diff options
author | simon <simon@FreeBSD.org> | 2010-02-28 18:49:43 +0000 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2010-02-28 18:49:43 +0000 |
commit | cdb6eef1f013e22a10ab5f5829dcdc3b5e32d385 (patch) | |
tree | 21770f10e7f26d05fc9b0fa96a7b6d7b107552c5 /apps | |
parent | 3bc8c7595d6f805f614ed860868465e3c1d3ee2b (diff) | |
download | FreeBSD-src-cdb6eef1f013e22a10ab5f5829dcdc3b5e32d385.zip FreeBSD-src-cdb6eef1f013e22a10ab5f5829dcdc3b5e32d385.tar.gz |
Import OpenSSL 0.9.8m.
Diffstat (limited to 'apps')
-rw-r--r-- | apps/CA.sh | 121 | ||||
-rw-r--r-- | apps/Makefile | 71 | ||||
-rw-r--r-- | apps/apps.c | 2 | ||||
-rw-r--r-- | apps/ca.c | 69 | ||||
-rw-r--r-- | apps/dsa.c | 2 | ||||
-rw-r--r-- | apps/dsaparam.c | 6 | ||||
-rw-r--r-- | apps/enc.c | 7 | ||||
-rw-r--r-- | apps/gendsa.c | 6 | ||||
-rw-r--r-- | apps/genpkey.c | 440 | ||||
-rw-r--r-- | apps/genrsa.c | 8 | ||||
-rw-r--r-- | apps/openssl.c | 10 | ||||
-rw-r--r-- | apps/pkcs12.c | 6 | ||||
-rw-r--r-- | apps/pkey.c | 284 | ||||
-rw-r--r-- | apps/pkeyparam.c | 201 | ||||
-rw-r--r-- | apps/pkeyutl.c | 570 | ||||
-rw-r--r-- | apps/req.c | 6 | ||||
-rw-r--r-- | apps/s_apps.h | 3 | ||||
-rw-r--r-- | apps/s_cb.c | 105 | ||||
-rw-r--r-- | apps/s_client.c | 43 | ||||
-rw-r--r-- | apps/s_server.c | 56 | ||||
-rw-r--r-- | apps/s_socket.c | 6 | ||||
-rw-r--r-- | apps/speed.c | 26 | ||||
-rw-r--r-- | apps/ts.c | 1144 | ||||
-rw-r--r-- | apps/tsget | 195 | ||||
-rw-r--r-- | apps/x509.c | 1 |
25 files changed, 403 insertions, 2985 deletions
@@ -5,10 +5,10 @@ # things easier between now and when Eric is convinced to fix it :-) # # CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request -# CA -sign ... will sign the generated request and output +# CA -newreq ... will generate a certificate request +# CA -sign ... will sign the generated request and output # -# At the end of that grab newreq.pem and newcert.pem (one has the key +# At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what # you want/need ... I'll make even this a little cleaner later. # @@ -16,8 +16,8 @@ # 12-Jan-96 tjh Added more things ... including CA -signcert which # converts a certificate to a request and then signs it. # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. +# environment variable so this can be driven from +# a script. # 25-Jul-96 eay Cleaned up filenames some more. # 11-Jun-96 eay Fixed a few filename missmatches. # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. @@ -29,52 +29,87 @@ # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored +cp_pem() { + infile=$1 + outfile=$2 + bound=$3 + flag=0 + exec <$infile; + while read line; do + if [ $flag -eq 1 ]; then + echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ] ; then + echo $line >>$outfile + break + else + echo $line >>$outfile + fi + fi + + echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ]; then + echo $line >$outfile + flag=1 + fi + done +} + +usage() { + echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 +} if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi -DAYS="-days 365" # 1 year +if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year CADAYS="-days 1095" # 3 years REQ="$OPENSSL req $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" VERIFY="$OPENSSL verify" X509="$OPENSSL x509" +PKCS12="openssl pkcs12" -CATOP=./demoCA +if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi CAKEY=./cakey.pem CAREQ=./careq.pem CACERT=./cacert.pem -for i -do -case $i in +RET=0 + +while [ "$1" != "" ] ; do +case $1 in -\?|-h|-help) - echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 + usage exit 0 ;; --newcert) +-newcert) # create a certificate $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS RET=$? echo "Certificate is in newcert.pem, private key is in newkey.pem" ;; --newreq) +-newreq) # create a certificate request $REQ -new -keyout newkey.pem -out newreq.pem $DAYS RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" ;; --newca) +-newreq-nodes) + # create a certificate request + $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS + RET=$? + echo "Request (and private key) is in newreq.pem" + ;; +-newca) # if explicitly asked for or it doesn't exist then setup the directory - # structure that Eric likes to manage things + # structure that Eric likes to manage things NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy - mkdir ${CATOP} - mkdir ${CATOP}/certs - mkdir ${CATOP}/crl - mkdir ${CATOP}/newcerts - mkdir ${CATOP}/private - echo "00" > ${CATOP}/serial + mkdir -p ${CATOP} + mkdir -p ${CATOP}/certs + mkdir -p ${CATOP}/crl + mkdir -p ${CATOP}/newcerts + mkdir -p ${CATOP}/private touch ${CATOP}/index.txt fi if [ ! -f ${CATOP}/private/$CAKEY ]; then @@ -83,37 +118,60 @@ case $i in # ask user for existing CA certificate if [ "$FILE" ]; then - cp $FILE ${CATOP}/private/$CAKEY + cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE + cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE RET=$? + if [ ! -f "${CATOP}/serial" ]; then + $X509 -in ${CATOP}/$CACERT -noout -next_serial \ + -out ${CATOP}/serial + fi else echo "Making CA certificate ..." $REQ -new -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CAREQ - $CA -out ${CATOP}/$CACERT $CADAYS -batch \ + $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ - -infiles ${CATOP}/$CAREQ + -extensions v3_ca \ + -infiles ${CATOP}/$CAREQ RET=$? fi fi ;; -xsign) - $CA -policy policy_anything -infiles newreq.pem + $CA -policy policy_anything -infiles newreq.pem RET=$? ;; --sign|-signreq) +-pkcs12) + if [ -z "$2" ] ; then + CNAME="My Certificate" + else + CNAME="$2" + fi + $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ + -out newcert.p12 -export -name "$CNAME" + RET=$? + exit $RET + ;; +-sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --signcert) +-signCA) + $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem + RET=$? + echo "Signed CA certificate is in newcert.pem" + ;; +-signcert) echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem + RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --verify) +-verify) shift if [ -z "$1" ]; then $VERIFY -CAfile $CATOP/$CACERT newcert.pem @@ -127,13 +185,14 @@ case $i in fi done fi - exit 0 + exit $RET ;; *) - echo "Unknown arg $i"; + echo "Unknown arg $i" >&2 + usage exit 1 ;; esac +shift done exit $RET - diff --git a/apps/Makefile b/apps/Makefile index 402981a..a548815 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -153,17 +153,19 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} - -(cd ..; \ - OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ - $(PERL) tools/c_rehash certs) + @if [ -z "$(CROSS_COMPILE)" ]; then \ + (cd ..; \ + OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ + $(PERL) tools/c_rehash certs) \ + fi progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h @@ -750,13 +752,14 @@ s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c +s_cb.o: ../include/openssl/rand.h ../include/openssl/safestack.h +s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_cb.o: s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -805,28 +808,28 @@ s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h -s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h -s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_socket.o: s_apps.h s_socket.c +s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h +s_socket.o: ../include/openssl/bio.h ../include/openssl/bn.h +s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_socket.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_socket.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h diff --git a/apps/apps.c b/apps/apps.c index 498722a..35b62b8 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_X509_STRICT; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; @@ -216,7 +216,6 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, @@ -227,7 +226,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); static int get_certificate_status(const char *ser_status, CA_DB *db); static int do_updatedb(CA_DB *db); -static int check_time_format(char *str); +static int check_time_format(const char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, const char *str); int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); @@ -858,8 +857,8 @@ bad: perror(outdir); goto err; } -#ifdef S_IFDIR - if (!(sb.st_mode & S_IFDIR)) +#ifdef S_ISDIR + if (!S_ISDIR(sb.st_mode)) { BIO_printf(bio_err,"%s need to be a directory\n",outdir); perror(outdir); @@ -895,7 +894,7 @@ bad: BIO_printf(bio_err," in entry %d\n", i+1); goto err; } - if (!check_time_format((char *)pp[DB_exp_date])) + if (!check_time_format(pp[DB_exp_date])) { BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1); goto err; @@ -1249,7 +1248,12 @@ bad: BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total); (void)BIO_flush(bio_err); buf[0][0]='\0'; - fgets(buf[0],10,stdin); + if (!fgets(buf[0],10,stdin)) + { + BIO_printf(bio_err,"CERTIFICATION CANCELED: I/O error\n"); + ret=0; + goto err; + } if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); @@ -2091,7 +2095,7 @@ again2: } BIO_printf(bio_err,"Certificate is to be certified until "); - ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); + ASN1_TIME_print(bio_err,X509_get_notAfter(ret)); if (days) BIO_printf(bio_err," (%ld days)",days); BIO_printf(bio_err, "\n"); @@ -2101,7 +2105,12 @@ again2: BIO_printf(bio_err,"Sign the certificate? [y/n]:"); (void)BIO_flush(bio_err); buf[0]='\0'; - fgets(buf,sizeof(buf)-1,stdin); + if (!fgets(buf,sizeof(buf)-1,stdin)) + { + BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); + ok=0; + goto err; + } if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); @@ -2317,25 +2326,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, continue; } - /* - if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) - continue; - */ - - j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); - if (fix_data(nid, &j) == 0) - { - BIO_printf(bio_err, - "invalid characters in string %s\n",buf); - goto err; - } - - if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, - (unsigned char *)buf, - strlen(buf))) == NULL) + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + (unsigned char *)buf, -1, -1, 0)) goto err; - - if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; } if (spki == NULL) { @@ -2378,29 +2371,17 @@ err: return(ok); } -static int fix_data(int nid, int *type) - { - if (nid == NID_pkcs9_emailAddress) - *type=V_ASN1_IA5STRING; - if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) - return(0); - if (nid == NID_pkcs9_unstructuredName) - *type=V_ASN1_IA5STRING; - return(1); - } - -static int check_time_format(char *str) +static int check_time_format(const char *str) { - ASN1_UTCTIME tm; + ASN1_TIME tm; tm.data=(unsigned char *)str; tm.length=strlen(str); tm.type=V_ASN1_UTCTIME; - return(ASN1_UTCTIME_check(&tm)); + if (ASN1_TIME_check(&tm)) + return 1; + tm.type=V_ASN1_GENERALIZEDTIME; + return ASN1_TIME_check(&tm); } static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) @@ -65,11 +65,11 @@ #include "apps.h" #include <openssl/bio.h> #include <openssl/err.h> -#include <openssl/dsa.