {
536 if (--argc < 1)
537 goto bad;
538 CAfile = *(++argv);
539 } else if (strcmp(*argv, "-no_tls1_2") == 0)
540 off |= SSL_OP_NO_TLSv1_2;
541 else if (strcmp(*argv, "-no_tls1_1") == 0)
542 off |= SSL_OP_NO_TLSv1_1;
543 else if (strcmp(*argv, "-no_tls1") == 0)
544 off |= SSL_OP_NO_TLSv1;
545 else if (strcmp(*argv, "-no_ssl3") == 0)
546 off |= SSL_OP_NO_SSLv3;
547 else if (strcmp(*argv, "-no_ssl2") == 0)
548 off |= SSL_OP_NO_SSLv2;
549 else if (strcmp(*argv, "-no_comp") == 0) {
550 off |= SSL_OP_NO_COMPRESSION;
551 }
552#ifndef OPENSSL_NO_TLSEXT
553 else if (strcmp(*argv, "-no_ticket") == 0) {
554 off |= SSL_OP_NO_TICKET;
555 }
556#ifndef OPENSSL_NO_NEXTPROTONEG
557 else if (strcmp(*argv, "-nextprotoneg") == 0) {
558 if (--argc < 1)
559 goto bad;
560 next_proto_neg_in = *(++argv);
561 }
562#endif
563#endif
564 else if (strcmp(*argv, "-serverpref") == 0)
565 off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
566 else if (strcmp(*argv, "-legacy_renegotiation") == 0)
567 ; /* no-op */
568 else if (strcmp(*argv, "-legacy_server_connect") == 0) {
569 off |= SSL_OP_LEGACY_SERVER_CONNECT;
570 } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
571 clr |= SSL_OP_LEGACY_SERVER_CONNECT;
572 } else if (strcmp(*argv, "-cipher") == 0) {
573 if (--argc < 1)
574 goto bad;
575 cipher = *(++argv);
576 }
577 else if (strcmp(*argv, "-nbio") == 0) {
578 c_nbio = 1;
579 }
580 else if (strcmp(*argv, "-starttls") == 0) {
581 if (--argc < 1)
582 goto bad;
583 ++argv;
584 if (strcmp(*argv, "smtp") == 0)
585 starttls_proto = PROTO_SMTP;
586 else if (strcmp(*argv, "lmtp") == 0)
587 starttls_proto = PROTO_LMTP;
588 else if (strcmp(*argv, "pop3") == 0)
589 starttls_proto = PROTO_POP3;
590 else if (strcmp(*argv, "imap") == 0)
591 starttls_proto = PROTO_IMAP;
592 else if (strcmp(*argv, "ftp") == 0)
593 starttls_proto = PROTO_FTP;
594 else if (strcmp(*argv, "xmpp") == 0)
595 starttls_proto = PROTO_XMPP;
596 else
597 goto bad;
598 }
599#ifndef OPENSSL_NO_ENGINE
600 else if (strcmp(*argv, "-engine") == 0) {
601 if (--argc < 1)
602 goto bad;
603 engine_id = *(++argv);
604 } else if (strcmp(*argv, "-ssl_client_engine") == 0) {
605 if (--argc < 1)
606 goto bad;
607 ssl_client_engine_id = *(++argv);
608 }
609#endif
610 else if (strcmp(*argv, "-4") == 0) {
611 af = AF_INET;
612 } else if (strcmp(*argv, "-6") == 0) {
613 af = AF_INET6;
614 }
615#ifndef OPENSSL_NO_TLSEXT
616 else if (strcmp(*argv, "-servername") == 0) {
617 if (--argc < 1)
618 goto bad;
619 servername = *(++argv);
620 /* meth=TLSv1_client_method(); */
621 }
622#endif
623#ifndef OPENSSL_NO_SRTP
624 else if (strcmp(*argv, "-use_srtp") == 0) {
625 if (--argc < 1)
626 goto bad;
627 srtp_profiles = *(++argv);
628 }
629#endif
630 else if (strcmp(*argv, "-keymatexport") == 0) {
631 if (--argc < 1)
632 goto bad;
633 keymatexportlabel = *(++argv);
634 } else if (strcmp(*argv, "-keymatexportlen") == 0) {
635 const char *errstr;
636
637 if (--argc < 1)
638 goto bad;
639 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr);
640 if (errstr)
641 goto bad;
642 } else {
643 BIO_printf(bio_err, "unknown option %s\n", *argv);
644 badop = 1;
645 break;
646 }
647 argc--;
648 argv++;
649 }
650 if (badop) {
651bad:
652 if (errstr)
653 BIO_printf(bio_err, "invalid argument %s: %s\n",
654 *argv, errstr);
655 else
656 sc_usage();
657 goto end;
658 }
659
660#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
661 next_proto.status = -1;
662 if (next_proto_neg_in) {
663 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
664 if (next_proto.data == NULL) {
665 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
666 goto end;
667 }
668 } else
669 next_proto.data = NULL;
670#endif
671
672#ifndef OPENSSL_NO_ENGINE
673 e = setup_engine(bio_err, engine_id, 1);
674 if (ssl_client_engine_id) {
675 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
676 if (!ssl_client_engine) {
677 BIO_printf(bio_err,
678 "Error getting client auth engine\n");
679 goto end;
680 }
681 }
682#endif
683 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
684 BIO_printf(bio_err, "Error getting password\n");
685 goto end;
686 }
687 if (key_file == NULL)
688 key_file = cert_file;
689
690
691 if (key_file) {
692
693 key = load_key(bio_err, key_file, key_format, 0, pass, e,
694 "client certificate private key file");
695 if (!key) {
696 ERR_print_errors(bio_err);
697 goto end;
698 }
699 }
700 if (cert_file) {
701 cert = load_cert(bio_err, cert_file, cert_format,
702 NULL, e, "client certificate file");
703
704 if (!cert) {
705 ERR_print_errors(bio_err);
706 goto end;
707 }
708 }
709 if (bio_c_out == NULL) {
710 if (c_quiet && !c_debug && !c_msg) {
711 bio_c_out = BIO_new(BIO_s_null());
712 } else {
713 if (bio_c_out == NULL)
714 bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
715 }
716 }
717
718 ctx = SSL_CTX_new(meth);
719 if (ctx == NULL) {
720 ERR_print_errors(bio_err);
721 goto end;
722 }
723 if (vpm)
724 SSL_CTX_set1_param(ctx, vpm);
725
726#ifndef OPENSSL_NO_ENGINE
727 if (ssl_client_engine) {
728 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
729 BIO_puts(bio_err, "Error setting client auth engine\n");
730 ERR_print_errors(bio_err);
731 ENGINE_free(ssl_client_engine);
732 goto end;
733 }
734 ENGINE_free(ssl_client_engine);
735 }
736#endif
737
738#ifndef OPENSSL_NO_SRTP
739 if (srtp_profiles != NULL)
740 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
741#endif
742 if (bugs)
743 SSL_CTX_set_options(ctx, SSL_OP_ALL | off);
744 else
745 SSL_CTX_set_options(ctx, off);
746
747 if (clr)
748 SSL_CTX_clear_options(ctx, clr);
749 /*
750 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
751 * read ahead solves this problem.
752 */
753 if (socket_type == SOCK_DGRAM)
754 SSL_CTX_set_read_ahead(ctx, 1);
755
756#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
757 if (next_proto.data)
758 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
759#endif
760
761 if (state)
762 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
763 if (cipher != NULL)
764 if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
765 BIO_printf(bio_err, "error setting cipher list\n");
766 ERR_print_errors(bio_err);
767 goto end;
768 }
769
770 SSL_CTX_set_verify(ctx, verify, verify_callback);
771 if (!set_cert_key_stuff(ctx, cert, key))
772 goto end;
773
774 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
775 (!SSL_CTX_set_default_verify_paths(ctx))) {
776 /*
777 * BIO_printf(bio_err,"error setting default verify
778 * locations\n");
779 */
780 ERR_print_errors(bio_err);
781 /* goto end; */
782 }
783#ifndef OPENSSL_NO_TLSEXT
784 if (servername != NULL) {
785 tlsextcbp.biodebug = bio_err;
786 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
787 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
788 }
789#endif
790
791 con = SSL_new(ctx);
792 if (sess_in) {
793 SSL_SESSION *sess;
794 BIO *stmp = BIO_new_file(sess_in, "r");
795 if (!stmp) {
796 BIO_printf(bio_err, "Can't open session file %s\n",
797 sess_in);
798 ERR_print_errors(bio_err);
799 goto end;
800 }
801 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
802 BIO_free(stmp);
803 if (!sess) {
804 BIO_printf(bio_err, "Can't open session file %s\n",
805 sess_in);
806 ERR_print_errors(bio_err);
807 goto end;
808 }
809 SSL_set_session(con, sess);
810 SSL_SESSION_free(sess);
811 }
812#ifndef OPENSSL_NO_TLSEXT
813 if (servername != NULL) {
814 if (!SSL_set_tlsext_host_name(con, servername)) {
815 BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
816 ERR_print_errors(bio_err);
817 goto end;
818 }
819 }
820#endif
821/* SSL_set_cipher_list(con,"RC4-MD5"); */
822
823re_start:
824
825 if (init_client(&s, host, port, socket_type, af) == 0) {
826 BIO_printf(bio_err, "connect:errno=%d\n", errno);
827 shutdown(s, SHUT_RD);
828 close(s);
829 goto end;
830 }
831 BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
832
833 if (c_nbio) {
834 unsigned long l = 1;
835 BIO_printf(bio_c_out, "turning on non blocking io\n");
836 if (BIO_socket_ioctl(s, FIONBIO, &l) < 0) {
837 ERR_print_errors(bio_err);
838 goto end;
839 }
840 }
841 if (c_Pause & 0x01)
842 SSL_set_debug(con, 1);
843
844 if (SSL_version(con) == DTLS1_VERSION) {
845
846 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
847 if (getsockname(s, &peer, (void *) &peerlen) < 0) {
848 BIO_printf(bio_err, "getsockname:errno=%d\n",
849 errno);
850 shutdown(s, SHUT_RD);
851 close(s);
852 goto end;
853 }
854 (void) BIO_ctrl_set_connected(sbio, 1, &peer);
855
856 if (enable_timeouts) {
857 timeout.tv_sec = 0;
858 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
859 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
860
861 timeout.tv_sec = 0;
862 timeout.tv_usec = DGRAM_SND_TIMEOUT;
863 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
864 }
865 if (socket_mtu > 28) {
866 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
867 SSL_set_mtu(con, socket_mtu - 28);
868 } else
869 /* want to do MTU discovery */
870 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
871 } else
872 sbio = BIO_new_socket(s, BIO_NOCLOSE);
873
874 if (nbio_test) {
875 BIO *test;
876
877 test = BIO_new(BIO_f_nbio_test());
878 sbio = BIO_push(test, sbio);
879 }
880 if (c_debug) {
881 SSL_set_debug(con, 1);
882 BIO_set_callback(sbio, bio_dump_callback);
883 BIO_set_callback_arg(sbio, (char *) bio_c_out);
884 }
885 if (c_msg) {
886 SSL_set_msg_callback(con, msg_cb);
887 SSL_set_msg_callback_arg(con, bio_c_out);
888 }
889#ifndef OPENSSL_NO_TLSEXT
890 if (c_tlsextdebug) {
891 SSL_set_tlsext_debug_callback(con, tlsext_cb);
892 SSL_set_tlsext_debug_arg(con, bio_c_out);
893 }
894 if (c_status_req) {
895 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
896 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
897 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
898 }
899#endif
900
901 SSL_set_bio(con, sbio, sbio);
902 SSL_set_connect_state(con);
903
904 /* ok, lets connect */
905 width = SSL_get_fd(con) + 1;
906
907 read_tty = 1;
908 write_tty = 0;
909 tty_on = 0;
910 read_ssl = 1;
911 write_ssl = 1;
912
913 cbuf_len = 0;
914 cbuf_off = 0;
915 sbuf_len = 0;
916 sbuf_off = 0;
917
918 /* This is an ugly hack that does a lot of assumptions */
919 /*
920 * We do have to handle multi-line responses which may come in a
921 * single packet or not. We therefore have to use BIO_gets() which
922 * does need a buffering BIO. So during the initial chitchat we do
923 * push a buffering BIO into the chain that is removed again later on
924 * to not disturb the rest of the s_client operation.
925 */
926 if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
927 int foundit = 0;
928 BIO *fbio = BIO_new(BIO_f_buffer());
929 BIO_push(fbio, sbio);
930 /* wait for multi-line response to end from SMTP */
931 do {
932 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
933 }
934 while (mbuf_len > 3 && mbuf[3] == '-');
935 /* STARTTLS command requires EHLO... */
936 BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
937 starttls_proto == PROTO_SMTP ? 'E' : 'L');
938 (void) BIO_flush(fbio);
939 /* wait for multi-line response to end EHLO SMTP response */
940 do {
941 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
942 if (strstr(mbuf, "STARTTLS"))
943 foundit = 1;
944 }
945 while (mbuf_len > 3 && mbuf[3] == '-');
946 (void) BIO_flush(fbio);
947 BIO_pop(fbio);
948 BIO_free(fbio);
949 if (!foundit)
950 BIO_printf(bio_err,
951 "didn't found starttls in server response,"
952 " try anyway...\n");
953 BIO_printf(sbio, "STARTTLS\r\n");
954 BIO_read(sbio, sbuf, BUFSIZZ);
955 } else if (starttls_proto == PROTO_POP3) {
956 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
957 if (mbuf_len == -1) {
958 BIO_printf(bio_err, "BIO_read failed\n");
959 goto end;
960 }
961 BIO_printf(sbio, "STLS\r\n");
962 BIO_read(sbio, sbuf, BUFSIZZ);
963 } else if (starttls_proto == PROTO_IMAP) {
964 int foundit = 0;
965 BIO *fbio = BIO_new(BIO_f_buffer());
966 BIO_push(fbio, sbio);
967 BIO_gets(fbio, mbuf, BUFSIZZ);
968 /* STARTTLS command requires CAPABILITY... */
969 BIO_printf(fbio, ". CAPABILITY\r\n");
970 (void) BIO_flush(fbio);
971 /* wait for multi-line CAPABILITY response */
972 do {
973 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
974 if (strstr(mbuf, "STARTTLS"))
975 foundit = 1;
976 }
977 while (mbuf_len > 3 && mbuf[0] != '.');
978 (void) BIO_flush(fbio);
979 BIO_pop(fbio);
980 BIO_free(fbio);
981 if (!foundit)
982 BIO_printf(bio_err,
983 "didn't found STARTTLS in server response,"
984 " try anyway...\n");
985 BIO_printf(sbio, ". STARTTLS\r\n");
986 BIO_read(sbio, sbuf, BUFSIZZ);
987 } else if (starttls_proto == PROTO_FTP) {
988 BIO *fbio = BIO_new(BIO_f_buffer());
989 BIO_push(fbio, sbio);
990 /* wait for multi-line response to end from FTP */
991 do {
992 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
993 }
994 while (mbuf_len > 3 && mbuf[3] == '-');
995 (void) BIO_flush(fbio);
996 BIO_pop(fbio);
997 BIO_free(fbio);
998 BIO_printf(sbio, "AUTH TLS\r\n");
999 BIO_read(sbio, sbuf, BUFSIZZ);
1000 }
1001 if (starttls_proto == PROTO_XMPP) {
1002 int seen = 0;
1003 BIO_printf(sbio, "<stream:stream "
1004 "xmlns:stream='http://etherx.jabber.org/streams' "
1005 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1006 seen = BIO_read(sbio, mbuf, BUFSIZZ);
1007 mbuf[seen] = 0;
1008 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
1009 if (strstr(mbuf, "/stream:features>"))
1010 goto shut;
1011 seen = BIO_read(sbio, mbuf, BUFSIZZ);
1012 mbuf[seen] = 0;
1013 }
1014 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1015 seen = BIO_read(sbio, sbuf, BUFSIZZ);
1016 sbuf[seen] = 0;
1017 if (!strstr(sbuf, "<proceed"))
1018 goto shut;
1019 mbuf[0] = 0;
1020 }
1021 for (;;) {
1022 FD_ZERO(&readfds);
1023 FD_ZERO(&writefds);
1024
1025 if ((SSL_version(con) == DTLS1_VERSION) &&
1026 DTLSv1_get_timeout(con, &timeout))
1027 timeoutp = &timeout;
1028 else
1029 timeoutp = NULL;
1030
1031 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) {
1032 in_init = 1;
1033 tty_on = 0;
1034 } else {
1035 tty_on = 1;
1036 if (in_init) {
1037 in_init = 0;
1038 if (sess_out) {
1039 BIO *stmp = BIO_new_file(sess_out, "w");
1040 if (stmp) {
1041 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1042 BIO_free(stmp);
1043 } else
1044 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1045 }
1046 print_stuff(bio_c_out, con, full_log);
1047 if (full_log > 0)
1048 full_log--;
1049
1050 if (starttls_proto) {
1051 BIO_write(bio_err, mbuf, mbuf_len);
1052 /* We don't need to know any more */
1053 starttls_proto = PROTO_OFF;
1054 }
1055 if (reconnect) {
1056 reconnect--;
1057 BIO_printf(bio_c_out, "drop connection and then reconnect\n");
1058 SSL_shutdown(con);
1059 SSL_set_connect_state(con);
1060 shutdown(SSL_get_fd(con), SHUT_RD);
1061 close(SSL_get_fd(con));
1062 goto re_start;
1063 }
1064 }
1065 }
1066
1067 ssl_pending = read_ssl && SSL_pending(con);
1068
1069 /* XXX should add tests for fd_set overflow */
1070
1071 if (!ssl_pending) {
1072 if (tty_on) {
1073 if (read_tty)
1074 FD_SET(fileno(stdin), &readfds);
1075 if (write_tty)
1076 FD_SET(fileno(stdout), &writefds);
1077 }
1078 if (read_ssl)
1079 FD_SET(SSL_get_fd(con), &readfds);
1080 if (write_ssl)
1081 FD_SET(SSL_get_fd(con), &writefds);
1082/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1083 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1084
1085 i = select(width, &readfds, &writefds,
1086 NULL, timeoutp);
1087 if (i < 0) {
1088 BIO_printf(bio_err, "bad select %d\n",
1089 errno);
1090 goto shut;
1091 /* goto end; */
1092 }
1093 }
1094 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) {
1095 BIO_printf(bio_err, "TIMEOUT occured\n");
1096 }
1097 if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) {
1098 k = SSL_write(con, &(cbuf[cbuf_off]),
1099 (unsigned int) cbuf_len);
1100 switch (SSL_get_error(con, k)) {
1101 case SSL_ERROR_NONE:
1102 cbuf_off += k;
1103 cbuf_len -= k;
1104 if (k <= 0)
1105 goto end;
1106 /* we have done a write(con,NULL,0); */
1107 if (cbuf_len <= 0) {
1108 read_tty = 1;
1109 write_ssl = 0;
1110 } else { /* if (cbuf_len > 0) */
1111 read_tty = 0;
1112 write_ssl = 1;
1113 }
1114 break;
1115 case SSL_ERROR_WANT_WRITE:
1116 BIO_printf(bio_c_out, "write W BLOCK\n");
1117 write_ssl = 1;
1118 read_tty = 0;
1119 break;
1120 case SSL_ERROR_WANT_READ:
1121 BIO_printf(bio_c_out, "write R BLOCK\n");
1122 write_tty = 0;
1123 read_ssl = 1;
1124 write_ssl = 0;
1125 break;
1126 case SSL_ERROR_WANT_X509_LOOKUP:
1127 BIO_printf(bio_c_out, "write X BLOCK\n");
1128 break;
1129 case SSL_ERROR_ZERO_RETURN:
1130 if (cbuf_len != 0) {
1131 BIO_printf(bio_c_out, "shutdown\n");
1132 ret = 0;
1133 goto shut;
1134 } else {
1135 read_tty = 1;
1136 write_ssl = 0;
1137 break;
1138 }
1139
1140 case SSL_ERROR_SYSCALL:
1141 if ((k != 0) || (cbuf_len != 0)) {
1142 BIO_printf(bio_err, "write:errno=%d\n",
1143 errno);
1144 goto shut;
1145 } else {
1146 read_tty = 1;
1147 write_ssl = 0;
1148 }
1149 break;
1150 case SSL_ERROR_SSL:
1151 ERR_print_errors(bio_err);
1152 goto shut;
1153 }
1154 } else if (!ssl_pending && FD_ISSET(fileno(stdout), &writefds)) {
1155 i = write(fileno(stdout), &(sbuf[sbuf_off]), sbuf_len);
1156
1157 if (i <= 0) {
1158 BIO_printf(bio_c_out, "DONE\n");
1159 ret = 0;
1160 goto shut;
1161 /* goto end; */
1162 }
1163 sbuf_len -= i;
1164 sbuf_off += i;
1165 if (sbuf_len <= 0) {
1166 read_ssl = 1;
1167 write_tty = 0;
1168 }
1169 } else if (ssl_pending || FD_ISSET(SSL_get_fd(con), &readfds)) {
1170#ifdef RENEG
1171 {
1172 static int iiii;
1173 if (++iiii == 52) {
1174 SSL_renegotiate(con);
1175 iiii = 0;
1176 }
1177 }
1178#endif
1179 k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
1180
1181 switch (SSL_get_error(con, k)) {
1182 case SSL_ERROR_NONE:
1183 if (k <= 0)
1184 goto end;
1185 sbuf_off = 0;
1186 sbuf_len = k;
1187
1188 read_ssl = 0;
1189 write_tty = 1;
1190 break;
1191 case SSL_ERROR_WANT_WRITE:
1192 BIO_printf(bio_c_out, "read W BLOCK\n");
1193 write_ssl = 1;
1194 read_tty = 0;
1195 break;
1196 case SSL_ERROR_WANT_READ:
1197 BIO_printf(bio_c_out, "read R BLOCK\n");
1198 write_tty = 0;
1199 read_ssl = 1;
1200 if ((read_tty == 0) && (write_ssl == 0))
1201 write_ssl = 1;
1202 break;
1203 case SSL_ERROR_WANT_X509_LOOKUP:
1204 BIO_printf(bio_c_out, "read X BLOCK\n");
1205 break;
1206 case SSL_ERROR_SYSCALL:
1207 ret = errno;
1208 BIO_printf(bio_err, "read:errno=%d\n", ret);
1209 goto shut;
1210 case SSL_ERROR_ZERO_RETURN:
1211 BIO_printf(bio_c_out, "closed\n");
1212 ret = 0;
1213 goto shut;
1214 case SSL_ERROR_SSL:
1215 ERR_print_errors(bio_err);
1216 goto shut;
1217 /* break; */
1218 }
1219 } else if (FD_ISSET(fileno(stdin), &readfds)) {
1220 if (crlf) {
1221 int j, lf_num;
1222
1223 i = read(fileno(stdin), cbuf, BUFSIZZ / 2);
1224 lf_num = 0;
1225 /* both loops are skipped when i <= 0 */
1226 for (j = 0; j < i; j++)
1227 if (cbuf[j] == '\n')
1228 lf_num++;
1229 for (j = i - 1; j >= 0; j--) {
1230 cbuf[j + lf_num] = cbuf[j];
1231 if (cbuf[j] == '\n') {
1232 lf_num--;
1233 i++;
1234 cbuf[j + lf_num] = '\r';
1235 }
1236 }
1237 assert(lf_num == 0);
1238 } else
1239 i = read(fileno(stdin), cbuf, BUFSIZZ);
1240
1241 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) {
1242 BIO_printf(bio_err, "DONE\n");
1243 ret = 0;
1244 goto shut;
1245 }
1246 if ((!c_ign_eof) && (cbuf[0] == 'R')) {
1247 BIO_printf(bio_err, "RENEGOTIATING\n");
1248 SSL_renegotiate(con);
1249 cbuf_len = 0;
1250 } else {
1251 cbuf_len = i;
1252 cbuf_off = 0;
1253 }
1254
1255 write_ssl = 1;
1256 read_tty = 0;
1257 }
1258 }
1259
1260 ret = 0;
1261shut:
1262 if (in_init)
1263 print_stuff(bio_c_out, con, full_log);
1264 SSL_shutdown(con);
1265 shutdown(SSL_get_fd(con), SHUT_RD);
1266 close(SSL_get_fd(con));
1267end:
1268 if (con != NULL) {
1269 if (prexit != 0)
1270 print_stuff(bio_c_out, con, 1);
1271 SSL_free(con);
1272 }
1273#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1274 free(next_proto.data);
1275#endif
1276 if (ctx != NULL)
1277 SSL_CTX_free(ctx);
1278 if (cert)
1279 X509_free(cert);
1280 if (key)
1281 EVP_PKEY_free(key);
1282 free(pass);
1283 if (vpm)
1284 X509_VERIFY_PARAM_free(vpm);
1285 if (cbuf != NULL) {
1286 OPENSSL_cleanse(cbuf, BUFSIZZ);
1287 free(cbuf);
1288 }
1289 if (sbuf != NULL) {
1290 OPENSSL_cleanse(sbuf, BUFSIZZ);
1291 free(sbuf);
1292 }
1293 if (mbuf != NULL) {
1294 OPENSSL_cleanse(mbuf, BUFSIZZ);
1295 free(mbuf);
1296 }
1297 if (bio_c_out != NULL) {
1298 BIO_free(bio_c_out);
1299 bio_c_out = NULL;
1300 }
1301
1302 return (ret);
1303}
1304
1305
1306static void
1307print_stuff(BIO * bio, SSL * s, int full)
1308{
1309 X509 *peer = NULL;
1310 char *p;
1311 static const char *space = " ";
1312 char buf[BUFSIZ];
1313 STACK_OF(X509) * sk;
1314 STACK_OF(X509_NAME) * sk2;
1315 const SSL_CIPHER *c;
1316 X509_NAME *xn;
1317 int j, i;
1318 unsigned char *exportedkeymat;
1319
1320 if (full) {
1321 int got_a_chain = 0;
1322
1323 sk = SSL_get_peer_cert_chain(s);
1324 if (sk != NULL) {
1325 got_a_chain = 1; /* we don't have it for SSL2
1326 * (yet) */
1327
1328 BIO_printf(bio, "---\nCertificate chain\n");
1329 for (i = 0; i < sk_X509_num(sk); i++) {
1330 X509_NAME_oneline(X509_get_subject_name(
1331 sk_X509_value(sk, i)), buf, sizeof buf);
1332 BIO_printf(bio, "%2d s:%s\n", i, buf);
1333 X509_NAME_oneline(X509_get_issuer_name(
1334 sk_X509_value(sk, i)), buf, sizeof buf);
1335 BIO_printf(bio, " i:%s\n", buf);
1336 if (c_showcerts)
1337 PEM_write_bio_X509(bio, sk_X509_value(sk, i));
1338 }
1339 }
1340 BIO_printf(bio, "---\n");
1341 peer = SSL_get_peer_certificate(s);
1342 if (peer != NULL) {
1343 BIO_printf(bio, "Server certificate\n");
1344 if (!(c_showcerts && got_a_chain)) /* Redundant if we
1345 * showed the whole
1346 * chain */
1347 PEM_write_bio_X509(bio, peer);
1348 X509_NAME_oneline(X509_get_subject_name(peer),
1349 buf, sizeof buf);
1350 BIO_printf(bio, "subject=%s\n", buf);
1351 X509_NAME_oneline(X509_get_issuer_name(peer),
1352 buf, sizeof buf);
1353 BIO_printf(bio, "issuer=%s\n", buf);
1354 } else
1355 BIO_printf(bio, "no peer certificate available\n");
1356
1357 sk2 = SSL_get_client_CA_list(s);
1358 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
1359 BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
1360 for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
1361 xn = sk_X509_NAME_value(sk2, i);
1362 X509_NAME_oneline(xn, buf, sizeof(buf));
1363 BIO_write(bio, buf, strlen(buf));
1364 BIO_write(bio, "\n", 1);
1365 }
1366 } else {
1367 BIO_printf(bio, "---\nNo client certificate CA names sent\n");
1368 }
1369 p = SSL_get_shared_ciphers(s, buf, sizeof buf);
1370 if (p != NULL) {
1371 /*
1372 * This works only for SSL 2. In later protocol
1373 * versions, the client does not know what other
1374 * ciphers (in addition to the one to be used in the
1375 * current connection) the server supports.
1376 */
1377
1378 BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n");
1379 j = i = 0;
1380 while (*p) {
1381 if (*p == ':') {
1382 BIO_write(bio, space, 15 - j % 25);
1383 i++;
1384 j = 0;
1385 BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
1386 } else {
1387 BIO_write(bio, p, 1);
1388 j++;
1389 }
1390 p++;
1391 }
1392 BIO_write(bio, "\n", 1);
1393 }
1394 BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1395 BIO_number_read(SSL_get_rbio(s)),
1396 BIO_number_written(SSL_get_wbio(s)));
1397 }
1398 BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
1399 c = SSL_get_current_cipher(s);
1400 BIO_printf(bio, "%s, Cipher is %s\n",
1401 SSL_CIPHER_get_version(c),
1402 SSL_CIPHER_get_name(c));
1403 if (peer != NULL) {
1404 EVP_PKEY *pktmp;
1405 pktmp = X509_get_pubkey(peer);
1406 BIO_printf(bio, "Server public key is %d bit\n",
1407 EVP_PKEY_bits(pktmp));
1408 EVP_PKEY_free(pktmp);
1409 }
1410 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1411 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
1412
1413 /* Compression is not supported and will always be none. */
1414 BIO_printf(bio, "Compression: NONE\n");
1415 BIO_printf(bio, "Expansion: NONE\n");
1416
1417#ifdef SSL_DEBUG
1418 {
1419 /* Print out local port of connection: useful for debugging */
1420 int sock;
1421 struct sockaddr_in ladd;
1422 socklen_t ladd_size = sizeof(ladd);
1423 sock = SSL_get_fd(s);
1424 getsockname(sock, (struct sockaddr *) & ladd, &ladd_size);
1425 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
1426 }
1427#endif
1428
1429#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1430 if (next_proto.status != -1) {
1431 const unsigned char *proto;
1432 unsigned int proto_len;
1433 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
1434 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
1435 BIO_write(bio, proto, proto_len);
1436 BIO_write(bio, "\n", 1);
1437 }
1438#endif
1439
1440#ifndef OPENSSL_NO_SRTP
1441 {
1442 SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s);
1443
1444 if (srtp_profile)
1445 BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
1446 srtp_profile->name);
1447 }
1448#endif
1449
1450 SSL_SESSION_print(bio, SSL_get_session(s));
1451 if (keymatexportlabel != NULL) {
1452 BIO_printf(bio, "Keying material exporter:\n");
1453 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
1454 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
1455 exportedkeymat = malloc(keymatexportlen);
1456 if (exportedkeymat != NULL) {
1457 if (!SSL_export_keying_material(s, exportedkeymat,
1458 keymatexportlen,
1459 keymatexportlabel,
1460 strlen(keymatexportlabel),
1461 NULL, 0, 0)) {
1462 BIO_printf(bio, " Error\n");
1463 } else {
1464 BIO_printf(bio, " Keying material: ");
1465 for (i = 0; i < keymatexportlen; i++)
1466 BIO_printf(bio, "%02X",
1467 exportedkeymat[i]);
1468 BIO_printf(bio, "\n");
1469 }
1470 free(exportedkeymat);
1471 }
1472 }
1473 BIO_printf(bio, "---\n");
1474 if (peer != NULL)
1475 X509_free(peer);
1476 /* flush, or debugging output gets mixed with http response */
1477 (void) BIO_flush(bio);
1478}
1479
1480#ifndef OPENSSL_NO_TLSEXT
1481
1482static int
1483ocsp_resp_cb(SSL * s, void *arg)
1484{
1485 const unsigned char *p;
1486 int len;
1487 OCSP_RESPONSE *rsp;
1488 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1489 BIO_puts(arg, "OCSP response: ");
1490 if (!p) {
1491 BIO_puts(arg, "no response sent\n");
1492 return 1;
1493 }
1494 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1495 if (!rsp) {
1496 BIO_puts(arg, "response parse error\n");
1497 BIO_dump_indent(arg, (char *) p, len, 4);
1498 return 0;
1499 }
1500 BIO_puts(arg, "\n======================================\n");
1501 OCSP_RESPONSE_print(arg, rsp, 0);
1502 BIO_puts(arg, "======================================\n");
1503 OCSP_RESPONSE_free(rsp);
1504 return 1;
1505}
1506
1507#endif
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
deleted file mode 100644
index c986ebcb3e..0000000000
--- a/src/lib/libssl/src/apps/s_server.c
+++ /dev/null
@@ -1,2154 +0,0 @@
1/* $OpenBSD: s_server.c,v 1.63 2014/08/24 16:07:29 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143/* Until the key-gen callbacks are modified to use newer prototypes, we allow
144 * deprecated functions for openssl-internal code */
145#ifdef OPENSSL_NO_DEPRECATED
146#undef OPENSSL_NO_DEPRECATED
147#endif
148
149#include <sys/types.h>
150#include <sys/ioctl.h>
151#include <sys/select.h>
152#include <sys/socket.h>
153
154#include <assert.h>
155#include <ctype.h>
156#include <stdio.h>
157#include <stdlib.h>
158#include <limits.h>
159#include <string.h>
160#include <unistd.h>
161
162#include "apps.h"
163
164#include <openssl/bn.h>
165#include <openssl/err.h>
166#include <openssl/lhash.h>
167#include <openssl/ocsp.h>
168#include <openssl/pem.h>
169#include <openssl/rand.h>
170#include <openssl/ssl.h>
171#include <openssl/x509.h>
172
173#ifndef OPENSSL_NO_DH
174#include <openssl/dh.h>
175#endif
176
177#include <openssl/rsa.h>
178
179#include "s_apps.h"
180#include "timeouts.h"
181
182static RSA *tmp_rsa_cb(SSL * s, int is_export, int keylength);
183static int sv_body(char *hostname, int s, unsigned char *context);
184static int www_body(char *hostname, int s, unsigned char *context);
185static void close_accept_socket(void);
186static void sv_usage(void);
187static int init_ssl_connection(SSL * s);
188static void print_stats(BIO * bp, SSL_CTX * ctx);
189static int
190generate_session_id(const SSL * ssl, unsigned char *id,
191 unsigned int *id_len);
192#ifndef OPENSSL_NO_DH
193static DH *load_dh_param(const char *dhfile);
194static DH *get_dh512(void);
195#endif
196
197static void s_server_init(void);
198
199#ifndef OPENSSL_NO_DH
200static unsigned char dh512_p[] = {
201 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
202 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
203 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
204 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
205 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
206 0x47, 0x74, 0xE8, 0x33,
207};
208static unsigned char dh512_g[] = {
209 0x02,
210};
211
212static DH *
213get_dh512(void)
214{
215 DH *dh = NULL;
216
217 if ((dh = DH_new()) == NULL)
218 return (NULL);
219 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
220 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
221 if ((dh->p == NULL) || (dh->g == NULL))
222 return (NULL);
223 return (dh);
224}
225#endif
226
227
228/* static int load_CA(SSL_CTX *ctx, char *file);*/
229
230#define BUFSIZZ 16*1024
231static int bufsize = BUFSIZZ;
232static int accept_socket = -1;
233
234#define TEST_CERT "server.pem"
235#ifndef OPENSSL_NO_TLSEXT
236#define TEST_CERT2 "server2.pem"
237#endif
238
239extern int verify_depth, verify_return_error;
240
241static char *cipher = NULL;
242static int s_server_verify = SSL_VERIFY_NONE;
243static int s_server_session_id_context = 1; /* anything will do */
244static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
245#ifndef OPENSSL_NO_TLSEXT
246static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
247#endif
248static char *s_dcert_file = NULL, *s_dkey_file = NULL;
249static int s_nbio = 0;
250static int s_nbio_test = 0;
251int s_crlf = 0;
252static SSL_CTX *ctx = NULL;
253#ifndef OPENSSL_NO_TLSEXT
254static SSL_CTX *ctx2 = NULL;
255#endif
256static int www = 0;
257
258static BIO *bio_s_out = NULL;
259static int s_debug = 0;
260#ifndef OPENSSL_NO_TLSEXT
261static int s_tlsextdebug = 0;
262static int s_tlsextstatus = 0;
263static int cert_status_cb(SSL * s, void *arg);
264#endif
265static int s_msg = 0;
266static int s_quiet = 0;
267
268static char *keymatexportlabel = NULL;
269static int keymatexportlen = 20;
270
271static int hack = 0;
272#ifndef OPENSSL_NO_ENGINE
273static char *engine_id = NULL;
274#endif
275static const char *session_id_prefix = NULL;
276
277static int enable_timeouts = 0;
278static long socket_mtu;
279#ifndef OPENSSL_NO_DTLS1
280static int cert_chain = 0;
281#endif
282
283
284
285
286static void
287s_server_init(void)
288{
289 accept_socket = -1;
290 cipher = NULL;
291 s_server_verify = SSL_VERIFY_NONE;
292 s_dcert_file = NULL;
293 s_dkey_file = NULL;
294 s_cert_file = TEST_CERT;
295 s_key_file = NULL;
296#ifndef OPENSSL_NO_TLSEXT
297 s_cert_file2 = TEST_CERT2;
298 s_key_file2 = NULL;
299 ctx2 = NULL;
300#endif
301 s_nbio = 0;
302 s_nbio_test = 0;
303 ctx = NULL;
304 www = 0;
305
306 bio_s_out = NULL;
307 s_debug = 0;
308 s_msg = 0;
309 s_quiet = 0;
310 hack = 0;
311#ifndef OPENSSL_NO_ENGINE
312 engine_id = NULL;
313#endif
314}
315
316static void
317sv_usage(void)
318{
319 BIO_printf(bio_err, "usage: s_server [args ...]\n");
320 BIO_printf(bio_err, "\n");
321 BIO_printf(bio_err, " -accept arg - port to accept on (default is %d)\n", PORT);
322 BIO_printf(bio_err, " -context arg - set session ID context\n");
323 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n");
324 BIO_printf(bio_err, " -Verify arg - turn on peer certificate verification, must have a cert.\n");
325 BIO_printf(bio_err, " -cert arg - certificate file to use\n");
326 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT);
327 BIO_printf(bio_err, " -crl_check - check the peer certificate has not been revoked by its CA.\n" \
328 " The CRL(s) are appended to the certificate file\n");
329 BIO_printf(bio_err, " -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
330 " or any other CRL in the CA chain. CRL(s) are appended to the\n" \
331 " the certificate file.\n");
332 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
333 BIO_printf(bio_err, " -key arg - Private Key file to use, in cert file if\n");
334 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT);
335 BIO_printf(bio_err, " -keyform arg - key format (PEM, DER or ENGINE) PEM default\n");
336 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n");
337 BIO_printf(bio_err, " -dcert arg - second certificate file to use (usually for DSA)\n");
338 BIO_printf(bio_err, " -dcertform x - second certificate format (PEM or DER) PEM default\n");
339 BIO_printf(bio_err, " -dkey arg - second private key file to use (usually for DSA)\n");
340 BIO_printf(bio_err, " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
341 BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n");
342 BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n");
343 BIO_printf(bio_err, " or a default set of parameters is used\n");
344 BIO_printf(bio_err, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
345 " Use \"openssl ecparam -list_curves\" for all names\n" \
346 " (default is nistp256).\n");
347 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
348 BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n");
349 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n");
350 BIO_printf(bio_err, " -debug - Print more output\n");
351 BIO_printf(bio_err, " -msg - Show protocol messages\n");
352 BIO_printf(bio_err, " -state - Print the SSL states\n");
353 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
354 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
355 BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n");
356 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
357 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
358 BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n");
359 BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
360 BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
361 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
362 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
363 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
364 BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n");
365 BIO_printf(bio_err, " -timeout - Enable timeouts\n");
366 BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
367 BIO_printf(bio_err, " -chain - Read a certificate chain\n");
368 BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
369 BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
370 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
371 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
372 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
373#ifndef OPENSSL_NO_DH
374 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
375#endif
376 BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
377 BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
378 BIO_printf(bio_err, " -www - Respond to a 'GET /' with a status page\n");
379 BIO_printf(bio_err, " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
380 BIO_printf(bio_err, " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
381 BIO_printf(bio_err, " with the assumption it contains a complete HTTP response.\n");
382#ifndef OPENSSL_NO_ENGINE
383 BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
384#endif
385 BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
386#ifndef OPENSSL_NO_TLSEXT
387 BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
388 BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
389 BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n");
390 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2);
391 BIO_printf(bio_err, " -key2 arg - Private Key file to use for servername, in cert file if\n");
392 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
393 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
394 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
395#ifndef OPENSSL_NO_NEXTPROTONEG
396 BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
397#endif
398#ifndef OPENSSL_NO_SRTP
399 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
400#endif
401#endif
402 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n");
403 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n");
404}
405
406static int local_argc = 0;
407static char **local_argv;
408
409#ifndef OPENSSL_NO_TLSEXT
410
411/* This is a context that we pass to callbacks */
412typedef struct tlsextctx_st {
413 char *servername;
414 BIO *biodebug;
415 int extension_error;
416} tlsextctx;
417
418
419static int
420ssl_servername_cb(SSL * s, int *ad, void *arg)
421{
422 tlsextctx *p = (tlsextctx *) arg;
423 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
424 if (servername && p->biodebug)
425 BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", servername);
426
427 if (!p->servername)
428 return SSL_TLSEXT_ERR_NOACK;
429
430 if (servername) {
431 if (strcmp(servername, p->servername))
432 return p->extension_error;
433 if (ctx2) {
434 BIO_printf(p->biodebug, "Switching server context.\n");
435 SSL_set_SSL_CTX(s, ctx2);
436 }
437 }
438 return SSL_TLSEXT_ERR_OK;
439}
440
441/* Structure passed to cert status callback */
442
443typedef struct tlsextstatusctx_st {
444 /* Default responder to use */
445 char *host, *path, *port;
446 int use_ssl;
447 int timeout;
448 BIO *err;
449 int verbose;
450} tlsextstatusctx;
451
452static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
453
454/* Certificate Status callback. This is called when a client includes a
455 * certificate status request extension.
456 *
457 * This is a simplified version. It examines certificates each time and
458 * makes one OCSP responder query for each request.
459 *
460 * A full version would store details such as the OCSP certificate IDs and
461 * minimise the number of OCSP responses by caching them until they were
462 * considered "expired".
