diff options
author | jkim <jkim@FreeBSD.org> | 2012-07-12 19:30:53 +0000 |
---|---|---|
committer | jkim <jkim@FreeBSD.org> | 2012-07-12 19:30:53 +0000 |
commit | e393e47b1e23744a7d0ed999afb5d137070f5f8f (patch) | |
tree | 9739a803477c4610ec6628d914bdcc55fbb3602a /crypto/openssl/apps | |
parent | a8b00dea2cde4c3d96e6ed1de530ddff21012266 (diff) | |
parent | 532b4084cb8cac5e6d91d42aa6a497dd4ba4a4f5 (diff) | |
download | FreeBSD-src-e393e47b1e23744a7d0ed999afb5d137070f5f8f.zip FreeBSD-src-e393e47b1e23744a7d0ed999afb5d137070f5f8f.tar.gz |
Merge OpenSSL 1.0.1c.
Approved by: benl (maintainer)
Diffstat (limited to 'crypto/openssl/apps')
57 files changed, 8538 insertions, 3271 deletions
diff --git a/crypto/openssl/apps/Makefile b/crypto/openssl/apps/Makefile index e33ad2b..95f499e 100644 --- a/crypto/openssl/apps/Makefile +++ b/crypto/openssl/apps/Makefile @@ -31,15 +31,15 @@ LIBSSL=-L.. -lssl PROGRAM= openssl -SCRIPTS=CA.sh CA.pl +SCRIPTS=CA.sh CA.pl tsget EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam ec ecparam \ - x509 genrsa gendsa s_server s_client speed \ + x509 genrsa gendsa genpkey s_server s_client speed \ s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \ - pkcs8 spkac smime rand engine ocsp prime + pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts srp PROGS= $(PROGRAM).c @@ -53,18 +53,18 @@ RAND_SRC=app_rand.c E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \ ca.o pkcs7.o crl2p7.o crl.o \ rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \ - x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ + x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \ s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ - ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \ - ocsp.o prime.o cms.o + ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \ + spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \ pkcs7.c crl2p7.c crl.c \ rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \ - x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ + x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \ s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ - ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \ - ocsp.c prime.c cms.c + ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \ + spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c srp.c SRC=$(E_SRC) @@ -137,9 +137,10 @@ depend: dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) + rm -f CA.pl clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) + rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) rm -f req $(DLIBSSL): @@ -153,19 +154,14 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ + FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ - [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} - @if [ -z "$(CROSS_COMPILE)" ]; then \ - (cd ..; \ - OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ - $(PERL) tools/c_rehash certs) \ - fi + @(cd ..; $(MAKE) rehash) progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h @@ -176,9 +172,9 @@ progs.h: progs.pl app_rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -app_rand.o: ../include/openssl/engine.h ../include/openssl/evp.h -app_rand.o: ../include/openssl/fips.h ../include/openssl/lhash.h +app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h app_rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -192,9 +188,9 @@ apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -apps.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -apps.o: ../include/openssl/err.h ../include/openssl/evp.h -apps.o: ../include/openssl/fips.h ../include/openssl/lhash.h +apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +apps.o: ../include/openssl/engine.h ../include/openssl/err.h +apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -208,9 +204,9 @@ apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -asn1pars.o: ../include/openssl/engine.h ../include/openssl/err.h -asn1pars.o: ../include/openssl/evp.h ../include/openssl/fips.h +asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h asn1pars.o: ../include/openssl/objects.h ../include/openssl/ocsp.h asn1pars.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -225,9 +221,9 @@ ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ca.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -ca.o: ../include/openssl/err.h ../include/openssl/evp.h -ca.o: ../include/openssl/fips.h ../include/openssl/lhash.h +ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ca.o: ../include/openssl/engine.h ../include/openssl/err.h +ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -238,36 +234,37 @@ ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ca.o: ../include/openssl/x509v3.h apps.h ca.c ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h -ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h +ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +ciphers.o: ../include/openssl/ec.h ../include/openssl/ecdh.h ciphers.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h -ciphers.o: ../include/openssl/fips.h ../include/openssl/hmac.h -ciphers.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ciphers.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +ciphers.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -ciphers.o: ciphers.c +ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h +ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -cms.o: ../include/openssl/buffer.h ../include/openssl/conf.h -cms.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -cms.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -cms.o: ../include/openssl/engine.h ../include/openssl/evp.h -cms.o: ../include/openssl/fips.h ../include/openssl/lhash.h +cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h +cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h +cms.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +cms.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +cms.o: ../include/openssl/engine.h ../include/openssl/err.h +cms.o: ../include/openssl/evp.h ../include/openssl/lhash.h cms.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h cms.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h cms.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +cms.o: ../include/openssl/pem.h ../include/openssl/pem2.h cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h cms.o: ../include/openssl/sha.h ../include/openssl/stack.h cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h @@ -276,9 +273,9 @@ cms.o: ../include/openssl/x509v3.h apps.h cms.c crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -crl.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -crl.o: ../include/openssl/engine.h ../include/openssl/err.h -crl.o: ../include/openssl/evp.h ../include/openssl/fips.h +crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +crl.o: ../include/openssl/err.h ../include/openssl/evp.h crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h crl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h crl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -291,9 +288,9 @@ crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -crl2p7.o: ../include/openssl/engine.h ../include/openssl/err.h -crl2p7.o: ../include/openssl/evp.h ../include/openssl/fips.h +crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h crl2p7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h crl2p7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -307,9 +304,9 @@ crl2p7.o: crl2p7.c dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -dgst.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -dgst.o: ../include/openssl/engine.h ../include/openssl/err.h -dgst.o: ../include/openssl/evp.h ../include/openssl/fips.h +dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +dgst.o: ../include/openssl/err.h ../include/openssl/evp.h dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h dgst.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h @@ -324,9 +321,9 @@ dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h -dh.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -dh.o: ../include/openssl/engine.h ../include/openssl/err.h -dh.o: ../include/openssl/evp.h ../include/openssl/fips.h +dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +dh.o: ../include/openssl/err.h ../include/openssl/evp.h dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h dh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -340,9 +337,9 @@ dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -dsa.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -dsa.o: ../include/openssl/engine.h ../include/openssl/err.h -dsa.o: ../include/openssl/evp.h ../include/openssl/fips.h +dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +dsa.o: ../include/openssl/err.h ../include/openssl/evp.h dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h dsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -357,9 +354,9 @@ dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -dsaparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h -dsaparam.o: ../include/openssl/fips.h ../include/openssl/lhash.h +dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h +dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -367,16 +364,16 @@ dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h -dsaparam.o: ../include/openssl/store.h ../include/openssl/symhacks.h -dsaparam.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dsaparam.o: ../include/openssl/x509v3.h apps.h dsaparam.c +dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h +dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +dsaparam.o: dsaparam.c ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -ec.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -ec.o: ../include/openssl/engine.h ../include/openssl/err.h -ec.o: ../include/openssl/evp.h ../include/openssl/fips.h +ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +ec.o: ../include/openssl/err.h ../include/openssl/evp.h ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ec.o: ../include/openssl/objects.h ../include/openssl/ocsp.h ec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -390,9 +387,9 @@ ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ecparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -ecparam.o: ../include/openssl/err.h ../include/openssl/evp.h -ecparam.o: ../include/openssl/fips.h ../include/openssl/lhash.h +ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h +ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ecparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h ecparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -403,73 +400,71 @@ ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -enc.o: ../include/openssl/buffer.h ../include/openssl/conf.h -enc.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -enc.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h +enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h +enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h enc.o: ../include/openssl/engine.h ../include/openssl/err.h -enc.o: ../include/openssl/evp.h ../include/openssl/fips.h -enc.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -enc.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -enc.o: ../include/openssl/rand.h ../include/openssl/safestack.h -enc.o: ../include/openssl/sha.h ../include/openssl/stack.h -enc.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -enc.o: ../include/openssl/x509v3.h apps.h enc.c +enc.o: ../include/openssl/evp.h ../include/openssl/lhash.h +enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h +enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h +enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h -engine.o: ../include/openssl/comp.h ../include/openssl/conf.h -engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h +engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h +engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +engine.o: ../include/openssl/ec.h ../include/openssl/ecdh.h engine.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h engine.o: ../include/openssl/err.h ../include/openssl/evp.h -engine.o: ../include/openssl/fips.h ../include/openssl/hmac.h -engine.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -engine.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -engine.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h -engine.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +engine.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h -engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -engine.o: engine.c +engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h +engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +engine.o: ../include/openssl/x509v3.h apps.h engine.c errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h -errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h +errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h +errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +errstr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h errstr.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h errstr.o: ../include/openssl/err.h ../include/openssl/evp.h -errstr.o: ../include/openssl/fips.h ../include/openssl/hmac.h -errstr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -errstr.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h -errstr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +errstr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h -errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -errstr.o: errstr.c +errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h +errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +errstr.o: ../include/openssl/x509v3.h apps.h errstr.c gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -gendh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -gendh.o: ../include/openssl/err.h ../include/openssl/evp.h -gendh.o: ../include/openssl/fips.h ../include/openssl/lhash.h +gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +gendh.o: ../include/openssl/engine.h ../include/openssl/err.h +gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -477,17 +472,17 @@ gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h -gendh.o: ../include/openssl/store.h ../include/openssl/symhacks.h -gendh.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -gendh.o: ../include/openssl/x509v3.h apps.h gendh.c +gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h +gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +gendh.o: gendh.c gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -gendsa.o: ../include/openssl/engine.h ../include/openssl/err.h -gendsa.o: ../include/openssl/evp.h ../include/openssl/fips.h +gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h gendsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -498,14 +493,30 @@ gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h gendsa.o: gendsa.c +genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +genpkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +genpkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +genpkey.o: ../include/openssl/err.h ../include/openssl/evp.h +genpkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +genpkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +genpkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +genpkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +genpkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +genpkey.o: genpkey.c genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -genrsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -genrsa.o: ../include/openssl/err.h ../include/openssl/evp.h -genrsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h +genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h +genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h genrsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -513,16 +524,16 @@ genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -genrsa.o: ../include/openssl/store.h ../include/openssl/symhacks.h -genrsa.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c +genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h +genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +genrsa.o: genrsa.c nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -nseq.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -nseq.o: ../include/openssl/engine.h ../include/openssl/err.h -nseq.o: ../include/openssl/evp.h ../include/openssl/fips.h +nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +nseq.o: ../include/openssl/err.h ../include/openssl/evp.h nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h nseq.o: ../include/openssl/objects.h ../include/openssl/ocsp.h nseq.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -537,51 +548,50 @@ ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ocsp.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -ocsp.o: ../include/openssl/err.h ../include/openssl/evp.h -ocsp.o: ../include/openssl/fips.h ../include/openssl/hmac.h +ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h +ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h ocsp.o: ../include/openssl/kssl.h ../include/openssl/lhash.h ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -ocsp.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -ocsp.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h -openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h -openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h +openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h +openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +openssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h openssl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h openssl.o: ../include/openssl/err.h ../include/openssl/evp.h -openssl.o: ../include/openssl/fips.h ../include/openssl/hmac.h -openssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -openssl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -openssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +openssl.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h -openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -openssl.o: openssl.c progs.h s_apps.h +openssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h +openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h -passwd.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -passwd.o: ../include/openssl/engine.h ../include/openssl/err.h -passwd.o: ../include/openssl/evp.h ../include/openssl/fips.h +passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +passwd.o: ../include/openssl/err.h ../include/openssl/evp.h passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h passwd.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h @@ -596,9 +606,9 @@ passwd.o: passwd.c pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -pkcs12.o: ../include/openssl/engine.h ../include/openssl/err.h -pkcs12.o: ../include/openssl/evp.h ../include/openssl/fips.h +pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkcs12.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h pkcs12.o: ../include/openssl/objects.h ../include/openssl/ocsp.h pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -612,9 +622,9 @@ pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -pkcs7.o: ../include/openssl/engine.h ../include/openssl/err.h -pkcs7.o: ../include/openssl/evp.h ../include/openssl/fips.h +pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h pkcs7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -628,9 +638,9 @@ pkcs7.o: pkcs7.c pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -pkcs8.o: ../include/openssl/engine.h ../include/openssl/err.h -pkcs8.o: ../include/openssl/evp.h ../include/openssl/fips.h +pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h pkcs8.o: ../include/openssl/objects.h ../include/openssl/ocsp.h pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -641,12 +651,59 @@ pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c +pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkey.o: ../include/openssl/err.h ../include/openssl/evp.h +pkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c +pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyparam.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyparam.o: pkeyparam.c +pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyutl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyutl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyutl.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyutl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyutl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyutl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyutl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyutl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyutl.o: pkeyutl.c prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -prime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -prime.o: ../include/openssl/evp.h ../include/openssl/fips.h +prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +prime.o: ../include/openssl/engine.h ../include/openssl/evp.h prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h prime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h prime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -659,9 +716,9 @@ prime.o: prime.c rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -rand.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -rand.o: ../include/openssl/engine.h ../include/openssl/err.h -rand.o: ../include/openssl/evp.h ../include/openssl/fips.h +rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +rand.o: ../include/openssl/err.h ../include/openssl/evp.h rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -676,9 +733,9 @@ req.o: ../include/openssl/bn.h ../include/openssl/buffer.h req.o: ../include/openssl/conf.h ../include/openssl/crypto.h req.o: ../include/openssl/dh.h ../include/openssl/dsa.h req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -req.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -req.o: ../include/openssl/err.h ../include/openssl/evp.h -req.o: ../include/openssl/fips.h ../include/openssl/lhash.h +req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +req.o: ../include/openssl/engine.h ../include/openssl/err.h +req.o: ../include/openssl/evp.h ../include/openssl/lhash.h req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -686,17 +743,16 @@ req.o: ../include/openssl/pem.h ../include/openssl/pem2.h req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h req.o: ../include/openssl/sha.h ../include/openssl/stack.h -req.o: ../include/openssl/store.h ../include/openssl/symhacks.h -req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -req.o: ../include/openssl/x509v3.h apps.h req.c +req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +req.o: ../include/openssl/ui.h ../include/openssl/x509.h +req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -rsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -rsa.o: ../include/openssl/err.h ../include/openssl/evp.h -rsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h +rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +rsa.o: ../include/openssl/engine.h ../include/openssl/err.h +rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h rsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -709,9 +765,9 @@ rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rsa.c rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -rsautl.o: ../include/openssl/engine.h ../include/openssl/err.h -rsautl.o: ../include/openssl/evp.h ../include/openssl/fips.h +rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h rsautl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -723,146 +779,144 @@ rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h -s_cb.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_cb.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_cb.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +s_cb.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c +s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_cb.o: s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_client.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -s_client.o: ../include/openssl/err.h ../include/openssl/evp.h -s_client.o: ../include/openssl/fips.h ../include/openssl/hmac.h +s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s_client.o: ../include/openssl/engine.h ../include/openssl/err.h +s_client.o: ../include/openssl/evp.h ../include/openssl/hmac.h s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s_client.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_client.o: ../include/openssl/x509v3.h apps.h s_apps.h s_client.c timeouts.h +s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h +s_client.o: ../include/openssl/sha.h ../include/openssl/srp.h +s_client.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_client.o: s_apps.h s_client.c timeouts.h s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h s_server.o: ../include/openssl/crypto.h ../include/openssl/dh.h s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_server.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -s_server.o: ../include/openssl/err.h ../include/openssl/evp.h -s_server.o: ../include/openssl/fips.h ../include/openssl/hmac.h +s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s_server.o: ../include/openssl/engine.h ../include/openssl/err.h +s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_server.o: ../include/openssl/store.h ../include/openssl/symhacks.h +s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h +s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h s_server.o: s_apps.h s_server.c timeouts.h s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h -s_socket.o: ../include/openssl/bio.h ../include/openssl/bn.h -s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h -s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h +s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h +s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h +s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h +s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h -s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_socket.o: s_apps.h s_socket.c +s_socket.o: ../include/openssl/sha.h ../include/openssl/srtp.h +s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_time.o: ../include/openssl/ec.h ../include/openssl/ecdh.h s_time.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h s_time.o: ../include/openssl/err.h ../include/openssl/evp.h -s_time.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_time.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_time.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_time.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +s_time.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_time.o: s_apps.h s_time.c +s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h +s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h -sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h -sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h +sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h +sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +sess_id.o: ../include/openssl/ec.h ../include/openssl/ecdh.h sess_id.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h -sess_id.o: ../include/openssl/fips.h ../include/openssl/hmac.h -sess_id.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -sess_id.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h -sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +sess_id.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h -sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -sess_id.o: sess_id.c +sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h +sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -smime.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -smime.o: ../include/openssl/engine.h ../include/openssl/err.h -smime.o: ../include/openssl/evp.h ../include/openssl/fips.h +smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +smime.o: ../include/openssl/err.h ../include/openssl/evp.h smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h smime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -876,33 +930,35 @@ smime.o: smime.c speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h -speed.o: ../include/openssl/cast.h ../include/openssl/conf.h -speed.o: ../include/openssl/crypto.h ../include/openssl/des.h -speed.o: ../include/openssl/des_old.h ../include/openssl/dsa.h -speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +speed.o: ../include/openssl/camellia.h ../include/openssl/cast.h +speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h +speed.o: ../include/openssl/des.h ../include/openssl/des_old.h +speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +speed.o: ../include/openssl/ec.h ../include/openssl/ecdh.h speed.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h speed.o: ../include/openssl/err.h ../include/openssl/evp.h -speed.o: ../include/openssl/fips.h ../include/openssl/hmac.h -speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h -speed.o: ../include/openssl/md2.h ../include/openssl/md4.h -speed.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h +speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h +speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h +speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +speed.o: ../include/openssl/modes.h ../include/openssl/obj_mac.h speed.o: ../include/openssl/objects.h ../include/openssl/ocsp.h speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h speed.o: ../include/openssl/rc4.h ../include/openssl/ripemd.h speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -speed.o: ../include/openssl/sha.h ../include/openssl/stack.h -speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -speed.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +speed.o: ../include/openssl/seed.h ../include/openssl/sha.h +speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +speed.o: ../include/openssl/ui_compat.h ../include/openssl/whrlpool.h speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h speed.o: ../include/openssl/x509v3.h apps.h speed.c testdsa.h testrsa.h spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -spkac.