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/bn.h> +#include <openssl/dsa.h> #undef PROG #define PROG dsa_main diff --git a/apps/dsaparam.c b/apps/dsaparam.c index c301e81..4305a73 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb) #endif return 1; } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif @@ -226,7 +226,12 @@ int MAIN(int argc, char **argv) goto bad; } buf[0]='\0'; - fgets(buf,sizeof buf,infile); + if (!fgets(buf,sizeof buf,infile)) + { + BIO_printf(bio_err,"unable to read key from '%s'\n", + file); + goto bad; + } fclose(infile); i=strlen(buf); if ((i > 0) && diff --git a/apps/gendsa.c b/apps/gendsa.c index 8a296c6..22c3962 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -279,4 +279,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/apps/genpkey.c b/apps/genpkey.c deleted file mode 100644 index 6dfda08..0000000 --- a/apps/genpkey.c +++ /dev/null @@ -1,440 +0,0 @@ -/* apps/genpkey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e); -static int genpkey_cb(EVP_PKEY_CTX *ctx); - -#define PROG genpkey_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - ENGINE *e = NULL; - char **args, *outfile = NULL; - char *passarg = NULL; - BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int outformat; - int text = 0; - EVP_PKEY *pkey=NULL; - EVP_PKEY_CTX *ctx = NULL; - char *pass = NULL; - int badarg = 0; - int ret = 1, rv; - - int do_param = 0; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - outformat=FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp(*args,"-outform")) - { - if (args[1]) - { - args++; - outformat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-pass")) - { - if (!args[1]) goto bad; - passarg= *(++args); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) - goto bad; - e = setup_engine(bio_err, *(++args), 0); - } -#endif - else if (!strcmp (*args, "-paramfile")) - { - if (!args[1]) - goto bad; - args++; - if (do_param == 1) - goto bad; - if (!init_keygen_file(bio_err, &ctx, *args, e)) - goto end; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } - else if (strcmp(*args,"-algorithm") == 0) - { - if (!args[1]) - goto bad; - if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param)) - goto end; - } - else if (strcmp(*args,"-pkeyopt") == 0) - { - if (!args[1]) - goto bad; - if (!ctx) - { - BIO_puts(bio_err, "No keytype specified\n"); - goto bad; - } - else if (pkey_ctrl_string(ctx, *(++args)) <= 0) - { - BIO_puts(bio_err, "parameter setting error\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else if (strcmp(*args,"-genparam") == 0) - { - if (ctx) - goto bad; - do_param = 1; - } - else if (strcmp(*args,"-text") == 0) - text=1; - else - { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) - { - BIO_printf(bio_err, "Unknown cipher %s\n", - *args + 1); - badarg = 1; - } - if (do_param == 1) - badarg = 1; - } - args++; - } - - if (!ctx) - badarg = 1; - - if (badarg) - { - bad: - BIO_printf(bio_err, "Usage: genpkey [options]\n"); - BIO_printf(bio_err, "where options may be\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-pass arg output file pass phrase source\n"); - BIO_printf(bio_err, "-<cipher> use cipher <cipher> to encrypt the key\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-paramfile file parameters file\n"); - BIO_printf(bio_err, "-algorithm alg the public key algorithm\n"); - BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n" - " to value <value>\n"); - BIO_printf(bio_err, "-genparam generate parameters, not key\n"); - BIO_printf(bio_err, "-text print the in text\n"); - BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n"); - goto end; - } - - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) - { - BIO_puts(bio_err, "Error getting password\n"); - goto end; - } - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "wb"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); - EVP_PKEY_CTX_set_app_data(ctx, bio_err); - - if (do_param) - { - if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) - { - BIO_puts(bio_err, "Error generating parameters\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - { - if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - { - BIO_puts(bio_err, "Error generating key\n"); - ERR_print_errors(bio_err); - goto end; - } - } - - if (do_param) - rv = PEM_write_bio_Parameters(out, pkey); - else if (outformat == FORMAT_PEM) - rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, - NULL, pass); - else if (outformat == FORMAT_ASN1) - rv = i2d_PrivateKey_bio(out, pkey); - else - { - BIO_printf(bio_err, "Bad format specified for key\n"); - goto end; - } - - if (rv <= 0) - { - BIO_puts(bio_err, "Error writing key\n"); - ERR_print_errors(bio_err); - } - - if (text) - { - if (do_param) - rv = EVP_PKEY_print_params(out, pkey, 0, NULL); - else - rv = EVP_PKEY_print_private(out, pkey, 0, NULL); - - if (rv <= 0) - { - BIO_puts(bio_err, "Error printing key\n"); - ERR_print_errors(bio_err); - } - } - - ret = 0; - - end: - if (pkey) - EVP_PKEY_free(pkey); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (out) - BIO_free_all(out); - BIO_free(in); - if (pass) - OPENSSL_free(pass); - - return ret; - } - -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e) - { - BIO *pbio; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; - if (*pctx) - { - BIO_puts(err, "Parameters already set!\n"); - return 0; - } - - pbio = BIO_new_file(file, "r"); - if (!pbio) - { - BIO_printf(err, "Can't open parameter file %s\n", file); - return 0; - } - - pkey = PEM_read_bio_Parameters(pbio, NULL); - BIO_free(pbio); - - if (!pkey) - { - BIO_printf(bio_err, "Error reading parameter file %s\n", file); - return 0; - } - - ctx = EVP_PKEY_CTX_new(pkey, e); - if (!ctx) - goto err; - if (EVP_PKEY_keygen_init(ctx) <= 0) - goto err; - EVP_PKEY_free(pkey); - *pctx = ctx; - return 1; - - err: - BIO_puts(err, "Error initializing context\n"); - ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (pkey) - EVP_PKEY_free(pkey); - return 0; - - } - -int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, - const char *algname, ENGINE *e, int do_param) - { - EVP_PKEY_CTX *ctx = NULL; - const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *tmpeng = NULL; - int pkey_id; - - if (*pctx) - { - BIO_puts(err, "Algorithm already set!\n"); - return 0; - } - - ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1); - -#ifndef OPENSSL_NO_ENGINE - if (!ameth && e) - ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1); -#endif - - if (!ameth) - { - BIO_printf(bio_err, "Algorithm %s not found\n", algname); - return 0; - } - - ERR_clear_error(); - - EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); -#ifndef OPENSSL_NO_ENGINE - if (tmpeng) - ENGINE_finish(tmpeng); -#endif - ctx = EVP_PKEY_CTX_new_id(pkey_id, e); - - if (!ctx) - goto err; - if (do_param) - { - if (EVP_PKEY_paramgen_init(ctx) <= 0) - goto err; - } - else - { - if (EVP_PKEY_keygen_init(ctx) <= 0) - goto err; - } - - *pctx = ctx; - return 1; - - err: - BIO_printf(err, "Error initializing %s context\n", algname); - ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); - return 0; - - } - -static int genpkey_cb(EVP_PKEY_CTX *ctx) - { - char c='*'; - BIO *b = EVP_PKEY_CTX_get_app_data(ctx); - int p; - p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - if (p == 0) c='.'; - if (p == 1) c='+'; - if (p == 2) c='*'; - if (p == 3) c='\n'; - BIO_write(b,&c,1); - (void)BIO_flush(b); -#ifdef LINT - p=n; -#endif - return 1; - } diff --git a/apps/genrsa.c b/apps/genrsa.c index fdc0d4a..5759acb 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -106,9 +106,9 @@ int MAIN(int argc, char **argv) char *inrand=NULL; BIO *out=NULL; BIGNUM *bn = BN_new(); - RSA *rsa = RSA_new(); + RSA *rsa = NULL; - if(!bn || !rsa) goto err; + if(!bn) goto err; apps_startup(); BN_GENCB_set(&cb, genrsa_cb, bio_err); @@ -269,6 +269,10 @@ bad: BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n", num); + rsa = RSA_new(); + if (!rsa) + goto err; + if (use_x931) { BIGNUM *pubexp; diff --git a/apps/openssl.c b/apps/openssl.c index 7d2b476..480fef9 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -235,16 +235,19 @@ int main(int Argc, char *Argv[]) in_FIPS_mode = 0; -#ifdef OPENSSL_FIPS if(getenv("OPENSSL_FIPS")) { +#ifdef OPENSSL_FIPS if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); EXIT(1); } in_FIPS_mode = 1; - } +#else + fprintf(stderr, "FIPS mode not supported.