463 */
464
465static int
466cert_status_cb(SSL * s, void *arg)
467{
468 tlsextstatusctx *srctx = arg;
469 BIO *err = srctx->err;
470 char *host, *port, *path;
471 int use_ssl;
472 unsigned char *rspder = NULL;
473 int rspderlen;
474 STACK_OF(OPENSSL_STRING) * aia = NULL;
475 X509 *x = NULL;
476 X509_STORE_CTX inctx;
477 X509_OBJECT obj;
478 OCSP_REQUEST *req = NULL;
479 OCSP_RESPONSE *resp = NULL;
480 OCSP_CERTID *id = NULL;
481 STACK_OF(X509_EXTENSION) * exts;
482 int ret = SSL_TLSEXT_ERR_NOACK;
483 int i;
484
485 if (srctx->verbose)
486 BIO_puts(err, "cert_status: callback called\n");
487 /* Build up OCSP query from server certificate */
488 x = SSL_get_certificate(s);
489 aia = X509_get1_ocsp(x);
490 if (aia) {
491 if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
492 &host, &port, &path, &use_ssl)) {
493 BIO_puts(err, "cert_status: can't parse AIA URL\n");
494 goto err;
495 }
496 if (srctx->verbose)
497 BIO_printf(err, "cert_status: AIA URL: %s\n",
498 sk_OPENSSL_STRING_value(aia, 0));
499 } else {
500 if (!srctx->host) {
501 BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
502 goto done;
503 }
504 host = srctx->host;
505 path = srctx->path;
506 port = srctx->port;
507 use_ssl = srctx->use_ssl;
508 }
509
510 if (!X509_STORE_CTX_init(&inctx,
511 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
512 NULL, NULL))
513 goto err;
514 if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
515 X509_get_issuer_name(x), &obj) <= 0) {
516 BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
517 X509_STORE_CTX_cleanup(&inctx);
518 goto done;
519 }
520 req = OCSP_REQUEST_new();
521 if (!req)
522 goto err;
523 id = OCSP_cert_to_id(NULL, x, obj.data.x509);
524 X509_free(obj.data.x509);
525 X509_STORE_CTX_cleanup(&inctx);
526 if (!id)
527 goto err;
528 if (!OCSP_request_add0_id(req, id))
529 goto err;
530 id = NULL;
531 /* Add any extensions to the request */
532 SSL_get_tlsext_status_exts(s, &exts);
533 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
534 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
535 if (!OCSP_REQUEST_add_ext(req, ext, -1))
536 goto err;
537 }
538 resp = process_responder(err, req, host, path, port, use_ssl, NULL,
539 srctx->timeout);
540 if (!resp) {
541 BIO_puts(err, "cert_status: error querying responder\n");
542 goto done;
543 }
544 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
545 if (rspderlen <= 0)
546 goto err;
547 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
548 if (srctx->verbose) {
549 BIO_puts(err, "cert_status: ocsp response sent:\n");
550 OCSP_RESPONSE_print(err, resp, 2);
551 }
552 ret = SSL_TLSEXT_ERR_OK;
553done:
554 if (ret != SSL_TLSEXT_ERR_OK)
555 ERR_print_errors(err);
556 if (aia) {
557 free(host);
558 free(path);
559 free(port);
560 X509_email_free(aia);
561 }
562 if (id)
563 OCSP_CERTID_free(id);
564 if (req)
565 OCSP_REQUEST_free(req);
566 if (resp)
567 OCSP_RESPONSE_free(resp);
568 return ret;
569err:
570 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
571 goto done;
572}
573
574#ifndef OPENSSL_NO_NEXTPROTONEG
575/* This is the context that we pass to next_proto_cb */
576typedef struct tlsextnextprotoctx_st {
577 unsigned char *data;
578 unsigned int len;
579} tlsextnextprotoctx;
580
581static int
582next_proto_cb(SSL * s, const unsigned char **data, unsigned int *len, void *arg)
583{
584 tlsextnextprotoctx *next_proto = arg;
585
586 *data = next_proto->data;
587 *len = next_proto->len;
588
589 return SSL_TLSEXT_ERR_OK;
590}
591#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
592
593
594#endif
595
596int s_server_main(int, char **);
597
598#ifndef OPENSSL_NO_SRTP
599static char *srtp_profiles = NULL;
600#endif
601
602int
603s_server_main(int argc, char *argv[])
604{
605 X509_VERIFY_PARAM *vpm = NULL;
606 int badarg = 0;
607 short port = PORT;
608 char *CApath = NULL, *CAfile = NULL;
609 unsigned char *context = NULL;
610 char *dhfile = NULL;
611 char *named_curve = NULL;
612 int badop = 0, bugs = 0;
613 int ret = 1;
614 int off = 0;
615 int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
616 int state = 0;
617 const SSL_METHOD *meth = NULL;
618 int socket_type = SOCK_STREAM;
619 ENGINE *e = NULL;
620 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
621 char *passarg = NULL, *pass = NULL;
622 char *dpassarg = NULL, *dpass = NULL;
623 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
624 X509 *s_cert = NULL, *s_dcert = NULL;
625 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
626 int no_cache = 0;
627 const char *errstr = NULL;
628#ifndef OPENSSL_NO_TLSEXT
629 EVP_PKEY *s_key2 = NULL;
630 X509 *s_cert2 = NULL;
631 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
632#ifndef OPENSSL_NO_NEXTPROTONEG
633 const char *next_proto_neg_in = NULL;
634 tlsextnextprotoctx next_proto;
635#endif
636#endif
637 meth = SSLv23_server_method();
638
639 local_argc = argc;
640 local_argv = argv;
641
642 s_server_init();
643
644 verify_depth = 0;
645 s_nbio = 0;
646 s_nbio_test = 0;
647
648 argc--;
649 argv++;
650
651 while (argc >= 1) {
652 if ((strcmp(*argv, "-port") == 0) ||
653 (strcmp(*argv, "-accept") == 0)) {
654 if (--argc < 1)
655 goto bad;
656 if (!extract_port(*(++argv), &port))
657 goto bad;
658 } else if (strcmp(*argv, "-verify") == 0) {
659 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
660 if (--argc < 1)
661 goto bad;
662 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
663 if (errstr)
664 goto bad;
665 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
666 } else if (strcmp(*argv, "-Verify") == 0) {
667 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
668 SSL_VERIFY_CLIENT_ONCE;
669 if (--argc < 1)
670 goto bad;
671 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
672 if (errstr)
673 goto bad;
674 BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", verify_depth);
675 } else if (strcmp(*argv, "-context") == 0) {
676 if (--argc < 1)
677 goto bad;
678 context = (unsigned char *) *(++argv);
679 } else if (strcmp(*argv, "-cert") == 0) {
680 if (--argc < 1)
681 goto bad;
682 s_cert_file = *(++argv);
683 } else if (strcmp(*argv, "-certform") == 0) {
684 if (--argc < 1)
685 goto bad;
686 s_cert_format = str2fmt(*(++argv));
687 } else if (strcmp(*argv, "-key") == 0) {
688 if (--argc < 1)
689 goto bad;
690 s_key_file = *(++argv);
691 } else if (strcmp(*argv, "-keyform") == 0) {
692 if (--argc < 1)
693 goto bad;
694 s_key_format = str2fmt(*(++argv));
695 } else if (strcmp(*argv, "-pass") == 0) {
696 if (--argc < 1)
697 goto bad;
698 passarg = *(++argv);
699 } else if (strcmp(*argv, "-dhparam") == 0) {
700 if (--argc < 1)
701 goto bad;
702 dhfile = *(++argv);
703 }
704 else if (strcmp(*argv, "-named_curve") == 0) {
705 if (--argc < 1)
706 goto bad;
707 named_curve = *(++argv);
708 }
709 else if (strcmp(*argv, "-dcertform") == 0) {
710 if (--argc < 1)
711 goto bad;
712 s_dcert_format = str2fmt(*(++argv));
713 } else if (strcmp(*argv, "-dcert") == 0) {
714 if (--argc < 1)
715 goto bad;
716 s_dcert_file = *(++argv);
717 } else if (strcmp(*argv, "-dkeyform") == 0) {
718 if (--argc < 1)
719 goto bad;
720 s_dkey_format = str2fmt(*(++argv));
721 } else if (strcmp(*argv, "-dpass") == 0) {
722 if (--argc < 1)
723 goto bad;
724 dpassarg = *(++argv);
725 } else if (strcmp(*argv, "-dkey") == 0) {
726 if (--argc < 1)
727 goto bad;
728 s_dkey_file = *(++argv);
729 } else if (strcmp(*argv, "-nocert") == 0) {
730 nocert = 1;
731 } else if (strcmp(*argv, "-CApath") == 0) {
732 if (--argc < 1)
733 goto bad;
734 CApath = *(++argv);
735 } else if (strcmp(*argv, "-no_cache") == 0)
736 no_cache = 1;
737 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
738 if (badarg)
739 goto bad;
740 continue;
741 } else if (strcmp(*argv, "-verify_return_error") == 0)
742 verify_return_error = 1;
743 else if (strcmp(*argv, "-serverpref") == 0) {
744 off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
745 } else if (strcmp(*argv, "-legacy_renegotiation") == 0)
746 ; /* no-op */
747 else if (strcmp(*argv, "-cipher") == 0) {
748 if (--argc < 1)
749 goto bad;
750 cipher = *(++argv);
751 } else if (strcmp(*argv, "-CAfile") == 0) {
752 if (--argc < 1)
753 goto bad;
754 CAfile = *(++argv);
755 }
756 else if (strcmp(*argv, "-nbio") == 0) {
757 s_nbio = 1;
758 }
759 else if (strcmp(*argv, "-nbio_test") == 0) {
760 s_nbio = 1;
761 s_nbio_test = 1;
762 } else if (strcmp(*argv, "-debug") == 0) {
763 s_debug = 1;
764 }
765#ifndef OPENSSL_NO_TLSEXT
766 else if (strcmp(*argv, "-tlsextdebug") == 0)
767 s_tlsextdebug = 1;
768 else if (strcmp(*argv, "-status") == 0)
769 s_tlsextstatus = 1;
770 else if (strcmp(*argv, "-status_verbose") == 0) {
771 s_tlsextstatus = 1;
772 tlscstatp.verbose = 1;
773 } else if (!strcmp(*argv, "-status_timeout")) {
774 s_tlsextstatus = 1;
775 if (--argc < 1)
776 goto bad;
777 tlscstatp.timeout = strtonum(*(++argv), 0, INT_MAX, &errstr);
778 if (errstr)
779 goto bad;
780 } else if (!strcmp(*argv, "-status_url")) {
781 s_tlsextstatus = 1;
782 if (--argc < 1)
783 goto bad;
784 if (!OCSP_parse_url(*(++argv),
785 &tlscstatp.host,
786 &tlscstatp.port,
787 &tlscstatp.path,
788 &tlscstatp.use_ssl)) {
789 BIO_printf(bio_err, "Error parsing URL\n");
790 goto bad;
791 }
792 }
793#endif
794 else if (strcmp(*argv, "-msg") == 0) {
795 s_msg = 1;
796 } else if (strcmp(*argv, "-hack") == 0) {
797 hack = 1;
798 } else if (strcmp(*argv, "-state") == 0) {
799 state = 1;
800 } else if (strcmp(*argv, "-crlf") == 0) {
801 s_crlf = 1;
802 } else if (strcmp(*argv, "-quiet") == 0) {
803 s_quiet = 1;
804 } else if (strcmp(*argv, "-bugs") == 0) {
805 bugs = 1;
806 } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
807 no_tmp_rsa = 1;
808 } else if (strcmp(*argv, "-no_dhe") == 0) {
809 no_dhe = 1;
810 } else if (strcmp(*argv, "-no_ecdhe") == 0) {
811 no_ecdhe = 1;
812 }
813 else if (strcmp(*argv, "-www") == 0) {
814 www = 1;
815 } else if (strcmp(*argv, "-WWW") == 0) {
816 www = 2;
817 } else if (strcmp(*argv, "-HTTP") == 0) {
818 www = 3;
819 } else if (strcmp(*argv, "-no_ssl2") == 0) {
820 off |= SSL_OP_NO_SSLv2;
821 } else if (strcmp(*argv, "-no_ssl3") == 0) {
822 off |= SSL_OP_NO_SSLv3;
823 } else if (strcmp(*argv, "-no_tls1") == 0) {
824 off |= SSL_OP_NO_TLSv1;
825 } else if (strcmp(*argv, "-no_tls1_1") == 0) {
826 off |= SSL_OP_NO_TLSv1_1;
827 } else if (strcmp(*argv, "-no_tls1_2") == 0) {
828 off |= SSL_OP_NO_TLSv1_2;
829 } else if (strcmp(*argv, "-no_comp") == 0) {
830 off |= SSL_OP_NO_COMPRESSION;
831 }
832#ifndef OPENSSL_NO_TLSEXT
833 else if (strcmp(*argv, "-no_ticket") == 0) {
834 off |= SSL_OP_NO_TICKET;
835 }
836#endif
837 else if (strcmp(*argv, "-ssl3") == 0) {
838 meth = SSLv3_server_method();
839 } else if (strcmp(*argv, "-tls1") == 0) {
840 meth = TLSv1_server_method();
841 } else if (strcmp(*argv, "-tls1_1") == 0) {
842 meth = TLSv1_1_server_method();
843 } else if (strcmp(*argv, "-tls1_2") == 0) {
844 meth = TLSv1_2_server_method();
845 }
846#ifndef OPENSSL_NO_DTLS1
847 else if (strcmp(*argv, "-dtls1") == 0) {
848 meth = DTLSv1_server_method();
849 socket_type = SOCK_DGRAM;
850 } else if (strcmp(*argv, "-timeout") == 0)
851 enable_timeouts = 1;
852 else if (strcmp(*argv, "-mtu") == 0) {
853 if (--argc < 1)
854 goto bad;
855 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr);
856 if (errstr)
857 goto bad;
858 } else if (strcmp(*argv, "-chain") == 0)
859 cert_chain = 1;
860#endif
861 else if (strcmp(*argv, "-id_prefix") == 0) {
862 if (--argc < 1)
863 goto bad;
864 session_id_prefix = *(++argv);
865 }
866#ifndef OPENSSL_NO_ENGINE
867 else if (strcmp(*argv, "-engine") == 0) {
868 if (--argc < 1)
869 goto bad;
870 engine_id = *(++argv);
871 }
872#endif
873#ifndef OPENSSL_NO_TLSEXT
874 else if (strcmp(*argv, "-servername") == 0) {
875 if (--argc < 1)
876 goto bad;
877 tlsextcbp.servername = *(++argv);
878 } else if (strcmp(*argv, "-servername_fatal") == 0) {
879 tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
880 } else if (strcmp(*argv, "-cert2") == 0) {
881 if (--argc < 1)
882 goto bad;
883 s_cert_file2 = *(++argv);
884 } else if (strcmp(*argv, "-key2") == 0) {
885 if (--argc < 1)
886 goto bad;
887 s_key_file2 = *(++argv);
888 }
889#ifndef OPENSSL_NO_NEXTPROTONEG
890 else if (strcmp(*argv, "-nextprotoneg") == 0) {
891 if (--argc < 1)
892 goto bad;
893 next_proto_neg_in = *(++argv);
894 }
895#endif
896#endif
897#ifndef OPENSSL_NO_SRTP
898 else if (strcmp(*argv, "-use_srtp") == 0) {
899 if (--argc < 1)
900 goto bad;
901 srtp_profiles = *(++argv);
902 }
903#endif
904 else if (strcmp(*argv, "-keymatexport") == 0) {
905 if (--argc < 1)
906 goto bad;
907 keymatexportlabel = *(++argv);
908 } else if (strcmp(*argv, "-keymatexportlen") == 0) {
909 if (--argc < 1)
910 goto bad;
911 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr);
912 if (errstr)
913 goto bad;
914 } else {
915 BIO_printf(bio_err, "unknown option %s\n", *argv);
916 badop = 1;
917 break;
918 }
919 argc--;
920 argv++;
921 }
922 if (badop) {
923bad:
924 if (errstr)
925 BIO_printf(bio_err, "invalid argument %s: %s\n",
926 *argv, errstr);
927 else
928 sv_usage();
929 goto end;
930 }
931
932#ifndef OPENSSL_NO_ENGINE
933 e = setup_engine(bio_err, engine_id, 1);
934#endif
935
936 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
937 BIO_printf(bio_err, "Error getting password\n");
938 goto end;
939 }
940 if (s_key_file == NULL)
941 s_key_file = s_cert_file;
942#ifndef OPENSSL_NO_TLSEXT
943 if (s_key_file2 == NULL)
944 s_key_file2 = s_cert_file2;
945#endif
946
947 if (nocert == 0) {
948 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
949 "server certificate private key file");
950 if (!s_key) {
951 ERR_print_errors(bio_err);
952 goto end;
953 }
954 s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
955 NULL, e, "server certificate file");
956
957 if (!s_cert) {
958 ERR_print_errors(bio_err);
959 goto end;
960 }
961#ifndef OPENSSL_NO_TLSEXT
962 if (tlsextcbp.servername) {
963 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
964 "second server certificate private key file");
965 if (!s_key2) {
966 ERR_print_errors(bio_err);
967 goto end;
968 }
969 s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
970 NULL, e, "second server certificate file");
971
972 if (!s_cert2) {
973 ERR_print_errors(bio_err);
974 goto end;
975 }
976 }
977#endif
978 }
979#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
980 if (next_proto_neg_in) {
981 unsigned short len;
982 next_proto.data = next_protos_parse(&len, next_proto_neg_in);
983 if (next_proto.data == NULL)
984 goto end;
985 next_proto.len = len;
986 } else {
987 next_proto.data = NULL;
988 }
989#endif
990
991
992 if (s_dcert_file) {
993
994 if (s_dkey_file == NULL)
995 s_dkey_file = s_dcert_file;
996
997 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
998 0, dpass, e,
999 "second certificate private key file");
1000 if (!s_dkey) {
1001 ERR_print_errors(bio_err);
1002 goto end;
1003 }
1004 s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
1005 NULL, e, "second server certificate file");
1006
1007 if (!s_dcert) {
1008 ERR_print_errors(bio_err);
1009 goto end;
1010 }
1011 }
1012 if (bio_s_out == NULL) {
1013 if (s_quiet && !s_debug && !s_msg) {
1014 bio_s_out = BIO_new(BIO_s_null());
1015 } else {
1016 if (bio_s_out == NULL)
1017 bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
1018 }
1019 }
1020 if (nocert)
1021 {
1022 s_cert_file = NULL;
1023 s_key_file = NULL;
1024 s_dcert_file = NULL;
1025 s_dkey_file = NULL;
1026#ifndef OPENSSL_NO_TLSEXT
1027 s_cert_file2 = NULL;
1028 s_key_file2 = NULL;
1029#endif
1030 }
1031 ctx = SSL_CTX_new(meth);
1032 if (ctx == NULL) {
1033 ERR_print_errors(bio_err);
1034 goto end;
1035 }
1036 if (session_id_prefix) {
1037 if (strlen(session_id_prefix) >= 32)
1038 BIO_printf(bio_err,
1039 "warning: id_prefix is too long, only one new session will be possible\n");
1040 else if (strlen(session_id_prefix) >= 16)
1041 BIO_printf(bio_err,
1042 "warning: id_prefix is too long if you use SSLv2\n");
1043 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1044 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1045 ERR_print_errors(bio_err);
1046 goto end;
1047 }
1048 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1049 }
1050 SSL_CTX_set_quiet_shutdown(ctx, 1);
1051 if (bugs)
1052 SSL_CTX_set_options(ctx, SSL_OP_ALL);
1053 if (hack)
1054 SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1055 SSL_CTX_set_options(ctx, off);
1056 /*
1057 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
1058 * read ahead solves this problem.
1059 */
1060 if (socket_type == SOCK_DGRAM)
1061 SSL_CTX_set_read_ahead(ctx, 1);
1062
1063 if (state)
1064 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1065 if (no_cache)
1066 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1067 else
1068 SSL_CTX_sess_set_cache_size(ctx, 128);
1069
1070#ifndef OPENSSL_NO_SRTP
1071 if (srtp_profiles != NULL)
1072 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1073#endif
1074
1075
1076 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
1077 (!SSL_CTX_set_default_verify_paths(ctx))) {
1078 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1079 ERR_print_errors(bio_err);
1080 /* goto end; */
1081 }
1082 if (vpm)
1083 SSL_CTX_set1_param(ctx, vpm);
1084
1085#ifndef OPENSSL_NO_TLSEXT
1086 if (s_cert2) {
1087 ctx2 = SSL_CTX_new(meth);
1088 if (ctx2 == NULL) {
1089 ERR_print_errors(bio_err);
1090 goto end;
1091 }
1092 }
1093 if (ctx2) {
1094 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1095
1096 if (session_id_prefix) {
1097 if (strlen(session_id_prefix) >= 32)
1098 BIO_printf(bio_err,
1099 "warning: id_prefix is too long, only one new session will be possible\n");
1100 else if (strlen(session_id_prefix) >= 16)
1101 BIO_printf(bio_err,
1102 "warning: id_prefix is too long if you use SSLv2\n");
1103 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1104 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1105 ERR_print_errors(bio_err);
1106 goto end;
1107 }
1108 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1109 }
1110 SSL_CTX_set_quiet_shutdown(ctx2, 1);
1111 if (bugs)
1112 SSL_CTX_set_options(ctx2, SSL_OP_ALL);
1113 if (hack)
1114 SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1115 SSL_CTX_set_options(ctx2, off);
1116 /*
1117 * DTLS: partial reads end up discarding unread UDP bytes :-(
1118 * Setting read ahead solves this problem.
1119 */
1120 if (socket_type == SOCK_DGRAM)
1121 SSL_CTX_set_read_ahead(ctx2, 1);
1122
1123 if (state)
1124 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1125
1126 if (no_cache)
1127 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
1128 else
1129 SSL_CTX_sess_set_cache_size(ctx2, 128);
1130
1131 if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
1132 (!SSL_CTX_set_default_verify_paths(ctx2))) {
1133 ERR_print_errors(bio_err);
1134 }
1135 if (vpm)
1136 SSL_CTX_set1_param(ctx2, vpm);
1137 }
1138#ifndef OPENSSL_NO_NEXTPROTONEG
1139 if (next_proto.data)
1140 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
1141#endif
1142#endif
1143
1144#ifndef OPENSSL_NO_DH
1145 if (!no_dhe) {
1146 DH *dh = NULL;
1147
1148 if (dhfile)
1149 dh = load_dh_param(dhfile);
1150 else if (s_cert_file)
1151 dh = load_dh_param(s_cert_file);
1152
1153 if (dh != NULL) {
1154 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1155 } else {
1156 BIO_printf(bio_s_out, "Using default temp DH parameters\n");
1157 dh = get_dh512();
1158 }
1159 (void) BIO_flush(bio_s_out);
1160
1161 SSL_CTX_set_tmp_dh(ctx, dh);
1162#ifndef OPENSSL_NO_TLSEXT
1163 if (ctx2) {
1164 if (!dhfile) {
1165 DH *dh2 = load_dh_param(s_cert_file2);
1166 if (dh2 != NULL) {
1167 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1168 (void) BIO_flush(bio_s_out);
1169
1170 DH_free(dh);
1171 dh = dh2;
1172 }
1173 }
1174 SSL_CTX_set_tmp_dh(ctx2, dh);
1175 }
1176#endif
1177 DH_free(dh);
1178 }
1179#endif
1180
1181 if (!no_ecdhe) {
1182 EC_KEY *ecdh = NULL;
1183
1184 if (named_curve) {
1185 int nid = OBJ_sn2nid(named_curve);
1186
1187 if (nid == 0) {
1188 BIO_printf(bio_err, "unknown curve name (%s)\n",
1189 named_curve);
1190 goto end;
1191 }
1192 ecdh = EC_KEY_new_by_curve_name(nid);
1193 if (ecdh == NULL) {
1194 BIO_printf(bio_err, "unable to create curve (%s)\n",
1195 named_curve);
1196 goto end;
1197 }
1198 }
1199 if (ecdh != NULL) {
1200 BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
1201 } else {
1202 BIO_printf(bio_s_out, "Using default temp ECDH parameters\n");
1203 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1204 if (ecdh == NULL) {
1205 BIO_printf(bio_err, "unable to create curve (nistp256)\n");
1206 goto end;
1207 }
1208 }
1209 (void) BIO_flush(bio_s_out);
1210
1211 SSL_CTX_set_tmp_ecdh(ctx, ecdh);
1212#ifndef OPENSSL_NO_TLSEXT
1213 if (ctx2)
1214 SSL_CTX_set_tmp_ecdh(ctx2, ecdh);
1215#endif
1216 EC_KEY_free(ecdh);
1217 }
1218
1219 if (!set_cert_key_stuff(ctx, s_cert, s_key))
1220 goto end;
1221#ifndef OPENSSL_NO_TLSEXT
1222 if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
1223 goto end;
1224#endif
1225 if (s_dcert != NULL) {
1226 if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
1227 goto end;
1228 }
1229 if (!no_tmp_rsa) {
1230 SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
1231#ifndef OPENSSL_NO_TLSEXT
1232 if (ctx2)
1233 SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
1234#endif
1235 }
1236
1237
1238 if (cipher != NULL) {
1239 if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
1240 BIO_printf(bio_err, "error setting cipher list\n");
1241 ERR_print_errors(bio_err);
1242 goto end;
1243 }
1244#ifndef OPENSSL_NO_TLSEXT
1245 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) {
1246 BIO_printf(bio_err, "error setting cipher list\n");
1247 ERR_print_errors(bio_err);
1248 goto end;
1249 }
1250#endif
1251 }
1252 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
1253 SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context,
1254 sizeof s_server_session_id_context);
1255
1256 /* Set DTLS cookie generation and verification callbacks */
1257 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
1258 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1259
1260#ifndef OPENSSL_NO_TLSEXT
1261 if (ctx2) {
1262 SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
1263 SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context,
1264 sizeof s_server_session_id_context);
1265
1266 tlsextcbp.biodebug = bio_s_out;
1267 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1268 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
1269 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1270 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1271 }
1272#endif
1273
1274 if (CAfile != NULL) {
1275 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
1276#ifndef OPENSSL_NO_TLSEXT
1277 if (ctx2)
1278 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
1279#endif
1280 }
1281 BIO_printf(bio_s_out, "ACCEPT\n");
1282 (void) BIO_flush(bio_s_out);
1283 if (www)
1284 do_server(port, socket_type, &accept_socket, www_body, context);
1285 else
1286 do_server(port, socket_type, &accept_socket, sv_body, context);
1287 print_stats(bio_s_out, ctx);
1288 ret = 0;
1289end:
1290 if (ctx != NULL)
1291 SSL_CTX_free(ctx);
1292 if (s_cert)
1293 X509_free(s_cert);
1294 if (s_dcert)
1295 X509_free(s_dcert);
1296 if (s_key)
1297 EVP_PKEY_free(s_key);
1298 if (s_dkey)
1299 EVP_PKEY_free(s_dkey);
1300 free(pass);
1301 free(dpass);
1302 if (vpm)
1303 X509_VERIFY_PARAM_free(vpm);
1304#ifndef OPENSSL_NO_TLSEXT
1305 free(tlscstatp.host);
1306 free(tlscstatp.port);
1307 free(tlscstatp.path);
1308 if (ctx2 != NULL)
1309 SSL_CTX_free(ctx2);
1310 if (s_cert2)
1311 X509_free(s_cert2);
1312 if (s_key2)
1313 EVP_PKEY_free(s_key2);
1314#endif
1315 if (bio_s_out != NULL) {
1316 BIO_free(bio_s_out);
1317 bio_s_out = NULL;
1318 }
1319
1320 return (ret);
1321}
1322
1323static void
1324print_stats(BIO * bio, SSL_CTX * ssl_ctx)
1325{
1326 BIO_printf(bio, "%4ld items in the session cache\n",
1327 SSL_CTX_sess_number(ssl_ctx));
1328 BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
1329 SSL_CTX_sess_connect(ssl_ctx));
1330 BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
1331 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1332 BIO_printf(bio, "%4ld client connects that finished\n",
1333 SSL_CTX_sess_connect_good(ssl_ctx));
1334 BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
1335 SSL_CTX_sess_accept(ssl_ctx));
1336 BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
1337 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1338 BIO_printf(bio, "%4ld server accepts that finished\n",
1339 SSL_CTX_sess_accept_good(ssl_ctx));
1340 BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
1341 BIO_printf(bio, "%4ld session cache misses\n", SSL_CTX_sess_misses(ssl_ctx));
1342 BIO_printf(bio, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ssl_ctx));
1343 BIO_printf(bio, "%4ld callback cache hits\n", SSL_CTX_sess_cb_hits(ssl_ctx));
1344 BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
1345 SSL_CTX_sess_cache_full(ssl_ctx),
1346 SSL_CTX_sess_get_cache_size(ssl_ctx));
1347}
1348
1349static int
1350sv_body(char *hostname, int s, unsigned char *context)
1351{
1352 char *buf = NULL;
1353 fd_set readfds;
1354 int ret = 1, width;
1355 int k, i;
1356 unsigned long l;
1357 SSL *con = NULL;
1358 BIO *sbio;
1359 struct timeval timeout;
1360 struct timeval *timeoutp;
1361
1362 if ((buf = malloc(bufsize)) == NULL) {
1363 BIO_printf(bio_err, "out of memory\n");
1364 goto err;
1365 }
1366 if (s_nbio) {
1367 unsigned long sl = 1;
1368
1369 if (!s_quiet)
1370 BIO_printf(bio_err, "turning on non blocking io\n");
1371 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
1372 ERR_print_errors(bio_err);
1373 }
1374
1375 if (con == NULL) {
1376 con = SSL_new(ctx);
1377#ifndef OPENSSL_NO_TLSEXT
1378 if (s_tlsextdebug) {
1379 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1380 SSL_set_tlsext_debug_arg(con, bio_s_out);
1381 }
1382 if (s_tlsextstatus) {
1383 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
1384 tlscstatp.err = bio_err;
1385 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
1386 }
1387#endif
1388 if (context)
1389 SSL_set_session_id_context(con, context,
1390 strlen((char *) context));
1391 }
1392 SSL_clear(con);
1393
1394 if (SSL_version(con) == DTLS1_VERSION) {
1395
1396 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
1397
1398 if (enable_timeouts) {
1399 timeout.tv_sec = 0;
1400 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1401 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1402
1403 timeout.tv_sec = 0;
1404 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1405 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1406 }
1407 if (socket_mtu > 28) {
1408 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1409 SSL_set_mtu(con, socket_mtu - 28);
1410 } else
1411 /* want to do MTU discovery */
1412 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1413
1414 /* turn on cookie exchange */
1415 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1416 } else
1417 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1418
1419 if (s_nbio_test) {
1420 BIO *test;
1421
1422 test = BIO_new(BIO_f_nbio_test());
1423 sbio = BIO_push(test, sbio);
1424 }
1425
1426 SSL_set_bio(con, sbio, sbio);
1427 SSL_set_accept_state(con);
1428 /* SSL_set_fd(con,s); */
1429
1430 if (s_debug) {
1431 SSL_set_debug(con, 1);
1432 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1433 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1434 }
1435 if (s_msg) {
1436 SSL_set_msg_callback(con, msg_cb);
1437 SSL_set_msg_callback_arg(con, bio_s_out);
1438 }
1439#ifndef OPENSSL_NO_TLSEXT
1440 if (s_tlsextdebug) {
1441 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1442 SSL_set_tlsext_debug_arg(con, bio_s_out);
1443 }
1444#endif
1445
1446 width = s + 1;
1447 for (;;) {
1448 int read_from_terminal;
1449 int read_from_sslcon;
1450
1451 read_from_terminal = 0;
1452 read_from_sslcon = SSL_pending(con);
1453
1454 if (!read_from_sslcon) {
1455 FD_ZERO(&readfds);
1456 FD_SET(fileno(stdin), &readfds);
1457 FD_SET(s, &readfds);
1458 if ((SSL_version(con) == DTLS1_VERSION) &&
1459 DTLSv1_get_timeout(con, &timeout))
1460 timeoutp = &timeout;
1461 else
1462 timeoutp = NULL;
1463
1464 i = select(width, &readfds, NULL, NULL, timeoutp);
1465
1466 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) {
1467 BIO_printf(bio_err, "TIMEOUT occured\n");
1468 }
1469 if (i <= 0)
1470 continue;
1471 if (FD_ISSET(fileno(stdin), &readfds))
1472 read_from_terminal = 1;
1473 if (FD_ISSET(s, &readfds))
1474 read_from_sslcon = 1;
1475 }
1476 if (read_from_terminal) {
1477 if (s_crlf) {
1478 int j, lf_num;
1479
1480 i = read(fileno(stdin), buf, bufsize / 2);
1481 lf_num = 0;
1482 /* both loops are skipped when i <= 0 */
1483 for (j = 0; j < i; j++)
1484 if (buf[j] == '\n')
1485 lf_num++;
1486 for (j = i - 1; j >= 0; j--) {
1487 buf[j + lf_num] = buf[j];
1488 if (buf[j] == '\n') {
1489 lf_num--;
1490 i++;
1491 buf[j + lf_num] = '\r';
1492 }
1493 }
1494 assert(lf_num == 0);
1495 } else
1496 i = read(fileno(stdin), buf, bufsize);
1497 if (!s_quiet) {
1498 if ((i <= 0) || (buf[0] == 'Q')) {
1499 BIO_printf(bio_s_out, "DONE\n");
1500 shutdown(s, SHUT_RD);
1501 close(s);
1502 close_accept_socket();
1503 ret = -11;
1504 goto err;
1505 }
1506 if ((i <= 0) || (buf[0] == 'q')) {
1507 BIO_printf(bio_s_out, "DONE\n");
1508 if (SSL_version(con) != DTLS1_VERSION) {
1509 shutdown(s, SHUT_RD);
1510 close(s);
1511 }
1512 /*
1513 * close_accept_socket(); ret= -11;
1514 */
1515 goto err;
1516 }
1517 if ((buf[0] == 'r') &&
1518 ((buf[1] == '\n') || (buf[1] == '\r'))) {
1519 SSL_renegotiate(con);
1520 i = SSL_do_handshake(con);
1521 printf("SSL_do_handshake -> %d\n", i);
1522 i = 0; /* 13; */
1523 continue;
1524 /*
1525 * strcpy(buf,"server side
1526 * RE-NEGOTIATE\n");
1527 */
1528 }
1529 if ((buf[0] == 'R') &&
1530 ((buf[1] == '\n') || (buf[1] == '\r'))) {
1531 SSL_set_verify(con,
1532 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
1533 SSL_renegotiate(con);
1534 i = SSL_do_handshake(con);
1535 printf("SSL_do_handshake -> %d\n", i);
1536 i = 0; /* 13; */
1537 continue;
1538 /*
1539 * strcpy(buf,"server side
1540 * RE-NEGOTIATE asking for client
1541 * cert\n");
1542 */
1543 }
1544 if (buf[0] == 'P') {
1545 static const char *str = "Lets print some clear text\n";
1546 BIO_write(SSL_get_wbio(con), str, strlen(str));
1547 }
1548 if (buf[0] == 'S') {
1549 print_stats(bio_s_out, SSL_get_SSL_CTX(con));
1550 }
1551 }
1552 l = k = 0;
1553 for (;;) {
1554 /* should do a select for the write */
1555#ifdef RENEG
1556 {
1557 static count = 0;
1558 if (++count == 100) {
1559 count = 0;
1560 SSL_renegotiate(con);
1561 }
1562 }
1563#endif
1564 k = SSL_write(con, &(buf[l]), (unsigned int) i);
1565 switch (SSL_get_error(con, k)) {
1566 case SSL_ERROR_NONE:
1567 break;
1568 case SSL_ERROR_WANT_WRITE:
1569 case SSL_ERROR_WANT_READ:
1570 case SSL_ERROR_WANT_X509_LOOKUP:
1571 BIO_printf(bio_s_out, "Write BLOCK\n");
1572 break;
1573 case SSL_ERROR_SYSCALL:
1574 case SSL_ERROR_SSL:
1575 BIO_printf(bio_s_out, "ERROR\n");
1576 ERR_print_errors(bio_err);
1577 ret = 1;
1578 goto err;
1579 /* break; */
1580 case SSL_ERROR_ZERO_RETURN:
1581 BIO_printf(bio_s_out, "DONE\n");
1582 ret = 1;
1583 goto err;
1584 }
1585 l += k;
1586 i -= k;
1587 if (i <= 0)
1588 break;
1589 }
1590 }
1591 if (read_from_sslcon) {
1592 if (!SSL_is_init_finished(con)) {
1593 i = init_ssl_connection(con);
1594
1595 if (i < 0) {
1596 ret = 0;
1597 goto err;
1598 } else if (i == 0) {
1599 ret = 1;
1600 goto err;
1601 }
1602 } else {
1603 again:
1604 i = SSL_read(con, (char *) buf, bufsize);
1605 switch (SSL_get_error(con, i)) {
1606 case SSL_ERROR_NONE: {
1607 int len, n;
1608 for (len = 0; len < i;) {
1609 do {
1610 n = write(fileno(stdout), buf + len, i - len);
1611 } while (n == -1 && errno == EINTR);
1612
1613 if (n < 0) {
1614 BIO_printf(bio_s_out, "ERROR\n");
1615 goto err;
1616 }
1617 len += n;
1618 }
1619 }
1620 if (SSL_pending(con))
1621 goto again;
1622 break;
1623 case SSL_ERROR_WANT_WRITE:
1624 case SSL_ERROR_WANT_READ:
1625 BIO_printf(bio_s_out, "Read BLOCK\n");
1626 break;
1627 case SSL_ERROR_SYSCALL:
1628 case SSL_ERROR_SSL:
1629 BIO_printf(bio_s_out, "ERROR\n");
1630 ERR_print_errors(bio_err);
1631 ret = 1;
1632 goto err;
1633 case SSL_ERROR_ZERO_RETURN:
1634 BIO_printf(bio_s_out, "DONE\n");
1635 ret = 1;
1636 goto err;
1637 }
1638 }
1639 }
1640 }
1641err:
1642 if (con != NULL) {
1643 BIO_printf(bio_s_out, "shutting down SSL\n");
1644 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
1645 SSL_free(con);
1646 }
1647 BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
1648 if (buf != NULL) {
1649 OPENSSL_cleanse(buf, bufsize);
1650 free(buf);
1651 }
1652 if (ret >= 0)
1653 BIO_printf(bio_s_out, "ACCEPT\n");
1654 return (ret);
1655}
1656
1657static void
1658close_accept_socket(void)
1659{
1660 BIO_printf(bio_err, "shutdown accept socket\n");
1661 if (accept_socket >= 0) {
1662 shutdown(accept_socket, SHUT_RDWR);
1663 close(accept_socket);
1664 }
1665}
1666
1667static int
1668init_ssl_connection(SSL * con)
1669{
1670 int i;
1671 const char *str;
1672 X509 *peer;
1673 long verify_error;
1674 char buf[BUFSIZ];
1675#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1676 const unsigned char *next_proto_neg;
1677 unsigned next_proto_neg_len;
1678#endif
1679 unsigned char *exportedkeymat;
1680
1681
1682 i = SSL_accept(con);
1683 if (i <= 0) {
1684 if (BIO_sock_should_retry(i)) {
1685 BIO_printf(bio_s_out, "DELAY\n");
1686 return (1);
1687 }
1688 BIO_printf(bio_err, "ERROR\n");
1689 verify_error = SSL_get_verify_result(con);
1690 if (verify_error != X509_V_OK) {
1691 BIO_printf(bio_err, "verify error:%s\n",
1692 X509_verify_cert_error_string(verify_error));
1693 } else
1694 ERR_print_errors(bio_err);
1695 return (0);
1696 }
1697 PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
1698
1699 peer = SSL_get_peer_certificate(con);
1700 if (peer != NULL) {
1701 BIO_printf(bio_s_out, "Client certificate\n");
1702 PEM_write_bio_X509(bio_s_out, peer);
1703 X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
1704 BIO_printf(bio_s_out, "subject=%s\n", buf);
1705 X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
1706 BIO_printf(bio_s_out, "issuer=%s\n", buf);
1707 X509_free(peer);
1708 }
1709 if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
1710 BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
1711 str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1712 BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
1713
1714#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1715 SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
1716 if (next_proto_neg) {
1717 BIO_printf(bio_s_out, "NEXTPROTO is ");
1718 BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
1719 BIO_printf(bio_s_out, "\n");
1720 }
1721#endif
1722#ifndef OPENSSL_NO_SRTP
1723 {
1724 SRTP_PROTECTION_PROFILE *srtp_profile
1725 = SSL_get_selected_srtp_profile(con);
1726
1727 if (srtp_profile)
1728 BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
1729 srtp_profile->name);
1730 }
1731#endif
1732 if (SSL_cache_hit(con))
1733 BIO_printf(bio_s_out, "Reused session-id\n");
1734 if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
1735 TLS1_FLAGS_TLS_PADDING_BUG)
1736 BIO_printf(bio_s_out,
1737 "Peer has incorrect TLSv1 block padding\n");
1738 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
1739 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
1740 if (keymatexportlabel != NULL) {
1741 BIO_printf(bio_s_out, "Keying material exporter:\n");
1742 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
1743 BIO_printf(bio_s_out, " Length: %i bytes\n",
1744 keymatexportlen);
1745 exportedkeymat = malloc(keymatexportlen);
1746 if (exportedkeymat != NULL) {
1747 if (!SSL_export_keying_material(con, exportedkeymat,
1748 keymatexportlen,
1749 keymatexportlabel,
1750 strlen(keymatexportlabel),
1751 NULL, 0, 0)) {
1752 BIO_printf(bio_s_out, " Error\n");
1753 } else {
1754 BIO_printf(bio_s_out, " Keying material: ");
1755 for (i = 0; i < keymatexportlen; i++)
1756 BIO_printf(bio_s_out, "%02X",
1757 exportedkeymat[i]);
1758 BIO_printf(bio_s_out, "\n");
1759 }
1760 free(exportedkeymat);
1761 }
1762 }
1763 return (1);
1764}
1765
1766#ifndef OPENSSL_NO_DH
1767static DH *
1768load_dh_param(const char *dhfile)
1769{
1770 DH *ret = NULL;
1771 BIO *bio;
1772
1773 if ((bio = BIO_new_file(dhfile, "r")) == NULL)
1774 goto err;
1775 ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1776err:
1777 BIO_free(bio);
1778 return (ret);
1779}
1780#endif
1781
1782static int
1783www_body(char *hostname, int s, unsigned char *context)
1784{
1785 char *buf = NULL;
1786 int ret = 1;
1787 int i, j, k, dot;
1788 SSL *con;
1789 const SSL_CIPHER *c;
1790 BIO *io, *ssl_bio, *sbio;
1791
1792 buf = malloc(bufsize);
1793 if (buf == NULL)
1794 return (0);
1795 io = BIO_new(BIO_f_buffer());
1796 ssl_bio = BIO_new(BIO_f_ssl());
1797 if ((io == NULL) || (ssl_bio == NULL))
1798 goto err;
1799
1800 if (s_nbio) {
1801 unsigned long sl = 1;
1802
1803 if (!s_quiet)
1804 BIO_printf(bio_err, "turning on non blocking io\n");
1805 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
1806 ERR_print_errors(bio_err);
1807 }
1808
1809 /* lets make the output buffer a reasonable size */
1810 if (!BIO_set_write_buffer_size(io, bufsize))
1811 goto err;
1812
1813 if ((con = SSL_new(ctx)) == NULL)
1814 goto err;
1815#ifndef OPENSSL_NO_TLSEXT
1816 if (s_tlsextdebug) {
1817 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1818 SSL_set_tlsext_debug_arg(con, bio_s_out);
1819 }
1820#endif
1821 if (context)
1822 SSL_set_session_id_context(con, context,
1823 strlen((char *) context));
1824
1825 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1826 if (s_nbio_test) {
1827 BIO *test;
1828
1829 test = BIO_new(BIO_f_nbio_test());
1830 sbio = BIO_push(test, sbio);
1831 }
1832 SSL_set_bio(con, sbio, sbio);
1833 SSL_set_accept_state(con);
1834
1835 /* SSL_set_fd(con,s); */
1836 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
1837 BIO_push(io, ssl_bio);
1838
1839 if (s_debug) {
1840 SSL_set_debug(con, 1);
1841 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1842 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1843 }
1844 if (s_msg) {
1845 SSL_set_msg_callback(con, msg_cb);
1846 SSL_set_msg_callback_arg(con, bio_s_out);
1847 }
1848 for (;;) {
1849 if (hack) {
1850 i = SSL_accept(con);
1851 switch (SSL_get_error(con, i)) {
1852 case SSL_ERROR_NONE:
1853 break;
1854 case SSL_ERROR_WANT_WRITE:
1855 case SSL_ERROR_WANT_READ:
1856 case SSL_ERROR_WANT_X509_LOOKUP:
1857 continue;
1858 case SSL_ERROR_SYSCALL:
1859 case SSL_ERROR_SSL:
1860 case SSL_ERROR_ZERO_RETURN:
1861 ret = 1;
1862 goto err;
1863 /* break; */
1864 }
1865
1866 SSL_renegotiate(con);
1867 SSL_write(con, NULL, 0);
1868 }
1869 i = BIO_gets(io, buf, bufsize - 1);
1870 if (i < 0) { /* error */
1871 if (!BIO_should_retry(io)) {
1872 if (!s_quiet)
1873 ERR_print_errors(bio_err);
1874 goto err;
1875 } else {
1876 BIO_printf(bio_s_out, "read R BLOCK\n");
1877 sleep(1);
1878 continue;
1879 }
1880 } else if (i == 0) { /* end of input */
1881 ret = 1;
1882 goto end;
1883 }
1884 /* else we have data */
1885 if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
1886 ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
1887 char *p;
1888 X509 *peer;
1889 STACK_OF(SSL_CIPHER) * sk;
1890 static const char *space = " ";
1891
1892 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1893 BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
1894 BIO_puts(io, "<pre>\n");
1895/* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
1896 BIO_puts(io, "\n");
1897 for (i = 0; i < local_argc; i++) {
1898 BIO_puts(io, local_argv[i]);
1899 BIO_write(io, " ", 1);
1900 }
1901 BIO_puts(io, "\n");
1902
1903 BIO_printf(io,
1904 "Secure Renegotiation IS%s supported\n",
1905 SSL_get_secure_renegotiation_support(con) ?
1906 "" : " NOT");
1907
1908 /*
1909 * The following is evil and should not really be
1910 * done
1911 */
1912 BIO_printf(io, "Ciphers supported in s_server binary\n");
1913 sk = SSL_get_ciphers(con);
1914 j = sk_SSL_CIPHER_num(sk);
1915 for (i = 0; i < j; i++) {
1916 c = sk_SSL_CIPHER_value(sk, i);
1917 BIO_printf(io, "%-11s:%-25s",
1918 SSL_CIPHER_get_version(c),
1919 SSL_CIPHER_get_name(c));
1920 if ((((i + 1) % 2) == 0) && (i + 1 != j))
1921 BIO_puts(io, "\n");
1922 }
1923 BIO_puts(io, "\n");
1924 p = SSL_get_shared_ciphers(con, buf, bufsize);
1925 if (p != NULL) {
1926 BIO_printf(io, "---\nCiphers common between both SSL end points:\n");
1927 j = i = 0;
1928 while (*p) {
1929 if (*p == ':') {
1930 BIO_write(io, space, 26 - j);
1931 i++;
1932 j = 0;
1933 BIO_write(io, ((i % 3) ? " " : "\n"), 1);
1934 } else {
1935 BIO_write(io, p, 1);
1936 j++;
1937 }
1938 p++;
1939 }
1940 BIO_puts(io, "\n");
1941 }
1942 BIO_printf(io, (SSL_cache_hit(con)
1943 ? "---\nReused, "
1944 : "---\nNew, "));
1945 c = SSL_get_current_cipher(con);
1946 BIO_printf(io, "%s, Cipher is %s\n",
1947 SSL_CIPHER_get_version(c),
1948 SSL_CIPHER_get_name(c));
1949 SSL_SESSION_print(io, SSL_get_session(con));
1950 BIO_printf(io, "---\n");
1951 print_stats(io, SSL_get_SSL_CTX(con));
1952 BIO_printf(io, "---\n");
1953 peer = SSL_get_peer_certificate(con);
1954 if (peer != NULL) {
1955 BIO_printf(io, "Client certificate\n");
1956 X509_print(io, peer);
1957 PEM_write_bio_X509(io, peer);
1958 } else
1959 BIO_puts(io, "no client certificate available\n");
1960 BIO_puts(io, "</BODY></HTML>\r\n\r\n");
1961 break;
1962 } else if ((www == 2 || www == 3)
1963 && (strncmp("GET /", buf, 5) == 0)) {
1964 BIO *file;
1965 char *p, *e;
1966 static const char *text = "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
1967
1968 /* skip the '/' */
1969 p = &(buf[5]);
1970
1971 dot = 1;
1972 for (e = p; *e != '\0'; e++) {
1973 if (e[0] == ' ')
1974 break;
1975
1976 switch (dot) {
1977 case 1:
1978 dot = (e[0] == '.') ? 2 : 0;
1979 break;
1980 case 2:
1981 dot = (e[0] == '.') ? 3 : 0;
1982 break;
1983 case 3:
1984 dot = (e[0] == '/') ? -1 : 0;
1985 break;
1986 }
1987 if (dot == 0)
1988 dot = (e[0] == '/') ? 1 : 0;
1989 }
1990 dot = (dot == 3) || (dot == -1); /* filename contains
1991 * ".." component */
1992
1993 if (*e == '\0') {
1994 BIO_puts(io, text);
1995 BIO_printf(io, "'%s' is an invalid file name\r\n", p);
1996 break;
1997 }
1998 *e = '\0';
1999
2000 if (dot) {
2001 BIO_puts(io, text);
2002 BIO_printf(io, "'%s' contains '..' reference\r\n", p);
2003 break;
2004 }
2005 if (*p == '/') {
2006 BIO_puts(io, text);
2007 BIO_printf(io, "'%s' is an invalid path\r\n", p);
2008 break;
2009 }
2010 /* if a directory, do the index thang */
2011 if (app_isdir(p) > 0) {
2012 BIO_puts(io, text);
2013 BIO_printf(io, "'%s' is a directory\r\n", p);
2014 break;
2015 }
2016 if ((file = BIO_new_file(p, "r")) == NULL) {
2017 BIO_puts(io, text);
2018 BIO_printf(io, "Error opening '%s'\r\n", p);
2019 ERR_print_errors(io);
2020 break;
2021 }
2022 if (!s_quiet)
2023 BIO_printf(bio_err, "FILE:%s\n", p);
2024
2025 if (www == 2) {
2026 i = strlen(p);
2027 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
2028 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
2029 ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
2030 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2031 else
2032 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
2033 }
2034 /* send the file */
2035 for (;;) {
2036 i = BIO_read(file, buf, bufsize);
2037 if (i <= 0)
2038 break;
2039
2040#ifdef RENEG
2041 total_bytes += i;
2042 fprintf(stderr, "%d\n", i);
2043 if (total_bytes > 3 * 1024) {
2044 total_bytes = 0;
2045 fprintf(stderr, "RENEGOTIATE\n");
2046 SSL_renegotiate(con);
2047 }
2048#endif
2049
2050 for (j = 0; j < i;) {
2051#ifdef RENEG
2052 {
2053 static count = 0;
2054 if (++count == 13) {
2055 SSL_renegotiate(con);
2056 }
2057 }
2058#endif
2059 k = BIO_write(io, &(buf[j]), i - j);
2060 if (k <= 0) {
2061 if (!BIO_should_retry(io))
2062 goto write_error;
2063 else {
2064 BIO_printf(bio_s_out, "rwrite W BLOCK\n");
2065 }
2066 } else {
2067 j += k;
2068 }
2069 }
2070 }
2071 write_error:
2072 BIO_free(file);
2073 break;
2074 }
2075 }
2076
2077 for (;;) {
2078 i = (int) BIO_flush(io);
2079 if (i <= 0) {
2080 if (!BIO_should_retry(io))
2081 break;
2082 } else
2083 break;
2084 }
2085end:
2086 /* make sure we re-use sessions */
2087 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2088
2089err:
2090
2091 if (ret >= 0)
2092 BIO_printf(bio_s_out, "ACCEPT\n");
2093
2094 if (buf != NULL)
2095 free(buf);
2096 if (io != NULL)
2097 BIO_free_all(io);
2098/* if (ssl_bio != NULL) BIO_free(ssl_bio);*/
2099 return (ret);
2100}
2101
2102static RSA *
2103tmp_rsa_cb(SSL * s, int is_export, int keylength)
2104{
2105 BIGNUM *bn = NULL;
2106 static RSA *rsa_tmp = NULL;
2107
2108 if (!rsa_tmp && ((bn = BN_new()) == NULL))
2109 BIO_printf(bio_err, "Allocation error in generating RSA key\n");
2110 if (!rsa_tmp && bn) {
2111 if (!s_quiet) {
2112 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength);
2113 (void) BIO_flush(bio_err);
2114 }
2115 if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
2116 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
2117 if (rsa_tmp)
2118 RSA_free(rsa_tmp);
2119 rsa_tmp = NULL;
2120 }
2121 if (!s_quiet) {
2122 BIO_printf(bio_err, "\n");
2123 (void) BIO_flush(bio_err);
2124 }
2125 BN_free(bn);
2126 }
2127 return (rsa_tmp);
2128}
2129
2130#define MAX_SESSION_ID_ATTEMPTS 10
2131static int
2132generate_session_id(const SSL * ssl, unsigned char *id,
2133 unsigned int *id_len)
2134{
2135 unsigned int count = 0;
2136 do {
2137 RAND_pseudo_bytes(id, *id_len);
2138 /*
2139 * Prefix the session_id with the required prefix. NB: If our
2140 * prefix is too long, clip it - but there will be worse
2141 * effects anyway, eg. the server could only possibly create
2142 * 1 session ID (ie. the prefix!) so all future session
2143 * negotiations will fail due to conflicts.
2144 */
2145 memcpy(id, session_id_prefix,
2146 (strlen(session_id_prefix) < *id_len) ?