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -spkac.o: ../include/openssl/engine.h ../include/openssl/err.h -spkac.o: ../include/openssl/evp.h ../include/openssl/fips.h +spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +spkac.o: ../include/openssl/err.h ../include/openssl/evp.h spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h spkac.o: ../include/openssl/objects.h ../include/openssl/ocsp.h spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -913,12 +969,45 @@ spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h spkac.o: spkac.c +srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h +srp.o: ../include/openssl/conf.h ../include/openssl/crypto.h +srp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +srp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +srp.o: ../include/openssl/engine.h ../include/openssl/err.h +srp.o: ../include/openssl/evp.h ../include/openssl/lhash.h +srp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +srp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +srp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +srp.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +srp.o: ../include/openssl/sha.h ../include/openssl/srp.h +srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +srp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +srp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h srp.c +ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ts.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ts.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +ts.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ts.o: ../include/openssl/engine.h ../include/openssl/err.h +ts.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ts.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ts.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ts.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ts.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ts.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ts.o: ../include/openssl/sha.h ../include/openssl/stack.h +ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h +ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ts.c verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -verify.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -verify.o: ../include/openssl/engine.h ../include/openssl/err.h -verify.o: ../include/openssl/evp.h ../include/openssl/fips.h +verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +verify.o: ../include/openssl/err.h ../include/openssl/evp.h verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h verify.o: ../include/openssl/objects.h ../include/openssl/ocsp.h verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h @@ -934,27 +1023,26 @@ version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h version.o: ../include/openssl/buffer.h ../include/openssl/conf.h version.o: ../include/openssl/crypto.h ../include/openssl/des.h version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h -version.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -version.o: ../include/openssl/engine.h ../include/openssl/evp.h -version.o: ../include/openssl/fips.h ../include/openssl/idea.h -version.o: ../include/openssl/lhash.h ../include/openssl/md2.h -version.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -version.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -version.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -version.o: ../include/openssl/pkcs7.h ../include/openssl/rc4.h -version.o: ../include/openssl/safestack.h ../include/openssl/sha.h -version.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -version.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -version.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -version.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -version.o: version.c +version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +version.o: ../include/openssl/evp.h ../include/openssl/idea.h +version.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +version.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h +version.o: ../include/openssl/rc4.h ../include/openssl/safestack.h +version.o: ../include/openssl/sha.h ../include/openssl/stack.h +version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +version.o: ../include/openssl/x509v3.h apps.h version.c x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -x509.o: ../include/openssl/ec.h ../include/openssl/ecdsa.h -x509.o: ../include/openssl/engine.h ../include/openssl/err.h -x509.o: ../include/openssl/evp.h ../include/openssl/fips.h +x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +x509.o: ../include/openssl/err.h ../include/openssl/evp.h x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h x509.o: ../include/openssl/objects.h ../include/openssl/ocsp.h x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index a4b77e1..4e11915 100644 --- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -109,12 +109,21 @@ * */ +#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +#define _POSIX_C_SOURCE 2 /* On VMS, you need to define this to get + the declaration of fileno(). The value + 2 is to make sure no function defined + in POSIX-2 is left undefined. */ +#endif #include <stdio.h> #include <stdlib.h> #include <string.h> +#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB) +#include <strings.h> +#endif #include <sys/types.h> -#include <sys/stat.h> #include <ctype.h> +#include <errno.h> #include <assert.h> #include <openssl/err.h> #include <openssl/x509.h> @@ -138,6 +147,11 @@ #include "apps.h" #undef NON_MAIN +#ifdef _WIN32 +static int WIN32_rename(const char *from, const char *to); +#define rename(from,to) WIN32_rename((from),(to)) +#endif + typedef struct { const char *name; unsigned long flag; @@ -166,18 +180,23 @@ int args_from_file(char *file, int *argc, char **argv[]) static char *buf=NULL; static char **arg=NULL; char *p; - struct stat stbuf; - - if (stat(file,&stbuf) < 0) return(0); fp=fopen(file,"r"); if (fp == NULL) return(0); + if (fseek(fp,0,SEEK_END)==0) + len=ftell(fp), rewind(fp); + else len=-1; + if (len<=0) + { + fclose(fp); + return(0); + } + *argc=0; *argv=NULL; - len=(unsigned int)stbuf.st_size; if (buf != NULL) OPENSSL_free(buf); buf=(char *)OPENSSL_malloc(len+1); if (buf == NULL) return(0); @@ -238,22 +257,31 @@ int args_from_file(char *file, int *argc, char **argv[]) int str2fmt(char *s) { + if (s == NULL) + return FORMAT_UNDEF; if ((*s == 'D') || (*s == 'd')) return(FORMAT_ASN1); else if ((*s == 'T') || (*s == 't')) return(FORMAT_TEXT); - else if ((*s == 'P') || (*s == 'p')) - return(FORMAT_PEM); - else if ((*s == 'N') || (*s == 'n')) - return(FORMAT_NETSCAPE); - else if ((*s == 'S') || (*s == 's')) - return(FORMAT_SMIME); + else if ((*s == 'N') || (*s == 'n')) + return(FORMAT_NETSCAPE); + else if ((*s == 'S') || (*s == 's')) + return(FORMAT_SMIME); + else if ((*s == 'M') || (*s == 'm')) + return(FORMAT_MSBLOB); else if ((*s == '1') || (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0) || (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0)) return(FORMAT_PKCS12); else if ((*s == 'E') || (*s == 'e')) return(FORMAT_ENGINE); + else if ((*s == 'P') || (*s == 'p')) + { + if (s[1] == 'V' || s[1] == 'v') + return FORMAT_PVK; + else + return(FORMAT_PEM); + } else return(FORMAT_UNDEF); } @@ -638,6 +666,15 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) BIO_printf(err, "Can't open file %s\n", arg + 5); return NULL; } +#if !defined(_WIN32) + /* + * Under _WIN32, which covers even Win64 and CE, file + * descriptors referenced by BIO_s_fd are not inherited + * by child process and therefore below is not an option. + * It could have been an option if bss_fd.c was operating + * on real Windows descriptors, such as those obtained + * with CreateFile. + */ } else if(!strncmp(arg, "fd:", 3)) { BIO *btmp; i = atoi(arg + 3); @@ -649,6 +686,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) /* Can't do BIO_gets on an fd BIO so add a buffering BIO */ btmp = BIO_new(BIO_f_buffer()); pwdbio = BIO_push(btmp, pwdbio); +#endif } else if(!strcmp(arg, "stdin")) { pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE); if(!pwdbio) { @@ -748,8 +786,6 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) { - ASN1_HEADER *ah=NULL; - BUF_MEM *buf=NULL; X509 *x=NULL; BIO *cert; @@ -761,7 +797,11 @@ X509 *load_cert(BIO *err, const char *file, int format, if (file == NULL) { +#ifdef _IONBF +# ifndef OPENSSL_NO_SETVBUF_IONBF setvbuf(stdin, NULL, _IONBF, 0); +# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */ +#endif BIO_set_fp(cert,stdin,BIO_NOCLOSE); } else @@ -779,46 +819,21 @@ X509 *load_cert(BIO *err, const char *file, int format, x=d2i_X509_bio(cert,NULL); else if (format == FORMAT_NETSCAPE) { - const unsigned char *p,*op; - int size=0,i; - - /* We sort of have to do it this way because it is sort of nice - * to read the header first and check it, then - * try to read the certificate */ - buf=BUF_MEM_new(); - for (;;) - { - if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10))) + NETSCAPE_X509 *nx; + nx=ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),cert,NULL); + if (nx == NULL) goto end; - i=BIO_read(cert,&(buf->data[size]),1024*10); - size+=i; - if (i == 0) break; - if (i < 0) - { - perror("reading certificate"); - goto end; - } - } - p=(unsigned char *)buf->data; - op=p; - /* First load the header */ - if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL) - goto end; - if ((ah->header == NULL) || (ah->header->data == NULL) || - (strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data, - ah->header->length) != 0)) + if ((strncmp(NETSCAPE_CERT_HDR,(char *)nx->header->data, + nx->header->length) != 0)) { + NETSCAPE_X509_free(nx); BIO_printf(err,"Error reading header on certificate\n"); goto end; } - /* header is ok, so now read the object */ - p=op; - ah->meth=X509_asn1_meth(); - if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL) - goto end; - x=(X509 *)ah->data; - ah->data=NULL; + x=nx->cert; + nx->cert = NULL; + NETSCAPE_X509_free(nx); } else if (format == FORMAT_PEM) x=PEM_read_bio_X509_AUX(cert,NULL, @@ -840,9 +855,7 @@ end: BIO_printf(err,"unable to load certificate\n"); ERR_print_errors(err); } - if (ah != NULL) ASN1_HEADER_free(ah); if (cert != NULL) BIO_free(cert); - if (buf != NULL) BUF_MEM_free(buf); return(x); } @@ -887,7 +900,11 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, } if (file == NULL && maybe_stdin) { +#ifdef _IONBF +# ifndef OPENSSL_NO_SETVBUF_IONBF setvbuf(stdin, NULL, _IONBF, 0); +# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */ +#endif BIO_set_fp(key,stdin,BIO_NOCLOSE); } else @@ -918,6 +935,13 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, &pkey, NULL, NULL)) goto end; } +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PrivateKey_bio(key); + else if (format == FORMAT_PVK) + pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback, + &cb_data); +#endif else { BIO_printf(err,"bad input format specified for key file\n"); @@ -967,7 +991,11 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, } if (file == NULL && maybe_stdin) { +#ifdef _IONBF +# ifndef OPENSSL_NO_SETVBUF_IONBF setvbuf(stdin, NULL, _IONBF, 0); +# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */ +#endif BIO_set_fp(key,stdin,BIO_NOCLOSE); } else @@ -982,6 +1010,37 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, { pkey=d2i_PUBKEY_bio(key, NULL); } +#ifndef OPENSSL_NO_RSA + else if (format == FORMAT_ASN1RSA) + { + RSA *rsa; + rsa = d2i_RSAPublicKey_bio(key, NULL); + if (rsa) + { + pkey = EVP_PKEY_new(); + if (pkey) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + else + pkey = NULL; + } + else if (format == FORMAT_PEMRSA) + { + RSA *rsa; + rsa = PEM_read_bio_RSAPublicKey(key, NULL, + (pem_password_cb *)password_callback, &cb_data); + if (rsa) + { + pkey = EVP_PKEY_new(); + if (pkey) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + else + pkey = NULL; + } +#endif else if (format == FORMAT_PEM) { pkey=PEM_read_bio_PUBKEY(key,NULL, @@ -991,6 +1050,10 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) pkey = load_netscape_key(err, key, file, key_descrip, format); #endif +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PublicKey_bio(key); +#endif else { BIO_printf(err,"bad input format specified for key file\n"); @@ -1049,76 +1112,122 @@ error: } #endif /* ndef OPENSSL_NO_RC4 */ -STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, - const char *pass, ENGINE *e, const char *cert_descrip) +static int load_certs_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc, + STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls) { - BIO *certs; int i; - STACK_OF(X509) *othercerts = NULL; - STACK_OF(X509_INFO) *allcerts = NULL; + BIO *bio; + STACK_OF(X509_INFO) *xis = NULL; X509_INFO *xi; PW_CB_DATA cb_data; + int rv = 0; cb_data.password = pass; cb_data.prompt_info = file; - if((certs = BIO_new(BIO_s_file())) == NULL) + if (format != FORMAT_PEM) { - ERR_print_errors(err); - goto end; + BIO_printf(err,"bad input format specified for %s\n", desc); + return 0; } if (file == NULL) - BIO_set_fp(certs,stdin,BIO_NOCLOSE); + bio = BIO_new_fp(stdin,BIO_NOCLOSE); else + bio = BIO_new_file(file, "r"); + + if (bio == NULL) { - if (BIO_read_filename(certs,file) <= 0) - { - BIO_printf(err, "Error opening %s %s\n", - cert_descrip, file); - ERR_print_errors(err); + BIO_printf(err, "Error opening %s %s\n", + desc, file ? file : "stdin"); + ERR_print_errors(err); + return 0; + } + + xis = PEM_X509_INFO_read_bio(bio, NULL, + (pem_password_cb *)password_callback, &cb_data); + + BIO_free(bio); + + if (pcerts) + { + *pcerts = sk_X509_new_null(); + if (!*pcerts) goto end; - } } - if (format == FORMAT_PEM) + if (pcrls) { - othercerts = sk_X509_new_null(); - if(!othercerts) - { - sk_X509_free(othercerts); - othercerts = NULL; + *pcrls = sk_X509_CRL_new_null(); + if (!*pcrls) goto end; + } + + for(i = 0; i < sk_X509_INFO_num(xis); i++) + { + xi = sk_X509_INFO_value (xis, i); + if (xi->x509 && pcerts) + { + if (!sk_X509_push(*pcerts, xi->x509)) + goto end; + xi->x509 = NULL; } - allcerts = PEM_X509_INFO_read_bio(certs, NULL, - (pem_password_cb *)password_callback, &cb_data); - for(i = 0; i < sk_X509_INFO_num(allcerts); i++) + if (xi->crl && pcrls) { - xi = sk_X509_INFO_value (allcerts, i); - if (xi->x509) - { - sk_X509_push(othercerts, xi->x509); - xi->x509 = NULL; - } + if (!sk_X509_CRL_push(*pcrls, xi->crl)) + goto end; + xi->crl = NULL; } - goto end; } - else { - BIO_printf(err,"bad input format specified for %s\n", - cert_descrip); - goto end; - } -end: - if (othercerts == NULL) + + if (pcerts && sk_X509_num(*pcerts) > 0) + rv = 1; + + if (pcrls && sk_X509_CRL_num(*pcrls) > 0) + rv = 1; + + end: + + if (xis) + sk_X509_INFO_pop_free(xis, X509_INFO_free); + + if (rv == 0) { - BIO_printf(err,"unable to load certificates\n"); + if (pcerts) + { + sk_X509_pop_free(*pcerts, X509_free); + *pcerts = NULL; + } + if (pcrls) + { + sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); + *pcrls = NULL; + } + BIO_printf(err,"unable to load %s\n", + pcerts ? "certificates" : "CRLs"); ERR_print_errors(err); } - if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free); - if (certs != NULL) BIO_free(certs); - return(othercerts); + return rv; } +STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc) + { + STACK_OF(X509) *certs; + if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL)) + return NULL; + return certs; + } + +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc) + { + STACK_OF(X509_CRL) *crls; + if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls)) + return NULL; + return crls; + } #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ @@ -1405,6 +1514,10 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) int load_config(BIO *err, CONF *cnf) { + static int load_config_called = 0; + if (load_config_called) + return 1; + load_config_called = 1; if (!cnf) cnf = config; if (!cnf) @@ -1438,7 +1551,7 @@ char *make_config_name() return p; } -static unsigned long index_serial_hash(const char **a) +static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) { const char *n; @@ -1447,7 +1560,7 @@ static unsigned long index_serial_hash(const char **a) return(lh_strhash(n)); } -static int index_serial_cmp(const char **a, const char **b) +static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) { const char *aa,*bb; @@ -1459,17 +1572,16 @@ static int index_serial_cmp(const char **a, const char **b) static int index_name_qual(char **a) { return(a[0][0] == 'V'); } -static unsigned long index_name_hash(const char **a) +static unsigned long index_name_hash(const OPENSSL_CSTRING *a) { return(lh_strhash(a[DB_name])); } -int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) + { return(strcmp(a[DB_name], b[DB_name])); } -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) #undef BSIZE #define BSIZE 256 @@ -1597,7 +1709,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) { char buf[5][BSIZE]; int i,j; - struct stat sb; i = strlen(serialfile) + strlen(old_suffix); j = strlen(serialfile) + strlen(new_suffix); @@ -1622,30 +1733,21 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix); #endif - if (stat(serialfile,&sb) < 0) - { - if (errno != ENOENT +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + serialfile, buf[1]); +#endif + if (rename(serialfile,buf[1]) < 0 && errno != ENOENT #ifdef ENOTDIR && errno != ENOTDIR #endif - ) - goto err; - } - else - { -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - serialfile, buf[1]); -#endif - if (rename(serialfile,buf[1]) < 0) - { + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", serialfile, buf[1]); perror("reason"); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0],serialfile); @@ -1712,10 +1814,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) goto err; } if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) - { - if (tmpdb != NULL) TXT_DB_free(tmpdb); goto err; - } #ifndef OPENSSL_SYS_VMS BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); @@ -1776,8 +1875,8 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) int index_index(CA_DB *db) { if (!TXT_DB_create_index(db->db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) + LHASH_HASH_FN(index_serial), + LHASH_COMP_FN(index_serial))) { BIO_printf(bio_err, "error creating serial number index:(%ld,%ld,%ld)\n", @@ -1787,8 +1886,8 @@ int index_index(CA_DB *db) if (db->attributes.unique_subject && !TXT_DB_create_index(db->db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) + LHASH_HASH_FN(index_name), + LHASH_COMP_FN(index_name))) { BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", db->db->error,db->db->arg1,db->db->arg2); @@ -1868,7 +1967,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf { char buf[5][BSIZE]; int i,j; - struct stat sb; i = strlen(dbfile) + strlen(old_suffix); j = strlen(dbfile) + strlen(new_suffix); @@ -1912,30 +2010,21 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix); #endif - if (stat(dbfile,&sb) < 0) - { - if (errno != ENOENT -#ifdef ENOTDIR - && errno != ENOTDIR -#endif - ) - goto err; - } - else - { #ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - dbfile, buf[1]); + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); #endif - if (rename(dbfile,buf[1]) < 0) - { + if (rename(dbfile,buf[1]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]); perror("reason"); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0],dbfile); @@ -1949,23 +2038,15 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf rename(buf[1],dbfile); goto err; } - if (stat(buf[4],&sb) < 0) - { - if (errno != ENOENT -#ifdef ENOTDIR - && errno != ENOTDIR -#endif - ) - goto err; - } - else - { #ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - buf[4],buf[3]); + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); #endif - if (rename(buf[4],buf[3]) < 0) - { + if (rename(buf[4],buf[3]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]); @@ -1974,7 +2055,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf rename(buf[1],dbfile); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2],buf[4]); @@ -2169,54 +2249,16 @@ error: return NULL; } -/* This code MUST COME AFTER anything that uses rename() */ -#ifdef OPENSSL_SYS_WIN32 -int WIN32_rename(const char *from, const char *to) - { -#ifndef OPENSSL_SYS_WINCE - /* Windows rename gives an error if 'to' exists, so delete it - * first and ignore file not found errror - */ - if((remove(to) != 0) && (errno != ENOENT)) - return -1; -#undef rename - return rename(from, to); -#else - /* convert strings to UNICODE */ - { - BOOL result = FALSE; - WCHAR* wfrom; - WCHAR* wto; - int i; - wfrom = malloc((strlen(from)+1)*2); - wto = malloc((strlen(to)+1)*2); - if (wfrom != NULL && wto != NULL) - { - for (i=0; i<(int)strlen(from)+1; i++) - wfrom[i] = (short)from[i]; - for (i=0; i<(int)strlen(to)+1; i++) - wto[i] = (short)to[i]; - result = MoveFile(wfrom, wto); - } - if (wfrom != NULL) - free(wfrom); - if (wto != NULL) - free(wto); - return result; - } -#endif - } -#endif - int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm) { ASN1_OBJECT *otmp = NULL; unsigned long flags = 0; int i; - int purpose = 0; + int purpose = 0, depth = -1; char **oldargs = *pargs; char *arg = **pargs, *argn = (*pargs)[1]; + time_t at_time = 0; if (!strcmp(arg, "-policy")) { if (!argn) @@ -2254,6 +2296,42 @@ int args_verify(char ***pargs, int *pargc, } (*pargs)++; } + else if (strcmp(arg,"-verify_depth") == 0) + { + if (!argn) + *badarg = 1; + else + { + depth = atoi(argn); + if(depth < 0) + { + BIO_printf(err, "invalid depth\n"); + *badarg = 1; + } + } + (*pargs)++; + } + else if (strcmp(arg,"-attime") == 0) + { + if (!argn) + *badarg = 1; + else + { + long timestamp; + /* interpret the -attime argument as seconds since + * Epoch */ + if (sscanf(argn, "%li", ×tamp) != 1) + { + BIO_printf(bio_err, + "Error parsing timestamp %s\n", + argn); + *badarg = 1; + } + /* on some platforms time_t may be a float */ + at_time = (time_t) timestamp; + } + (*pargs)++; + } else if (!strcmp(arg, "-ignore_critical")) flags |= X509_V_FLAG_IGNORE_CRITICAL; else if (!strcmp(arg, "-issuer_checks")) @@ -2266,8 +2344,16 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_POLICY_CHECK; else if (!strcmp(arg, "-explicit_policy")) flags |= X509_V_FLAG_EXPLICIT_POLICY; + else if (!strcmp(arg, "-inhibit_any")) + flags |= X509_V_FLAG_INHIBIT_ANY; + else if (!strcmp(arg, "-inhibit_map")) + flags |= X509_V_FLAG_INHIBIT_MAP; else if (!strcmp(arg, "-x509_strict")) flags |= X509_V_FLAG_X509_STRICT; + else if (!strcmp(arg, "-extended_crl")) + flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT; + else if (!strcmp(arg, "-use_deltas")) + flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) @@ -2297,6 +2383,12 @@ int args_verify(char ***pargs, int *pargc, if (purpose) X509_VERIFY_PARAM_set_purpose(*pm, purpose); + if (depth >= 0) + X509_VERIFY_PARAM_set_depth(*pm, depth); + + if (at_time) + X509_VERIFY_PARAM_set_time(*pm, at_time); + end: (*pargs)++; @@ -2308,6 +2400,61 @@ int args_verify(char ***pargs, int *pargc, } +/* Read whole contents of a BIO into an allocated memory buffer and + * return it. + */ + +int bio_to_mem(unsigned char **out, int maxlen, BIO *in) + { + BIO *mem; + int len, ret; + unsigned char tbuf[1024]; + mem = BIO_new(BIO_s_mem()); + if (!mem) + return -1; + for(;;) + { + if ((maxlen != -1) && maxlen < 1024) + len = maxlen; + else + len = 1024; + len = BIO_read(in, tbuf, len); + if (len <= 0) + break; + if (BIO_write(mem, tbuf, len) != len) + { + BIO_free(mem); + return -1; + } + maxlen -= len; + + if (maxlen == 0) + break; + } + ret = BIO_get_mem_data(mem, (char **)out); + BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY); + BIO_free(mem); + return ret; + } + +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) + { + int rv; + char *stmp, *vtmp = NULL; + stmp = BUF_strdup(value); + if (!stmp) + return -1; + vtmp = strchr(stmp, ':'); + if (vtmp) + { + *vtmp = 0; + vtmp++; + } + rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp); + OPENSSL_free(stmp); + return rv; + } + static void nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes) { @@ -2349,7 +2496,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) BIO_free(out); } -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) static JPAKE_CTX *jpake_init(const char *us, const char *them, const char *secret) @@ -2532,17 +2679,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret) jpake_send_step3a(bconn, ctx); jpake_receive_step3b(ctx, bconn); - /* - * The problem is that you must use the derived key in the - * session key or you are subject to man-in-the-middle - * attacks. - */ - BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" - " be MitMed. See the version in HEAD for how to do it" - " properly)\n"); + BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); BIO_free(bconn); + + JPAKE_CTX_free(ctx); } void jpake_server_auth(BIO *out, BIO *conn, const char *secret) @@ -2564,17 +2708,384 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) jpake_receive_step3a(ctx, bconn); jpake_send_step3b(bconn, ctx); - /* - * The problem is that you must use the derived key in the - * session key or you are subject to man-in-the-middle - * attacks. - */ - BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" - " be MitMed. See the version in HEAD for how to do it" - " properly)\n"); + BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); BIO_free(bconn); + + JPAKE_CTX_free(ctx); + } + +#endif + +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +/* next_protos_parse parses a comma separated list of strings into a string + * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. + * outlen: (output) set to the length of the resulting buffer on success. + * err: (maybe NULL) on failure, an error message line is written to this BIO. + * in: a NUL termianted string like "abc,def,ghi" + * + * returns: a malloced buffer or NULL on failure. + */ +unsigned char *next_protos_parse(unsigned short *outlen, const char *in) + { + size_t len; + unsigned char *out; + size_t i, start = 0; + + len = strlen(in); + if (len >= 65535) + return NULL; + + out = OPENSSL_malloc(strlen(in) + 1); + if (!out) + return NULL; + + for (i = 0; i <= len; ++i) + { + if (i == len || in[i] == ',') + { + if (i - start > 255) + { + OPENSSL_free(out); + return NULL; + } + out[start] = i - start; + start = i + 1; + } + else + out[i+1] = in[i]; + } + + *outlen = len + 1; + return out; + } +#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ + +/* + * Platform-specific sections + */ +#if defined(_WIN32) +# ifdef fileno +# undef fileno +# define fileno(a) (int)_fileno(a) +# endif + +# include <windows.h> +# include <tchar.h> + +static int WIN32_rename(const char *from, const char *to) + { + TCHAR *tfrom=NULL,*tto; + DWORD err; + int ret=0; + + if (sizeof(TCHAR) == 1) + { + tfrom = (TCHAR *)from; + tto = (TCHAR *)to; + } + else /* UNICODE path */ + { + size_t i,flen=strlen(from)+1,tlen=strlen(to)+1; + tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen)); + if (tfrom==NULL) goto err; + tto=tfrom+flen; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen)) +#endif + for (i=0;i<flen;i++) tfrom[i]=(TCHAR)from[i]; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,to, tlen,(WCHAR *)tto, tlen)) +#endif + for (i=0;i<tlen;i++) tto[i] =(TCHAR)to[i]; + } + + if (MoveFile(tfrom,tto)) goto ok; + err=GetLastError(); + if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS) + { + if (DeleteFile(tto) && MoveFile(tfrom,tto)) + goto ok; + err=GetLastError(); + } + if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND) + errno = ENOENT; + else if (err==ERROR_ACCESS_DENIED) + errno = EACCES; + else + errno = EINVAL; /* we could map more codes... */ +err: + ret=-1; +ok: + if (tfrom!=NULL && tfrom!=(TCHAR *)from) free(tfrom); + return ret; + } +#endif + +/* app_tminterval section */ +#if defined(_WIN32) +double app_tminterval(int stop,int usertime) + { + FILETIME now; + double ret=0; + static ULARGE_INTEGER tmstart; + static int warning=1; +#ifdef _WIN32_WINNT + static HANDLE proc=NULL; + + if (proc==NULL) + { + if (GetVersion() < 0x80000000) + proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE, + GetCurrentProcessId()); + if (proc==NULL) proc = (HANDLE)-1; + } + + if (usertime && proc!