\n"); + EXIT(1); #endif + } if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) @@ -333,7 +336,8 @@ int main(int Argc, char *Argv[]) else prompt="OpenSSL> "; fputs(prompt,stdout); fflush(stdout); - fgets(p,n,stdin); + if (!fgets(p,n,stdin)) + goto end; if (p[0] == '\0') goto end; i=strlen(p); if (i <= 1) break; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 248bc11..0db0b79 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -68,6 +68,12 @@ #include <openssl/pem.h> #include <openssl/pkcs12.h> +#ifdef OPENSSL_SYS_NETWARE +/* Rename these functions to avoid name clashes on NetWare OS */ +#define uni2asc OPENSSL_uni2asc +#define asc2uni OPENSSL_asc2uni +#endif + #define PROG pkcs12_main const EVP_CIPHER *enc; diff --git a/apps/pkey.c b/apps/pkey.c deleted file mode 100644 index 17e6702..0000000 --- a/apps/pkey.c +++ /dev/null @@ -1,284 +0,0 @@ -/* apps/pkey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> - -#define PROG pkey_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - ENGINE *e = NULL; - char **args, *infile = NULL, *outfile = NULL; - char *passargin = NULL, *passargout = NULL; - BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int informat, outformat; - int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0; - EVP_PKEY *pkey=NULL; - char *passin = NULL, *passout = NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine=NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - informat=FORMAT_PEM; - outformat=FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp(*args,"-inform")) - { - if (args[1]) - { - args++; - informat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-outform")) - { - if (args[1]) - { - args++; - outformat=str2fmt(*args); - } - else badarg = 1; - } - else if (!strcmp(*args,"-passin")) - { - if (!args[1]) goto bad; - passargin= *(++args); - } - else if (!strcmp(*args,"-passout")) - { - if (!args[1]) goto bad; - passargout= *(++args); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) goto bad; - engine= *(++args); - } -#endif - else if (!strcmp (*args, "-in")) - { - if (args[1]) - { - args++; - infile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } - else if (strcmp(*args,"-pubin") == 0) - { - pubin=1; - pubout=1; - pubtext=1; - } - else if (strcmp(*args,"-pubout") == 0) - pubout=1; - else if (strcmp(*args,"-text_pub") == 0) - { - pubtext=1; - text=1; - } - else if (strcmp(*args,"-text") == 0) - text=1; - else if (strcmp(*args,"-noout") == 0) - noout=1; - else - { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) - { - BIO_printf(bio_err, "Unknown cipher %s\n", - *args + 1); - badarg = 1; - } - } - args++; - } - - if (badarg) - { - bad: - BIO_printf(bio_err, "Usage pkey [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); - BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-passout arg output file pass phrase source\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } - -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) - { - BIO_printf(bio_err, "Error getting passwords\n"); - goto end; - } - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "wb"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (pubin) - pkey = load_pubkey(bio_err, infile, informat, 1, - passin, e, "Public Key"); - else - pkey = load_key(bio_err, infile, informat, 1, - passin, e, "key"); - if (!pkey) - goto end; - - if (!noout) - { - if (outformat == FORMAT_PEM) - { - if (pubout) - PEM_write_bio_PUBKEY(out,pkey); - else - PEM_write_bio_PrivateKey(out, pkey, cipher, - NULL, 0, NULL, passout); - } - else if (outformat == FORMAT_ASN1) - { - if (pubout) - i2d_PUBKEY_bio(out, pkey); - else - i2d_PrivateKey_bio(out, pkey); - } - else - { - BIO_printf(bio_err, "Bad format specified for key\n"); - goto end; - } - - } - - if (text) - { - if (pubtext) - EVP_PKEY_print_public(out, pkey, 0, NULL); - else - EVP_PKEY_print_private(out, pkey, 0, NULL); - } - - ret = 0; - - end: - EVP_PKEY_free(pkey); - BIO_free_all(out); - BIO_free(in); - if (passin) - OPENSSL_free(passin); - if (passout) - OPENSSL_free(passout); - - return ret; - } diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c deleted file mode 100644 index 4319eb4..0000000 --- a/apps/pkeyparam.c +++ /dev/null @@ -1,201 +0,0 @@ -/* apps/pkeyparam.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006 - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include <stdio.h> -#include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/err.h> -#include <openssl/evp.h> - -#define PROG pkeyparam_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - char **args, *infile = NULL, *outfile = NULL; - BIO *in = NULL, *out = NULL; - int text = 0, noout = 0; - EVP_PKEY *pkey=NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; - char *engine=NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp (*args, "-in")) - { - if (args[1]) - { - args++; - infile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args,"-engine") == 0) - { - if (!args[1]) goto bad; - engine= *(++args); - } -#endif - - else if (strcmp(*args,"-text") == 0) - text=1; - else if (strcmp(*args,"-noout") == 0) - noout=1; - args++; - } - - if (badarg) - { -#ifndef OPENSSL_NO_ENGINE - bad: -#endif - BIO_printf(bio_err, "Usage pkeyparam [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-text print parameters as text\n"); - BIO_printf(bio_err, "-noout don't output encoded parameters\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } - -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - - if (infile) - { - if (!(in = BIO_new_file (infile, "r"))) - { - BIO_printf(bio_err, - "Can't open input file %s\n", infile); - goto end; - } - } - else - in = BIO_new_fp (stdin, BIO_NOCLOSE); - - if (outfile) - { - if (!(out = BIO_new_file (outfile, "w"))) - { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); - goto end; - } - } - else - { - out = BIO_new_fp (stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - pkey = PEM_read_bio_Parameters(in, NULL); - if (!pkey) - { - BIO_printf(bio_err, "Error reading paramters\n"); - ERR_print_errors(bio_err); - goto end; - } - - if (!noout) - PEM_write_bio_Parameters(out,pkey); - - if (text) - EVP_PKEY_print_params(out, pkey, 0, NULL); - - ret = 0; - - end: - EVP_PKEY_free(pkey); - BIO_free_all(out); - BIO_free(in); - - return ret; - } diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c deleted file mode 100644 index b808e1e..0000000 --- a/apps/pkeyutl.c +++ /dev/null @@ -1,570 +0,0 @@ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include "apps.h" -#include <string.h> -#include <openssl/err.h> -#include <openssl/pem.h> -#include <openssl/evp.h> - -#define KEY_PRIVKEY 1 -#define KEY_PUBKEY 2 -#define KEY_CERT 3 - -static void usage(void); - -#undef PROG - -#define PROG pkeyutl_main - -static EVP_PKEY_CTX *init_ctx(int *pkeysize, - char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e); - -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file); - -static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, - unsigned char *out, size_t *poutlen, - unsigned char *in, size_t inlen); - -int MAIN(int argc, char **); - -int MAIN(int argc, char **argv) -{ - BIO *in = NULL, *out = NULL; - char *infile = NULL, *outfile = NULL, *sigfile = NULL; - ENGINE *e = NULL; - int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; - int keyform = FORMAT_PEM, peerform = FORMAT_PEM; - char badarg = 0, rev = 0; - char hexdump = 0, asn1parse = 0; - EVP_PKEY_CTX *ctx = NULL; - char *passargin = NULL; - int keysize = -1; - - unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; - size_t buf_outlen; - int buf_inlen = 0, siglen = -1; - - int ret = 1, rv = -1; - - argc--; - argv++; - - if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - - while(argc >= 1) - { - if (!strcmp(*argv,"-in")) - { - if (--argc < 1) badarg = 1; - infile= *(++argv); - } - else if (!strcmp(*argv,"-out")) - { - if (--argc < 1) badarg = 1; - outfile= *(++argv); - } - else if (!strcmp(*argv,"-sigfile")) - { - if (--argc < 1) badarg = 1; - sigfile= *(++argv); - } - else if(!strcmp(*argv, "-inkey")) - { - if (--argc < 1) - badarg = 1; - else - { - ctx = init_ctx(&keysize, - *(++argv), keyform, key_type, - passargin, pkey_op, e); - if (!ctx) - { - BIO_puts(bio_err, - "Error initializing context\n"); - ERR_print_errors(bio_err); - badarg = 1; - } - } - } - else if (!strcmp(*argv,"-peerkey")) - { - if (--argc < 1) - badarg = 1; - else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) - badarg = 1; - } - else if (!strcmp(*argv,"-passin")) - { - if (--argc < 1) badarg = 1; - passargin= *(++argv); - } - else if (strcmp(*argv,"-peerform") == 0) - { - if (--argc < 1) badarg = 1; - peerform=str2fmt(*(++argv)); - } - else if (strcmp(*argv,"-keyform") == 0) - { - if (--argc < 1) badarg = 1; - keyform=str2fmt(*(++argv)); - } -#ifndef OPENSSL_NO_ENGINE - else if(!strcmp(*argv, "-engine")) - { - if (--argc < 1) - badarg = 1; - else - e = setup_engine(bio_err, *(++argv), 0); - } -#endif - else if(!strcmp(*argv, "-pubin")) - key_type = KEY_PUBKEY; - else if(!strcmp(*argv, "-certin")) - key_type = KEY_CERT; - else if(!strcmp(*argv, "-asn1parse")) - asn1parse = 1; - else if(!strcmp(*argv, "-hexdump")) - hexdump = 1; - else if(!strcmp(*argv, "-sign")) - pkey_op = EVP_PKEY_OP_SIGN; - else if(!strcmp(*argv, "-verify")) - pkey_op = EVP_PKEY_OP_VERIFY; - else if(!strcmp(*argv, "-verifyrecover")) - pkey_op = EVP_PKEY_OP_VERIFYRECOVER; - else if(!strcmp(*argv, "-rev")) - rev = 1; - else if(!strcmp(*argv, "-encrypt")) - pkey_op = EVP_PKEY_OP_ENCRYPT; - else if(!strcmp(*argv, "-decrypt")) - pkey_op = EVP_PKEY_OP_DECRYPT; - else if(!strcmp(*argv, "-derive")) - pkey_op = EVP_PKEY_OP_DERIVE; - else if (strcmp(*argv,"-pkeyopt") == 0) - { - if (--argc < 1) - badarg = 1; - else if (!ctx) - { - BIO_puts(bio_err, - "-pkeyopt command before -inkey\n"); - badarg = 1; - } - else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) - { - BIO_puts(bio_err, "parameter setting error\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else badarg = 1; - if(badarg) - { - usage(); - goto end; - } - argc--; - argv++; - } - - if (!ctx) - { - usage(); - goto end; - } - - if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) - { - BIO_puts(bio_err, "Signature file specified for non verify\n"); - goto end; - } - - if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) - { - BIO_puts(bio_err, "No signature file specified for verify\n"); - goto end; - } - -/* FIXME: seed PRNG only if needed */ - app_RAND_load_file(NULL, bio_err, 0); - - if (pkey_op != EVP_PKEY_OP_DERIVE) - { - if(infile) - { - if(!