2147 strlen(session_id_prefix) : *id_len);
2148 }
2149 while (SSL_has_matching_session_id(ssl, id, *id_len) &&
2150 (++count < MAX_SESSION_ID_ATTEMPTS));
2151 if (count >= MAX_SESSION_ID_ATTEMPTS)
2152 return 0;
2153 return 1;
2154}
diff --git a/src/lib/libssl/src/apps/s_socket.c b/src/lib/libssl/src/apps/s_socket.c
deleted file mode 100644
index c5f3a28519..0000000000
--- a/src/lib/libssl/src/apps/s_socket.c
+++ /dev/null
@@ -1,351 +0,0 @@
1/* $OpenBSD: s_socket.c,v 1.42 2014/06/28 04:39:41 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <sys/socket.h>
60
61#include <netinet/in.h>
62
63#include <errno.h>
64#include <netdb.h>
65#include <stdio.h>
66#include <stdlib.h>
67#include <string.h>
68#include <unistd.h>
69
70#include "apps.h"
71
72#include <openssl/ssl.h>
73
74#include "s_apps.h"
75
76static int ssl_sock_init(void);
77static int init_server(int *sock, int port, int type);
78static int init_server_long(int *sock, int port, char *ip, int type);
79static int do_accept(int acc_sock, int *sock, char **host);
80
81#define SOCKET_PROTOCOL IPPROTO_TCP
82
83static int
84ssl_sock_init(void)
85{
86 return (1);
87}
88
89int
90init_client(int *sock, char *host, char *port, int type, int af)
91{
92 struct addrinfo hints, *ai_top, *ai;
93 int i, s;
94
95 if (!ssl_sock_init())
96 return (0);
97
98 memset(&hints, '\0', sizeof(hints));
99 hints.ai_family = af;
100 hints.ai_socktype = type;
101
102 if ((i = getaddrinfo(host, port, &hints, &ai_top)) != 0) {
103 BIO_printf(bio_err, "getaddrinfo: %s\n", gai_strerror(i));
104 return (0);
105 }
106 if (ai_top == NULL || ai_top->ai_addr == NULL) {
107 BIO_printf(bio_err, "getaddrinfo returned no addresses\n");
108 if (ai_top != NULL) {
109 freeaddrinfo(ai_top);
110 }
111 return (0);
112 }
113 for (ai = ai_top; ai != NULL; ai = ai->ai_next) {
114 s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
115 if (s == -1) {
116 continue;
117 }
118 if (type == SOCK_STREAM) {
119 i = 0;
120 i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
121 (char *) &i, sizeof(i));
122 if (i < 0) {
123 perror("keepalive");
124 close(s);
125 return (0);
126 }
127 }
128 if ((i = connect(s, ai->ai_addr, ai->ai_addrlen)) == 0) {
129 *sock = s;
130 freeaddrinfo(ai_top);
131 return (1);
132 }
133 close(s);
134 }
135
136 perror("connect");
137 close(s);
138 freeaddrinfo(ai_top);
139 return (0);
140}
141
142int
143do_server(int port, int type, int *ret,
144 int (*cb) (char *hostname, int s, unsigned char *context),
145 unsigned char *context)
146{
147 int sock;
148 char *name = NULL;
149 int accept_socket = 0;
150 int i;
151
152 if (!init_server(&accept_socket, port, type))
153 return (0);
154
155 if (ret != NULL) {
156 *ret = accept_socket;
157 /* return(1); */
158 }
159 for (;;) {
160 if (type == SOCK_STREAM) {
161 if (do_accept(accept_socket, &sock, &name) == 0) {
162 shutdown(accept_socket, SHUT_RD);
163 close(accept_socket);
164 return (0);
165 }
166 } else
167 sock = accept_socket;
168 i = (*cb) (name, sock, context);
169 free(name);
170 if (type == SOCK_STREAM) {
171 shutdown(sock, SHUT_RDWR);
172 close(sock);
173 }
174 if (i < 0) {
175 shutdown(accept_socket, SHUT_RDWR);
176 close(accept_socket);
177 return (i);
178 }
179 }
180}
181
182static int
183init_server_long(int *sock, int port, char *ip, int type)
184{
185 int ret = 0;
186 struct sockaddr_in server;
187 int s = -1;
188
189 if (!ssl_sock_init())
190 return (0);
191
192 memset((char *) &server, 0, sizeof(server));
193 server.sin_family = AF_INET;
194 server.sin_port = htons((unsigned short) port);
195 if (ip == NULL)
196 server.sin_addr.s_addr = INADDR_ANY;
197 else
198 memcpy(&server.sin_addr.s_addr, ip, 4);
199
200 if (type == SOCK_STREAM)
201 s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
202 else /* type == SOCK_DGRAM */
203 s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
204
205 if (s == -1)
206 goto err;
207#if defined SOL_SOCKET && defined SO_REUSEADDR
208 {
209 int j = 1;
210 setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
211 (void *) &j, sizeof j);
212 }
213#endif
214 if (bind(s, (struct sockaddr *) & server, sizeof(server)) == -1) {
215 perror("bind");
216 goto err;
217 }
218 /* Make it 128 for linux */
219 if (type == SOCK_STREAM && listen(s, 128) == -1)
220 goto err;
221 *sock = s;
222 ret = 1;
223err:
224 if ((ret == 0) && (s != -1)) {
225 shutdown(s, SHUT_RD);
226 close(s);
227 }
228 return (ret);
229}
230
231static int
232init_server(int *sock, int port, int type)
233{
234 return (init_server_long(sock, port, NULL, type));
235}
236
237static int
238do_accept(int acc_sock, int *sock, char **host)
239{
240 int ret;
241 struct hostent *h1, *h2;
242 static struct sockaddr_in from;
243 socklen_t len;
244/* struct linger ling; */
245
246 if (!ssl_sock_init())
247 return (0);
248
249redoit:
250
251 memset((char *) &from, 0, sizeof(from));
252 len = sizeof(from);
253 ret = accept(acc_sock, (struct sockaddr *) & from, &len);
254 if (ret == -1) {
255 if (errno == EINTR) {
256 /* check_timeout(); */
257 goto redoit;
258 }
259 fprintf(stderr, "errno=%d ", errno);
260 perror("accept");
261 return (0);
262 }
263/*
264 ling.l_onoff=1;
265 ling.l_linger=0;
266 i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
267 if (i < 0) { perror("linger"); return(0); }
268 i=0;
269 i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
270 if (i < 0) { perror("keepalive"); return(0); }
271*/
272
273 if (host == NULL)
274 goto end;
275 h1 = gethostbyaddr((char *) &from.sin_addr.s_addr,
276 sizeof(from.sin_addr.s_addr), AF_INET);
277 if (h1 == NULL) {
278 BIO_printf(bio_err, "bad gethostbyaddr\n");
279 *host = NULL;
280 /* return(0); */
281 } else {
282 if ((*host = strdup(h1->h_name)) == NULL) {
283 perror("strdup");
284 close(ret);
285 return (0);
286 }
287
288 h2 = gethostbyname(*host);
289 if (h2 == NULL) {
290 BIO_printf(bio_err, "gethostbyname failure\n");
291 close(ret);
292 return (0);
293 }
294 if (h2->h_addrtype != AF_INET) {
295 BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
296 close(ret);
297 return (0);
298 }
299 }
300
301end:
302 *sock = ret;
303 return (1);
304}
305
306int
307extract_host_port(char *str, char **host_ptr, unsigned char *ip,
308 char **port_ptr)
309{
310 char *h, *p;
311
312 h = str;
313 p = strrchr(str, '/'); /* IPv6 host/port */
314 if (p == NULL) {
315 p = strrchr(str, ':');
316 }
317 if (p == NULL) {
318 BIO_printf(bio_err, "no port defined\n");
319 return (0);
320 }
321 *(p++) = '\0';
322
323 if (host_ptr != NULL)
324 *host_ptr = h;
325
326 if (port_ptr != NULL && p != NULL && *p != '\0')
327 *port_ptr = p;
328
329 return (1);
330}
331
332int
333extract_port(char *str, short *port_ptr)
334{
335 int i;
336 const char *errstr;
337 struct servent *s;
338
339 i = strtonum(str, 1, 65535, &errstr);
340 if (!errstr) {
341 *port_ptr = (unsigned short) i;
342 } else {
343 s = getservbyname(str, "tcp");
344 if (s == NULL) {
345 BIO_printf(bio_err, "getservbyname failure for %s\n", str);
346 return (0);
347 }
348 *port_ptr = ntohs((unsigned short) s->s_port);
349 }
350 return (1);
351}
diff --git a/src/lib/libssl/src/apps/s_time.c b/src/lib/libssl/src/apps/s_time.c
deleted file mode 100644
index ae1aa00019..0000000000
--- a/src/lib/libssl/src/apps/s_time.c
+++ /dev/null
@@ -1,587 +0,0 @@
1/* $OpenBSD: s_time.c,v 1.35 2014/08/24 16:07:29 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#define NO_SHUTDOWN
60
61/*-----------------------------------------
62 s_time - SSL client connection timer program
63 Written and donated by Larry Streepy <streepy@healthcare.com>
64 -----------------------------------------*/
65
66#include <sys/select.h>
67#include <sys/socket.h>
68
69#include <stdio.h>
70#include <stdlib.h>
71#include <limits.h>
72#include <string.h>
73#include <unistd.h>
74
75#include "apps.h"
76
77#include <openssl/err.h>
78#include <openssl/pem.h>
79#include <openssl/ssl.h>
80#include <openssl/x509.h>
81
82#include "s_apps.h"
83
84#define SSL_CONNECT_NAME "localhost:4433"
85
86 /*#define TEST_CERT "client.pem" *//* no default cert. */
87
88#define BUFSIZZ 1024*10
89
90#define MYBUFSIZ 1024*8
91
92#undef min
93#undef max
94#define min(a,b) (((a) < (b)) ? (a) : (b))
95#define max(a,b) (((a) > (b)) ? (a) : (b))
96
97#define SECONDS 30
98extern int verify_depth;
99extern int verify_error;
100
101static void s_time_usage(void);
102static int parseArgs(int argc, char **argv);
103static SSL *doConnection(SSL * scon);
104static void s_time_init(void);
105
106/***********************************************************************
107 * Static data declarations
108 */
109
110/* static char *port=PORT_STR;*/
111static char *host = SSL_CONNECT_NAME;
112static char *t_cert_file = NULL;
113static char *t_key_file = NULL;
114static char *CApath = NULL;
115static char *CAfile = NULL;
116static char *tm_cipher = NULL;
117static int tm_verify = SSL_VERIFY_NONE;
118static int maxTime = SECONDS;
119static SSL_CTX *tm_ctx = NULL;
120static const SSL_METHOD *s_time_meth = NULL;
121static char *s_www_path = NULL;
122static long bytes_read = 0;
123static int st_bugs = 0;
124static int perform = 0;
125static int t_nbio = 0;
126
127static void
128s_time_init(void)
129{
130 host = SSL_CONNECT_NAME;
131 t_cert_file = NULL;
132 t_key_file = NULL;
133 CApath = NULL;
134 CAfile = NULL;
135 tm_cipher = NULL;
136 tm_verify = SSL_VERIFY_NONE;
137 maxTime = SECONDS;
138 tm_ctx = NULL;
139 s_time_meth = NULL;
140 s_www_path = NULL;
141 bytes_read = 0;
142 st_bugs = 0;
143 perform = 0;
144
145 t_nbio = 0;
146}
147
148/***********************************************************************
149 * usage - display usage message
150 */
151static void
152s_time_usage(void)
153{
154 static const char umsg[] = "\
155-time arg - max number of seconds to collect data, default %d\n\
156-verify arg - turn on peer certificate verification, arg == depth\n\
157-cert arg - certificate file to use, PEM format assumed\n\
158-key arg - RSA file to use, PEM format assumed, key is in cert file\n\
159 file if not specified by this option\n\
160-CApath arg - PEM format directory of CA's\n\
161-CAfile arg - PEM format file of CA's\n\
162-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
163
164 printf("usage: s_time <args>\n\n");
165
166 printf("-connect host:port - host:port to connect to (default is %s)\n", SSL_CONNECT_NAME);
167 printf("-nbio - Run with non-blocking IO\n");
168 printf("-ssl2 - Just use SSLv2\n");
169 printf("-ssl3 - Just use SSLv3\n");
170 printf("-bugs - Turn on SSL bug compatibility\n");
171 printf("-new - Just time new connections\n");
172 printf("-reuse - Just time connection reuse\n");
173 printf("-www page - Retrieve 'page' from the site\n");
174 printf(umsg, SECONDS);
175}
176
177/***********************************************************************
178 * parseArgs - Parse command line arguments and initialize data
179 *
180 * Returns 0 if ok, -1 on bad args
181 */
182static int
183parseArgs(int argc, char **argv)
184{
185 int badop = 0;
186 const char *errstr;
187
188 verify_depth = 0;
189 verify_error = X509_V_OK;
190
191 argc--;
192 argv++;
193
194 while (argc >= 1) {
195 if (strcmp(*argv, "-connect") == 0) {
196 if (--argc < 1)
197 goto bad;
198 host = *(++argv);
199 }
200#if 0
201 else if (strcmp(*argv, "-host") == 0) {
202 if (--argc < 1)
203 goto bad;
204 host = *(++argv);
205 } else if (strcmp(*argv, "-port") == 0) {
206 if (--argc < 1)
207 goto bad;
208 port = *(++argv);
209 }
210#endif
211 else if (strcmp(*argv, "-reuse") == 0)
212 perform = 2;
213 else if (strcmp(*argv, "-new") == 0)
214 perform = 1;
215 else if (strcmp(*argv, "-verify") == 0) {
216 const char *errstr;
217
218 tm_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
219 if (--argc < 1)
220 goto bad;
221 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
222 if (errstr)
223 goto bad;
224 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
225
226 } else if (strcmp(*argv, "-cert") == 0) {
227
228 if (--argc < 1)
229 goto bad;
230 t_cert_file = *(++argv);
231
232 } else if (strcmp(*argv, "-key") == 0) {
233
234 if (--argc < 1)
235 goto bad;
236 t_key_file = *(++argv);
237
238 } else if (strcmp(*argv, "-CApath") == 0) {
239
240 if (--argc < 1)
241 goto bad;
242 CApath = *(++argv);
243
244 } else if (strcmp(*argv, "-CAfile") == 0) {
245
246 if (--argc < 1)
247 goto bad;
248 CAfile = *(++argv);
249
250 } else if (strcmp(*argv, "-cipher") == 0) {
251
252 if (--argc < 1)
253 goto bad;
254 tm_cipher = *(++argv);
255 }
256 else if (strcmp(*argv, "-nbio") == 0) {
257 t_nbio = 1;
258 }
259 else if (strcmp(*argv, "-www") == 0) {
260 if (--argc < 1)
261 goto bad;
262 s_www_path = *(++argv);
263 if (strlen(s_www_path) > MYBUFSIZ - 100) {
264 BIO_printf(bio_err, "-www option too long\n");
265 badop = 1;
266 }
267 } else if (strcmp(*argv, "-bugs") == 0)
268 st_bugs = 1;
269 else if (strcmp(*argv, "-ssl3") == 0)
270 s_time_meth = SSLv3_client_method();
271 else if (strcmp(*argv, "-time") == 0) {
272
273 if (--argc < 1)
274 goto bad;
275 maxTime = strtonum(*(++argv), 0, INT_MAX, &errstr);
276 if (errstr)
277 goto bad;
278 } else {
279 BIO_printf(bio_err, "unknown option %s\n", *argv);
280 badop = 1;
281 break;
282 }
283
284 argc--;
285 argv++;
286 }
287
288 if (perform == 0)
289 perform = 3;
290
291 if (badop) {
292bad:
293 s_time_usage();
294 return -1;
295 }
296 return 0; /* Valid args */
297}
298
299/***********************************************************************
300 * TIME - time functions
301 */
302#define START 0
303#define STOP 1
304
305static double
306tm_Time_F(int s)
307{
308 return app_tminterval(s, 1);
309}
310
311/***********************************************************************
312 * MAIN - main processing area for client
313 * real name depends on MONOLITH
314 */
315int s_time_main(int, char **);
316
317int
318s_time_main(int argc, char **argv)
319{
320 double totalTime = 0.0;
321 int nConn = 0;
322 SSL *scon = NULL;
323 long finishtime = 0;
324 int ret = 1, i;
325 char buf[1024 * 8];
326 int ver;
327
328 s_time_init();
329
330 s_time_meth = SSLv23_client_method();
331
332 /* parse the command line arguments */
333 if (parseArgs(argc, argv) < 0)
334 goto end;
335
336 if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
337 return (1);
338
339 SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
340
341 if (st_bugs)
342 SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
343 SSL_CTX_set_cipher_list(tm_ctx, tm_cipher);
344 if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file))
345 goto end;
346
347 if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
348 (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
349 /*
350 * BIO_printf(bio_err,"error setting default verify
351 * locations\n");
352 */
353 ERR_print_errors(bio_err);
354 /* goto end; */
355 }
356 if (tm_cipher == NULL)
357 tm_cipher = getenv("SSL_CIPHER");
358
359 if (tm_cipher == NULL) {
360 fprintf(stderr, "No CIPHER specified\n");
361 }
362 if (!(perform & 1))
363 goto next;
364 printf("Collecting connection statistics for %d seconds\n", maxTime);
365
366 /* Loop and time how long it takes to make connections */
367
368 bytes_read = 0;
369 finishtime = (long) time(NULL) + maxTime;
370 tm_Time_F(START);
371 for (;;) {
372 if (finishtime < (long) time(NULL))
373 break;
374 if ((scon = doConnection(NULL)) == NULL)
375 goto end;
376
377 if (s_www_path != NULL) {
378 int ret = snprintf(buf, sizeof buf,
379 "GET %s HTTP/1.0\r\n\r\n", s_www_path);
380 if (ret == -1 || ret >= sizeof buf) {
381 fprintf(stderr, "URL too long\n");
382 goto end;
383 }
384 SSL_write(scon, buf, strlen(buf));
385 while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
386 bytes_read += i;
387 }
388#ifdef NO_SHUTDOWN
389 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
390#else
391 SSL_shutdown(scon);
392#endif
393 shutdown(SSL_get_fd(scon), SHUT_RDWR);
394 close(SSL_get_fd(scon));
395
396 nConn += 1;
397 if (SSL_session_reused(scon))
398 ver = 'r';
399 else {
400 ver = SSL_version(scon);
401 if (ver == TLS1_VERSION)
402 ver = 't';
403 else if (ver == SSL3_VERSION)
404 ver = '3';
405 else if (ver == SSL2_VERSION)
406 ver = '2';
407 else
408 ver = '*';
409 }
410 fputc(ver, stdout);
411 fflush(stdout);
412
413 SSL_free(scon);
414 scon = NULL;
415 }
416 totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
417
418 i = (int) ((long) time(NULL) - finishtime + maxTime);
419 printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double) nConn / totalTime), bytes_read);
420 printf("%d connections in %ld real seconds, %ld bytes read per connection\n", nConn, (long) time(NULL) - finishtime + maxTime, bytes_read / nConn);
421
422 /*
423 * Now loop and time connections using the same session id over and
424 * over
425 */
426
427next:
428 if (!(perform & 2))
429 goto end;
430 printf("\n\nNow timing with session id reuse.\n");
431
432 /* Get an SSL object so we can reuse the session id */
433 if ((scon = doConnection(NULL)) == NULL) {
434 fprintf(stderr, "Unable to get connection\n");
435 goto end;
436 }
437 if (s_www_path != NULL) {
438 int ret = snprintf(buf, sizeof buf,
439 "GET %s HTTP/1.0\r\n\r\n", s_www_path);
440 if (ret == -1 || ret >= sizeof buf) {
441 fprintf(stderr, "URL too long\n");
442 goto end;
443 }
444 SSL_write(scon, buf, strlen(buf));
445 while (SSL_read(scon, buf, sizeof(buf)) > 0);
446 }
447#ifdef NO_SHUTDOWN
448 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
449#else
450 SSL_shutdown(scon);
451#endif
452 shutdown(SSL_get_fd(scon), SHUT_RDWR);
453 close(SSL_get_fd(scon));
454
455 nConn = 0;
456 totalTime = 0.0;
457
458 finishtime = (long) time(NULL) + maxTime;
459
460 printf("starting\n");
461 bytes_read = 0;
462 tm_Time_F(START);
463
464 for (;;) {
465 if (finishtime < (long) time(NULL))
466 break;
467 if ((doConnection(scon)) == NULL)
468 goto end;
469
470 if (s_www_path) {
471 int ret = snprintf(buf, sizeof buf,
472 "GET %s HTTP/1.0\r\n\r\n", s_www_path);
473 if (ret == -1 || ret >= sizeof buf) {
474 fprintf(stderr, "URL too long\n");
475 goto end;
476 }
477 SSL_write(scon, buf, strlen(buf));
478 while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
479 bytes_read += i;
480 }
481#ifdef NO_SHUTDOWN
482 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
483#else
484 SSL_shutdown(scon);
485#endif
486 shutdown(SSL_get_fd(scon), SHUT_RDWR);
487 close(SSL_get_fd(scon));
488
489 nConn += 1;
490 if (SSL_session_reused(scon))
491 ver = 'r';
492 else {
493 ver = SSL_version(scon);
494 if (ver == TLS1_VERSION)
495 ver = 't';
496 else if (ver == SSL3_VERSION)
497 ver = '3';
498 else if (ver == SSL2_VERSION)
499 ver = '2';
500 else
501 ver = '*';
502 }
503 fputc(ver, stdout);
504 fflush(stdout);
505 }
506 totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
507
508
509 printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double) nConn / totalTime), bytes_read);
510 printf("%d connections in %ld real seconds, %ld bytes read per connection\n", nConn, (long) time(NULL) - finishtime + maxTime, bytes_read / nConn);
511
512 ret = 0;
513end:
514 if (scon != NULL)
515 SSL_free(scon);
516
517 if (tm_ctx != NULL) {
518 SSL_CTX_free(tm_ctx);
519 tm_ctx = NULL;
520 }
521
522 return (ret);
523}
524
525/***********************************************************************
526 * doConnection - make a connection
527 * Args:
528 * scon = earlier ssl connection for session id, or NULL
529 * Returns:
530 * SSL * = the connection pointer.
531 */
532static SSL *
533doConnection(SSL * scon)
534{
535 BIO *conn;
536 SSL *serverCon;
537 int width, i;
538 fd_set readfds;
539
540 if ((conn = BIO_new(BIO_s_connect())) == NULL)
541 return (NULL);
542
543/* BIO_set_conn_port(conn,port);*/
544 BIO_set_conn_hostname(conn, host);
545
546 if (scon == NULL)
547 serverCon = SSL_new(tm_ctx);
548 else {
549 serverCon = scon;
550 SSL_set_connect_state(serverCon);
551 }
552
553 SSL_set_bio(serverCon, conn, conn);
554
555#if 0
556 if (scon != NULL)
557 SSL_set_session(serverCon, SSL_get_session(scon));
558#endif
559
560 /* ok, lets connect */
561 for (;;) {
562 i = SSL_connect(serverCon);
563 if (BIO_sock_should_retry(i)) {
564 BIO_printf(bio_err, "DELAY\n");
565
566 i = SSL_get_fd(serverCon);
567 width = i + 1;
568 FD_ZERO(&readfds);
569 FD_SET(i, &readfds);
570 select(width, &readfds, NULL, NULL, NULL);
571 continue;
572 }
573 break;
574 }
575 if (i <= 0) {
576 BIO_printf(bio_err, "ERROR\n");
577 if (verify_error != X509_V_OK)
578 BIO_printf(bio_err, "verify error:%s\n",
579 X509_verify_cert_error_string(verify_error));
580 else
581 ERR_print_errors(bio_err);
582 if (scon == NULL)
583 SSL_free(serverCon);
584 return NULL;
585 }
586 return serverCon;
587}
diff --git a/src/lib/libssl/src/apps/sess_id.c b/src/lib/libssl/src/apps/sess_id.c
deleted file mode 100644
index 0022abc436..0000000000
--- a/src/lib/libssl/src/apps/sess_id.c
+++ /dev/null
@@ -1,282 +0,0 @@
1/* $OpenBSD: sess_id.c,v 1.20 2014/07/25 06:05:32 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/err.h>
67#include <openssl/pem.h>
68#include <openssl/ssl.h>
69#include <openssl/x509.h>
70
71static const char *sess_id_usage[] = {
72 "usage: sess_id args\n",
73 "\n",
74 " -inform arg - input format - default PEM (DER or PEM)\n",
75 " -outform arg - output format - default PEM\n",
76 " -in arg - input file - default stdin\n",
77 " -out arg - output file - default stdout\n",
78 " -text - print ssl session id details\n",
79 " -cert - output certificate \n",
80 " -noout - no output of encoded session info\n",
81 " -context arg - set the session ID context\n",
82 NULL
83};
84
85static SSL_SESSION *load_sess_id(char *file, int format);
86
87int sess_id_main(int, char **);
88
89int
90sess_id_main(int argc, char **argv)
91{
92 SSL_SESSION *x = NULL;
93 X509 *peer = NULL;
94 int ret = 1, i, num, badops = 0;
95 BIO *out = NULL;
96 int informat, outformat;
97 char *infile = NULL, *outfile = NULL, *context = NULL;
98 int cert = 0, noout = 0, text = 0;
99 const char **pp;
100
101 informat = FORMAT_PEM;
102 outformat = FORMAT_PEM;
103
104 argc--;
105 argv++;
106 num = 0;
107 while (argc >= 1) {
108 if (strcmp(*argv, "-inform") == 0) {
109 if (--argc < 1)
110 goto bad;
111 informat = str2fmt(*(++argv));
112 } else if (strcmp(*argv, "-outform") == 0) {
113 if (--argc < 1)
114 goto bad;
115 outformat = str2fmt(*(++argv));
116 } else if (strcmp(*argv, "-in") == 0) {
117 if (--argc < 1)
118 goto bad;
119 infile = *(++argv);
120 } else if (strcmp(*argv, "-out") == 0) {
121 if (--argc < 1)
122 goto bad;
123 outfile = *(++argv);
124 } else if (strcmp(*argv, "-text") == 0)
125 text = ++num;
126 else if (strcmp(*argv, "-cert") == 0)
127 cert = ++num;
128 else if (strcmp(*argv, "-noout") == 0)
129 noout = ++num;
130 else if (strcmp(*argv, "-context") == 0) {
131 if (--argc < 1)
132 goto bad;
133 context = *++argv;
134 } else {
135 BIO_printf(bio_err, "unknown option %s\n", *argv);
136 badops = 1;
137 break;
138 }
139 argc--;
140 argv++;
141 }
142
143 if (badops) {
144bad:
145 for (pp = sess_id_usage; (*pp != NULL); pp++)
146 BIO_printf(bio_err, "%s", *pp);
147 goto end;
148 }
149 ERR_load_crypto_strings();
150 x = load_sess_id(infile, informat);
151 if (x == NULL) {
152 goto end;
153 }
154 peer = SSL_SESSION_get0_peer(x);
155
156 if (context) {
157 size_t ctx_len = strlen(context);
158 if (ctx_len > SSL_MAX_SID_CTX_LENGTH) {
159 BIO_printf(bio_err, "Context too long\n");
160 goto end;
161 }
162 SSL_SESSION_set1_id_context(x, (unsigned char *) context, ctx_len);
163 }
164#ifdef undef
165 /* just testing for memory leaks :-) */
166 {
167 SSL_SESSION *s;
168 char buf[1024 * 10], *p;
169 int i;
170
171 s = SSL_SESSION_new();
172
173 p = &buf;
174 i = i2d_SSL_SESSION(x, &p);
175 p = &buf;
176 d2i_SSL_SESSION(&s, &p, (long) i);
177 p = &buf;
178 d2i_SSL_SESSION(&s, &p, (long) i);
179 p = &buf;
180 d2i_SSL_SESSION(&s, &p, (long) i);
181 SSL_SESSION_free(s);
182 }
183#endif
184
185 if (!noout || text) {
186 out = BIO_new(BIO_s_file());
187 if (out == NULL) {
188 ERR_print_errors(bio_err);
189 goto end;
190 }
191 if (outfile == NULL) {
192 BIO_set_fp(out, stdout, BIO_NOCLOSE);
193 } else {
194 if (BIO_write_filename(out, outfile) <= 0) {
195 perror(outfile);
196 goto end;
197 }
198 }
199 }
200 if (text) {
201 SSL_SESSION_print(out, x);
202
203 if (cert) {
204 if (peer == NULL)
205 BIO_puts(out, "No certificate present\n");
206 else
207 X509_print(out, peer);
208 }
209 }
210 if (!noout && !cert) {
211 if (outformat == FORMAT_ASN1)
212 i = i2d_SSL_SESSION_bio(out, x);
213 else if (outformat == FORMAT_PEM)
214 i = PEM_write_bio_SSL_SESSION(out, x);
215 else {
216 BIO_printf(bio_err, "bad output format specified for outfile\n");
217 goto end;
218 }
219 if (!i) {
220 BIO_printf(bio_err, "unable to write SSL_SESSION\n");
221 goto end;
222 }
223 } else if (!noout && (peer != NULL)) { /* just print the certificate */
224 if (outformat == FORMAT_ASN1)
225 i = (int) i2d_X509_bio(out, peer);
226 else if (outformat == FORMAT_PEM)
227 i = PEM_write_bio_X509(out, peer);
228 else {
229 BIO_printf(bio_err, "bad output format specified for outfile\n");
230 goto end;
231 }
232 if (!i) {
233 BIO_printf(bio_err, "unable to write X509\n");
234 goto end;
235 }
236 }
237 ret = 0;
238end:
239 if (out != NULL)
240 BIO_free_all(out);
241 if (x != NULL)
242 SSL_SESSION_free(x);
243
244 return (ret);
245}
246
247static SSL_SESSION *
248load_sess_id(char *infile, int format)
249{
250 SSL_SESSION *x = NULL;
251 BIO *in = NULL;
252
253 in = BIO_new(BIO_s_file());
254 if (in == NULL) {
255 ERR_print_errors(bio_err);
256 goto end;
257 }
258 if (infile == NULL)
259 BIO_set_fp(in, stdin, BIO_NOCLOSE);
260 else {
261 if (BIO_read_filename(in, infile) <= 0) {
262 perror(infile);
263 goto end;
264 }
265 }
266 if (format == FORMAT_ASN1)
267 x = d2i_SSL_SESSION_bio(in, NULL);
268 else if (format == FORMAT_PEM)
269 x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
270 else {
271 BIO_printf(bio_err, "bad input format specified for input crl\n");
272 goto end;
273 }
274 if (x == NULL) {
275 BIO_printf(bio_err, "unable to load SSL_SESSION\n");
276 ERR_print_errors(bio_err);
277 goto end;
278 }
279end:
280 BIO_free(in);
281 return (x);
282}
diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c
deleted file mode 100644
index 8386f1e458..0000000000
--- a/src/lib/libssl/src/apps/smime.c
+++ /dev/null
@@ -1,697 +0,0 @@
1/* $OpenBSD: smime.c,v 1.28 2014/07/14 00:35:10 deraadt Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59/* S/MIME utility function */
60
61#include <stdio.h>
62#include <string.h>
63
64#include "apps.h"
65
66#include <openssl/crypto.h>
67#include <openssl/err.h>
68#include <openssl/pem.h>
69#include <openssl/x509_vfy.h>
70#include <openssl/x509v3.h>
71
72static int save_certs(char *signerfile, STACK_OF(X509) * signers);
73static int smime_cb(int ok, X509_STORE_CTX * ctx);
74
75#define SMIME_OP 0x10
76#define SMIME_IP 0x20
77#define SMIME_SIGNERS 0x40
78#define SMIME_ENCRYPT (1 | SMIME_OP)
79#define SMIME_DECRYPT (2 | SMIME_IP)
80#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
81#define SMIME_VERIFY (4 | SMIME_IP)
82#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
83#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
84
85int smime_main(int, char **);
86
87int
88smime_main(int argc, char **argv)
89{
90 ENGINE *e = NULL;
91 int operation = 0;
92 int ret = 0;
93 char **args;
94 const char *inmode = "r", *outmode = "w";
95 char *infile = NULL, *outfile = NULL;
96 char *signerfile = NULL, *recipfile = NULL;
97 STACK_OF(OPENSSL_STRING) * sksigners = NULL, *skkeys = NULL;
98 char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
99 const EVP_CIPHER *cipher = NULL;
100 PKCS7 *p7 = NULL;
101 X509_STORE *store = NULL;
102 X509 *cert = NULL, *recip = NULL, *signer = NULL;
103 EVP_PKEY *key = NULL;
104 STACK_OF(X509) * encerts = NULL, *other = NULL;
105 BIO *in = NULL, *out = NULL, *indata = NULL;
106 int badarg = 0;
107 int flags = PKCS7_DETACHED;
108 char *to = NULL, *from = NULL, *subject = NULL;
109 char *CAfile = NULL, *CApath = NULL;
110 char *passargin = NULL, *passin = NULL;
111 int indef = 0;
112 const EVP_MD *sign_md = NULL;
113 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
114 int keyform = FORMAT_PEM;
115#ifndef OPENSSL_NO_ENGINE
116 char *engine = NULL;
117#endif
118
119 X509_VERIFY_PARAM *vpm = NULL;
120
121 args = argv + 1;
122 ret = 1;
123
124 while (!badarg && *args && *args[0] == '-') {
125 if (!strcmp(*args, "-encrypt"))
126 operation = SMIME_ENCRYPT;
127 else if (!strcmp(*args, "-decrypt"))
128 operation = SMIME_DECRYPT;
129 else if (!strcmp(*args, "-sign"))
130 operation = SMIME_SIGN;
131 else if (!strcmp(*args, "-resign"))
132 operation = SMIME_RESIGN;
133 else if (!strcmp(*args, "-verify"))
134 operation = SMIME_VERIFY;
135 else if (!strcmp(*args, "-pk7out"))
136 operation = SMIME_PK7OUT;
137#ifndef OPENSSL_NO_DES
138 else if (!strcmp(*args, "-des3"))
139 cipher = EVP_des_ede3_cbc();
140 else if (!strcmp(*args, "-des"))
141 cipher = EVP_des_cbc();
142#endif
143#ifndef OPENSSL_NO_RC2
144 else if (!strcmp(*args, "-rc2-40"))
145 cipher = EVP_rc2_40_cbc();
146 else if (!strcmp(*args, "-rc2-128"))
147 cipher = EVP_rc2_cbc();
148 else if (!strcmp(*args, "-rc2-64"))
149 cipher = EVP_rc2_64_cbc();
150#endif
151#ifndef OPENSSL_NO_AES
152 else if (!strcmp(*args, "-aes128"))
153 cipher = EVP_aes_128_cbc();
154 else if (!strcmp(*args, "-aes192"))
155 cipher = EVP_aes_192_cbc();
156 else if (!strcmp(*args, "-aes256"))
157 cipher = EVP_aes_256_cbc();
158#endif
159#ifndef OPENSSL_NO_CAMELLIA
160 else if (!strcmp(*args, "-camellia128"))
161 cipher = EVP_camellia_128_cbc();
162 else if (!strcmp(*args, "-camellia192"))
163 cipher = EVP_camellia_192_cbc();
164 else if (!strcmp(*args, "-camellia256"))
165 cipher = EVP_camellia_256_cbc();
166#endif
167 else if (!strcmp(*args, "-text"))
168 flags |= PKCS7_TEXT;
169 else if (!strcmp(*args, "-nointern"))
170 flags |= PKCS7_NOINTERN;
171 else if (!strcmp(*args, "-noverify"))
172 flags |= PKCS7_NOVERIFY;
173 else if (!strcmp(*args, "-nochain"))
174 flags |= PKCS7_NOCHAIN;
175 else if (!strcmp(*args, "-nocerts"))
176 flags |= PKCS7_NOCERTS;
177 else if (!strcmp(*args, "-noattr"))
178 flags |= PKCS7_NOATTR;
179 else if (!strcmp(*args, "-nodetach"))
180 flags &= ~PKCS7_DETACHED;
181 else if (!strcmp(*args, "-nosmimecap"))
182 flags |= PKCS7_NOSMIMECAP;
183 else if (!strcmp(*args, "-binary"))
184 flags |= PKCS7_BINARY;
185 else if (!strcmp(*args, "-nosigs"))
186 flags |= PKCS7_NOSIGS;
187 else if (!strcmp(*args, "-stream"))
188 indef = 1;
189 else if (!strcmp(*args, "-indef"))
190 indef = 1;
191 else if (!strcmp(*args, "-noindef"))
192 indef = 0;
193 else if (!strcmp(*args, "-nooldmime"))
194 flags |= PKCS7_NOOLDMIMETYPE;
195 else if (!strcmp(*args, "-crlfeol"))
196 flags |= PKCS7_CRLFEOL;
197#ifndef OPENSSL_NO_ENGINE
198 else if (!strcmp(*args, "-engine")) {
199 if (!args[1])
200 goto argerr;
201 engine = *++args;
202 }
203#endif
204 else if (!strcmp(*args, "-passin")) {
205 if (!args[1])
206 goto argerr;
207 passargin = *++args;
208 } else if (!strcmp(*args, "-to")) {
209 if (!args[1])
210 goto argerr;
211 to = *++args;
212 } else if (!strcmp(*args, "-from")) {
213 if (!args[1])
214 goto argerr;
215 from = *++args;
216 } else if (!strcmp(*args, "-subject")) {
217 if (!args[1])
218 goto argerr;
219 subject = *++args;
220 } else if (!strcmp(*args, "-signer")) {
221 if (!args[1])
222 goto argerr;
223 /* If previous -signer argument add signer to list */
224
225 if (signerfile) {
226 if (!sksigners)
227 sksigners = sk_OPENSSL_STRING_new_null();
228 sk_OPENSSL_STRING_push(sksigners, signerfile);
229 if (!keyfile)
230 keyfile = signerfile;
231 if (!skkeys)
232 skkeys = sk_OPENSSL_STRING_new_null();
233 sk_OPENSSL_STRING_push(skkeys, keyfile);
234 keyfile = NULL;
235 }
236 signerfile = *++args;
237 } else if (!strcmp(*args, "-recip")) {
238 if (!args[1])
239 goto argerr;
240 recipfile = *++args;
241 } else if (!strcmp(*args, "-md")) {
242 if (!args[1])
243 goto argerr;
244 sign_md = EVP_get_digestbyname(*++args);
245 if (sign_md == NULL) {
246 BIO_printf(bio_err, "Unknown digest %s\n",
247 *args);
248 goto argerr;
249 }
250 } else if (!strcmp(*args, "-inkey")) {
251 if (!args[1])
252 goto argerr;
253 /* If previous -inkey arument add signer to list */
254 if (keyfile) {
255 if (!signerfile) {
256 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
257 goto argerr;
258 }
259 if (!sksigners)
260 sksigners = sk_OPENSSL_STRING_new_null();
261 sk_OPENSSL_STRING_push(sksigners, signerfile);
262 signerfile = NULL;
263 if (!skkeys)
264 skkeys = sk_OPENSSL_STRING_new_null();
265 sk_OPENSSL_STRING_push(skkeys, keyfile);
266 }
267 keyfile = *++args;
268 } else if (!strcmp(*args, "-keyform")) {
269 if (!args[1])
270 goto argerr;
271 keyform = str2fmt(*++args);
272 } else if (!strcmp(*args, "-certfile")) {
273 if (!args[1])
274 goto argerr;
275 certfile = *++args;
276 } else if (!strcmp(*args, "-CAfile")) {
277 if (!args[1])
278 goto argerr;
279 CAfile = *++args;
280 } else if (!strcmp(*args, "-CApath")) {
281 if (!args[1])
282 goto argerr;
283 CApath = *++args;
284 } else if (!strcmp(*args, "-in")) {
285 if (!args[1])
286 goto argerr;
287 infile = *++args;
288 } else if (!strcmp(*args, "-inform")) {
289 if (!args[1])
290 goto argerr;
291 informat = str2fmt(*++args);
292 } else if (!strcmp(*args, "-outform")) {
293 if (!args[1])
294 goto argerr;
295 outformat = str2fmt(*++args);
296 } else if (!strcmp(*args, "-out")) {
297 if (!args[1])
298 goto argerr;
299 outfile = *++args;
300 } else if (!strcmp(*args, "-content")) {
301 if (!args[1])
302 goto argerr;
303 contfile = *++args;
304 } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
305 continue;
306 else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
307 badarg = 1;
308 args++;
309 }
310
311 if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
312 BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
313 goto argerr;
314 }
315 if (operation & SMIME_SIGNERS) {
316 /* Check to see if any final signer needs to be appended */
317 if (keyfile && !signerfile) {
318 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
319 goto argerr;
320 }
321 if (signerfile) {
322 if (!sksigners)
323 sksigners = sk_OPENSSL_STRING_new_null();
324 sk_OPENSSL_STRING_push(sksigners, signerfile);
325 if (!skkeys)
326 skkeys = sk_OPENSSL_STRING_new_null();
327 if (!keyfile)
328 keyfile = signerfile;
329 sk_OPENSSL_STRING_push(skkeys, keyfile);
330 }
331 if (!sksigners) {
332 BIO_printf(bio_err, "No signer certificate specified\n");
333 badarg = 1;
334 }
335 signerfile = NULL;
336 keyfile = NULL;
337 } else if (operation == SMIME_DECRYPT) {
338 if (!recipfile && !keyfile) {
339 BIO_printf(bio_err, "No recipient certificate or key specified\n");
340 badarg = 1;
341 }
342 } else if (operation == SMIME_ENCRYPT) {
343 if (!*args) {
344 BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
345 badarg = 1;
346 }
347 } else if (!operation)
348 badarg = 1;
349
350 if (badarg) {
351argerr:
352 BIO_printf(bio_err, "Usage smime [options] cert.pem ...\n");
353 BIO_printf(bio_err, "where options are\n");
354 BIO_printf(bio_err, "-encrypt encrypt message\n");
355 BIO_printf(bio_err, "-decrypt decrypt encrypted message\n");
356 BIO_printf(bio_err, "-sign sign message\n");
357 BIO_printf(bio_err, "-verify verify signed message\n");
358 BIO_printf(bio_err, "-pk7out output PKCS#7 structure\n");
359#ifndef OPENSSL_NO_DES
360 BIO_printf(bio_err, "-des3 encrypt with triple DES\n");
361 BIO_printf(bio_err, "-des encrypt with DES\n");
362#endif
363#ifndef OPENSSL_NO_RC2
364 BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
365 BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n");
366 BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n");
367#endif
368#ifndef OPENSSL_NO_AES
369 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
370 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
371#endif
372#ifndef OPENSSL_NO_CAMELLIA
373 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
374 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
375#endif
376 BIO_printf(bio_err, "-nointern don't search certificates in message for signer\n");
377 BIO_printf(bio_err, "-nosigs don't verify message signature\n");
378 BIO_printf(bio_err, "-noverify don't verify signers certificate\n");
379 BIO_printf(bio_err, "-nocerts don't include signers certificate when signing\n");
380 BIO_printf(bio_err, "-nodetach use opaque signing\n");
381 BIO_printf(bio_err, "-noattr don't include any signed attributes\n");
382 BIO_printf(bio_err, "-binary don't translate message to text\n");
383 BIO_printf(bio_err, "-certfile file other certificates file\n");
384 BIO_printf(bio_err, "-signer file signer certificate file\n");
385 BIO_printf(bio_err, "-recip file recipient certificate file for decryption\n");
386 BIO_printf(bio_err, "-in file input file\n");
387 BIO_printf(bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
388 BIO_printf(bio_err, "-inkey file input private key (if not signer or recipient)\n");
389 BIO_printf(bio_err, "-keyform arg input private key format (PEM or ENGINE)\n");
390 BIO_printf(bio_err, "-out file output file\n");
391 BIO_printf(bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
392 BIO_printf(bio_err, "-content file supply or override content for detached signature\n");
393 BIO_printf(bio_err, "-to addr to address\n");
394 BIO_printf(bio_err, "-from ad from address\n");
395 BIO_printf(bio_err, "-subject s subject\n");
396 BIO_printf(bio_err, "-text include or delete text MIME headers\n");
397 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
398 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
399 BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
400 BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
401#ifndef OPENSSL_NO_ENGINE
402 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
403#endif
404 BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
405 BIO_printf(bio_err, "cert.pem recipient certificate(s) for encryption\n");
406 goto end;
407 }
408#ifndef OPENSSL_NO_ENGINE
409 e = setup_engine(bio_err, engine, 0);
410#endif
411
412 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
413 BIO_printf(bio_err, "Error getting password\n");
414 goto end;
415 }
416 ret = 2;
417
418 if (!(operation & SMIME_SIGNERS))
419 flags &= ~PKCS7_DETACHED;
420
421 if (operation & SMIME_OP) {
422 if (outformat == FORMAT_ASN1)
423 outmode = "wb";
424 } else {
425 if (flags & PKCS7_BINARY)
426 outmode = "wb";
427 }
428
429 if (operation & SMIME_IP) {
430 if (informat == FORMAT_ASN1)
431 inmode = "rb";
432 } else {
433 if (flags & PKCS7_BINARY)
434 inmode = "rb";
435 }
436
437 if (operation == SMIME_ENCRYPT) {
438 if (!cipher) {
439#ifndef OPENSSL_NO_RC2
440 cipher = EVP_rc2_40_cbc();
441#else
442 BIO_printf(bio_err, "No cipher selected\n");
443 goto end;
444#endif
445 }
446 encerts = sk_X509_new_null();
447 while (*args) {
448 if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
449 NULL, e, "recipient certificate file"))) {
450#if 0 /* An appropriate message is already printed */
451 BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
452#endif
453 goto end;
454 }
455 sk_X509_push(encerts, cert);
456 cert = NULL;
457 args++;
458 }
459 }
460 if (certfile) {
461 if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
462 e, "certificate file"))) {
463 ERR_print_errors(bio_err);
464 goto end;
465 }
466 }
467 if (recipfile && (operation == SMIME_DECRYPT)) {
468 if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
469 e, "recipient certificate file"))) {
470 ERR_print_errors(bio_err);
471 goto end;
472 }
473 }
474 if (operation == SMIME_DECRYPT) {
475 if (!keyfile)
476 keyfile = recipfile;
477 } else if (operation == SMIME_SIGN) {
478 if (!keyfile)
479 keyfile = signerfile;
480 } else
481 keyfile = NULL;
482
483 if (keyfile) {
484 key = load_key(bio_err, keyfile, keyform, 0, passin, e,
485 "signing key file");
486 if (!key)
487 goto end;
488 }
489 if (infile) {
490 if (!(in = BIO_new_file(infile, inmode))) {
491 BIO_printf(bio_err,
492 "Can't open input file %s\n", infile);
493 goto end;
494 }
495 } else
496 in = BIO_new_fp(stdin, BIO_NOCLOSE);
497
498 if (operation & SMIME_IP) {
499 if (informat == FORMAT_SMIME)
500 p7 = SMIME_read_PKCS7(in, &indata);
501 else if (informat == FORMAT_PEM)
502 p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
503 else if (informat == FORMAT_ASN1)
504 p7 = d2i_PKCS7_bio(in, NULL);
505 else {
506 BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
507 goto end;
508 }
509
510 if (!p7) {
511 BIO_printf(bio_err, "Error reading S/MIME message\n");
512 goto end;
513 }
514 if (contfile) {
515 BIO_free(indata);
516 if (!(indata = BIO_new_file(contfile, "rb"))) {
517 BIO_printf(bio_err, "Can't read content file %s\n", contfile);
518 goto end;
519 }
520 }
521 }
522 if (outfile) {
523 if (!(out = BIO_new_file(outfile, outmode))) {
524 BIO_printf(bio_err,
525 "Can't open output file %s\n", outfile);
526 goto end;
527 }
528 } else {
529 out = BIO_new_fp(stdout, BIO_NOCLOSE);
530 }
531
532 if (operation == SMIME_VERIFY) {
533 if (!(store = setup_verify(bio_err, CAfile, CApath)))
534 goto end;
535 X509_STORE_set_verify_cb(store, smime_cb);
536 if (vpm)
537 X509_STORE_set1_param(store, vpm);
538 }
539 ret = 3;
540
541 if (operation == SMIME_ENCRYPT) {
542 if (indef)
543 flags |= PKCS7_STREAM;
544 p7 = PKCS7_encrypt(encerts, in, cipher, flags);
545 } else if (operation & SMIME_SIGNERS) {
546 int i;
547 /*
548 * If detached data content we only enable streaming if
549 * S/MIME output format.
550 */
551 if (operation == SMIME_SIGN) {
552 if (flags & PKCS7_DETACHED) {
553 if (outformat == FORMAT_SMIME)
554 flags |= PKCS7_STREAM;
555 } else if (indef)
556 flags |= PKCS7_STREAM;
557 flags |= PKCS7_PARTIAL;
558 p7 = PKCS7_sign(NULL, NULL, other, in, flags);
559 if (!p7)
560 goto end;
561 } else
562 flags |= PKCS7_REUSE_DIGEST;
563 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
564 signerfile = sk_OPENSSL_STRING_value(sksigners, i);
565 keyfile = sk_OPENSSL_STRING_value(skkeys, i);
566 signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
567 e, "signer certificate");
568 if (!signer)
569 goto end;
570 key = load_key(bio_err, keyfile, keyform, 0, passin, e,
571 "signing key file");
572 if (!key)
573 goto end;
574 if (!PKCS7_sign_add_signer(p7, signer, key,
575 sign_md, flags))
576 goto end;
577 X509_free(signer);
578 signer = NULL;
579 EVP_PKEY_free(key);
580 key = NULL;
581 }
582 /* If not streaming or resigning finalize structure */
583 if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) {
584 if (!PKCS7_final(p7, in, flags))
585 goto end;
586 }
587 }
588 if (!p7) {
589 BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
590 goto end;
591 }
592 ret = 4;
593 if (operation == SMIME_DECRYPT) {
594 if (!PKCS7_decrypt(p7, key, recip, out, flags)) {
595 BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
596 goto end;
597 }
598 } else if (operation == SMIME_VERIFY) {
599 STACK_OF(X509) * signers;
600 if (PKCS7_verify(p7, other, store, indata, out, flags))
601 BIO_printf(bio_err, "Verification successful\n");
602 else {
603 BIO_printf(bio_err, "Verification failure\n");
604 goto end;
605 }
606 signers = PKCS7_get0_signers(p7, other, flags);
607 if (!save_certs(signerfile, signers)) {
608 BIO_printf(bio_err, "Error writing signers to %s\n",
609 signerfile);
610 ret = 5;
611 goto end;
612 }
613 sk_X509_free(signers);
614 } else if (operation == SMIME_PK7OUT)
615 PEM_write_bio_PKCS7(out, p7);
616 else {
617 if (to)
618 BIO_printf(out, "To: %s\n", to);
619 if (from)
620 BIO_printf(out, "From: %s\n", from);
621 if (subject)
622 BIO_printf(out, "Subject: %s\n", subject);
623 if (outformat == FORMAT_SMIME) {
624 if (operation == SMIME_RESIGN)
625 SMIME_write_PKCS7(out, p7, indata, flags);
626 else
627 SMIME_write_PKCS7(out, p7, in, flags);
628 } else if (outformat == FORMAT_PEM)
629 PEM_write_bio_PKCS7_stream(out, p7, in, flags);
630 else if (outformat == FORMAT_ASN1)
631 i2d_PKCS7_bio_stream(out, p7, in, flags);
632 else {
633 BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
634 goto end;
635 }
636 }
637 ret = 0;
638end:
639 if (ret)
640 ERR_print_errors(bio_err);
641 sk_X509_pop_free(encerts, X509_free);
642 sk_X509_pop_free(other, X509_free);
643 if (vpm)
644 X509_VERIFY_PARAM_free(vpm);
645 if (sksigners)
646 sk_OPENSSL_STRING_free(sksigners);
647 if (skkeys)
648 sk_OPENSSL_STRING_free(skkeys);
649 X509_STORE_free(store);
650 X509_free(cert);
651 X509_free(recip);
652 X509_free(signer);
653 EVP_PKEY_free(key);
654 PKCS7_free(p7);
655 BIO_free(in);
656 BIO_free(indata);
657 BIO_free_all(out);
658 free(passin);
659
660 return (ret);
661}
662
663static int
664save_certs(char *signerfile, STACK_OF(X509) * signers)
665{
666 int i;
667 BIO *tmp;
668 if (!signerfile)
669 return 1;
670 tmp = BIO_new_file(signerfile, "w");
671 if (!tmp)
672 return 0;
673 for (i = 0; i < sk_X509_num(signers); i++)
674 PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
675 BIO_free(tmp);
676 return 1;
677}
678
679
680/* Minimal callback just to output policy info (if any) */
681
682static int
683smime_cb(int ok, X509_STORE_CTX * ctx)
684{
685 int error;
686
687 error = X509_STORE_CTX_get_error(ctx);
688
689 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
690 && ((error != X509_V_OK) || (ok != 2)))
691 return ok;
692
693 policies_print(NULL, ctx);
694
695 return ok;
696
697}
diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c
deleted file mode 100644
index 61b2157c28..0000000000
--- a/src/lib/libssl/src/apps/speed.c
+++ /dev/null
@@ -1,2170 +0,0 @@
1/* $OpenBSD: speed.c,v 1.52 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 *
61 * Portions of the attached software ("Contribution") are developed by
62 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
63 *
64 * The Contribution is licensed pursuant to the OpenSSL open source
65 * license provided above.
66 *
67 * The ECDH and ECDSA speed test software is originally written by
68 * Sumit Gupta of Sun Microsystems Laboratories.