=(HANDLE)-1) + { + FILETIME junk; + GetProcessTimes(proc,&junk,&junk,&junk,&now); + } + else +#endif + { + SYSTEMTIME systime; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + GetSystemTime(&systime); + SystemTimeToFileTime(&systime,&now); + } + + if (stop==TM_START) + { + tmstart.u.LowPart = now.dwLowDateTime; + tmstart.u.HighPart = now.dwHighDateTime; + } + else { + ULARGE_INTEGER tmstop; + + tmstop.u.LowPart = now.dwLowDateTime; + tmstop.u.HighPart = now.dwHighDateTime; + + ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7; + } + + return (ret); + } + +#elif defined(OPENSSL_SYS_NETWARE) +#include <time.h> + +double app_tminterval(int stop,int usertime) + { + double ret=0; + static clock_t tmstart; + static int warning=1; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + + if (stop==TM_START) tmstart = clock(); + else ret = (clock()-tmstart)/(double)CLOCKS_PER_SEC; + + return (ret); + } + +#elif defined(OPENSSL_SYSTEM_VXWORKS) +#include <time.h> + +double app_tminterval(int stop,int usertime) + { + double ret=0; +#ifdef CLOCK_REALTIME + static struct timespec tmstart; + struct timespec now; +#else + static unsigned long tmstart; + unsigned long now; +#endif + static int warning=1; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + +#ifdef CLOCK_REALTIME + clock_gettime(CLOCK_REALTIME,&now); + if (stop==TM_START) tmstart = now; + else ret = ( (now.tv_sec+now.tv_nsec*1e-9) + - (tmstart.tv_sec+tmstart.tv_nsec*1e-9) ); +#else + now = tickGet(); + if (stop==TM_START) tmstart = now; + else ret = (now - tmstart)/(double)sysClkRateGet(); +#endif + return (ret); + } + +#elif defined(OPENSSL_SYSTEM_VMS) +#include <time.h> +#include <times.h> + +double app_tminterval(int stop,int usertime) + { + static clock_t tmstart; + double ret = 0; + clock_t now; +#ifdef __TMS + struct tms rus; + + now = times(&rus); + if (usertime) now = rus.tms_utime; +#else + if (usertime) + now = clock(); /* sum of user and kernel times */ + else { + struct timeval tv; + gettimeofday(&tv,NULL); + now = (clock_t)( + (unsigned long long)tv.tv_sec*CLK_TCK + + (unsigned long long)tv.tv_usec*(1000000/CLK_TCK) + ); + } +#endif + if (stop==TM_START) tmstart = now; + else ret = (now - tmstart)/(double)(CLK_TCK); + + return (ret); + } + +#elif defined(_SC_CLK_TCK) /* by means of unistd.h */ +#include <sys/times.h> + +double app_tminterval(int stop,int usertime) + { + double ret = 0; + struct tms rus; + clock_t now = times(&rus); + static clock_t tmstart; + + if (usertime) now = rus.tms_utime; + + if (stop==TM_START) tmstart = now; + else + { + long int tck = sysconf(_SC_CLK_TCK); + ret = (now - tmstart)/(double)tck; + } + + return (ret); + } + +#else +#include <sys/time.h> +#include <sys/resource.h> + +double app_tminterval(int stop,int usertime) + { + double ret = 0; + struct rusage rus; + struct timeval now; + static struct timeval tmstart; + + if (usertime) getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime; + else gettimeofday(&now,NULL); + + if (stop==TM_START) tmstart = now; + else ret = ( (now.tv_sec+now.tv_usec*1e-6) + - (tmstart.tv_sec+tmstart.tv_usec*1e-6) ); + + return ret; + } +#endif + +/* app_isdir section */ +#ifdef _WIN32 +int app_isdir(const char *name) + { + HANDLE hList; + WIN32_FIND_DATA FileData; +#if defined(UNICODE) || defined(_UNICODE) + size_t i, len_0 = strlen(name)+1; + + if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0])) + return -1; + +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0)) +#endif + for (i=0;i<len_0;i++) + FileData.cFileName[i] = (WCHAR)name[i]; + + hList = FindFirstFile(FileData.cFileName,&FileData); +#else + hList = FindFirstFile(name,&FileData); +#endif + if (hList == INVALID_HANDLE_VALUE) return -1; + FindClose(hList); + return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0); } +#else +#include <sys/stat.h> +#ifndef S_ISDIR +# if defined(_S_IFMT) && defined(_S_IFDIR) +# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) +# else +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# endif +#endif + +int app_isdir(const char *name) + { +#if defined(S_ISDIR) + struct stat st; + if (stat(name,&st)==0) return S_ISDIR(st.st_mode); + else return -1; +#else + return -1; +#endif + } +#endif + +/* raw_read|write section */ +#if defined(_WIN32) && defined(STD_INPUT_HANDLE) +int raw_read_stdin(void *buf,int siz) + { + DWORD n; + if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL)) + return (n); + else return (-1); + } +#else +int raw_read_stdin(void *buf,int siz) + { return read(fileno(stdin),buf,siz); } +#endif + +#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE) +int raw_write_stdout(const void *buf,int siz) + { + DWORD n; + if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL)) + return (n); + else return (-1); + } +#else +int raw_write_stdout(const void *buf,int siz) + { return write(fileno(stdout),buf,siz); } #endif diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h index 8857909..c1ca99d 100644 --- a/crypto/openssl/apps/apps.h +++ b/crypto/openssl/apps/apps.h @@ -137,11 +137,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read, * (see e_os.h). The string is * destroyed! */ -#ifdef OPENSSL_SYS_WIN32 -#define rename(from,to) WIN32_rename((from),(to)) -int WIN32_rename(const char *oldname,const char *newname); -#endif - #ifndef MONOLITH #define MAIN(a,v) main(a,v) @@ -149,11 +144,9 @@ int WIN32_rename(const char *oldname,const char *newname); #ifndef NON_MAIN CONF *config=NULL; BIO *bio_err=NULL; -int in_FIPS_mode=0; #else extern CONF *config; extern BIO *bio_err; -extern int in_FIPS_mode; #endif #else @@ -162,7 +155,6 @@ extern int in_FIPS_mode; extern CONF *config; extern char *default_config_file; extern BIO *bio_err; -extern int in_FIPS_mode; #endif @@ -176,61 +168,37 @@ extern int in_FIPS_mode; #define do_pipe_sig() #endif +#ifdef OPENSSL_NO_COMP +#define zlib_cleanup() +#else +#define zlib_cleanup() COMP_zlib_cleanup() +#endif + #if defined(MONOLITH) && !defined(OPENSSL_C) # define apps_startup() \ do_pipe_sig() # define apps_shutdown() #else # ifndef OPENSSL_NO_ENGINE -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +# define apps_startup() \ + do { do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -# else -# define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -# endif -# else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ - setup_ui_method(); } while(0) -# endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); ENGINE_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) + OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ + ERR_free_strings(); zlib_cleanup();} while(0) # else -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - setup_ui_method(); } while(0) -# else -# define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +# define apps_startup() \ + do { do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ setup_ui_method(); } while(0) -# endif -# else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); \ - setup_ui_method(); } while(0) -# endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) + OBJ_cleanup(); EVP_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ + ERR_free_strings(); zlib_cleanup(); } while(0) # endif #endif @@ -240,6 +208,7 @@ extern int in_FIPS_mode; # define openssl_fdset(a,b) FD_SET(a, b) #endif + typedef struct args_st { char **data; @@ -282,6 +251,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); #ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); @@ -290,6 +261,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug); #ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, int req_timeout); #endif @@ -331,18 +303,38 @@ int index_index(CA_DB *db); int save_index(const char *dbfile, const char *suffix, CA_DB *db); int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix); void free_index(CA_DB *db); -int index_name_cmp(const char **a, const char **b); +#define index_name_cmp_noconst(a, b) \ + index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ + (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm); void policies_print(BIO *out, X509_STORE_CTX *ctx); +int bio_to_mem(unsigned char **out, int maxlen, BIO *in); +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); +int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, + const char *algname, ENGINE *e, int do_param); +int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +#ifndef OPENSSL_NO_PSK +extern char *psk_key; +#endif #ifndef OPENSSL_NO_JPAKE void jpake_client_auth(BIO *out, BIO *conn, const char *secret); void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #endif +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +unsigned char *next_protos_parse(unsigned short *outlen, const char *in); +#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ + #define FORMAT_UNDEF 0 #define FORMAT_ASN1 1 #define FORMAT_TEXT 2 @@ -353,6 +345,10 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #define FORMAT_ENGINE 7 #define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid * adding yet another param to load_*key() */ +#define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */ +#define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ +#define FORMAT_MSBLOB 11 /* MS Key blob format */ +#define FORMAT_PVK 12 /* MS PVK file format */ #define EXT_COPY_NONE 0 #define EXT_COPY_ADD 1 @@ -364,4 +360,14 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #define SERIAL_RAND_BITS 64 +int app_isdir(const char *); +int raw_read_stdin(void *,int); +int raw_write_stdout(const void *,int); + +#define TM_START 0 +#define TM_STOP 1 +double app_tminterval (int stop,int usertime); + +#define OPENSSL_NO_SSL_INTERN + #endif diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index 305cdfc..0d66070 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -96,7 +96,7 @@ int MAIN(int argc, char **argv) unsigned char *tmpbuf; const unsigned char *ctmpbuf; BUF_MEM *buf=NULL; - STACK *osk=NULL; + STACK_OF(OPENSSL_STRING) *osk=NULL; ASN1_TYPE *at=NULL; informat=FORMAT_PEM; @@ -113,7 +113,7 @@ int MAIN(int argc, char **argv) prog=argv[0]; argc--; argv++; - if ((osk=sk_new_null()) == NULL) + if ((osk=sk_OPENSSL_STRING_new_null()) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto end; @@ -169,7 +169,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-strparse") == 0) { if (--argc < 1) goto bad; - sk_push(osk,*(++argv)); + sk_OPENSSL_STRING_push(osk,*(++argv)); } else if (strcmp(*argv,"-genstr") == 0) { @@ -302,18 +302,18 @@ bad: /* If any structs to parse go through in sequence */ - if (sk_num(osk)) + if (sk_OPENSSL_STRING_num(osk)) { tmpbuf=(unsigned char *)str; tmplen=num; - for (i=0; i<sk_num(osk); i++) + for (i=0; i<sk_OPENSSL_STRING_num(osk); i++) { ASN1_TYPE *atmp; int typ; - j=atoi(sk_value(osk,i)); + j=atoi(sk_OPENSSL_STRING_value(osk,i)); if (j == 0) { - BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i)); + BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i)); continue; } tmpbuf+=j; @@ -378,7 +378,7 @@ end: ERR_print_errors(bio_err); if (buf != NULL) BUF_MEM_free(buf); if (at != NULL) ASN1_TYPE_free(at); - if (osk != NULL) sk_free(osk); + if (osk != NULL) sk_OPENSSL_STRING_free(osk); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 651c5a6..2a83d19 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -63,7 +63,6 @@ #include <string.h> #include <ctype.h> #include <sys/types.h> -#include <sys/stat.h> #include <openssl/conf.h> #include <openssl/bio.h> #include <openssl/err.h> @@ -83,7 +82,7 @@ # else # include <unixlib.h> # endif -# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) # include <sys/file.h> # endif #endif @@ -198,26 +197,30 @@ extern int EF_ALIGNMENT; static void lookup_fail(const char *name, const char *tag); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, + const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy,CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, int selfsign); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, + const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, + const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, + STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *conf, @@ -258,6 +261,7 @@ int MAIN(int argc, char **argv) int doupdatedb=0; long crldays=0; long crlhours=0; + long crlsec=0; long errorline= -1; char *configfile=NULL; char *md=NULL; @@ -305,11 +309,13 @@ int MAIN(int argc, char **argv) ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char *f; - const char *p, **pp; + const char *p; + char * const *pp; int i,j; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; #undef BSIZE #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; @@ -434,6 +440,15 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; outdir= *(++argv); } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + goto bad; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + goto bad; + } else if (strcmp(*argv,"-notext") == 0) notext=1; else if (strcmp(*argv,"-batch") == 0) @@ -456,6 +471,11 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; crlhours= atol(*(++argv)); } + else if (strcmp(*argv,"-crlsec") == 0) + { + if (--argc < 1) goto bad; + crlsec = atol(*(++argv)); + } else if (strcmp(*argv,"-infiles") == 0) { argc--; @@ -549,8 +569,10 @@ bad: if (badops) { - for (pp=ca_usage; (*pp != NULL); pp++) - BIO_printf(bio_err,"%s",*pp); + const char **pp2; + + for (pp2=ca_usage; (*pp2 != NULL); pp2++) + BIO_printf(bio_err,"%s",*pp2); goto err; } @@ -825,7 +847,6 @@ bad: /* lookup where to write new certificates */ if ((outdir == NULL) && (req)) { - struct stat sb; if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR)) == NULL) @@ -844,28 +865,24 @@ bad: that to access(). However, time's too short to do that just now. */ +#ifndef _WIN32 if (access(outdir,R_OK|W_OK|X_OK) != 0) +#else + if (_access(outdir,R_OK|W_OK|X_OK) != 0) +#endif { BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); perror(outdir); goto err; } - if (stat(outdir,&sb) != 0) - { - BIO_printf(bio_err,"unable to stat(%s)\n",outdir); - perror(outdir); - goto err; - } -#ifdef S_ISDIR - if (!S_ISDIR(sb.st_mode)) + if (app_isdir(outdir)<=0) { BIO_printf(bio_err,"%s need to be a directory\n",outdir); perror(outdir); goto err; } #endif -#endif } /*****************************************************************/ @@ -879,9 +896,9 @@ bad: if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; i<sk_num(db->db->data); i++) + for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp=(const char **)sk_value(db->db->data,i); + pp=sk_OPENSSL_PSTRING_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { @@ -894,7 +911,7 @@ bad: BIO_printf(bio_err," in entry %d\n", i+1); goto err; } - if (!check_time_format(pp[DB_exp_date])) + if (!check_time_format((char *)pp[DB_exp_date])) { BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1); goto err; @@ -934,7 +951,7 @@ bad: #endif TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->db->data->num); + sk_OPENSSL_PSTRING_num(db->db->data)); BIO_printf(bio_err,"generating index\n"); } @@ -1025,6 +1042,17 @@ bad: goto err; } + if (!strcmp(md, "default")) + { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) + { + BIO_puts(bio_err,"no default digest\n"); + goto err; + } + md = (char *)OBJ_nid2sn(def_nid); + } + if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); @@ -1094,9 +1122,9 @@ bad: if (startdate == NULL) ERR_clear_error(); } - if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) + if (startdate && !ASN1_TIME_set_string(NULL, startdate)) { - BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n"); + BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); goto err; } if (startdate == NULL) startdate="today"; @@ -1108,9 +1136,9 @@ bad: if (enddate == NULL) ERR_clear_error(); } - if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) + if (enddate && !ASN1_TIME_set_string(NULL, enddate)) { - BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n"); + BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); goto err; } @@ -1156,8 +1184,9 @@ bad: if (spkac_file != NULL) { total++; - j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, - serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions, + j=certify_spkac(&x,spkac_file,pkey,x509,dgst,sigopts, + attribs,db, serial,subj,chtype,multirdn, + email_dn,startdate,enddate,days,extensions, conf,verbose,certopt,nameopt,default_op,ext_copy); if (j < 0) goto err; if (j > 0) @@ -1180,7 +1209,8 @@ bad: if (ss_cert_file != NULL) { total++; - j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, + j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,sigopts, + attribs, db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy, e); @@ -1200,7 +1230,7 @@ bad: if (infile != NULL) { total++; - j=certify(&x,infile,pkey,x509p,dgst,attribs,db, + j=certify(&x,infile,pkey,x509p,dgst,sigopts, attribs,db, serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy, selfsign); @@ -1220,7 +1250,7 @@ bad: for (i=0; i<argc; i++) { total++; - j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db, + j=certify(&x,argv[i],pkey,x509p,dgst,sigopts,attribs,db, serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy, selfsign); @@ -1370,7 +1400,7 @@ bad: goto err; } - if (!crldays && !crlhours) + if (!crldays && !crlhours && !crlsec) { if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_DAYS, &crldays)) @@ -1379,7 +1409,7 @@ bad: ENV_DEFAULT_CRL_HOURS, &crlhours)) crlhours = 0; } - if ((crldays == 0) && (crlhours == 0)) + if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n"); goto err; @@ -1393,14 +1423,19 @@ bad: if (!tmptm) goto err; X509_gmtime_adj(tmptm,0); X509_CRL_set_lastUpdate(crl, tmptm); - X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); + if (!X509_time_adj_ex(tmptm, crldays, crlhours*60*60 + crlsec, + NULL)) + { + BIO_puts(bio_err, "error setting CRL nextUpdate\n"); + goto err; + } X509_CRL_set_nextUpdate(crl, tmptm); ASN1_TIME_free(tmptm); - for (i=0; i<sk_num(db->db->data); i++) + for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp=(const char **)sk_value(db->db->data,i); + pp=sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1426,15 +1461,6 @@ bad: /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - dgst=EVP_dss1(); - else -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - dgst=EVP_ecdsa(); -#endif /* Add any extensions asked for */ @@ -1467,7 +1493,13 @@ bad: if (crlnumberfile != NULL) /* we have a CRL number that need updating */ if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; - if (!X509_CRL_sign(crl,pkey,dgst)) goto err; + if (crlnumber) + { + BN_free(crlnumber); + crlnumber = NULL; + } + + if (!do_X509_CRL_sign(bio_err,crl,pkey,dgst,sigopts)) goto err; PEM_write_bio_X509_CRL(Sout,crl); @@ -1519,7 +1551,10 @@ err: if (free_key && key) OPENSSL_free(key); BN_free(serial); + BN_free(crlnumber); free_index(db); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); EVP_PKEY_free(pkey); if (x509) X509_free(x509); X509_CRL_free(crl); @@ -1536,8 +1571,10 @@ static void lookup_fail(const char *name, const char *tag) } static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, - BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, + int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, int selfsign) @@ -1593,7 +1630,8 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, else BIO_printf(bio_err,"Signature ok\n"); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn, + ok=do_body(xret,pkey,x509,dgst,sigopts, policy,db,serial,subj,chtype, + multirdn, email_dn, startdate,enddate,days,batch,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, ext_copy, selfsign); @@ -1604,7 +1642,8 @@ err: } static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1647,7 +1686,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) goto err; - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate, + ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate, days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, ext_copy, 0); @@ -1658,7 +1697,8 @@ err: } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, + STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, + CA_DB *db, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, @@ -1677,7 +1717,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int ok= -1,i,j,last,nid; const char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; + OPENSSL_STRING row[DB_NUMBER]; + OPENSSL_STRING *irow=NULL; + OPENSSL_STRING *rrow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); @@ -1919,7 +1961,9 @@ again2: if (db->attributes.unique_subject) { - rrow=TXT_DB_get_by_index(db->db,DB_name,row); + OPENSSL_STRING *crow=row; + + rrow=TXT_DB_get_by_index(db->db,DB_name,crow); if (rrow != NULL) { BIO_printf(bio_err, @@ -1995,11 +2039,11 @@ again2: if (strcmp(startdate,"today") == 0) X509_gmtime_adj(X509_get_notBefore(ret),0); - else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); + else ASN1_TIME_set_string(X509_get_notBefore(ret),startdate); if (enddate == NULL) - X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days); - else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); + X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL); + else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate); if (!X509_set_subject_name(ret,subject)) goto err; @@ -2119,27 +2163,13 @@ again2: } } - -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - dgst = EVP_ecdsa(); - pktmp = X509_get_pubkey(ret); - if (EVP_PKEY_missing_parameters(pktmp) && - !EVP_PKEY_missing_parameters(pkey)) - EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); -#endif - - if (!X509_sign(ret,pkey,dgst)) + if (!do_X509_sign(bio_err, ret,pkey,dgst, sigopts)) goto err; /* We now just add it to the database */ @@ -2233,13 +2263,14 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { STACK_OF(CONF_VALUE) *sk=NULL; - LHASH *parms=NULL; + LHASH_OF(CONF_VALUE) *parms=NULL; X509_REQ *req=NULL; CONF_VALUE *cv=NULL; NETSCAPE_SPKI *spki = NULL; @@ -2359,9 +2390,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, X509_REQ_set_pubkey(req,pktmp); EVP_PKEY_free(pktmp); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate, - days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, - ext_copy, 0); + ok=do_body(xret,pkey,x509,dgst,sigopts,policy,db,serial,subj,chtype, + multirdn,email_dn,startdate,enddate, days,1,verbose,req, + ext_sect,lconf, certopt, nameopt, default_op, ext_copy, 0); err: if (req != NULL) X509_REQ_free(req); if (parms != NULL) CONF_free(parms); @@ -2373,15 +2404,7 @@ err: static int check_time_format(const char *str) { - ASN1_TIME tm; - - tm.data=(unsigned char *)str; - tm.length=strlen(str); - tm.type=V_ASN1_UTCTIME; - if (ASN1_TIME_check(&tm)) - return 1; - tm.type=V_ASN1_GENERALIZEDTIME; - return ASN1_TIME_check(&tm); + return ASN1_TIME_set_string(NULL, str); } static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) @@ -2396,6 +2419,8 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[i]=NULL; row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); + if (!bn) + goto err; if (BN_is_zero(bn)) row[DB_serial]=BUF_strdup("00"); else @@ -2465,7 +2490,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) goto err; } - else if (index_name_cmp((const char **)row,(const char **)rrow)) + else if (index_name_cmp_noconst(row, rrow)) { BIO_printf(bio_err,"ERROR:name does not match %s\n", row[DB_name]); @@ -2535,7 +2560,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) /* Make it Upper Case */ for (i=0; row[DB_serial][i] != '\0'; i++) - row[DB_serial][i] = toupper(row[DB_serial][i]); + row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]); ok=1; @@ -2614,9 +2639,9 @@ static int do_updatedb (CA_DB *db) else a_y2k = 0; - for (i = 0; i < sk_num(db->db->data); i++) + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - rrow = (char **) sk_value(db->db->data, i); + rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { @@ -2863,22 +2888,13 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) p=(char *)str->data; for (j=str->length; j>0; j--) { -#ifdef CHARSET_EBCDIC - if ((*p >= 0x20) && (*p <= 0x7e)) - BIO_printf(bp,"%c",os_toebcdic[*p]); -#else if ((*p >= ' ') && (*p <= '~')) BIO_printf(bp,"%c",*p); -#endif else if (*p & 0x80) BIO_printf(bp,"\\0x%02X",*p); else if ((unsigned char)*p == 0xf7) BIO_printf(bp,"^?"); -#ifdef CHARSET_EBCDIC - else BIO_printf(bp,"^%c",os_toebcdic[*p+0x40]); -#else else BIO_printf(bp,"^%c",*p+'@'); -#endif p++; } BIO_printf(bp,"'\n"); diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c index 43f0ac5..5f2b739 100644 --- a/crypto/openssl/apps/ciphers.c +++ b/crypto/openssl/apps/ciphers.c @@ -71,7 +71,8 @@ static const char *ciphers_usage[]={ "usage: ciphers args\n", -" -v - verbose mode, a textual listing of the ciphers in SSLeay\n", +" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", +" -V - even more verbose\n", " -ssl2 - SSL2 mode\n", " -ssl3 - SSL3 mode\n", " -tls1 - TLS1 mode\n", @@ -83,14 +84,14 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { int ret=1,i; - int verbose=0; + int verbose=0,Verbose=0; const char **pp; const char *p; int badops=0; SSL_CTX *ctx=NULL; SSL *ssl=NULL; char *ciphers=NULL; - SSL_METHOD *meth=NULL; + const SSL_METHOD *meth=NULL; STACK_OF(SSL_CIPHER) *sk; char buf[512]; BIO *STDout=NULL; @@ -114,6 +115,8 @@ int MAIN(int argc, char **argv) STDout = BIO_push(tmpbio, STDout); } #endif + if (!load_config(bio_err, NULL)) + goto end; argc--; argv++; @@ -121,6 +124,8 @@ int MAIN(int argc, char **argv) { if (strcmp(*argv,"-v") == 0) verbose=1; + else if (strcmp(*argv,"-V") == 0) + verbose=Verbose=1; #ifndef OPENSSL_NO_SSL2 else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); @@ -179,15 +184,33 @@ int MAIN(int argc, char **argv) } BIO_printf(STDout,"\n"); } - else + else /* verbose */ { sk=SSL_get_ciphers(ssl); for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { - BIO_puts(STDout,SSL_CIPHER_description( - sk_SSL_CIPHER_value(sk,i), - buf,sizeof buf)); + SSL_CIPHER *c; + + c = sk_SSL_CIPHER_value(sk,i); + + if (Verbose) + { + unsigned long id = SSL_CIPHER_get_id(c); + int id0 = (int)(id >> 24); + int id1 = (int)((id >> 16) & 0xffL); + int id2 = (int)((id >> 8) & 0xffL); + int id3 = (int)(id & 0xffL); + + if ((id & 0xff000000L) == 0x02000000L) + BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */ + else if ((id & 0xff000000L) == 0x03000000L) + BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */ + else + BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ + } + + BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf)); } } diff --git a/crypto/openssl/apps/client.pem b/crypto/openssl/apps/client.pem index 307910e..e7a47a7 100644 --- a/crypto/openssl/apps/client.pem +++ b/crypto/openssl/apps/client.pem @@ -1,24 +1,52 @@ -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit) +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA -----BEGIN CERTIFICATE----- -MIIB6TCCAVICAQIwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU2WhcNOTgwNjA5 -MTM1NzU2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG -A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0IGNl -cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALtv55QyzG6i2Plw -Z1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexmq/R4KedLjFEIYjocDui+IXs62NNt -XrT8odkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBwtMmI7oGUG8nKmftQssATViH5 -NRRtoEw07DxJp/LfatHdrhqQB73eGdL5WILZJXk46Xz2e9WMSUjVCSYhdKxtflU3 -UR2Ajv1Oo0sTNdfz0wDqJNirLNtzyhhsaq8qMTrLwXrCP31VxBiigFSQSUFnZyTE -9TKwhS4GlwbtCfxSKQ== +MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY ++yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs +lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D +nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2 +x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2 +bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9 +AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49 +hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS +curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB +IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b +vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2 +QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm +CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm -q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko -/V86mGXQ/KrSkeKlL0r4ENxjcyeMAGoKu6J9yMY7+X9+Zm4nxShNfTsf/+Freoe1 -HQIhAPOSm5Q1YI+KIsII2GeVJx1U69+wnd71OasIPakS1L1XAiEAxQAW+J3/JWE0 -ftEYakbhUOKL8tD1OaFZS71/5GdG7E8CIQCefUMmySSvwd6kC0VlATSWbW+d+jp/ -nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw -ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg== +MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f +wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr +agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy +mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr +MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x +HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L +p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT +KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB +1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx +L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl +LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO +Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn +/bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai +1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX +1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3 +NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ +zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC +mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7 +5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK +u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+ +HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV +tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn +SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh +kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww +1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw= -----END RSA PRIVATE KEY----- diff --git a/crypto/openssl/apps/cms.c b/crypto/openssl/apps/cms.c index b8c0ee8..d754140 100644 --- a/crypto/openssl/apps/cms.c +++ b/crypto/openssl/apps/cms.c @@ -71,8 +71,9 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, - STACK *rr_from); +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from); #define SMIME_OP 0x10 #define SMIME_IP 0x20 @@ -94,6 +95,8 @@ static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, #define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) #define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) +int verify_err = 0; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -105,7 +108,7 @@ int MAIN(int argc, char **argv) const char *inmode = "r", *outmode = "w"; char *infile = NULL, *outfile = NULL, *rctfile = NULL; char *signerfile = NULL, *recipfile = NULL; - STACK *sksigners = NULL, *skkeys = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; char *certfile = NULL, *keyfile = NULL, *contfile=NULL; char *certsoutfile = NULL; const EVP_CIPHER *cipher = NULL; @@ -116,9 +119,10 @@ int MAIN(int argc, char **argv) STACK_OF(X509) *encerts = NULL, *other = NULL; BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; int badarg = 0; - int flags = CMS_DETACHED; + int flags = CMS_DETACHED, noout = 0, print = 0; + int verify_retcode = 0; int rr_print = 0, rr_allorfirst = -1; - STACK *rr_to = NULL, *rr_from = NULL; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; CMS_ReceiptRequest *rr = NULL; char *to = NULL, *from = NULL, *subject = NULL; char *CAfile = NULL, *CApath = NULL; @@ -132,6 +136,7 @@ int MAIN(int argc, char **argv) char *engine=NULL; #endif unsigned char *secret_key = NULL, *secret_keyid = NULL; + unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; size_t secret_keylen = 0, secret_keyidlen = 0; ASN1_OBJECT *econtent_type = NULL; @@ -166,6 +171,8 @@ int MAIN(int argc, char **argv) operation = SMIME_RESIGN; else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY; + else if (!strcmp (*args, "-verify_retcode")) + verify_retcode = 1; else if (!strcmp(*args,"-verify_receipt")) { operation = SMIME_VERIFY_RECEIPT; @@ -226,8 +233,6 @@ int MAIN(int argc, char **argv) else if (!strcmp(*args,"-camellia256")) cipher = EVP_camellia_256_cbc(); #endif - else if (!strcmp (*args, "-debug_decrypt")) - flags |= CMS_DEBUG_DECRYPT; else if (!strcmp (*args, "-text")) flags |= CMS_TEXT; else if (!strcmp (*args, "-nointern")) @@ -254,21 +259,17 @@ int MAIN(int argc, char **argv) else if (!strcmp (*args, "-no_attr_verify")) flags |= CMS_NO_ATTR_VERIFY; else if (!strcmp (*args, "-stream")) - { - args++; - continue; - } + flags |= CMS_STREAM; else if (!strcmp (*args, "-indef")) - { - args++; - continue; - } + flags |= CMS_STREAM; else if (!strcmp (*args, "-noindef")) flags &= ~CMS_STREAM; else if (!strcmp (*args, "-nooldmime")) flags |= CMS_NOOLDMIMETYPE; else if (!strcmp (*args, "-crlfeol")) flags |= CMS_CRLFEOL; + else if (!strcmp (*args, "-noout")) + noout = 1; else if (!strcmp (*args, "-receipt_request_print")) rr_print = 1; else if (!strcmp (*args, "-receipt_request_all")) @@ -281,8 +282,8 @@ int MAIN(int argc, char **argv) goto argerr; args++; if (!rr_from) - rr_from = sk_new_null(); - sk_push(rr_from, *args); + rr_from = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(rr_from, *args); } else if (!strcmp(*args,"-receipt_request_to")) { @@ -290,9 +291,14 @@ int MAIN(int argc, char **argv) goto argerr; args++; if (!rr_to) - rr_to = sk_new_null(); - sk_push(rr_to, *args); + rr_to = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(rr_to, *args); } + else if (!strcmp (*args, "-print")) + { + noout = 1; + print = 1; + } else if (!strcmp(*args,"-secretkey")) { long ltmp; @@ -321,6 +327,13 @@ int MAIN(int argc, char **argv) } secret_keyidlen = (size_t)ltmp; } + else if (!strcmp(*args,"-pwri_password")) + { + if (!args[1]) + goto argerr; + args++; + pwri_pass = (unsigned char *)*args; + } else if (!strcmp(*args,"-econtent_type")) { if (!args[1]) @@ -382,13 +395,13 @@ int MAIN(int argc, char **argv) if (signerfile) { if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); if (!keyfile) keyfile = signerfile; if (!skkeys) - skkeys = sk_new_null(); - sk_push(skkeys, keyfile); + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; } signerfile = *++args; @@ -430,12 +443,12 @@ int MAIN(int argc, char **argv) goto argerr; } if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; if (!skkeys) - skkeys = sk_new_null(); - sk_push(skkeys, keyfile); + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); } keyfile = *++args; } @@ -534,13 +547,13 @@ int MAIN(int argc, char **argv) if (signerfile) { if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); if (!skkeys) - skkeys = sk_new_null(); + skkeys = sk_OPENSSL_STRING_new_null(); if (!keyfile) keyfile = signerfile; - sk_push(skkeys, keyfile); + sk_OPENSSL_STRING_push(skkeys, keyfile); } if (!sksigners) { @@ -554,7 +567,7 @@ int MAIN(int argc, char **argv) else if (operation == SMIME_DECRYPT) { - if (!recipfile && !keyfile && !secret_key) + if (!recipfile && !keyfile && !secret_key && !pwri_pass) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); badarg = 1; @@ -562,7 +575,7 @@ int MAIN(int argc, char **argv) } else if (operation == SMIME_ENCRYPT) { - if (!