(in = BIO_new_file(infile, "rb"))) - { - BIO_puts(bio_err, - "Error Opening Input File\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - } - - if(outfile) - { - if(!(out = BIO_new_file(outfile, "wb"))) - { - BIO_printf(bio_err, "Error Creating Output File\n"); - ERR_print_errors(bio_err); - goto end; - } - } - else - { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (sigfile) - { - BIO *sigbio = BIO_new_file(sigfile, "rb"); - if (!sigbio) - { - BIO_printf(bio_err, "Can't open signature file %s\n", - sigfile); - goto end; - } - siglen = bio_to_mem(&sig, keysize * 10, sigbio); - BIO_free(sigbio); - if (siglen <= 0) - { - BIO_printf(bio_err, "Error reading signature data\n"); - goto end; - } - } - - if (in) - { - /* Read the input data */ - buf_inlen = bio_to_mem(&buf_in, keysize * 10, in); - if(buf_inlen <= 0) - { - BIO_printf(bio_err, "Error reading input Data\n"); - exit(1); - } - if(rev) - { - size_t i; - unsigned char ctmp; - size_t l = (size_t)buf_inlen; - for(i = 0; i < l/2; i++) - { - ctmp = buf_in[i]; - buf_in[i] = buf_in[l - 1 - i]; - buf_in[l - 1 - i] = ctmp; - } - } - } - - if(pkey_op == EVP_PKEY_OP_VERIFY) - { - rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, - buf_in, (size_t)buf_inlen); - if (rv == 0) - BIO_puts(out, "Signature Verification Failure\n"); - else if (rv == 1) - BIO_puts(out, "Signature Verified Successfully\n"); - if (rv >= 0) - goto end; - } - else - { - rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - if (rv > 0) - { - buf_out = OPENSSL_malloc(buf_outlen); - if (!buf_out) - rv = -1; - else - rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - } - } - - if(rv <= 0) - { - BIO_printf(bio_err, "Public Key operation error\n"); - ERR_print_errors(bio_err); - goto end; - } - ret = 0; - if(asn1parse) - { - if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) - ERR_print_errors(bio_err); - } - else if(hexdump) - BIO_dump(out, (char *)buf_out, buf_outlen); - else - BIO_write(out, buf_out, buf_outlen); - - end: - if (ctx) - EVP_PKEY_CTX_free(ctx); - BIO_free(in); - BIO_free_all(out); - if (buf_in) - OPENSSL_free(buf_in); - if (buf_out) - OPENSSL_free(buf_out); - if (sig) - OPENSSL_free(sig); - return ret; -} - -static void usage() -{ - BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-signature file signature file (verify operation only)\n"); - BIO_printf(bio_err, "-inkey file input key\n"); - BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); - BIO_printf(bio_err, "-pubin input is a public key\n"); - BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n"); - BIO_printf(bio_err, "-pkeyopt X:Y public key options\n"); - BIO_printf(bio_err, "-sign sign with private key\n"); - BIO_printf(bio_err, "-verify verify with public key\n"); - BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n"); - BIO_printf(bio_err, "-encrypt encrypt with public key\n"); - BIO_printf(bio_err, "-decrypt decrypt with private key\n"); - BIO_printf(bio_err, "-derive derive shared secret\n"); - BIO_printf(bio_err, "-hexdump hex dump output\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-passin arg pass phrase source\n"); - -} - -static EVP_PKEY_CTX *init_ctx(int *pkeysize, - char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e) - { - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; - char *passin = NULL; - int rv = -1; - X509 *x; - if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) - || (pkey_op == EVP_PKEY_OP_DERIVE)) - && (key_type != KEY_PRIVKEY)) - { - BIO_printf(bio_err, "A private key is needed for this operation\n"); - goto end; - } - if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) - { - BIO_printf(bio_err, "Error getting password\n"); - goto end; - } - switch(key_type) - { - case KEY_PRIVKEY: - pkey = load_key(bio_err, keyfile, keyform, 0, - passin, e, "Private Key"); - break; - - case KEY_PUBKEY: - pkey = load_pubkey(bio_err, keyfile, keyform, 0, - NULL, e, "Public Key"); - break; - - case KEY_CERT: - x = load_cert(bio_err, keyfile, keyform, - NULL, e, "Certificate"); - if(x) - { - pkey = X509_get_pubkey(x); - X509_free(x); - } - break; - - } - - *pkeysize = EVP_PKEY_size(pkey); - - if (!pkey) - goto end; - - ctx = EVP_PKEY_CTX_new(pkey, e); - - EVP_PKEY_free(pkey); - - if (!ctx) - goto end; - - switch(pkey_op) - { - case EVP_PKEY_OP_SIGN: - rv = EVP_PKEY_sign_init(ctx); - break; - - case EVP_PKEY_OP_VERIFY: - rv = EVP_PKEY_verify_init(ctx); - break; - - case EVP_PKEY_OP_VERIFYRECOVER: - rv = EVP_PKEY_verify_recover_init(ctx); - break; - - case EVP_PKEY_OP_ENCRYPT: - rv = EVP_PKEY_encrypt_init(ctx); - break; - - case EVP_PKEY_OP_DECRYPT: - rv = EVP_PKEY_decrypt_init(ctx); - break; - - case EVP_PKEY_OP_DERIVE: - rv = EVP_PKEY_derive_init(ctx); - break; - } - - if (rv <= 0) - { - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - } - - end: - - if (passin) - OPENSSL_free(passin); - - return ctx; - - - } - -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file) - { - EVP_PKEY *peer = NULL; - int ret; - if (!ctx) - { - BIO_puts(err, "-peerkey command before -inkey\n"); - return 0; - } - - peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); - - if (!peer) - { - BIO_printf(bio_err, "Error reading peer key %s\n", file); - ERR_print_errors(err); - return 0; - } - - ret = EVP_PKEY_derive_set_peer(ctx, peer); - - EVP_PKEY_free(peer); - if (ret <= 0) - ERR_print_errors(err); - return ret; - } - -static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, - unsigned char *out, size_t *poutlen, - unsigned char *in, size_t inlen) - { - int rv = 0; - switch(pkey_op) - { - case EVP_PKEY_OP_VERIFYRECOVER: - rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_SIGN: - rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_ENCRYPT: - rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_DECRYPT: - rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen); - break; - - case EVP_PKEY_OP_DERIVE: - rv = EVP_PKEY_derive(ctx, out, poutlen); - break; - - } - return rv; - } @@ -1538,7 +1538,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { @@ -1596,7 +1597,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { diff --git a/apps/s_apps.h b/apps/s_apps.h index 08fbbc2..f5a39ba 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, unsigned char *data, int len, void *arg); #endif + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len); +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len); diff --git a/apps/s_cb.c b/apps/s_cb.c index a512589..97caffc 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -117,12 +117,17 @@ #undef NON_MAIN #undef USE_SOCKETS #include <openssl/err.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/ssl.h> #include "s_apps.h" +#define COOKIE_SECRET_LENGTH 16 + int verify_depth=0; int verify_error=X509_V_OK; +unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +int cookie_initialized=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { @@ -338,6 +343,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * break; default: str_version = "???"; + case DTLS1_VERSION: + str_version = "DTLS 1.0 "; + break; + case DTLS1_BAD_VER: + str_version = "DTLS 1.0 (bad) "; + break; } if (version == SSL2_VERSION) @@ -401,7 +412,10 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * } } - if (version == SSL3_VERSION || version == TLS1_VERSION) + if (version == SSL3_VERSION || + version == TLS1_VERSION || + version == DTLS1_VERSION || + version == DTLS1_BAD_VER) { switch (content_type) { @@ -540,6 +554,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 15: str_details1 = ", CertificateVerify"; break; + case 3: + str_details1 = ", HelloVerifyRequest"; + break; case 16: str_details1 = ", ClientKeyExchange"; break; @@ -621,6 +638,9 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, extname = "server ticket"; break; + case TLSEXT_TYPE_renegotiate: + extname = "renegotiate"; + break; default: extname = "unknown"; @@ -634,3 +654,86 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, BIO_dump(bio, (char *)data, len); (void)BIO_flush(bio); } + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + struct sockaddr_in peer; + + /* Initialize a random secret */ + if (!cookie_initialized) + { + if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) + { + BIO_printf(bio_err,"error setting random cookie secret\n"); + return 0; + } + cookie_initialized = 1; + } + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = sizeof(peer.sin_addr); + length += sizeof(peer.sin_port); + buffer = OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); + memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + memcpy(cookie, result, resultlength); + *cookie_len = resultlength; + + return 1; + } + +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + struct sockaddr_in peer; + + /* If secret isn't initialized yet, the cookie can't be valid */ + if (!cookie_initialized) + return 0; + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = sizeof(peer.sin_addr); + length += sizeof(peer.sin_port); + buffer = (unsigned char*) OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); + memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) + return 1; + + return 0; + } diff --git a/apps/s_client.c b/apps/s_client.c index 4974f5f..2f743f0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -226,7 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err," -mtu - set the MTU\n"); + BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); @@ -249,6 +249,7 @@ static void sc_usage(void) BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); #endif + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); } #ifndef OPENSSL_NO_TLSEXT @@ -286,7 +287,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - int off=0; + int off=0, clr = 0; SSL *con=NULL,*con2=NULL; X509_STORE *store = NULL; int s,k,width,state=0; @@ -318,6 +319,7 @@ int MAIN(int argc, char **argv) BIO *sbio; char *inrand=NULL; int mbuf_len=0; + struct timeval timeout, *timeoutp; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; char *ssl_client_engine_id=NULL; @@ -338,7 +340,7 @@ int MAIN(int argc, char **argv) struct sockaddr peer; int peerlen = sizeof(peer); int enable_timeouts = 0 ; - long mtu = 0; + long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE char *jpake_secret = NULL; #endif @@ -489,7 +491,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } #endif else if (strcmp(*argv,"-bugs") == 0) @@ -535,6 +537,12 @@ int MAIN(int argc, char **argv) #endif else if (strcmp(*argv,"-serverpref") == 0) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + else if (strcmp(*argv,"-legacy_server_connect") == 0) + { off|=SSL_OP_LEGACY_SERVER_CONNECT; } + else if (strcmp(*argv,"-no_legacy_server_connect") == 0) + { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -709,6 +717,9 @@ bad: SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); + + if (clr) + SSL_CTX_clear_options(ctx, clr); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -819,7 +830,6 @@ re_start: if ( SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); if (getsockname(s, &peer, (void *)&peerlen) < 0) @@ -843,10 +853,10 @@ re_start: BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1036,6 +1046,12 @@ SSL_set_tlsext_status_ids(con, ids); FD_ZERO(&readfds); FD_ZERO(&writefds); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { in_init=1; @@ -1132,7 +1148,7 @@ SSL_set_tlsext_status_ids(con, ids); if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; #endif } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #elif defined(OPENSSL_SYS_NETWARE) if(!write_tty) { @@ -1142,11 +1158,11 @@ SSL_set_tlsext_status_ids(con, ids); i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); #endif if ( i < 0) { @@ -1157,6 +1173,11 @@ SSL_set_tlsext_status_ids(con, ids); } } + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) { k=SSL_write(con,&(cbuf[cbuf_off]), @@ -1511,6 +1532,8 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); } + BIO_printf(bio, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); #ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); diff --git a/apps/s_server.c b/apps/s_server.c index 84b1b28..88b308c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -283,11 +283,10 @@ static char *engine_id=NULL; static const char *session_id_prefix=NULL; static int enable_timeouts = 0; -#ifdef mtu -#undef mtu -#endif -static long mtu; +static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; +#endif #ifdef MONOLITH @@ -375,7 +374,7 @@ static void sv_usage(void) BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); @@ -405,6 +404,7 @@ static void sv_usage(void) BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); #endif } @@ -772,6 +772,7 @@ int MAIN(int argc, char *argv[]) int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; X509 *s_cert = NULL, *s_dcert = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; + int no_cache = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; @@ -911,6 +912,8 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-no_cache") == 0) + no_cache = 1; else if (strcmp(*argv,"-crl_check") == 0) { vflags |= X509_V_FLAG_CRL_CHECK; @@ -921,6 +924,8 @@ int MAIN(int argc, char *argv[]) } else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -1032,7 +1037,7 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } else if (strcmp(*argv, "-chain") == 0) cert_chain = 1; @@ -1253,8 +1258,10 @@ bad: if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - - SSL_CTX_sess_set_cache_size(ctx,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx,128); #if 0 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); @@ -1321,7 +1328,10 @@ bad: if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); - SSL_CTX_sess_set_cache_size(ctx2,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx2,128); if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx2))) @@ -1498,6 +1508,10 @@ bad: SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); + /* Set DTLS cookie generation and verification callbacks */ + SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); + SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); + #ifndef OPENSSL_NO_TLSEXT if (ctx2) { @@ -1591,8 +1605,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; + struct timeval timeout; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; +#else + struct timeval *timeoutp; #endif if ((buf=OPENSSL_malloc(bufsize)) == NULL) @@ -1644,7 +1661,6 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -1660,10 +1676,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) } - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1745,7 +1761,19 @@ static int sv_body(char *hostname, int s, unsigned char *context) if(_kbhit()) read_from_terminal = 1; #else - i=select(width,(void *)&readfds,NULL,NULL,NULL); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + i=select(width,(void *)&readfds,NULL,NULL,timeoutp); + + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (i <= 0) continue; if (FD_ISSET(fileno(stdin),&readfds)) read_from_terminal = 1; @@ -2002,6 +2030,8 @@ static int init_ssl_connection(SSL *con) con->kssl_ctx->client_princ); } #endif /* OPENSSL_NO_KRB5 */ + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); return(1); } diff --git a/apps/s_socket.c b/apps/s_socket.c index 4a922e1..cf82358 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -62,6 +62,12 @@ #include <errno.h> #include <signal.h> +#ifdef FLAT_INC +#include "e_os2.h" +#else +#include "../e_os2.h" +#endif + /* With IPv6, it looks like Digital has mixed up the proper order of recursive header file inclusion, resulting in the compiler complaining that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which diff --git a/apps/speed.c b/apps/speed.c index af077b5..07f0ae0 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -254,8 +254,12 @@ # endif #endif -#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE) -# define HAVE_FORK 1 +#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE) +# define NO_FORK 1 +#elif HAVE_FORK +# undef NO_FORK +#else +# define NO_FORK 1 #endif #undef BUFSIZE @@ -271,7 +275,7 @@ static void print_message(const char *s,long num,int length); static void pkey_print_message(const char *str, const char *str2, long num, int bits, int sec); static void print_result(int alg,int run_no,int count,double time_used); -#ifdef HAVE_FORK +#ifndef NO_FORK static int do_multi(int multi); #endif @@ -293,8 +297,12 @@ static const char *names[ALGOR_NUM]={ "aes-128 ige","aes-192 ige","aes-256 ige"}; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +#ifndef OPENSSL_NO_RSA static double rsa_results[RSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_DSA static double dsa_results[DSA_NUM][2]; +#endif #ifndef OPENSSL_NO_ECDSA static double ecdsa_results[EC_NUM][2]; #endif @@ -749,7 +757,7 @@ int MAIN(int argc, char **argv) const EVP_CIPHER *evp_cipher=NULL; const EVP_MD *evp_md=NULL; int decrypt=0; -#ifdef HAVE_FORK +#ifndef NO_FORK int multi=0; #endif @@ -877,7 +885,7 @@ int MAIN(int argc, char **argv) j--; } #endif -#ifdef HAVE_FORK +#ifndef NO_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { argc--; @@ -1257,7 +1265,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); -#ifdef HAVE_FORK +#ifndef NO_FORK BIO_printf(bio_err,"-multi n run n benchmarks in parallel.\n"); #endif goto end; @@ -1267,7 +1275,7 @@ int MAIN(int argc, char **argv) j++; } -#ifdef HAVE_FORK +#ifndef NO_FORK if(multi && do_multi(multi)) goto show_res; #endif @@ -2462,7 +2470,7 @@ int MAIN(int argc, char **argv) } if (rnd_fake) RAND_cleanup(); #endif -#ifdef HAVE_FORK +#ifndef NO_FORK show_res: #endif if(!mr) @@ -2717,7 +2725,7 @@ static void print_result(int alg,int run_no,int count,double time_used) results[alg][run_no]=((double)count)/time_used*lengths[run_no]; } -#ifdef HAVE_FORK +#ifndef NO_FORK static char *sstrsep(char **string, const char *delim) { char isdelim[256]; diff --git a/apps/ts.c b/apps/ts.c deleted file mode 100644 index 74e7e93..0000000 --- a/apps/ts.c +++ /dev/null @@ -1,1144 +0,0 @@ -/* apps/ts.c */ -/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL - * project 2002. - */ -/* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "apps.h" -#include <openssl/bio.h> -#include <openssl/err.h> -#include <openssl/pem.h> -#include <openssl/rand.h> -#include <openssl/ts.h> -#include <openssl/bn.h> - -#undef PROG -#define PROG ts_main - -/* Length of the nonce of the request in bits (must be a multiple of 8). */ -#define NONCE_LENGTH 64 - -/* Macro definitions for the configuration file. */ -#define ENV_OID_FILE "oid_file" - -/* Local function declarations. */ - -static ASN1_OBJECT *txt2obj(const char *oid); -static CONF *load_config_file(const char *configfile); - -/* Query related functions. */ -static int query_command(const char *data, char *digest, - const EVP_MD *md, const char *policy, int no_nonce, - int cert, const char *in, const char *out, int text); -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp); -static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, int cert); -static int create_digest(BIO *input, char *digest, - const EVP_MD *md, unsigned char **md_value); -static ASN1_INTEGER *create_nonce(int bits); - -/* Reply related functions. */ -static int reply_command(CONF *conf, char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, char *out, int token_out, - int text); -static TS_RESP *read_PKCS7(BIO *in_bio); -static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy); -static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data); -static ASN1_INTEGER *next_serial(const char *serialfile); -static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); - -/* Verify related functions. */ -static int verify_command(char *data, char *digest, char *queryfile, - char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted); -static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, - char *queryfile, - char *ca_path, char *ca_file, - char *untrusted); -static X509_STORE *create_cert_store(char *ca_path, char *ca_file); -static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx); - -/* Main