69 *
70 */
71
72/* most of this code has been pilfered from my libdes speed.c program */
73
74#ifndef OPENSSL_NO_SPEED
75
76#define SECONDS 3
77#define RSA_SECONDS 10
78#define DSA_SECONDS 10
79#define ECDSA_SECONDS 10
80#define ECDH_SECONDS 10
81
82/* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */
83/* 06-Apr-92 Luke Brennan Support for VMS and add extra signal calls */
84
85#include <math.h>
86#include <signal.h>
87#include <stdio.h>
88#include <stdlib.h>
89#include <limits.h>
90#include <string.h>
91#include <unistd.h>
92
93#include "apps.h"
94
95#include <openssl/bn.h>
96#include <openssl/crypto.h>
97#include <openssl/err.h>
98#include <openssl/evp.h>
99#include <openssl/modes.h>
100#include <openssl/objects.h>
101#include <openssl/rand.h>
102#include <openssl/x509.h>
103
104#ifndef OPENSSL_NO_AES
105#include <openssl/aes.h>
106#endif
107#ifndef OPENSSL_NO_BF
108#include <openssl/blowfish.h>
109#endif
110#ifndef OPENSSL_NO_CAST
111#include <openssl/cast.h>
112#endif
113#ifndef OPENSSL_NO_CAMELLIA
114#include <openssl/camellia.h>
115#endif
116#ifndef OPENSSL_NO_DES
117#include <openssl/des.h>
118#endif
119#include <openssl/dsa.h>
120#include <openssl/ecdh.h>
121#include <openssl/ecdsa.h>
122#ifndef OPENSSL_NO_HMAC
123#include <openssl/hmac.h>
124#endif
125#ifndef OPENSSL_NO_IDEA
126#include <openssl/idea.h>
127#endif
128#ifndef OPENSSL_NO_MDC2
129#include <openssl/mdc2.h>
130#endif
131#ifndef OPENSSL_NO_MD4
132#include <openssl/md4.h>
133#endif
134#ifndef OPENSSL_NO_MD5
135#include <openssl/md5.h>
136#endif
137#ifndef OPENSSL_NO_RC2
138#include <openssl/rc2.h>
139#endif
140#ifndef OPENSSL_NO_RC4
141#include <openssl/rc4.h>
142#endif
143#ifndef OPENSSL_NO_RC5
144#include <openssl/rc5.h>
145#endif
146#include <openssl/rsa.h>
147#ifndef OPENSSL_NO_RIPEMD
148#include <openssl/ripemd.h>
149#endif
150#ifndef OPENSSL_NO_SHA
151#include <openssl/sha.h>
152#endif
153#ifndef OPENSSL_NO_WHIRLPOOL
154#include <openssl/whrlpool.h>
155#endif
156
157#include "./testdsa.h"
158#include "./testrsa.h"
159
160#define BUFSIZE ((long)1024*8+1)
161int run = 0;
162
163static int mr = 0;
164static int usertime = 1;
165
166static double Time_F(int s);
167static void print_message(const char *s, long num, int length);
168static void
169pkey_print_message(const char *str, const char *str2,
170 long num, int bits, int sec);
171static void print_result(int alg, int run_no, int count, double time_used);
172static int do_multi(int multi);
173
174#define ALGOR_NUM 30
175#define SIZE_NUM 5
176#define RSA_NUM 4
177#define DSA_NUM 3
178
179#define EC_NUM 16
180#define MAX_ECDH_SIZE 256
181
182static const char *names[ALGOR_NUM] = {
183 "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4",
184 "des cbc", "des ede3", "idea cbc", "seed cbc",
185 "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc",
186 "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
187 "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
188 "evp", "sha256", "sha512", "whirlpool",
189"aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash"};
190static double results[ALGOR_NUM][SIZE_NUM];
191static int lengths[SIZE_NUM] = {16, 64, 256, 1024, 8 * 1024};
192static double rsa_results[RSA_NUM][2];
193static double dsa_results[DSA_NUM][2];
194static double ecdsa_results[EC_NUM][2];
195static double ecdh_results[EC_NUM][1];
196
197static void sig_done(int sig);
198
199static void
200sig_done(int sig)
201{
202 signal(SIGALRM, sig_done);
203 run = 0;
204}
205
206#define START 0
207#define STOP 1
208
209
210static double
211Time_F(int s)
212{
213 return app_tminterval(s, usertime);
214}
215
216
217static const int KDF1_SHA1_len = 20;
218static void *
219KDF1_SHA1(const void *in, size_t inlen, void *out, size_t * outlen)
220{
221#ifndef OPENSSL_NO_SHA
222 if (*outlen < SHA_DIGEST_LENGTH)
223 return NULL;
224 else
225 *outlen = SHA_DIGEST_LENGTH;
226 return SHA1(in, inlen, out);
227#else
228 return NULL;
229#endif /* OPENSSL_NO_SHA */
230}
231
232
233int speed_main(int, char **);
234
235int
236speed_main(int argc, char **argv)
237{
238 unsigned char *buf = NULL, *buf2 = NULL;
239 int mret = 1;
240 long count = 0, save_count = 0;
241 int i, j, k;
242 long rsa_count;
243 unsigned rsa_num;
244 unsigned char md[EVP_MAX_MD_SIZE];
245#ifndef OPENSSL_NO_MDC2
246 unsigned char mdc2[MDC2_DIGEST_LENGTH];
247#endif
248#ifndef OPENSSL_NO_MD4
249 unsigned char md4[MD4_DIGEST_LENGTH];
250#endif
251#ifndef OPENSSL_NO_MD5
252 unsigned char md5[MD5_DIGEST_LENGTH];
253 unsigned char hmac[MD5_DIGEST_LENGTH];
254#endif
255#ifndef OPENSSL_NO_SHA
256 unsigned char sha[SHA_DIGEST_LENGTH];
257#ifndef OPENSSL_NO_SHA256
258 unsigned char sha256[SHA256_DIGEST_LENGTH];
259#endif
260#ifndef OPENSSL_NO_SHA512
261 unsigned char sha512[SHA512_DIGEST_LENGTH];
262#endif
263#endif
264#ifndef OPENSSL_NO_WHIRLPOOL
265 unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
266#endif
267#ifndef OPENSSL_NO_RIPEMD
268 unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
269#endif
270#ifndef OPENSSL_NO_RC4
271 RC4_KEY rc4_ks;
272#endif
273#ifndef OPENSSL_NO_RC5
274 RC5_32_KEY rc5_ks;
275#endif
276#ifndef OPENSSL_NO_RC2
277 RC2_KEY rc2_ks;
278#endif
279#ifndef OPENSSL_NO_IDEA
280 IDEA_KEY_SCHEDULE idea_ks;
281#endif
282#ifndef OPENSSL_NO_BF
283 BF_KEY bf_ks;
284#endif
285#ifndef OPENSSL_NO_CAST
286 CAST_KEY cast_ks;
287#endif
288 static const unsigned char key16[16] =
289 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
290 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
291#ifndef OPENSSL_NO_AES
292 static const unsigned char key24[24] =
293 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
294 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
295 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
296 static const unsigned char key32[32] =
297 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
298 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
299 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
300 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
301#endif
302#ifndef OPENSSL_NO_CAMELLIA
303 static const unsigned char ckey24[24] =
304 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
305 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
306 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
307 static const unsigned char ckey32[32] =
308 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
309 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
310 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
311 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
312#endif
313#ifndef OPENSSL_NO_AES
314#define MAX_BLOCK_SIZE 128
315#else
316#define MAX_BLOCK_SIZE 64
317#endif
318 unsigned char DES_iv[8];
319 unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
320#ifndef OPENSSL_NO_DES
321 static DES_cblock key = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
322 static DES_cblock key2 = {0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
323 static DES_cblock key3 = {0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
324 DES_key_schedule sch;
325 DES_key_schedule sch2;
326 DES_key_schedule sch3;
327#endif
328#ifndef OPENSSL_NO_AES
329 AES_KEY aes_ks1, aes_ks2, aes_ks3;
330#endif
331#ifndef OPENSSL_NO_CAMELLIA
332 CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3;
333#endif
334#define D_MD2 0
335#define D_MDC2 1
336#define D_MD4 2
337#define D_MD5 3
338#define D_HMAC 4
339#define D_SHA1 5
340#define D_RMD160 6
341#define D_RC4 7
342#define D_CBC_DES 8
343#define D_EDE3_DES 9
344#define D_CBC_IDEA 10
345#define D_CBC_SEED 11
346#define D_CBC_RC2 12
347#define D_CBC_RC5 13
348#define D_CBC_BF 14
349#define D_CBC_CAST 15
350#define D_CBC_128_AES 16
351#define D_CBC_192_AES 17
352#define D_CBC_256_AES 18
353#define D_CBC_128_CML 19
354#define D_CBC_192_CML 20
355#define D_CBC_256_CML 21
356#define D_EVP 22
357#define D_SHA256 23
358#define D_SHA512 24
359#define D_WHIRLPOOL 25
360#define D_IGE_128_AES 26
361#define D_IGE_192_AES 27
362#define D_IGE_256_AES 28
363#define D_GHASH 29
364 double d = 0.0;
365 long c[ALGOR_NUM][SIZE_NUM];
366#define R_DSA_512 0
367#define R_DSA_1024 1
368#define R_DSA_2048 2
369#define R_RSA_512 0
370#define R_RSA_1024 1
371#define R_RSA_2048 2
372#define R_RSA_4096 3
373
374#define R_EC_P160 0
375#define R_EC_P192 1
376#define R_EC_P224 2
377#define R_EC_P256 3
378#define R_EC_P384 4
379#define R_EC_P521 5
380#define R_EC_K163 6
381#define R_EC_K233 7
382#define R_EC_K283 8
383#define R_EC_K409 9
384#define R_EC_K571 10
385#define R_EC_B163 11
386#define R_EC_B233 12
387#define R_EC_B283 13
388#define R_EC_B409 14
389#define R_EC_B571 15
390
391 RSA *rsa_key[RSA_NUM];
392 long rsa_c[RSA_NUM][2];
393 static unsigned int rsa_bits[RSA_NUM] = {512, 1024, 2048, 4096};
394 static unsigned char *rsa_data[RSA_NUM] =
395 {test512, test1024, test2048, test4096};
396 static int rsa_data_length[RSA_NUM] = {
397 sizeof(test512), sizeof(test1024),
398 sizeof(test2048), sizeof(test4096)};
399 DSA *dsa_key[DSA_NUM];
400 long dsa_c[DSA_NUM][2];
401 static unsigned int dsa_bits[DSA_NUM] = {512, 1024, 2048};
402#ifndef OPENSSL_NO_EC
403 /*
404 * We only test over the following curves as they are representative,
405 * To add tests over more curves, simply add the curve NID and curve
406 * name to the following arrays and increase the EC_NUM value
407 * accordingly.
408 */
409 static unsigned int test_curves[EC_NUM] =
410 {
411 /* Prime Curves */
412 NID_secp160r1,
413 NID_X9_62_prime192v1,
414 NID_secp224r1,
415 NID_X9_62_prime256v1,
416 NID_secp384r1,
417 NID_secp521r1,
418 /* Binary Curves */
419 NID_sect163k1,
420 NID_sect233k1,
421 NID_sect283k1,
422 NID_sect409k1,
423 NID_sect571k1,
424 NID_sect163r2,
425 NID_sect233r1,
426 NID_sect283r1,
427 NID_sect409r1,
428 NID_sect571r1
429 };
430 static const char *test_curves_names[EC_NUM] =
431 {
432 /* Prime Curves */
433 "secp160r1",
434 "nistp192",
435 "nistp224",
436 "nistp256",
437 "nistp384",
438 "nistp521",
439 /* Binary Curves */
440 "nistk163",
441 "nistk233",
442 "nistk283",
443 "nistk409",
444 "nistk571",
445 "nistb163",
446 "nistb233",
447 "nistb283",
448 "nistb409",
449 "nistb571"
450 };
451 static int test_curves_bits[EC_NUM] =
452 {
453 160, 192, 224, 256, 384, 521,
454 163, 233, 283, 409, 571,
455 163, 233, 283, 409, 571
456 };
457
458#endif
459
460 unsigned char ecdsasig[256];
461 unsigned int ecdsasiglen;
462 EC_KEY *ecdsa[EC_NUM];
463 long ecdsa_c[EC_NUM][2];
464
465 EC_KEY *ecdh_a[EC_NUM], *ecdh_b[EC_NUM];
466 unsigned char secret_a[MAX_ECDH_SIZE], secret_b[MAX_ECDH_SIZE];
467 int secret_size_a, secret_size_b;
468 int ecdh_checks = 0;
469 int secret_idx = 0;
470 long ecdh_c[EC_NUM][2];
471
472 int rsa_doit[RSA_NUM];
473 int dsa_doit[DSA_NUM];
474 int ecdsa_doit[EC_NUM];
475 int ecdh_doit[EC_NUM];
476 int doit[ALGOR_NUM];
477 int pr_header = 0;
478 const EVP_CIPHER *evp_cipher = NULL;
479 const EVP_MD *evp_md = NULL;
480 int decrypt = 0;
481 int multi = 0;
482 const char *errstr = NULL;
483
484#ifndef TIMES
485 usertime = -1;
486#endif
487
488 memset(results, 0, sizeof(results));
489 memset(dsa_key, 0, sizeof(dsa_key));
490 for (i = 0; i < EC_NUM; i++)
491 ecdsa[i] = NULL;
492 for (i = 0; i < EC_NUM; i++) {
493 ecdh_a[i] = NULL;
494 ecdh_b[i] = NULL;
495 }
496
497 memset(rsa_key, 0, sizeof(rsa_key));
498 for (i = 0; i < RSA_NUM; i++)
499 rsa_key[i] = NULL;
500
501 if ((buf = malloc((int) BUFSIZE)) == NULL) {
502 BIO_printf(bio_err, "out of memory\n");
503 goto end;
504 }
505 if ((buf2 = malloc((int) BUFSIZE)) == NULL) {
506 BIO_printf(bio_err, "out of memory\n");
507 goto end;
508 }
509 memset(c, 0, sizeof(c));
510 memset(DES_iv, 0, sizeof(DES_iv));
511 memset(iv, 0, sizeof(iv));
512
513 for (i = 0; i < ALGOR_NUM; i++)
514 doit[i] = 0;
515 for (i = 0; i < RSA_NUM; i++)
516 rsa_doit[i] = 0;
517 for (i = 0; i < DSA_NUM; i++)
518 dsa_doit[i] = 0;
519 for (i = 0; i < EC_NUM; i++)
520 ecdsa_doit[i] = 0;
521 for (i = 0; i < EC_NUM; i++)
522 ecdh_doit[i] = 0;
523
524
525 j = 0;
526 argc--;
527 argv++;
528 while (argc) {
529 if ((argc > 0) && (strcmp(*argv, "-elapsed") == 0)) {
530 usertime = 0;
531 j--; /* Otherwise, -elapsed gets confused with an
532 * algorithm. */
533 } else if ((argc > 0) && (strcmp(*argv, "-evp") == 0)) {
534 argc--;
535 argv++;
536 if (argc == 0) {
537 BIO_printf(bio_err, "no EVP given\n");
538 goto end;
539 }
540 evp_cipher = EVP_get_cipherbyname(*argv);
541 if (!evp_cipher) {
542 evp_md = EVP_get_digestbyname(*argv);
543 }
544 if (!evp_cipher && !evp_md) {
545 BIO_printf(bio_err, "%s is an unknown cipher or digest\n", *argv);
546 goto end;
547 }
548 doit[D_EVP] = 1;
549 } else if (argc > 0 && !strcmp(*argv, "-decrypt")) {
550 decrypt = 1;
551 j--; /* Otherwise, -elapsed gets confused with an
552 * algorithm. */
553 }
554#ifndef OPENSSL_NO_ENGINE
555 else if ((argc > 0) && (strcmp(*argv, "-engine") == 0)) {
556 argc--;
557 argv++;
558 if (argc == 0) {
559 BIO_printf(bio_err, "no engine given\n");
560 goto end;
561 }
562 setup_engine(bio_err, *argv, 0);
563 /*
564 * j will be increased again further down. We just
565 * don't want speed to confuse an engine with an
566 * algorithm, especially when none is given (which
567 * means all of them should be run)
568 */
569 j--;
570 }
571#endif
572 else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) {
573 argc--;
574 argv++;
575 if (argc == 0) {
576 BIO_printf(bio_err, "no multi count given\n");
577 goto end;
578 }
579 multi = strtonum(argv[0], 1, INT_MAX, &errstr);
580 if (errstr) {
581 BIO_printf(bio_err, "bad multi count: %s", errstr);
582 goto end;
583 }
584 j--; /* Otherwise, -mr gets confused with an
585 * algorithm. */
586 }
587 else if (argc > 0 && !strcmp(*argv, "-mr")) {
588 mr = 1;
589 j--; /* Otherwise, -mr gets confused with an
590 * algorithm. */
591 } else
592#ifndef OPENSSL_NO_MDC2
593 if (strcmp(*argv, "mdc2") == 0)
594 doit[D_MDC2] = 1;
595 else
596#endif
597#ifndef OPENSSL_NO_MD4
598 if (strcmp(*argv, "md4") == 0)
599 doit[D_MD4] = 1;
600 else
601#endif
602#ifndef OPENSSL_NO_MD5
603 if (strcmp(*argv, "md5") == 0)
604 doit[D_MD5] = 1;
605 else
606#endif
607#ifndef OPENSSL_NO_MD5
608 if (strcmp(*argv, "hmac") == 0)
609 doit[D_HMAC] = 1;
610 else
611#endif
612#ifndef OPENSSL_NO_SHA
613 if (strcmp(*argv, "sha1") == 0)
614 doit[D_SHA1] = 1;
615 else if (strcmp(*argv, "sha") == 0)
616 doit[D_SHA1] = 1,
617 doit[D_SHA256] = 1,
618 doit[D_SHA512] = 1;
619 else
620#ifndef OPENSSL_NO_SHA256
621 if (strcmp(*argv, "sha256") == 0)
622 doit[D_SHA256] = 1;
623 else
624#endif
625#ifndef OPENSSL_NO_SHA512
626 if (strcmp(*argv, "sha512") == 0)
627 doit[D_SHA512] = 1;
628 else
629#endif
630#endif
631#ifndef OPENSSL_NO_WHIRLPOOL
632 if (strcmp(*argv, "whirlpool") == 0)
633 doit[D_WHIRLPOOL] = 1;
634 else
635#endif
636#ifndef OPENSSL_NO_RIPEMD
637 if (strcmp(*argv, "ripemd") == 0)
638 doit[D_RMD160] = 1;
639 else if (strcmp(*argv, "rmd160") == 0)
640 doit[D_RMD160] = 1;
641 else if (strcmp(*argv, "ripemd160") == 0)
642 doit[D_RMD160] = 1;
643 else
644#endif
645#ifndef OPENSSL_NO_RC4
646 if (strcmp(*argv, "rc4") == 0)
647 doit[D_RC4] = 1;
648 else
649#endif
650#ifndef OPENSSL_NO_DES
651 if (strcmp(*argv, "des-cbc") == 0)
652 doit[D_CBC_DES] = 1;
653 else if (strcmp(*argv, "des-ede3") == 0)
654 doit[D_EDE3_DES] = 1;
655 else
656#endif
657#ifndef OPENSSL_NO_AES
658 if (strcmp(*argv, "aes-128-cbc") == 0)
659 doit[D_CBC_128_AES] = 1;
660 else if (strcmp(*argv, "aes-192-cbc") == 0)
661 doit[D_CBC_192_AES] = 1;
662 else if (strcmp(*argv, "aes-256-cbc") == 0)
663 doit[D_CBC_256_AES] = 1;
664 else if (strcmp(*argv, "aes-128-ige") == 0)
665 doit[D_IGE_128_AES] = 1;
666 else if (strcmp(*argv, "aes-192-ige") == 0)
667 doit[D_IGE_192_AES] = 1;
668 else if (strcmp(*argv, "aes-256-ige") == 0)
669 doit[D_IGE_256_AES] = 1;
670 else
671#endif
672#ifndef OPENSSL_NO_CAMELLIA
673 if (strcmp(*argv, "camellia-128-cbc") == 0)
674 doit[D_CBC_128_CML] = 1;
675 else if (strcmp(*argv, "camellia-192-cbc") == 0)
676 doit[D_CBC_192_CML] = 1;
677 else if (strcmp(*argv, "camellia-256-cbc") == 0)
678 doit[D_CBC_256_CML] = 1;
679 else
680#endif
681#if 0 /* was: #ifdef RSAref */
682 if (strcmp(*argv, "rsaref") == 0) {
683 RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
684 j--;
685 } else
686#endif
687#ifndef RSA_NULL
688 if (strcmp(*argv, "openssl") == 0) {
689 RSA_set_default_method(RSA_PKCS1_SSLeay());
690 j--;
691 } else
692#endif
693 if (strcmp(*argv, "dsa512") == 0)
694 dsa_doit[R_DSA_512] = 2;
695 else if (strcmp(*argv, "dsa1024") == 0)
696 dsa_doit[R_DSA_1024] = 2;
697 else if (strcmp(*argv, "dsa2048") == 0)
698 dsa_doit[R_DSA_2048] = 2;
699 else if (strcmp(*argv, "rsa512") == 0)
700 rsa_doit[R_RSA_512] = 2;
701 else if (strcmp(*argv, "rsa1024") == 0)
702 rsa_doit[R_RSA_1024] = 2;
703 else if (strcmp(*argv, "rsa2048") == 0)
704 rsa_doit[R_RSA_2048] = 2;
705 else if (strcmp(*argv, "rsa4096") == 0)
706 rsa_doit[R_RSA_4096] = 2;
707 else
708#ifndef OPENSSL_NO_RC2
709 if (strcmp(*argv, "rc2-cbc") == 0)
710 doit[D_CBC_RC2] = 1;
711 else if (strcmp(*argv, "rc2") == 0)
712 doit[D_CBC_RC2] = 1;
713 else
714#endif
715#ifndef OPENSSL_NO_RC5
716 if (strcmp(*argv, "rc5-cbc") == 0)
717 doit[D_CBC_RC5] = 1;
718 else if (strcmp(*argv, "rc5") == 0)
719 doit[D_CBC_RC5] = 1;
720 else
721#endif
722#ifndef OPENSSL_NO_IDEA
723 if (strcmp(*argv, "idea-cbc") == 0)
724 doit[D_CBC_IDEA] = 1;
725 else if (strcmp(*argv, "idea") == 0)
726 doit[D_CBC_IDEA] = 1;
727 else
728#endif
729#ifndef OPENSSL_NO_BF
730 if (strcmp(*argv, "bf-cbc") == 0)
731 doit[D_CBC_BF] = 1;
732 else if (strcmp(*argv, "blowfish") == 0)
733 doit[D_CBC_BF] = 1;
734 else if (strcmp(*argv, "bf") == 0)
735 doit[D_CBC_BF] = 1;
736 else
737#endif
738#ifndef OPENSSL_NO_CAST
739 if (strcmp(*argv, "cast-cbc") == 0)
740 doit[D_CBC_CAST] = 1;
741 else if (strcmp(*argv, "cast") == 0)
742 doit[D_CBC_CAST] = 1;
743 else if (strcmp(*argv, "cast5") == 0)
744 doit[D_CBC_CAST] = 1;
745 else
746#endif
747#ifndef OPENSSL_NO_DES
748 if (strcmp(*argv, "des") == 0) {
749 doit[D_CBC_DES] = 1;
750 doit[D_EDE3_DES] = 1;
751 } else
752#endif
753#ifndef OPENSSL_NO_AES
754 if (strcmp(*argv, "aes") == 0) {
755 doit[D_CBC_128_AES] = 1;
756 doit[D_CBC_192_AES] = 1;
757 doit[D_CBC_256_AES] = 1;
758 } else if (strcmp(*argv, "ghash") == 0) {
759 doit[D_GHASH] = 1;
760 } else
761#endif
762#ifndef OPENSSL_NO_CAMELLIA
763 if (strcmp(*argv, "camellia") == 0) {
764 doit[D_CBC_128_CML] = 1;
765 doit[D_CBC_192_CML] = 1;
766 doit[D_CBC_256_CML] = 1;
767 } else
768#endif
769 if (strcmp(*argv, "rsa") == 0) {
770 rsa_doit[R_RSA_512] = 1;
771 rsa_doit[R_RSA_1024] = 1;
772 rsa_doit[R_RSA_2048] = 1;
773 rsa_doit[R_RSA_4096] = 1;
774 } else
775 if (strcmp(*argv, "dsa") == 0) {
776 dsa_doit[R_DSA_512] = 1;
777 dsa_doit[R_DSA_1024] = 1;
778 dsa_doit[R_DSA_2048] = 1;
779 } else
780 if (strcmp(*argv, "ecdsap160") == 0)
781 ecdsa_doit[R_EC_P160] = 2;
782 else if (strcmp(*argv, "ecdsap192") == 0)
783 ecdsa_doit[R_EC_P192] = 2;
784 else if (strcmp(*argv, "ecdsap224") == 0)
785 ecdsa_doit[R_EC_P224] = 2;
786 else if (strcmp(*argv, "ecdsap256") == 0)
787 ecdsa_doit[R_EC_P256] = 2;
788 else if (strcmp(*argv, "ecdsap384") == 0)
789 ecdsa_doit[R_EC_P384] = 2;
790 else if (strcmp(*argv, "ecdsap521") == 0)
791 ecdsa_doit[R_EC_P521] = 2;
792 else if (strcmp(*argv, "ecdsak163") == 0)
793 ecdsa_doit[R_EC_K163] = 2;
794 else if (strcmp(*argv, "ecdsak233") == 0)
795 ecdsa_doit[R_EC_K233] = 2;
796 else if (strcmp(*argv, "ecdsak283") == 0)
797 ecdsa_doit[R_EC_K283] = 2;
798 else if (strcmp(*argv, "ecdsak409") == 0)
799 ecdsa_doit[R_EC_K409] = 2;
800 else if (strcmp(*argv, "ecdsak571") == 0)
801 ecdsa_doit[R_EC_K571] = 2;
802 else if (strcmp(*argv, "ecdsab163") == 0)
803 ecdsa_doit[R_EC_B163] = 2;
804 else if (strcmp(*argv, "ecdsab233") == 0)
805 ecdsa_doit[R_EC_B233] = 2;
806 else if (strcmp(*argv, "ecdsab283") == 0)
807 ecdsa_doit[R_EC_B283] = 2;
808 else if (strcmp(*argv, "ecdsab409") == 0)
809 ecdsa_doit[R_EC_B409] = 2;
810 else if (strcmp(*argv, "ecdsab571") == 0)
811 ecdsa_doit[R_EC_B571] = 2;
812 else if (strcmp(*argv, "ecdsa") == 0) {
813 for (i = 0; i < EC_NUM; i++)
814 ecdsa_doit[i] = 1;
815 } else
816 if (strcmp(*argv, "ecdhp160") == 0)
817 ecdh_doit[R_EC_P160] = 2;
818 else if (strcmp(*argv, "ecdhp192") == 0)
819 ecdh_doit[R_EC_P192] = 2;
820 else if (strcmp(*argv, "ecdhp224") == 0)
821 ecdh_doit[R_EC_P224] = 2;
822 else if (strcmp(*argv, "ecdhp256") == 0)
823 ecdh_doit[R_EC_P256] = 2;
824 else if (strcmp(*argv, "ecdhp384") == 0)
825 ecdh_doit[R_EC_P384] = 2;
826 else if (strcmp(*argv, "ecdhp521") == 0)
827 ecdh_doit[R_EC_P521] = 2;
828 else if (strcmp(*argv, "ecdhk163") == 0)
829 ecdh_doit[R_EC_K163] = 2;
830 else if (strcmp(*argv, "ecdhk233") == 0)
831 ecdh_doit[R_EC_K233] = 2;
832 else if (strcmp(*argv, "ecdhk283") == 0)
833 ecdh_doit[R_EC_K283] = 2;
834 else if (strcmp(*argv, "ecdhk409") == 0)
835 ecdh_doit[R_EC_K409] = 2;
836 else if (strcmp(*argv, "ecdhk571") == 0)
837 ecdh_doit[R_EC_K571] = 2;
838 else if (strcmp(*argv, "ecdhb163") == 0)
839 ecdh_doit[R_EC_B163] = 2;
840 else if (strcmp(*argv, "ecdhb233") == 0)
841 ecdh_doit[R_EC_B233] = 2;
842 else if (strcmp(*argv, "ecdhb283") == 0)
843 ecdh_doit[R_EC_B283] = 2;
844 else if (strcmp(*argv, "ecdhb409") == 0)
845 ecdh_doit[R_EC_B409] = 2;
846 else if (strcmp(*argv, "ecdhb571") == 0)
847 ecdh_doit[R_EC_B571] = 2;
848 else if (strcmp(*argv, "ecdh") == 0) {
849 for (i = 0; i < EC_NUM; i++)
850 ecdh_doit[i] = 1;
851 } else
852 {
853 BIO_printf(bio_err, "Error: bad option or value\n");
854 BIO_printf(bio_err, "\n");
855 BIO_printf(bio_err, "Available values:\n");
856#ifndef OPENSSL_NO_MDC2
857 BIO_printf(bio_err, "mdc2 ");
858#endif
859#ifndef OPENSSL_NO_MD4
860 BIO_printf(bio_err, "md4 ");
861#endif
862#ifndef OPENSSL_NO_MD5
863 BIO_printf(bio_err, "md5 ");
864#ifndef OPENSSL_NO_HMAC
865 BIO_printf(bio_err, "hmac ");
866#endif
867#endif
868#ifndef OPENSSL_NO_SHA1
869 BIO_printf(bio_err, "sha1 ");
870#endif
871#ifndef OPENSSL_NO_SHA256
872 BIO_printf(bio_err, "sha256 ");
873#endif
874#ifndef OPENSSL_NO_SHA512
875 BIO_printf(bio_err, "sha512 ");
876#endif
877#ifndef OPENSSL_NO_WHIRLPOOL
878 BIO_printf(bio_err, "whirlpool");
879#endif
880#ifndef OPENSSL_NO_RIPEMD160
881 BIO_printf(bio_err, "rmd160");
882#endif
883#if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \
884 !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
885 !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
886 !defined(OPENSSL_NO_WHIRLPOOL)
887 BIO_printf(bio_err, "\n");
888#endif
889
890#ifndef OPENSSL_NO_IDEA
891 BIO_printf(bio_err, "idea-cbc ");
892#endif
893#ifndef OPENSSL_NO_RC2
894 BIO_printf(bio_err, "rc2-cbc ");
895#endif
896#ifndef OPENSSL_NO_RC5
897 BIO_printf(bio_err, "rc5-cbc ");
898#endif
899#ifndef OPENSSL_NO_BF
900 BIO_printf(bio_err, "bf-cbc");
901#endif
902#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || !defined(OPENSSL_NO_RC2) || \
903 !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_RC5)
904 BIO_printf(bio_err, "\n");
905#endif
906#ifndef OPENSSL_NO_DES
907 BIO_printf(bio_err, "des-cbc des-ede3 ");
908#endif
909#ifndef OPENSSL_NO_AES
910 BIO_printf(bio_err, "aes-128-cbc aes-192-cbc aes-256-cbc ");
911 BIO_printf(bio_err, "aes-128-ige aes-192-ige aes-256-ige ");
912#endif
913#ifndef OPENSSL_NO_CAMELLIA
914 BIO_printf(bio_err, "\n");
915 BIO_printf(bio_err, "camellia-128-cbc camellia-192-cbc camellia-256-cbc ");
916#endif
917#ifndef OPENSSL_NO_RC4
918 BIO_printf(bio_err, "rc4");
919#endif
920 BIO_printf(bio_err, "\n");
921
922 BIO_printf(bio_err, "rsa512 rsa1024 rsa2048 rsa4096\n");
923
924 BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
925 BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
926 BIO_printf(bio_err, "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
927 BIO_printf(bio_err, "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
928 BIO_printf(bio_err, "ecdsa\n");
929 BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521\n");
930 BIO_printf(bio_err, "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
931 BIO_printf(bio_err, "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
932 BIO_printf(bio_err, "ecdh\n");
933
934#ifndef OPENSSL_NO_IDEA
935 BIO_printf(bio_err, "idea ");
936#endif
937#ifndef OPENSSL_NO_RC2
938 BIO_printf(bio_err, "rc2 ");
939#endif
940#ifndef OPENSSL_NO_DES
941 BIO_printf(bio_err, "des ");
942#endif
943#ifndef OPENSSL_NO_AES
944 BIO_printf(bio_err, "aes ");
945#endif
946#ifndef OPENSSL_NO_CAMELLIA
947 BIO_printf(bio_err, "camellia ");
948#endif
949 BIO_printf(bio_err, "rsa ");
950#ifndef OPENSSL_NO_BF
951 BIO_printf(bio_err, "blowfish");
952#endif
953#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || \
954 !defined(OPENSSL_NO_RC2) || !defined(OPENSSL_NO_DES) || \
955 !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_BF) || \
956 !defined(OPENSSL_NO_AES) || !defined(OPENSSL_NO_CAMELLIA)
957 BIO_printf(bio_err, "\n");
958#endif
959
960 BIO_printf(bio_err, "\n");
961 BIO_printf(bio_err, "Available options:\n");
962#if defined(TIMES) || defined(USE_TOD)
963 BIO_printf(bio_err, "-elapsed measure time in real time instead of CPU user time.\n");
964#endif
965#ifndef OPENSSL_NO_ENGINE
966 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
967#endif
968 BIO_printf(bio_err, "-evp e use EVP e.\n");
969 BIO_printf(bio_err, "-decrypt time decryption instead of encryption (only EVP).\n");
970 BIO_printf(bio_err, "-mr produce machine readable output.\n");
971 BIO_printf(bio_err, "-multi n run n benchmarks in parallel.\n");
972 goto end;
973 }
974 argc--;
975 argv++;
976 j++;
977 }
978
979 if (multi && do_multi(multi))
980 goto show_res;
981
982 if (j == 0) {
983 for (i = 0; i < ALGOR_NUM; i++) {
984 if (i != D_EVP)
985 doit[i] = 1;
986 }
987 for (i = 0; i < RSA_NUM; i++)
988 rsa_doit[i] = 1;
989 for (i = 0; i < DSA_NUM; i++)
990 dsa_doit[i] = 1;
991 for (i = 0; i < EC_NUM; i++)
992 ecdsa_doit[i] = 1;
993 for (i = 0; i < EC_NUM; i++)
994 ecdh_doit[i] = 1;
995 }
996 for (i = 0; i < ALGOR_NUM; i++)
997 if (doit[i])
998 pr_header++;
999
1000 if (usertime == 0 && !mr)
1001 BIO_printf(bio_err, "You have chosen to measure elapsed time instead of user CPU time.\n");
1002
1003 for (i = 0; i < RSA_NUM; i++) {
1004 const unsigned char *p;
1005
1006 p = rsa_data[i];
1007 rsa_key[i] = d2i_RSAPrivateKey(NULL, &p, rsa_data_length[i]);
1008 if (rsa_key[i] == NULL) {
1009 BIO_printf(bio_err, "internal error loading RSA key number %d\n", i);
1010 goto end;
1011 }
1012#if 0
1013 else {
1014 BIO_printf(bio_err, mr ? "+RK:%d:"
1015 : "Loaded RSA key, %d bit modulus and e= 0x",
1016 BN_num_bits(rsa_key[i]->n));
1017 BN_print(bio_err, rsa_key[i]->e);
1018 BIO_printf(bio_err, "\n");
1019 }
1020#endif
1021 }
1022
1023 dsa_key[0] = get_dsa512();
1024 dsa_key[1] = get_dsa1024();
1025 dsa_key[2] = get_dsa2048();
1026
1027#ifndef OPENSSL_NO_DES
1028 DES_set_key_unchecked(&key, &sch);
1029 DES_set_key_unchecked(&key2, &sch2);
1030 DES_set_key_unchecked(&key3, &sch3);
1031#endif
1032#ifndef OPENSSL_NO_AES
1033 AES_set_encrypt_key(key16, 128, &aes_ks1);
1034 AES_set_encrypt_key(key24, 192, &aes_ks2);
1035 AES_set_encrypt_key(key32, 256, &aes_ks3);
1036#endif
1037#ifndef OPENSSL_NO_CAMELLIA
1038 Camellia_set_key(key16, 128, &camellia_ks1);
1039 Camellia_set_key(ckey24, 192, &camellia_ks2);
1040 Camellia_set_key(ckey32, 256, &camellia_ks3);
1041#endif
1042#ifndef OPENSSL_NO_IDEA
1043 idea_set_encrypt_key(key16, &idea_ks);
1044#endif
1045#ifndef OPENSSL_NO_RC4
1046 RC4_set_key(&rc4_ks, 16, key16);
1047#endif
1048#ifndef OPENSSL_NO_RC2
1049 RC2_set_key(&rc2_ks, 16, key16, 128);
1050#endif
1051#ifndef OPENSSL_NO_RC5
1052 RC5_32_set_key(&rc5_ks, 16, key16, 12);
1053#endif
1054#ifndef OPENSSL_NO_BF
1055 BF_set_key(&bf_ks, 16, key16);
1056#endif
1057#ifndef OPENSSL_NO_CAST
1058 CAST_set_key(&cast_ks, 16, key16);
1059#endif
1060 memset(rsa_c, 0, sizeof(rsa_c));
1061#define COND(c) (run && count<0x7fffffff)
1062#define COUNT(d) (count)
1063 signal(SIGALRM, sig_done);
1064
1065#ifndef OPENSSL_NO_MDC2
1066 if (doit[D_MDC2]) {
1067 for (j = 0; j < SIZE_NUM; j++) {
1068 print_message(names[D_MDC2], c[D_MDC2][j], lengths[j]);
1069 Time_F(START);
1070 for (count = 0, run = 1; COND(c[D_MDC2][j]); count++)
1071 EVP_Digest(buf, (unsigned long) lengths[j], &(mdc2[0]), NULL, EVP_mdc2(), NULL);
1072 d = Time_F(STOP);
1073 print_result(D_MDC2, j, count, d);
1074 }
1075 }
1076#endif
1077
1078#ifndef OPENSSL_NO_MD4
1079 if (doit[D_MD4]) {
1080 for (j = 0; j < SIZE_NUM; j++) {
1081 print_message(names[D_MD4], c[D_MD4][j], lengths[j]);
1082 Time_F(START);
1083 for (count = 0, run = 1; COND(c[D_MD4][j]); count++)
1084 EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md4[0]), NULL, EVP_md4(), NULL);
1085 d = Time_F(STOP);
1086 print_result(D_MD4, j, count, d);
1087 }
1088 }
1089#endif
1090
1091#ifndef OPENSSL_NO_MD5
1092 if (doit[D_MD5]) {
1093 for (j = 0; j < SIZE_NUM; j++) {
1094 print_message(names[D_MD5], c[D_MD5][j], lengths[j]);
1095 Time_F(START);
1096 for (count = 0, run = 1; COND(c[D_MD5][j]); count++)
1097 EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md5[0]), NULL, EVP_get_digestbyname("md5"), NULL);
1098 d = Time_F(STOP);
1099 print_result(D_MD5, j, count, d);
1100 }
1101 }
1102#endif
1103
1104#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_HMAC)
1105 if (doit[D_HMAC]) {
1106 HMAC_CTX hctx;
1107
1108 HMAC_CTX_init(&hctx);
1109 HMAC_Init_ex(&hctx, (unsigned char *) "This is a key...",
1110 16, EVP_md5(), NULL);
1111
1112 for (j = 0; j < SIZE_NUM; j++) {
1113 print_message(names[D_HMAC], c[D_HMAC][j], lengths[j]);
1114 Time_F(START);
1115 for (count = 0, run = 1; COND(c[D_HMAC][j]); count++) {
1116 HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL);
1117 HMAC_Update(&hctx, buf, lengths[j]);
1118 HMAC_Final(&hctx, &(hmac[0]), NULL);
1119 }
1120 d = Time_F(STOP);
1121 print_result(D_HMAC, j, count, d);
1122 }
1123 HMAC_CTX_cleanup(&hctx);
1124 }
1125#endif
1126#ifndef OPENSSL_NO_SHA
1127 if (doit[D_SHA1]) {
1128 for (j = 0; j < SIZE_NUM; j++) {
1129 print_message(names[D_SHA1], c[D_SHA1][j], lengths[j]);
1130 Time_F(START);
1131 for (count = 0, run = 1; COND(c[D_SHA1][j]); count++)
1132 EVP_Digest(buf, (unsigned long) lengths[j], &(sha[0]), NULL, EVP_sha1(), NULL);
1133 d = Time_F(STOP);
1134 print_result(D_SHA1, j, count, d);
1135 }
1136 }
1137#ifndef OPENSSL_NO_SHA256
1138 if (doit[D_SHA256]) {
1139 for (j = 0; j < SIZE_NUM; j++) {
1140 print_message(names[D_SHA256], c[D_SHA256][j], lengths[j]);
1141 Time_F(START);
1142 for (count = 0, run = 1; COND(c[D_SHA256][j]); count++)
1143 SHA256(buf, lengths[j], sha256);
1144 d = Time_F(STOP);
1145 print_result(D_SHA256, j, count, d);
1146 }
1147 }
1148#endif
1149
1150#ifndef OPENSSL_NO_SHA512
1151 if (doit[D_SHA512]) {
1152 for (j = 0; j < SIZE_NUM; j++) {
1153 print_message(names[D_SHA512], c[D_SHA512][j], lengths[j]);
1154 Time_F(START);
1155 for (count = 0, run = 1; COND(c[D_SHA512][j]); count++)
1156 SHA512(buf, lengths[j], sha512);
1157 d = Time_F(STOP);
1158 print_result(D_SHA512, j, count, d);
1159 }
1160 }
1161#endif
1162#endif
1163
1164#ifndef OPENSSL_NO_WHIRLPOOL
1165 if (doit[D_WHIRLPOOL]) {
1166 for (j = 0; j < SIZE_NUM; j++) {
1167 print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][j], lengths[j]);
1168 Time_F(START);
1169 for (count = 0, run = 1; COND(c[D_WHIRLPOOL][j]); count++)
1170 WHIRLPOOL(buf, lengths[j], whirlpool);
1171 d = Time_F(STOP);
1172 print_result(D_WHIRLPOOL, j, count, d);
1173 }
1174 }
1175#endif
1176
1177#ifndef OPENSSL_NO_RIPEMD
1178 if (doit[D_RMD160]) {
1179 for (j = 0; j < SIZE_NUM; j++) {
1180 print_message(names[D_RMD160], c[D_RMD160][j], lengths[j]);
1181 Time_F(START);
1182 for (count = 0, run = 1; COND(c[D_RMD160][j]); count++)
1183 EVP_Digest(buf, (unsigned long) lengths[j], &(rmd160[0]), NULL, EVP_ripemd160(), NULL);
1184 d = Time_F(STOP);
1185 print_result(D_RMD160, j, count, d);
1186 }
1187 }
1188#endif
1189#ifndef OPENSSL_NO_RC4
1190 if (doit[D_RC4]) {
1191 for (j = 0; j < SIZE_NUM; j++) {
1192 print_message(names[D_RC4], c[D_RC4][j], lengths[j]);
1193 Time_F(START);
1194 for (count = 0, run = 1; COND(c[D_RC4][j]); count++)
1195 RC4(&rc4_ks, (unsigned int) lengths[j],
1196 buf, buf);
1197 d = Time_F(STOP);
1198 print_result(D_RC4, j, count, d);
1199 }
1200 }
1201#endif
1202#ifndef OPENSSL_NO_DES
1203 if (doit[D_CBC_DES]) {
1204 for (j = 0; j < SIZE_NUM; j++) {
1205 print_message(names[D_CBC_DES], c[D_CBC_DES][j], lengths[j]);
1206 Time_F(START);
1207 for (count = 0, run = 1; COND(c[D_CBC_DES][j]); count++)
1208 DES_ncbc_encrypt(buf, buf, lengths[j], &sch,
1209 &DES_iv, DES_ENCRYPT);
1210 d = Time_F(STOP);
1211 print_result(D_CBC_DES, j, count, d);
1212 }
1213 }
1214 if (doit[D_EDE3_DES]) {
1215 for (j = 0; j < SIZE_NUM; j++) {
1216 print_message(names[D_EDE3_DES], c[D_EDE3_DES][j], lengths[j]);
1217 Time_F(START);
1218 for (count = 0, run = 1; COND(c[D_EDE3_DES][j]); count++)
1219 DES_ede3_cbc_encrypt(buf, buf, lengths[j],
1220 &sch, &sch2, &sch3,
1221 &DES_iv, DES_ENCRYPT);
1222 d = Time_F(STOP);
1223 print_result(D_EDE3_DES, j, count, d);
1224 }
1225 }
1226#endif
1227#ifndef OPENSSL_NO_AES
1228 if (doit[D_CBC_128_AES]) {
1229 for (j = 0; j < SIZE_NUM; j++) {
1230 print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][j], lengths[j]);
1231 Time_F(START);
1232 for (count = 0, run = 1; COND(c[D_CBC_128_AES][j]); count++)
1233 AES_cbc_encrypt(buf, buf,
1234 (unsigned long) lengths[j], &aes_ks1,
1235 iv, AES_ENCRYPT);
1236 d = Time_F(STOP);
1237 print_result(D_CBC_128_AES, j, count, d);
1238 }
1239 }
1240 if (doit[D_CBC_192_AES]) {
1241 for (j = 0; j < SIZE_NUM; j++) {
1242 print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][j], lengths[j]);
1243 Time_F(START);
1244 for (count = 0, run = 1; COND(c[D_CBC_192_AES][j]); count++)
1245 AES_cbc_encrypt(buf, buf,
1246 (unsigned long) lengths[j], &aes_ks2,
1247 iv, AES_ENCRYPT);
1248 d = Time_F(STOP);
1249 print_result(D_CBC_192_AES, j, count, d);
1250 }
1251 }
1252 if (doit[D_CBC_256_AES]) {
1253 for (j = 0; j < SIZE_NUM; j++) {
1254 print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][j], lengths[j]);
1255 Time_F(START);
1256 for (count = 0, run = 1; COND(c[D_CBC_256_AES][j]); count++)
1257 AES_cbc_encrypt(buf, buf,
1258 (unsigned long) lengths[j], &aes_ks3,
1259 iv, AES_ENCRYPT);
1260 d = Time_F(STOP);
1261 print_result(D_CBC_256_AES, j, count, d);
1262 }
1263 }
1264 if (doit[D_IGE_128_AES]) {
1265 for (j = 0; j < SIZE_NUM; j++) {
1266 print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][j], lengths[j]);
1267 Time_F(START);
1268 for (count = 0, run = 1; COND(c[D_IGE_128_AES][j]); count++)
1269 AES_ige_encrypt(buf, buf2,
1270 (unsigned long) lengths[j], &aes_ks1,
1271 iv, AES_ENCRYPT);
1272 d = Time_F(STOP);
1273 print_result(D_IGE_128_AES, j, count, d);
1274 }
1275 }
1276 if (doit[D_IGE_192_AES]) {
1277 for (j = 0; j < SIZE_NUM; j++) {
1278 print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][j], lengths[j]);
1279 Time_F(START);
1280 for (count = 0, run = 1; COND(c[D_IGE_192_AES][j]); count++)
1281 AES_ige_encrypt(buf, buf2,
1282 (unsigned long) lengths[j], &aes_ks2,
1283 iv, AES_ENCRYPT);
1284 d = Time_F(STOP);
1285 print_result(D_IGE_192_AES, j, count, d);
1286 }
1287 }
1288 if (doit[D_IGE_256_AES]) {
1289 for (j = 0; j < SIZE_NUM; j++) {
1290 print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][j], lengths[j]);
1291 Time_F(START);
1292 for (count = 0, run = 1; COND(c[D_IGE_256_AES][j]); count++)
1293 AES_ige_encrypt(buf, buf2,
1294 (unsigned long) lengths[j], &aes_ks3,
1295 iv, AES_ENCRYPT);
1296 d = Time_F(STOP);
1297 print_result(D_IGE_256_AES, j, count, d);
1298 }
1299 }
1300 if (doit[D_GHASH]) {
1301 GCM128_CONTEXT *ctx = CRYPTO_gcm128_new(&aes_ks1, (block128_f) AES_encrypt);
1302 CRYPTO_gcm128_setiv(ctx, (unsigned char *) "0123456789ab", 12);
1303
1304 for (j = 0; j < SIZE_NUM; j++) {
1305 print_message(names[D_GHASH], c[D_GHASH][j], lengths[j]);
1306 Time_F(START);
1307 for (count = 0, run = 1; COND(c[D_GHASH][j]); count++)
1308 CRYPTO_gcm128_aad(ctx, buf, lengths[j]);
1309 d = Time_F(STOP);
1310 print_result(D_GHASH, j, count, d);
1311 }
1312 CRYPTO_gcm128_release(ctx);
1313 }
1314#endif
1315#ifndef OPENSSL_NO_CAMELLIA
1316 if (doit[D_CBC_128_CML]) {
1317 for (j = 0; j < SIZE_NUM; j++) {
1318 print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][j], lengths[j]);
1319 Time_F(START);
1320 for (count = 0, run = 1; COND(c[D_CBC_128_CML][j]); count++)
1321 Camellia_cbc_encrypt(buf, buf,
1322 (unsigned long) lengths[j], &camellia_ks1,
1323 iv, CAMELLIA_ENCRYPT);
1324 d = Time_F(STOP);
1325 print_result(D_CBC_128_CML, j, count, d);
1326 }
1327 }
1328 if (doit[D_CBC_192_CML]) {
1329 for (j = 0; j < SIZE_NUM; j++) {
1330 print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][j], lengths[j]);
1331 Time_F(START);
1332 for (count = 0, run = 1; COND(c[D_CBC_192_CML][j]); count++)
1333 Camellia_cbc_encrypt(buf, buf,
1334 (unsigned long) lengths[j], &camellia_ks2,
1335 iv, CAMELLIA_ENCRYPT);
1336 d = Time_F(STOP);
1337 print_result(D_CBC_192_CML, j, count, d);
1338 }
1339 }
1340 if (doit[D_CBC_256_CML]) {
1341 for (j = 0; j < SIZE_NUM; j++) {
1342 print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][j], lengths[j]);
1343 Time_F(START);
1344 for (count = 0, run = 1; COND(c[D_CBC_256_CML][j]); count++)
1345 Camellia_cbc_encrypt(buf, buf,
1346 (unsigned long) lengths[j], &camellia_ks3,
1347 iv, CAMELLIA_ENCRYPT);
1348 d = Time_F(STOP);
1349 print_result(D_CBC_256_CML, j, count, d);
1350 }
1351 }
1352#endif
1353#ifndef OPENSSL_NO_IDEA
1354 if (doit[D_CBC_IDEA]) {
1355 for (j = 0; j < SIZE_NUM; j++) {
1356 print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][j], lengths[j]);
1357 Time_F(START);
1358 for (count = 0, run = 1; COND(c[D_CBC_IDEA][j]); count++)
1359 idea_cbc_encrypt(buf, buf,
1360 (unsigned long) lengths[j], &idea_ks,
1361 iv, IDEA_ENCRYPT);
1362 d = Time_F(STOP);
1363 print_result(D_CBC_IDEA, j, count, d);
1364 }
1365 }
1366#endif
1367#ifndef OPENSSL_NO_RC2
1368 if (doit[D_CBC_RC2]) {
1369 for (j = 0; j < SIZE_NUM; j++) {
1370 print_message(names[D_CBC_RC2], c[D_CBC_RC2][j], lengths[j]);
1371 Time_F(START);
1372 for (count = 0, run = 1; COND(c[D_CBC_RC2][j]); count++)
1373 RC2_cbc_encrypt(buf, buf,
1374 (unsigned long) lengths[j], &rc2_ks,
1375 iv, RC2_ENCRYPT);
1376 d = Time_F(STOP);
1377 print_result(D_CBC_RC2, j, count, d);
1378 }
1379 }
1380#endif
1381#ifndef OPENSSL_NO_RC5
1382 if (doit[D_CBC_RC5]) {
1383 for (j = 0; j < SIZE_NUM; j++) {
1384 print_message(names[D_CBC_RC5], c[D_CBC_RC5][j], lengths[j]);
1385 Time_F(START);
1386 for (count = 0, run = 1; COND(c[D_CBC_RC5][j]); count++)
1387 RC5_32_cbc_encrypt(buf, buf,
1388 (unsigned long) lengths[j], &rc5_ks,
1389 iv, RC5_ENCRYPT);
1390 d = Time_F(STOP);
1391 print_result(D_CBC_RC5, j, count, d);
1392 }
1393 }
1394#endif
1395#ifndef OPENSSL_NO_BF
1396 if (doit[D_CBC_BF]) {
1397 for (j = 0; j < SIZE_NUM; j++) {
1398 print_message(names[D_CBC_BF], c[D_CBC_BF][j], lengths[j]);
1399 Time_F(START);
1400 for (count = 0, run = 1; COND(c[D_CBC_BF][j]); count++)
1401 BF_cbc_encrypt(buf, buf,
1402 (unsigned long) lengths[j], &bf_ks,
1403 iv, BF_ENCRYPT);
1404 d = Time_F(STOP);
1405 print_result(D_CBC_BF, j, count, d);
1406 }
1407 }
1408#endif
1409#ifndef OPENSSL_NO_CAST
1410 if (doit[D_CBC_CAST]) {
1411 for (j = 0; j < SIZE_NUM; j++) {
1412 print_message(names[D_CBC_CAST], c[D_CBC_CAST][j], lengths[j]);
1413 Time_F(START);
1414 for (count = 0, run = 1; COND(c[D_CBC_CAST][j]); count++)
1415 CAST_cbc_encrypt(buf, buf,
1416 (unsigned long) lengths[j], &cast_ks,
1417 iv, CAST_ENCRYPT);
1418 d = Time_F(STOP);
1419 print_result(D_CBC_CAST, j, count, d);
1420 }
1421 }
1422#endif
1423
1424 if (doit[D_EVP]) {
1425 for (j = 0; j < SIZE_NUM; j++) {
1426 if (evp_cipher) {
1427 EVP_CIPHER_CTX ctx;
1428 int outl;
1429
1430 names[D_EVP] = OBJ_nid2ln(evp_cipher->nid);
1431 /*
1432 * -O3 -fschedule-insns messes up an
1433 * optimization here! names[D_EVP] somehow
1434 * becomes NULL
1435 */
1436 print_message(names[D_EVP], save_count,
1437 lengths[j]);
1438
1439 EVP_CIPHER_CTX_init(&ctx);
1440 if (decrypt)
1441 EVP_DecryptInit_ex(&ctx, evp_cipher, NULL, key16, iv);
1442 else
1443 EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, key16, iv);
1444 EVP_CIPHER_CTX_set_padding(&ctx, 0);
1445
1446 Time_F(START);
1447 if (decrypt)
1448 for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
1449 EVP_DecryptUpdate(&ctx, buf, &outl, buf, lengths[j]);
1450 else
1451 for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
1452 EVP_EncryptUpdate(&ctx, buf, &outl, buf, lengths[j]);
1453 if (decrypt)
1454 EVP_DecryptFinal_ex(&ctx, buf, &outl);
1455 else
1456 EVP_EncryptFinal_ex(&ctx, buf, &outl);
1457 d = Time_F(STOP);
1458 EVP_CIPHER_CTX_cleanup(&ctx);
1459 }
1460 if (evp_md) {
1461 names[D_EVP] = OBJ_nid2ln(evp_md->type);
1462 print_message(names[D_EVP], save_count,
1463 lengths[j]);
1464
1465 Time_F(START);
1466 for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
1467 EVP_Digest(buf, lengths[j], &(md[0]), NULL, evp_md, NULL);
1468
1469 d = Time_F(STOP);
1470 }
1471 print_result(D_EVP, j, count, d);
1472 }
1473 }
1474 RAND_pseudo_bytes(buf, 36);
1475 for (j = 0; j < RSA_NUM; j++) {
1476 int ret;
1477 if (!rsa_doit[j])
1478 continue;
1479 ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, rsa_key[j]);
1480 if (ret == 0) {
1481 BIO_printf(bio_err, "RSA sign failure. No RSA sign will be done.\n");
1482 ERR_print_errors(bio_err);
1483 rsa_count = 1;
1484 } else {
1485 pkey_print_message("private", "rsa",
1486 rsa_c[j][0], rsa_bits[j],
1487 RSA_SECONDS);
1488/* RSA_blinding_on(rsa_key[j],NULL); */
1489 Time_F(START);
1490 for (count = 0, run = 1; COND(rsa_c[j][0]); count++) {
1491 ret = RSA_sign(NID_md5_sha1, buf, 36, buf2,
1492 &rsa_num, rsa_key[j]);
1493 if (ret == 0) {
1494 BIO_printf(bio_err,
1495 "RSA sign failure\n");
1496 ERR_print_errors(bio_err);
1497 count = 1;
1498 break;
1499 }
1500 }
1501 d = Time_F(STOP);
1502 BIO_printf(bio_err, mr ? "+R1:%ld:%d:%.2f\n"
1503 : "%ld %d bit private RSA's in %.2fs\n",
1504 count, rsa_bits[j], d);
1505 rsa_results[j][0] = d / (double) count;
1506 rsa_count = count;
1507 }
1508
1509#if 1
1510 ret = RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[j]);
1511 if (ret <= 0) {
1512 BIO_printf(bio_err, "RSA verify failure. No RSA verify will be done.\n");
1513 ERR_print_errors(bio_err);
1514 rsa_doit[j] = 0;
1515 } else {
1516 pkey_print_message("public", "rsa",
1517 rsa_c[j][1], rsa_bits[j],
1518 RSA_SECONDS);
1519 Time_F(START);
1520 for (count = 0, run = 1; COND(rsa_c[j][1]); count++) {
1521 ret = RSA_verify(NID_md5_sha1, buf, 36, buf2,
1522 rsa_num, rsa_key[j]);
1523 if (ret <= 0) {
1524 BIO_printf(bio_err,
1525 "RSA verify failure\n");
1526 ERR_print_errors(bio_err);
1527 count = 1;
1528 break;
1529 }
1530 }
1531 d = Time_F(STOP);
1532 BIO_printf(bio_err, mr ? "+R2:%ld:%d:%.2f\n"
1533 : "%ld %d bit public RSA's in %.2fs\n",
1534 count, rsa_bits[j], d);
1535 rsa_results[j][1] = d / (double) count;
1536 }
1537#endif
1538
1539 if (rsa_count <= 1) {
1540 /* if longer than 10s, don't do any more */
1541 for (j++; j < RSA_NUM; j++)
1542 rsa_doit[j] = 0;
1543 }
1544 }
1545
1546 RAND_pseudo_bytes(buf, 20);
1547 for (j = 0; j < DSA_NUM; j++) {
1548 unsigned int kk;
1549 int ret;
1550
1551 if (!dsa_doit[j])
1552 continue;
1553/* DSA_generate_key(dsa_key[j]); */
1554/* DSA_sign_setup(dsa_key[j],NULL); */
1555 ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2,
1556 &kk, dsa_key[j]);
1557 if (ret == 0) {
1558 BIO_printf(bio_err, "DSA sign failure. No DSA sign will be done.\n");
1559 ERR_print_errors(bio_err);
1560 rsa_count = 1;
1561 } else {
1562 pkey_print_message("sign", "dsa",
1563 dsa_c[j][0], dsa_bits[j],
1564 DSA_SECONDS);
1565 Time_F(START);
1566 for (count = 0, run = 1; COND(dsa_c[j][0]); count++) {
1567 ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2,
1568 &kk, dsa_key[j]);
1569 if (ret == 0) {
1570 BIO_printf(bio_err,
1571 "DSA sign failure\n");
1572 ERR_print_errors(bio_err);
1573 count = 1;
1574 break;
1575 }
1576 }
1577 d = Time_F(STOP);
1578 BIO_printf(bio_err, mr ? "+R3:%ld:%d:%.2f\n"
1579 : "%ld %d bit DSA signs in %.2fs\n",
1580 count, dsa_bits[j], d);
1581 dsa_results[j][0] = d / (double) count;
1582 rsa_count = count;
1583 }
1584
1585 ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2,
1586 kk, dsa_key[j]);
1587 if (ret <= 0) {
1588 BIO_printf(bio_err, "DSA verify failure. No DSA verify will be done.\n");
1589 ERR_print_errors(bio_err);
1590 dsa_doit[j] = 0;
1591 } else {
1592 pkey_print_message("verify", "dsa",
1593 dsa_c[j][1], dsa_bits[j],
1594 DSA_SECONDS);
1595 Time_F(START);
1596 for (count = 0, run = 1; COND(dsa_c[j][1]); count++) {
1597 ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2,
1598 kk, dsa_key[j]);
1599 if (ret <= 0) {
1600 BIO_printf(bio_err,
1601 "DSA verify failure\n");
1602 ERR_print_errors(bio_err);
1603 count = 1;
1604 break;
1605 }
1606 }
1607 d = Time_F(STOP);
1608 BIO_printf(bio_err, mr ? "+R4:%ld:%d:%.2f\n"
1609 : "%ld %d bit DSA verify in %.2fs\n",
1610 count, dsa_bits[j], d);
1611 dsa_results[j][1] = d / (double) count;
1612 }
1613
1614 if (rsa_count <= 1) {
1615 /* if longer than 10s, don't do any more */
1616 for (j++; j < DSA_NUM; j++)
1617 dsa_doit[j] = 0;
1618 }
1619 }
1620
1621 for (j = 0; j < EC_NUM; j++) {
1622 int ret;
1623
1624 if (!ecdsa_doit[j])
1625 continue; /* Ignore Curve */
1626 ecdsa[j] = EC_KEY_new_by_curve_name(test_curves[j]);
1627 if (ecdsa[j] == NULL) {
1628 BIO_printf(bio_err, "ECDSA failure.\n");
1629 ERR_print_errors(bio_err);
1630 rsa_count = 1;
1631 } else {
1632#if 1
1633 EC_KEY_precompute_mult(ecdsa[j], NULL);
1634#endif
1635 /* Perform ECDSA signature test */
1636 EC_KEY_generate_key(ecdsa[j]);
1637 ret = ECDSA_sign(0, buf, 20, ecdsasig,
1638 &ecdsasiglen, ecdsa[j]);
1639 if (ret == 0) {
1640 BIO_printf(bio_err, "ECDSA sign failure. No ECDSA sign will be done.\n");
1641 ERR_print_errors(bio_err);
1642 rsa_count = 1;
1643 } else {
1644 pkey_print_message("sign", "ecdsa",
1645 ecdsa_c[j][0],
1646 test_curves_bits[j],
1647 ECDSA_SECONDS);
1648
1649 Time_F(START);
1650 for (count = 0, run = 1; COND(ecdsa_c[j][0]);
1651 count++) {
1652 ret = ECDSA_sign(0, buf, 20,
1653 ecdsasig, &ecdsasiglen,
1654 ecdsa[j]);
1655 if (ret == 0) {
1656 BIO_printf(bio_err, "ECDSA sign failure\n");
1657 ERR_print_errors(bio_err);
1658 count = 1;
1659 break;
1660 }
1661 }
1662 d = Time_F(STOP);
1663
1664 BIO_printf(bio_err, mr ? "+R5:%ld:%d:%.2f\n" :
1665 "%ld %d bit ECDSA signs in %.2fs \n",
1666 count, test_curves_bits[j], d);
1667 ecdsa_results[j][0] = d / (double) count;
1668 rsa_count = count;
1669 }
1670
1671 /* Perform ECDSA verification test */
1672 ret = ECDSA_verify(0, buf, 20, ecdsasig,
1673 ecdsasiglen, ecdsa[j]);
1674 if (ret != 1) {
1675 BIO_printf(bio_err, "ECDSA verify failure. No ECDSA verify will be done.\n");
1676 ERR_print_errors(bio_err);
1677 ecdsa_doit[j] = 0;
1678 } else {
1679 pkey_print_message("verify", "ecdsa",
1680 ecdsa_c[j][1],
1681 test_curves_bits[j],
1682 ECDSA_SECONDS);
1683 Time_F(START);
1684 for (count = 0, run = 1; COND(ecdsa_c[j][1]); count++) {
1685 ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]);
1686 if (ret != 1) {
1687 BIO_printf(bio_err, "ECDSA verify failure\n");
1688 ERR_print_errors(bio_err);
1689 count = 1;
1690 break;
1691 }
1692 }
1693 d = Time_F(STOP);
1694 BIO_printf(bio_err, mr ? "+R6:%ld:%d:%.2f\n"
1695 : "%ld %d bit ECDSA verify in %.2fs\n",
1696 count, test_curves_bits[j], d);
1697 ecdsa_results[j][1] = d / (double) count;
1698 }
1699
1700 if (rsa_count <= 1) {
1701 /* if longer than 10s, don't do any more */
1702 for (j++; j < EC_NUM; j++)
1703 ecdsa_doit[j] = 0;
1704 }
1705 }
1706 }
1707
1708 for (j = 0; j < EC_NUM; j++) {
1709 if (!ecdh_doit[j])
1710 continue;
1711 ecdh_a[j] = EC_KEY_new_by_curve_name(test_curves[j]);
1712 ecdh_b[j] = EC_KEY_new_by_curve_name(test_curves[j]);
1713 if ((ecdh_a[j] == NULL) || (ecdh_b[j] == NULL)) {
1714 BIO_printf(bio_err, "ECDH failure.\n");
1715 ERR_print_errors(bio_err);
1716 rsa_count = 1;
1717 } else {
1718 /* generate two ECDH key pairs */
1719 if (!EC_KEY_generate_key(ecdh_a[j]) ||
1720 !EC_KEY_generate_key(ecdh_b[j])) {
1721 BIO_printf(bio_err, "ECDH key generation failure.\n");
1722 ERR_print_errors(bio_err);
1723 rsa_count = 1;
1724 } else {
1725 /*
1726 * If field size is not more than 24 octets,
1727 * then use SHA-1 hash of result; otherwise,
1728 * use result (see section 4.8 of
1729 * draft-ietf-tls-ecc-03.txt).