*args && !secret_key) + if (!*args && !secret_key && !pwri_pass) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); badarg = 1; @@ -699,7 +712,7 @@ int MAIN(int argc, char **argv) if (secret_key && !secret_keyid) { - BIO_printf(bio_err, "No sectre key id\n"); + BIO_printf(bio_err, "No secret key id\n"); goto end; } @@ -875,7 +888,7 @@ int MAIN(int argc, char **argv) { if (!(store = setup_verify(bio_err, CAfile, CApath))) goto end; - X509_STORE_set_verify_cb_func(store, cms_cb); + X509_STORE_set_verify_cb(store, cms_cb); if (vpm) X509_STORE_set1_param(store, vpm); } @@ -912,6 +925,17 @@ int MAIN(int argc, char **argv) secret_key = NULL; secret_keyid = NULL; } + if (pwri_pass) + { + pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass); + if (!pwri_tmp) + goto end; + if (!CMS_add0_recipient_password(cms, + -1, NID_undef, NID_undef, + pwri_tmp, -1, NULL)) + goto end; + pwri_tmp = NULL; + } if (!(flags & CMS_STREAM)) { if (!CMS_final(cms, in, NULL, flags)) @@ -975,11 +999,11 @@ int MAIN(int argc, char **argv) } else flags |= CMS_REUSE_DIGEST; - for (i = 0; i < sk_num(sksigners); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { CMS_SignerInfo *si; - signerfile = sk_value(sksigners, i); - keyfile = sk_value(skkeys, i); + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) @@ -1015,8 +1039,6 @@ int MAIN(int argc, char **argv) ret = 4; if (operation == SMIME_DECRYPT) { - if (flags & CMS_DEBUG_DECRYPT) - CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); if (secret_key) { @@ -1040,6 +1062,16 @@ int MAIN(int argc, char **argv) } } + if (pwri_pass) + { + if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) + { + BIO_puts(bio_err, + "Error decrypting CMS using password\n"); + goto end; + } + } + if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { BIO_printf(bio_err, "Error decrypting CMS structure\n"); @@ -1079,6 +1111,8 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Verification failure\n"); + if (verify_retcode) + ret = verify_err + 32; goto end; } if (signerfile) @@ -1111,7 +1145,12 @@ int MAIN(int argc, char **argv) } else { - if (outformat == FORMAT_SMIME) + if (noout) + { + if (print) + CMS_ContentInfo_print_ctx(out, cms, 0, NULL); + } + else if (outformat == FORMAT_SMIME) { if (to) BIO_printf(out, "To: %s\n", to); @@ -1125,9 +1164,9 @@ int MAIN(int argc, char **argv) ret = SMIME_write_CMS(out, cms, in, flags); } else if (outformat == FORMAT_PEM) - ret = PEM_write_bio_CMS(out, cms); + ret = PEM_write_bio_CMS_stream(out, cms, in, flags); else if (outformat == FORMAT_ASN1) - ret = i2d_CMS_bio(out,cms); + ret = i2d_CMS_bio_stream(out,cms, in, flags); else { BIO_printf(bio_err, "Bad output format for CMS file\n"); @@ -1150,21 +1189,23 @@ end: if (vpm) X509_VERIFY_PARAM_free(vpm); if (sksigners) - sk_free(sksigners); + sk_OPENSSL_STRING_free(sksigners); if (skkeys) - sk_free(skkeys); + sk_OPENSSL_STRING_free(skkeys); if (secret_key) OPENSSL_free(secret_key); if (secret_keyid) OPENSSL_free(secret_keyid); + if (pwri_tmp) + OPENSSL_free(pwri_tmp); if (econtent_type) ASN1_OBJECT_free(econtent_type); if (rr) CMS_ReceiptRequest_free(rr); if (rr_to) - sk_free(rr_to); + sk_OPENSSL_STRING_free(rr_to); if (rr_from) - sk_free(rr_from); + sk_OPENSSL_STRING_free(rr_from); X509_STORE_free(store); X509_free(cert); X509_free(recip); @@ -1203,6 +1244,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx) error = X509_STORE_CTX_get_error(ctx); + verify_err = error; + if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) && ((error != X509_V_OK) || (ok != 2))) return ok; @@ -1284,7 +1327,7 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) } } -static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) +static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) { int i; STACK_OF(GENERAL_NAMES) *ret; @@ -1293,12 +1336,10 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) ret = sk_GENERAL_NAMES_new_null(); if (!ret) goto err; - for (i = 0; i < sk_num(ns); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { - CONF_VALUE cnf; - cnf.name = "email"; - cnf.value = sk_value(ns, i); - gen = v2i_GENERAL_NAME(NULL, NULL, &cnf); + char *str = sk_OPENSSL_STRING_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); if (!gen) goto err; gens = GENERAL_NAMES_new(); @@ -1325,8 +1366,9 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) } -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, - STACK *rr_from) +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from) { STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; CMS_ReceiptRequest *rr; diff --git a/crypto/openssl/apps/crl2p7.c b/crypto/openssl/apps/crl2p7.c index b2f2d12..bbc8377 100644 --- a/crypto/openssl/apps/crl2p7.c +++ b/crypto/openssl/apps/crl2p7.c @@ -63,7 +63,6 @@ #include <stdio.h> #include <string.h> #include <sys/types.h> -#include <sys/stat.h> #include "apps.h" #include <openssl/err.h> #include <openssl/evp.h> @@ -93,7 +92,7 @@ int MAIN(int argc, char **argv) PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; X509_CRL *crl=NULL; - STACK *certflst=NULL; + STACK_OF(OPENSSL_STRING) *certflst=NULL; STACK_OF(X509_CRL) *crl_stack=NULL; STACK_OF(X509) *cert_stack=NULL; int ret=1,nocrl=0; @@ -141,8 +140,8 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-certfile") == 0) { if (--argc < 1) goto bad; - if(!certflst) certflst = sk_new_null(); - sk_push(certflst,*(++argv)); + if(!certflst) certflst = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(certflst,*(++argv)); } else { @@ -227,8 +226,8 @@ bad: if ((cert_stack=sk_X509_new_null()) == NULL) goto end; p7s->cert=cert_stack; - if(certflst) for(i = 0; i < sk_num(certflst); i++) { - certfile = sk_value(certflst, i); + if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { + certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack,certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); @@ -237,7 +236,7 @@ bad: } } - sk_free(certflst); + sk_OPENSSL_STRING_free(certflst); if (outfile == NULL) { @@ -295,19 +294,12 @@ end: */ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile) { - struct stat st; BIO *in=NULL; int count=0; int ret= -1; STACK_OF(X509_INFO) *sk=NULL; X509_INFO *xi; - if ((stat(certfile,&st) != 0)) - { - BIO_printf(bio_err,"unable to load the file, %s\n",certfile); - goto end; - } - in=BIO_new(BIO_s_file()); if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0)) { diff --git a/crypto/openssl/apps/demoCA/cacert.pem b/crypto/openssl/apps/demoCA/cacert.pem deleted file mode 100644 index affbce3..0000000 --- a/crypto/openssl/apps/demoCA/cacert.pem +++ /dev/null @@ -1,14 +0,0 @@ -subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server -issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA ------BEGIN X509 CERTIFICATE----- - -MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV -BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz -MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM -RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV -BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 -LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb -/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 -DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn -IMs6ZOZB ------END X509 CERTIFICATE----- diff --git a/crypto/openssl/apps/demoCA/index.txt b/crypto/openssl/apps/demoCA/index.txt deleted file mode 100644 index 2cdd252..0000000 --- a/crypto/openssl/apps/demoCA/index.txt +++ /dev/null @@ -1,39 +0,0 @@ -R 980705233205Z 951009233205Z 01 certs/00000001 /CN=Eric Young -E 951009233205Z 02 certs/00000002 /CN=Duncan Young -R 980705233205Z 951201010000Z 03 certs/00000003 /CN=Tim Hudson -V 980705233205Z 04 certs/00000004 /CN=Eric Young4 -V 980705233205Z 05 certs/00000004 /CN=Eric Young5 -V 980705233205Z 06 certs/00000004 /CN=Eric Young6 -V 980705233205Z 07 certs/00000004 /CN=Eric Young7 -V 980705233205Z 08 certs/00000004 /CN=Eric Young8 -V 980705233205Z 09 certs/00000004 /CN=Eric Young9 -V 980705233205Z 0A certs/00000004 /CN=Eric YoungA -V 980705233205Z 0B certs/00000004 /CN=Eric YoungB -V 980705233205Z 0C certs/00000004 /CN=Eric YoungC -V 980705233205Z 0D certs/00000004 /CN=Eric YoungD -V 980705233205Z 0E certs/00000004 /CN=Eric YoungE -V 980705233205Z 0F certs/00000004 /CN=Eric YoungF -V 980705233205Z 10 certs/00000004 /CN=Eric Young10 -V 980705233205Z 11 certs/00000004 /CN=Eric Young11 -V 980705233205Z 12 certs/00000004 /CN=Eric Young12 -V 980705233205Z 13 certs/00000004 /CN=Eric Young13 -V 980705233205Z 14 certs/00000004 /CN=Eric Young14 -V 980705233205Z 15 certs/00000004 /CN=Eric Young15 -V 980705233205Z 16 certs/00000004 /CN=Eric Young16 -V 980705233205Z 17 certs/00000004 /CN=Eric Young17 -V 961206150305Z 010C unknown /C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au -V 961206153245Z 010D unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au -V 970322074816Z 010E unknown /CN=Eric Young/Email=eay@mincom.oz.au -V 970322075152Z 010F unknown /CN=Eric Young -V 970322075906Z 0110 unknown /CN=Eric Youngg -V 970324092238Z 0111 unknown /C=AU/SP=Queensland/CN=Eric Young -V 970324221931Z 0112 unknown /CN=Fred -V 970324224934Z 0113 unknown /C=AU/CN=eay -V 971001005237Z 0114 unknown /C=AU/SP=QLD/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test -V 971001010331Z 0115 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test again - x509v3 -V 971001013945Z 0117 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test -V 971014225415Z 0118 unknown /C=AU/SP=Queensland/CN=test -V 971015004448Z 0119 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test2 -V 971016035001Z 011A unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test64 -V 971016080129Z 011B unknown /C=FR/O=ALCATEL/OU=Alcatel Mobile Phones/CN=bourque/Email=bourque@art.alcatel.fr -V 971016224000Z 011D unknown /L=Bedford/O=Cranfield University/OU=Computer Centre/CN=Peter R Lister/Email=P.Lister@cranfield.ac.uk diff --git a/crypto/openssl/apps/demoCA/private/cakey.pem b/crypto/openssl/apps/demoCA/private/cakey.pem deleted file mode 100644 index 48fb18c..0000000 --- a/crypto/openssl/apps/demoCA/private/cakey.pem +++ /dev/null @@ -1,24 +0,0 @@ -issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA -subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server ------BEGIN X509 CERTIFICATE----- - -MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV -BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz -MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM -RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV -BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 -LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb -/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 -DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn -IMs6ZOZB ------END X509 CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- - -MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe -Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ -hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG -sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw -tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq -agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA -g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI= ------END RSA PRIVATE KEY----- diff --git a/crypto/openssl/apps/demoCA/serial b/crypto/openssl/apps/demoCA/serial deleted file mode 100644 index 69fa0ff..0000000 --- a/crypto/openssl/apps/demoCA/serial +++ /dev/null @@ -1 +0,0 @@ -011E diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index 9ebfc22..b08e9a7 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -75,8 +75,29 @@ #define PROG dgst_main int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, - EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow); + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file,BIO *bmd); + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) + { + const char *mname; + /* Skip aliases */ + if (!m) + return; + mname = OBJ_nid2ln(EVP_MD_type(m)); + /* Skip shortnames */ + if (strcmp(from, mname)) + return; + /* Skip clones */ + if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) + return; + if (strchr(mname, ' ')) + mname= EVP_MD_name(m); + BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", + mname, mname); + } int MAIN(int, char **); @@ -89,7 +110,6 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*inp; BIO *bmd=NULL; BIO *out = NULL; - const char *name; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; int separator=0; @@ -101,16 +121,17 @@ int MAIN(int argc, char **argv) EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; - unsigned int sig_flags = 0; char *passargin = NULL, *passin = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif char *hmac_key=NULL; + char *mac_name=NULL; int non_fips_allow = 0; + STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; apps_startup(); -ERR_load_crypto_strings(); + if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err,"out of memory\n"); @@ -135,6 +156,8 @@ ERR_load_crypto_strings(); if ((*argv)[0] != '-') break; if (strcmp(*argv,"-c") == 0) separator=1; + else if (strcmp(*argv,"-r") == 0) + separator=2; else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) break; @@ -169,27 +192,6 @@ ERR_load_crypto_strings(); keyfile=*(++argv); do_verify = 1; } - else if (strcmp(*argv,"-x931") == 0) - sig_flags = EVP_MD_CTX_FLAG_PAD_X931; - else if (strcmp(*argv,"-pss_saltlen") == 0) - { - int saltlen; - if (--argc < 1) break; - saltlen=atoi(*(++argv)); - if (saltlen == -1) - sig_flags = EVP_MD_CTX_FLAG_PSS_MREC; - else if (saltlen == -2) - sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN; - else if (saltlen < -2 || saltlen >= 0xFFFE) - { - BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen); - goto end; - } - else - sig_flags = saltlen; - sig_flags <<= 16; - sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS; - } else if (strcmp(*argv,"-signature") == 0) { if (--argc < 1) break; @@ -205,6 +207,7 @@ ERR_load_crypto_strings(); { if (--argc < 1) break; engine= *(++argv); + e = setup_engine(bio_err, engine, 0); } #endif else if (strcmp(*argv,"-hex") == 0) @@ -223,6 +226,30 @@ ERR_load_crypto_strings(); break; hmac_key=*++argv; } + else if (!strcmp(*argv,"-mac")) + { + if (--argc < 1) + break; + mac_name=*++argv; + } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + break; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + break; + } + else if (strcmp(*argv,"-macopt") == 0) + { + if (--argc < 1) + break; + if (!macopts) + macopts = sk_OPENSSL_STRING_new_null(); + if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) + break; + } else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else @@ -231,12 +258,9 @@ ERR_load_crypto_strings(); argv++; } - if (md == NULL) - md=EVP_md5(); if(do_verify && !sigfile) { BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); - err = 1; goto end; } @@ -245,6 +269,7 @@ ERR_load_crypto_strings(); BIO_printf(bio_err,"unknown option '%s'\n",*argv); BIO_printf(bio_err,"options are\n"); BIO_printf(bio_err,"-c to output the digest with separating colons\n"); + BIO_printf(bio_err,"-r to output the digest in coreutils format\n"); BIO_printf(bio_err,"-d to output debug info\n"); BIO_printf(bio_err,"-hex output as hex dump\n"); BIO_printf(bio_err,"-binary output in binary form\n"); @@ -252,49 +277,20 @@ ERR_load_crypto_strings(); BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); + BIO_printf(bio_err,"-out filename output to filename rather than stdout\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); - BIO_printf(bio_err,"-binary output in binary form\n"); + BIO_printf(bio_err,"-sigopt nm:v signature parameter\n"); BIO_printf(bio_err,"-hmac key create hashed MAC with key\n"); + BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n"); + BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); #endif - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n", - LN_md5,LN_md5); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md4,LN_md4); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md2,LN_md2); -#ifndef OPENSSL_NO_SHA - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha1,LN_sha1); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha,LN_sha); -#ifndef OPENSSL_NO_SHA256 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha224,LN_sha224); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha256,LN_sha256); -#endif -#ifndef OPENSSL_NO_SHA512 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha384,LN_sha384); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha512,LN_sha512); -#endif -#endif - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_mdc2,LN_mdc2); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_ripemd160,LN_ripemd160); - err=1; + EVP_MD_do_all_sorted(list_md_fn, bio_err); goto end; } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - in=BIO_new(BIO_s_file()); bmd=BIO_new(BIO_f_md()); if (debug) @@ -317,8 +313,10 @@ ERR_load_crypto_strings(); } if(out_bin == -1) { - if(keyfile) out_bin = 1; - else out_bin = 0; + if(keyfile) + out_bin = 1; + else + out_bin = 0; } if(randfile) @@ -344,6 +342,11 @@ ERR_load_crypto_strings(); ERR_print_errors(bio_err); goto end; } + if ((!!mac_name + !!keyfile + !!hmac_key) > 1) + { + BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); + goto end; + } if(keyfile) { @@ -361,6 +364,108 @@ ERR_load_crypto_strings(); } } + if (mac_name) + { + EVP_PKEY_CTX *mac_ctx = NULL; + int r = 0; + if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0)) + goto mac_end; + if (macopts) + { + char *macopt; + for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) + { + macopt = sk_OPENSSL_STRING_value(macopts, i); + if (pkey_ctrl_string(mac_ctx, macopt) <= 0) + { + BIO_printf(bio_err, + "MAC parameter error \"%s\"\n", + macopt); + ERR_print_errors(bio_err); + goto mac_end; + } + } + } + if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) + { + BIO_puts(bio_err, "Error generating key\n"); + ERR_print_errors(bio_err); + goto mac_end; + } + r = 1; + mac_end: + if (mac_ctx) + EVP_PKEY_CTX_free(mac_ctx); + if (r == 0) + goto end; + } + + if (non_fips_allow) + { + EVP_MD_CTX *md_ctx; + BIO_get_md_ctx(bmd,&md_ctx); + EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + } + + if (hmac_key) + { + sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, + (unsigned char *)hmac_key, -1); + if (!sigkey) + goto end; + } + + if (sigkey) + { + EVP_MD_CTX *mctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + int r; + if (!BIO_get_md_ctx(bmd, &mctx)) + { + BIO_printf(bio_err, "Error getting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (do_verify) + r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); + else + r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); + if (!r) + { + BIO_printf(bio_err, "Error setting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (sigopts) + { + char *sigopt; + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) + { + sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pctx, sigopt) <= 0) + { + BIO_printf(bio_err, + "parameter error \"%s\"\n", + sigopt); + ERR_print_errors(bio_err); + goto end; + } + } + } + } + /* we use md as a filter, reading from 'in' */ + else + { + if (md == NULL) + md = EVP_md5(); + if (!BIO_set_md(bmd,md)) + { + BIO_printf(bio_err, "Error setting digest %s\n", pname); + ERR_print_errors(bio_err); + goto end; + } + } + if(sigfile && sigkey) { BIO *sigbio; sigbio = BIO_new_file(sigfile, "rb"); @@ -381,67 +486,51 @@ ERR_load_crypto_strings(); goto end; } } + inp=BIO_push(bmd,in); - if (non_fips_allow) - { - EVP_MD_CTX *md_ctx; - BIO_get_md_ctx(bmd,&md_ctx); - EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - } - - if (sig_flags) - { - EVP_MD_CTX *md_ctx; - BIO_get_md_ctx(bmd,&md_ctx); - EVP_MD_CTX_set_flags(md_ctx, sig_flags); - } - - /* we use md as a filter, reading from 'in' */ - if (!BIO_set_md(bmd,md)) + if (md == NULL) { - BIO_printf(bio_err, "Error setting digest %s\n", pname); - ERR_print_errors(bio_err); - goto end; + EVP_MD_CTX *tctx; + BIO_get_md_ctx(bmd, &tctx); + md = EVP_MD_CTX_md(tctx); } - - inp=BIO_push(bmd,in); if (argc == 0) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)",bmd,hmac_key,non_fips_allow); + siglen,NULL,NULL,"stdin",bmd); } else { - name=OBJ_nid2sn(md->type); + const char *md_name = NULL, *sig_name = NULL; + if(!out_bin) + { + if (sigkey) + { + const EVP_PKEY_ASN1_METHOD *ameth; + ameth = EVP_PKEY_get0_asn1(sigkey); + if (ameth) + EVP_PKEY_asn1_get0_info(NULL, NULL, + NULL, NULL, &sig_name, ameth); + } + md_name = EVP_MD_name(md); + } err = 0; for (i=0; i<argc; i++) { - char *tmp,*tofree=NULL; int r; - if (BIO_read_filename(in,argv[i]) <= 0) { perror(argv[i]); err++; continue; } - if(!out_bin) - { - size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; - tmp=tofree=OPENSSL_malloc(len); - BIO_snprintf(tmp,len,"%s%s(%s)= ", - hmac_key ? "HMAC-" : "",name,argv[i]); - } else - tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow); + siglen,sig_name,md_name, argv[i],bmd); if(r) err=r; - if(tofree) - OPENSSL_free(tofree); (void)BIO_reset(bmd); } } @@ -456,6 +545,10 @@ end: OPENSSL_free(passin); BIO_free_all(out); EVP_PKEY_free(sigkey); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); + if (macopts) + sk_OPENSSL_STRING_free(macopts); if(sigbuf) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); apps_shutdown(); @@ -463,24 +556,13 @@ end: } int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, - EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key,int non_fips_allow) + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file,BIO *bmd) { - unsigned int len; + size_t len; int i; - EVP_MD_CTX *md_ctx; - HMAC_CTX hmac_ctx; - - if (hmac_key) - { - EVP_MD *md; - BIO_get_md(bmd,&md); - HMAC_CTX_init(&hmac_ctx); - HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); - BIO_get_md_ctx(bmd,&md_ctx); - BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); - } for (;;) { i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -496,7 +578,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); - i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); + i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen); if(i > 0) BIO_printf(out, "Verified OK\n"); else if(i == 0) @@ -516,25 +598,39 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); - if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key)) + len = BUFSIZE; + if(!EVP_DigestSignFinal(ctx, buf, &len)) { BIO_printf(bio_err, "Error Signing Data\n"); ERR_print_errors(bio_err); return 1; } } - else if(hmac_key) - { - HMAC_Final(&hmac_ctx,buf,&len); - HMAC_CTX_cleanup(&hmac_ctx); - } else + { len=BIO_gets(bp,(char *)buf,BUFSIZE); + if ((int)len <0) + { + ERR_print_errors(bio_err); + return 1; + } + } if(binout) BIO_write(out, buf, len); + else if (sep == 2) + { + for (i=0; i<(int)len; i++) + BIO_printf(out, "%02x",buf[i]); + BIO_printf(out, " *%s\n", file); + } else { - BIO_write(out,title,strlen(title)); + if (sig_name) + BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file); + else if (md_name) + BIO_printf(out, "%s(%s)= ", md_name, file); + else + BIO_printf(out, "(%s)= ", file); for (i=0; i<(int)len; i++) { if (sep && (i != 0)) @@ -543,10 +639,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, } BIO_printf(out, "\n"); } - if (hmac_key) - { - BIO_set_md_ctx(bmd,md_ctx); - } return 0; } diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c index 7e45bd3..dee9c01 100644 --- a/crypto/openssl/apps/dh.c +++ b/crypto/openssl/apps/dh.c @@ -346,4 +346,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c index 465cdfe..b47097c 100644 --- a/crypto/openssl/apps/dhparam.c +++ b/crypto/openssl/apps/dhparam.c @@ -551,4 +551,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb) return 1; } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c index 5e68a56..5222487 100644 --- a/crypto/openssl/apps/dsa.c +++ b/crypto/openssl/apps/dsa.c @@ -65,11 +65,11 @@ #include "apps.h" #include <openssl/bio.h> #include <openssl/err.h> +#include <openssl/dsa.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/bn.h> -#include <openssl/dsa.h> #undef PROG #define PROG dsa_main @@ -112,6 +112,8 @@ int MAIN(int argc, char **argv) char *passin = NULL, *passout = NULL; int modulus=0; + int pvk_encr = 2; + apps_startup(); if (bio_err == NULL) @@ -171,6 +173,12 @@ int MAIN(int argc, char **argv) engine= *(++argv); } #endif + else if (strcmp(*argv,"-pvk-strong") == 0) + pvk_encr=2; + else if (strcmp(*argv,"-pvk-weak") == 0) + pvk_encr=1; + else if (strcmp(*argv,"-pvk-none") == 0) + pvk_encr=0; else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -238,16 +246,30 @@ bad: goto end; } + in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); - if (out == NULL) + if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } + if (infile == NULL) + BIO_set_fp(in,stdin,BIO_NOCLOSE); + else + { + if (BIO_read_filename(in,infile) <= 0) + { + perror(infile); + goto end; + } + } + BIO_printf(bio_err,"read DSA key\n"); - { + + { EVP_PKEY *pkey; + if (pubin) pkey = load_pubkey(bio_err, infile, informat, 1, passin, e, "Public Key"); @@ -255,10 +277,12 @@ bad: pkey = load_key(bio_err, infile, informat, 1, passin, e, "Private Key"); - if (pkey != NULL) - dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey); - EVP_PKEY_free(pkey); - } + if (pkey) + { + dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_free(pkey); + } + } if (dsa == NULL) { BIO_printf(bio_err,"unable to load Key\n"); @@ -310,11 +334,24 @@ bad: i=PEM_write_bio_DSA_PUBKEY(out,dsa); else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc, NULL,0,NULL, passout); +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4) + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + EVP_PKEY_set1_DSA(pk, dsa); + if (outformat == FORMAT_PVK) + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); + else if (pubin || pubout) + i = i2b_PublicKey_bio(out, pk); + else + i = i2b_PrivateKey_bio(out, pk); + EVP_PKEY_free(pk); +#endif } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } - if (!i) + if (i <= 0) { BIO_printf(bio_err,"unable to write private key\n"); ERR_print_errors(bio_err); @@ -330,4 +367,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/ec.c b/crypto/openssl/apps/ec.c index 6b3d3ad..896eabc 100644 --- a/crypto/openssl/apps/ec.c +++ b/crypto/openssl/apps/ec.c @@ -397,4 +397,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/ecparam.c b/crypto/openssl/apps/ecparam.c index 2d3fd30..465480b 100644 --- a/crypto/openssl/apps/ecparam.c +++ b/crypto/openssl/apps/ecparam.c @@ -722,4 +722,10 @@ static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var, BIO_printf(out, "\n\t};\n\n"); return 1; } +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 8beb2df..719acc3 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -67,6 +67,7 @@ #include <openssl/x509.h> #include <openssl/rand.h> #include <openssl/pem.h> +#include <openssl/comp.h> #include <ctype.h> int set_hex(char *in,unsigned char *out,int size); @@ -113,6 +114,10 @@ int MAIN(int argc, char **argv) char *hkey=NULL,*hiv=NULL,*hsalt = NULL; char *md=NULL; int enc=1,printkey=0,i,base64=0; +#ifdef ZLIB + int do_zlib=0; + BIO *bzl = NULL; +#endif int debug=0,olb64=0,nosalt=0; const EVP_CIPHER *cipher=NULL,*c; EVP_CIPHER_CTX *ctx = NULL; @@ -139,9 +144,18 @@ int MAIN(int argc, char **argv) program_name(argv[0],pname,sizeof pname); if (strcmp(pname,"base64") == 0) base64=1; +#ifdef ZLIB + if (strcmp(pname,"zlib") == 0) + do_zlib=1; +#endif cipher=EVP_get_cipherbyname(pname); +#ifdef ZLIB + if (!do_zlib && !base64 && (cipher == NULL) + && (strcmp(pname,"enc") != 0)) +#else if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0)) +#endif { BIO_printf(bio_err,"%s is an unknown cipher\n",pname); goto bad; @@ -197,6 +211,10 @@ int MAIN(int argc, char **argv) base64=1; else if (strcmp(*argv,"-base64") == 0) base64=1; +#ifdef ZLIB + else if (strcmp(*argv,"-z") == 0) + do_zlib=1; +#endif else if (strcmp(*argv,"-bufsize") == 0) { if (--argc < 1) goto bad; @@ -288,9 +306,11 @@ bad: BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile"); BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md"); BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n",""); + BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S"); BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>"); + BIO_printf(bio_err,"%-14s disable standard block padding\n","-nopad"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e"); #endif @@ -319,10 +339,7 @@ bad: if (dgst == NULL) { - if (in_FIPS_mode) - dgst = EVP_sha1(); - else - dgst = EVP_md5(); + dgst = EVP_md5(); } if (bufsize != NULL) @@ -379,8 +396,10 @@ bad: if (inf == NULL) { +#ifndef OPENSSL_NO_SETVBUF_IONBF if (bufsize != NULL) setvbuf(stdin, (char *)NULL, _IONBF, 0); +#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */ BIO_set_fp(in,stdin,BIO_NOCLOSE); } else @@ -433,8 +452,10 @@ bad: if (outf == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); +#ifndef OPENSSL_NO_SETVBUF_IONBF if (bufsize != NULL) setvbuf(stdout, (char *)NULL, _IONBF, 0); +#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */ #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); @@ -454,6 +475,19 @@ bad: rbio=in; wbio=out; +#ifdef ZLIB + + if (do_zlib) + { + if ((bzl=BIO_new(BIO_f_zlib())) == NULL) + goto end; + if (enc) + wbio=BIO_push(bzl,wbio); + else + rbio=BIO_push(bzl,rbio); + } +#endif + if (base64) { if ((b64=BIO_new(BIO_f_base64())) == NULL) @@ -653,6 +687,9 @@ end: if (out != NULL) BIO_free_all(out); if (benc != NULL) BIO_free(benc); if (b64 != NULL) BIO_free(b64); +#ifdef ZLIB + if (bzl != NULL) BIO_free(bzl); +#endif if(pass) OPENSSL_free(pass); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index 17bd81f..9a02943 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -92,7 +92,7 @@ static const char *engine_usage[]={ NULL }; -static void identity(void *ptr) +static void identity(char *ptr) { return; } @@ -148,11 +148,6 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) if(flags & ENGINE_CMD_FLAG_NUMERIC) { - if(started) - { - BIO_printf(bio_out, "|"); - err = 1; - } BIO_printf(bio_out, "NUMERIC"); started = 1; } @@ -205,7 +200,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent char *desc = NULL; int flags; int xpos = 0; - STACK *cmds = NULL; + STACK_OF(OPENSSL_STRING) *cmds = NULL; if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, 0, NULL, NULL)) <= 0)) @@ -216,7 +211,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent return 1; } - cmds = sk_new_null(); + cmds = sk_OPENSSL_STRING_new_null(); if(!cmds) goto err; @@ -289,15 +284,17 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent BIO_printf(bio_out, "\n"); ret = 1; err: - if(cmds) sk_pop_free(cmds, identity); + if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity); if(name) OPENSSL_free(name); if(desc) OPENSSL_free(desc); return ret; } -static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent) +static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, + BIO *bio_out, const char *indent) { - int loop, res, num = sk_num(cmds); + int loop, res, num = sk_OPENSSL_STRING_num(cmds); + if(num < 0) { BIO_printf(bio_out, "[Error]: internal stack error\n"); @@ -307,7 +304,7 @@ static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *inden { char buf[256]; const char *cmd, *arg; - cmd = sk_value(cmds, loop); + cmd = sk_OPENSSL_STRING_value(cmds, loop); res = 1; /* assume success */ /* Check if this command has no ":arg" */ if((arg = strstr(cmd, ":")) == NULL) @@ -347,9 +344,9 @@ int MAIN(int argc, char **argv) const char **pp; int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0; ENGINE *e; - STACK *engines = sk_new_null(); - STACK *pre_cmds = sk_new_null(); - STACK *post_cmds = sk_new_null(); + STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); + STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); + STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); int badops=1; BIO *bio_out=NULL; const char *indent = " "; @@ -396,20 +393,20 @@ int MAIN(int argc, char **argv) argc--; argv++; if (argc == 0) goto skip_arg_loop; - sk_push(pre_cmds,*argv); + sk_OPENSSL_STRING_push(pre_cmds,*argv); } else if (strcmp(*argv,"-post") == 0) { argc--; argv++; if (argc == 0) goto skip_arg_loop; - sk_push(post_cmds,*argv); + sk_OPENSSL_STRING_push(post_cmds,*argv); } else if ((strncmp(*argv,"-h",2) == 0) || (strcmp(*argv,"-?") == 0)) goto skip_arg_loop; else - sk_push(engines,*argv); + sk_OPENSSL_STRING_push(engines,*argv); argc--; argv++; } @@ -424,17 +421,17 @@ skip_arg_loop: goto end; } - if (sk_num(engines) == 0) + if (sk_OPENSSL_STRING_num(engines) == 0) { for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { - sk_push(engines,(char *)ENGINE_get_id(e)); + sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e)); } } - for (i=0; i<sk_num(engines); i++) + for (i=0; i<sk_OPENSSL_STRING_num(engines); i++) { - const char *id = sk_value(engines,i); + const char *id = sk_OPENSSL_STRING_value(engines,i); if ((e = ENGINE_by_id(id)) != NULL) { const char *name = ENGINE_get_name(e); @@ -454,6 +451,7 @@ skip_arg_loop: const int *nids; ENGINE_CIPHERS_PTR fn_c; ENGINE_DIGESTS_PTR fn_d; + ENGINE_PKEY_METHS_PTR fn_pk; if (ENGINE_get_RSA(e) != NULL && !append_buf(&cap_buf, "RSA", @@ -492,6 +490,15 @@ skip_ciphers: goto end; skip_digests: + fn_pk = ENGINE_get_pkey_meths(e); + if(!fn_pk) goto skip_pmeths; + n = fn_pk(e, NULL, &nids, 0); + for(k=0 ; k < n ; ++k) + if(!append_buf(&cap_buf, + OBJ_nid2sn(nids[k]), + &cap_size, 256)) + goto end; +skip_pmeths: if (cap_buf && (*cap_buf != '\0')) BIO_printf(bio_out, " [%s]\n", cap_buf); @@ -526,9 +533,9 @@ skip_digests: end: ERR_print_errors(bio_err); - sk_pop_free(engines, identity); - sk_pop_free(pre_cmds, identity); - sk_pop_free(post_cmds, identity); + sk_OPENSSL_STRING_pop_free(engines, identity); + sk_OPENSSL_STRING_pop_free(pre_cmds, identity); + sk_OPENSSL_STRING_pop_free(post_cmds, identity); if (bio_out != NULL) BIO_free_all(bio_out); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/crypto/openssl/apps/errstr.c b/crypto/openssl/apps/errstr.c index 19489b0..fe3b980 100644 --- a/crypto/openssl/apps/errstr.c +++ b/crypto/openssl/apps/errstr.c @@ -97,10 +97,12 @@ int MAIN(int argc, char **argv) out = BIO_push(tmpbio, out); } #endif - lh_node_stats_bio((LHASH *)ERR_get_string_table(),out); - lh_stats_bio((LHASH *)ERR_get_string_table(),out); - lh_node_usage_stats_bio((LHASH *) - ERR_get_string_table(),out); + lh_ERR_STRING_DATA_node_stats_bio( + ERR_get_string_table(), out); + lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), + out); + lh_ERR_STRING_DATA_node_usage_stats_bio( + ERR_get_string_table(),out); } if (out != NULL) BIO_free_all(out); argc--; diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c index 346ea4a..4ec776b 100644 --- a/crypto/openssl/apps/gendh.c +++ b/crypto/openssl/apps/gendh.c @@ -232,4 +232,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb) #endif return 1; } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/genpkey.c b/crypto/openssl/apps/genpkey.c new file mode 100644 index 0000000..6dfda08 --- /dev/null +++ b/crypto/openssl/apps/genpkey.c @@ -0,0 +1,440 @@ +/* apps/genpkey.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2006 + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +#include <stdio.h> +#include <string.h> +#include "apps.h" +#include <openssl/pem.h> +#include <openssl/err.h> +#include <openssl/evp.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif + +static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, + const char *file, ENGINE *e); +static int genpkey_cb(EVP_PKEY_CTX *ctx); + +#define PROG genpkey_main + +int MAIN(int, char **); + +int MAIN(int argc, char **argv) + { + ENGINE *e = NULL; + char **args, *outfile = NULL; + char *passarg = NULL; + BIO *in = NULL, *out = NULL; + const EVP_CIPHER *cipher = NULL; + int outformat; + int text = 0; + EVP_PKEY *pkey=NULL; + EVP_PKEY_CTX *ctx = NULL; + char *pass = NULL; + int badarg = 0; + int ret = 1, rv; + + int do_param = 0; + + if (bio_err == NULL) + bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); + + if (!load_config(bio_err, NULL)) + goto end; + + outformat=FORMAT_PEM; + + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + args = argv + 1; + while (!badarg && *args && *args[0] == '-') + { + if (!strcmp(*args,"-outform")) + { + if (args[1]) + { + args++; + outformat=str2fmt(*args); + } + else badarg = 1; + } + else if (!strcmp(*args,"-pass")) + { + if (!args[1]) goto bad; + passarg= *(++args); + } +#ifndef OPENSSL_NO_ENGINE + else if (strcmp(*args,"-engine") == 0) + { + if (!args[1]) + goto bad; + e = setup_engine(bio_err, *(++args), 0); + } +#endif + else if (!strcmp (*args, "-paramfile")) + { + if (!args[1]) + goto bad; + args++; + if (do_param == 1) + goto bad; + if (!init_keygen_file(bio_err, &ctx, *args, e)) + goto end; + } + else if (!strcmp (*args, "-out")) + { + if (args[1]) + { + args++; + outfile = *args; + } + else badarg = 1; + } + else if (strcmp(*args,"-algorithm") == 0) + { + if (!args[1]) + goto bad; + if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param)) + goto end; + } + else if (strcmp(*args,"-pkeyopt") == 0) + { + if (!args[1]) + goto bad; + if (!ctx) + { + BIO_puts(bio_err, "No keytype specified\n"); + goto bad; + } + else if (pkey_ctrl_string(ctx, *(++args)) <= 0) + { + BIO_puts(bio_err, "parameter setting error\n"); + ERR_print_errors(bio_err); + goto end; + } + } + else if (strcmp(*args,"-genparam") == 0) + { + if (ctx) + goto bad; + do_param = 1; + } + else if (strcmp(*args,"-text") == 0) + text=1; + else + { + cipher = EVP_get_cipherbyname(*args + 1); + if (!cipher) + { + BIO_printf(bio_err, "Unknown cipher %s\n", + *args + 1); + badarg = 1; + } + if (do_param == 1) + badarg = 1; + } + args++; + } + + if (!ctx) + badarg = 1; + + if (badarg) + { + bad: + BIO_printf(bio_err, "Usage: genpkey [options]\n"); + BIO_printf(bio_err, "where options may be\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); + BIO_printf(bio_err, "-pass arg output file pass phrase source\n"); + BIO_printf(bio_err, "-<cipher> use cipher <cipher> to encrypt the key\n"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif + BIO_printf(bio_err, "-paramfile file parameters file\n"); + BIO_printf(bio_err, "-algorithm alg the public key algorithm\n"); + BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n" + " to value <value>\n"); + BIO_printf(bio_err, "-genparam generate parameters, not key\n"); + BIO_printf(bio_err, "-text print the in text\n"); + BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n"); + goto end; + } + + if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) + { + BIO_puts(bio_err, "Error getting password\n"); + goto end; + } + + if (outfile) + { + if (!(out = BIO_new_file (outfile, "wb"))) + { + BIO_printf(bio_err, + "Can't open output file %s\n", outfile); + goto end; + } + } + else + { + out = BIO_new_fp (stdout, BIO_NOCLOSE); +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif + } + + EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); + EVP_PKEY_CTX_set_app_data(ctx, bio_err); + + if (do_param) + { + if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) + { + BIO_puts(bio_err, "Error generating parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } + else + { + if (EVP_PKEY_keygen(ctx, &pkey) <= 0) + { + BIO_puts(bio_err, "Error generating key\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if (do_param) + rv = PEM_write_bio_Parameters(out, pkey); + else if (outformat == FORMAT_PEM) + rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, + NULL, pass); + else if (outformat == FORMAT_ASN1) + rv = i2d_PrivateKey_bio(out, pkey); + else + { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + + if (rv <= 0) + { + BIO_puts(bio_err, "Error writing key\n"); + ERR_print_errors(bio_err); + } + + if (text) + { + if (do_param) + rv = EVP_PKEY_print_params(out, pkey, 0, NULL); + else + rv = EVP_PKEY_print_private(out, pkey, 0, NULL); + + if (rv <= 0) + { + BIO_puts(bio_err, "Error printing key\n"); + ERR_print_errors(bio_err); + } + } + + ret = 0; + + end: + if (pkey) + EVP_PKEY_free(pkey); + if (ctx) + EVP_PKEY_CTX_free(ctx); + if (out) + BIO_free_all(out); + BIO_free(in); + if (pass) + OPENSSL_free(pass); + + return ret; + } + +static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, + const char *file, ENGINE *e) + { + BIO *pbio; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + if (*pctx) + { + BIO_puts(err, "Parameters already set!\n"); + return 0; + } + + pbio = BIO_new_file(file, "r"); + if (!pbio) + { + BIO_printf(err, "Can't open parameter file %s\n", file); + return 0; + } + + pkey = PEM_read_bio_Parameters(pbio, NULL); + BIO_free(pbio); + + if (!pkey) + { + BIO_printf(bio_err, "Error reading parameter file %s\n", file); + return 0; + } + + ctx = EVP_PKEY_CTX_new(pkey, e); + if (!ctx) + goto err; + if (EVP_PKEY_keygen_init(ctx) <= 0) + goto err; + EVP_PKEY_free(pkey); + *pctx = ctx; + return 1; + + err: + BIO_puts(err, "Error initializing context\n"); + ERR_print_errors(err); + if (ctx) + EVP_PKEY_CTX_free(ctx); + if (pkey) + EVP_PKEY_free(pkey); + return 0; + + } + +int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, + const char *algname, ENGINE *e, int do_param) + { + EVP_PKEY_CTX *ctx = NULL; + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *tmpeng = NULL; + int pkey_id; + + if (*pctx) + { + BIO_puts(err, "Algorithm already set!\n"); + return 0; + } + + ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1); + +#ifndef OPENSSL_NO_ENGINE + if (!ameth && e) + ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1); +#endif + + if (!ameth) + { + BIO_printf(bio_err, "Algorithm %s not found\n", algname); + return 0; + } + + ERR_clear_error(); + + EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); +#ifndef OPENSSL_NO_ENGINE + if (tmpeng) + ENGINE_finish(tmpeng); +#endif + ctx = EVP_PKEY_CTX_new_id(pkey_id, e); + + if (!ctx) + goto err; + if (do_param) + { + if (EVP_PKEY_paramgen_init(ctx) <= 0) + goto err; + } + else + { + if (EVP_PKEY_keygen_init(ctx) <= 0) + goto err; + } + + *pctx = ctx; + return 1; + + err: + BIO_printf(err, "Error initializing %s context\n", algname); + ERR_print_errors(err); + if (ctx) + EVP_PKEY_CTX_free(ctx); + return 0; + + } + +static int genpkey_cb(EVP_PKEY_CTX *ctx) + { + char c='*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) c='.'; + if (p == 1) c='+'; + if (p == 2) c='*'; + if (p == 3) c='\n'; + BIO_write(b,&c,1); + (void)BIO_flush(b); +#ifdef LINT + p=n; +#endif + return 1; + } diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c index dfb0139..37e9310 100644 --- a/crypto/openssl/apps/genrsa.c +++ b/crypto/openssl/apps/genrsa.c @@ -89,10 +89,12 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { BN_GENCB cb; +#ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +#endif int ret=1; int i,num=DEFBITS; long l; - int use_x931 = 0; const EVP_CIPHER *enc=NULL; unsigned long f4=RSA_F4; char *outfile=NULL; @@ -136,8 +138,6 @@ int MAIN(int argc, char **argv) f4=3; else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) f4=RSA_F4; - else if (strcmp(*argv,"-x931") == 0) - use_x931 = 1; #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -232,7 +232,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif if (outfile == NULL) @@ -265,22 +265,15 @@ bad: BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n", num); - +#ifdef OPENSSL_NO_ENGINE rsa = RSA_new(); +#else + rsa = RSA_new_method(e); +#endif if (!rsa) goto err; - if (use_x931) - { - BIGNUM *pubexp; - pubexp = BN_new(); - if (!BN_set_word(pubexp, f4)) - goto err; - if (!RSA_X931_generate_key_ex(rsa, num, pubexp, &cb)) - goto err; - BN_free(pubexp); - } - else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) + if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) goto err; app_RAND_write_file(NULL, bio_err); diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index 251044d..01847df 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -56,25 +56,53 @@ * */ #ifndef OPENSSL_NO_OCSP + +#ifdef OPENSSL_SYS_VMS +#define _XOPEN_SOURCE_EXTENDED /* So fd_set and friends get properly defined + on OpenVMS */ +#endif + #define USE_SOCKETS + #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <time.h> #include "apps.h" /* needs to be included before the openssl headers! */ #include <openssl/e_os2.h> -#include <openssl/ssl.h> +#include <openssl/crypto.h> #include <openssl/err.h> - +#include <openssl/ssl.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/x509v3.h> + +#if defined(NETWARE_CLIB) +# ifdef NETWARE_BSDSOCK +# include <sys/socket.h> +# include <sys/bsdskt.h> +# else +# include <novsock2.h> +# endif +#elif defined(NETWARE_LIBC) +# ifdef NETWARE_BSDSOCK +# include <sys/select.h> +# else +# include <novsock2.h> +# endif +#endif + /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids, - long nsec, long maxage); + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage); static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, @@ -86,6 +114,7 @@ static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); #undef PROG @@ -104,6 +133,7 @@ int MAIN(int argc, char **argv) char *rsignfile = NULL, *rkeyfile = NULL; char *outfile = NULL; int add_nonce = 1, noverify = 0, use_ssl = -1; + STACK_OF(CONF_VALUE) *headers = NULL; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; @@ -126,7 +156,7 @@ int MAIN(int argc, char **argv) int badarg = 0; int i; int ignore_err = 0; - STACK *reqnames = NULL; + STACK_OF(OPENSSL_STRING) *reqnames = NULL; STACK_OF(OCSP_CERTID) *ids = NULL; X509 *rca_cert = NULL; @@ -134,6 +164,7 @@ int MAIN(int argc, char **argv) char *rca_filename = NULL; CA_DB *rdb = NULL; int nmin = 0, ndays = -1; + const EVP_MD *cert_id_md = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -142,7 +173,7 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); args = argv + 1; - reqnames = sk_new_null(); + reqnames = sk_OPENSSL_STRING_new_null(); ids = sk_OCSP_CERTID_new_null(); while (!badarg && *args && *args[0] == '-') { @@ -202,6 +233,16 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (!strcmp(*args, "-header")) + { + if (args[1] && args[2]) + { + if (!X509V3_add_value(args[1], args[2], &headers)) + goto end; + args += 2; + } + else badarg = 1; + } else if (!strcmp(*args, "-ignore_err")) ignore_err = 1; else if (!strcmp(*args, "-noverify")) @@ -401,9 +442,10 @@ int MAIN(int argc, char **argv) cert = load_cert(bio_err, *args, FORMAT_PEM, NULL, e, "certificate"); if(!cert) goto end; - if(!add_ocsp_cert(&req, cert, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) goto end; - if(!sk_push(reqnames, *args)) + if(!sk_OPENSSL_STRING_push(reqnames, *args)) goto end; } else badarg = 1; @@ -413,9 +455,10 @@ int MAIN(int argc, char **argv) if (args[1]) { args++; - if(!add_ocsp_serial(&req, *args, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) goto end; - if(!sk_push(reqnames, *args)) + if(!sk_OPENSSL_STRING_push(reqnames, *args)) goto end; } else badarg = 1; @@ -515,7 +558,10 @@ int MAIN(int argc, char **argv) } else badarg = 1; } - else badarg = 1; + else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL) + { + badarg = 1; + } args++; } @@ -571,6 +617,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); + BIO_printf (bio_err, "-<dgst alg> use specified digest in the request"); goto end; } @@ -677,7 +724,8 @@ int MAIN(int argc, char **argv) "signer private key"); if (!key) goto end; - if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags)) + + if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; @@ -721,7 +769,7 @@ int MAIN(int argc, char **argv) { #ifndef OPENSSL_NO_SOCK resp = process_responder(bio_err, req, host, path, - port, use_ssl, req_timeout); + port, use_ssl, headers, req_timeout); if (!resp) goto end; #else @@ -866,10 +914,11 @@ end: OCSP_REQUEST_free(req); OCSP_RESPONSE_free(resp); OCSP_BASICRESP_free(bs); - sk_free(reqnames); + sk_OPENSSL_STRING_free(reqnames); sk_OCSP_CERTID_free(ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); + sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); if (use_ssl != -1) { @@ -881,7 +930,7 @@ end: OPENSSL_EXIT(ret); } -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -892,7 +941,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, } if(!*req) *req = OCSP_REQUEST_new(); if(!*req) goto err; - id = OCSP_cert_to_id(NULL, cert, issuer); + id = OCSP_cert_to_id(cert_id_md, cert, issuer); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; return 1; @@ -902,7 +951,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, return 0; } -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -924,7 +973,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, BIO_printf(bio_err, "Error converting serial number %s\n", serial); return 0; } - id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno); + id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); ASN1_INTEGER_free(sno); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; @@ -936,8 +985,9 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, } static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids, - long nsec, long maxage) + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage) { OCSP_CERTID *id; char *name; @@ -947,13 +997,13 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; - if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids)) + if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) return 1; for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { id = sk_OCSP_CERTID_value(ids, i); - name = sk_value(names, i); + name = sk_OPENSSL_STRING_value(names, i); BIO_printf(out, "%s: ", name); if(!OCSP_resp_find_status(bs, id, &status, &reason, @@ -1010,7 +1060,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_BASICRESP *bs = NULL; int i, id_count, ret = 1; - id_count = OCSP_request_onereq_count(req); if (id_count <= 0) @@ -1019,7 +1068,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db goto end; } - ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca); bs = OCSP_BASICRESP_new(); thisupd = X509_gmtime_adj(NULL, 0); @@ -1032,8 +1080,23 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_ONEREQ *one; ASN1_INTEGER *serial; char **inf; + ASN1_OBJECT *cert_id_md_oid; + const EVP_MD *cert_id_md; one = OCSP_request_onereq_get0(req, i); cid = OCSP_onereq_get0_id(one); + + OCSP_id_get0_info(NULL,&cert_id_md_oid, NULL,NULL, cid); + + cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); + if (! cert_id_md) + { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, + NULL); + goto end; + } + if (ca_id) OCSP_CERTID_free(ca_id); + ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca); + /* Is this request about our CA? */ if (OCSP_id_issuer_cmp(ca_id, cid)) { @@ -1078,8 +1141,8 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db } OCSP_copy_nonce(bs, req); - - OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags); + + OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags); *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); @@ -1211,10 +1274,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) } static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout) { int fd; int rv; + int i; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; fd_set confds; @@ -1231,16 +1296,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, return NULL; } - if (req_timeout == -1) - return OCSP_sendreq_bio(cbio, path, req); - if (BIO_get_fd(cbio, &fd) <= 0) { BIO_puts(err, "Can't get connection fd\n"); goto err; } - if (rv <= 0) + if (req_timeout != -1 && rv <= 0) { FD_ZERO(&confds); openssl_fdset(fd, &confds); @@ -1255,15 +1317,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, } - ctx = OCSP_sendreq_new(cbio, path, req, -1); + ctx = OCSP_sendreq_new(cbio, path, NULL, -1); if (!ctx) return NULL; + + for (i = 0; i < sk_CONF_VALUE_num(headers); i++) + { + CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); + if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) + goto err; + } + + if (!OCSP_REQ_CTX_set1_req(ctx, req)) + goto err; for (;;) { rv = OCSP_sendreq_nbio(&rsp, ctx); if (rv != -1) break; + if (req_timeout == -1) + continue; FD_ZERO(&confds); openssl_fdset(fd, &confds); tv.tv_usec = 0; @@ -1287,7 +1361,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, BIO_puts(err, "Select error\n"); break; } - + } err: if (ctx) @@ -1298,6 +1372,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, int req_timeout) { BIO *cbio = NULL; @@ -1332,14 +1407,14 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } - resp = query_responder(err, cbio, path, req, req_timeout); + resp = query_responder(err, cbio, path, headers, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responsder\n"); end: - if (ctx) - SSL_CTX_free(ctx); if (cbio) BIO_free_all(cbio); + if (ctx) + SSL_CTX_free(ctx); return resp; } diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c index 480fef9..1c880d9 100644 --- a/crypto/openssl/apps/openssl.c +++ b/crypto/openssl/apps/openssl.c @@ -129,25 +129,26 @@ #include "progs.h" #include "s_apps.h" #include <openssl/err.h> +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the * base prototypes (we cast each variable inside the function to the required * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper * functions. */ -/* static unsigned long MS_CALLBACK hash(FUNCTION *a); */ -static unsigned long MS_CALLBACK hash(const void *a_void); -/* static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b); */ -static int MS_CALLBACK cmp(const void *a_void,const void *b_void); -static LHASH *prog_init(void ); -static int do_cmd(LHASH *prog,int argc,char *argv[]); +static LHASH_OF(FUNCTION) *prog_init(void ); +static int do_cmd(LHASH_OF(FUNCTION) *prog,int argc,char *argv[]); +static void list_pkey(BIO *out); +static void list_cipher(BIO *out); +static void list_md(BIO *out); char *default_config_file=NULL; /* Make sure there is only one when MONOLITH is defined */ #ifdef MONOLITH CONF *config=NULL; BIO *bio_err=NULL; -int in_FIPS_mode=0; #endif @@ -214,8 +215,13 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) } } +#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) +# define ARGV _Argv +#else +# define ARGV Argv +#endif -int main(int Argc, char *Argv[]) +int main(int Argc, char *ARGV[]) { ARGS arg; #define PROG_NAME_SIZE 39 @@ -227,27 +233,59 @@ int main(int Argc, char *Argv[]) int n,i,ret=0; int argc; char **argv,*p; - LHASH *prog=NULL; + LHASH_OF(FUNCTION) *prog=NULL; long errline; - - arg.data=NULL; - arg.count=0; - - in_FIPS_mode = 0; - if(getenv("OPENSSL_FIPS")) { -#ifdef OPENSSL_FIPS - if (!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); - ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); - EXIT(1); +#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) + /* 2011-03-22 SMS. + * If we have 32-bit pointers everywhere, then we're safe, and + * we bypass this mess, as on non-VMS systems. (See ARGV, + * above.) + * Problem 1: Compaq/HP C before V7.3 always used 32-bit + * pointers for argv[]. + * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers + * everywhere else, we always allocate and use a 64-bit + * duplicate of argv[]. + * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed + * to NULL-terminate a 64-bit argv[]. (As this was written, the + * compiler ECO was available only on IA64.) + * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a + * 64-bit argv[argc] for NULL, and, if necessary, use a + * (properly) NULL-terminated (64-bit) duplicate of argv[]. + * The same code is used in either case to duplicate argv[]. + * Some of these decisions could be handled in preprocessing, + * but the code tends to get even uglier, and the penalty for + * deciding at compile- or run-time is tiny. + */ + char **Argv = NULL; + int free_Argv = 0; + + if ((sizeof( _Argv) < 8) /* 32-bit argv[]. */ +# if !defined( VMS_TRUST_ARGV) + || (_Argv[ Argc] != NULL) /* Untrusted argv[argc] not NULL. */ +# endif + ) + { + int i; + Argv = OPENSSL_malloc( (Argc+ 1)* sizeof( char *)); + if (Argv == NULL) + { ret = -1; goto end; } + for(i = 0; i < Argc; i++) + Argv[i] = _Argv[i]; + Argv[ Argc] = NULL; /* Certain NULL termination. */ + free_Argv = 1; } - in_FIPS_mode = 1; -#else - fprintf(stderr, "FIPS mode not supported.\n"); - EXIT(1); -#endif + else + { + /* Use the known-good 32-bit argv[] (which needs the + * type cast to satisfy the compiler), or the trusted or + * tested-good 64-bit argv[] as-is. */ + Argv = (char **)_Argv; } +#endif /* defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) */ + + arg.data=NULL; + arg.count=0; if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) @@ -275,6 +313,19 @@ int main(int Argc, char *Argv[]) CRYPTO_set_locking_callback(lock_dbg_cb); } + if(getenv("OPENSSL_FIPS")) { +#ifdef OPENSSL_FIPS + if (!FIPS_mode_set(1)) { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + EXIT(1); + } +#else + fprintf(stderr, "FIPS mode not supported.