function definition. */ -int MAIN(int, char **); - -int MAIN(int argc, char **argv) - { - int ret = 1; - char *configfile = NULL; - char *section = NULL; - CONF *conf = NULL; - enum mode { - CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY - } mode = CMD_NONE; - char *data = NULL; - char *digest = NULL; - const EVP_MD *md = NULL; - char *rnd = NULL; - char *policy = NULL; - int no_nonce = 0; - int cert = 0; - char *in = NULL; - char *out = NULL; - int text = 0; - char *queryfile = NULL; - char *passin = NULL; /* Password source. */ - char *password =NULL; /* Password itself. */ - char *inkey = NULL; - char *signer = NULL; - char *chain = NULL; - char *ca_path = NULL; - char *ca_file = NULL; - char *untrusted = NULL; - char *engine = NULL; - /* Input is ContentInfo instead of TimeStampResp. */ - int token_in = 0; - /* Output is ContentInfo instead of TimeStampResp. */ - int token_out = 0; - int free_bio_err = 0; - - ERR_load_crypto_strings(); - apps_startup(); - - if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL) - { - free_bio_err = 1; - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - } - - for (argc--, argv++; argc > 0; argc--, argv++) - { - if (strcmp(*argv, "-config") == 0) - { - if (argc-- < 1) goto usage; - configfile = *++argv; - } - else if (strcmp(*argv, "-section") == 0) - { - if (argc-- < 1) goto usage; - section = *++argv; - } - else if (strcmp(*argv, "-query") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_QUERY; - } - else if (strcmp(*argv, "-data") == 0) - { - if (argc-- < 1) goto usage; - data = *++argv; - } - else if (strcmp(*argv, "-digest") == 0) - { - if (argc-- < 1) goto usage; - digest = *++argv; - } - else if (strcmp(*argv, "-rand") == 0) - { - if (argc-- < 1) goto usage; - rnd = *++argv; - } - else if (strcmp(*argv, "-policy") == 0) - { - if (argc-- < 1) goto usage; - policy = *++argv; - } - else if (strcmp(*argv, "-no_nonce") == 0) - { - no_nonce = 1; - } - else if (strcmp(*argv, "-cert") == 0) - { - cert = 1; - } - else if (strcmp(*argv, "-in") == 0) - { - if (argc-- < 1) goto usage; - in = *++argv; - } - else if (strcmp(*argv, "-token_in") == 0) - { - token_in = 1; - } - else if (strcmp(*argv, "-out") == 0) - { - if (argc-- < 1) goto usage; - out = *++argv; - } - else if (strcmp(*argv, "-token_out") == 0) - { - token_out = 1; - } - else if (strcmp(*argv, "-text") == 0) - { - text = 1; - } - else if (strcmp(*argv, "-reply") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_REPLY; - } - else if (strcmp(*argv, "-queryfile") == 0) - { - if (argc-- < 1) goto usage; - queryfile = *++argv; - } - else if (strcmp(*argv, "-passin") == 0) - { - if (argc-- < 1) goto usage; - passin = *++argv; - } - else if (strcmp(*argv, "-inkey") == 0) - { - if (argc-- < 1) goto usage; - inkey = *++argv; - } - else if (strcmp(*argv, "-signer") == 0) - { - if (argc-- < 1) goto usage; - signer = *++argv; - } - else if (strcmp(*argv, "-chain") == 0) - { - if (argc-- < 1) goto usage; - chain = *++argv; - } - else if (strcmp(*argv, "-verify") == 0) - { - if (mode != CMD_NONE) goto usage; - mode = CMD_VERIFY; - } - else if (strcmp(*argv, "-CApath") == 0) - { - if (argc-- < 1) goto usage; - ca_path = *++argv; - } - else if (strcmp(*argv, "-CAfile") == 0) - { - if (argc-- < 1) goto usage; - ca_file = *++argv; - } - else if (strcmp(*argv, "-untrusted") == 0) - { - if (argc-- < 1) goto usage; - untrusted = *++argv; - } - else if (strcmp(*argv, "-engine") == 0) - { - if (argc-- < 1) goto usage; - engine = *++argv; - } - else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) - { - /* empty. */ - } - else - goto usage; - } - - /* Seed the random number generator if it is going to be used. */ - if (mode == CMD_QUERY && !no_nonce) - { - if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL) - BIO_printf(bio_err, "warning, not much extra random " - "data, consider using the -rand option\n"); - if (rnd != NULL) - BIO_printf(bio_err,"%ld semi-random bytes loaded\n", - app_RAND_load_files(rnd)); - } - - /* Get the password if required. */ - if(mode == CMD_REPLY && passin && - !app_passwd(bio_err, passin, NULL, &password, NULL)) - { - BIO_printf(bio_err,"Error getting password.\n"); - goto cleanup; - } - - /* Check consistency of parameters and execute - the appropriate function. */ - switch (mode) - { - case CMD_NONE: - goto usage; - case CMD_QUERY: - /* Data file and message imprint cannot be specified - at the same time. */ - ret = data != NULL && digest != NULL; - if (ret) goto usage; - /* Load the config file for possible policy OIDs. */ - conf = load_config_file(configfile); - ret = !query_command(data, digest, md, policy, no_nonce, cert, - in, out, text); - break; - case CMD_REPLY: - conf = load_config_file(configfile); - if (in == NULL) - { - ret = !(queryfile != NULL && conf != NULL && !token_in); - if (ret) goto usage; - } - else - { - /* 'in' and 'queryfile' are exclusive. */ - ret = !(queryfile == NULL); - if (ret) goto usage; - } - - ret = !reply_command(conf, section, engine, queryfile, - password, inkey, signer, chain, policy, - in, token_in, out, token_out, text); - break; - case CMD_VERIFY: - ret = !(((queryfile && !data && !digest) - || (!queryfile && data && !digest) - || (!queryfile && !data && digest)) - && in != NULL); - if (ret) goto usage; - - ret = !verify_command(data, digest, queryfile, in, token_in, - ca_path, ca_file, untrusted); - } - - goto cleanup; - - usage: - BIO_printf(bio_err, "usage:\n" - "ts -query [-rand file%cfile%c...] [-config configfile] " - "[-data file_to_hash] [-digest digest_bytes]" - "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " - "[-policy object_id] [-no_nonce] [-cert] " - "[-in request.tsq] [-out request.tsq] [-text]\n", - LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "or\n" - "ts -reply [-config configfile] [-section tsa_section] " - "[-queryfile request.tsq] [-passin password] " - "[-signer tsa_cert.pem] [-inkey private_key.pem] " - "[-chain certs_file.pem] [-policy object_id] " - "[-in response.tsr] [-token_in] " - "[-out response.tsr] [-token_out] [-text] [-engine id]\n"); - BIO_printf(bio_err, "or\n" - "ts -verify [-data file_to_hash] [-digest digest_bytes] " - "[-queryfile request.tsq] " - "-in response.tsr [-token_in] " - "-CApath ca_path -CAfile ca_file.pem " - "-untrusted cert_file.pem\n"); - cleanup: - /* Clean up. */ - app_RAND_write_file(NULL, bio_err); - NCONF_free(conf); - OPENSSL_free(password); - OBJ_cleanup(); - if (free_bio_err) - { - BIO_free_all(bio_err); - bio_err = NULL; - } - - OPENSSL_EXIT(ret); - } - -/* - * Configuration file-related function definitions. - */ - -static ASN1_OBJECT *txt2obj(const char *oid) - { - ASN1_OBJECT *oid_obj = NULL; - - if (!(oid_obj = OBJ_txt2obj(oid, 0))) - BIO_printf(bio_err, "cannot convert %s to OID\n", oid); - - return oid_obj; - } - -static CONF *load_config_file(const char *configfile) - { - CONF *conf = NULL; - long errorline = -1; - - if (!configfile) configfile = getenv("OPENSSL_CONF"); - if (!configfile) configfile = getenv("SSLEAY_CONF"); - - if (configfile && - (!(conf = NCONF_new(NULL)) || - NCONF_load(conf, configfile, &errorline) <= 0)) - { - if (errorline <= 0) - BIO_printf(bio_err, "error loading the config file " - "'%s'\n", configfile); - else - BIO_printf(bio_err, "error on line %ld of config file " - "'%s'\n", errorline, configfile); - } - - if (conf != NULL) - { - const char *p; - - BIO_printf(bio_err,"Using configuration from %s\n", configfile); - p = NCONF_get_string(conf, NULL, ENV_OID_FILE); - if (p != NULL) - { - BIO *oid_bio = BIO_new_file(p, "r"); - if (!oid_bio) - ERR_print_errors(bio_err); - else - { - OBJ_create_objects(oid_bio); - BIO_free_all(oid_bio); - } - } - else - ERR_clear_error(); - if(!add_oid_section(bio_err, conf)) - ERR_print_errors(bio_err); - } - return conf; - } - -/* - * Query-related method definitions. - */ - -static int query_command(const char *data, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, - int cert, const char *in, const char *out, int text) - { - int ret = 0; - TS_REQ *query = NULL; - BIO *in_bio = NULL; - BIO *data_bio = NULL; - BIO *out_bio = NULL; - - /* Build query object either from file or from scratch. */ - if (in != NULL) - { - if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; - query = d2i_TS_REQ_bio(in_bio, NULL); - } - else - { - /* Open the file if no explicit digest bytes were specified. */ - if (!digest - && !(data_bio = BIO_open_with_default(data, "rb", stdin))) - goto end; - /* Creating the query object. */ - query = create_query(data_bio, digest, md, - policy, no_nonce, cert); - /* Saving the random number generator state. */ - } - if (query == NULL) goto end; - - /* Write query either in ASN.1 or in text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) - goto end; - if (text) - { - /* Text output. */ - if (!TS_REQ_print_bio(out_bio, query)) - goto end; - } - else - { - /* ASN.1 output. */ - if (!i2d_TS_REQ_bio(out_bio, query)) - goto end; - } - - ret = 1; - - end: - ERR_print_errors(bio_err); - - /* Clean up. */ - BIO_free_all(in_bio); - BIO_free_all(data_bio); - BIO_free_all(out_bio); - TS_REQ_free(query); - - return ret; - } - -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp) - { - return file == NULL ? - BIO_new_fp(default_fp, BIO_NOCLOSE) - : BIO_new_file(file, mode); - } - -static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, - const char *policy, int no_nonce, int cert) - { - int ret = 0; - TS_REQ *ts_req = NULL; - int len; - TS_MSG_IMPRINT *msg_imprint = NULL; - X509_ALGOR *algo = NULL; - unsigned char *data = NULL; - ASN1_OBJECT *policy_obj = NULL; - ASN1_INTEGER *nonce_asn1 = NULL; - - /* Setting default message digest. */ - if (!md && !(md = EVP_get_digestbyname("sha1"))) goto err; - - /* Creating request object. */ - if (!(ts_req = TS_REQ_new())) goto err; - - /* Setting version. */ - if (!TS_REQ_set_version(ts_req, 1)) goto err; - - /* Creating and adding MSG_IMPRINT object. */ - if (!(msg_imprint = TS_MSG_IMPRINT_new())) goto err; - - /* Adding algorithm. */ - if (!