1730 */
1731 int field_size, outlen;
1732 void *(*kdf) (const void *in, size_t inlen, void *out, size_t * xoutlen);
1733 field_size = EC_GROUP_get_degree(EC_KEY_get0_group(ecdh_a[j]));
1734 if (field_size <= 24 * 8) {
1735 outlen = KDF1_SHA1_len;
1736 kdf = KDF1_SHA1;
1737 } else {
1738 outlen = (field_size + 7) / 8;
1739 kdf = NULL;
1740 }
1741 secret_size_a = ECDH_compute_key(secret_a, outlen,
1742 EC_KEY_get0_public_key(ecdh_b[j]),
1743 ecdh_a[j], kdf);
1744 secret_size_b = ECDH_compute_key(secret_b, outlen,
1745 EC_KEY_get0_public_key(ecdh_a[j]),
1746 ecdh_b[j], kdf);
1747 if (secret_size_a != secret_size_b)
1748 ecdh_checks = 0;
1749 else
1750 ecdh_checks = 1;
1751
1752 for (secret_idx = 0;
1753 (secret_idx < secret_size_a)
1754 && (ecdh_checks == 1);
1755 secret_idx++) {
1756 if (secret_a[secret_idx] != secret_b[secret_idx])
1757 ecdh_checks = 0;
1758 }
1759
1760 if (ecdh_checks == 0) {
1761 BIO_printf(bio_err, "ECDH computations don't match.\n");
1762 ERR_print_errors(bio_err);
1763 rsa_count = 1;
1764 }
1765 pkey_print_message("", "ecdh",
1766 ecdh_c[j][0],
1767 test_curves_bits[j],
1768 ECDH_SECONDS);
1769 Time_F(START);
1770 for (count = 0, run = 1; COND(ecdh_c[j][0]); count++) {
1771 ECDH_compute_key(secret_a, outlen,
1772 EC_KEY_get0_public_key(ecdh_b[j]),
1773 ecdh_a[j], kdf);
1774 }
1775 d = Time_F(STOP);
1776 BIO_printf(bio_err, mr ? "+R7:%ld:%d:%.2f\n" : "%ld %d-bit ECDH ops in %.2fs\n",
1777 count, test_curves_bits[j], d);
1778 ecdh_results[j][0] = d / (double) count;
1779 rsa_count = count;
1780 }
1781 }
1782
1783
1784 if (rsa_count <= 1) {
1785 /* if longer than 10s, don't do any more */
1786 for (j++; j < EC_NUM; j++)
1787 ecdh_doit[j] = 0;
1788 }
1789 }
1790show_res:
1791 if (!mr) {
1792 fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_VERSION));
1793 fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_BUILT_ON));
1794 printf("options:");
1795 printf("%s ", BN_options());
1796#ifndef OPENSSL_NO_RC4
1797 printf("%s ", RC4_options());
1798#endif
1799#ifndef OPENSSL_NO_DES
1800 printf("%s ", DES_options());
1801#endif
1802#ifndef OPENSSL_NO_AES
1803 printf("%s ", AES_options());
1804#endif
1805#ifndef OPENSSL_NO_IDEA
1806 printf("%s ", idea_options());
1807#endif
1808#ifndef OPENSSL_NO_BF
1809 printf("%s ", BF_options());
1810#endif
1811 fprintf(stdout, "\n%s\n", SSLeay_version(SSLEAY_CFLAGS));
1812 }
1813 if (pr_header) {
1814 if (mr)
1815 fprintf(stdout, "+H");
1816 else {
1817 fprintf(stdout, "The 'numbers' are in 1000s of bytes per second processed.\n");
1818 fprintf(stdout, "type ");
1819 }
1820 for (j = 0; j < SIZE_NUM; j++)
1821 fprintf(stdout, mr ? ":%d" : "%7d bytes", lengths[j]);
1822 fprintf(stdout, "\n");
1823 }
1824 for (k = 0; k < ALGOR_NUM; k++) {
1825 if (!doit[k])
1826 continue;
1827 if (mr)
1828 fprintf(stdout, "+F:%d:%s", k, names[k]);
1829 else
1830 fprintf(stdout, "%-13s", names[k]);
1831 for (j = 0; j < SIZE_NUM; j++) {
1832 if (results[k][j] > 10000 && !mr)
1833 fprintf(stdout, " %11.2fk", results[k][j] / 1e3);
1834 else
1835 fprintf(stdout, mr ? ":%.2f" : " %11.2f ", results[k][j]);
1836 }
1837 fprintf(stdout, "\n");
1838 }
1839 j = 1;
1840 for (k = 0; k < RSA_NUM; k++) {
1841 if (!rsa_doit[k])
1842 continue;
1843 if (j && !mr) {
1844 printf("%18ssign verify sign/s verify/s\n", " ");
1845 j = 0;
1846 }
1847 if (mr)
1848 fprintf(stdout, "+F2:%u:%u:%f:%f\n",
1849 k, rsa_bits[k], rsa_results[k][0],
1850 rsa_results[k][1]);
1851 else
1852 fprintf(stdout, "rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
1853 rsa_bits[k], rsa_results[k][0], rsa_results[k][1],
1854 1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1]);
1855 }
1856 j = 1;
1857 for (k = 0; k < DSA_NUM; k++) {
1858 if (!dsa_doit[k])
1859 continue;
1860 if (j && !mr) {
1861 printf("%18ssign verify sign/s verify/s\n", " ");
1862 j = 0;
1863 }
1864 if (mr)
1865 fprintf(stdout, "+F3:%u:%u:%f:%f\n",
1866 k, dsa_bits[k], dsa_results[k][0], dsa_results[k][1]);
1867 else
1868 fprintf(stdout, "dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
1869 dsa_bits[k], dsa_results[k][0], dsa_results[k][1],
1870 1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1]);
1871 }
1872 j = 1;
1873 for (k = 0; k < EC_NUM; k++) {
1874 if (!ecdsa_doit[k])
1875 continue;
1876 if (j && !mr) {
1877 printf("%30ssign verify sign/s verify/s\n", " ");
1878 j = 0;
1879 }
1880 if (mr)
1881 fprintf(stdout, "+F4:%u:%u:%f:%f\n",
1882 k, test_curves_bits[k],
1883 ecdsa_results[k][0], ecdsa_results[k][1]);
1884 else
1885 fprintf(stdout,
1886 "%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n",
1887 test_curves_bits[k],
1888 test_curves_names[k],
1889 ecdsa_results[k][0], ecdsa_results[k][1],
1890 1.0 / ecdsa_results[k][0], 1.0 / ecdsa_results[k][1]);
1891 }
1892
1893
1894 j = 1;
1895 for (k = 0; k < EC_NUM; k++) {
1896 if (!ecdh_doit[k])
1897 continue;
1898 if (j && !mr) {
1899 printf("%30sop op/s\n", " ");
1900 j = 0;
1901 }
1902 if (mr)
1903 fprintf(stdout, "+F5:%u:%u:%f:%f\n",
1904 k, test_curves_bits[k],
1905 ecdh_results[k][0], 1.0 / ecdh_results[k][0]);
1906
1907 else
1908 fprintf(stdout, "%4u bit ecdh (%s) %8.4fs %8.1f\n",
1909 test_curves_bits[k],
1910 test_curves_names[k],
1911 ecdh_results[k][0], 1.0 / ecdh_results[k][0]);
1912 }
1913
1914 mret = 0;
1915
1916end:
1917 ERR_print_errors(bio_err);
1918 free(buf);
1919 free(buf2);
1920 for (i = 0; i < RSA_NUM; i++)
1921 if (rsa_key[i] != NULL)
1922 RSA_free(rsa_key[i]);
1923 for (i = 0; i < DSA_NUM; i++)
1924 if (dsa_key[i] != NULL)
1925 DSA_free(dsa_key[i]);
1926
1927 for (i = 0; i < EC_NUM; i++)
1928 if (ecdsa[i] != NULL)
1929 EC_KEY_free(ecdsa[i]);
1930 for (i = 0; i < EC_NUM; i++) {
1931 if (ecdh_a[i] != NULL)
1932 EC_KEY_free(ecdh_a[i]);
1933 if (ecdh_b[i] != NULL)
1934 EC_KEY_free(ecdh_b[i]);
1935 }
1936
1937
1938 return (mret);
1939}
1940
1941static void
1942print_message(const char *s, long num, int length)
1943{
1944 BIO_printf(bio_err, mr ? "+DT:%s:%d:%d\n"
1945 : "Doing %s for %ds on %d size blocks: ", s, SECONDS, length);
1946 (void) BIO_flush(bio_err);
1947 alarm(SECONDS);
1948}
1949
1950static void
1951pkey_print_message(const char *str, const char *str2, long num,
1952 int bits, int tm)
1953{
1954 BIO_printf(bio_err, mr ? "+DTP:%d:%s:%s:%d\n"
1955 : "Doing %d bit %s %s's for %ds: ", bits, str, str2, tm);
1956 (void) BIO_flush(bio_err);
1957 alarm(tm);
1958}
1959
1960static void
1961print_result(int alg, int run_no, int count, double time_used)
1962{
1963 BIO_printf(bio_err, mr ? "+R:%d:%s:%f\n"
1964 : "%d %s's in %.2fs\n", count, names[alg], time_used);
1965 results[alg][run_no] = ((double) count) / time_used * lengths[run_no];
1966}
1967
1968static char *
1969sstrsep(char **string, const char *delim)
1970{
1971 char isdelim[256];
1972 char *token = *string;
1973
1974 if (**string == 0)
1975 return NULL;
1976
1977 memset(isdelim, 0, sizeof isdelim);
1978 isdelim[0] = 1;
1979
1980 while (*delim) {
1981 isdelim[(unsigned char) (*delim)] = 1;
1982 delim++;
1983 }
1984
1985 while (!isdelim[(unsigned char) (**string)]) {
1986 (*string)++;
1987 }
1988
1989 if (**string) {
1990 **string = 0;
1991 (*string)++;
1992 }
1993 return token;
1994}
1995
1996static int
1997do_multi(int multi)
1998{
1999 int n;
2000 int fd[2];
2001 int *fds;
2002 static char sep[] = ":";
2003 const char *errstr = NULL;
2004
2005 fds = reallocarray(NULL, multi, sizeof *fds);
2006 for (n = 0; n < multi; ++n) {
2007 if (pipe(fd) == -1) {
2008 fprintf(stderr, "pipe failure\n");
2009 exit(1);
2010 }
2011 fflush(stdout);
2012 fflush(stderr);
2013 if (fork()) {
2014 close(fd[1]);
2015 fds[n] = fd[0];
2016 } else {
2017 close(fd[0]);
2018 close(1);
2019 if (dup(fd[1]) == -1) {
2020 fprintf(stderr, "dup failed\n");
2021 exit(1);
2022 }
2023 close(fd[1]);
2024 mr = 1;
2025 usertime = 0;
2026 free(fds);
2027 return 0;
2028 }
2029 printf("Forked child %d\n", n);
2030 }
2031
2032 /* for now, assume the pipe is long enough to take all the output */
2033 for (n = 0; n < multi; ++n) {
2034 FILE *f;
2035 char buf[1024];
2036 char *p;
2037
2038 f = fdopen(fds[n], "r");
2039 while (fgets(buf, sizeof buf, f)) {
2040 p = strchr(buf, '\n');
2041 if (p)
2042 *p = '\0';
2043 if (buf[0] != '+') {
2044 fprintf(stderr, "Don't understand line '%s' from child %d\n",
2045 buf, n);
2046 continue;
2047 }
2048 printf("Got: %s from %d\n", buf, n);
2049 if (!strncmp(buf, "+F:", 3)) {
2050 int alg;
2051 int j;
2052
2053 p = buf + 3;
2054 alg = strtonum(sstrsep(&p, sep),
2055 0, ALGOR_NUM - 1, &errstr);
2056 sstrsep(&p, sep);
2057 for (j = 0; j < SIZE_NUM; ++j)
2058 results[alg][j] += atof(sstrsep(&p, sep));
2059 } else if (!strncmp(buf, "+F2:", 4)) {
2060 int k;
2061 double d;
2062
2063 p = buf + 4;
2064 k = strtonum(sstrsep(&p, sep),
2065 0, ALGOR_NUM - 1, &errstr);
2066 sstrsep(&p, sep);
2067
2068 d = atof(sstrsep(&p, sep));
2069 if (n)
2070 rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d);
2071 else
2072 rsa_results[k][0] = d;
2073
2074 d = atof(sstrsep(&p, sep));
2075 if (n)
2076 rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d);
2077 else
2078 rsa_results[k][1] = d;
2079 } else if (!strncmp(buf, "+F2:", 4)) {
2080 int k;
2081 double d;
2082
2083 p = buf + 4;
2084 k = strtonum(sstrsep(&p, sep),
2085 0, ALGOR_NUM - 1, &errstr);
2086 sstrsep(&p, sep);
2087
2088 d = atof(sstrsep(&p, sep));
2089 if (n)
2090 rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d);
2091 else
2092 rsa_results[k][0] = d;
2093
2094 d = atof(sstrsep(&p, sep));
2095 if (n)
2096 rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d);
2097 else
2098 rsa_results[k][1] = d;
2099 }
2100 else if (!strncmp(buf, "+F3:", 4)) {
2101 int k;
2102 double d;
2103
2104 p = buf + 4;
2105 k = strtonum(sstrsep(&p, sep),
2106 0, ALGOR_NUM - 1, &errstr);
2107 sstrsep(&p, sep);
2108
2109 d = atof(sstrsep(&p, sep));
2110 if (n)
2111 dsa_results[k][0] = 1 / (1 / dsa_results[k][0] + 1 / d);
2112 else
2113 dsa_results[k][0] = d;
2114
2115 d = atof(sstrsep(&p, sep));
2116 if (n)
2117 dsa_results[k][1] = 1 / (1 / dsa_results[k][1] + 1 / d);
2118 else
2119 dsa_results[k][1] = d;
2120 }
2121 else if (!strncmp(buf, "+F4:", 4)) {
2122 int k;
2123 double d;
2124
2125 p = buf + 4;
2126 k = strtonum(sstrsep(&p, sep),
2127 0, ALGOR_NUM - 1, &errstr);
2128 sstrsep(&p, sep);
2129
2130 d = atof(sstrsep(&p, sep));
2131 if (n)
2132 ecdsa_results[k][0] = 1 / (1 / ecdsa_results[k][0] + 1 / d);
2133 else
2134 ecdsa_results[k][0] = d;
2135
2136 d = atof(sstrsep(&p, sep));
2137 if (n)
2138 ecdsa_results[k][1] = 1 / (1 / ecdsa_results[k][1] + 1 / d);
2139 else
2140 ecdsa_results[k][1] = d;
2141 }
2142
2143 else if (!strncmp(buf, "+F5:", 4)) {
2144 int k;
2145 double d;
2146
2147 p = buf + 4;
2148 k = strtonum(sstrsep(&p, sep),
2149 0, ALGOR_NUM - 1, &errstr);
2150 sstrsep(&p, sep);
2151
2152 d = atof(sstrsep(&p, sep));
2153 if (n)
2154 ecdh_results[k][0] = 1 / (1 / ecdh_results[k][0] + 1 / d);
2155 else
2156 ecdh_results[k][0] = d;
2157
2158 }
2159
2160 else if (!strncmp(buf, "+H:", 3)) {
2161 } else
2162 fprintf(stderr, "Unknown type '%s' from child %d\n", buf, n);
2163 }
2164
2165 fclose(f);
2166 }
2167 free(fds);
2168 return 1;
2169}
2170#endif
diff --git a/src/lib/libssl/src/apps/spkac.c b/src/lib/libssl/src/apps/spkac.c
deleted file mode 100644
index b13a83d097..0000000000
--- a/src/lib/libssl/src/apps/spkac.c
+++ /dev/null
@@ -1,284 +0,0 @@
1/* $OpenBSD: spkac.c,v 1.22 2014/07/22 06:55:22 guenther Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. Based on an original idea by Massimiliano Pala
4 * (madwolf@openca.org).
5 */
6/* ====================================================================
7 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#include <stdio.h>
61#include <stdlib.h>
62#include <string.h>
63#include <time.h>
64
65#include "apps.h"
66
67#include <openssl/bio.h>
68#include <openssl/conf.h>
69#include <openssl/err.h>
70#include <openssl/evp.h>
71#include <openssl/lhash.h>
72#include <openssl/pem.h>
73#include <openssl/x509.h>
74
75/* -in arg - input file - default stdin
76 * -out arg - output file - default stdout
77 */
78
79int spkac_main(int, char **);
80
81int
82spkac_main(int argc, char **argv)
83{
84 ENGINE *e = NULL;
85 int i, badops = 0, ret = 1;
86 BIO *in = NULL, *out = NULL;
87 int verify = 0, noout = 0, pubkey = 0;
88 char *infile = NULL, *outfile = NULL, *prog;
89 char *passargin = NULL, *passin = NULL;
90 const char *spkac = "SPKAC", *spksect = "default";
91 char *spkstr = NULL;
92 char *challenge = NULL, *keyfile = NULL;
93 CONF *conf = NULL;
94 NETSCAPE_SPKI *spki = NULL;
95 EVP_PKEY *pkey = NULL;
96#ifndef OPENSSL_NO_ENGINE
97 char *engine = NULL;
98#endif
99
100 prog = argv[0];
101 argc--;
102 argv++;
103 while (argc >= 1) {
104 if (strcmp(*argv, "-in") == 0) {
105 if (--argc < 1)
106 goto bad;
107 infile = *(++argv);
108 } else if (strcmp(*argv, "-out") == 0) {
109 if (--argc < 1)
110 goto bad;
111 outfile = *(++argv);
112 } else if (strcmp(*argv, "-passin") == 0) {
113 if (--argc < 1)
114 goto bad;
115 passargin = *(++argv);
116 } else if (strcmp(*argv, "-key") == 0) {
117 if (--argc < 1)
118 goto bad;
119 keyfile = *(++argv);
120 } else if (strcmp(*argv, "-challenge") == 0) {
121 if (--argc < 1)
122 goto bad;
123 challenge = *(++argv);
124 } else if (strcmp(*argv, "-spkac") == 0) {
125 if (--argc < 1)
126 goto bad;
127 spkac = *(++argv);
128 } else if (strcmp(*argv, "-spksect") == 0) {
129 if (--argc < 1)
130 goto bad;
131 spksect = *(++argv);
132 }
133#ifndef OPENSSL_NO_ENGINE
134 else if (strcmp(*argv, "-engine") == 0) {
135 if (--argc < 1)
136 goto bad;
137 engine = *(++argv);
138 }
139#endif
140 else if (strcmp(*argv, "-noout") == 0)
141 noout = 1;
142 else if (strcmp(*argv, "-pubkey") == 0)
143 pubkey = 1;
144 else if (strcmp(*argv, "-verify") == 0)
145 verify = 1;
146 else
147 badops = 1;
148 argc--;
149 argv++;
150 }
151
152 if (badops) {
153bad:
154 BIO_printf(bio_err, "%s [options]\n", prog);
155 BIO_printf(bio_err, "where options are\n");
156 BIO_printf(bio_err, " -in arg input file\n");
157 BIO_printf(bio_err, " -out arg output file\n");
158 BIO_printf(bio_err, " -key arg create SPKAC using private key\n");
159 BIO_printf(bio_err, " -passin arg input file pass phrase source\n");
160 BIO_printf(bio_err, " -challenge arg challenge string\n");
161 BIO_printf(bio_err, " -spkac arg alternative SPKAC name\n");
162 BIO_printf(bio_err, " -noout don't print SPKAC\n");
163 BIO_printf(bio_err, " -pubkey output public key\n");
164 BIO_printf(bio_err, " -verify verify SPKAC signature\n");
165#ifndef OPENSSL_NO_ENGINE
166 BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n");
167#endif
168 goto end;
169 }
170 ERR_load_crypto_strings();
171 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
172 BIO_printf(bio_err, "Error getting password\n");
173 goto end;
174 }
175#ifndef OPENSSL_NO_ENGINE
176 e = setup_engine(bio_err, engine, 0);
177#endif
178
179 if (keyfile) {
180 pkey = load_key(bio_err,
181 strcmp(keyfile, "-") ? keyfile : NULL,
182 FORMAT_PEM, 1, passin, e, "private key");
183 if (!pkey) {
184 goto end;
185 }
186 spki = NETSCAPE_SPKI_new();
187 if (challenge)
188 ASN1_STRING_set(spki->spkac->challenge,
189 challenge, (int) strlen(challenge));
190 NETSCAPE_SPKI_set_pubkey(spki, pkey);
191 NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
192 spkstr = NETSCAPE_SPKI_b64_encode(spki);
193 if (spkstr == NULL) {
194 BIO_printf(bio_err, "Error encoding SPKAC\n");
195 ERR_print_errors(bio_err);
196 goto end;
197 }
198
199 if (outfile)
200 out = BIO_new_file(outfile, "w");
201 else
202 out = BIO_new_fp(stdout, BIO_NOCLOSE);
203
204 if (!out) {
205 BIO_printf(bio_err, "Error opening output file\n");
206 ERR_print_errors(bio_err);
207 } else {
208 BIO_printf(out, "SPKAC=%s\n", spkstr);
209 ret = 0;
210 }
211 free(spkstr);
212 goto end;
213 }
214 if (infile)
215 in = BIO_new_file(infile, "r");
216 else
217 in = BIO_new_fp(stdin, BIO_NOCLOSE);
218
219 if (!in) {
220 BIO_printf(bio_err, "Error opening input file\n");
221 ERR_print_errors(bio_err);
222 goto end;
223 }
224 conf = NCONF_new(NULL);
225 i = NCONF_load_bio(conf, in, NULL);
226
227 if (!i) {
228 BIO_printf(bio_err, "Error parsing config file\n");
229 ERR_print_errors(bio_err);
230 goto end;
231 }
232 spkstr = NCONF_get_string(conf, spksect, spkac);
233
234 if (!spkstr) {
235 BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
236 ERR_print_errors(bio_err);
237 goto end;
238 }
239 spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
240
241 if (!spki) {
242 BIO_printf(bio_err, "Error loading SPKAC\n");
243 ERR_print_errors(bio_err);
244 goto end;
245 }
246 if (outfile)
247 out = BIO_new_file(outfile, "w");
248 else {
249 out = BIO_new_fp(stdout, BIO_NOCLOSE);
250 }
251
252 if (!out) {
253 BIO_printf(bio_err, "Error opening output file\n");
254 ERR_print_errors(bio_err);
255 goto end;
256 }
257 if (!noout)
258 NETSCAPE_SPKI_print(out, spki);
259 pkey = NETSCAPE_SPKI_get_pubkey(spki);
260 if (verify) {
261 i = NETSCAPE_SPKI_verify(spki, pkey);
262 if (i > 0)
263 BIO_printf(bio_err, "Signature OK\n");
264 else {
265 BIO_printf(bio_err, "Signature Failure\n");
266 ERR_print_errors(bio_err);
267 goto end;
268 }
269 }
270 if (pubkey)
271 PEM_write_bio_PUBKEY(out, pkey);
272
273 ret = 0;
274
275end:
276 NCONF_free(conf);
277 NETSCAPE_SPKI_free(spki);
278 BIO_free(in);
279 BIO_free_all(out);
280 EVP_PKEY_free(pkey);
281 free(passin);
282
283 return (ret);
284}
diff --git a/src/lib/libssl/src/apps/testdsa.h b/src/lib/libssl/src/apps/testdsa.h
deleted file mode 100644
index 0fcdac0f36..0000000000
--- a/src/lib/libssl/src/apps/testdsa.h
+++ /dev/null
@@ -1,221 +0,0 @@
1/* $OpenBSD: testdsa.h,v 1.7 2014/06/12 15:49:27 deraadt Exp $ */
2
3DSA *get_dsa512(void);
4DSA *get_dsa1024(void);
5DSA *get_dsa2048(void);
6
7static unsigned char dsa512_priv[] = {
8 0x65, 0xe5, 0xc7, 0x38, 0x60, 0x24, 0xb5, 0x89, 0xd4, 0x9c, 0xeb, 0x4c,
9 0x9c, 0x1d, 0x7a, 0x22, 0xbd, 0xd1, 0xc2, 0xd2,
10};
11static unsigned char dsa512_pub[] = {
12 0x00, 0x95, 0xa7, 0x0d, 0xec, 0x93, 0x68, 0xba, 0x5f, 0xf7, 0x5f, 0x07,
13 0xf2, 0x3b, 0xad, 0x6b, 0x01, 0xdc, 0xbe, 0xec, 0xde, 0x04, 0x7a, 0x3a,
14 0x27, 0xb3, 0xec, 0x49, 0xfd, 0x08, 0x43, 0x3d, 0x7e, 0xa8, 0x2c, 0x5e,
15 0x7b, 0xbb, 0xfc, 0xf4, 0x6e, 0xeb, 0x6c, 0xb0, 0x6e, 0xf8, 0x02, 0x12,
16 0x8c, 0x38, 0x5d, 0x83, 0x56, 0x7d, 0xee, 0x53, 0x05, 0x3e, 0x24, 0x84,
17 0xbe, 0xba, 0x0a, 0x6b, 0xc8,
18};
19static unsigned char dsa512_p[] = {
20 0x9D, 0x1B, 0x69, 0x8E, 0x26, 0xDB, 0xF2, 0x2B, 0x11, 0x70, 0x19, 0x86,
21 0xF6, 0x19, 0xC8, 0xF8, 0x19, 0xF2, 0x18, 0x53, 0x94, 0x46, 0x06, 0xD0,
22 0x62, 0x50, 0x33, 0x4B, 0x02, 0x3C, 0x52, 0x30, 0x03, 0x8B, 0x3B, 0xF9,
23 0x5F, 0xD1, 0x24, 0x06, 0x4F, 0x7B, 0x4C, 0xBA, 0xAA, 0x40, 0x9B, 0xFD,
24 0x96, 0xE4, 0x37, 0x33, 0xBB, 0x2D, 0x5A, 0xD7, 0x5A, 0x11, 0x40, 0x66,
25 0xA2, 0x76, 0x7D, 0x31,
26};
27static unsigned char dsa512_q[] = {
28 0xFB, 0x53, 0xEF, 0x50, 0xB4, 0x40, 0x92, 0x31, 0x56, 0x86, 0x53, 0x7A,
29 0xE8, 0x8B, 0x22, 0x9A, 0x49, 0xFB, 0x71, 0x8F,
30};
31static unsigned char dsa512_g[] = {
32 0x83, 0x3E, 0x88, 0xE5, 0xC5, 0x89, 0x73, 0xCE, 0x3B, 0x6C, 0x01, 0x49,
33 0xBF, 0xB3, 0xC7, 0x9F, 0x0A, 0xEA, 0x44, 0x91, 0xE5, 0x30, 0xAA, 0xD9,
34 0xBE, 0x5B, 0x5F, 0xB7, 0x10, 0xD7, 0x89, 0xB7, 0x8E, 0x74, 0xFB, 0xCF,
35 0x29, 0x1E, 0xEB, 0xA8, 0x2C, 0x54, 0x51, 0xB8, 0x10, 0xDE, 0xA0, 0xCE,
36 0x2F, 0xCC, 0x24, 0x6B, 0x90, 0x77, 0xDE, 0xA2, 0x68, 0xA6, 0x52, 0x12,
37 0xA2, 0x03, 0x9D, 0x20,
38};
39
40DSA *
41get_dsa512()
42{
43 DSA *dsa;
44
45 if ((dsa = DSA_new()) == NULL)
46 return (NULL);
47 dsa->priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
48 dsa->pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
49 dsa->p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
50 dsa->q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
51 dsa->g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
52 if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) ||
53 (dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
54 return (NULL);
55 return (dsa);
56}
57
58static unsigned char dsa1024_priv[] = {
59 0x7d, 0x21, 0xda, 0xbb, 0x62, 0x15, 0x47, 0x36, 0x07, 0x67, 0x12, 0xe8,
60 0x8c, 0xaa, 0x1c, 0xcd, 0x38, 0x12, 0x61, 0x18,
61};
62static unsigned char dsa1024_pub[] = {
63 0x3c, 0x4e, 0x9c, 0x2a, 0x7f, 0x16, 0xc1, 0x25, 0xeb, 0xac, 0x78, 0x63,
64 0x90, 0x14, 0x8c, 0x8b, 0xf4, 0x68, 0x43, 0x3c, 0x2d, 0xee, 0x65, 0x50,
65 0x7d, 0x9c, 0x8f, 0x8c, 0x8a, 0x51, 0xd6, 0x11, 0x2b, 0x99, 0xaf, 0x1e,
66 0x90, 0x97, 0xb5, 0xd3, 0xa6, 0x20, 0x25, 0xd6, 0xfe, 0x43, 0x02, 0xd5,
67 0x91, 0x7d, 0xa7, 0x8c, 0xdb, 0xc9, 0x85, 0xa3, 0x36, 0x48, 0xf7, 0x68,
68 0xaa, 0x60, 0xb1, 0xf7, 0x05, 0x68, 0x3a, 0xa3, 0x3f, 0xd3, 0x19, 0x82,
69 0xd8, 0x82, 0x7a, 0x77, 0xfb, 0xef, 0xf4, 0x15, 0x0a, 0xeb, 0x06, 0x04,
70 0x7f, 0x53, 0x07, 0x0c, 0xbc, 0xcb, 0x2d, 0x83, 0xdb, 0x3e, 0xd1, 0x28,
71 0xa5, 0xa1, 0x31, 0xe0, 0x67, 0xfa, 0x50, 0xde, 0x9b, 0x07, 0x83, 0x7e,
72 0x2c, 0x0b, 0xc3, 0x13, 0x50, 0x61, 0xe5, 0xad, 0xbd, 0x36, 0xb8, 0x97,
73 0x4e, 0x40, 0x7d, 0xe8, 0x83, 0x0d, 0xbc, 0x4b
74};
75static unsigned char dsa1024_p[] = {
76 0xA7, 0x3F, 0x6E, 0x85, 0xBF, 0x41, 0x6A, 0x29, 0x7D, 0xF0, 0x9F, 0x47,
77 0x19, 0x30, 0x90, 0x9A, 0x09, 0x1D, 0xDA, 0x6A, 0x33, 0x1E, 0xC5, 0x3D,
78 0x86, 0x96, 0xB3, 0x15, 0xE0, 0x53, 0x2E, 0x8F, 0xE0, 0x59, 0x82, 0x73,
79 0x90, 0x3E, 0x75, 0x31, 0x99, 0x47, 0x7A, 0x52, 0xFB, 0x85, 0xE4, 0xD9,
80 0xA6, 0x7B, 0x38, 0x9B, 0x68, 0x8A, 0x84, 0x9B, 0x87, 0xC6, 0x1E, 0xB5,
81 0x7E, 0x86, 0x4B, 0x53, 0x5B, 0x59, 0xCF, 0x71, 0x65, 0x19, 0x88, 0x6E,
82 0xCE, 0x66, 0xAE, 0x6B, 0x88, 0x36, 0xFB, 0xEC, 0x28, 0xDC, 0xC2, 0xD7,
83 0xA5, 0xBB, 0xE5, 0x2C, 0x39, 0x26, 0x4B, 0xDA, 0x9A, 0x70, 0x18, 0x95,
84 0x37, 0x95, 0x10, 0x56, 0x23, 0xF6, 0x15, 0xED, 0xBA, 0x04, 0x5E, 0xDE,
85 0x39, 0x4F, 0xFD, 0xB7, 0x43, 0x1F, 0xB5, 0xA4, 0x65, 0x6F, 0xCD, 0x80,
86 0x11, 0xE4, 0x70, 0x95, 0x5B, 0x50, 0xCD, 0x49,
87};
88static unsigned char dsa1024_q[] = {
89 0xF7, 0x07, 0x31, 0xED, 0xFA, 0x6C, 0x06, 0x03, 0xD5, 0x85, 0x8A, 0x1C,
90 0xAC, 0x9C, 0x65, 0xE7, 0x50, 0x66, 0x65, 0x6F,
91};
92static unsigned char dsa1024_g[] = {
93 0x4D, 0xDF, 0x4C, 0x03, 0xA6, 0x91, 0x8A, 0xF5, 0x19, 0x6F, 0x50, 0x46,
94 0x25, 0x99, 0xE5, 0x68, 0x6F, 0x30, 0xE3, 0x69, 0xE1, 0xE5, 0xB3, 0x5D,
95 0x98, 0xBB, 0x28, 0x86, 0x48, 0xFC, 0xDE, 0x99, 0x04, 0x3F, 0x5F, 0x88,
96 0x0C, 0x9C, 0x73, 0x24, 0x0D, 0x20, 0x5D, 0xB9, 0x2A, 0x9A, 0x3F, 0x18,
97 0x96, 0x27, 0xE4, 0x62, 0x87, 0xC1, 0x7B, 0x74, 0x62, 0x53, 0xFC, 0x61,
98 0x27, 0xA8, 0x7A, 0x91, 0x09, 0x9D, 0xB6, 0xF1, 0x4D, 0x9C, 0x54, 0x0F,
99 0x58, 0x06, 0xEE, 0x49, 0x74, 0x07, 0xCE, 0x55, 0x7E, 0x23, 0xCE, 0x16,
100 0xF6, 0xCA, 0xDC, 0x5A, 0x61, 0x01, 0x7E, 0xC9, 0x71, 0xB5, 0x4D, 0xF6,
101 0xDC, 0x34, 0x29, 0x87, 0x68, 0xF6, 0x5E, 0x20, 0x93, 0xB3, 0xDB, 0xF5,
102 0xE4, 0x09, 0x6C, 0x41, 0x17, 0x95, 0x92, 0xEB, 0x01, 0xB5, 0x73, 0xA5,
103 0x6A, 0x7E, 0xD8, 0x32, 0xED, 0x0E, 0x02, 0xB8,
104};
105
106DSA *
107get_dsa1024()
108{
109 DSA *dsa;
110
111 if ((dsa = DSA_new()) == NULL)
112 return (NULL);
113 dsa->priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
114 dsa->pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
115 dsa->p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
116 dsa->q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
117 dsa->g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
118 if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) ||
119 (dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
120 return (NULL);
121 return (dsa);
122}
123
124static unsigned char dsa2048_priv[] = {
125 0x32, 0x67, 0x92, 0xf6, 0xc4, 0xe2, 0xe2, 0xe8, 0xa0, 0x8b, 0x6b, 0x45,
126 0x0c, 0x8a, 0x76, 0xb0, 0xee, 0xcf, 0x91, 0xa7,
127};
128static unsigned char dsa2048_pub[] = {
129 0x17, 0x8f, 0xa8, 0x11, 0x84, 0x92, 0xec, 0x83, 0x47, 0xc7, 0x6a, 0xb0,
130 0x92, 0xaf, 0x5a, 0x20, 0x37, 0xa3, 0x64, 0x79, 0xd2, 0xd0, 0x3d, 0xcd,
131 0xe0, 0x61, 0x88, 0x88, 0x21, 0xcc, 0x74, 0x5d, 0xce, 0x4c, 0x51, 0x47,
132 0xf0, 0xc5, 0x5c, 0x4c, 0x82, 0x7a, 0xaf, 0x72, 0xad, 0xb9, 0xe0, 0x53,
133 0xf2, 0x78, 0xb7, 0xf0, 0xb5, 0x48, 0x7f, 0x8a, 0x3a, 0x18, 0xd1, 0x9f,
134 0x8b, 0x7d, 0xa5, 0x47, 0xb7, 0x95, 0xab, 0x98, 0xf8, 0x7b, 0x74, 0x50,
135 0x56, 0x8e, 0x57, 0xf0, 0xee, 0xf5, 0xb7, 0xba, 0xab, 0x85, 0x86, 0xf9,
136 0x2b, 0xef, 0x41, 0x56, 0xa0, 0xa4, 0x9f, 0xb7, 0x38, 0x00, 0x46, 0x0a,
137 0xa6, 0xf1, 0xfc, 0x1f, 0xd8, 0x4e, 0x85, 0x44, 0x92, 0x43, 0x21, 0x5d,
138 0x6e, 0xcc, 0xc2, 0xcb, 0x26, 0x31, 0x0d, 0x21, 0xc4, 0xbd, 0x8d, 0x24,
139 0xbc, 0xd9, 0x18, 0x19, 0xd7, 0xdc, 0xf1, 0xe7, 0x93, 0x50, 0x48, 0x03,
140 0x2c, 0xae, 0x2e, 0xe7, 0x49, 0x88, 0x5f, 0x93, 0x57, 0x27, 0x99, 0x36,
141 0xb4, 0x20, 0xab, 0xfc, 0xa7, 0x2b, 0xf2, 0xd9, 0x98, 0xd7, 0xd4, 0x34,
142 0x9d, 0x96, 0x50, 0x58, 0x9a, 0xea, 0x54, 0xf3, 0xee, 0xf5, 0x63, 0x14,
143 0xee, 0x85, 0x83, 0x74, 0x76, 0xe1, 0x52, 0x95, 0xc3, 0xf7, 0xeb, 0x04,
144 0x04, 0x7b, 0xa7, 0x28, 0x1b, 0xcc, 0xea, 0x4a, 0x4e, 0x84, 0xda, 0xd8,
145 0x9c, 0x79, 0xd8, 0x9b, 0x66, 0x89, 0x2f, 0xcf, 0xac, 0xd7, 0x79, 0xf9,
146 0xa9, 0xd8, 0x45, 0x13, 0x78, 0xb9, 0x00, 0x14, 0xc9, 0x7e, 0x22, 0x51,
147 0x86, 0x67, 0xb0, 0x9f, 0x26, 0x11, 0x23, 0xc8, 0x38, 0xd7, 0x70, 0x1d,
148 0x15, 0x8e, 0x4d, 0x4f, 0x95, 0x97, 0x40, 0xa1, 0xc2, 0x7e, 0x01, 0x18,
149 0x72, 0xf4, 0x10, 0xe6, 0x8d, 0x52, 0x16, 0x7f, 0xf2, 0xc9, 0xf8, 0x33,
150 0x8b, 0x33, 0xb7, 0xce,
151};
152static unsigned char dsa2048_p[] = {
153 0xA0, 0x25, 0xFA, 0xAD, 0xF4, 0x8E, 0xB9, 0xE5, 0x99, 0xF3, 0x5D, 0x6F,
154 0x4F, 0x83, 0x34, 0xE2, 0x7E, 0xCF, 0x6F, 0xBF, 0x30, 0xAF, 0x6F, 0x81,
155 0xEB, 0xF8, 0xC4, 0x13, 0xD9, 0xA0, 0x5D, 0x8B, 0x5C, 0x8E, 0xDC, 0xC2,
156 0x1D, 0x0B, 0x41, 0x32, 0xB0, 0x1F, 0xFE, 0xEF, 0x0C, 0xC2, 0xA2, 0x7E,
157 0x68, 0x5C, 0x28, 0x21, 0xE9, 0xF5, 0xB1, 0x58, 0x12, 0x63, 0x4C, 0x19,
158 0x4E, 0xFF, 0x02, 0x4B, 0x92, 0xED, 0xD2, 0x07, 0x11, 0x4D, 0x8C, 0x58,
159 0x16, 0x5C, 0x55, 0x8E, 0xAD, 0xA3, 0x67, 0x7D, 0xB9, 0x86, 0x6E, 0x0B,
160 0xE6, 0x54, 0x6F, 0x40, 0xAE, 0x0E, 0x67, 0x4C, 0xF9, 0x12, 0x5B, 0x3C,
161 0x08, 0x7A, 0xF7, 0xFC, 0x67, 0x86, 0x69, 0xE7, 0x0A, 0x94, 0x40, 0xBF,
162 0x8B, 0x76, 0xFE, 0x26, 0xD1, 0xF2, 0xA1, 0x1A, 0x84, 0xA1, 0x43, 0x56,
163 0x28, 0xBC, 0x9A, 0x5F, 0xD7, 0x3B, 0x69, 0x89, 0x8A, 0x36, 0x2C, 0x51,
164 0xDF, 0x12, 0x77, 0x2F, 0x57, 0x7B, 0xA0, 0xAA, 0xDD, 0x7F, 0xA1, 0x62,
165 0x3B, 0x40, 0x7B, 0x68, 0x1A, 0x8F, 0x0D, 0x38, 0xBB, 0x21, 0x5D, 0x18,
166 0xFC, 0x0F, 0x46, 0xF7, 0xA3, 0xB0, 0x1D, 0x23, 0xC3, 0xD2, 0xC7, 0x72,
167 0x51, 0x18, 0xDF, 0x46, 0x95, 0x79, 0xD9, 0xBD, 0xB5, 0x19, 0x02, 0x2C,
168 0x87, 0xDC, 0xE7, 0x57, 0x82, 0x7E, 0xF1, 0x8B, 0x06, 0x3D, 0x00, 0xA5,
169 0x7B, 0x6B, 0x26, 0x27, 0x91, 0x0F, 0x6A, 0x77, 0xE4, 0xD5, 0x04, 0xE4,
170 0x12, 0x2C, 0x42, 0xFF, 0xD2, 0x88, 0xBB, 0xD3, 0x92, 0xA0, 0xF9, 0xC8,
171 0x51, 0x64, 0x14, 0x5C, 0xD8, 0xF9, 0x6C, 0x47, 0x82, 0xB4, 0x1C, 0x7F,
172 0x09, 0xB8, 0xF0, 0x25, 0x83, 0x1D, 0x3F, 0x3F, 0x05, 0xB3, 0x21, 0x0A,
173 0x5D, 0xA7, 0xD8, 0x54, 0xC3, 0x65, 0x7D, 0xC3, 0xB0, 0x1D, 0xBF, 0xAE,
174 0xF8, 0x68, 0xCF, 0x9B,
175};
176static unsigned char dsa2048_q[] = {
177 0x97, 0xE7, 0x33, 0x4D, 0xD3, 0x94, 0x3E, 0x0B, 0xDB, 0x62, 0x74, 0xC6,
178 0xA1, 0x08, 0xDD, 0x19, 0xA3, 0x75, 0x17, 0x1B,
179};
180static unsigned char dsa2048_g[] = {
181 0x2C, 0x78, 0x16, 0x59, 0x34, 0x63, 0xF4, 0xF3, 0x92, 0xFC, 0xB5, 0xA5,
182 0x4F, 0x13, 0xDE, 0x2F, 0x1C, 0xA4, 0x3C, 0xAE, 0xAD, 0x38, 0x3F, 0x7E,
183 0x90, 0xBF, 0x96, 0xA6, 0xAE, 0x25, 0x90, 0x72, 0xF5, 0x8E, 0x80, 0x0C,
184 0x39, 0x1C, 0xD9, 0xEC, 0xBA, 0x90, 0x5B, 0x3A, 0xE8, 0x58, 0x6C, 0x9E,
185 0x30, 0x42, 0x37, 0x02, 0x31, 0x82, 0xBC, 0x6A, 0xDF, 0x6A, 0x09, 0x29,
186 0xE3, 0xC0, 0x46, 0xD1, 0xCB, 0x85, 0xEC, 0x0C, 0x30, 0x5E, 0xEA, 0xC8,
187 0x39, 0x8E, 0x22, 0x9F, 0x22, 0x10, 0xD2, 0x34, 0x61, 0x68, 0x37, 0x3D,
188 0x2E, 0x4A, 0x5B, 0x9A, 0xF5, 0xC1, 0x48, 0xC6, 0xF6, 0xDC, 0x63, 0x1A,
189 0xD3, 0x96, 0x64, 0xBA, 0x34, 0xC9, 0xD1, 0xA0, 0xD1, 0xAE, 0x6C, 0x2F,
190 0x48, 0x17, 0x93, 0x14, 0x43, 0xED, 0xF0, 0x21, 0x30, 0x19, 0xC3, 0x1B,
191 0x5F, 0xDE, 0xA3, 0xF0, 0x70, 0x78, 0x18, 0xE1, 0xA8, 0xE4, 0xEE, 0x2E,
192 0x00, 0xA5, 0xE4, 0xB3, 0x17, 0xC8, 0x0C, 0x7D, 0x6E, 0x42, 0xDC, 0xB7,
193 0x46, 0x00, 0x36, 0x4D, 0xD4, 0x46, 0xAA, 0x3D, 0x3C, 0x46, 0x89, 0x40,
194 0xBF, 0x1D, 0x84, 0x77, 0x0A, 0x75, 0xF3, 0x87, 0x1D, 0x08, 0x4C, 0xA6,
195 0xD1, 0xA9, 0x1C, 0x1E, 0x12, 0x1E, 0xE1, 0xC7, 0x30, 0x28, 0x76, 0xA5,