\n"); + EXIT(1); +#endif + } + apps_startup(); /* Lets load up our environment a little */ @@ -290,9 +341,21 @@ int main(int Argc, char *Argv[]) i=NCONF_load(config,p,&errline); if (i == 0) { - NCONF_free(config); - config = NULL; - ERR_clear_error(); + if (ERR_GET_REASON(ERR_peek_last_error()) + == CONF_R_NO_SUCH_FILE) + { + BIO_printf(bio_err, + "WARNING: can't open config file: %s\n",p); + ERR_clear_error(); + NCONF_free(config); + config = NULL; + } + else + { + ERR_print_errors(bio_err); + NCONF_free(config); + exit(1); + } } prog=prog_init(); @@ -301,7 +364,7 @@ int main(int Argc, char *Argv[]) program_name(Argv[0],pname,sizeof pname); f.name=pname; - fp=(FUNCTION *)lh_retrieve(prog,&f); + fp=lh_FUNCTION_retrieve(prog,&f); if (fp != NULL) { Argv[0]=pname; @@ -368,7 +431,7 @@ end: NCONF_free(config); config=NULL; } - if (prog != NULL) lh_free(prog); + if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); apps_shutdown(); @@ -379,14 +442,25 @@ end: BIO_free(bio_err); bio_err=NULL; } +#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) + /* Free any duplicate Argv[] storage. */ + if (free_Argv) + { + OPENSSL_free(Argv); + } +#endif OPENSSL_EXIT(ret); } #define LIST_STANDARD_COMMANDS "list-standard-commands" #define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands" +#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms" #define LIST_CIPHER_COMMANDS "list-cipher-commands" +#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms" +#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms" + -static int do_cmd(LHASH *prog, int argc, char *argv[]) +static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) { FUNCTION f,*fp; int i,ret=1,tp,nl; @@ -394,7 +468,22 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) if ((argc <= 0) || (argv[0] == NULL)) { ret=0; goto end; } f.name=argv[0]; - fp=(FUNCTION *)lh_retrieve(prog,&f); + fp=lh_FUNCTION_retrieve(prog,&f); + if (fp == NULL) + { + if (EVP_get_digestbyname(argv[0])) + { + f.type = FUNC_TYPE_MD; + f.func = dgst_main; + fp = &f; + } + else if (EVP_get_cipherbyname(argv[0])) + { + f.type = FUNC_TYPE_CIPHER; + f.func = enc_main; + fp = &f; + } + } if (fp != NULL) { ret=fp->func(argc,argv); @@ -409,7 +498,7 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) } #endif f.name=argv[0]+3; - ret = (lh_retrieve(prog,&f) != NULL); + ret = (lh_FUNCTION_retrieve(prog,&f) != NULL); if (!ret) BIO_printf(bio_stdout, "%s\n", argv[0]); else @@ -427,7 +516,10 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) } else if ((strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0) || (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) || - (strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0)) + (strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) || + (strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0) || + (strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0) || + (strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0)) { int list_type; BIO *bio_stdout; @@ -436,6 +528,12 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) list_type = FUNC_TYPE_GENERAL; else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) list_type = FUNC_TYPE_MD; + else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) + list_type = FUNC_TYPE_MD_ALG; + else if (strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0) + list_type = FUNC_TYPE_PKEY; + else if (strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0) + list_type = FUNC_TYPE_CIPHER_ALG; else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */ list_type = FUNC_TYPE_CIPHER; bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE); @@ -445,10 +543,23 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) bio_stdout = BIO_push(tmpbio, bio_stdout); } #endif - - for (fp=functions; fp->name != NULL; fp++) - if (fp->type == list_type) - BIO_printf(bio_stdout, "%s\n", fp->name); + + if (!load_config(bio_err, NULL)) + goto end; + + if (list_type == FUNC_TYPE_PKEY) + list_pkey(bio_stdout); + if (list_type == FUNC_TYPE_MD_ALG) + list_md(bio_stdout); + if (list_type == FUNC_TYPE_CIPHER_ALG) + list_cipher(bio_stdout); + else + { + for (fp=functions; fp->name != NULL; fp++) + if (fp->type == list_type) + BIO_printf(bio_stdout, "%s\n", + fp->name); + } BIO_free_all(bio_stdout); ret=0; goto end; @@ -511,9 +622,94 @@ static int SortFnByName(const void *_f1,const void *_f2) return strcmp(f1->name,f2->name); } -static LHASH *prog_init(void) +static void list_pkey(BIO *out) { - LHASH *ret; + int i; + for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) + { + const EVP_PKEY_ASN1_METHOD *ameth; + int pkey_id, pkey_base_id, pkey_flags; + const char *pinfo, *pem_str; + ameth = EVP_PKEY_asn1_get0(i); + EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth); + if (pkey_flags & ASN1_PKEY_ALIAS) + { + BIO_printf(out, "Name: %s\n", + OBJ_nid2ln(pkey_id)); + BIO_printf(out, "\tType: Alias to %s\n", + OBJ_nid2ln(pkey_base_id)); + } + else + { + BIO_printf(out, "Name: %s\n", pinfo); + BIO_printf(out, "\tType: %s Algorithm\n", + pkey_flags & ASN1_PKEY_DYNAMIC ? + "External" : "Builtin"); + BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); + if (pem_str == NULL) + pem_str = "(none)"; + BIO_printf(out, "\tPEM string: %s\n", pem_str); + } + + } + } + +static void list_cipher_fn(const EVP_CIPHER *c, + const char *from, const char *to, void *arg) + { + if (c) + BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); + else + { + if (!from) + from = "<undefined>"; + if (!to) + to = "<undefined>"; + BIO_printf(arg, "%s => %s\n", from, to); + } + } + +static void list_cipher(BIO *out) + { + EVP_CIPHER_do_all_sorted(list_cipher_fn, out); + } + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) + { + if (m) + BIO_printf(arg, "%s\n", EVP_MD_name(m)); + else + { + if (!from) + from = "<undefined>"; + if (!to) + to = "<undefined>"; + BIO_printf(arg, "%s => %s\n", from, to); + } + } + +static void list_md(BIO *out) + { + EVP_MD_do_all_sorted(list_md_fn, out); + } + +static int MS_CALLBACK function_cmp(const FUNCTION *a, const FUNCTION *b) + { + return strncmp(a->name,b->name,8); + } +static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION) + +static unsigned long MS_CALLBACK function_hash(const FUNCTION *a) + { + return lh_strhash(a->name); + } +static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION) + +static LHASH_OF(FUNCTION) *prog_init(void) + { + LHASH_OF(FUNCTION) *ret; FUNCTION *f; size_t i; @@ -522,23 +718,11 @@ static LHASH *prog_init(void) ; qsort(functions,i,sizeof *functions,SortFnByName); - if ((ret=lh_new(hash, cmp)) == NULL) + if ((ret=lh_FUNCTION_new()) == NULL) return(NULL); for (f=functions; f->name != NULL; f++) - lh_insert(ret,f); + (void)lh_FUNCTION_insert(ret,f); return(ret); } -/* static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b) */ -static int MS_CALLBACK cmp(const void *a_void, const void *b_void) - { - return(strncmp(((const FUNCTION *)a_void)->name, - ((const FUNCTION *)b_void)->name,8)); - } - -/* static unsigned long MS_CALLBACK hash(FUNCTION *a) */ -static unsigned long MS_CALLBACK hash(const void *a_void) - { - return(lh_strhash(((const FUNCTION *)a_void)->name)); - } diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf index 6b51bd6..865efdc 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -22,12 +22,17 @@ oid_section = new_oids [ new_oids ] -# We can add new OIDs in here for use by 'ca' and 'req'. +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + #################################################################### [ ca ] default_ca = CA_default # The default ca section @@ -68,7 +73,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. +default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -111,13 +116,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request @@ -208,6 +212,9 @@ authorityKeyIdentifier=keyid,issuer #nsCaPolicyUrl #nsSslServerName +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + [ v3_req ] # Extensions to add to a certificate request @@ -225,7 +232,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. @@ -258,7 +265,7 @@ basicConstraints = CA:true # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate @@ -291,7 +298,7 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. @@ -312,3 +319,33 @@ authorityKeyIdentifier=keyid,issuer:always # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index 4860560..b54c6f8 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -68,12 +68,6 @@ #include <openssl/pem.h> #include <openssl/pkcs12.h> -#ifdef OPENSSL_SYS_NETWARE -/* Rename these functions to avoid name clashes on NetWare OS */ -#define uni2asc OPENSSL_uni2asc -#define asc2uni OPENSSL_asc2uni -#endif - #define PROG pkcs12_main const EVP_CIPHER *enc; @@ -94,6 +88,7 @@ int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); int alg_print(BIO *x, X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); +static int set_pbe(BIO *err, int *ppbe, const char *str); int MAIN(int, char **); @@ -117,16 +112,17 @@ int MAIN(int argc, char **argv) int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; - int cert_pbe; + int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; int noprompt = 0; - STACK *canames = NULL; + STACK_OF(OPENSSL_STRING) *canames = NULL; char *cpass = NULL, *mpass = NULL; char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; + char *macalg = NULL; char *CApath = NULL, *CAfile = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; @@ -134,13 +130,6 @@ int MAIN(int argc, char **argv) apps_startup(); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -#endif - cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; - enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); @@ -191,33 +180,18 @@ int MAIN(int argc, char **argv) maciter = 1; else if (!strcmp (*args, "-nomac")) maciter = -1; + else if (!strcmp (*args, "-macalg")) + if (args[1]) { + args++; + macalg = *args; + } else badarg = 1; else if (!strcmp (*args, "-nodes")) enc=NULL; else if (!strcmp (*args, "-certpbe")) { - if (args[1]) { - args++; - if (!strcmp(*args, "NONE")) - cert_pbe = -1; - else - cert_pbe=OBJ_txt2nid(*args); - if(cert_pbe == NID_undef) { - BIO_printf(bio_err, - "Unknown PBE algorithm %s\n", *args); - badarg = 1; - } - } else badarg = 1; + if (!set_pbe(bio_err, &cert_pbe, *++args)) + badarg = 1; } else if (!strcmp (*args, "-keypbe")) { - if (args[1]) { - args++; - if (!strcmp(*args, "NONE")) - key_pbe = -1; - else - key_pbe=OBJ_txt2nid(*args); - if(key_pbe == NID_undef) { - BIO_printf(bio_err, - "Unknown PBE algorithm %s\n", *args); - badarg = 1; - } - } else badarg = 1; + if (!set_pbe(bio_err, &key_pbe, *++args)) + badarg = 1; } else if (!strcmp (*args, "-rand")) { if (args[1]) { args++; @@ -248,8 +222,8 @@ int MAIN(int argc, char **argv) } else if (!strcmp (*args, "-caname")) { if (args[1]) { args++; - if (!canames) canames = sk_new_null(); - sk_push(canames, *args); + if (!canames) canames = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(canames, *args); } else badarg = 1; } else if (!strcmp (*args, "-in")) { if (args[1]) { @@ -338,11 +312,14 @@ int MAIN(int argc, char **argv) #endif BIO_printf (bio_err, "-nodes don't encrypt private keys\n"); BIO_printf (bio_err, "-noiter don't use encryption iteration\n"); + BIO_printf (bio_err, "-nomaciter don't use MAC iteration\n"); BIO_printf (bio_err, "-maciter use MAC iteration\n"); + BIO_printf (bio_err, "-nomac don't generate MAC\n"); BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); + BIO_printf (bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n"); BIO_printf (bio_err, "-keyex set MS key exchange type\n"); BIO_printf (bio_err, "-keysig set MS key signature type\n"); BIO_printf (bio_err, "-password p set import/export password source\n"); @@ -354,8 +331,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); - BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n"); + BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); + BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n"); goto end; } @@ -445,6 +422,7 @@ int MAIN(int argc, char **argv) EVP_PKEY *key = NULL; X509 *ucert = NULL, *x = NULL; STACK_OF(X509) *certs=NULL; + const EVP_MD *macmd = NULL; unsigned char *catmp = NULL; int i; @@ -571,9 +549,9 @@ int MAIN(int argc, char **argv) /* Add any CA names */ - for (i = 0; i < sk_num(canames); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { - catmp = (unsigned char *)sk_value(canames, i); + catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } @@ -611,8 +589,18 @@ int MAIN(int argc, char **argv) goto export_end; } + if (macalg) + { + macmd = EVP_get_digestbyname(macalg); + if (!macmd) + { + BIO_printf(bio_err, "Unknown digest algorithm %s\n", + macalg); + } + } + if (maciter != -1) - PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL); + PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); @@ -699,7 +687,7 @@ int MAIN(int argc, char **argv) #endif BIO_free(in); BIO_free_all(out); - if (canames) sk_free(canames); + if (canames) sk_OPENSSL_STRING_free(canames); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); @@ -935,7 +923,7 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name) av = sk_ASN1_TYPE_value(attr->value.set, 0); switch(av->type) { case V_ASN1_BMPSTRING: - value = uni2asc(av->value.bmpstring->data, + value = OPENSSL_uni2asc(av->value.bmpstring->data, av->value.bmpstring->length); BIO_printf(out, "%s\n", value); OPENSSL_free(value); @@ -968,4 +956,22 @@ void hex_prin(BIO *out, unsigned char *buf, int len) for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]); } +static int set_pbe(BIO *err, int *ppbe, const char *str) + { + if (!str) + return 0; + if (!strcmp(str, "NONE")) + { + *ppbe = -1; + return 1; + } + *ppbe=OBJ_txt2nid(str); + if (*ppbe == NID_undef) + { + BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); + return 0; + } + return 1; + } + #endif diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index bdbb102..ae6cd33 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -87,7 +87,7 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat; char *infile,*outfile,*prog; - int print_certs=0,text=0,noout=0; + int print_certs=0,text=0,noout=0,p7_print=0; int ret=1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; @@ -136,6 +136,8 @@ int MAIN(int argc, char **argv) noout=1; else if (strcmp(*argv,"-text") == 0) text=1; + else if (strcmp(*argv,"-print") == 0) + p7_print=1; else if (strcmp(*argv,"-print_certs") == 0) print_certs=1; #ifndef OPENSSL_NO_ENGINE @@ -235,6 +237,9 @@ bad: } } + if (p7_print) + PKCS7_print_ctx(out, p7, 0, NULL); + if (print_certs) { STACK_OF(X509) *certs=NULL; diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c index 9633a14..7edeb17 100644 --- a/crypto/openssl/apps/pkcs8.c +++ b/crypto/openssl/apps/pkcs8.c @@ -80,11 +80,12 @@ int MAIN(int argc, char **argv) int informat, outformat; int p8_broken = PKCS8_OK; int nocrypt = 0; - X509_SIG *p8; - PKCS8_PRIV_KEY_INFO *p8inf; + X509_SIG *p8 = NULL; + PKCS8_PRIV_KEY_INFO *p8inf = NULL; EVP_PKEY *pkey=NULL; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; + int ret = 1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -225,7 +226,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif - return 1; + goto end; } #ifndef OPENSSL_NO_ENGINE @@ -235,7 +236,7 @@ int MAIN(int argc, char **argv) if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); - return 1; + goto end; } if ((pbe_nid == -1) && !cipher) @@ -247,7 +248,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Can't open input file %s\n", infile); - return (1); + goto end; } } else @@ -259,7 +260,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Can't open output file %s\n", outfile); - return (1); + goto end; } } else @@ -274,21 +275,15 @@ int MAIN(int argc, char **argv) } if (topk8) { - BIO_free(in); /* Not needed in this section */ pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); if (!pkey) - { - BIO_free_all(out); - return 1; - } + goto end; if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return 1; + goto end; } if (nocrypt) { @@ -299,10 +294,7 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } } else @@ -313,12 +305,7 @@ int MAIN(int argc, char **argv) { p8pass = pass; if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1)) - { - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); - } + goto end; } app_RAND_load_file(NULL, bio_err, 0); if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, @@ -327,10 +314,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Error encrypting key\n"); ERR_print_errors(bio_err); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } app_RAND_write_file(NULL, bio_err); if (outformat == FORMAT_PEM) @@ -340,22 +324,12 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } - X509_SIG_free(p8); } - PKCS8_PRIV_KEY_INFO_free (p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - if (passin) - OPENSSL_free(passin); - if (passout) - OPENSSL_free(passout); - return (0); + ret = 0; + goto end; } if (nocrypt) @@ -367,7 +341,7 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } } else @@ -379,14 +353,14 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } if (!p8) { BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (passin) p8pass = passin; @@ -396,21 +370,20 @@ int MAIN(int argc, char **argv) EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0); } p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); - X509_SIG_free(p8); } if (!p8inf) { BIO_printf(bio_err, "Error decrypting key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (p8inf->broken) @@ -430,13 +403,16 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "DSA public key include in PrivateKey\n"); break; + case PKCS8_NEG_PRIVKEY: + BIO_printf(bio_err, "DSA private key value is negative\n"); + break; + default: BIO_printf(bio_err, "Unknown broken type\n"); break; } } - PKCS8_PRIV_KEY_INFO_free(p8inf); if (outformat == FORMAT_PEM) PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout); else if (outformat == FORMAT_ASN1) @@ -444,10 +420,13 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } + ret = 0; end: + X509_SIG_free(p8); + PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); @@ -456,5 +435,5 @@ int MAIN(int argc, char **argv) if (passout) OPENSSL_free(passout); - return (0); + return ret; } diff --git a/crypto/openssl/apps/pkey.c b/crypto/openssl/apps/pkey.c new file mode 100644 index 0000000..17e6702 --- /dev/null +++ b/crypto/openssl/apps/pkey.c @@ -0,0 +1,284 @@ +/* apps/pkey.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2006 + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +#include <stdio.h> +#include <string.h> +#include "apps.h" +#include <openssl/pem.h> +#include <openssl/err.h> +#include <openssl/evp.h> + +#define PROG pkey_main + +int MAIN(int, char **); + +int MAIN(int argc, char **argv) + { + ENGINE *e = NULL; + char **args, *infile = NULL, *outfile = NULL; + char *passargin = NULL, *passargout = NULL; + BIO *in = NULL, *out = NULL; + const EVP_CIPHER *cipher = NULL; + int informat, outformat; + int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0; + EVP_PKEY *pkey=NULL; + char *passin = NULL, *passout = NULL; + int badarg = 0; +#ifndef OPENSSL_NO_ENGINE + char *engine=NULL; +#endif + int ret = 1; + + if (bio_err == NULL) + bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); + + if (!load_config(bio_err, NULL)) + goto end; + + informat=FORMAT_PEM; + outformat=FORMAT_PEM; + + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + args = argv + 1; + while (!badarg && *args && *args[0] == '-') + { + if (!strcmp(*args,"-inform")) + { + if (args[1]) + { + args++; + informat=str2fmt(*args); + } + else badarg = 1; + } + else if (!strcmp(*args,"-outform")) + { + if (args[1]) + { + args++; + outformat=str2fmt(*args); + } + else badarg = 1; + } + else if (!strcmp(*args,"-passin")) + { + if (!args[1]) goto bad; + passargin= *(++args); + } + else if (!strcmp(*args,"-passout")) + { + if (!args[1]) goto bad; + passargout= *(++args); + } +#ifndef OPENSSL_NO_ENGINE + else if (strcmp(*args,"-engine") == 0) + { + if (!args[1]) goto bad; + engine= *(++args); + } +#endif + else if (!strcmp (*args, "-in")) + { + if (args[1]) + { + args++; + infile = *args; + } + else badarg = 1; + } + else if (!strcmp (*args, "-out")) + { + if (args[1]) + { + args++; + outfile = *args; + } + else badarg = 1; + } + else if (strcmp(*args,"-pubin") == 0) + { + pubin=1; + pubout=1; + pubtext=1; + } + else if (strcmp(*args,"-pubout") == 0) + pubout=1; + else if (strcmp(*args,"-text_pub") == 0) + { + pubtext=1; + text=1; + } + else if (strcmp(*args,"-text") == 0) + text=1; + else if (strcmp(*args,"-noout") == 0) + noout=1; + else + { + cipher = EVP_get_cipherbyname(*args + 1); + if (!cipher) + { + BIO_printf(bio_err, "Unknown cipher %s\n", + *args + 1); + badarg = 1; + } + } + args++; + } + + if (badarg) + { + bad: + BIO_printf(bio_err, "Usage pkey [options]\n"); + BIO_printf(bio_err, "where options are\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); + BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); + BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-passout arg output file pass phrase source\n"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif + return 1; + } + +#ifndef OPENSSL_NO_ENGINE + e = setup_engine(bio_err, engine, 0); +#endif + + if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) + { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if (outfile) + { + if (!(out = BIO_new_file (outfile, "wb"))) + { + BIO_printf(bio_err, + "Can't open output file %s\n", outfile); + goto end; + } + } + else + { + out = BIO_new_fp (stdout, BIO_NOCLOSE); +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif + } + + if (pubin) + pkey = load_pubkey(bio_err, infile, informat, 1, + passin, e, "Public Key"); + else + pkey = load_key(bio_err, infile, informat, 1, + passin, e, "key"); + if (!pkey) + goto end; + + if (!noout) + { + if (outformat == FORMAT_PEM) + { + if (pubout) + PEM_write_bio_PUBKEY(out,pkey); + else + PEM_write_bio_PrivateKey(out, pkey, cipher, + NULL, 0, NULL, passout); + } + else if (outformat == FORMAT_ASN1) + { + if (pubout) + i2d_PUBKEY_bio(out, pkey); + else + i2d_PrivateKey_bio(out, pkey); + } + else + { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + + } + + if (text) + { + if (pubtext) + EVP_PKEY_print_public(out, pkey, 0, NULL); + else + EVP_PKEY_print_private(out, pkey, 0, NULL); + } + + ret = 0; + + end: + EVP_PKEY_free(pkey); + BIO_free_all(out); + BIO_free(in); + if (passin) + OPENSSL_free(passin); + if (passout) + OPENSSL_free(passout); + + return ret; + } diff --git a/crypto/openssl/apps/pkeyparam.c b/crypto/openssl/apps/pkeyparam.c new file mode 100644 index 0000000..6f7a357 --- /dev/null +++ b/crypto/openssl/apps/pkeyparam.c @@ -0,0 +1,200 @@ +/* apps/pkeyparam.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2006 + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +#include <stdio.h> +#include <string.h> +#include "apps.h" +#include <openssl/pem.h> +#include <openssl/err.h> +#include <openssl/evp.h> + +#define PROG pkeyparam_main + +int MAIN(int, char **); + +int MAIN(int argc, char **argv) + { + char **args, *infile = NULL, *outfile = NULL; + BIO *in = NULL, *out = NULL; + int text = 0, noout = 0; + EVP_PKEY *pkey=NULL; + int badarg = 0; +#ifndef OPENSSL_NO_ENGINE + char *engine=NULL; +#endif + int ret = 1; + + if (bio_err == NULL) + bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); + + if (!load_config(bio_err, NULL)) + goto end; + + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + args = argv + 1; + while (!badarg && *args && *args[0] == '-') + { + if (!strcmp (*args, "-in")) + { + if (args[1]) + { + args++; + infile = *args; + } + else badarg = 1; + } + else if (!strcmp (*args, "-out")) + { + if (args[1]) + { + args++; + outfile = *args; + } + else badarg = 1; + } +#ifndef OPENSSL_NO_ENGINE + else if (strcmp(*args,"-engine") == 0) + { + if (!args[1]) goto bad; + engine= *(++args); + } +#endif + + else if (strcmp(*args,"-text") == 0) + text=1; + else if (strcmp(*args,"-noout") == 0) + noout=1; + args++; + } + + if (badarg) + { +#ifndef OPENSSL_NO_ENGINE + bad: +#endif + BIO_printf(bio_err, "Usage pkeyparam [options]\n"); + BIO_printf(bio_err, "where options are\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-text print parameters as text\n"); + BIO_printf(bio_err, "-noout don't output encoded parameters\n"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif + return 1; + } + +#ifndef OPENSSL_NO_ENGINE + setup_engine(bio_err, engine, 0); +#endif + + if (infile) + { + if (!(in = BIO_new_file (infile, "r"))) + { + BIO_printf(bio_err, + "Can't open input file %s\n", infile); + goto end; + } + } + else + in = BIO_new_fp (stdin, BIO_NOCLOSE); + + if (outfile) + { + if (!(out = BIO_new_file (outfile, "w"))) + { + BIO_printf(bio_err, + "Can't open output file %s\n", outfile); + goto end; + } + } + else + { + out = BIO_new_fp (stdout, BIO_NOCLOSE); +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif + } + + pkey = PEM_read_bio_Parameters(in, NULL); + if (!pkey) + { + BIO_printf(bio_err, "Error reading parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (!noout) + PEM_write_bio_Parameters(out,pkey); + + if (text) + EVP_PKEY_print_params(out, pkey, 0, NULL); + + ret = 0; + + end: + EVP_PKEY_free(pkey); + BIO_free_all(out); + BIO_free(in); + + return ret; + } diff --git a/crypto/openssl/apps/pkeyutl.c b/crypto/openssl/apps/pkeyutl.c new file mode 100644 index 0000000..7eb3f5c --- /dev/null +++ b/crypto/openssl/apps/pkeyutl.c @@ -0,0 +1,570 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2006. + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + +#include "apps.h" +#include <string.h> +#include <openssl/err.h> +#include <openssl/pem.h> +#include <openssl/evp.h> + +#define KEY_PRIVKEY 1 +#define KEY_PUBKEY 2 +#define KEY_CERT 3 + +static void usage(void); + +#undef PROG + +#define PROG pkeyutl_main + +static EVP_PKEY_CTX *init_ctx(int *pkeysize, + char *keyfile, int keyform, int key_type, + char *passargin, int pkey_op, ENGINE *e); + +static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, + const char *file); + +static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, + unsigned char *in, size_t inlen); + +int MAIN(int argc, char **); + +int MAIN(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + char *infile = NULL, *outfile = NULL, *sigfile = NULL; + ENGINE *e = NULL; + int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; + int keyform = FORMAT_PEM, peerform = FORMAT_PEM; + char badarg = 0, rev = 0; + char hexdump = 0, asn1parse = 0; + EVP_PKEY_CTX *ctx = NULL; + char *passargin = NULL; + int keysize = -1; + + unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; + size_t buf_outlen; + int buf_inlen = 0, siglen = -1; + + int ret = 1, rv = -1; + + argc--; + argv++; + + if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + + if (!load_config(bio_err, NULL)) + goto end; + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + + while(argc >= 1) + { + if (!strcmp(*argv,"-in")) + { + if (--argc < 1) badarg = 1; + else infile= *(++argv); + } + else if (!strcmp(*argv,"-out")) + { + if (--argc < 1) badarg = 1; + else outfile= *(++argv); + } + else if (!strcmp(*argv,"-sigfile")) + { + if (--argc < 1) badarg = 1; + else sigfile= *(++argv); + } + else if(!strcmp(*argv, "-inkey")) + { + if (--argc < 1) + badarg = 1; + else + { + ctx = init_ctx(&keysize, + *(++argv), keyform, key_type, + passargin, pkey_op, e); + if (!ctx) + { + BIO_puts(bio_err, + "Error initializing context\n"); + ERR_print_errors(bio_err); + badarg = 1; + } + } + } + else if (!strcmp(*argv,"-peerkey")) + { + if (--argc < 1) + badarg = 1; + else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) + badarg = 1; + } + else if (!strcmp(*argv,"-passin")) + { + if (--argc < 1) badarg = 1; + else passargin= *(++argv); + } + else if (strcmp(*argv,"-peerform") == 0) + { + if (--argc < 1) badarg = 1; + else peerform=str2fmt(*(++argv)); + } + else if (strcmp(*argv,"-keyform") == 0) + { + if (--argc < 1) badarg = 1; + else keyform=str2fmt(*(++argv)); + } +#ifndef OPENSSL_NO_ENGINE + else if(!strcmp(*argv, "-engine")) + { + if (--argc < 1) + badarg = 1; + else + e = setup_engine(bio_err, *(++argv), 0); + } +#endif + else if(!strcmp(*argv, "-pubin")) + key_type = KEY_PUBKEY; + else if(!strcmp(*argv, "-certin")) + key_type = KEY_CERT; + else if(!strcmp(*argv, "-asn1parse")) + asn1parse = 1; + else if(!strcmp(*argv, "-hexdump")) + hexdump = 1; + else if(!strcmp(*argv, "-sign")) + pkey_op = EVP_PKEY_OP_SIGN; + else if(!strcmp(*argv, "-verify")) + pkey_op = EVP_PKEY_OP_VERIFY; + else if(!strcmp(*argv, "-verifyrecover")) + pkey_op = EVP_PKEY_OP_VERIFYRECOVER; + else if(!strcmp(*argv, "-rev")) + rev = 1; + else if(!strcmp(*argv, "-encrypt")) + pkey_op = EVP_PKEY_OP_ENCRYPT; + else if(!strcmp(*argv, "-decrypt")) + pkey_op = EVP_PKEY_OP_DECRYPT; + else if(!strcmp(*argv, "-derive")) + pkey_op = EVP_PKEY_OP_DERIVE; + else if (strcmp(*argv,"-pkeyopt") == 0) + { + if (--argc < 1) + badarg = 1; + else if (!ctx) + { + BIO_puts(bio_err, + "-pkeyopt command before -inkey\n"); + badarg = 1; + } + else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) + { + BIO_puts(bio_err, "parameter setting error\n"); + ERR_print_errors(bio_err); + goto end; + } + } + else badarg = 1; + if(badarg) + { + usage(); + goto end; + } + argc--; + argv++; + } + + if (!ctx) + { + usage(); + goto end; + } + + if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) + { + BIO_puts(bio_err, "Signature file specified for non verify\n"); + goto end; + } + + if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) + { + BIO_puts(bio_err, "No signature file specified for verify\n"); + goto end; + } + +/* FIXME: seed PRNG only if needed */ + app_RAND_load_file(NULL, bio_err, 0); + + if (pkey_op != EVP_PKEY_OP_DERIVE) + { + if(infile) + { + if(!(in = BIO_new_file(infile, "rb"))) + { + BIO_puts(bio_err, + "Error Opening Input File\n"); + ERR_print_errors(bio_err); + goto end; + } + } + else + in = BIO_new_fp(stdin, BIO_NOCLOSE); + } + + if(outfile) + { + if(!