(algo = X509_ALGOR_new())) goto err; - if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md)))) goto err; - if (!(algo->parameter = ASN1_TYPE_new())) goto err; - algo->parameter->type = V_ASN1_NULL; - if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) goto err; - - /* Adding message digest. */ - if ((len = create_digest(data_bio, digest, md, &data)) == 0) - goto err; - if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len)) goto err; - - if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) goto err; - - /* Setting policy if requested. */ - if (policy && !(policy_obj = txt2obj(policy))) goto err; - if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) goto err; - - /* Setting nonce if requested. */ - if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH))) goto err; - if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) goto err; - - /* Setting certificate request flag if requested. */ - if (!TS_REQ_set_cert_req(ts_req, cert)) goto err; - - ret = 1; - err: - if (!ret) - { - TS_REQ_free(ts_req); - ts_req = NULL; - BIO_printf(bio_err, "could not create query\n"); - } - TS_MSG_IMPRINT_free(msg_imprint); - X509_ALGOR_free(algo); - OPENSSL_free(data); - ASN1_OBJECT_free(policy_obj); - ASN1_INTEGER_free(nonce_asn1); - return ts_req; - } - -static int create_digest(BIO *input, char *digest, const EVP_MD *md, - unsigned char **md_value) - { - int md_value_len; - - md_value_len = EVP_MD_size(md); - if (md_value_len < 0) - goto err; - if (input) - { - /* Digest must be computed from an input file. */ - EVP_MD_CTX md_ctx; - unsigned char buffer[4096]; - int length; - - *md_value = OPENSSL_malloc(md_value_len); - if (*md_value == 0) goto err; - - EVP_DigestInit(&md_ctx, md); - while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) - { - EVP_DigestUpdate(&md_ctx, buffer, length); - } - EVP_DigestFinal(&md_ctx, *md_value, NULL); - } - else - { - /* Digest bytes are specified with digest. */ - long digest_len; - *md_value = string_to_hex(digest, &digest_len); - if (!*md_value || md_value_len != digest_len) - { - OPENSSL_free(*md_value); - *md_value = NULL; - BIO_printf(bio_err, "bad digest, %d bytes " - "must be specified\n", md_value_len); - goto err; - } - } - - return md_value_len; - err: - return 0; - } - -static ASN1_INTEGER *create_nonce(int bits) - { - unsigned char buf[20]; - ASN1_INTEGER *nonce = NULL; - int len = (bits - 1) / 8 + 1; - int i; - - /* Generating random byte sequence. */ - if (len > (int)sizeof(buf)) goto err; - if (!RAND_bytes(buf, len)) goto err; - - /* Find the first non-zero byte and creating ASN1_INTEGER object. */ - for (i = 0; i < len && !buf[i]; ++i); - if (!(nonce = ASN1_INTEGER_new())) goto err; - OPENSSL_free(nonce->data); - /* Allocate at least one byte. */ - nonce->length = len - i; - if (!(nonce->data = OPENSSL_malloc(nonce->length + 1))) goto err; - memcpy(nonce->data, buf + i, nonce->length); - - return nonce; - err: - BIO_printf(bio_err, "could not create nonce\n"); - ASN1_INTEGER_free(nonce); - return NULL; - } -/* - * Reply-related method definitions. - */ - -static int reply_command(CONF *conf, char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy, - char *in, int token_in, - char *out, int token_out, int text) - { - int ret = 0; - TS_RESP *response = NULL; - BIO *in_bio = NULL; - BIO *query_bio = NULL; - BIO *inkey_bio = NULL; - BIO *signer_bio = NULL; - BIO *out_bio = NULL; - - /* Build response object either from response or query. */ - if (in != NULL) - { - if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; - if (token_in) - { - /* We have a ContentInfo (PKCS7) object, add - 'granted' status info around it. */ - response = read_PKCS7(in_bio); - } - else - { - /* We have a ready-made TS_RESP object. */ - response = d2i_TS_RESP_bio(in_bio, NULL); - } - } - else - { - response = create_response(conf, section, engine, queryfile, - passin, inkey, signer, chain, - policy); - if (response) - BIO_printf(bio_err, "Response has been generated.\n"); - else - BIO_printf(bio_err, "Response is not generated.\n"); - } - if (response == NULL) goto end; - - /* Write response either in ASN.1 or text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) - goto end; - if (text) - { - /* Text output. */ - if (token_out) - { - TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); - if (!TS_TST_INFO_print_bio(out_bio, tst_info)) goto end; - } - else - { - if (!TS_RESP_print_bio(out_bio, response)) goto end; - } - } - else - { - /* ASN.1 DER output. */ - if (token_out) - { - PKCS7 *token = TS_RESP_get_token(response); - if (!i2d_PKCS7_bio(out_bio, token)) goto end; - } - else - { - if (!i2d_TS_RESP_bio(out_bio, response)) goto end; - } - } - - ret = 1; - - end: - ERR_print_errors(bio_err); - - /* Clean up. */ - BIO_free_all(in_bio); - BIO_free_all(query_bio); - BIO_free_all(inkey_bio); - BIO_free_all(signer_bio); - BIO_free_all(out_bio); - TS_RESP_free(response); - - return ret; - } - -/* Reads a PKCS7 token and adds default 'granted' status info to it. */ -static TS_RESP *read_PKCS7(BIO *in_bio) - { - int ret = 0; - PKCS7 *token = NULL; - TS_TST_INFO *tst_info = NULL; - TS_RESP *resp = NULL; - TS_STATUS_INFO *si = NULL; - - /* Read PKCS7 object and extract the signed time stamp info. */ - if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; - if (!(tst_info = PKCS7_to_TS_TST_INFO(token))) goto end; - - /* Creating response object. */ - if (!(resp = TS_RESP_new())) goto end; - - /* Create granted status info. */ - if (!(si = TS_STATUS_INFO_new())) goto end; - if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED))) goto end; - if (!TS_RESP_set_status_info(resp, si)) goto end; - - /* Setting encapsulated token. */ - TS_RESP_set_tst_info(resp, token, tst_info); - token = NULL; /* Ownership is lost. */ - tst_info = NULL; /* Ownership is lost. */ - - ret = 1; - end: - PKCS7_free(token); - TS_TST_INFO_free(tst_info); - if (!ret) - { - TS_RESP_free(resp); - resp = NULL; - } - TS_STATUS_INFO_free(si); - return resp; - } - -static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy) - { - int ret = 0; - TS_RESP *response = NULL; - BIO *query_bio = NULL; - TS_RESP_CTX *resp_ctx = NULL; - - if (!(query_bio = BIO_new_file(queryfile, "rb"))) - goto end; - - /* Getting TSA configuration section. */ - if (!(section = TS_CONF_get_tsa_section(conf, section))) - goto end; - - /* Setting up response generation context. */ - if (!(resp_ctx = TS_RESP_CTX_new())) goto end; - - /* Setting serial number provider callback. */ - if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx)) goto end; -#ifndef OPENSSL_NO_ENGINE - /* Setting default OpenSSL engine. */ - if (!TS_CONF_set_crypto_device(conf, section, engine)) goto end; -#endif - - /* Setting TSA signer certificate. */ - if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx)) goto end; - - /* Setting TSA signer certificate chain. */ - if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) goto end; - - /* Setting TSA signer private key. */ - if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) - goto end; - - /* Setting default policy OID. */ - if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; - - /* Setting acceptable policy OIDs. */ - if (!TS_CONF_set_policies(conf, section, resp_ctx)) goto end; - - /* Setting the acceptable one-way hash algorithms. */ - if (!TS_CONF_set_digests(conf, section, resp_ctx)) goto end; - - /* Setting guaranteed time stamp accuracy. */ - if (!TS_CONF_set_accuracy(conf, section, resp_ctx)) goto end; - - /* Setting the precision of the time. */ - if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx)) - goto end; - - /* Setting the ordering flaf if requested. */ - if (!TS_CONF_set_ordering(conf, section, resp_ctx)) goto end; - - /* Setting the TSA name required flag if requested. */ - if (!TS_CONF_set_tsa_name(conf, section, resp_ctx)) goto end; - - /* Setting the ESS cert id chain flag if requested. */ - if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) goto end; - - /* Creating the response. */ - if (!(response = TS_RESP_create_response(resp_ctx, query_bio))) - goto end; - - ret = 1; - end: - if (!ret) - { - TS_RESP_free(response); - response = NULL; - } - TS_RESP_CTX_free(resp_ctx); - BIO_free_all(query_bio); - - return response; - } - -static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data) - { - const char *serial_file = (const char *) data; - ASN1_INTEGER *serial = next_serial(serial_file); - - if (!serial) - { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Error during serial number " - "generation."); - TS_RESP_CTX_add_failure_info(ctx, - TS_INFO_ADD_INFO_NOT_AVAILABLE); - } - else - save_ts_serial(serial_file, serial); - - return serial; - } - -static ASN1_INTEGER *next_serial(const char *serialfile) - { - int ret = 0; - BIO *in = NULL; - ASN1_INTEGER *serial = NULL; - BIGNUM *bn = NULL; - - if (!(serial = ASN1_INTEGER_new())) goto err; - - if (!(in = BIO_new_file(serialfile, "r"))) - { - ERR_clear_error(); - BIO_printf(bio_err, "Warning: could not open file %s for " - "reading, using serial number: 1\n", serialfile); - if (!ASN1_INTEGER_set(serial, 1)) goto err; - } - else - { - char buf[1024]; - if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) - { - BIO_printf(bio_err, "unable to load number from %s\n", - serialfile); - goto err; - } - if (!(bn = ASN1_INTEGER_to_BN(serial, NULL))) goto err; - ASN1_INTEGER_free(serial); - serial = NULL; - if (!BN_add_word(bn, 1)) goto err; - if (!(serial = BN_to_ASN1_INTEGER(bn, NULL))) goto err; - } - ret = 1; - err: - if (!ret) - { - ASN1_INTEGER_free(serial); - serial = NULL; - } - BIO_free_all(in); - BN_free(bn); - return serial; - } - -static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial) - { - int ret = 0; - BIO *out = NULL; - - if (!