196 0x7F, 0x6C, 0x85, 0x96, 0x2B, 0x6F, 0xDB, 0x80, 0x66, 0x26, 0xAE, 0xF5,
197 0x93, 0xC7, 0x8E, 0xAE, 0x9A, 0xED, 0xE4, 0xCA, 0x04, 0xEA, 0x3B, 0x72,
198 0xEF, 0xDC, 0x87, 0xED, 0x0D, 0xA5, 0x4C, 0x4A, 0xDD, 0x71, 0x22, 0x64,
199 0x59, 0x69, 0x4E, 0x8E, 0xBF, 0x43, 0xDC, 0xAB, 0x8E, 0x66, 0xBB, 0x01,
200 0xB6, 0xF4, 0xE7, 0xFD, 0xD2, 0xAD, 0x9F, 0x36, 0xC1, 0xA0, 0x29, 0x99,
201 0xD1, 0x96, 0x70, 0x59, 0x06, 0x78, 0x35, 0xBD, 0x65, 0x55, 0x52, 0x9E,
202 0xF8, 0xB2, 0xE5, 0x38,
203};
204
205DSA *
206get_dsa2048()
207{
208 DSA *dsa;
209
210 if ((dsa = DSA_new()) == NULL)
211 return (NULL);
212 dsa->priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
213 dsa->pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
214 dsa->p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
215 dsa->q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
216 dsa->g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
217 if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) ||
218 (dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
219 return (NULL);
220 return (dsa);
221}
diff --git a/src/lib/libssl/src/apps/testrsa.h b/src/lib/libssl/src/apps/testrsa.h
deleted file mode 100644
index 66e13281f7..0000000000
--- a/src/lib/libssl/src/apps/testrsa.h
+++ /dev/null
@@ -1,517 +0,0 @@
1/* $OpenBSD: testrsa.h,v 1.4 2014/06/12 15:49:27 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59static unsigned char test512[] = {
60 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
61 0xd6, 0x33, 0xb9, 0xc8, 0xfb, 0x4f, 0x3c, 0x7d, 0xc0, 0x01,
62 0x86, 0xd0, 0xe7, 0xa0, 0x55, 0xf2, 0x95, 0x93, 0xcc, 0x4f,
63 0xb7, 0x5b, 0x67, 0x5b, 0x94, 0x68, 0xc9, 0x34, 0x15, 0xde,
64 0xa5, 0x2e, 0x1c, 0x33, 0xc2, 0x6e, 0xfc, 0x34, 0x5e, 0x71,
65 0x13, 0xb7, 0xd6, 0xee, 0xd8, 0xa5, 0x65, 0x05, 0x72, 0x87,
66 0xa8, 0xb0, 0x77, 0xfe, 0x57, 0xf5, 0xfc, 0x5f, 0x55, 0x83,
67 0x87, 0xdd, 0x57, 0x49, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
68 0x41, 0x00, 0xa7, 0xf7, 0x91, 0xc5, 0x0f, 0x84, 0x57, 0xdc,
69 0x07, 0xf7, 0x6a, 0x7f, 0x60, 0x52, 0xb3, 0x72, 0xf1, 0x66,
70 0x1f, 0x7d, 0x97, 0x3b, 0x9e, 0xb6, 0x0a, 0x8f, 0x8c, 0xcf,
71 0x42, 0x23, 0x00, 0x04, 0xd4, 0x28, 0x0e, 0x1c, 0x90, 0xc4,
72 0x11, 0x25, 0x25, 0xa5, 0x93, 0xa5, 0x2f, 0x70, 0x02, 0xdf,
73 0x81, 0x9c, 0x49, 0x03, 0xa0, 0xf8, 0x6d, 0x54, 0x2e, 0x26,
74 0xde, 0xaa, 0x85, 0x59, 0xa8, 0x31, 0x02, 0x21, 0x00, 0xeb,
75 0x47, 0xd7, 0x3b, 0xf6, 0xc3, 0xdd, 0x5a, 0x46, 0xc5, 0xb9,
76 0x2b, 0x9a, 0xa0, 0x09, 0x8f, 0xa6, 0xfb, 0xf3, 0x78, 0x7a,
77 0x33, 0x70, 0x9d, 0x0f, 0x42, 0x6b, 0x13, 0x68, 0x24, 0xd3,
78 0x15, 0x02, 0x21, 0x00, 0xe9, 0x10, 0xb0, 0xb3, 0x0d, 0xe2,
79 0x82, 0x68, 0x77, 0x8a, 0x6e, 0x7c, 0xda, 0xbc, 0x3e, 0x53,
80 0x83, 0xfb, 0xd6, 0x22, 0xe7, 0xb5, 0xae, 0x6e, 0x80, 0xda,
81 0x00, 0x55, 0x97, 0xc1, 0xd0, 0x65, 0x02, 0x20, 0x4c, 0xf8,
82 0x73, 0xb1, 0x6a, 0x49, 0x29, 0x61, 0x1f, 0x46, 0x10, 0x0d,
83 0xf3, 0xc7, 0xe7, 0x58, 0xd7, 0x88, 0x15, 0x5e, 0x94, 0x9b,
84 0xbf, 0x7b, 0xa2, 0x42, 0x58, 0x45, 0x41, 0x0c, 0xcb, 0x01,
85 0x02, 0x20, 0x12, 0x11, 0xba, 0x31, 0x57, 0x9d, 0x3d, 0x11,
86 0x0e, 0x5b, 0x8c, 0x2f, 0x5f, 0xe2, 0x02, 0x4f, 0x05, 0x47,
87 0x8c, 0x15, 0x8e, 0xb3, 0x56, 0x3f, 0xb8, 0xfb, 0xad, 0xd4,
88 0xf4, 0xfc, 0x10, 0xc5, 0x02, 0x20, 0x18, 0xa1, 0x29, 0x99,
89 0x5b, 0xd9, 0xc8, 0xd4, 0xfc, 0x49, 0x7a, 0x2a, 0x21, 0x2c,
90 0x49, 0xe4, 0x4f, 0xeb, 0xef, 0x51, 0xf1, 0xab, 0x6d, 0xfb,
91 0x4b, 0x14, 0xe9, 0x4b, 0x52, 0xb5, 0x82, 0x2c,
92};
93
94static unsigned char test1024[] = {
95 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
96 0x00, 0xdc, 0x98, 0x43, 0xe8, 0x3d, 0x43, 0x5b, 0xe4, 0x05,
97 0xcd, 0xd0, 0xa9, 0x3e, 0xcb, 0x83, 0x75, 0xf6, 0xb5, 0xa5,
98 0x9f, 0x6b, 0xe9, 0x34, 0x41, 0x29, 0x18, 0xfa, 0x6a, 0x55,
99 0x4d, 0x70, 0xfc, 0xec, 0xae, 0x87, 0x38, 0x0a, 0x20, 0xa9,
100 0xc0, 0x45, 0x77, 0x6e, 0x57, 0x60, 0x57, 0xf4, 0xed, 0x96,
101 0x22, 0xcb, 0x8f, 0xe1, 0x33, 0x3a, 0x17, 0x1f, 0xed, 0x37,
102 0xa5, 0x6f, 0xeb, 0xa6, 0xbc, 0x12, 0x80, 0x1d, 0x53, 0xbd,
103 0x70, 0xeb, 0x21, 0x76, 0x3e, 0xc9, 0x2f, 0x1a, 0x45, 0x24,
104 0x82, 0xff, 0xcd, 0x59, 0x32, 0x06, 0x2e, 0x12, 0x3b, 0x23,
105 0x78, 0xed, 0x12, 0x3d, 0xe0, 0x8d, 0xf9, 0x67, 0x4f, 0x37,
106 0x4e, 0x47, 0x02, 0x4c, 0x2d, 0xc0, 0x4f, 0x1f, 0xb3, 0x94,
107 0xe1, 0x41, 0x2e, 0x2d, 0x90, 0x10, 0xfc, 0x82, 0x91, 0x8b,
108 0x0f, 0x22, 0xd4, 0xf2, 0xfc, 0x2c, 0xab, 0x53, 0x55, 0x02,
109 0x03, 0x01, 0x00, 0x01, 0x02, 0x81, 0x80, 0x2b, 0xcc, 0x3f,
110 0x8f, 0x58, 0xba, 0x8b, 0x00, 0x16, 0xf6, 0xea, 0x3a, 0xf0,
111 0x30, 0xd0, 0x05, 0x17, 0xda, 0xb0, 0xeb, 0x9a, 0x2d, 0x4f,
112 0x26, 0xb0, 0xd6, 0x38, 0xc1, 0xeb, 0xf5, 0xd8, 0x3d, 0x1f,
113 0x70, 0xf7, 0x7f, 0xf4, 0xe2, 0xcf, 0x51, 0x51, 0x79, 0x88,
114 0xfa, 0xe8, 0x32, 0x0e, 0x7b, 0x2d, 0x97, 0xf2, 0xfa, 0xba,
115 0x27, 0xc5, 0x9c, 0xd9, 0xc5, 0xeb, 0x8a, 0x79, 0x52, 0x3c,
116 0x64, 0x34, 0x7d, 0xc2, 0xcf, 0x28, 0xc7, 0x4e, 0xd5, 0x43,
117 0x0b, 0xd1, 0xa6, 0xca, 0x6d, 0x03, 0x2d, 0x72, 0x23, 0xbc,
118 0x6d, 0x05, 0xfa, 0x16, 0x09, 0x2f, 0x2e, 0x5c, 0xb6, 0xee,
119 0x74, 0xdd, 0xd2, 0x48, 0x8e, 0x36, 0x0c, 0x06, 0x3d, 0x4d,
120 0xe5, 0x10, 0x82, 0xeb, 0x6a, 0xf3, 0x4b, 0x9f, 0xd6, 0xed,
121 0x11, 0xb1, 0x6e, 0xec, 0xf4, 0xfe, 0x8e, 0x75, 0x94, 0x20,
122 0x2f, 0xcb, 0xac, 0x46, 0xf1, 0x02, 0x41, 0x00, 0xf9, 0x8c,
123 0xa3, 0x85, 0xb1, 0xdd, 0x29, 0xaf, 0x65, 0xc1, 0x33, 0xf3,
124 0x95, 0xc5, 0x52, 0x68, 0x0b, 0xd4, 0xf1, 0xe5, 0x0e, 0x02,
125 0x9f, 0x4f, 0xfa, 0x77, 0xdc, 0x46, 0x9e, 0xc7, 0xa6, 0xe4,
126 0x16, 0x29, 0xda, 0xb0, 0x07, 0xcf, 0x5b, 0xa9, 0x12, 0x8a,
127 0xdd, 0x63, 0x0a, 0xde, 0x2e, 0x8c, 0x66, 0x8b, 0x8c, 0xdc,
128 0x19, 0xa3, 0x7e, 0xf4, 0x3b, 0xd0, 0x1a, 0x8c, 0xa4, 0xc2,
129 0xe1, 0xd3, 0x02, 0x41, 0x00, 0xe2, 0x4c, 0x05, 0xf2, 0x04,
130 0x86, 0x4e, 0x61, 0x43, 0xdb, 0xb0, 0xb9, 0x96, 0x86, 0x52,
131 0x2c, 0xca, 0x8d, 0x7b, 0xab, 0x0b, 0x13, 0x0d, 0x7e, 0x38,
132 0x5b, 0xe2, 0x2e, 0x7b, 0x0e, 0xe7, 0x19, 0x99, 0x38, 0xe7,
133 0xf2, 0x21, 0xbd, 0x85, 0x85, 0xe3, 0xfd, 0x28, 0x77, 0x20,
134 0x31, 0x71, 0x2c, 0xd0, 0xff, 0xfb, 0x2e, 0xaf, 0x85, 0xb4,
135 0x86, 0xca, 0xf3, 0xbb, 0xca, 0xaa, 0x0f, 0x95, 0x37, 0x02,
136 0x40, 0x0e, 0x41, 0x9a, 0x95, 0xe8, 0xb3, 0x59, 0xce, 0x4b,
137 0x61, 0xde, 0x35, 0xec, 0x38, 0x79, 0x9c, 0xb8, 0x10, 0x52,
138 0x41, 0x63, 0xab, 0x82, 0xae, 0x6f, 0x00, 0xa9, 0xf4, 0xde,
139 0xdd, 0x49, 0x0b, 0x7e, 0xb8, 0xa5, 0x65, 0xa9, 0x0c, 0x8f,
140 0x8f, 0xf9, 0x1f, 0x35, 0xc6, 0x92, 0xb8, 0x5e, 0xb0, 0x66,
141 0xab, 0x52, 0x40, 0xc0, 0xb6, 0x36, 0x6a, 0x7d, 0x80, 0x46,
142 0x04, 0x02, 0xe5, 0x9f, 0x41, 0x02, 0x41, 0x00, 0xc0, 0xad,
143 0xcc, 0x4e, 0x21, 0xee, 0x1d, 0x24, 0x91, 0xfb, 0xa7, 0x80,
144 0x8d, 0x9a, 0xb6, 0xb3, 0x2e, 0x8f, 0xc2, 0xe1, 0x82, 0xdf,
145 0x69, 0x18, 0xb4, 0x71, 0xff, 0xa6, 0x65, 0xde, 0xed, 0x84,
146 0x8d, 0x42, 0xb7, 0xb3, 0x21, 0x69, 0x56, 0x1c, 0x07, 0x60,
147 0x51, 0x29, 0x04, 0xff, 0x34, 0x06, 0xdd, 0xb9, 0x67, 0x2c,
148 0x7c, 0x04, 0x93, 0x0e, 0x46, 0x15, 0xbb, 0x2a, 0xb7, 0x1b,
149 0xe7, 0x87, 0x02, 0x40, 0x78, 0xda, 0x5d, 0x07, 0x51, 0x0c,
150 0x16, 0x7a, 0x9f, 0x29, 0x20, 0x84, 0x0d, 0x42, 0xfa, 0xd7,
151 0x00, 0xd8, 0x77, 0x7e, 0xb0, 0xb0, 0x6b, 0xd6, 0x5b, 0x53,
152 0xb8, 0x9b, 0x7a, 0xcd, 0xc7, 0x2b, 0xb8, 0x6a, 0x63, 0xa9,
153 0xfb, 0x6f, 0xa4, 0x72, 0xbf, 0x4c, 0x5d, 0x00, 0x14, 0xba,
154 0xfa, 0x59, 0x88, 0xed, 0xe4, 0xe0, 0x8c, 0xa2, 0xec, 0x14,
155 0x7e, 0x2d, 0xe2, 0xf0, 0x46, 0x49, 0x95, 0x45,
156};
157
158static unsigned char test2048[] = {
159 0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01,
160 0x01, 0x00, 0xc0, 0xc0, 0xce, 0x3e, 0x3c, 0x53, 0x67, 0x3f,
161 0x4f, 0xc5, 0x2f, 0xa4, 0xc2, 0x5a, 0x2f, 0x58, 0xfd, 0x27,
162 0x52, 0x6a, 0xe8, 0xcf, 0x4a, 0x73, 0x47, 0x8d, 0x25, 0x0f,
163 0x5f, 0x03, 0x26, 0x78, 0xef, 0xf0, 0x22, 0x12, 0xd3, 0xde,
164 0x47, 0xb2, 0x1c, 0x0b, 0x38, 0x63, 0x1a, 0x6c, 0x85, 0x7a,
165 0x80, 0xc6, 0x8f, 0xa0, 0x41, 0xaf, 0x62, 0xc4, 0x67, 0x32,
166 0x88, 0xf8, 0xa6, 0x9c, 0xf5, 0x23, 0x1d, 0xe4, 0xac, 0x3f,
167 0x29, 0xf9, 0xec, 0xe1, 0x8b, 0x26, 0x03, 0x2c, 0xb2, 0xab,
168 0xf3, 0x7d, 0xb5, 0xca, 0x49, 0xc0, 0x8f, 0x1c, 0xdf, 0x33,
169 0x3a, 0x60, 0xda, 0x3c, 0xb0, 0x16, 0xf8, 0xa9, 0x12, 0x8f,
170 0x64, 0xac, 0x23, 0x0c, 0x69, 0x64, 0x97, 0x5d, 0x99, 0xd4,
171 0x09, 0x83, 0x9b, 0x61, 0xd3, 0xac, 0xf0, 0xde, 0xdd, 0x5e,
172 0x9f, 0x44, 0x94, 0xdb, 0x3a, 0x4d, 0x97, 0xe8, 0x52, 0x29,
173 0xf7, 0xdb, 0x94, 0x07, 0x45, 0x90, 0x78, 0x1e, 0x31, 0x0b,
174 0x80, 0xf7, 0x57, 0xad, 0x1c, 0x79, 0xc5, 0xcb, 0x32, 0xb0,
175 0xce, 0xcd, 0x74, 0xb3, 0xe2, 0x94, 0xc5, 0x78, 0x2f, 0x34,
176 0x1a, 0x45, 0xf7, 0x8c, 0x52, 0xa5, 0xbc, 0x8d, 0xec, 0xd1,
177 0x2f, 0x31, 0x3b, 0xf0, 0x49, 0x59, 0x5e, 0x88, 0x9d, 0x15,
178 0x92, 0x35, 0x32, 0xc1, 0xe7, 0x61, 0xec, 0x50, 0x48, 0x7c,
179 0xba, 0x05, 0xf9, 0xf8, 0xf8, 0xa7, 0x8c, 0x83, 0xe8, 0x66,
180 0x5b, 0xeb, 0xfe, 0xd8, 0x4f, 0xdd, 0x6d, 0x36, 0xc0, 0xb2,
181 0x90, 0x0f, 0xb8, 0x52, 0xf9, 0x04, 0x9b, 0x40, 0x2c, 0x27,
182 0xd6, 0x36, 0x8e, 0xc2, 0x1b, 0x44, 0xf3, 0x92, 0xd5, 0x15,
183 0x9e, 0x9a, 0xbc, 0xf3, 0x7d, 0x03, 0xd7, 0x02, 0x14, 0x20,
184 0xe9, 0x10, 0x92, 0xfd, 0xf9, 0xfc, 0x8f, 0xe5, 0x18, 0xe1,
185 0x95, 0xcc, 0x9e, 0x60, 0xa6, 0xfa, 0x38, 0x4d, 0x02, 0x03,
186 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x00, 0xc3, 0xc3,
187 0x0d, 0xb4, 0x27, 0x90, 0x8d, 0x4b, 0xbf, 0xb8, 0x84, 0xaa,
188 0xd0, 0xb8, 0xc7, 0x5d, 0x99, 0xbe, 0x55, 0xf6, 0x3e, 0x7c,
189 0x49, 0x20, 0xcb, 0x8a, 0x8e, 0x19, 0x0e, 0x66, 0x24, 0xac,
190 0xaf, 0x03, 0x33, 0x97, 0xeb, 0x95, 0xd5, 0x3b, 0x0f, 0x40,
191 0x56, 0x04, 0x50, 0xd1, 0xe6, 0xbe, 0x84, 0x0b, 0x25, 0xd3,
192 0x9c, 0xe2, 0x83, 0x6c, 0xf5, 0x62, 0x5d, 0xba, 0x2b, 0x7d,
193 0x3d, 0x7a, 0x6c, 0xe1, 0xd2, 0x0e, 0x54, 0x93, 0x80, 0x01,
194 0x91, 0x51, 0x09, 0xe8, 0x5b, 0x8e, 0x47, 0xbd, 0x64, 0xe4,
195 0x0e, 0x03, 0x83, 0x55, 0xcf, 0x5a, 0x37, 0xf0, 0x25, 0xb5,
196 0x7d, 0x21, 0xd7, 0x69, 0xdf, 0x6f, 0xc2, 0xcf, 0x10, 0xc9,
197 0x8a, 0x40, 0x9f, 0x7a, 0x70, 0xc0, 0xe8, 0xe8, 0xc0, 0xe6,
198 0x9a, 0x15, 0x0a, 0x8d, 0x4e, 0x46, 0xcb, 0x7a, 0xdb, 0xb3,
199 0xcb, 0x83, 0x02, 0xc4, 0xf0, 0xab, 0xeb, 0x02, 0x01, 0x0e,
200 0x23, 0xfc, 0x1d, 0xc4, 0xbd, 0xd4, 0xaa, 0x5d, 0x31, 0x46,
201 0x99, 0xce, 0x9e, 0xf8, 0x04, 0x75, 0x10, 0x67, 0xc4, 0x53,
202 0x47, 0x44, 0xfa, 0xc2, 0x25, 0x73, 0x7e, 0xd0, 0x8e, 0x59,
203 0xd1, 0xb2, 0x5a, 0xf4, 0xc7, 0x18, 0x92, 0x2f, 0x39, 0xab,
204 0xcd, 0xa3, 0xb5, 0xc2, 0xb9, 0xc7, 0xb9, 0x1b, 0x9f, 0x48,
205 0xfa, 0x13, 0xc6, 0x98, 0x4d, 0xca, 0x84, 0x9c, 0x06, 0xca,
206 0xe7, 0x89, 0x01, 0x04, 0xc4, 0x6c, 0xfd, 0x29, 0x59, 0x35,
207 0xe7, 0xf3, 0xdd, 0xce, 0x64, 0x59, 0xbf, 0x21, 0x13, 0xa9,
208 0x9f, 0x0e, 0xc5, 0xff, 0xbd, 0x33, 0x00, 0xec, 0xac, 0x6b,
209 0x11, 0xef, 0x51, 0x5e, 0xad, 0x07, 0x15, 0xde, 0xb8, 0x5f,
210 0xc6, 0xb9, 0xa3, 0x22, 0x65, 0x46, 0x83, 0x14, 0xdf, 0xd0,
211 0xf1, 0x44, 0x8a, 0xe1, 0x9c, 0x23, 0x33, 0xb4, 0x97, 0x33,
212 0xe6, 0x6b, 0x81, 0x02, 0x81, 0x81, 0x00, 0xec, 0x12, 0xa7,
213 0x59, 0x74, 0x6a, 0xde, 0x3e, 0xad, 0xd8, 0x36, 0x80, 0x50,
214 0xa2, 0xd5, 0x21, 0x81, 0x07, 0xf1, 0xd0, 0x91, 0xf2, 0x6c,
215 0x12, 0x2f, 0x9d, 0x1a, 0x26, 0xf8, 0x30, 0x65, 0xdf, 0xe8,
216 0xc0, 0x9b, 0x6a, 0x30, 0x98, 0x82, 0x87, 0xec, 0xa2, 0x56,
217 0x87, 0x62, 0x6f, 0xe7, 0x9f, 0xf6, 0x56, 0xe6, 0x71, 0x8f,
218 0x49, 0x86, 0x93, 0x5a, 0x4d, 0x34, 0x58, 0xfe, 0xd9, 0x04,
219 0x13, 0xaf, 0x79, 0xb7, 0xad, 0x11, 0xd1, 0x30, 0x9a, 0x14,
220 0x06, 0xa0, 0xfa, 0xb7, 0x55, 0xdc, 0x6c, 0x5a, 0x4c, 0x2c,
221 0x59, 0x56, 0xf6, 0xe8, 0x9d, 0xaf, 0x0a, 0x78, 0x99, 0x06,
222 0x06, 0x9e, 0xe7, 0x9c, 0x51, 0x55, 0x43, 0xfc, 0x3b, 0x6c,
223 0x0b, 0xbf, 0x2d, 0x41, 0xa7, 0xaf, 0xb7, 0xe0, 0xe8, 0x28,
224 0x18, 0xb4, 0x13, 0xd1, 0xe6, 0x97, 0xd0, 0x9f, 0x6a, 0x80,
225 0xca, 0xdd, 0x1a, 0x7e, 0x15, 0x02, 0x81, 0x81, 0x00, 0xd1,
226 0x06, 0x0c, 0x1f, 0xe3, 0xd0, 0xab, 0xd6, 0xca, 0x7c, 0xbc,
227 0x7d, 0x13, 0x35, 0xce, 0x27, 0xcd, 0xd8, 0x49, 0x51, 0x63,
228 0x64, 0x0f, 0xca, 0x06, 0x12, 0xfc, 0x07, 0x3e, 0xaf, 0x61,
229 0x6d, 0xe2, 0x53, 0x39, 0x27, 0xae, 0xc3, 0x11, 0x9e, 0x94,
230 0x01, 0x4f, 0xe3, 0xf3, 0x67, 0xf9, 0x77, 0xf9, 0xe7, 0x95,
231 0x3a, 0x6f, 0xe2, 0x20, 0x73, 0x3e, 0xa4, 0x7a, 0x28, 0xd4,
232 0x61, 0x97, 0xf6, 0x17, 0xa0, 0x23, 0x10, 0x2b, 0xce, 0x84,
233 0x57, 0x7e, 0x25, 0x1f, 0xf4, 0xa8, 0x54, 0xd2, 0x65, 0x94,
234 0xcc, 0x95, 0x0a, 0xab, 0x30, 0xc1, 0x59, 0x1f, 0x61, 0x8e,
235 0xb9, 0x6b, 0xd7, 0x4e, 0xb9, 0x83, 0x43, 0x79, 0x85, 0x11,
236 0xbc, 0x0f, 0xae, 0x25, 0x20, 0x05, 0xbc, 0xd2, 0x48, 0xa1,
237 0x68, 0x09, 0x84, 0xf6, 0x12, 0x9a, 0x66, 0xb9, 0x2b, 0xbb,
238 0x76, 0x03, 0x17, 0x46, 0x4e, 0x97, 0x59, 0x02, 0x81, 0x80,
239 0x09, 0x4c, 0xfa, 0xd6, 0xe5, 0x65, 0x48, 0x78, 0x43, 0xb5,
240 0x1f, 0x00, 0x93, 0x2c, 0xb7, 0x24, 0xe8, 0xc6, 0x7d, 0x5a,
241 0x70, 0x45, 0x92, 0xc8, 0x6c, 0xa3, 0xcd, 0xe1, 0xf7, 0x29,
242 0x40, 0xfa, 0x3f, 0x5b, 0x47, 0x44, 0x39, 0xc1, 0xe8, 0x72,
243 0x9e, 0x7a, 0x0e, 0xda, 0xaa, 0xa0, 0x2a, 0x09, 0xfd, 0x54,
244 0x93, 0x23, 0xaa, 0x37, 0x85, 0x5b, 0xcc, 0xd4, 0xf9, 0xd8,
245 0xff, 0xc1, 0x61, 0x0d, 0xbd, 0x7e, 0x18, 0x24, 0x73, 0x6d,
246 0x40, 0x72, 0xf1, 0x93, 0x09, 0x48, 0x97, 0x6c, 0x84, 0x90,
247 0xa8, 0x46, 0x14, 0x01, 0x39, 0x11, 0xe5, 0x3c, 0x41, 0x27,
248 0x32, 0x75, 0x24, 0xed, 0xa1, 0xd9, 0x12, 0x29, 0x8a, 0x28,
249 0x71, 0x89, 0x8d, 0xca, 0x30, 0xb0, 0x01, 0xc4, 0x2f, 0x82,
250 0x19, 0x14, 0x4c, 0x70, 0x1c, 0xb8, 0x23, 0x2e, 0xe8, 0x90,
251 0x49, 0x97, 0x92, 0x97, 0x6b, 0x7a, 0x9d, 0xb9, 0x02, 0x81,
252 0x80, 0x0f, 0x0e, 0xa1, 0x76, 0xf6, 0xa1, 0x44, 0x8f, 0xaf,
253 0x7c, 0x76, 0xd3, 0x87, 0xbb, 0xbb, 0x83, 0x10, 0x88, 0x01,
254 0x18, 0x14, 0xd1, 0xd3, 0x75, 0x59, 0x24, 0xaa, 0xf5, 0x16,
255 0xa5, 0xe9, 0x9d, 0xd1, 0xcc, 0xee, 0xf4, 0x15, 0xd9, 0xc5,
256 0x7e, 0x27, 0xe9, 0x44, 0x49, 0x06, 0x72, 0xb9, 0xfc, 0xd3,
257 0x8a, 0xc4, 0x2c, 0x36, 0x7d, 0x12, 0x9b, 0x5a, 0xaa, 0xdc,
258 0x85, 0xee, 0x6e, 0xad, 0x54, 0xb3, 0xf4, 0xfc, 0x31, 0xa1,
259 0x06, 0x3a, 0x70, 0x57, 0x0c, 0xf3, 0x95, 0x5b, 0x3e, 0xe8,
260 0xfd, 0x1a, 0x4f, 0xf6, 0x78, 0x93, 0x46, 0x6a, 0xd7, 0x31,
261 0xb4, 0x84, 0x64, 0x85, 0x09, 0x38, 0x89, 0x92, 0x94, 0x1c,
262 0xbf, 0xe2, 0x3c, 0x2a, 0xe0, 0xff, 0x99, 0xa3, 0xf0, 0x2b,
263 0x31, 0xc2, 0x36, 0xcd, 0x60, 0xbf, 0x9d, 0x2d, 0x74, 0x32,
264 0xe8, 0x9c, 0x93, 0x6e, 0xbb, 0x91, 0x7b, 0xfd, 0xd9, 0x02,
265 0x81, 0x81, 0x00, 0xa2, 0x71, 0x25, 0x38, 0xeb, 0x2a, 0xe9,
266 0x37, 0xcd, 0xfe, 0x44, 0xce, 0x90, 0x3f, 0x52, 0x87, 0x84,
267 0x52, 0x1b, 0xae, 0x8d, 0x22, 0x94, 0xce, 0x38, 0xe6, 0x04,
268 0x88, 0x76, 0x85, 0x9a, 0xd3, 0x14, 0x09, 0xe5, 0x69, 0x9a,
269 0xff, 0x58, 0x92, 0x02, 0x6a, 0x7d, 0x7c, 0x1e, 0x2c, 0xfd,
270 0xa8, 0xca, 0x32, 0x14, 0x4f, 0x0d, 0x84, 0x0d, 0x37, 0x43,
271 0xbf, 0xe4, 0x5d, 0x12, 0xc8, 0x24, 0x91, 0x27, 0x8d, 0x46,
272 0xd9, 0x54, 0x53, 0xe7, 0x62, 0x71, 0xa8, 0x2b, 0x71, 0x41,
273 0x8d, 0x75, 0xf8, 0x3a, 0xa0, 0x61, 0x29, 0x46, 0xa6, 0xe5,
274 0x82, 0xfa, 0x3a, 0xd9, 0x08, 0xfa, 0xfc, 0x63, 0xfd, 0x6b,
275 0x30, 0xbc, 0xf4, 0x4e, 0x9e, 0x8c, 0x25, 0x0c, 0xb6, 0x55,
276 0xe7, 0x3c, 0xd4, 0x4e, 0x0b, 0xfd, 0x8b, 0xc3, 0x0e, 0x1d,
277 0x9c, 0x44, 0x57, 0x8f, 0x1f, 0x86, 0xf7, 0xd5, 0x1b, 0xe4,
278 0x95,
279};
280
281static unsigned char test4096[] = {
282 0x30, 0x82, 0x09, 0x29, 0x02, 0x01, 0x00, 0x02, 0x82, 0x02,
283 0x01, 0x00, 0xc0, 0x71, 0xac, 0x1a, 0x13, 0x88, 0x82, 0x43,
284 0x3b, 0x51, 0x57, 0x71, 0x8d, 0xb6, 0x2b, 0x82, 0x65, 0x21,
285 0x53, 0x5f, 0x28, 0x29, 0x4f, 0x8d, 0x7c, 0x8a, 0xb9, 0x44,
286 0xb3, 0x28, 0x41, 0x4f, 0xd3, 0xfa, 0x6a, 0xf8, 0xb9, 0x28,
287 0x50, 0x39, 0x67, 0x53, 0x2c, 0x3c, 0xd7, 0xcb, 0x96, 0x41,
288 0x40, 0x32, 0xbb, 0xeb, 0x70, 0xae, 0x1f, 0xb0, 0x65, 0xf7,
289 0x3a, 0xd9, 0x22, 0xfd, 0x10, 0xae, 0xbd, 0x02, 0xe2, 0xdd,
290 0xf3, 0xc2, 0x79, 0x3c, 0xc6, 0xfc, 0x75, 0xbb, 0xaf, 0x4e,
291 0x3a, 0x36, 0xc2, 0x4f, 0xea, 0x25, 0xdf, 0x13, 0x16, 0x4b,
292 0x20, 0xfe, 0x4b, 0x69, 0x16, 0xc4, 0x7f, 0x1a, 0x43, 0xa6,
293 0x17, 0x1b, 0xb9, 0x0a, 0xf3, 0x09, 0x86, 0x28, 0x89, 0xcf,
294 0x2c, 0xd0, 0xd4, 0x81, 0xaf, 0xc6, 0x6d, 0xe6, 0x21, 0x8d,
295 0xee, 0xef, 0xea, 0xdc, 0xb7, 0xc6, 0x3b, 0x63, 0x9f, 0x0e,
296 0xad, 0x89, 0x78, 0x23, 0x18, 0xbf, 0x70, 0x7e, 0x84, 0xe0,
297 0x37, 0xec, 0xdb, 0x8e, 0x9c, 0x3e, 0x6a, 0x19, 0xcc, 0x99,
298 0x72, 0xe6, 0xb5, 0x7d, 0x6d, 0xfa, 0xe5, 0xd3, 0xe4, 0x90,
299 0xb5, 0xb2, 0xb2, 0x12, 0x70, 0x4e, 0xca, 0xf8, 0x10, 0xf8,
300 0xa3, 0x14, 0xc2, 0x48, 0x19, 0xeb, 0x60, 0x99, 0xbb, 0x2a,
301 0x1f, 0xb1, 0x7a, 0xb1, 0x3d, 0x24, 0xfb, 0xa0, 0x29, 0xda,
302 0xbd, 0x1b, 0xd7, 0xa4, 0xbf, 0xef, 0x60, 0x2d, 0x22, 0xca,
303 0x65, 0x98, 0xf1, 0xc4, 0xe1, 0xc9, 0x02, 0x6b, 0x16, 0x28,
304 0x2f, 0xa1, 0xaa, 0x79, 0x00, 0xda, 0xdc, 0x7c, 0x43, 0xf7,
305 0x42, 0x3c, 0xa0, 0xef, 0x68, 0xf7, 0xdf, 0xb9, 0x69, 0xfb,
306 0x8e, 0x01, 0xed, 0x01, 0x42, 0xb5, 0x4e, 0x57, 0xa6, 0x26,
307 0xb8, 0xd0, 0x7b, 0x56, 0x6d, 0x03, 0xc6, 0x40, 0x8c, 0x8c,
308 0x2a, 0x55, 0xd7, 0x9c, 0x35, 0x00, 0x94, 0x93, 0xec, 0x03,
309 0xeb, 0x22, 0xef, 0x77, 0xbb, 0x79, 0x13, 0x3f, 0x15, 0xa1,
310 0x8f, 0xca, 0xdf, 0xfd, 0xd3, 0xb8, 0xe1, 0xd4, 0xcc, 0x09,
311 0x3f, 0x3c, 0x2c, 0xdb, 0xd1, 0x49, 0x7f, 0x38, 0x07, 0x83,
312 0x6d, 0xeb, 0x08, 0x66, 0xe9, 0x06, 0x44, 0x12, 0xac, 0x95,
313 0x22, 0x90, 0x23, 0x67, 0xd4, 0x08, 0xcc, 0xf4, 0xb7, 0xdc,
314 0xcc, 0x87, 0xd4, 0xac, 0x69, 0x35, 0x4c, 0xb5, 0x39, 0x36,
315 0xcd, 0xa4, 0xd2, 0x95, 0xca, 0x0d, 0xc5, 0xda, 0xc2, 0xc5,
316 0x22, 0x32, 0x28, 0x08, 0xe3, 0xd2, 0x8b, 0x38, 0x30, 0xdc,
317 0x8c, 0x75, 0x4f, 0x6a, 0xec, 0x7a, 0xac, 0x16, 0x3e, 0xa8,
318 0xd4, 0x6a, 0x45, 0xe1, 0xa8, 0x4f, 0x2e, 0x80, 0x34, 0xaa,
319 0x54, 0x1b, 0x02, 0x95, 0x7d, 0x8a, 0x6d, 0xcc, 0x79, 0xca,
320 0xf2, 0xa4, 0x2e, 0x8d, 0xfb, 0xfe, 0x15, 0x51, 0x10, 0x0e,
321 0x4d, 0x88, 0xb1, 0xc7, 0xf4, 0x79, 0xdb, 0xf0, 0xb4, 0x56,
322 0x44, 0x37, 0xca, 0x5a, 0xc1, 0x8c, 0x48, 0xac, 0xae, 0x48,
323 0x80, 0x83, 0x01, 0x3f, 0xde, 0xd9, 0xd3, 0x2c, 0x51, 0x46,
324 0xb1, 0x41, 0xb6, 0xc6, 0x91, 0x72, 0xf9, 0x83, 0x55, 0x1b,
325 0x8c, 0xba, 0xf3, 0x73, 0xe5, 0x2c, 0x74, 0x50, 0x3a, 0xbe,
326 0xc5, 0x2f, 0xa7, 0xb2, 0x6d, 0x8c, 0x9e, 0x13, 0x77, 0xa3,
327 0x13, 0xcd, 0x6d, 0x8c, 0x45, 0xe1, 0xfc, 0x0b, 0xb7, 0x69,
328 0xe9, 0x27, 0xbc, 0x65, 0xc3, 0xfa, 0x9b, 0xd0, 0xef, 0xfe,
329 0xe8, 0x1f, 0xb3, 0x5e, 0x34, 0xf4, 0x8c, 0xea, 0xfc, 0xd3,
330 0x81, 0xbf, 0x3d, 0x30, 0xb2, 0xb4, 0x01, 0xe8, 0x43, 0x0f,
331 0xba, 0x02, 0x23, 0x42, 0x76, 0x82, 0x31, 0x73, 0x91, 0xed,
332 0x07, 0x46, 0x61, 0x0d, 0x39, 0x83, 0x40, 0xce, 0x7a, 0xd4,
333 0xdb, 0x80, 0x2c, 0x1f, 0x0d, 0xd1, 0x34, 0xd4, 0x92, 0xe3,
334 0xd4, 0xf1, 0xc2, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
335 0x82, 0x02, 0x01, 0x00, 0x97, 0x6c, 0xda, 0x6e, 0xea, 0x4f,
336 0xcf, 0xaf, 0xf7, 0x4c, 0xd9, 0xf1, 0x90, 0x00, 0x77, 0xdb,
337 0xf2, 0x97, 0x76, 0x72, 0xb9, 0xb7, 0x47, 0xd1, 0x9c, 0xdd,
338 0xcb, 0x4a, 0x33, 0x6e, 0xc9, 0x75, 0x76, 0xe6, 0xe4, 0xa5,
339 0x31, 0x8c, 0x77, 0x13, 0xb4, 0x29, 0xcd, 0xf5, 0x52, 0x17,
340 0xef, 0xf3, 0x08, 0x00, 0xe3, 0xbd, 0x2e, 0xbc, 0xd4, 0x52,
341 0x88, 0xe9, 0x30, 0x75, 0x0b, 0x02, 0xf5, 0xcd, 0x89, 0x0c,
342 0x6c, 0x57, 0x19, 0x27, 0x3d, 0x1e, 0x85, 0xb4, 0xc1, 0x2f,
343 0x1d, 0x92, 0x00, 0x5c, 0x76, 0x29, 0x4b, 0xa4, 0xe1, 0x12,
344 0xb3, 0xc8, 0x09, 0xfe, 0x0e, 0x78, 0x72, 0x61, 0xcb, 0x61,
345 0x6f, 0x39, 0x91, 0x95, 0x4e, 0xd5, 0x3e, 0xc7, 0x8f, 0xb8,
346 0xf6, 0x36, 0xfe, 0x9c, 0x93, 0x9a, 0x38, 0x25, 0x7a, 0xf4,
347 0x4a, 0x12, 0xd4, 0xa0, 0x13, 0xbd, 0xf9, 0x1d, 0x12, 0x3e,
348 0x21, 0x39, 0xfb, 0x72, 0xe0, 0x05, 0x3d, 0xc3, 0xe5, 0x50,
349 0xa8, 0x5d, 0x85, 0xa3, 0xea, 0x5f, 0x1c, 0xb2, 0x3f, 0xea,
350 0x6d, 0x03, 0x91, 0x55, 0xd8, 0x19, 0x0a, 0x21, 0x12, 0x16,
351 0xd9, 0x12, 0xc4, 0xe6, 0x07, 0x18, 0x5b, 0x26, 0xa4, 0xae,
352 0xed, 0x2b, 0xb7, 0xa6, 0xed, 0xf8, 0xad, 0xec, 0x77, 0xe6,
353 0x7f, 0x4f, 0x76, 0x00, 0xc0, 0xfa, 0x15, 0x92, 0xb4, 0x2c,
354 0x22, 0xc2, 0xeb, 0x6a, 0xad, 0x14, 0x05, 0xb2, 0xe5, 0x8a,
355 0x9e, 0x85, 0x83, 0xcc, 0x04, 0xf1, 0x56, 0x78, 0x44, 0x5e,
356 0xde, 0xe0, 0x60, 0x1a, 0x65, 0x79, 0x31, 0x23, 0x05, 0xbb,
357 0x01, 0xff, 0xdd, 0x2e, 0xb7, 0xb3, 0xaa, 0x74, 0xe0, 0xa5,
358 0x94, 0xaf, 0x4b, 0xde, 0x58, 0x0f, 0x55, 0xde, 0x33, 0xf6,
359 0xe3, 0xd6, 0x34, 0x36, 0x57, 0xd6, 0x79, 0x91, 0x2e, 0xbe,
360 0x3b, 0xd9, 0x4e, 0xb6, 0x9d, 0x21, 0x5c, 0xd3, 0x48, 0x14,
361 0x7f, 0x4a, 0xc4, 0x60, 0xa9, 0x29, 0xf8, 0x53, 0x7f, 0x88,
362 0x11, 0x2d, 0xb5, 0xc5, 0x2d, 0x6f, 0xee, 0x85, 0x0b, 0xf7,
363 0x8d, 0x9a, 0xbe, 0xb0, 0x42, 0xf2, 0x2e, 0x71, 0xaf, 0x19,
364 0x31, 0x6d, 0xec, 0xcd, 0x6f, 0x2b, 0x23, 0xdf, 0xb4, 0x40,
365 0xaf, 0x2c, 0x0a, 0xc3, 0x1b, 0x7d, 0x7d, 0x03, 0x1d, 0x4b,
366 0xf3, 0xb5, 0xe0, 0x85, 0xd8, 0xdf, 0x91, 0x6b, 0x0a, 0x69,
367 0xf7, 0xf2, 0x69, 0x66, 0x5b, 0xf1, 0xcf, 0x46, 0x7d, 0xe9,
368 0x70, 0xfa, 0x6d, 0x7e, 0x75, 0x4e, 0xa9, 0x77, 0xe6, 0x8c,
369 0x02, 0xf7, 0x14, 0x4d, 0xa5, 0x41, 0x8f, 0x3f, 0xc1, 0x62,
370 0x1e, 0x71, 0x5e, 0x38, 0xb4, 0xd6, 0xe6, 0xe1, 0x4b, 0xc2,
371 0x2c, 0x30, 0x83, 0x81, 0x6f, 0x49, 0x2e, 0x96, 0xe6, 0xc9,
372 0x9a, 0xf7, 0x5d, 0x09, 0xa0, 0x55, 0x02, 0xa5, 0x3a, 0x25,
373 0x23, 0xd0, 0x92, 0xc3, 0xa3, 0xe3, 0x0e, 0x12, 0x2f, 0x4d,
374 0xef, 0xf3, 0x55, 0x5a, 0xbe, 0xe6, 0x19, 0x86, 0x31, 0xab,
375 0x75, 0x9a, 0xd3, 0xf0, 0x2c, 0xc5, 0x41, 0x92, 0xd9, 0x1f,
376 0x5f, 0x11, 0x8c, 0x75, 0x1c, 0x63, 0xd0, 0x02, 0x80, 0x2c,
377 0x68, 0xcb, 0x93, 0xfb, 0x51, 0x73, 0x49, 0xb4, 0x60, 0xda,
378 0xe2, 0x26, 0xaf, 0xa9, 0x46, 0x12, 0xb8, 0xec, 0x50, 0xdd,
379 0x12, 0x06, 0x5f, 0xce, 0x59, 0xe6, 0xf6, 0x1c, 0xe0, 0x54,
380 0x10, 0xad, 0xf6, 0xcd, 0x98, 0xcc, 0x0f, 0xfb, 0xcb, 0x41,
381 0x14, 0x9d, 0xed, 0xe4, 0xb4, 0x74, 0x5f, 0x09, 0x60, 0xc7,
382 0x12, 0xf6, 0x7b, 0x3c, 0x8f, 0xa7, 0x20, 0xbc, 0xe4, 0xb1,
383 0xef, 0xeb, 0xa4, 0x93, 0xc5, 0x06, 0xca, 0x9a, 0x27, 0x9d,
384 0x87, 0xf3, 0xde, 0xca, 0xe5, 0xe7, 0xf6, 0x1c, 0x01, 0x65,
385 0x5b, 0xfb, 0x19, 0x79, 0x6e, 0x08, 0x26, 0xc5, 0xc8, 0x28,
386 0x0e, 0xb6, 0x3b, 0x07, 0x08, 0xc1, 0x02, 0x82, 0x01, 0x01,
387 0x00, 0xe8, 0x1c, 0x73, 0xa6, 0xb8, 0xe0, 0x0e, 0x6d, 0x8d,
388 0x1b, 0xb9, 0x53, 0xed, 0x58, 0x94, 0xe6, 0x1d, 0x60, 0x14,
389 0x5c, 0x76, 0x43, 0xc4, 0x58, 0x19, 0xc4, 0x24, 0xe8, 0xbc,
390 0x1b, 0x3b, 0x0b, 0x13, 0x24, 0x45, 0x54, 0x0e, 0xcc, 0x37,
391 0xf0, 0xe0, 0x63, 0x7d, 0xc3, 0xf7, 0xfb, 0x81, 0x74, 0x81,
392 0xc4, 0x0f, 0x1a, 0x21, 0x48, 0xaf, 0xce, 0xc1, 0xc4, 0x94,
393 0x18, 0x06, 0x44, 0x8d, 0xd3, 0xd2, 0x22, 0x2d, 0x2d, 0x3e,
394 0x5a, 0x31, 0xdc, 0x95, 0x8e, 0xf4, 0x41, 0xfc, 0x58, 0xc9,
395 0x40, 0x92, 0x17, 0x5f, 0xe3, 0xda, 0xac, 0x9e, 0x3f, 0x1c,
396 0x2a, 0x6b, 0x58, 0x5f, 0x48, 0x78, 0x20, 0xb1, 0xaf, 0x24,
397 0x9b, 0x3c, 0x20, 0x8b, 0x93, 0x25, 0x9e, 0xe6, 0x6b, 0xbc,
398 0x13, 0x42, 0x14, 0x6c, 0x36, 0x31, 0xff, 0x7a, 0xd1, 0xc1,
399 0x1a, 0x26, 0x14, 0x7f, 0xa9, 0x76, 0xa7, 0x0c, 0xf8, 0xcc,
400 0xed, 0x07, 0x6a, 0xd2, 0xdf, 0x62, 0xee, 0x0a, 0x7c, 0x84,
401 0xcb, 0x49, 0x90, 0xb2, 0x03, 0x0d, 0xa2, 0x82, 0x06, 0x77,
402 0xf1, 0xcd, 0x67, 0xf2, 0x47, 0x21, 0x02, 0x3f, 0x43, 0x21,
403 0xf0, 0x46, 0x30, 0x62, 0x51, 0x72, 0xb1, 0xe7, 0x48, 0xc6,
404 0x67, 0x12, 0xcd, 0x9e, 0xd6, 0x15, 0xe5, 0x21, 0xed, 0xfa,
405 0x8f, 0x30, 0xa6, 0x41, 0xfe, 0xb6, 0xfa, 0x8f, 0x34, 0x14,
406 0x19, 0xe8, 0x11, 0xf7, 0xa5, 0x77, 0x3e, 0xb7, 0xf9, 0x39,
407 0x07, 0x8c, 0x67, 0x2a, 0xab, 0x7b, 0x08, 0xf8, 0xb0, 0x06,
408 0xa8, 0xea, 0x2f, 0x8f, 0xfa, 0xcc, 0xcc, 0x40, 0xce, 0xf3,
409 0x70, 0x4f, 0x3f, 0x7f, 0xe2, 0x0c, 0xea, 0x76, 0x4a, 0x35,
410 0x4e, 0x47, 0xad, 0x2b, 0xa7, 0x97, 0x5d, 0x74, 0x43, 0x97,
411 0x90, 0xd2, 0xfb, 0xd9, 0xf9, 0x96, 0x01, 0x33, 0x05, 0xed,
412 0x7b, 0x03, 0x05, 0xad, 0xf8, 0x49, 0x03, 0x02, 0x82, 0x01,
413 0x01, 0x00, 0xd4, 0x40, 0x17, 0x66, 0x10, 0x92, 0x95, 0xc8,
414 0xec, 0x62, 0xa9, 0x7a, 0xcb, 0x93, 0x8e, 0xe6, 0x53, 0xd4,
415 0x80, 0x48, 0x27, 0x4b, 0x41, 0xce, 0x61, 0xdf, 0xbf, 0x94,
416 0xa4, 0x3d, 0x71, 0x03, 0x0b, 0xed, 0x25, 0x71, 0x98, 0xa4,
417 0xd6, 0xd5, 0x4a, 0x57, 0xf5, 0x6c, 0x1b, 0xda, 0x21, 0x7d,
418 0x35, 0x45, 0xb3, 0xf3, 0x6a, 0xd9, 0xd3, 0x43, 0xe8, 0x5c,
419 0x54, 0x1c, 0x83, 0x1b, 0xb4, 0x5f, 0xf2, 0x97, 0x24, 0x2e,
420 0xdc, 0x40, 0xde, 0x92, 0x23, 0x59, 0x8e, 0xbc, 0xd2, 0xa1,
421 0xf2, 0xe0, 0x4c, 0xdd, 0x0b, 0xd1, 0xe7, 0xae, 0x65, 0xbc,
422 0xb5, 0xf5, 0x5b, 0x98, 0xe9, 0xd7, 0xc2, 0xb7, 0x0e, 0x55,
423 0x71, 0x0e, 0x3c, 0x0a, 0x24, 0x6b, 0xa6, 0xe6, 0x14, 0x61,
424 0x11, 0xfd, 0x33, 0x42, 0x99, 0x2b, 0x84, 0x77, 0x74, 0x92,
425 0x91, 0xf5, 0x79, 0x79, 0xcf, 0xad, 0x8e, 0x04, 0xef, 0x80,
426 0x1e, 0x57, 0xf4, 0x14, 0xf5, 0x35, 0x09, 0x74, 0xb2, 0x13,
427 0x71, 0x58, 0x6b, 0xea, 0x32, 0x5d, 0xf3, 0xd3, 0x76, 0x48,
428 0x39, 0x10, 0x23, 0x84, 0x9d, 0xbe, 0x92, 0x77, 0x4a, 0xed,
429 0x70, 0x3e, 0x1a, 0xa2, 0x6c, 0xb3, 0x81, 0x00, 0xc3, 0xc9,
430 0xe4, 0x52, 0xc8, 0x24, 0x88, 0x0c, 0x41, 0xad, 0x87, 0x5a,
431 0xea, 0xa3, 0x7a, 0x85, 0x1c, 0x5e, 0x31, 0x7f, 0xc3, 0x35,
432 0xc6, 0xfa, 0x10, 0xc8, 0x75, 0x10, 0xc4, 0x96, 0x99, 0xe7,
433 0xfe, 0x01, 0xb4, 0x74, 0xdb, 0xb4, 0x11, 0xc3, 0xc8, 0x8c,
434 0xf6, 0xf7, 0x3b, 0x66, 0x50, 0xfc, 0xdb, 0xeb, 0xca, 0x47,
435 0x85, 0x89, 0xe1, 0x65, 0xd9, 0x62, 0x34, 0x3c, 0x70, 0xd8,
436 0x2e, 0xb4, 0x2f, 0x65, 0x3c, 0x4a, 0xa6, 0x2a, 0xe7, 0xc7,
437 0xd8, 0x41, 0x8f, 0x8a, 0x43, 0xbf, 0x42, 0xf2, 0x4d, 0xbc,
438 0xfc, 0x9e, 0x27, 0x95, 0xfb, 0x75, 0xff, 0xab, 0x02, 0x82,
439 0x01, 0x00, 0x41, 0x2f, 0x44, 0x57, 0x6d, 0x12, 0x17, 0x5b,
440 0x32, 0xc6, 0xb7, 0x6c, 0x57, 0x7a, 0x8a, 0x0e, 0x79, 0xef,
441 0x72, 0xa8, 0x68, 0xda, 0x2d, 0x38, 0xe4, 0xbb, 0x8d, 0xf6,
442 0x02, 0x65, 0xcf, 0x56, 0x13, 0xe1, 0x1a, 0xcb, 0x39, 0x80,
443 0xa6, 0xb1, 0x32, 0x03, 0x1e, 0xdd, 0xbb, 0x35, 0xd9, 0xac,
444 0x43, 0x89, 0x31, 0x08, 0x90, 0x92, 0x5e, 0x35, 0x3d, 0x7b,
445 0x9c, 0x6f, 0x86, 0xcb, 0x17, 0xdd, 0x85, 0xe4, 0xed, 0x35,
446 0x08, 0x8e, 0xc1, 0xf4, 0x05, 0xd8, 0x68, 0xc6, 0x63, 0x3c,
447 0xf7, 0xff, 0xf7, 0x47, 0x33, 0x39, 0xc5, 0x3e, 0xb7, 0x0e,
448 0x58, 0x35, 0x9d, 0x81, 0xea, 0xf8, 0x6a, 0x2c, 0x1c, 0x5a,
449 0x68, 0x78, 0x64, 0x11, 0x6b, 0xc1, 0x3e, 0x4e, 0x7a, 0xbd,
450 0x84, 0xcb, 0x0f, 0xc2, 0xb6, 0x85, 0x1d, 0xd3, 0x76, 0xc5,
451 0x93, 0x6a, 0x69, 0x89, 0x56, 0x34, 0xdc, 0x4a, 0x9b, 0xbc,
452 0xff, 0xa8, 0x0d, 0x6e, 0x35, 0x9c, 0x60, 0xa7, 0x23, 0x30,
453 0xc7, 0x06, 0x64, 0x39, 0x8b, 0x94, 0x89, 0xee, 0xba, 0x7f,
454 0x60, 0x8d, 0xfa, 0xb6, 0x97, 0x76, 0xdc, 0x51, 0x4a, 0x3c,
455 0xeb, 0x3a, 0x14, 0x2c, 0x20, 0x60, 0x69, 0x4a, 0x86, 0xfe,
456 0x8c, 0x21, 0x84, 0x49, 0x54, 0xb3, 0x20, 0xe1, 0x01, 0x7f,
457 0x58, 0xdf, 0x7f, 0xb5, 0x21, 0x51, 0x8c, 0x47, 0x9f, 0x91,
458 0xeb, 0x97, 0x3e, 0xf2, 0x54, 0xcf, 0x16, 0x46, 0xf9, 0xd9,
459 0xb6, 0xe7, 0x64, 0xc9, 0xd0, 0x54, 0xea, 0x2f, 0xa1, 0xcf,
460 0xa5, 0x7f, 0x28, 0x8d, 0x84, 0xec, 0xd5, 0x39, 0x03, 0x76,
461 0x5b, 0x2d, 0x8e, 0x43, 0xf2, 0x01, 0x24, 0xc9, 0x6f, 0xc0,
462 0xf5, 0x69, 0x6f, 0x7d, 0xb5, 0x85, 0xd2, 0x5f, 0x7f, 0x78,
463 0x40, 0x07, 0x7f, 0x09, 0x15, 0xb5, 0x1f, 0x28, 0x65, 0x10,
464 0xe4, 0x19, 0xa8, 0xc6, 0x9e, 0x8d, 0xdc, 0xcb, 0x02, 0x82,
465 0x01, 0x00, 0x13, 0x01, 0xee, 0x56, 0x80, 0x93, 0x70, 0x00,
466 0x7f, 0x52, 0xd2, 0x94, 0xa1, 0x98, 0x84, 0x4a, 0x92, 0x25,
467 0x4c, 0x9b, 0xa9, 0x91, 0x2e, 0xc2, 0x79, 0xb7, 0x5c, 0xe3,
468 0xc5, 0xd5, 0x8e, 0xc2, 0x54, 0x16, 0x17, 0xad, 0x55, 0x9b,
469 0x25, 0x76, 0x12, 0x63, 0x50, 0x22, 0x2f, 0x58, 0x58, 0x79,
470 0x6b, 0x04, 0xe3, 0xf9, 0x9f, 0x8f, 0x04, 0x41, 0x67, 0x94,
471 0xa5, 0x1f, 0xac, 0x8a, 0x15, 0x9c, 0x26, 0x10, 0x6c, 0xf8,
472 0x19, 0x57, 0x61, 0xd7, 0x3a, 0x7d, 0x31, 0xb0, 0x2d, 0x38,
473 0xbd, 0x94, 0x62, 0xad, 0xc4, 0xfa, 0x36, 0x42, 0x42, 0xf0,
474 0x24, 0x67, 0x65, 0x9d, 0x8b, 0x0b, 0x7c, 0x6f, 0x82, 0x44,
475 0x1a, 0x8c, 0xc8, 0xc9, 0xab, 0xbb, 0x4c, 0x45, 0xfc, 0x7b,
476 0x38, 0xee, 0x30, 0xe1, 0xfc, 0xef, 0x8d, 0xbc, 0x58, 0xdf,
477 0x2b, 0x5d, 0x0d, 0x54, 0xe0, 0x49, 0x4d, 0x97, 0x99, 0x8f,
478 0x22, 0xa8, 0x83, 0xbe, 0x40, 0xbb, 0x50, 0x2e, 0x78, 0x28,
479 0x0f, 0x95, 0x78, 0x8c, 0x8f, 0x98, 0x24, 0x56, 0xc2, 0x97,
480 0xf3, 0x2c, 0x43, 0xd2, 0x03, 0x82, 0x66, 0x81, 0x72, 0x5f,
481 0x53, 0x16, 0xec, 0xb1, 0xb1, 0x04, 0x5e, 0x40, 0x20, 0x48,
482 0x7b, 0x3f, 0x02, 0x97, 0x6a, 0xeb, 0x96, 0x12, 0x21, 0x35,
483 0xfe, 0x1f, 0x47, 0xc0, 0x95, 0xea, 0xc5, 0x8a, 0x08, 0x84,
484 0x4f, 0x5e, 0x63, 0x94, 0x60, 0x0f, 0x71, 0x5b, 0x7f, 0x4a,
485 0xec, 0x4f, 0x60, 0xc6, 0xba, 0x4a, 0x24, 0xf1, 0x20, 0x8b,
486 0xa7, 0x2e, 0x3a, 0xce, 0x8d, 0xe0, 0x27, 0x1d, 0xb5, 0x8e,
487 0xb4, 0x21, 0xc5, 0xe2, 0xa6, 0x16, 0x0a, 0x51, 0x83, 0x55,