(out = BIO_new_file(outfile, "wb"))) + { + BIO_printf(bio_err, "Error Creating Output File\n"); + ERR_print_errors(bio_err); + goto end; + } + } + else + { + out = BIO_new_fp(stdout, BIO_NOCLOSE); +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif + } + + if (sigfile) + { + BIO *sigbio = BIO_new_file(sigfile, "rb"); + if (!sigbio) + { + BIO_printf(bio_err, "Can't open signature file %s\n", + sigfile); + goto end; + } + siglen = bio_to_mem(&sig, keysize * 10, sigbio); + BIO_free(sigbio); + if (siglen <= 0) + { + BIO_printf(bio_err, "Error reading signature data\n"); + goto end; + } + } + + if (in) + { + /* Read the input data */ + buf_inlen = bio_to_mem(&buf_in, keysize * 10, in); + if(buf_inlen <= 0) + { + BIO_printf(bio_err, "Error reading input Data\n"); + exit(1); + } + if(rev) + { + size_t i; + unsigned char ctmp; + size_t l = (size_t)buf_inlen; + for(i = 0; i < l/2; i++) + { + ctmp = buf_in[i]; + buf_in[i] = buf_in[l - 1 - i]; + buf_in[l - 1 - i] = ctmp; + } + } + } + + if(pkey_op == EVP_PKEY_OP_VERIFY) + { + rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, + buf_in, (size_t)buf_inlen); + if (rv == 0) + BIO_puts(out, "Signature Verification Failure\n"); + else if (rv == 1) + BIO_puts(out, "Signature Verified Successfully\n"); + if (rv >= 0) + goto end; + } + else + { + rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); + if (rv > 0) + { + buf_out = OPENSSL_malloc(buf_outlen); + if (!buf_out) + rv = -1; + else + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); + } + } + + if(rv <= 0) + { + BIO_printf(bio_err, "Public Key operation error\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + if(asn1parse) + { + if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) + ERR_print_errors(bio_err); + } + else if(hexdump) + BIO_dump(out, (char *)buf_out, buf_outlen); + else + BIO_write(out, buf_out, buf_outlen); + + end: + if (ctx) + EVP_PKEY_CTX_free(ctx); + BIO_free(in); + BIO_free_all(out); + if (buf_in) + OPENSSL_free(buf_in); + if (buf_out) + OPENSSL_free(buf_out); + if (sig) + OPENSSL_free(sig); + return ret; +} + +static void usage() +{ + BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n"); + BIO_printf(bio_err, "-inkey file input key\n"); + BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); + BIO_printf(bio_err, "-pubin input is a public key\n"); + BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n"); + BIO_printf(bio_err, "-pkeyopt X:Y public key options\n"); + BIO_printf(bio_err, "-sign sign with private key\n"); + BIO_printf(bio_err, "-verify verify with public key\n"); + BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n"); + BIO_printf(bio_err, "-encrypt encrypt with public key\n"); + BIO_printf(bio_err, "-decrypt decrypt with private key\n"); + BIO_printf(bio_err, "-derive derive shared secret\n"); + BIO_printf(bio_err, "-hexdump hex dump output\n"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif + BIO_printf(bio_err, "-passin arg pass phrase source\n"); + +} + +static EVP_PKEY_CTX *init_ctx(int *pkeysize, + char *keyfile, int keyform, int key_type, + char *passargin, int pkey_op, ENGINE *e) + { + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + char *passin = NULL; + int rv = -1; + X509 *x; + if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) + || (pkey_op == EVP_PKEY_OP_DERIVE)) + && (key_type != KEY_PRIVKEY)) + { + BIO_printf(bio_err, "A private key is needed for this operation\n"); + goto end; + } + if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) + { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + switch(key_type) + { + case KEY_PRIVKEY: + pkey = load_key(bio_err, keyfile, keyform, 0, + passin, e, "Private Key"); + break; + + case KEY_PUBKEY: + pkey = load_pubkey(bio_err, keyfile, keyform, 0, + NULL, e, "Public Key"); + break; + + case KEY_CERT: + x = load_cert(bio_err, keyfile, keyform, + NULL, e, "Certificate"); + if(x) + { + pkey = X509_get_pubkey(x); + X509_free(x); + } + break; + + } + + *pkeysize = EVP_PKEY_size(pkey); + + if (!pkey) + goto end; + + ctx = EVP_PKEY_CTX_new(pkey, e); + + EVP_PKEY_free(pkey); + + if (!ctx) + goto end; + + switch(pkey_op) + { + case EVP_PKEY_OP_SIGN: + rv = EVP_PKEY_sign_init(ctx); + break; + + case EVP_PKEY_OP_VERIFY: + rv = EVP_PKEY_verify_init(ctx); + break; + + case EVP_PKEY_OP_VERIFYRECOVER: + rv = EVP_PKEY_verify_recover_init(ctx); + break; + + case EVP_PKEY_OP_ENCRYPT: + rv = EVP_PKEY_encrypt_init(ctx); + break; + + case EVP_PKEY_OP_DECRYPT: + rv = EVP_PKEY_decrypt_init(ctx); + break; + + case EVP_PKEY_OP_DERIVE: + rv = EVP_PKEY_derive_init(ctx); + break; + } + + if (rv <= 0) + { + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + } + + end: + + if (passin) + OPENSSL_free(passin); + + return ctx; + + + } + +static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, + const char *file) + { + EVP_PKEY *peer = NULL; + int ret; + if (!ctx) + { + BIO_puts(err, "-peerkey command before -inkey\n"); + return 0; + } + + peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); + + if (!peer) + { + BIO_printf(bio_err, "Error reading peer key %s\n", file); + ERR_print_errors(err); + return 0; + } + + ret = EVP_PKEY_derive_set_peer(ctx, peer); + + EVP_PKEY_free(peer); + if (ret <= 0) + ERR_print_errors(err); + return ret; + } + +static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, + unsigned char *in, size_t inlen) + { + int rv = 0; + switch(pkey_op) + { + case EVP_PKEY_OP_VERIFYRECOVER: + rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_SIGN: + rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_ENCRYPT: + rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_DECRYPT: + rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_DERIVE: + rv = EVP_PKEY_derive(ctx, out, poutlen); + break; + + } + return rv; + } diff --git a/crypto/openssl/apps/prime.c b/crypto/openssl/apps/prime.c index af2fed1..f1aaef8 100644 --- a/crypto/openssl/apps/prime.c +++ b/crypto/openssl/apps/prime.c @@ -62,6 +62,9 @@ int MAIN(int argc, char **argv) { int hex=0; int checks=20; + int generate=0; + int bits=0; + int safe=0; BIGNUM *bn=NULL; BIO *bio_out; @@ -77,6 +80,15 @@ int MAIN(int argc, char **argv) { if(!strcmp(*argv,"-hex")) hex=1; + else if(!strcmp(*argv,"-generate")) + generate=1; + else if(!strcmp(*argv,"-bits")) + if(--argc < 1) + goto bad; + else + bits=atoi(*++argv); + else if(!strcmp(*argv,"-safe")) + safe=1; else if(!strcmp(*argv,"-checks")) if(--argc < 1) goto bad; @@ -91,13 +103,13 @@ int MAIN(int argc, char **argv) ++argv; } - if (argv[0] == NULL) + if (argv[0] == NULL && !generate) { BIO_printf(bio_err,"No prime specified\n"); goto bad; } - if ((bio_out=BIO_new(BIO_s_file())) != NULL) + if ((bio_out=BIO_new(BIO_s_file())) != NULL) { BIO_set_fp(bio_out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS @@ -108,14 +120,32 @@ int MAIN(int argc, char **argv) #endif } - if(hex) - BN_hex2bn(&bn,argv[0]); + if(generate) + { + char *s; + + if(!bits) + { + BIO_printf(bio_err,"Specifiy the number of bits.\n"); + return 1; + } + bn=BN_new(); + BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL); + s=hex ? BN_bn2hex(bn) : BN_bn2dec(bn); + BIO_printf(bio_out,"%s\n",s); + OPENSSL_free(s); + } else - BN_dec2bn(&bn,argv[0]); + { + if(hex) + BN_hex2bn(&bn,argv[0]); + else + BN_dec2bn(&bn,argv[0]); - BN_print(bio_out,bn); - BIO_printf(bio_out," is %sprime\n", - BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); + BN_print(bio_out,bn); + BIO_printf(bio_out," is %sprime\n", + BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); + } BN_free(bn); BIO_free_all(bio_out); diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h index aafd800..949e780 100644 --- a/crypto/openssl/apps/progs.h +++ b/crypto/openssl/apps/progs.h @@ -22,6 +22,7 @@ extern int ecparam_main(int argc,char *argv[]); extern int x509_main(int argc,char *argv[]); extern int genrsa_main(int argc,char *argv[]); extern int gendsa_main(int argc,char *argv[]); +extern int genpkey_main(int argc,char *argv[]); extern int s_server_main(int argc,char *argv[]); extern int s_client_main(int argc,char *argv[]); extern int speed_main(int argc,char *argv[]); @@ -35,22 +36,31 @@ extern int ciphers_main(int argc,char *argv[]); extern int nseq_main(int argc,char *argv[]); extern int pkcs12_main(int argc,char *argv[]); extern int pkcs8_main(int argc,char *argv[]); +extern int pkey_main(int argc,char *argv[]); +extern int pkeyparam_main(int argc,char *argv[]); +extern int pkeyutl_main(int argc,char *argv[]); extern int spkac_main(int argc,char *argv[]); extern int smime_main(int argc,char *argv[]); extern int rand_main(int argc,char *argv[]); extern int engine_main(int argc,char *argv[]); extern int ocsp_main(int argc,char *argv[]); extern int prime_main(int argc,char *argv[]); +extern int ts_main(int argc,char *argv[]); +extern int srp_main(int argc,char *argv[]); #define FUNC_TYPE_GENERAL 1 #define FUNC_TYPE_MD 2 #define FUNC_TYPE_CIPHER 3 +#define FUNC_TYPE_PKEY 4 +#define FUNC_TYPE_MD_ALG 5 +#define FUNC_TYPE_CIPHER_ALG 6 typedef struct { int type; const char *name; int (*func)(int argc,char *argv[]); } FUNCTION; +DECLARE_LHASH_OF(FUNCTION); FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"verify",verify_main}, @@ -96,6 +106,7 @@ FUNCTION functions[] = { #ifndef OPENSSL_NO_DSA {FUNC_TYPE_GENERAL,"gendsa",gendsa_main}, #endif + {FUNC_TYPE_GENERAL,"genpkey",genpkey_main}, #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_server",s_server_main}, #endif @@ -123,14 +134,23 @@ FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main}, #endif {FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main}, + {FUNC_TYPE_GENERAL,"pkey",pkey_main}, + {FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main}, + {FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main}, {FUNC_TYPE_GENERAL,"spkac",spkac_main}, {FUNC_TYPE_GENERAL,"smime",smime_main}, {FUNC_TYPE_GENERAL,"rand",rand_main}, #ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,"engine",engine_main}, #endif +#ifndef OPENSSL_NO_OCSP {FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, +#endif {FUNC_TYPE_GENERAL,"prime",prime_main}, + {FUNC_TYPE_GENERAL,"ts",ts_main}, +#ifndef OPENSSL_NO_SRP + {FUNC_TYPE_GENERAL,"srp",srp_main}, +#endif #ifndef OPENSSL_NO_MD2 {FUNC_TYPE_MD,"md2",dgst_main}, #endif @@ -189,6 +209,9 @@ FUNCTION functions[] = { {FUNC_TYPE_CIPHER,"camellia-256-ecb",enc_main}, #endif {FUNC_TYPE_CIPHER,"base64",enc_main}, +#ifdef ZLIB + {FUNC_TYPE_CIPHER,"zlib",enc_main}, +#endif #ifndef OPENSSL_NO_DES {FUNC_TYPE_CIPHER,"des",enc_main}, #endif diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl index 645432c..39ca8f7 100644 --- a/crypto/openssl/apps/progs.pl +++ b/crypto/openssl/apps/progs.pl @@ -13,12 +13,16 @@ print <<'EOF'; #define FUNC_TYPE_GENERAL 1 #define FUNC_TYPE_MD 2 #define FUNC_TYPE_CIPHER 3 +#define FUNC_TYPE_PKEY 4 +#define FUNC_TYPE_MD_ALG 5 +#define FUNC_TYPE_CIPHER_ALG 6 typedef struct { int type; const char *name; int (*func)(int argc,char *argv[]); } FUNCTION; +DECLARE_LHASH_OF(FUNCTION); FUNCTION functions[] = { EOF @@ -45,6 +49,10 @@ foreach (@ARGV) { print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; } elsif ( ($_ =~ /^cms$/)) { print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; } + elsif ( ($_ =~ /^ocsp$/)) + { print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; } + elsif ( ($_ =~ /^srp$/)) + { print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; } else { print $str; } } @@ -62,7 +70,7 @@ foreach ( "camellia-128-cbc", "camellia-128-ecb", "camellia-192-cbc", "camellia-192-ecb", "camellia-256-cbc", "camellia-256-ecb", - "base64", + "base64", "zlib", "des", "des3", "desx", "idea", "seed", "rc4", "rc4-40", "rc2", "bf", "cast", "rc5", "des-ecb", "des-ede", "des-ede3", @@ -89,6 +97,7 @@ foreach ( elsif ($_ =~ /bf/) { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; } elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; } elsif ($_ =~ /rc5/) { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; } + elsif ($_ =~ /zlib/) { $t="#ifdef ZLIB\n${t}#endif\n"; } print $t; } diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 9f55cde..8552658 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -141,39 +141,33 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def, int n_max, unsigned long chtype); static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, int nid,int n_min,int n_max, unsigned long chtype, int mval); -#ifndef OPENSSL_NO_RSA -static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb); -#endif +static int genpkey_cb(EVP_PKEY_CTX *ctx); static int req_check_len(int len,int n_min,int n_max); static int check_end(const char *str, const char *end); +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, + long *pkeylen, char **palgnam, + ENGINE *keygen_engine); #ifndef MONOLITH static char *default_config_file=NULL; #endif static CONF *req_conf=NULL; static int batch=0; -#define TYPE_RSA 1 -#define TYPE_DSA 2 -#define TYPE_DH 3 -#define TYPE_EC 4 - int MAIN(int, char **); int MAIN(int argc, char **argv) { - ENGINE *e = NULL; -#ifndef OPENSSL_NO_DSA - DSA *dsa_params=NULL; -#endif -#ifndef OPENSSL_NO_ECDSA - EC_KEY *ec_params = NULL; -#endif + ENGINE *e = NULL, *gen_eng = NULL; unsigned long nmflag = 0, reqflag = 0; int ex=1,x509=0,days=30; X509 *x509ss=NULL; X509_REQ *req=NULL; + EVP_PKEY_CTX *genctx = NULL; + const char *keyalg = NULL; + char *keyalgstr = NULL; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; EVP_PKEY *pkey=NULL; - int i=0,badops=0,newreq=0,verbose=0,pkey_type=TYPE_RSA; + int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; long newkey = -1; BIO *in=NULL,*out=NULL; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; @@ -193,7 +187,7 @@ int MAIN(int argc, char **argv) char *p; char *subj = NULL; int multirdn = 0; - const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); + const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH char *to_free; @@ -236,6 +230,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; engine= *(++argv); } + else if (strcmp(*argv,"-keygen_engine") == 0) + { + if (--argc < 1) goto bad; + gen_eng = ENGINE_by_id(*(++argv)); + if (gen_eng == NULL) + { + BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); + goto end; + } + } #endif else if (strcmp(*argv,"-key") == 0) { @@ -292,126 +296,29 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-newkey") == 0) { - int is_numeric; - - if (--argc < 1) goto bad; - p= *(++argv); - is_numeric = p[0] >= '0' && p[0] <= '9'; - if (strncmp("rsa:",p,4) == 0 || is_numeric) - { - pkey_type=TYPE_RSA; - if(!is_numeric) - p+=4; - newkey= atoi(p); - } - else -#ifndef OPENSSL_NO_DSA - if (strncmp("dsa:",p,4) == 0) - { - X509 *xtmp=NULL; - EVP_PKEY *dtmp; - - pkey_type=TYPE_DSA; - p+=4; - if ((in=BIO_new_file(p,"r")) == NULL) - { - perror(p); - goto end; - } - if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL) - { - ERR_clear_error(); - (void)BIO_reset(in); - if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) - { - BIO_printf(bio_err,"unable to load DSA parameters from file\n"); - goto end; - } - - if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end; - if (dtmp->type == EVP_PKEY_DSA) - dsa_params=DSAparams_dup(dtmp->pkey.dsa); - EVP_PKEY_free(dtmp); - X509_free(xtmp); - if (dsa_params == NULL) - { - BIO_printf(bio_err,"Certificate does not contain DSA parameters\n"); - goto end; - } - } - BIO_free(in); - in=NULL; - newkey=BN_num_bits(dsa_params->p); - } - else -#endif -#ifndef OPENSSL_NO_ECDSA - if (strncmp("ec:",p,3) == 0) - { - X509 *xtmp=NULL; - EVP_PKEY *dtmp; - EC_GROUP *group; - - pkey_type=TYPE_EC; - p+=3; - if ((in=BIO_new_file(p,"r")) == NULL) - { - perror(p); - goto end; - } - if ((ec_params = EC_KEY_new()) == NULL) - goto end; - group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL); - if (group == NULL) - { - EC_KEY_free(ec_params); - ERR_clear_error(); - (void)BIO_reset(in); - if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) - { - BIO_printf(bio_err,"unable to load EC parameters from file\n"); - goto end; - } - - if ((dtmp=X509_get_pubkey(xtmp))==NULL) - goto end; - if (dtmp->type == EVP_PKEY_EC) - ec_params = EC_KEY_dup(dtmp->pkey.ec); - EVP_PKEY_free(dtmp); - X509_free(xtmp); - if (ec_params == NULL) - { - BIO_printf(bio_err,"Certificate does not contain EC parameters\n"); - goto end; - } - } - else - { - if (EC_KEY_set_group(ec_params, group) == 0) - goto end; - EC_GROUP_free(group); - } - - BIO_free(in); - in=NULL; - newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params)); - } - else -#endif -#ifndef OPENSSL_NO_DH - if (strncmp("dh:",p,4) == 0) - { - pkey_type=TYPE_DH; - p+=3; - } - else -#endif - { + if (--argc < 1) goto bad; - } - + keyalg = *(++argv); newreq=1; } + else if (strcmp(*argv,"-pkeyopt") == 0) + { + if (--argc < 1) + goto bad; + if (!pkeyopts) + pkeyopts = sk_OPENSSL_STRING_new_null(); + if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) + goto bad; + } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + goto bad; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + goto bad; + } else if (strcmp(*argv,"-batch") == 0) batch=1; else if (strcmp(*argv,"-newhdr") == 0) @@ -467,11 +374,6 @@ int MAIN(int argc, char **argv) serial = s2i_ASN1_INTEGER(NULL, *(++argv)); if (!serial) goto bad; } - else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) - { - /* ok */ - digest=md_alg; - } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; @@ -482,6 +384,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; req_exts = *(++argv); } + else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) + { + /* ok */ + digest=md_alg; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -730,15 +637,20 @@ bad: if (newreq && (pkey == NULL)) { -#ifndef OPENSSL_NO_RSA - BN_GENCB cb; -#endif char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); if (inrand) app_RAND_load_files(inrand); + + if (keyalg) + { + genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) + goto end; + } if (newkey <= 0) { @@ -746,57 +658,54 @@ bad: newkey=DEFAULT_KEY_LENGTH; } - if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA)) + if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { BIO_printf(bio_err,"private key length is too short,\n"); BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey); goto end; } - BIO_printf(bio_err,"Generating a %ld bit %s private key\n", - newkey,(pkey_type == TYPE_RSA)?"RSA": - (pkey_type == TYPE_DSA)?"DSA":"EC"); - if ((pkey=EVP_PKEY_new()) == NULL) goto end; - -#ifndef OPENSSL_NO_RSA - BN_GENCB_set(&cb, req_cb, bio_err); - if (pkey_type == TYPE_RSA) - { - RSA *rsa = RSA_new(); - BIGNUM *bn = BN_new(); - if(!bn || !rsa || !BN_set_word(bn, 0x10001) || - !RSA_generate_key_ex(rsa, newkey, bn, &cb) || - !EVP_PKEY_assign_RSA(pkey, rsa)) - { - if(bn) BN_free(bn); - if(rsa) RSA_free(rsa); + if (!genctx) + { + genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) goto end; - } - BN_free(bn); } - else -#endif -#ifndef OPENSSL_NO_DSA - if (pkey_type == TYPE_DSA) + + if (pkeyopts) { - if (!DSA_generate_key(dsa_params)) goto end; - if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end; - dsa_params=NULL; + char *genopt; + for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) + { + genopt = sk_OPENSSL_STRING_value(pkeyopts, i); + if (pkey_ctrl_string(genctx, genopt) <= 0) + { + BIO_printf(bio_err, + "parameter error \"%s\"\n", + genopt); + ERR_print_errors(bio_err); + goto end; + } + } } -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey_type == TYPE_EC) + + BIO_printf(bio_err,"Generating a %ld bit %s private key\n", + newkey, keyalgstr); + + EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); + EVP_PKEY_CTX_set_app_data(genctx, bio_err); + + if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { - if (!EC_KEY_generate_key(ec_params)) goto end; - if (!EVP_PKEY_assign_EC_KEY(pkey, ec_params)) - goto end; - ec_params = NULL; + BIO_puts(bio_err, "Error Generating Key\n"); + goto end; } -#endif - app_RAND_write_file(randfile, bio_err); + EVP_PKEY_CTX_free(genctx); + genctx = NULL; - if (pkey == NULL) goto end; + app_RAND_write_file(randfile, bio_err); if (keyout == NULL) { @@ -895,14 +804,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif + if (req == NULL) { req=X509_REQ_new(); @@ -945,7 +847,7 @@ loop: if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end; - if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end; + if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; tmppkey = X509_REQ_get_pubkey(req); if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end; @@ -965,9 +867,13 @@ loop: extensions); goto end; } - - if (!(i=X509_sign(x509ss,pkey,digest))) + + i=do_X509_sign(bio_err, x509ss, pkey, digest, sigopts); + if (!i) + { + ERR_print_errors(bio_err); goto end; + } } else { @@ -987,8 +893,12 @@ loop: req_exts); goto end; } - if (!(i=X509_REQ_sign(req,pkey,digest))) + i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts); + if (!i) + { + ERR_print_errors(bio_err); goto end; + } } } @@ -1125,7 +1035,7 @@ loop: } fprintf(stdout,"Modulus="); #ifndef OPENSSL_NO_RSA - if (tpubkey->type == EVP_PKEY_RSA) + if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) BN_print(out,tpubkey->pkey.rsa->n); else #endif @@ -1181,18 +1091,24 @@ end: BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); + if (genctx) + EVP_PKEY_CTX_free(genctx); + if (pkeyopts) + sk_OPENSSL_STRING_free(pkeyopts); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); +#ifndef OPENSSL_NO_ENGINE + if (gen_eng) + ENGINE_free(gen_eng); +#endif + if (keyalgstr) + OPENSSL_free(keyalgstr); X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); if(passargin && passin) OPENSSL_free(passin); if(passargout && passout) OPENSSL_free(passout); OBJ_cleanup(); -#ifndef OPENSSL_NO_DSA - if (dsa_params != NULL) DSA_free(dsa_params); -#endif -#ifndef OPENSSL_NO_ECDSA - if (ec_params != NULL) EC_KEY_free(ec_params); -#endif apps_shutdown(); OPENSSL_EXIT(ex); } @@ -1647,24 +1563,6 @@ err: return(0); } -#ifndef OPENSSL_NO_RSA -static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb) - { - char c='*'; - - if (p == 0) c='.'; - if (p == 1) c='+'; - if (p == 2) c='*'; - if (p == 3) c='\n'; - BIO_write(cb->arg,&c,1); - (void)BIO_flush(cb->arg); -#ifdef LINT - p=n; -#endif - return 1; - } -#endif - static int req_check_len(int len, int n_min, int n_max) { if ((n_min > 0) && (len < n_min)) @@ -1691,3 +1589,248 @@ static int check_end(const char *str, const char *end) tmp = str + slen - elen; return strcmp(tmp, end); } + +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, + long *pkeylen, char **palgnam, + ENGINE *keygen_engine) + { + EVP_PKEY_CTX *gctx = NULL; + EVP_PKEY *param = NULL; + long keylen = -1; + BIO *pbio = NULL; + const char *paramfile = NULL; + + if (gstr == NULL) + { + *pkey_type = EVP_PKEY_RSA; + keylen = *pkeylen; + } + else if (gstr[0] >= '0' && gstr[0] <= '9') + { + *pkey_type = EVP_PKEY_RSA; + keylen = atol(gstr); + *pkeylen = keylen; + } + else if (!strncmp(gstr, "param:", 6)) + paramfile = gstr + 6; + else + { + const char *p = strchr(gstr, ':'); + int len; + ENGINE *tmpeng; + const EVP_PKEY_ASN1_METHOD *ameth; + + if (p) + len = p - gstr; + else + len = strlen(gstr); + /* The lookup of a the string will cover all engines so + * keep a note of the implementation. + */ + + ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); + + if (!ameth) + { + BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr); + return NULL; + } + + EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, + ameth); +#ifndef OPENSSL_NO_ENGINE + if (tmpeng) + ENGINE_finish(tmpeng); +#endif + if (*pkey_type == EVP_PKEY_RSA) + { + if (p) + { + keylen = atol(p + 1); + *pkeylen = keylen; + } + } + else if (p) + paramfile = p + 1; + } + + if (paramfile) + { + pbio = BIO_new_file(paramfile, "r"); + if (!pbio) + { + BIO_printf(err, "Can't open parameter file %s\n", + paramfile); + return NULL; + } + param = PEM_read_bio_Parameters(pbio, NULL); + + if (!param) + { + X509 *x; + (void)BIO_reset(pbio); + x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); + if (x) + { + param = X509_get_pubkey(x); + X509_free(x); + } + } + + BIO_free(pbio); + + if (!param) + { + BIO_printf(err, "Error reading parameter file %s\n", + paramfile); + return NULL; + } + if (*pkey_type == -1) + *pkey_type = EVP_PKEY_id(param); + else if (*pkey_type != EVP_PKEY_base_id(param)) + { + BIO_printf(err, "Key Type does not match parameters\n"); + EVP_PKEY_free(param); + return NULL; + } + } + + if (palgnam) + { + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *tmpeng; + const char *anam; + ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); + if (!ameth) + { + BIO_puts(err, "Internal error: can't find key algorithm\n"); + return NULL; + } + EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); + *palgnam = BUF_strdup(anam); +#ifndef OPENSSL_NO_ENGINE + if (tmpeng) + ENGINE_finish(tmpeng); +#endif + } + + if (param) + { + gctx = EVP_PKEY_CTX_new(param, keygen_engine); + *pkeylen = EVP_PKEY_bits(param); + EVP_PKEY_free(param); + } + else + gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); + + if (!gctx) + { + BIO_puts(err, "Error allocating keygen context\n"); + ERR_print_errors(err); + return NULL; + } + + if (EVP_PKEY_keygen_init(gctx) <= 0) + { + BIO_puts(err, "Error initializing keygen context\n"); + ERR_print_errors(err); + return NULL; + } +#ifndef OPENSSL_NO_RSA + if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) + { + if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) + { + BIO_puts(err, "Error setting RSA keysize\n"); + ERR_print_errors(err); + EVP_PKEY_CTX_free(gctx); + return NULL; + } + } +#endif + + return gctx; + } + +static int genpkey_cb(EVP_PKEY_CTX *ctx) + { + char c='*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) c='.'; + if (p == 1) c='+'; + if (p == 2) c='*'; + if (p == 3) c='\n'; + BIO_write(b,&c,1); + (void)BIO_flush(b); +#ifdef LINT + p=n; +#endif + return 1; + } + +static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey, + const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) + { + EVP_PKEY_CTX *pkctx = NULL; + int i; + EVP_MD_CTX_init(ctx); + if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) + return 0; + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) + { + char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pkctx, sigopt) <= 0) + { + BIO_printf(err, "parameter error \"%s\"\n", sigopt); + ERR_print_errors(bio_err); + return 0; + } + } + return 1; + } + +int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) + { + int rv; + EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); + rv = do_sign_init(err, &mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_sign_ctx(x, &mctx); + EVP_MD_CTX_cleanup(&mctx); + return rv > 0 ? 1 : 0; + } + + +int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) + { + int rv; + EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); + rv = do_sign_init(err, &mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_REQ_sign_ctx(x, &mctx); + EVP_MD_CTX_cleanup(&mctx); + return rv > 0 ? 1 : 0; + } + + + +int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) + { + int rv; + EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); + rv = do_sign_init(err, &mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_CRL_sign_ctx(x, &mctx); + EVP_MD_CTX_cleanup(&mctx); + return rv > 0 ? 1 : 0; + } + + diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c index 930f1f0..a17708f 100644 --- a/crypto/openssl/apps/rsa.c +++ b/crypto/openssl/apps/rsa.c @@ -115,6 +115,8 @@ int MAIN(int argc, char **argv) #endif int modulus=0; + int pvk_encr = 2; + apps_startup(); if (bio_err == NULL) @@ -177,6 +179,16 @@ int MAIN(int argc, char **argv) pubin=1; else if (strcmp(*argv,"-pubout") == 0) pubout=1; + else if (strcmp(*argv,"-RSAPublicKey_in") == 0) + pubin = 2; + else if (strcmp(*argv,"-RSAPublicKey_out") == 0) + pubout = 2; + else if (strcmp(*argv,"-pvk-strong") == 0) + pvk_encr=2; + else if (strcmp(*argv,"-pvk-weak") == 0) + pvk_encr=1; + else if (strcmp(*argv,"-pvk-none") == 0) + pvk_encr=0; else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -257,10 +269,23 @@ bad: EVP_PKEY *pkey; if (pubin) - pkey = load_pubkey(bio_err, infile, - (informat == FORMAT_NETSCAPE && sgckey ? - FORMAT_IISSGC : informat), 1, + { + int tmpformat=-1; + if (pubin == 2) + { + if (informat == FORMAT_PEM) + tmpformat = FORMAT_PEMRSA; + else if (informat == FORMAT_ASN1) + tmpformat = FORMAT_ASN1RSA; + } + else if (informat == FORMAT_NETSCAPE && sgckey) + tmpformat = FORMAT_IISSGC; + else + tmpformat = informat; + + pkey = load_pubkey(bio_err, infile, tmpformat, 1, passin, e, "Public Key"); + } else pkey = load_key(bio_err, infile, (informat == FORMAT_NETSCAPE && sgckey ? @@ -268,7 +293,7 @@ bad: passin, e, "Private Key"); if (pkey != NULL) - rsa = pkey == NULL ? NULL : EVP_PKEY_get1_RSA(pkey); + rsa = EVP_PKEY_get1_RSA(pkey); EVP_PKEY_free(pkey); } @@ -346,7 +371,13 @@ bad: } BIO_printf(bio_err,"writing RSA key\n"); if (outformat == FORMAT_ASN1) { - if(pubout || pubin) i=i2d_RSA_PUBKEY_bio(out,rsa); + if(pubout || pubin) + { + if (pubout == 2) + i=i2d_RSAPublicKey_bio(out,rsa); + else + i=i2d_RSA_PUBKEY_bio(out,rsa); + } else i=i2d_RSAPrivateKey_bio(out,rsa); } #ifndef OPENSSL_NO_RC4 @@ -370,14 +401,32 @@ bad: #endif else if (outformat == FORMAT_PEM) { if(pubout || pubin) - i=PEM_write_bio_RSA_PUBKEY(out,rsa); + { + if (pubout == 2) + i=PEM_write_bio_RSAPublicKey(out,rsa); + else + i=PEM_write_bio_RSA_PUBKEY(out,rsa); + } else i=PEM_write_bio_RSAPrivateKey(out,rsa, enc,NULL,0,NULL,passout); +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4) + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + EVP_PKEY_set1_RSA(pk, rsa); + if (outformat == FORMAT_PVK) + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); + else if (pubin || pubout) + i = i2b_PublicKey_bio(out, pk); + else + i = i2b_PrivateKey_bio(out, pk); + EVP_PKEY_free(pk); +#endif } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } - if (!i) + if (i <= 0) { BIO_printf(bio_err,"unable to write key\n"); ERR_print_errors(bio_err); diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index 923e2b6..b01f004 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -342,4 +342,10 @@ static void usage() } +#else /* !OPENSSL_NO_RSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h index f5a39ba..820e5c5 100644 --- a/crypto/openssl/apps/s_apps.h +++ b/crypto/openssl/apps/s_apps.h @@ -117,7 +117,7 @@ #include <conio.h> #endif -#ifdef OPENSSL_SYS_MSDOS +#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) #define _kbhit kbhit #endif @@ -162,7 +162,7 @@ int extract_port(char *str, short *port_ptr); int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret); + int argi, long argl, long ret); #ifdef HEADER_SSL_H void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret); diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c index 97caffc..2cd7337 100644 --- a/crypto/openssl/apps/s_cb.c +++ b/crypto/openssl/apps/s_cb.