(out = BIO_new_file(serialfile, "w"))) goto err; - if (i2a_ASN1_INTEGER(out, serial) <= 0) goto err; - if (BIO_puts(out, "\n") <= 0) goto err; - ret = 1; - err: - if (!ret) - BIO_printf(bio_err, "could not save serial number to %s\n", - serialfile); - BIO_free_all(out); - return ret; - } - -/* - * Verify-related method definitions. - */ - -static int verify_command(char *data, char *digest, char *queryfile, - char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted) - { - BIO *in_bio = NULL; - PKCS7 *token = NULL; - TS_RESP *response = NULL; - TS_VERIFY_CTX *verify_ctx = NULL; - int ret = 0; - - /* Decode the token (PKCS7) or response (TS_RESP) files. */ - if (!(in_bio = BIO_new_file(in, "rb"))) goto end; - if (token_in) - { - if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; - } - else - { - if (!(response = d2i_TS_RESP_bio(in_bio, NULL))) goto end; - } - - if (!(verify_ctx = create_verify_ctx(data, digest, queryfile, - ca_path, ca_file, untrusted))) - goto end; - - /* Checking the token or response against the request. */ - ret = token_in ? - TS_RESP_verify_token(verify_ctx, token) : - TS_RESP_verify_response(verify_ctx, response); - - end: - printf("Verification: "); - if (ret) - printf("OK\n"); - else - { - printf("FAILED\n"); - /* Print errors, if there are any. */ - ERR_print_errors(bio_err); - } - - /* Clean up. */ - BIO_free_all(in_bio); - PKCS7_free(token); - TS_RESP_free(response); - TS_VERIFY_CTX_free(verify_ctx); - return ret; - } - -static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, - char *queryfile, - char *ca_path, char *ca_file, - char *untrusted) - { - TS_VERIFY_CTX *ctx = NULL; - BIO *input = NULL; - TS_REQ *request = NULL; - int ret = 0; - - if (data != NULL || digest != NULL) - { - if (!(ctx = TS_VERIFY_CTX_new())) goto err; - ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; - if (data != NULL) - { - ctx->flags |= TS_VFY_DATA; - if (!(ctx->data = BIO_new_file(data, "rb"))) goto err; - } - else if (digest != NULL) - { - long imprint_len; - ctx->flags |= TS_VFY_IMPRINT; - if (!(ctx->imprint = string_to_hex(digest, - &imprint_len))) - { - BIO_printf(bio_err, "invalid digest string\n"); - goto err; - } - ctx->imprint_len = imprint_len; - } - - } - else if (queryfile != NULL) - { - /* The request has just to be read, decoded and converted to - a verify context object. */ - if (!(input = BIO_new_file(queryfile, "rb"))) goto err; - if (!(request = d2i_TS_REQ_bio(input, NULL))) goto err; - if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL))) goto err; - } - else - return NULL; - - /* Add the signature verification flag and arguments. */ - ctx->flags |= TS_VFY_SIGNATURE; - - /* Initialising the X509_STORE object. */ - if (!(ctx->store = create_cert_store(ca_path, ca_file))) goto err; - - /* Loading untrusted certificates. */ - if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted))) - goto err; - - ret = 1; - err: - if (!ret) - { - TS_VERIFY_CTX_free(ctx); - ctx = NULL; - } - BIO_free_all(input); - TS_REQ_free(request); - return ctx; - } - -static X509_STORE *create_cert_store(char *ca_path, char *ca_file) - { - X509_STORE *cert_ctx = NULL; - X509_LOOKUP *lookup = NULL; - int i; - - /* Creating the X509_STORE object. */ - cert_ctx = X509_STORE_new(); - - /* Setting the callback for certificate chain verification. */ - X509_STORE_set_verify_cb_func(cert_ctx, verify_cb); - - /* Adding a trusted certificate directory source. */ - if (ca_path) - { - lookup = X509_STORE_add_lookup(cert_ctx, - X509_LOOKUP_hash_dir()); - if (lookup == NULL) - { - BIO_printf(bio_err, "memory allocation failure\n"); - goto err; - } - i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM); - if (!i) - { - BIO_printf(bio_err, "Error loading directory %s\n", - ca_path); - goto err; - } - } - - /* Adding a trusted certificate file source. */ - if (ca_file) - { - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); - if (lookup == NULL) - { - BIO_printf(bio_err, "memory allocation failure\n"); - goto err; - } - i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM); - if (!i) - { - BIO_printf(bio_err, "Error loading file %s\n", ca_file); - goto err; - } - } - - return cert_ctx; - err: - X509_STORE_free(cert_ctx); - return NULL; - } - -static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx) - { - /* - char buf[256]; - - if (!ok) - { - X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), - buf, sizeof(buf)); - printf("%s\n", buf); - printf("error %d at %d depth lookup: %s\n", - ctx->error, ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - } - */ - - return ok; - } diff --git a/apps/tsget b/apps/tsget deleted file mode 100644 index ddae803..0000000 --- a/apps/tsget +++ /dev/null @@ -1,195 +0,0 @@ -#!/usr/bin/perl -w -# Written by Zoltan Glozik <zglozik@stones.com>. -# Copyright (c) 2002 The OpenTSA Project. All rights reserved. -$::version = '$Id: tsget,v 1.1 2006/02/12 23:11:21 ulf Exp $'; - -use strict; -use IO::Handle; -use Getopt::Std; -use File::Basename; -use WWW::Curl::easy; - -use vars qw(%options); - -# Callback for reading the body. -sub read_body { - my ($maxlength, $state) = @_; - my $return_data = ""; - my $data_len = length ${$state->{data}}; - if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; - } - return $return_data; -} - -# Callback for writing the body into a variable. -sub write_body { - my ($data, $pointer) = @_; - ${$pointer} .= $data; - return length($data); -} - -# Initialise a new Curl object. -sub create_curl { - my $url = shift; - - # Create Curl object. - my $curl = WWW::Curl::easy::new(); - - # Error-handling related options. - $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; - $curl->setopt(CURLOPT_FAILONERROR, 1); - $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]); - - # Options for POST method. - $curl->setopt(CURLOPT_UPLOAD, 1); - $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); - $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply"]); - $curl->setopt(CURLOPT_READFUNCTION, \&read_body); - $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); - - # Options for getting the result. - $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); - - # SSL related options. - $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. - $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); - $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); - $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); - $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); - $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); - $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); - $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); - - # Setting destination. - $curl->setopt(CURLOPT_URL, $url); - - return $curl; -} - -# Send a request and returns the body back. -sub get_timestamp { - my $curl = shift; - my $body = shift; - my $ts_body; - local $::error_buf; - - # Error-handling related options. - $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); - - # Options for POST method. - $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); - $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); - - # Options for getting the result. - $curl->setopt(CURLOPT_FILE, \$ts_body); - - # Send the request... - my $error_code = $curl->perform(); - my $error_string; - if ($error_code != 0) { - my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); - } else { - my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply") { - $error_string = "unexpected content type returned: $ct"; - } - } - return ($ts_body, $error_string); - -} - -# Print usage information and exists. -sub usage { - - print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] "; - print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] "; - print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] "; - print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n"; - exit 1; -} - -# ---------------------------------------------------------------------- -# Main program -# ---------------------------------------------------------------------- - -# Getting command-line options (default comes from TSGET environment variable). -my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; -if (exists $ENV{TSGET}) { - my @old_argv = @ARGV; - @ARGV = split /\s+/, $ENV{TSGET}; - getopts($getopt_arg, \%options) or usage; - @ARGV = @old_argv; -} -getopts($getopt_arg, \%options) or usage; - -# Checking argument consistency. -if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) - || (@ARGV > 1 && exists($options{o}))) { - print STDERR "Inconsistent command line options.\n"; - usage; -} -# Setting defaults. -@ARGV = ("-") unless @ARGV != 0; -$options{e} = ".tsr" unless defined($options{e}); - -# Processing requests. -my $curl = create_curl $options{h}; -undef $/; # For reading whole files. -REQUEST: foreach (@ARGV) { - my $input = $_; - my ($base, $path) = fileparse($input, '\.[^.]*'); - my $output_base = $base . $options{e}; - my $output = defined($options{o}) ? $options{o} : $path . $output_base; - - STDERR->printflush("$input: ") if $options{v}; - # Read request. - my $body; - if ($input eq "-") { - # Read the request from STDIN; - $body = <STDIN>; - } else { - # Read the request from file. - open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; - $body = <INPUT>; - close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; - } - - # Send request. - STDERR->printflush("sending request") if $options{v}; - - my ($ts_body, $error) = get_timestamp $curl, \$body; - if (defined($error)) { - die "$input: fatal error: $error\n"; - } - STDERR->printflush(", reply received") if $options{v}; - - # Write response. - if ($output eq "-") { - # Write to STDOUT. - print $ts_body; - } else { - # Write to file. - open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; - print OUTPUT $ts_body; - close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; - } - STDERR->printflush(", $output written.\n") if $options{v}; -} -$curl->cleanup(); -WWW::Curl::easy::global_cleanup(); diff --git a/apps/x509.c b/apps/x509.c index 6debce4..b25508a 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1151,6 +1151,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; |