488 0x88, 0xd1, 0x30, 0x11, 0x63, 0xd5, 0xd7, 0x8d, 0xae, 0x16,
489 0x12, 0x82, 0xc4, 0x85, 0x00, 0x4e, 0x27, 0x83, 0xa5, 0x7c,
490 0x90, 0x2e, 0xe5, 0xa2, 0xa3, 0xd3, 0x4c, 0x63, 0x02, 0x82,
491 0x01, 0x01, 0x00, 0x86, 0x08, 0x98, 0x98, 0xa5, 0x00, 0x05,
492 0x39, 0x77, 0xd9, 0x66, 0xb3, 0xcf, 0xca, 0xa0, 0x71, 0xb3,
493 0x50, 0xce, 0x3d, 0xb1, 0x93, 0x95, 0x35, 0xc4, 0xd4, 0x2e,
494 0x90, 0xdf, 0x0f, 0xfc, 0x60, 0xc1, 0x94, 0x68, 0x61, 0x43,
495 0xca, 0x9a, 0x23, 0x4a, 0x1e, 0x45, 0x72, 0x99, 0xb5, 0x1e,
496 0x61, 0x8d, 0x77, 0x0f, 0xa0, 0xbb, 0xd7, 0x77, 0xb4, 0x2a,
497 0x15, 0x11, 0x88, 0x2d, 0xb3, 0x56, 0x61, 0x5e, 0x6a, 0xed,
498 0xa4, 0x46, 0x4a, 0x3f, 0x50, 0x11, 0xd6, 0xba, 0xb6, 0xd7,
499 0x95, 0x65, 0x53, 0xc3, 0xa1, 0x8f, 0xe0, 0xa3, 0xf5, 0x1c,
500 0xfd, 0xaf, 0x6e, 0x43, 0xd7, 0x17, 0xa7, 0xd3, 0x81, 0x1b,
501 0xa4, 0xdf, 0xe0, 0x97, 0x8a, 0x46, 0x03, 0xd3, 0x46, 0x0e,
502 0x83, 0x48, 0x4e, 0xd2, 0x02, 0xcb, 0xc0, 0xad, 0x79, 0x95,
503 0x8c, 0x96, 0xba, 0x40, 0x34, 0x11, 0x71, 0x5e, 0xe9, 0x11,
504 0xf9, 0xc5, 0x4a, 0x5e, 0x91, 0x9d, 0xf5, 0x92, 0x4f, 0xeb,
505 0xc6, 0x70, 0x02, 0x2d, 0x3d, 0x04, 0xaa, 0xe9, 0x3a, 0x8e,
506 0xd5, 0xa8, 0xad, 0xf7, 0xce, 0x0d, 0x16, 0xb2, 0xec, 0x0a,
507 0x9c, 0xf5, 0x94, 0x39, 0xb9, 0x8a, 0xfc, 0x1e, 0xf9, 0xcc,
508 0xf2, 0x5f, 0x21, 0x31, 0x74, 0x72, 0x6b, 0x64, 0xae, 0x35,
509 0x61, 0x8d, 0x0d, 0xcb, 0xe7, 0xda, 0x39, 0xca, 0xf3, 0x21,
510 0x66, 0x0b, 0x95, 0xd7, 0x0a, 0x7c, 0xca, 0xa1, 0xa9, 0x5a,
511 0xe8, 0xac, 0xe0, 0x71, 0x54, 0xaf, 0x28, 0xcf, 0xd5, 0x70,
512 0x89, 0xe0, 0xf3, 0x9e, 0x43, 0x6c, 0x8d, 0x7b, 0x99, 0x01,
513 0x68, 0x4d, 0xa1, 0x45, 0x46, 0x0c, 0x43, 0xbc, 0xcc, 0x2c,
514 0xdd, 0xc5, 0x46, 0xc8, 0x4e, 0x0e, 0xbe, 0xed, 0xb9, 0x26,
515 0xab, 0x2e, 0xdb, 0xeb, 0x8f, 0xff, 0xdb, 0xb0, 0xc6, 0x55,
516 0xaf, 0xf8, 0x2a, 0x91, 0x9d, 0x50, 0x44, 0x21, 0x17,
517};
diff --git a/src/lib/libssl/src/apps/timeouts.h b/src/lib/libssl/src/apps/timeouts.h
deleted file mode 100644
index 2b3ae38bb4..0000000000
--- a/src/lib/libssl/src/apps/timeouts.h
+++ /dev/null
@@ -1,67 +0,0 @@
1/* $OpenBSD: timeouts.h,v 1.3 2014/06/12 15:49:27 deraadt Exp $ */
2/*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6/* ====================================================================
7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#ifndef INCLUDED_TIMEOUTS_H
61#define INCLUDED_TIMEOUTS_H
62
63/* numbers in us */
64#define DGRAM_RCV_TIMEOUT 250000
65#define DGRAM_SND_TIMEOUT 250000
66
67#endif /* ! INCLUDED_TIMEOUTS_H */
diff --git a/src/lib/libssl/src/apps/ts.c b/src/lib/libssl/src/apps/ts.c
deleted file mode 100644
index 9142242860..0000000000
--- a/src/lib/libssl/src/apps/ts.c
+++ /dev/null
@@ -1,1102 +0,0 @@
1/* $OpenBSD: ts.c,v 1.18 2014/07/12 17:54:31 jsing Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/bn.h>
67#include <openssl/err.h>
68#include <openssl/pem.h>
69#include <openssl/rand.h>
70#include <openssl/ts.h>
71
72/* Length of the nonce of the request in bits (must be a multiple of 8). */
73#define NONCE_LENGTH 64
74
75/* Macro definitions for the configuration file. */
76#define ENV_OID_FILE "oid_file"
77
78/* Local function declarations. */
79
80static ASN1_OBJECT *txt2obj(const char *oid);
81static CONF *load_config_file(const char *configfile);
82
83/* Query related functions. */
84static int query_command(const char *data, char *digest,
85 const EVP_MD * md, const char *policy, int no_nonce,
86 int cert, const char *in, const char *out, int text);
87static BIO *BIO_open_with_default(const char *file, const char *mode,
88 FILE * default_fp);
89static TS_REQ *create_query(BIO * data_bio, char *digest, const EVP_MD * md,
90 const char *policy, int no_nonce, int cert);
91static int create_digest(BIO * input, char *digest,
92 const EVP_MD * md, unsigned char **md_value);
93static ASN1_INTEGER *create_nonce(int bits);
94
95/* Reply related functions. */
96static int reply_command(CONF * conf, char *section, char *engine,
97 char *queryfile, char *passin, char *inkey,
98 char *signer, char *chain, const char *policy,
99 char *in, int token_in, char *out, int token_out,
100 int text);
101static TS_RESP *read_PKCS7(BIO * in_bio);
102static TS_RESP *create_response(CONF * conf, const char *section, char *engine,
103 char *queryfile, char *passin, char *inkey,
104 char *signer, char *chain, const char *policy);
105static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
106static ASN1_INTEGER *next_serial(const char *serialfile);
107static int save_ts_serial(const char *serialfile, ASN1_INTEGER * serial);
108
109/* Verify related functions. */
110static int verify_command(char *data, char *digest, char *queryfile,
111 char *in, int token_in,
112 char *ca_path, char *ca_file, char *untrusted);
113static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
114 char *queryfile,
115 char *ca_path, char *ca_file,
116 char *untrusted);
117static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
118static int verify_cb(int ok, X509_STORE_CTX * ctx);
119
120/* Main function definition. */
121int ts_main(int, char **);
122
123int
124ts_main(int argc, char **argv)
125{
126 int ret = 1;
127 char *configfile = NULL;
128 char *section = NULL;
129 CONF *conf = NULL;
130 enum mode {
131 CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
132 } mode = CMD_NONE;
133 char *data = NULL;
134 char *digest = NULL;
135 const EVP_MD *md = NULL;
136 char *policy = NULL;
137 int no_nonce = 0;
138 int cert = 0;
139 char *in = NULL;
140 char *out = NULL;
141 int text = 0;
142 char *queryfile = NULL;
143 char *passin = NULL; /* Password source. */
144 char *password = NULL; /* Password itself. */
145 char *inkey = NULL;
146 char *signer = NULL;
147 char *chain = NULL;
148 char *ca_path = NULL;
149 char *ca_file = NULL;
150 char *untrusted = NULL;
151 char *engine = NULL;
152 /* Input is ContentInfo instead of TimeStampResp. */
153 int token_in = 0;
154 /* Output is ContentInfo instead of TimeStampResp. */
155 int token_out = 0;
156
157 ERR_load_crypto_strings();
158
159 for (argc--, argv++; argc > 0; argc--, argv++) {
160 if (strcmp(*argv, "-config") == 0) {
161 if (argc-- < 1)
162 goto usage;
163 configfile = *++argv;
164 } else if (strcmp(*argv, "-section") == 0) {
165 if (argc-- < 1)
166 goto usage;
167 section = *++argv;
168 } else if (strcmp(*argv, "-query") == 0) {
169 if (mode != CMD_NONE)
170 goto usage;
171 mode = CMD_QUERY;
172 } else if (strcmp(*argv, "-data") == 0) {
173 if (argc-- < 1)
174 goto usage;
175 data = *++argv;
176 } else if (strcmp(*argv, "-digest") == 0) {
177 if (argc-- < 1)
178 goto usage;
179 digest = *++argv;
180 } else if (strcmp(*argv, "-policy") == 0) {
181 if (argc-- < 1)
182 goto usage;
183 policy = *++argv;
184 } else if (strcmp(*argv, "-no_nonce") == 0) {
185 no_nonce = 1;
186 } else if (strcmp(*argv, "-cert") == 0) {
187 cert = 1;
188 } else if (strcmp(*argv, "-in") == 0) {
189 if (argc-- < 1)
190 goto usage;
191 in = *++argv;
192 } else if (strcmp(*argv, "-token_in") == 0) {
193 token_in = 1;
194 } else if (strcmp(*argv, "-out") == 0) {
195 if (argc-- < 1)
196 goto usage;
197 out = *++argv;
198 } else if (strcmp(*argv, "-token_out") == 0) {
199 token_out = 1;
200 } else if (strcmp(*argv, "-text") == 0) {
201 text = 1;
202 } else if (strcmp(*argv, "-reply") == 0) {
203 if (mode != CMD_NONE)
204 goto usage;
205 mode = CMD_REPLY;
206 } else if (strcmp(*argv, "-queryfile") == 0) {
207 if (argc-- < 1)
208 goto usage;
209 queryfile = *++argv;
210 } else if (strcmp(*argv, "-passin") == 0) {
211 if (argc-- < 1)
212 goto usage;
213 passin = *++argv;
214 } else if (strcmp(*argv, "-inkey") == 0) {
215 if (argc-- < 1)
216 goto usage;
217 inkey = *++argv;
218 } else if (strcmp(*argv, "-signer") == 0) {
219 if (argc-- < 1)
220 goto usage;
221 signer = *++argv;
222 } else if (strcmp(*argv, "-chain") == 0) {
223 if (argc-- < 1)
224 goto usage;
225 chain = *++argv;
226 } else if (strcmp(*argv, "-verify") == 0) {
227 if (mode != CMD_NONE)
228 goto usage;
229 mode = CMD_VERIFY;
230 } else if (strcmp(*argv, "-CApath") == 0) {
231 if (argc-- < 1)
232 goto usage;
233 ca_path = *++argv;
234 } else if (strcmp(*argv, "-CAfile") == 0) {
235 if (argc-- < 1)
236 goto usage;
237 ca_file = *++argv;
238 } else if (strcmp(*argv, "-untrusted") == 0) {
239 if (argc-- < 1)
240 goto usage;
241 untrusted = *++argv;
242 } else if (strcmp(*argv, "-engine") == 0) {
243 if (argc-- < 1)
244 goto usage;
245 engine = *++argv;
246 } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
247 /* empty. */
248 } else
249 goto usage;
250 }
251
252 /* Get the password if required. */
253 if (mode == CMD_REPLY && passin &&
254 !app_passwd(bio_err, passin, NULL, &password, NULL)) {
255 BIO_printf(bio_err, "Error getting password.\n");
256 goto cleanup;
257 }
258 /*
259 * Check consistency of parameters and execute the appropriate
260 * function.
261 */
262 switch (mode) {
263 case CMD_NONE:
264 goto usage;
265 case CMD_QUERY:
266 /*
267 * Data file and message imprint cannot be specified at the
268 * same time.
269 */
270 ret = data != NULL && digest != NULL;
271 if (ret)
272 goto usage;
273 /* Load the config file for possible policy OIDs. */
274 conf = load_config_file(configfile);
275 ret = !query_command(data, digest, md, policy, no_nonce, cert,
276 in, out, text);
277 break;
278 case CMD_REPLY:
279 conf = load_config_file(configfile);
280 if (in == NULL) {
281 ret = !(queryfile != NULL && conf != NULL && !token_in);
282 if (ret)
283 goto usage;
284 } else {
285 /* 'in' and 'queryfile' are exclusive. */
286 ret = !(queryfile == NULL);
287 if (ret)
288 goto usage;
289 }
290
291 ret = !reply_command(conf, section, engine, queryfile,
292 password, inkey, signer, chain, policy,
293 in, token_in, out, token_out, text);
294 break;
295 case CMD_VERIFY:
296 ret = !(((queryfile && !data && !digest) ||
297 (!queryfile && data && !digest) ||
298 (!queryfile && !data && digest)) && in != NULL);
299 if (ret)
300 goto usage;
301
302 ret = !verify_command(data, digest, queryfile, in, token_in,
303 ca_path, ca_file, untrusted);
304 }
305
306 goto cleanup;
307
308usage:
309 BIO_printf(bio_err, "usage:\n"
310 "ts -query [-config configfile] "
311 "[-data file_to_hash] [-digest digest_bytes]"
312 "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
313 "[-policy object_id] [-no_nonce] [-cert] "
314 "[-in request.tsq] [-out request.tsq] [-text]\n");
315 BIO_printf(bio_err, "or\n"
316 "ts -reply [-config configfile] [-section tsa_section] "
317 "[-queryfile request.tsq] [-passin password] "
318 "[-signer tsa_cert.pem] [-inkey private_key.pem] "
319 "[-chain certs_file.pem] [-policy object_id] "
320 "[-in response.tsr] [-token_in] "
321 "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
322 BIO_printf(bio_err, "or\n"
323 "ts -verify [-data file_to_hash] [-digest digest_bytes] "
324 "[-queryfile request.tsq] "
325 "-in response.tsr [-token_in] "
326 "-CApath ca_path -CAfile ca_file.pem "
327 "-untrusted cert_file.pem\n");
328
329cleanup:
330 /* Clean up. */
331 NCONF_free(conf);
332 free(password);
333 OBJ_cleanup();
334
335 return (ret);
336}
337
338/*
339 * Configuration file-related function definitions.
340 */
341
342static ASN1_OBJECT *
343txt2obj(const char *oid)
344{
345 ASN1_OBJECT *oid_obj = NULL;
346
347 if (!(oid_obj = OBJ_txt2obj(oid, 0)))
348 BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
349
350 return oid_obj;
351}
352
353static CONF *
354load_config_file(const char *configfile)
355{
356 CONF *conf = NULL;
357 long errorline = -1;
358
359 if (!configfile)
360 configfile = getenv("OPENSSL_CONF");
361 if (!configfile)
362 configfile = getenv("SSLEAY_CONF");
363
364 if (configfile &&
365 (!(conf = NCONF_new(NULL)) ||
366 NCONF_load(conf, configfile, &errorline) <= 0)) {
367 if (errorline <= 0)
368 BIO_printf(bio_err, "error loading the config file "
369 "'%s'\n", configfile);
370 else
371 BIO_printf(bio_err, "error on line %ld of config file "
372 "'%s'\n", errorline, configfile);
373 }
374 if (conf != NULL) {
375 const char *p;
376
377 BIO_printf(bio_err, "Using configuration from %s\n",
378 configfile);
379 p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
380 if (p != NULL) {
381 BIO *oid_bio = BIO_new_file(p, "r");
382 if (!oid_bio)
383 ERR_print_errors(bio_err);
384 else {
385 OBJ_create_objects(oid_bio);
386 BIO_free_all(oid_bio);
387 }
388 } else
389 ERR_clear_error();
390 if (!add_oid_section(bio_err, conf))
391 ERR_print_errors(bio_err);
392 }
393 return conf;
394}
395
396/*
397 * Query-related method definitions.
398 */
399
400static int
401query_command(const char *data, char *digest, const EVP_MD * md,
402 const char *policy, int no_nonce, int cert, const char *in,
403 const char *out, int text)
404{
405 int ret = 0;
406 TS_REQ *query = NULL;
407 BIO *in_bio = NULL;
408 BIO *data_bio = NULL;
409 BIO *out_bio = NULL;
410
411 /* Build query object either from file or from scratch. */
412 if (in != NULL) {
413 if ((in_bio = BIO_new_file(in, "rb")) == NULL)
414 goto end;
415 query = d2i_TS_REQ_bio(in_bio, NULL);
416 } else {
417 /* Open the file if no explicit digest bytes were specified. */
418 if (!digest &&
419 !(data_bio = BIO_open_with_default(data, "rb", stdin)))
420 goto end;
421 /* Creating the query object. */
422 query = create_query(data_bio, digest, md,
423 policy, no_nonce, cert);
424 /* Saving the random number generator state. */
425 }
426 if (query == NULL)
427 goto end;
428
429 /* Write query either in ASN.1 or in text format. */
430 if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
431 goto end;
432 if (text) {
433 /* Text output. */
434 if (!TS_REQ_print_bio(out_bio, query))
435 goto end;
436 } else {
437 /* ASN.1 output. */
438 if (!i2d_TS_REQ_bio(out_bio, query))
439 goto end;
440 }
441
442 ret = 1;
443
444end:
445 ERR_print_errors(bio_err);
446
447 /* Clean up. */
448 BIO_free_all(in_bio);
449 BIO_free_all(data_bio);
450 BIO_free_all(out_bio);
451 TS_REQ_free(query);
452
453 return ret;
454}
455
456static BIO *
457BIO_open_with_default(const char *file, const char *mode, FILE * default_fp)
458{
459 return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE) :
460 BIO_new_file(file, mode);
461}
462
463static TS_REQ *
464create_query(BIO * data_bio, char *digest, const EVP_MD * md,
465 const char *policy, int no_nonce, int cert)
466{
467 int ret = 0;
468 TS_REQ *ts_req = NULL;
469 int len;
470 TS_MSG_IMPRINT *msg_imprint = NULL;
471 X509_ALGOR *algo = NULL;
472 unsigned char *data = NULL;
473 ASN1_OBJECT *policy_obj = NULL;
474 ASN1_INTEGER *nonce_asn1 = NULL;
475
476 /* Setting default message digest. */
477 if (!md && !(md = EVP_get_digestbyname("sha1")))
478 goto err;
479
480 /* Creating request object. */
481 if (!(ts_req = TS_REQ_new()))
482 goto err;
483
484 /* Setting version. */
485 if (!TS_REQ_set_version(ts_req, 1))
486 goto err;
487
488 /* Creating and adding MSG_IMPRINT object. */
489 if (!(msg_imprint = TS_MSG_IMPRINT_new()))
490 goto err;
491
492 /* Adding algorithm. */
493 if (!(algo = X509_ALGOR_new()))
494 goto err;
495 if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))))
496 goto err;
497 if (!(algo->parameter = ASN1_TYPE_new()))
498 goto err;
499 algo->parameter->type = V_ASN1_NULL;
500 if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
501 goto err;
502
503 /* Adding message digest. */
504 if ((len = create_digest(data_bio, digest, md, &data)) == 0)
505 goto err;
506 if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
507 goto err;
508
509 if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
510 goto err;
511
512 /* Setting policy if requested. */
513 if (policy && !(policy_obj = txt2obj(policy)))
514 goto err;
515 if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
516 goto err;
517
518 /* Setting nonce if requested. */
519 if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH)))
520 goto err;
521 if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
522 goto err;
523
524 /* Setting certificate request flag if requested. */
525 if (!TS_REQ_set_cert_req(ts_req, cert))
526 goto err;
527
528 ret = 1;
529
530err:
531 if (!ret) {
532 TS_REQ_free(ts_req);
533 ts_req = NULL;
534 BIO_printf(bio_err, "could not create query\n");
535 }
536 TS_MSG_IMPRINT_free(msg_imprint);
537 X509_ALGOR_free(algo);
538 free(data);
539 ASN1_OBJECT_free(policy_obj);
540 ASN1_INTEGER_free(nonce_asn1);
541
542 return ts_req;
543}
544
545static int
546create_digest(BIO * input, char *digest, const EVP_MD * md,
547 unsigned char **md_value)
548{
549 int md_value_len;
550
551 md_value_len = EVP_MD_size(md);
552 if (md_value_len < 0)
553 goto err;
554 if (input) {
555 /* Digest must be computed from an input file. */
556 EVP_MD_CTX md_ctx;
557 unsigned char buffer[4096];
558 int length;
559
560 *md_value = malloc(md_value_len);
561 if (*md_value == 0)
562 goto err;
563
564 EVP_DigestInit(&md_ctx, md);
565 while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
566 EVP_DigestUpdate(&md_ctx, buffer, length);
567 }
568 EVP_DigestFinal(&md_ctx, *md_value, NULL);
569 } else {
570 /* Digest bytes are specified with digest. */
571 long digest_len;
572 *md_value = string_to_hex(digest, &digest_len);
573 if (!*md_value || md_value_len != digest_len) {
574 free(*md_value);
575 *md_value = NULL;
576 BIO_printf(bio_err, "bad digest, %d bytes "
577 "must be specified\n", md_value_len);
578 goto err;
579 }
580 }
581
582 return md_value_len;
583err:
584 return 0;
585}
586
587static ASN1_INTEGER *
588create_nonce(int bits)
589{
590 unsigned char buf[20];
591 ASN1_INTEGER *nonce = NULL;
592 int len = (bits - 1) / 8 + 1;
593 int i;
594
595 /* Generating random byte sequence. */
596 if (len > (int) sizeof(buf))
597 goto err;
598 if (RAND_bytes(buf, len) <= 0)
599 goto err;
600
601 /* Find the first non-zero byte and creating ASN1_INTEGER object. */
602 for (i = 0; i < len && !buf[i]; ++i)
603 ;
604 if (!(nonce = ASN1_INTEGER_new()))
605 goto err;
606 free(nonce->data);
607 /* Allocate at least one byte. */
608 nonce->length = len - i;
609 if (!(nonce->data = malloc(nonce->length + 1)))
610 goto err;
611 memcpy(nonce->data, buf + i, nonce->length);
612
613 return nonce;
614
615err:
616 BIO_printf(bio_err, "could not create nonce\n");
617 ASN1_INTEGER_free(nonce);
618 return NULL;
619}
620/*
621 * Reply-related method definitions.
622 */
623
624static int
625reply_command(CONF * conf, char *section, char *engine, char *queryfile,
626 char *passin, char *inkey, char *signer, char *chain, const char *policy,
627 char *in, int token_in, char *out, int token_out, int text)
628{
629 int ret = 0;
630 TS_RESP *response = NULL;
631 BIO *in_bio = NULL;
632 BIO *query_bio = NULL;
633 BIO *inkey_bio = NULL;
634 BIO *signer_bio = NULL;
635 BIO *out_bio = NULL;
636
637 /* Build response object either from response or query. */
638 if (in != NULL) {
639 if ((in_bio = BIO_new_file(in, "rb")) == NULL)
640 goto end;
641 if (token_in) {
642 /*
643 * We have a ContentInfo (PKCS7) object, add
644 * 'granted' status info around it.
645 */
646 response = read_PKCS7(in_bio);
647 } else {
648 /* We have a ready-made TS_RESP object. */
649 response = d2i_TS_RESP_bio(in_bio, NULL);
650 }
651 } else {
652 response = create_response(conf, section, engine, queryfile,
653 passin, inkey, signer, chain,
654 policy);
655 if (response)
656 BIO_printf(bio_err, "Response has been generated.\n");
657 else
658 BIO_printf(bio_err, "Response is not generated.\n");
659 }
660 if (response == NULL)
661 goto end;
662
663 /* Write response either in ASN.1 or text format. */
664 if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
665 goto end;
666 if (text) {
667 /* Text output. */
668 if (token_out) {
669 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
670 if (!TS_TST_INFO_print_bio(out_bio, tst_info))
671 goto end;
672 } else {
673 if (!TS_RESP_print_bio(out_bio, response))
674 goto end;
675 }
676 } else {
677 /* ASN.1 DER output. */
678 if (token_out) {
679 PKCS7 *token = TS_RESP_get_token(response);
680 if (!i2d_PKCS7_bio(out_bio, token))
681 goto end;
682 } else {
683 if (!i2d_TS_RESP_bio(out_bio, response))
684 goto end;
685 }
686 }
687
688 ret = 1;
689
690end:
691 ERR_print_errors(bio_err);
692
693 /* Clean up. */
694 BIO_free_all(in_bio);
695 BIO_free_all(query_bio);
696 BIO_free_all(inkey_bio);
697 BIO_free_all(signer_bio);
698 BIO_free_all(out_bio);
699 TS_RESP_free(response);
700
701 return ret;
702}
703
704/* Reads a PKCS7 token and adds default 'granted' status info to it. */
705static TS_RESP *
706read_PKCS7(BIO * in_bio)
707{
708 int ret = 0;
709 PKCS7 *token = NULL;
710 TS_TST_INFO *tst_info = NULL;
711 TS_RESP *resp = NULL;
712 TS_STATUS_INFO *si = NULL;
713
714 /* Read PKCS7 object and extract the signed time stamp info. */
715 if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
716 goto end;
717 if (!(tst_info = PKCS7_to_TS_TST_INFO(token)))
718 goto end;
719
720 /* Creating response object. */
721 if (!(resp = TS_RESP_new()))
722 goto end;
723
724 /* Create granted status info. */
725 if (!(si = TS_STATUS_INFO_new()))
726 goto end;
727 if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED)))
728 goto end;
729 if (!TS_RESP_set_status_info(resp, si))
730 goto end;
731
732 /* Setting encapsulated token. */
733 TS_RESP_set_tst_info(resp, token, tst_info);
734 token = NULL; /* Ownership is lost. */
735 tst_info = NULL; /* Ownership is lost. */
736
737 ret = 1;
738end:
739 PKCS7_free(token);
740 TS_TST_INFO_free(tst_info);
741 if (!ret) {
742 TS_RESP_free(resp);
743 resp = NULL;
744 }
745 TS_STATUS_INFO_free(si);
746 return resp;
747}
748
749static TS_RESP *
750create_response(CONF * conf, const char *section, char *engine,
751 char *queryfile, char *passin, char *inkey,
752 char *signer, char *chain, const char *policy)
753{
754 int ret = 0;
755 TS_RESP *response = NULL;
756 BIO *query_bio = NULL;
757 TS_RESP_CTX *resp_ctx = NULL;
758
759 if (!(query_bio = BIO_new_file(queryfile, "rb")))
760 goto end;
761
762 /* Getting TSA configuration section. */
763 if (!(section = TS_CONF_get_tsa_section(conf, section)))
764 goto end;
765
766 /* Setting up response generation context. */
767 if (!(resp_ctx = TS_RESP_CTX_new()))
768 goto end;
769
770 /* Setting serial number provider callback. */
771 if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
772 goto end;
773#ifndef OPENSSL_NO_ENGINE
774 /* Setting default OpenSSL engine. */
775 if (!TS_CONF_set_crypto_device(conf, section, engine))
776 goto end;
777#endif
778
779 /* Setting TSA signer certificate. */
780 if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
781 goto end;
782
783 /* Setting TSA signer certificate chain. */
784 if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
785 goto end;
786
787 /* Setting TSA signer private key. */
788 if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
789 goto end;
790
791 /* Setting default policy OID. */
792 if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
793 goto end;
794
795 /* Setting acceptable policy OIDs. */
796 if (!TS_CONF_set_policies(conf, section, resp_ctx))
797 goto end;
798
799 /* Setting the acceptable one-way hash algorithms. */
800 if (!TS_CONF_set_digests(conf, section, resp_ctx))
801 goto end;
802
803 /* Setting guaranteed time stamp accuracy. */
804 if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
805 goto end;
806
807 /* Setting the precision of the time. */
808 if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
809 goto end;
810
811 /* Setting the ordering flaf if requested. */
812 if (!TS_CONF_set_ordering(conf, section, resp_ctx))
813 goto end;
814
815 /* Setting the TSA name required flag if requested. */
816 if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
817 goto end;
818
819 /* Setting the ESS cert id chain flag if requested. */
820 if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
821 goto end;
822
823 /* Creating the response. */
824 if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
825 goto end;
826
827 ret = 1;
828end:
829 if (!ret) {
830 TS_RESP_free(response);
831 response = NULL;
832 }
833 TS_RESP_CTX_free(resp_ctx);
834 BIO_free_all(query_bio);
835
836 return response;
837}
838
839static ASN1_INTEGER *
840serial_cb(TS_RESP_CTX * ctx, void *data)
841{
842 const char *serial_file = (const char *) data;
843 ASN1_INTEGER *serial = next_serial(serial_file);
844
845 if (!serial) {
846 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
847 "Error during serial number "
848 "generation.");
849 TS_RESP_CTX_add_failure_info(ctx,
850 TS_INFO_ADD_INFO_NOT_AVAILABLE);
851 } else
852 save_ts_serial(serial_file, serial);
853
854 return serial;
855}
856
857static ASN1_INTEGER *
858next_serial(const char *serialfile)
859{
860 int ret = 0;
861 BIO *in = NULL;
862 ASN1_INTEGER *serial = NULL;
863 BIGNUM *bn = NULL;
864
865 if (!(serial = ASN1_INTEGER_new()))
866 goto err;
867
868 if (!(in = BIO_new_file(serialfile, "r"))) {
869 ERR_clear_error();
870 BIO_printf(bio_err, "Warning: could not open file %s for "
871 "reading, using serial number: 1\n", serialfile);
872 if (!ASN1_INTEGER_set(serial, 1))
873 goto err;
874 } else {
875 char buf[1024];
876 if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
877 BIO_printf(bio_err, "unable to load number from %s\n",
878 serialfile);
879 goto err;
880 }
881 if (!(bn = ASN1_INTEGER_to_BN(serial, NULL)))
882 goto err;
883 ASN1_INTEGER_free(serial);
884 serial = NULL;
885 if (!BN_add_word(bn, 1))
886 goto err;
887 if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
888 goto err;
889 }
890 ret = 1;
891err:
892 if (!ret) {
893 ASN1_INTEGER_free(serial);
894 serial = NULL;
895 }
896 BIO_free_all(in);
897 BN_free(bn);
898 return serial;
899}
900
901static int
902save_ts_serial(const char *serialfile, ASN1_INTEGER * serial)
903{
904 int ret = 0;
905 BIO *out = NULL;
906
907 if (!(out = BIO_new_file(serialfile, "w")))
908 goto err;
909 if (i2a_ASN1_INTEGER(out, serial) <= 0)
910 goto err;
911 if (BIO_puts(out, "\n") <= 0)
912 goto err;
913 ret = 1;
914err:
915 if (!ret)
916 BIO_printf(bio_err, "could not save serial number to %s\n",
917 serialfile);
918 BIO_free_all(out);
919 return ret;
920}
921
922/*
923 * Verify-related method definitions.
924 */
925
926static int
927verify_command(char *data, char *digest, char *queryfile, char *in,
928 int token_in, char *ca_path, char *ca_file, char *untrusted)
929{
930 BIO *in_bio = NULL;
931 PKCS7 *token = NULL;
932 TS_RESP *response = NULL;
933 TS_VERIFY_CTX *verify_ctx = NULL;
934 int ret = 0;
935
936 /* Decode the token (PKCS7) or response (TS_RESP) files. */
937 if (!(in_bio = BIO_new_file(in, "rb")))
938 goto end;
939 if (token_in) {
940 if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
941 goto end;
942 } else {
943 if (!(response = d2i_TS_RESP_bio(in_bio, NULL)))
944 goto end;
945 }
946
947 if (!(verify_ctx = create_verify_ctx(data, digest, queryfile,
948 ca_path, ca_file, untrusted)))
949 goto end;
950
951 /* Checking the token or response against the request. */
952 ret = token_in ?
953 TS_RESP_verify_token(verify_ctx, token) :
954 TS_RESP_verify_response(verify_ctx, response);
955
956end:
957 printf("Verification: ");
958 if (ret)
959 printf("OK\n");
960 else {
961 printf("FAILED\n");
962 /* Print errors, if there are any. */
963 ERR_print_errors(bio_err);
964 }
965
966 /* Clean up. */
967 BIO_free_all(in_bio);
968 PKCS7_free(token);
969 TS_RESP_free(response);
970 TS_VERIFY_CTX_free(verify_ctx);
971 return ret;
972}
973
974static TS_VERIFY_CTX *
975create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path,
976 char *ca_file, char *untrusted)
977{
978 TS_VERIFY_CTX *ctx = NULL;
979 BIO *input = NULL;
980 TS_REQ *request = NULL;
981 int ret = 0;
982
983 if (data != NULL || digest != NULL) {
984 if (!(ctx = TS_VERIFY_CTX_new()))
985 goto err;
986 ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
987 if (data != NULL) {
988 ctx->flags |= TS_VFY_DATA;
989 if (!(ctx->data = BIO_new_file(data, "rb")))
990 goto err;
991 } else if (digest != NULL) {
992 long imprint_len;
993 ctx->flags |= TS_VFY_IMPRINT;
994 if (!(ctx->imprint = string_to_hex(digest,
995 &imprint_len))) {
996 BIO_printf(bio_err, "invalid digest string\n");
997 goto err;
998 }
999 ctx->imprint_len = imprint_len;
1000 }
1001 } else if (queryfile != NULL) {
1002 /*
1003 * The request has just to be read, decoded and converted to
1004 * a verify context object.
1005 */
1006 if (!(input = BIO_new_file(queryfile, "rb")))
1007 goto err;
1008 if (!(request = d2i_TS_REQ_bio(input, NULL)))
1009 goto err;
1010 if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
1011 goto err;
1012 } else
1013 return NULL;
1014
1015 /* Add the signature verification flag and arguments. */
1016 ctx->flags |= TS_VFY_SIGNATURE;
1017
1018 /* Initialising the X509_STORE object. */
1019 if (!(ctx->store = create_cert_store(ca_path, ca_file)))
1020 goto err;
1021
1022 /* Loading untrusted certificates. */
1023 if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
1024 goto err;
1025
1026 ret = 1;
1027err:
1028 if (!ret) {
1029 TS_VERIFY_CTX_free(ctx);
1030 ctx = NULL;
1031 }
1032 BIO_free_all(input);
1033 TS_REQ_free(request);
1034 return ctx;
1035}
1036
1037static X509_STORE *
1038create_cert_store(char *ca_path, char *ca_file)
1039{
1040 X509_STORE *cert_ctx = NULL;
1041 X509_LOOKUP *lookup = NULL;
1042 int i;
1043
1044 /* Creating the X509_STORE object. */
1045 cert_ctx = X509_STORE_new();
1046
1047 /* Setting the callback for certificate chain verification. */
1048 X509_STORE_set_verify_cb(cert_ctx, verify_cb);
1049
1050 /* Adding a trusted certificate directory source. */
1051 if (ca_path) {
1052 lookup = X509_STORE_add_lookup(cert_ctx,
1053 X509_LOOKUP_hash_dir());
1054 if (lookup == NULL) {
1055 BIO_printf(bio_err, "memory allocation failure\n");
1056 goto err;
1057 }
1058 i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
1059 if (!i) {
1060 BIO_printf(bio_err, "Error loading directory %s\n",
1061 ca_path);
1062 goto err;
1063 }
1064 }
1065 /* Adding a trusted certificate file source. */
1066 if (ca_file) {
1067 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
1068 if (lookup == NULL) {
1069 BIO_printf(bio_err, "memory allocation failure\n");
1070 goto err;
1071 }
1072 i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
1073 if (!i) {
1074 BIO_printf(bio_err, "Error loading file %s\n", ca_file);
1075 goto err;
1076 }
1077 }
1078 return cert_ctx;
1079err:
1080 X509_STORE_free(cert_ctx);
1081 return NULL;
1082}
1083
1084static int
1085verify_cb(int ok, X509_STORE_CTX * ctx)
1086{
1087 /*
1088 char buf[256];
1089
1090 if (!ok)
1091 {
1092 X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
1093 buf, sizeof(buf));
1094 printf("%s\n", buf);
1095 printf("error %d at %d depth lookup: %s\n",
1096 ctx->error, ctx->error_depth,
1097 X509_verify_cert_error_string(ctx->error));
1098 }
1099 */
1100
1101 return ok;
1102}
diff --git a/src/lib/libssl/src/apps/verify.c b/src/lib/libssl/src/apps/verify.c
deleted file mode 100644
index 218270aa44..0000000000
--- a/src/lib/libssl/src/apps/verify.c
+++ /dev/null
@@ -1,339 +0,0 @@
1/* $OpenBSD: verify.c,v 1.26 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include "apps.h"
64
65#include <openssl/bio.h>
66#include <openssl/err.h>
67#include <openssl/pem.h>
68#include <openssl/x509.h>
69#include <openssl/x509v3.h>
70
71static int cb(int ok, X509_STORE_CTX * ctx);
72static int check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
73 STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e);
74static int v_verbose = 0, vflags = 0;
75
76int verify_main(int, char **);
77
78int
79verify_main(int argc, char **argv)
80{
81 ENGINE *e = NULL;
82 int i, ret = 1, badarg = 0;
83 char *CApath = NULL, *CAfile = NULL;
84 char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
85 STACK_OF(X509) * untrusted = NULL, *trusted = NULL;
86 STACK_OF(X509_CRL) * crls = NULL;
87 X509_STORE *cert_ctx = NULL;
88 X509_LOOKUP *lookup = NULL;
89 X509_VERIFY_PARAM *vpm = NULL;
90#ifndef OPENSSL_NO_ENGINE
91 char *engine = NULL;
92#endif
93
94 cert_ctx = X509_STORE_new();
95 if (cert_ctx == NULL)
96 goto end;
97 X509_STORE_set_verify_cb(cert_ctx, cb);
98
99 ERR_load_crypto_strings();
100
101 argc--;
102 argv++;
103 for (;;) {
104 if (argc >= 1) {
105 if (strcmp(*argv, "-CApath") == 0) {
106 if (argc-- < 1)
107 goto end;
108 CApath = *(++argv);
109 } else if (strcmp(*argv, "-CAfile") == 0) {
110 if (argc-- < 1)
111 goto end;
112 CAfile = *(++argv);
113 } else if (args_verify(&argv, &argc, &badarg, bio_err,
114 &vpm)) {
115 if (badarg)
116 goto end;
117 continue;
118 } else if (strcmp(*argv, "-untrusted") == 0) {
119 if (argc-- < 1)
120 goto end;
121 untfile = *(++argv);
122 } else if (strcmp(*argv, "-trusted") == 0) {
123 if (argc-- < 1)
124 goto end;
125 trustfile = *(++argv);
126 } else if (strcmp(*argv, "-CRLfile") == 0) {
127 if (argc-- < 1)
128 goto end;
129 crlfile = *(++argv);
130 }
131#ifndef OPENSSL_NO_ENGINE
132 else if (strcmp(*argv, "-engine") == 0) {
133 if (--argc < 1)
134 goto end;
135 engine = *(++argv);
136 }
137#endif
138 else if (strcmp(*argv, "-help") == 0)
139 goto end;
140 else if (strcmp(*argv, "-verbose") == 0)
141 v_verbose = 1;
142 else if (argv[0][0] == '-')
143 goto end;
144 else
145 break;
146 argc--;
147 argv++;
148 } else
149 break;
150 }
151
152#ifndef OPENSSL_NO_ENGINE
153 e = setup_engine(bio_err, engine, 0);
154#endif
155
156 if (vpm)
157 X509_STORE_set1_param(cert_ctx, vpm);
158
159 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
160 if (lookup == NULL)
161 abort();
162 if (CAfile) {
163 i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
164 if (!i) {
165 BIO_printf(bio_err, "Error loading file %s\n", CAfile);
166 ERR_print_errors(bio_err);
167 goto end;
168 }
169 } else
170 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
171
172 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
173 if (lookup == NULL)
174 abort();
175 if (CApath) {
176 i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
177 if (!i) {
178 BIO_printf(bio_err, "Error loading directory %s\n", CApath);
179 ERR_print_errors(bio_err);
180 goto end;
181 }
182 } else
183 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
184
185 ERR_clear_error();
186
187 if (untfile) {
188 untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
189 NULL, e, "untrusted certificates");
190 if (!untrusted)
191 goto end;
192 }
193 if (trustfile) {
194 trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
195 NULL, e, "trusted certificates");
196 if (!trusted)
197 goto end;
198 }
199 if (crlfile) {
200 crls = load_crls(bio_err, crlfile, FORMAT_PEM,
201 NULL, e, "other CRLs");
202 if (!crls)
203 goto end;
204 }
205 ret = 0;
206 if (argc < 1) {
207 if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
208 ret = -1;
209 } else {
210 for (i = 0; i < argc; i++)
211 if (1 != check(cert_ctx, argv[i], untrusted, trusted,
212 crls, e))
213 ret = -1;
214 }
215
216end:
217 if (ret == 1) {
218 BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
219 BIO_printf(bio_err, " [-attime timestamp]");
220#ifndef OPENSSL_NO_ENGINE
221 BIO_printf(bio_err, " [-engine e]");
222#endif
223 BIO_printf(bio_err, " cert1 cert2 ...\n");
224
225 BIO_printf(bio_err, "recognized usages:\n");
226 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
227 X509_PURPOSE *ptmp;
228 ptmp = X509_PURPOSE_get0(i);
229 BIO_printf(bio_err, "\t%-10s\t%s\n",
230 X509_PURPOSE_get0_sname(ptmp),
231 X509_PURPOSE_get0_name(ptmp));
232 }
233 }
234 if (vpm)
235 X509_VERIFY_PARAM_free(vpm);
236 if (cert_ctx != NULL)
237 X509_STORE_free(cert_ctx);
238 sk_X509_pop_free(untrusted, X509_free);
239 sk_X509_pop_free(trusted, X509_free);
240 sk_X509_CRL_pop_free(crls, X509_CRL_free);
241
242 return (ret < 0 ? 2 : ret);
243}
244
245static int
246check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
247 STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e)
248{
249 X509 *x = NULL;
250 int i = 0, ret = 0;
251 X509_STORE_CTX *csc;
252
253 x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
254 if (x == NULL)
255 goto end;
256 fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
257
258 csc = X509_STORE_CTX_new();
259 if (csc == NULL) {
260 ERR_print_errors(bio_err);
261 goto end;
262 }
263 X509_STORE_set_flags(ctx, vflags);
264 if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
265 ERR_print_errors(bio_err);
266 goto end;
267 }
268 if (tchain)
269 X509_STORE_CTX_trusted_stack(csc, tchain);
270 if (crls)
271 X509_STORE_CTX_set0_crls(csc, crls);
272 i = X509_verify_cert(csc);
273 X509_STORE_CTX_free(csc);
274
275 ret = 0;
276
277end:
278 if (i > 0) {
279 fprintf(stdout, "OK\n");
280 ret = 1;
281 } else
282 ERR_print_errors(bio_err);
283 if (x != NULL)
284 X509_free(x);
285
286 return (ret);
287}
288
289static int
290cb(int ok, X509_STORE_CTX * ctx)
291{
292 int cert_error = X509_STORE_CTX_get_error(ctx);
293 X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
294
295 if (!ok) {
296 if (current_cert) {
297 X509_NAME_print_ex_fp(stdout,
298 X509_get_subject_name(current_cert),
299 0, XN_FLAG_ONELINE);
300 printf("\n");
301 }
302 printf("%serror %d at %d depth lookup:%s\n",
303 X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
304 cert_error,
305 X509_STORE_CTX_get_error_depth(ctx),
306 X509_verify_cert_error_string(cert_error));
307 switch (cert_error) {
308 case X509_V_ERR_NO_EXPLICIT_POLICY:
309 policies_print(NULL, ctx);
310 case X509_V_ERR_CERT_HAS_EXPIRED:
311
312 /*
313 * since we are just checking the certificates, it is
314 * ok if they are self signed. But we should still
315 * warn the user.
316 */
317
318 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
319 /* Continue after extension errors too */
320 case X509_V_ERR_INVALID_CA:
321 case X509_V_ERR_INVALID_NON_CA:
322 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
323 case X509_V_ERR_INVALID_PURPOSE:
324 case X509_V_ERR_CRL_HAS_EXPIRED:
325 case X509_V_ERR_CRL_NOT_YET_VALID:
326 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
327 ok = 1;
328
329 }
330
331 return ok;
332
333 }
334 if (cert_error == X509_V_OK && ok == 2)
335 policies_print(NULL, ctx);
336 if (!v_verbose)
337 ERR_clear_error();
338 return (ok);
339}
diff --git a/src/lib/libssl/src/apps/version.c b/src/lib/libssl/src/apps/version.c
deleted file mode 100644
index 4bb0ef558c..0000000000
--- a/src/lib/libssl/src/apps/version.c
+++ /dev/null
@@ -1,208 +0,0 @@
1/* $OpenBSD: version.c,v 1.18 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113#include <stdlib.h>
114#include <string.h>
115
116#include "apps.h"
117
118#include <openssl/bn.h>
119#include <openssl/crypto.h>
120#include <openssl/evp.h>
121
122#ifndef OPENSSL_NO_BF
123#include <openssl/blowfish.h>
124#endif
125
126#ifndef OPENSSL_NO_DES
127#include <openssl/des.h>
128#endif
129
130#ifndef OPENSSL_NO_IDEA
131#include <openssl/idea.h>
132#endif
133
134#ifndef OPENSSL_NO_RC4
135#include <openssl/rc4.h>
136#endif
137
138int version_main(int, char **);
139
140int
141version_main(int argc, char **argv)
142{
143 int i, ret = 0;
144 int cflags = 0, version = 0, date = 0, options = 0, platform = 0,
145 dir = 0;
146
147 if (argc == 1)
148 version = 1;
149 for (i = 1; i < argc; i++) {
150 if (strcmp(argv[i], "-v") == 0)
151 version = 1;
152 else if (strcmp(argv[i], "-b") == 0)
153 date = 1;
154 else if (strcmp(argv[i], "-f") == 0)
155 cflags = 1;
156 else if (strcmp(argv[i], "-o") == 0)
157 options = 1;
158 else if (strcmp(argv[i], "-p") == 0)
159 platform = 1;
160 else if (strcmp(argv[i], "-d") == 0)
161 dir = 1;
162 else if (strcmp(argv[i], "-a") == 0)
163 date = version = cflags = options = platform = dir = 1;
164 else {
165 BIO_printf(bio_err, "usage:version -[avbofpd]\n");
166 ret = 1;
167 goto end;
168 }
169 }
170
171 if (version) {
172 if (SSLeay() == SSLEAY_VERSION_NUMBER) {
173 printf("%s\n", SSLeay_version(SSLEAY_VERSION));
174 } else {
175 printf("%s (Library: %s)\n",
176 OPENSSL_VERSION_TEXT,
177 SSLeay_version(SSLEAY_VERSION));
178 }
179 }
180 if (date)
181 printf("%s\n", SSLeay_version(SSLEAY_BUILT_ON));
182 if (platform)
183 printf("%s\n", SSLeay_version(SSLEAY_PLATFORM));
184 if (options) {
185 printf("options: ");
186 printf("%s ", BN_options());
187#ifndef OPENSSL_NO_RC4
188 printf("%s ", RC4_options());
189#endif
190#ifndef OPENSSL_NO_DES
191 printf("%s ", DES_options());
192#endif
193#ifndef OPENSSL_NO_IDEA
194 printf("%s ", idea_options());
195#endif
196#ifndef OPENSSL_NO_BF
197 printf("%s ", BF_options());
198#endif
199 printf("\n");
200 }
201 if (cflags)
202 printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
203 if (dir)
204 printf("%s\n", SSLeay_version(SSLEAY_DIR));
205end:
206
207 return (ret);
208}
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
deleted file mode 100644
index 6729ed412c..0000000000
--- a/src/lib/libssl/src/apps/x509.c
+++ /dev/null
@@ -1,1160 +0,0 @@
1/* $OpenBSD: x509.c,v 1.49 2014/07/14 00:35:10 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <assert.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <limits.h>
63#include <string.h>
64
65#include "apps.h"
66
67#include <openssl/asn1.h>
68#include <openssl/bio.h>
69#include <openssl/bn.h>
70#include <openssl/err.h>
71#include <openssl/evp.h>
72#include <openssl/objects.h>
73#include <openssl/pem.h>
74#include <openssl/x509.h>
75#include <openssl/x509v3.h>
76
77#include <openssl/dsa.h>
78
79#include <openssl/rsa.h>
80
81#define POSTFIX ".srl"
82#define DEF_DAYS 30
83
84static const char *x509_usage[] = {
85 "usage: x509 args\n",
86 " -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
87 " -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
88 " -keyform arg - private key format - default PEM\n",
89 " -CAform arg - CA format - default PEM\n",
90 " -CAkeyform arg - CA key format - default PEM\n",
91 " -in arg - input file - default stdin\n",
92 " -out arg - output file - default stdout\n",
93 " -passin arg - private key password source\n",
94 " -serial - print serial number value\n",
95 " -subject_hash - print subject hash value\n",
96#ifndef OPENSSL_NO_MD5
97 " -subject_hash_old - print old-style (MD5) subject hash value\n",
98#endif
99 " -issuer_hash - print issuer hash value\n",
100#ifndef OPENSSL_NO_MD5
101 " -issuer_hash_old - print old-style (MD5) issuer hash value\n",
102#endif
103 " -hash - synonym for -subject_hash\n",
104 " -subject - print subject DN\n",
105 " -issuer - print issuer DN\n",
106 " -email - print email address(es)\n",
107 " -startdate - notBefore field\n",
108 " -enddate - notAfter field\n",
109 " -purpose - print out certificate purposes\n",
110 " -dates - both Before and After dates\n",
111 " -modulus - print the RSA key modulus\n",
112 " -pubkey - output the public key\n",
113 " -fingerprint - print the certificate fingerprint\n",
114 " -alias - output certificate alias\n",
115 " -noout - no certificate output\n",
116 " -ocspid - print OCSP hash values for the subject name and public key\n",
117 " -ocsp_uri - print OCSP Responder URL(s)\n",
118 " -trustout - output a \"trusted\" certificate\n",
119 " -clrtrust - clear all trusted purposes\n",
120 " -clrreject - clear all rejected purposes\n",
121 " -addtrust arg - trust certificate for a given purpose\n",
122 " -addreject arg - reject certificate for a given purpose\n",
123 " -setalias arg - set certificate alias\n",
124 " -days arg - How long till expiry of a signed certificate - def 30 days\n",
125 " -checkend arg - check whether the cert expires in the next arg seconds\n",
126 " exit 1 if so, 0 if not\n",
127 " -signkey arg - self sign cert with arg\n",
128 " -x509toreq - output a certification request object\n",
129 " -req - input is a certificate request, sign and output.\n",
130 " -CA arg - set the CA certificate, must be PEM format.\n",
131 " -CAkey arg - set the CA key, must be PEM format\n",
132 " missing, it is assumed to be in the CA file.\n",
133 " -CAcreateserial - create serial number file if it does not exist\n",
134 " -CAserial arg - serial file\n",
135 " -set_serial - serial number to use\n",
136 " -text - print the certificate in text form\n",
137 " -C - print out C code forms\n",
138 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
139 " -extfile - configuration file with X509V3 extensions to add\n",
140 " -extensions - section from config file with X509V3 extensions to add\n",
141 " -clrext - delete extensions before signing and input certificate\n",
142 " -nameopt arg - various certificate name options\n",
143#ifndef OPENSSL_NO_ENGINE
144 " -engine e - use engine e, possibly a hardware device.\n",
145#endif
146 " -certopt arg - various certificate text options\n",
147 NULL
148};
149
150static int callb(int ok, X509_STORE_CTX *ctx);
151static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
152 const EVP_MD *digest, CONF *conf, char *section);
153static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
154 X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts,
155 char *serial, int create, int days, int clrext, CONF *conf, char *section,
156 ASN1_INTEGER *sno);
157static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
158static int reqfile = 0;
159
160int x509_main(int, char **);
161
162int
163x509_main(int argc, char **argv)
164{
165 ENGINE *e = NULL;
166 int ret = 1;
167 X509_REQ *req = NULL;
168 X509 *x = NULL, *xca = NULL;
169 ASN1_OBJECT *objtmp;
170 STACK_OF(OPENSSL_STRING) *sigopts = NULL;
171 EVP_PKEY *Upkey = NULL, *CApkey = NULL;
172 ASN1_INTEGER *sno = NULL;
173 int i, num, badops = 0;
174 BIO *out = NULL;
175 BIO *STDout = NULL;
176 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
177 int informat, outformat, keyformat, CAformat, CAkeyformat;
178 char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
179 char *CAkeyfile = NULL, *CAserial = NULL;
180 char *alias = NULL;
181 int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0,
182 enddate = 0;
183 int next_serial = 0;
184 int subject_hash = 0, issuer_hash = 0, ocspid = 0;
185#ifndef OPENSSL_NO_MD5
186 int subject_hash_old = 0, issuer_hash_old = 0;
187#endif
188 int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0,
189 email = 0;
190 int ocsp_uri = 0;
191 int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0;
192 int C = 0;
193 int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0;
194 int pprint = 0;
195 const char **pp;
196 X509_STORE *ctx = NULL;
197 X509_REQ *rq = NULL;
198 int fingerprint = 0;
199 char buf[256];
200 const EVP_MD *md_alg, *digest = NULL;
201 CONF *extconf = NULL;
202 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
203 int checkend = 0, checkoffset = 0;
204 unsigned long nmflag = 0, certflag = 0;
205#ifndef OPENSSL_NO_ENGINE
206 char *engine = NULL;
207#endif
208 const char *errstr = NULL;
209
210 reqfile = 0;
211
212 STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
213
214 informat = FORMAT_PEM;
215 outformat = FORMAT_PEM;
216 keyformat = FORMAT_PEM;
217 CAformat = FORMAT_PEM;
218 CAkeyformat = FORMAT_PEM;
219
220 ctx = X509_STORE_new();
221 if (ctx == NULL)
222 goto end;
223 X509_STORE_set_verify_cb(ctx, callb);
224
225 argc--;
226 argv++;
227 num = 0;
228 while (argc >= 1) {
229 if (strcmp(*argv, "-inform") == 0) {
230 if (--argc < 1)
231 goto bad;
232 informat = str2fmt(*(++argv));
233 } else if (strcmp(*argv, "-outform") == 0) {
234 if (--argc < 1)
235 goto bad;
236 outformat = str2fmt(*(++argv));
237 } else if (strcmp(*argv, "-keyform") == 0) {
238 if (--argc < 1)
239 goto bad;
240 keyformat = str2fmt(*(++argv));
241 } else if (strcmp(*argv, "-req") == 0) {
242 reqfile = 1;
243 } else if (strcmp(*argv, "-CAform") == 0) {
244 if (--argc < 1)
245 goto bad;
246 CAformat = str2fmt(*(++argv));
247 } else if (strcmp(*argv, "-CAkeyform") == 0) {
248 if (--argc < 1)
249 goto bad;
250 CAkeyformat = str2fmt(*(++argv));
251 } else if (strcmp(*argv, "-sigopt") == 0) {
252 if (--argc < 1)
253 goto bad;
254 if (!sigopts)
255 sigopts = sk_OPENSSL_STRING_new_null();
256 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
257 goto bad;
258 } else if (strcmp(*argv, "-days") == 0) {
259 if (--argc < 1)
260 goto bad;
261 days = strtonum(*(++argv), 1, INT_MAX, &errstr);
262 if (errstr) {
263 BIO_printf(bio_err, "bad number of days: %s\n", errstr);
264 goto bad;
265 }
266 } else if (strcmp(*argv, "-passin") == 0) {
267 if (--argc < 1)
268 goto bad;
269 passargin = *(++argv);
270 } else if (strcmp(*argv, "-extfile") == 0) {
271 if (--argc < 1)
272 goto bad;
273 extfile = *(++argv);
274 } else if (strcmp(*argv, "-extensions") == 0) {
275 if (--argc < 1)
276 goto bad;
277 extsect = *(++argv);
278 } else if (strcmp(*argv, "-in") == 0) {
279 if (--argc < 1)
280 goto bad;
281 infile = *(++argv);
282 } else if (strcmp(*argv, "-out") == 0) {
283 if (--argc < 1)
284 goto bad;
285 outfile = *(++argv);
286 } else if (strcmp(*argv, "-signkey") == 0) {
287 if (--argc < 1)
288 goto bad;
289 keyfile = *(++argv);
290 sign_flag = ++num;
291 } else if (strcmp(*argv, "-CA") == 0) {
292 if (--argc < 1)
293 goto bad;
294 CAfile = *(++argv);
295 CA_flag = ++num;
296 } else if (strcmp(*argv, "-CAkey") == 0) {
297 if (--argc < 1)
298 goto bad;
299 CAkeyfile = *(++argv);
300 } else if (strcmp(*argv, "-CAserial") == 0) {
301 if (--argc < 1)
302 goto bad;
303 CAserial = *(++argv);
304 } else if (strcmp(*argv, "-set_serial") == 0) {
305 if (--argc < 1)
306 goto bad;
307 if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
308 goto bad;
309 } else if (strcmp(*argv, "-addtrust") == 0) {
310 if (--argc < 1)
311 goto bad;
312 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
313 BIO_printf(bio_err,
314 "Invalid trust object value %s\n", *argv);
315 goto bad;
316 }
317 if (!trust)
318 trust = sk_ASN1_OBJECT_new_null();
319 sk_ASN1_OBJECT_push(trust, objtmp);
320 trustout = 1;
321 } else if (strcmp(*argv, "-addreject") == 0) {
322 if (--argc < 1)
323 goto bad;
324 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
325 BIO_printf(bio_err,
326 "Invalid reject object value %s\n", *argv);
327 goto bad;
328 }
329 if (!reject)
330 reject = sk_ASN1_OBJECT_new_null();
331 sk_ASN1_OBJECT_push(reject, objtmp);
332 trustout = 1;
333 } else if (strcmp(*argv, "-setalias") == 0) {
334 if (--argc < 1)
335 goto bad;
336 alias = *(++argv);
337 trustout = 1;
338 } else if (strcmp(*argv, "-certopt") == 0) {
339 if (--argc < 1)
340 goto bad;
341 if (!set_cert_ex(&certflag, *(++argv)))
342 goto bad;
343 } else if (strcmp(*argv, "-nameopt") == 0) {
344 if (--argc < 1)
345 goto bad;
346 if (!set_name_ex(&nmflag, *(++argv)))
347 goto bad;
348 }
349#ifndef OPENSSL_NO_ENGINE
350 else if (strcmp(*argv, "-engine") == 0) {
351 if (--argc < 1)
352 goto bad;
353 engine = *(++argv);
354 }
355#endif
356 else if (strcmp(*argv, "-C") == 0)
357 C = ++num;
358 else if (strcmp(*argv, "-email") == 0)
359 email = ++num;
360 else if (strcmp(*argv, "-ocsp_uri") == 0)
361 ocsp_uri = ++num;
362 else if (strcmp(*argv, "-serial") == 0)
363 serial = ++num;
364 else if (strcmp(*argv, "-next_serial") == 0)
365 next_serial = ++num;
366 else if (strcmp(*argv, "-modulus") == 0)
367 modulus = ++num;
368 else if (strcmp(*argv, "-pubkey") == 0)
369 pubkey = ++num;
370 else if (strcmp(*argv, "-x509toreq") == 0)
371 x509req = ++num;
372 else if (strcmp(*argv, "-text") == 0)
373 text = ++num;
374 else if (strcmp(*argv, "-hash") == 0 ||
375 strcmp(*argv, "-subject_hash") == 0)
376 subject_hash = ++num;
377#ifndef OPENSSL_NO_MD5
378 else if (strcmp(*argv, "-subject_hash_old") == 0)
379 subject_hash_old = ++num;
380#endif
381 else if (strcmp(*argv, "-issuer_hash") == 0)
382 issuer_hash = ++num;
383#ifndef OPENSSL_NO_MD5
384 else if (strcmp(*argv, "-issuer_hash_old") == 0)
385 issuer_hash_old = ++num;
386#endif
387 else if (strcmp(*argv, "-subject") == 0)
388 subject = ++num;
389 else if (strcmp(*argv, "-issuer") == 0)
390 issuer = ++num;
391 else if (strcmp(*argv, "-fingerprint") == 0)
392 fingerprint = ++num;
393 else if (strcmp(*argv, "-dates") == 0) {
394 startdate = ++num;
395 enddate = ++num;
396 } else if (strcmp(*argv, "-purpose") == 0)
397 pprint = ++num;
398 else if (strcmp(*argv, "-startdate") == 0)
399 startdate = ++num;
400 else if (strcmp(*argv, "-enddate") == 0)
401 enddate = ++num;
402 else if (strcmp(*argv, "-checkend") == 0) {
403 if (--argc < 1)
404 goto bad;
405 checkoffset = strtonum(*(++argv), 0, INT_MAX, &errstr);
406 if (errstr) {
407 BIO_printf(bio_err, "checkend unusable: %s\n", errstr);
408 goto bad;
409 }
410 checkend = 1;
411 } else if (strcmp(*argv, "-noout") == 0)
412 noout = ++num;
413 else if (strcmp(*argv, "-trustout") == 0)
414 trustout = 1;
415 else if (strcmp(*argv, "-clrtrust") == 0)
416 clrtrust = ++num;
417 else if (strcmp(*argv, "-clrreject") == 0)
418 clrreject = ++num;
419 else if (strcmp(*argv, "-alias") == 0)
420 aliasout = ++num;
421 else if (strcmp(*argv, "-CAcreateserial") == 0)
422 CA_createserial = ++num;
423 else if (strcmp(*argv, "-clrext") == 0)
424 clrext = 1;
425 else if (strcmp(*argv, "-ocspid") == 0)
426 ocspid = ++num;
427 else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
428 /* ok */
429 digest = md_alg;
430 } else {
431 BIO_printf(bio_err, "unknown option %s\n", *argv);
432 badops = 1;
433 break;
434 }
435 argc--;
436 argv++;
437 }
438
439 if (badops) {
440bad:
441 for (pp = x509_usage; (*pp != NULL); pp++)
442 BIO_printf(bio_err, "%s", *pp);
443 goto end;
444 }
445#ifndef OPENSSL_NO_ENGINE
446 e = setup_engine(bio_err, engine, 0);
447#endif
448
449 ERR_load_crypto_strings();
450
451 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
452 BIO_printf(bio_err, "Error getting password\n");
453 goto end;
454 }
455 if (!X509_STORE_set_default_paths(ctx)) {
456 ERR_print_errors(bio_err);
457 goto end;
458 }
459 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
460 CAkeyfile = CAfile;
461 } else if ((CA_flag) && (CAkeyfile == NULL)) {
462 BIO_printf(bio_err,
463 "need to specify a CAkey if using the CA command\n");
464 goto end;
465 }
466 if (extfile) {
467 long errorline = -1;
468 X509V3_CTX ctx2;
469 extconf = NCONF_new(NULL);
470 if (!NCONF_load(extconf, extfile, &errorline)) {
471 if (errorline <= 0)
472 BIO_printf(bio_err,
473 "error loading the config file '%s'\n",
474 extfile);
475 else
476 BIO_printf(bio_err,
477 "error on line %ld of config file '%s'\n",
478 errorline, extfile);
479 goto end;
480 }
481 if (!extsect) {
482 extsect = NCONF_get_string(extconf, "default",
483 "extensions");
484 if (!extsect) {
485 ERR_clear_error();
486 extsect = "default";
487 }
488 }
489 X509V3_set_ctx_test(&ctx2);
490 X509V3_set_nconf(&ctx2, extconf);
491 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
492 BIO_printf(bio_err,
493 "Error Loading extension section %s\n",
494 extsect);
495 ERR_print_errors(bio_err);
496 goto end;
497 }
498 }
499 if (reqfile) {
500 EVP_PKEY *pkey;
501 BIO *in;
502
503 if (!sign_flag && !CA_flag) {
504 BIO_printf(bio_err, "We need a private key to sign with\n");
505 goto end;
506 }
507 in = BIO_new(BIO_s_file());
508 if (in == NULL) {
509 ERR_print_errors(bio_err);
510 goto end;
511 }
512 if (infile == NULL)
513 BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
514 else {
515 if (BIO_read_filename(in, infile) <= 0) {
516 perror(infile);
517 BIO_free(in);
518 goto end;
519 }
520 }
521 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
522 BIO_free(in);
523
524 if (req == NULL) {
525 ERR_print_errors(bio_err);
526 goto end;
527 }
528 if ((req->req_info == NULL) ||
529 (req->req_info->pubkey == NULL) ||
530 (req->req_info->pubkey->public_key == NULL) ||
531 (req->req_info->pubkey->public_key->data == NULL)) {
532 BIO_printf(bio_err, "The certificate request appears to corrupted\n");
533 BIO_printf(bio_err, "It does not contain a public key\n");
534 goto end;
535 }
536 if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
537 BIO_printf(bio_err, "error unpacking public key\n");
538 goto end;
539 }
540 i = X509_REQ_verify(req, pkey);
541 EVP_PKEY_free(pkey);
542 if (i < 0) {
543 BIO_printf(bio_err, "Signature verification error\n");
544 ERR_print_errors(bio_err);
545 goto end;
546 }
547 if (i == 0) {
548 BIO_printf(bio_err, "Signature did not match the certificate request\n");
549 goto end;
550 } else
551 BIO_printf(bio_err, "Signature ok\n");
552
553 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
554
555 if ((x = X509_new()) == NULL)
556 goto end;
557
558 if (sno == NULL) {
559 sno = ASN1_INTEGER_new();
560 if (!sno || !rand_serial(NULL, sno))
561 goto end;
562 if (!X509_set_serialNumber(x, sno))
563 goto end;
564 ASN1_INTEGER_free(sno);
565 sno = NULL;
566 } else if (!X509_set_serialNumber(x, sno))
567 goto end;
568
569 if (!X509_set_issuer_name(x, req->req_info->subject))
570 goto end;
571 if (!X509_set_subject_name(x, req->req_info->subject))
572 goto end;
573
574 X509_gmtime_adj(X509_get_notBefore(x), 0);
575 X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
576
577 pkey = X509_REQ_get_pubkey(req);
578 X509_set_pubkey(x, pkey);
579 EVP_PKEY_free(pkey);
580 } else
581 x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
582
583 if (x == NULL)
584 goto end;
585 if (CA_flag) {
586 xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate");
587 if (xca == NULL)
588 goto end;
589 }
590 if (!noout || text || next_serial) {
591 OBJ_create("2.99999.3",
592 "SET.ex3", "SET x509v3 extension 3");
593
594 out = BIO_new(BIO_s_file());
595 if (out == NULL) {
596 ERR_print_errors(bio_err);
597 goto end;
598 }
599 if (outfile == NULL) {
600 BIO_set_fp(out, stdout, BIO_NOCLOSE);
601 } else {
602 if (BIO_write_filename(out, outfile) <= 0) {
603 perror(outfile);
604 goto end;
605 }
606 }
607 }
608 if (alias)
609 X509_alias_set1(x, (unsigned char *) alias, -1);
610
611 if (clrtrust)
612 X509_trust_clear(x);
613 if (clrreject)
614 X509_reject_clear(x);
615
616 if (trust) {
617 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
618 objtmp = sk_ASN1_OBJECT_value(trust, i);
619 X509_add1_trust_object(x, objtmp);
620 }
621 }
622 if (reject) {
623 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
624 objtmp = sk_ASN1_OBJECT_value(reject, i);
625 X509_add1_reject_object(x, objtmp);
626 }
627 }
628 if (num) {
629 for (i = 1; i <= num; i++) {
630 if (issuer == i) {
631 print_name(STDout, "issuer= ",
632 X509_get_issuer_name(x), nmflag);
633 } else if (subject == i) {
634 print_name(STDout, "subject= ",
635 X509_get_subject_name(x), nmflag);
636 } else if (serial == i) {
637 BIO_printf(STDout, "serial=");
638 i2a_ASN1_INTEGER(STDout,
639 X509_get_serialNumber(x));
640 BIO_printf(STDout, "\n");
641 } else if (next_serial == i) {
642 BIGNUM *bnser;
643 ASN1_INTEGER *ser;
644 ser = X509_get_serialNumber(x);
645 bnser = ASN1_INTEGER_to_BN(ser, NULL);
646 if (!bnser)
647 goto end;
648 if (!BN_add_word(bnser, 1))
649 goto end;
650 ser = BN_to_ASN1_INTEGER(bnser, NULL);
651 if (!ser)
652 goto end;
653 BN_free(bnser);
654 i2a_ASN1_INTEGER(out, ser);
655 ASN1_INTEGER_free(ser);
656 BIO_puts(out, "\n");
657 } else if ((email == i) || (ocsp_uri == i)) {
658 int j;
659 STACK_OF(OPENSSL_STRING) *emlst;
660 if (email == i)
661 emlst = X509_get1_email(x);
662 else
663 emlst = X509_get1_ocsp(x);
664 for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
665 BIO_printf(STDout, "%s\n",
666 sk_OPENSSL_STRING_value(emlst, j));
667 X509_email_free(emlst);
668 } else if (aliasout == i) {
669 unsigned char *alstr;
670 alstr = X509_alias_get0(x, NULL);
671 if (alstr)
672 BIO_printf(STDout, "%s\n", alstr);
673 else
674 BIO_puts(STDout, "<No Alias>\n");
675 } else if (subject_hash == i) {
676 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x));
677 }
678#ifndef OPENSSL_NO_MD5
679 else if (subject_hash_old == i) {
680 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x));
681 }
682#endif
683 else if (issuer_hash == i) {
684 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x));
685 }
686#ifndef OPENSSL_NO_MD5
687 else if (issuer_hash_old == i) {
688 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x));
689 }
690#endif
691 else if (pprint == i) {
692 X509_PURPOSE *ptmp;
693 int j;
694 BIO_printf(STDout, "Certificate purposes:\n");
695 for (j = 0; j < X509_PURPOSE_get_count(); j++) {
696 ptmp = X509_PURPOSE_get0(j);
697 purpose_print(STDout, x, ptmp);
698 }
699 } else if (modulus == i) {
700 EVP_PKEY *pkey;
701
702 pkey = X509_get_pubkey(x);
703 if (pkey == NULL) {
704 BIO_printf(bio_err, "Modulus=unavailable\n");
705 ERR_print_errors(bio_err);
706 goto end;
707 }
708 BIO_printf(STDout, "Modulus=");
709 if (pkey->type == EVP_PKEY_RSA)
710 BN_print(STDout, pkey->pkey.rsa->n);
711 else
712 if (pkey->type == EVP_PKEY_DSA)
713 BN_print(STDout, pkey->pkey.dsa->pub_key);
714 else
715 BIO_printf(STDout, "Wrong Algorithm type");
716 BIO_printf(STDout, "\n");
717 EVP_PKEY_free(pkey);
718 } else if (pubkey == i) {
719 EVP_PKEY *pkey;
720
721 pkey = X509_get_pubkey(x);
722 if (pkey == NULL) {
723 BIO_printf(bio_err, "Error getting public key\n");
724 ERR_print_errors(bio_err);
725 goto end;
726 }
727 PEM_write_bio_PUBKEY(STDout, pkey);
728 EVP_PKEY_free(pkey);
729 } else if (C == i) {
730 unsigned char *d;
731 char *m;
732 int y, z;
733
734 X509_NAME_oneline(X509_get_subject_name(x),
735 buf, sizeof buf);
736 BIO_printf(STDout, "/* subject:%s */\n", buf);
737 m = X509_NAME_oneline(
738 X509_get_issuer_name(x), buf,
739 sizeof buf);
740 BIO_printf(STDout, "/* issuer :%s */\n", buf);
741
742 z = i2d_X509(x, NULL);
743 m = malloc(z);
744
745 d = (unsigned char *) m;
746 z = i2d_X509_NAME(X509_get_subject_name(x), &d);
747 BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n", z);
748 d = (unsigned char *) m;
749 for (y = 0; y < z; y++) {
750 BIO_printf(STDout, "0x%02X,", d[y]);
751 if ((y & 0x0f) == 0x0f)
752 BIO_printf(STDout, "\n");
753 }
754 if (y % 16 != 0)
755 BIO_printf(STDout, "\n");
756 BIO_printf(STDout, "};\n");
757
758 z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
759 BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z);
760 d = (unsigned char *) m;
761 for (y = 0; y < z; y++) {
762 BIO_printf(STDout, "0x%02X,", d[y]);
763 if ((y & 0x0f) == 0x0f)
764 BIO_printf(STDout, "\n");
765 }
766 if (y % 16 != 0)
767 BIO_printf(STDout, "\n");
768 BIO_printf(STDout, "};\n");
769
770 z = i2d_X509(x, &d);
771 BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n", z);
772 d = (unsigned char *) m;
773 for (y = 0; y < z; y++) {
774 BIO_printf(STDout, "0x%02X,", d[y]);
775 if ((y & 0x0f) == 0x0f)
776 BIO_printf(STDout, "\n");
777 }
778 if (y % 16 != 0)
779 BIO_printf(STDout, "\n");
780 BIO_printf(STDout, "};\n");
781
782 free(m);
783 } else if (text == i) {
784 X509_print_ex(STDout, x, nmflag, certflag);
785 } else if (startdate == i) {
786 BIO_puts(STDout, "notBefore=");
787 ASN1_TIME_print(STDout, X509_get_notBefore(x));
788 BIO_puts(STDout, "\n");
789 } else if (enddate == i) {
790 BIO_puts(STDout, "notAfter=");
791 ASN1_TIME_print(STDout, X509_get_notAfter(x));
792 BIO_puts(STDout, "\n");
793 } else if (fingerprint == i) {
794 int j;
795 unsigned int n;
796 unsigned char md[EVP_MAX_MD_SIZE];
797 const EVP_MD *fdig = digest;
798
799 if (!fdig)
800 fdig = EVP_sha1();
801
802 if (!X509_digest(x, fdig, md, &n)) {
803 BIO_printf(bio_err, "out of memory\n");
804 goto end;
805 }
806 BIO_printf(STDout, "%s Fingerprint=",
807 OBJ_nid2sn(EVP_MD_type(fdig)));
808 for (j = 0; j < (int) n; j++) {
809 BIO_printf(STDout, "%02X%c", md[j],
810 (j + 1 == (int)n) ? '\n' : ':');
811 }
812 }
813 /* should be in the library */
814 else if ((sign_flag == i) && (x509req == 0)) {
815 BIO_printf(bio_err, "Getting Private key\n");
816 if (Upkey == NULL) {
817 Upkey = load_key(bio_err,
818 keyfile, keyformat, 0,
819 passin, e, "Private key");
820 if (Upkey == NULL)
821 goto end;
822 }
823 if (!sign(x, Upkey, days, clrext, digest,
824 extconf, extsect))
825 goto end;
826 } else if (CA_flag == i) {
827 BIO_printf(bio_err, "Getting CA Private Key\n");
828 if (CAkeyfile != NULL) {
829 CApkey = load_key(bio_err,
830 CAkeyfile, CAkeyformat,
831 0, passin, e,
832 "CA Private Key");
833 if (CApkey == NULL)
834 goto end;
835 }
836 if (!x509_certify(ctx, CAfile, digest, x, xca,
837 CApkey, sigopts,
838 CAserial, CA_createserial, days, clrext,
839 extconf, extsect, sno))
840 goto end;
841 } else if (x509req == i) {
842 EVP_PKEY *pk;
843
844 BIO_printf(bio_err, "Getting request Private Key\n");
845 if (keyfile == NULL) {
846 BIO_printf(bio_err, "no request key file specified\n");
847 goto end;
848 } else {
849 pk = load_key(bio_err,
850 keyfile, keyformat, 0,
851 passin, e, "request key");
852 if (pk == NULL)
853 goto end;
854 }
855
856 BIO_printf(bio_err, "Generating certificate request\n");
857
858 rq = X509_to_X509_REQ(x, pk, digest);
859 EVP_PKEY_free(pk);
860 if (rq == NULL) {
861 ERR_print_errors(bio_err);
862 goto end;
863 }
864 if (!noout) {
865 X509_REQ_print(out, rq);
866 PEM_write_bio_X509_REQ(out, rq);
867 }
868 noout = 1;
869 } else if (ocspid == i) {
870 X509_ocspid_print(out, x);
871 }
872 }
873 }
874 if (checkend) {
875 time_t tcheck = time(NULL) + checkoffset;
876
877 if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
878 BIO_printf(out, "Certificate will expire\n");
879 ret = 1;
880 } else {
881 BIO_printf(out, "Certificate will not expire\n");
882 ret = 0;
883 }
884 goto end;
885 }
886 if (noout) {
887 ret = 0;
888 goto end;
889 }
890 if (outformat == FORMAT_ASN1)
891 i = i2d_X509_bio(out, x);
892 else if (outformat == FORMAT_PEM) {
893 if (trustout)
894 i = PEM_write_bio_X509_AUX(out, x);
895 else
896 i = PEM_write_bio_X509(out, x);
897 } else if (outformat == FORMAT_NETSCAPE) {
898 NETSCAPE_X509 nx;
899 ASN1_OCTET_STRING hdr;
900
901 hdr.data = (unsigned char *) NETSCAPE_CERT_HDR;
902 hdr.length = strlen(NETSCAPE_CERT_HDR);
903 nx.header = &hdr;
904 nx.cert = x;
905
906 i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
907 } else {
908 BIO_printf(bio_err, "bad output format specified for outfile\n");
909 goto end;
910 }
911 if (!i) {
912 BIO_printf(bio_err, "unable to write certificate\n");
913 ERR_print_errors(bio_err);
914 goto end;
915 }
916 ret = 0;
917
918end:
919 OBJ_cleanup();
920 NCONF_free(extconf);
921 BIO_free_all(out);
922 BIO_free_all(STDout);
923 X509_STORE_free(ctx);
924 X509_REQ_free(req);
925 X509_free(x);
926 X509_free(xca);
927 EVP_PKEY_free(Upkey);
928 EVP_PKEY_free(CApkey);
929 if (sigopts)
930 sk_OPENSSL_STRING_free(sigopts);
931 X509_REQ_free(rq);
932 ASN1_INTEGER_free(sno);
933 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
934 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
935 free(passin);
936
937 return (ret);
938}
939
940static ASN1_INTEGER *
941x509_load_serial(char *CAfile, char *serialfile, int create)
942{
943 char *buf = NULL, *p;
944 ASN1_INTEGER *bs = NULL;
945 BIGNUM *serial = NULL;
946 size_t len;
947
948 len = ((serialfile == NULL) ? (strlen(CAfile) + strlen(POSTFIX) + 1) :
949 (strlen(serialfile))) + 1;
950 buf = malloc(len);
951 if (buf == NULL) {
952 BIO_printf(bio_err, "out of mem\n");
953 goto end;
954 }
955 if (serialfile == NULL) {
956 strlcpy(buf, CAfile, len);
957 for (p = buf; *p; p++)
958 if (*p == '.') {
959 *p = '\0';
960 break;
961 }
962 strlcat(buf, POSTFIX, len);
963 } else
964 strlcpy(buf, serialfile, len);
965
966 serial = load_serial(buf, create, NULL);
967 if (serial == NULL)
968 goto end;
969
970 if (!BN_add_word(serial, 1)) {
971 BIO_printf(bio_err, "add_word failure\n");
972 goto end;
973 }
974 if (!save_serial(buf, NULL, serial, &bs))
975 goto end;
976
977end:
978 free(buf);
979 BN_free(serial);
980
981 return bs;
982}
983
984static int
985x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
986 X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts,
987 char *serialfile, int create, int days, int clrext, CONF *conf,
988 char *section, ASN1_INTEGER *sno)
989{
990 int ret = 0;
991 ASN1_INTEGER *bs = NULL;
992 X509_STORE_CTX xsc;
993 EVP_PKEY *upkey;
994
995 upkey = X509_get_pubkey(xca);
996 EVP_PKEY_copy_parameters(upkey, pkey);
997 EVP_PKEY_free(upkey);
998
999 if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
1000 BIO_printf(bio_err, "Error initialising X509 store\n");
1001 goto end;
1002 }
1003 if (sno)
1004 bs = sno;
1005 else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
1006 goto end;
1007
1008/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/
1009
1010 /*
1011 * NOTE: this certificate can/should be self signed, unless it was a
1012 * certificate request in which case it is not.
1013 */
1014 X509_STORE_CTX_set_cert(&xsc, x);
1015 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
1016 if (!reqfile && X509_verify_cert(&xsc) <= 0)
1017 goto end;
1018
1019 if (!X509_check_private_key(xca, pkey)) {
1020 BIO_printf(bio_err, "CA certificate and CA private key do not match\n");
1021 goto end;
1022 }
1023 if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
1024 goto end;
1025 if (!X509_set_serialNumber(x, bs))
1026 goto end;
1027
1028 if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL)
1029 goto end;
1030
1031 /* hardwired expired */
1032 if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
1033 goto end;
1034
1035 if (clrext) {
1036 while (X509_get_ext_count(x) > 0)
1037 X509_delete_ext(x, 0);
1038 }
1039 if (conf) {
1040 X509V3_CTX ctx2;
1041 X509_set_version(x, 2); /* version 3 certificate */
1042 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
1043 X509V3_set_nconf(&ctx2, conf);
1044 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
1045 goto end;
1046 }
1047 if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))
1048 goto end;
1049 ret = 1;
1050end:
1051 X509_STORE_CTX_cleanup(&xsc);
1052 if (!ret)
1053 ERR_print_errors(bio_err);
1054 if (!sno)
1055 ASN1_INTEGER_free(bs);
1056 return ret;
1057}
1058
1059static int
1060callb(int ok, X509_STORE_CTX *ctx)
1061{
1062 int err;
1063 X509 *err_cert;
1064
1065 /*
1066 * it is ok to use a self signed certificate This case will catch
1067 * both the initial ok == 0 and the final ok == 1 calls to this
1068 * function
1069 */
1070 err = X509_STORE_CTX_get_error(ctx);
1071 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
1072 return 1;
1073
1074 /*
1075 * BAD we should have gotten an error. Normally if everything worked
1076 * X509_STORE_CTX_get_error(ctx) will still be set to
1077 * DEPTH_ZERO_SELF_....
1078 */
1079 if (ok) {
1080 BIO_printf(bio_err, "error with certificate to be certified - should be self signed\n");
1081 return 0;
1082 } else {
1083 err_cert = X509_STORE_CTX_get_current_cert(ctx);
1084 print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);
1085 BIO_printf(bio_err, "error with certificate - error %d at depth %d\n%s\n",
1086 err, X509_STORE_CTX_get_error_depth(ctx),
1087 X509_verify_cert_error_string(err));
1088 return 1;
1089 }
1090}
1091
1092/* self sign */
1093static int
1094sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
1095 CONF *conf, char *section)
1096{
1097
1098 EVP_PKEY *pktmp;
1099
1100 pktmp = X509_get_pubkey(x);
1101 EVP_PKEY_copy_parameters(pktmp, pkey);
1102 EVP_PKEY_save_parameters(pktmp, 1);
1103 EVP_PKEY_free(pktmp);
1104
1105 if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
1106 goto err;
1107 if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
1108 goto err;
1109
1110 /* Lets just make it 12:00am GMT, Jan 1 1970 */
1111 /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
1112 /* 28 days to be certified */
1113
1114 if (X509_gmtime_adj(X509_get_notAfter(x),
1115 (long) 60 * 60 * 24 * days) == NULL)
1116 goto err;
1117
1118 if (!X509_set_pubkey(x, pkey))
1119 goto err;
1120 if (clrext) {
1121 while (X509_get_ext_count(x) > 0)
1122 X509_delete_ext(x, 0);
1123 }
1124 if (conf) {
1125 X509V3_CTX ctx;
1126 X509_set_version(x, 2); /* version 3 certificate */
1127 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
1128 X509V3_set_nconf(&ctx, conf);
1129 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
1130 goto err;
1131 }
1132 if (!X509_sign(x, pkey, digest))
1133 goto err;
1134 return 1;
1135
1136err:
1137 ERR_print_errors(bio_err);
1138 return 0;
1139}
1140
1141static int
1142purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
1143{
1144 int id, i, idret;
1145 char *pname;
1146
1147 id = X509_PURPOSE_get_id(pt);
1148 pname = X509_PURPOSE_get0_name(pt);
1149 for (i = 0; i < 2; i++) {
1150 idret = X509_check_purpose(cert, id, i);
1151 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
1152 if (idret == 1)
1153 BIO_printf(bio, "Yes\n");
1154 else if (idret == 0)
1155 BIO_printf(bio, "No\n");
1156 else
1157 BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
1158 }
1159 return 1;
1160}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-04 14:08:46 +0000