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -126,12 +126,12 @@ int verify_depth=0; int verify_error=X509_V_OK; +int verify_return_error=0; unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; int cookie_initialized=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { - char buf[256]; X509 *err_cert; int err,depth; @@ -139,15 +139,23 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); - BIO_printf(bio_err,"depth=%d %s\n",depth,buf); + BIO_printf(bio_err,"depth=%d ",depth); + if (err_cert) + { + X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "<no cert>\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, X509_verify_cert_error_string(err)); if (verify_depth >= depth) { - ok=1; + if (!verify_return_error) + ok=1; verify_error=X509_V_OK; } else @@ -156,25 +164,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } } - switch (ctx->error) + switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); - BIO_printf(bio_err,"issuer= %s\n",buf); + BIO_puts(bio_err,"issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); - ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); - ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); BIO_printf(bio_err,"\n"); break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(bio_err, ctx); + break; } + if (err == X509_V_OK && ok == 2) + policies_print(bio_err, ctx); + BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } @@ -263,7 +279,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key) } long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret) + int argi, long argl, long ret) { BIO *out; @@ -272,15 +288,15 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { - BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", - (void *)bio,argp,argi,ret,ret); + BIO_printf(out,"read from %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio,argp,(unsigned long)argi,ret,ret); BIO_dump(out,argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { - BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", - (void *)bio,argp,argi,ret,ret); + BIO_printf(out,"write to %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio,argp,(unsigned long)argi,ret,ret); BIO_dump(out,argp,(int)ret); } return(ret); @@ -341,14 +357,20 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case TLS1_VERSION: str_version = "TLS 1.0 "; break; - default: - str_version = "???"; + case TLS1_1_VERSION: + str_version = "TLS 1.1 "; + break; + case TLS1_2_VERSION: + str_version = "TLS 1.2 "; + break; case DTLS1_VERSION: str_version = "DTLS 1.0 "; break; case DTLS1_BAD_VER: str_version = "DTLS 1.0 (bad) "; break; + default: + str_version = "???"; } if (version == SSL2_VERSION) @@ -518,6 +540,24 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 100: str_details2 = " no_renegotiation"; break; + case 110: + str_details2 = " unsupported_extension"; + break; + case 111: + str_details2 = " certificate_unobtainable"; + break; + case 112: + str_details2 = " unrecognized_name"; + break; + case 113: + str_details2 = " bad_certificate_status_response"; + break; + case 114: + str_details2 = " bad_certificate_hash_value"; + break; + case 115: + str_details2 = " unknown_psk_identity"; + break; } } } @@ -539,6 +579,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 2: str_details1 = ", ServerHello"; break; + case 3: + str_details1 = ", HelloVerifyRequest"; + break; case 11: str_details1 = ", Certificate"; break; @@ -554,9 +597,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 15: str_details1 = ", CertificateVerify"; break; - case 3: - str_details1 = ", HelloVerifyRequest"; - break; case 16: str_details1 = ", ClientKeyExchange"; break; @@ -566,6 +606,26 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * } } } + +#ifndef OPENSSL_NO_HEARTBEATS + if (content_type == 24) /* Heartbeat */ + { + str_details1 = ", Heartbeat"; + + if (len > 0) + { + switch (((const unsigned char*)buf)[0]) + { + case 1: + str_details1 = ", HeartbeatRequest"; + break; + case 2: + str_details1 = ", HeartbeatResponse"; + break; + } + } + } +#endif } BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version, str_content_type, (unsigned long)len, str_details1, str_details2); @@ -626,6 +686,22 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, extname = "status request"; break; + case TLSEXT_TYPE_user_mapping: + extname = "user mapping"; + break; + + case TLSEXT_TYPE_client_authz: + extname = "client authz"; + break; + + case TLSEXT_TYPE_server_authz: + extname = "server authz"; + break; + + case TLSEXT_TYPE_cert_type: + extname = "cert type"; + break; + case TLSEXT_TYPE_elliptic_curves: extname = "elliptic curves"; break; @@ -634,14 +710,41 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, extname = "EC point formats"; break; + case TLSEXT_TYPE_srp: + extname = "SRP"; + break; + + case TLSEXT_TYPE_signature_algorithms: + extname = "signature algorithms"; + break; + + case TLSEXT_TYPE_use_srtp: + extname = "use SRTP"; + break; + + case TLSEXT_TYPE_heartbeat: + extname = "heartbeat"; + break; + case TLSEXT_TYPE_session_ticket: - extname = "server ticket"; + extname = "session ticket"; break; - case TLSEXT_TYPE_renegotiate: - extname = "renegotiate"; + case TLSEXT_TYPE_renegotiate: + extname = "renegotiation info"; break; +#ifdef TLSEXT_TYPE_opaque_prf_input + case TLSEXT_TYPE_opaque_prf_input: + extname = "opaque PRF input"; + break; +#endif +#ifdef TLSEXT_TYPE_next_proto_neg + case TLSEXT_TYPE_next_proto_neg: + extname = "next protocol"; + break; +#endif + default: extname = "unknown"; break; @@ -659,8 +762,14 @@ int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsign { unsigned char *buffer, result[EVP_MAX_MD_SIZE]; unsigned int length, resultlength; - struct sockaddr_in peer; - + union { + struct sockaddr sa; + struct sockaddr_in s4; +#if OPENSSL_USE_IPV6 + struct sockaddr_in6 s6; +#endif + } peer; + /* Initialize a random secret */ if (!cookie_initialized) { @@ -676,8 +785,23 @@ int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsign (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); /* Create buffer with peer's address and port */ - length = sizeof(peer.sin_addr); - length += sizeof(peer.sin_port); + length = 0; + switch (peer.sa.sa_family) + { + case AF_INET: + length += sizeof(struct in_addr); + length += sizeof(peer.s4.sin_port); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + length += sizeof(struct in6_addr); + length += sizeof(peer.s6.sin6_port); + break; +#endif + default: + OPENSSL_assert(0); + break; + } buffer = OPENSSL_malloc(length); if (buffer == NULL) @@ -685,9 +809,31 @@ int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsign BIO_printf(bio_err,"out of memory\n"); return 0; } - - memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); - memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + switch (peer.sa.sa_family) + { + case AF_INET: + memcpy(buffer, + &peer.s4.sin_port, + sizeof(peer.s4.sin_port)); + memcpy(buffer + sizeof(peer.s4.sin_port), + &peer.s4.sin_addr, + sizeof(struct in_addr)); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + memcpy(buffer, + &peer.s6.sin6_port, + sizeof(peer.s6.sin6_port)); + memcpy(buffer + sizeof(peer.s6.sin6_port), + &peer.s6.sin6_addr, + sizeof(struct in6_addr)); + break; +#endif + default: + OPENSSL_assert(0); + break; + } /* Calculate HMAC of buffer using the secret */ HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, @@ -704,8 +850,14 @@ int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned { unsigned char *buffer, result[EVP_MAX_MD_SIZE]; unsigned int length, resultlength; - struct sockaddr_in peer; - + union { + struct sockaddr sa; + struct sockaddr_in s4; +#if OPENSSL_USE_IPV6 + struct sockaddr_in6 s6; +#endif + } peer; + /* If secret isn't initialized yet, the cookie can't be valid */ if (!cookie_initialized) return 0; @@ -714,24 +866,61 @@ int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); /* Create buffer with peer's address and port */ - length = sizeof(peer.sin_addr); - length += sizeof(peer.sin_port); - buffer = (unsigned char*) OPENSSL_malloc(length); + length = 0; + switch (peer.sa.sa_family) + { + case AF_INET: + length += sizeof(struct in_addr); + length += sizeof(peer.s4.sin_port); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + length += sizeof(struct in6_addr); + length += sizeof(peer.s6.sin6_port); + break; +#endif + default: + OPENSSL_assert(0); + break; + } + buffer = OPENSSL_malloc(length); if (buffer == NULL) { BIO_printf(bio_err,"out of memory\n"); return 0; } - - memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr)); - memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port)); + + switch (peer.sa.sa_family) + { + case AF_INET: + memcpy(buffer, + &peer.s4.sin_port, + sizeof(peer.s4.sin_port)); + memcpy(buffer + sizeof(peer.s4.sin_port), + &peer.s4.sin_addr, + sizeof(struct in_addr)); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + memcpy(buffer, + &peer.s6.sin6_port, + sizeof(peer.s6.sin6_port)); + memcpy(buffer + sizeof(peer.s6.sin6_port), + &peer.s6.sin6_addr, + sizeof(struct in6_addr)); + break; +#endif + default: + OPENSSL_assert(0); + break; + } /* Calculate HMAC of buffer using the secret */ HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, buffer, length, result, &resultlength); OPENSSL_free(buffer); - + if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) return 1; diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index 54a32ec..fc806eb 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -108,8 +108,35 @@ * Hudson (tjh@cryptsoft.com). * */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ #include <assert.h> +#include <ctype.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -135,23 +162,22 @@ typedef unsigned int u_int; #include <openssl/pem.h> #include <openssl/rand.h> #include <openssl/ocsp.h> +#include <openssl/bn.h> +#ifndef OPENSSL_NO_SRP +#include <openssl/srp.h> +#endif #include "s_apps.h" #include "timeouts.h" -#ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) -#endif - - #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO #endif +#if defined(OPENSSL_SYS_BEOS_R5) +#include <fcntl.h> +#endif + #undef PROG #define PROG s_client_main @@ -166,6 +192,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; +extern int verify_return_error; #ifdef FIONBIO static int c_nbio=0; @@ -179,6 +206,9 @@ static int c_status_req=0; static int c_msg=0; static int c_showcerts=0; +static char *keymatexportlabel=NULL; +static int keymatexportlen=20; + static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT @@ -188,6 +218,69 @@ static BIO *bio_c_out=NULL; static int c_quiet=0; static int c_ign_eof=0; +#ifndef OPENSSL_NO_PSK +/* Default PSK identity and key */ +static char *psk_identity="Client_identity"; +/*char *psk_key=NULL; by default PSK is not used */ + +static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, + unsigned int max_identity_len, unsigned char *psk, + unsigned int max_psk_len) + { + unsigned int psk_len = 0; + int ret; + BIGNUM *bn=NULL; + + if (c_debug) + BIO_printf(bio_c_out, "psk_client_cb\n"); + if (!hint) + { + /* no ServerKeyExchange message*/ + if (c_debug) + BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); + } + else if (c_debug) + BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); + + /* lookup PSK identity and PSK key based on the given identity hint here */ + ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); + if (ret < 0 || (unsigned int)ret > max_identity_len) + goto out_err; + if (c_debug) + BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); + ret=BN_hex2bn(&bn, psk_key); + if (!ret) + { + BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); + if (bn) + BN_free(bn); + return 0; + } + + if ((unsigned int)BN_num_bytes(bn) > max_psk_len) + { + BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", + max_psk_len, BN_num_bytes(bn)); + BN_free(bn); + return 0; + } + + psk_len=BN_bn2bin(bn, psk); + BN_free(bn); + if (psk_len == 0) + goto out_err; + + if (c_debug) + BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); + + return psk_len; + out_err: + if (c_debug) + BIO_printf(bio_err, "Error in PSK client callback\n"); + return 0; + } +#endif + static void sc_usage(void) { BIO_printf(bio_err,"usage: s_client args\n"); @@ -196,7 +289,7 @@ static void sc_usage(void) BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); - BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n"); + BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); @@ -222,12 +315,28 @@ static void sc_usage(void) BIO_printf(bio_err," -quiet - no s_client output\n"); BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); +#ifndef OPENSSL_NO_PSK + BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); + BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif +#endif +#ifndef OPENSSL_NO_SRP + BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n"); + BIO_printf(bio_err," -srppass arg - password for 'user'\n"); + BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); + BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); + BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); +#endif BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); + BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); + BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); - BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); + BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); @@ -248,8 +357,14 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); +# if !defined(OPENSSL_NO_NEXTPROTONEG) + BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); +# endif #endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); + BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); + BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); + BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); } #ifndef OPENSSL_NO_TLSEXT @@ -272,7 +387,158 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } + +#ifndef OPENSSL_NO_SRP + +/* This is a context that we pass to all callbacks */ +typedef struct srp_arg_st + { + char *srppassin; + char *srplogin; + int msg; /* copy from c_msg */ + int debug; /* copy from c_debug */ + int amp; /* allow more groups */ + int strength /* minimal size for N */ ; + } SRP_ARG; + +#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 + +static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g) + { + BN_CTX *bn_ctx = BN_CTX_new(); + BIGNUM *p = BN_new(); + BIGNUM *r = BN_new(); + int ret = + g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && + BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && + p != NULL && BN_rshift1(p, N) && + + /* p = (N-1)/2 */ + BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && + r != NULL && + + /* verify g^((N-1)/2) == -1 (mod N) */ + BN_mod_exp(r, g, p, N, bn_ctx) && + BN_add_word(r, 1) && + BN_cmp(r, N) == 0; + + if(r) + BN_free(r); + if(p) + BN_free(p); + if(bn_ctx) + BN_CTX_free(bn_ctx); + return ret; + } + +/* This callback is used here for two purposes: + - extended debugging + - making some primality tests for unknown groups + The callback is only called for a non default group. + + An application does not need the call back at all if + only the stanard groups are used. In real life situations, + client and server already share well known groups, + thus there is no need to verify them. + Furthermore, in case that a server actually proposes a group that + is not one of those defined in RFC 5054, it is more appropriate + to add the group to a static list and then compare since + primality tests are rather cpu consuming. +*/ + +static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) + { + SRP_ARG *srp_arg = (SRP_ARG *)arg; + BIGNUM *N = NULL, *g = NULL; + if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s))) + return 0; + if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) + { + BIO_printf(bio_err, "SRP parameters:\n"); + BIO_printf(bio_err,"\tN="); BN_print(bio_err,N); + BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g); + BIO_printf(bio_err,"\n"); + } + + if (SRP_check_known_gN_param(g,N)) + return 1; + + if (srp_arg->amp == 1) + { + if (srp_arg->debug) + BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); + +/* The srp_moregroups is a real debugging feature. + Implementors should rather add the value to the known ones. + The minimal size has already been tested. +*/ + if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g)) + return 1; + } + BIO_printf(bio_err, "SRP param N and g rejected.\n"); + return 0; + } + +#define PWD_STRLEN 1024 + +static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) + { + SRP_ARG *srp_arg = (SRP_ARG *)arg; + char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1); + PW_CB_DATA cb_tmp; + int l; + + cb_tmp.password = (char *)srp_arg->srppassin; + cb_tmp.prompt_info = "SRP user"; + if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0) + { + BIO_printf (bio_err, "Can't read Password\n"); + OPENSSL_free(pass); + return NULL; + } + *(pass+l)= '\0'; + + return pass; + } + +#endif + char *srtp_profiles = NULL; + +# ifndef OPENSSL_NO_NEXTPROTONEG +/* This the context that we pass to next_proto_cb */ +typedef struct tlsextnextprotoctx_st { + unsigned char *data; + unsigned short len; + int status; +} tlsextnextprotoctx; + +static tlsextnextprotoctx next_proto; + +static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) + { + tlsextnextprotoctx *ctx = arg; + + if (!c_quiet) + { + /* We can assume that |in| is syntactically valid. */ + unsigned i; + BIO_printf(bio_c_out, "Protocols advertised by server: "); + for (i = 0; i < inlen; ) + { + if (i) + BIO_write(bio_c_out, ", ", 2); + BIO_write(bio_c_out, &in[i + 1], in[i]); + i += in[i] + 1; + } + BIO_write(bio_c_out, "\n", 1); + } + + ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); + return SSL_TLSEXT_ERR_OK; + } +# endif #endif + enum { PROTO_OFF = 0, @@ -287,9 +553,11 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - int off=0, clr = 0; - SSL *con=NULL,*con2=NULL; - X509_STORE *store = NULL; + unsigned int off=0, clr=0; + SSL *con=NULL; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; +#endif int s,k,width,state=0; char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; int cbuf_len,cbuf_off; @@ -310,12 +578,11 @@ int MAIN(int argc, char **argv) SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; int starttls_proto = PROTO_OFF; - int prexit = 0, vflags = 0; - SSL_METHOD *meth=NULL; -#ifdef sock_type -#undef sock_type -#endif - int sock_type=SOCK_STREAM; + int prexit = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; + const SSL_METHOD *meth=NULL; + int socket_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; int mbuf_len=0; @@ -326,14 +593,19 @@ int MAIN(int argc, char **argv) ENGINE *ssl_client_engine=NULL; #endif ENGINE *e=NULL; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) struct timeval tv; +#if defined(OPENSSL_SYS_BEOS_R5) + int stdin_set = 0; +#endif #endif - #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; tlsextctx tlsextcbp = {NULL,0}; +# ifndef OPENSSL_NO_NEXTPROTONEG + const char *next_proto_neg_in = NULL; +# endif #endif char *sess_in = NULL; char *sess_out = NULL; @@ -344,6 +616,11 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_JPAKE char *jpake_secret = NULL; #endif +#ifndef OPENSSL_NO_SRP + char * srppass = NULL; + int srp_lateuser = 0; + SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; +#endif meth=SSLv23_client_method(); @@ -423,10 +700,14 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_format = str2fmt(*(++argv)); } - else if (strcmp(*argv,"-crl_check") == 0) - vflags |= X509_V_FLAG_CRL_CHECK; - else if (strcmp(*argv,"-crl_check_all") == 0) - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) + { + if (badarg) + goto bad; + continue; + } + else if (strcmp(*argv,"-verify_return_error") == 0) + verify_return_error = 1; else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -462,6 +743,58 @@ int MAIN(int argc, char **argv) nbio_test=1; else if (strcmp(*argv,"-state") == 0) state=1; +#ifndef OPENSSL_NO_PSK + else if (strcmp(*argv,"-psk_identity") == 0) + { + if (--argc < 1) goto bad; + psk_identity=*(++argv); + } + else if (strcmp(*argv,"-psk") == 0) + { + size_t j; + + if (--argc < 1) goto bad; + psk_key=*(++argv); + for (j = 0; j < strlen(psk_key); j++) + { + if (isxdigit((unsigned char)psk_key[j])) + continue; + BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); + goto bad; + } + } +#endif +#ifndef OPENSSL_NO_SRP + else if (strcmp(*argv,"-srpuser") == 0) + { + if (--argc < 1) goto bad; + srp_arg.srplogin= *(++argv); + meth=TLSv1_client_method(); + } + else if (strcmp(*argv,"-srppass") == 0) + { + if (--argc < 1) goto bad; + srppass= *(++argv); + meth=TLSv1_client_method(); + } + else if (strcmp(*argv,"-srp_strength") == 0) + { + if (--argc < 1) goto bad; + srp_arg.strength=atoi(*(++argv)); + BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength); + meth=TLSv1_client_method(); + } + else if (strcmp(*argv,"-srp_lateuser") == 0) + { + srp_lateuser= 1; + meth=TLSv1_client_method(); + } + else if (strcmp(*argv,"-srp_moregroups") == 0) + { + srp_arg.amp=1; + meth=TLSv1_client_method(); + } +#endif #ifndef OPENSSL_NO_SSL2 else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); @@ -471,6 +804,10 @@ int MAIN(int argc, char **argv) meth=SSLv3_client_method(); #endif #ifndef OPENSSL_NO_TLS1 + else if (strcmp(*argv,"-tls1_2") == 0) + meth=TLSv1_2_client_method(); + else if (strcmp(*argv,"-tls1_1") == 0) + meth=TLSv1_1_client_method(); else if (strcmp(*argv,"-tls1") == 0) meth=TLSv1_client_method(); #endif @@ -478,7 +815,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-dtls1") == 0) { meth=DTLSv1_client_method(); - sock_type=SOCK_DGRAM; + socket_type=SOCK_DGRAM; } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; @@ -519,15 +856,28 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-no_tls1_2") == 0) + off|=SSL_OP_NO_TLSv1_2; + else if (strcmp(*argv,"-no_tls1_1") == 0) + off|=SSL_OP_NO_TLSv1_1; else if (strcmp(*argv,"-no_tls1") == 0) off|=SSL_OP_NO_TLSv1; else if (strcmp(*argv,"-no_ssl3") == 0) off|=SSL_OP_NO_SSLv3; else if (strcmp(*argv,"-no_ssl2") == 0) off|=SSL_OP_NO_SSLv2; + else if (strcmp(*argv,"-no_comp") == 0) + { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-no_ticket") == 0) { off|=SSL_OP_NO_TICKET; } +# ifndef OPENSSL_NO_NEXTPROTONEG + else if (strcmp(*argv,"-nextprotoneg") == 0) + { + if (--argc < 1) goto bad; + next_proto_neg_in = *(++argv); + } +# endif #endif else if (strcmp(*argv,"-serverpref") == 0) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; @@ -595,7 +945,23 @@ int MAIN(int argc, char **argv) jpake_secret = *++argv; } #endif - else + else if (strcmp(*argv,"-use_srtp") == 0) + { + if (--argc < 1) goto bad; + srtp_profiles = *(++argv); + } + else if (strcmp(*argv,"-keymatexport") == 0) + { + if (--argc < 1) goto bad; + keymatexportlabel= *(++argv); + } + else if (strcmp(*argv,"-keymatexportlen") == 0) + { + if (--argc < 1) goto bad; + keymatexportlen=atoi(*(++argv)); + if (keymatexportlen == 0) goto bad; + } + else { BIO_printf(bio_err,"unknown option %s\n",*argv); badop=1; @@ -611,9 +977,43 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; + } +#endif + OpenSSL_add_ssl_algorithms(); SSL_load_error_strings(); +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + next_proto.status = -1; + if (next_proto_neg_in) + { + next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); + if (next_proto.data == NULL) + { + BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); + goto end; + } + } + else + next_proto.data = NULL; +#endif + #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); if (ssl_client_engine_id) @@ -626,6 +1026,7 @@ bad: goto end; } } + #endif if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { @@ -686,6 +1087,14 @@ bad: } } +#ifndef OPENSSL_NO_SRP + if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) + { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } +#endif + ctx=SSL_CTX_new(meth); if (ctx == NULL) { @@ -693,6 +1102,9 @@ bad: goto end; } + if (vpm) + SSL_CTX_set1_param(ctx, vpm); + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -707,6 +1119,20 @@ bad: } #endif +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE + if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif + { + if (c_debug) + BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); + SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); + } + if (srtp_profiles != NULL) + SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); +#endif if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else @@ -717,7 +1143,12 @@ bad: /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ - if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); + if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); + +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.data) + SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); +#endif if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) @@ -743,8 +1174,6 @@ bad: /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { @@ -752,6 +1181,24 @@ bad: SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } +#ifndef OPENSSL_NO_SRP + if (srp_arg.srplogin) + { + if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) + { + BIO_printf(bio_err,"Unable to set SRP username\n"); + goto end; + } + srp_arg.msg = c_msg; + srp_arg.debug = c_debug ; + SSL_CTX_set_srp_cb_arg(ctx,&srp_arg); + SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); + SSL_CTX_set_srp_strength(ctx, srp_arg.strength); + if (c_msg || c_debug || srp_arg.amp == 0) + SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); + } + +#endif #endif con=SSL_new(ctx); @@ -789,18 +1236,23 @@ bad: } } #endif - #ifndef OPENSSL_NO_KRB5 - if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL) + if (con && (kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host); + SSL_set0_kssl_ctx(con, kctx); + kssl_ctx_setstring(kctx, KSSL_SERVER, host); } #endif /* OPENSSL_NO_KRB5 */ /* SSL_set_cipher_list(con,"RC4-MD5"); */ +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input + SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); +#endif +#endif re_start: - if (init_client(&s,host,port,sock_type) == 0) + if (init_client(&s,host,port,socket_type) == 0) { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); @@ -820,7 +1272,7 @@ re_start: } } #endif - if (c_Pause & 0x01) con->debug=1; + if (c_Pause & 0x01) SSL_set_debug(con, 1); if ( SSL_version(con) == DTLS1_VERSION) { @@ -836,7 +1288,7 @@ re_start: (void)BIO_ctrl_set_connected(sbio, 1, &peer); - if ( enable_timeouts) + if (enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; @@ -869,7 +1321,7 @@ re_start: if (c_debug) { - con->debug=1; + SSL_set_debug(con, 1); BIO_set_callback(sbio,bio_dump_callback); BIO_set_callback_arg(sbio,(char *)bio_c_out); } @@ -1057,6 +1509,14 @@ SSL_set_tlsext_status_ids(con, ids); if (in_init) { in_init=0; +#if 0 /* This test doesn't really work as intended (needs to be fixed) */ +#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL && !SSL_session_reused(con)) + { + BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); + } +#endif +#endif if (sess_out) { BIO *stmp = BIO_new_file(sess_out, "w"); @@ -1094,22 +1554,22 @@ SSL_set_tlsext_status_ids(con, ids); if (!ssl_pending) { -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5) if (tty_on) { - if (read_tty) FD_SET(fileno(stdin),&readfds); - if (write_tty) FD_SET(fileno(stdout),&writefds); + if (read_tty) openssl_fdset(fileno(stdin),&readfds); + if (write_tty) openssl_fdset(fileno(stdout),&writefds); } if (read_ssl) - FD_SET(SSL_get_fd(con),&readfds); + openssl_fdset(SSL_get_fd(con),&readfds); if (write_ssl) - FD_SET(SSL_get_fd(con),&writefds); + openssl_fdset(SSL_get_fd(con),&writefds); #else if(!tty_on || !write_tty) { if (read_ssl) - FD_SET(SSL_get_fd(con),&readfds); + openssl_fdset(SSL_get_fd(con),&readfds); if (write_ssl) - FD_SET(SSL_get_fd(con),&writefds); + openssl_fdset(SSL_get_fd(con),&writefds); } #endif /* printf("mode tty(%d %d%d) ssl(%d%d)\n", @@ -1154,6 +1614,25 @@ SSL_set_tlsext_status_ids(con, ids); } else i=select(width,(void *)&readfds,(void *)&writefds, NULL,timeoutp); } +#elif defined(OPENSSL_SYS_BEOS_R5) + /* Under BeOS-R5 the situation is similar to DOS */ + i=0; + stdin_set = 0; + (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); + if(!write_tty) { + if(read_tty) { + tv.tv_sec = 1; + tv.tv_usec = 0; + i=select(width,(void *)&readfds,(void *)&writefds, + NULL,&tv); + if (read(fileno(stdin), sbuf, 0) >= 0) + stdin_set = 1; + if (!i && (stdin_set != 1 || !read_tty)) + continue; + } else i=select(width,(void *)&readfds,(void *)&writefds, + NULL,timeoutp); + } + (void)fcntl(fileno(stdin), F_SETFL, 0); #else i=select(width,(void *)&readfds,(void *)&writefds, NULL,timeoutp); @@ -1212,6 +1691,7 @@ SSL_set_tlsext_status_ids(con, ids); if (cbuf_len != 0) { BIO_printf(bio_c_out,"shutdown\n"); + ret = 0; goto shut; } else @@ -1239,8 +1719,8 @@ SSL_set_tlsext_status_ids(con, ids); goto shut; } } -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) - /* Assume Windows/DOS can always write */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) + /* Assume Windows/DOS/BeOS can always write */ else if (!ssl_pending && write_tty) #else else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) @@ -1249,11 +1729,12 @@ SSL_set_tlsext_status_ids(con, ids); #ifdef CHARSET_EBCDIC ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); #endif - i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len); + i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len); if (i <= 0) { BIO_printf(bio_c_out,"DONE\n"); + ret = 0; goto shut; /* goto end; */ } @@ -1308,10 +1789,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 BIO_printf(bio_c_out,"read X BLOCK\n"); break; case SSL_ERROR_SYSCALL: - BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error()); + ret=get_last_socket_error(); + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); + ret=0; goto shut; case SSL_ERROR_SSL: ERR_print_errors(bio_err); @@ -1327,7 +1810,9 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) #endif #elif defined (OPENSSL_SYS_NETWARE) - else if (_kbhit()) + else if (_kbhit()) +#elif defined(OPENSSL_SYS_BEOS_R5) + else if (stdin_set) #else else if (FD_ISSET(fileno(stdin),&readfds)) #endif @@ -1336,7 +1821,7 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 { int j, lf_num; - i=read(fileno(stdin),cbuf,BUFSIZZ/2); + i=raw_read_stdin(cbuf,BUFSIZZ/2); lf_num = 0; /* both loops are skipped when i <= 0 */ for (j = 0; j < i; j++) @@ -1355,11 +1840,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 assert(lf_num == 0); } else - i=read(fileno(stdin),cbuf,BUFSIZZ); + i=raw_read_stdin(cbuf,BUFSIZZ); if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { BIO_printf(bio_err,"DONE\n"); + ret=0; goto shut; } @@ -1369,6 +1855,14 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 SSL_renegotiate(con); cbuf_len=0; } +#ifndef OPENSSL_NO_HEARTBEATS + else if ((!c_ign_eof) && (cbuf[0] == 'B')) + { + BIO_printf(bio_err,"HEARTBEATING\n"); + SSL_heartbeat(con); + cbuf_len=0; + } +#endif else { cbuf_len=i; @@ -1382,14 +1876,20 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 read_tty=0; } } + + ret=0; shut: + if (in_init) + print_stuff(bio_c_out,con,full_log); SSL_shutdown(con); SHUTDOWN(SSL_get_fd(con)); - ret=0; end: - if(prexit) print_stuff(bio_c_out,con,1); - if (con != NULL) SSL_free(con); - if (con2 != NULL) SSL_free(con2); + if (con != NULL) + { + if (prexit != 0) + print_stuff(bio_c_out,con,1); + SSL_free(con); + } if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); @@ -1418,12 +1918,13 @@ static void print_stuff(BIO *bio, SSL *s, int full) char buf[BUFSIZ]; STACK_OF(X509) *sk; STACK_OF(X509_NAME) *sk2; - SSL_CIPHER *c; + const SSL_CIPHER *c; X509_NAME *xn; int j,i; #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; #endif + unsigned char *exportedkeymat; if (full) { @@ -1514,7 +2015,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } - BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, ")); + BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, ")); c=SSL_get_current_cipher(s); BIO_printf(bio,"%s, Cipher is %s\n", SSL_CIPHER_get_version(c), @@ -1536,7 +2037,66 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); #endif + +#ifdef SSL_DEBUG + { + /* Print out local port of connection: useful for debugging */ + int sock; + struct sockaddr_in ladd; + socklen_t ladd_size = sizeof(ladd); + sock = SSL_get_fd(s); + getsockname(sock, (struct sockaddr *)&ladd, &ladd_size); + BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); + } +#endif + +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.status != -1) { + const unsigned char *proto; + unsigned int proto_len; + SSL_get0_next_proto_negotiated(s, &proto, &proto_len); + BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); + BIO_write(bio, proto, proto_len); + BIO_write(bio, "\n", 1); + } +#endif + + { + SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); + + if(srtp_profile) + BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n", + srtp_profile->name); + } + SSL_SESSION_print(bio,SSL_get_session(s)); + if (keymatexportlabel != NULL) + { + BIO_printf(bio, "Keying material exporter:\n"); + BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); + exportedkeymat = OPENSSL_malloc(keymatexportlen); + if (exportedkeymat != NULL) + { + if (!SSL_export_keying_material(s, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) + { + BIO_printf(bio, " Error\n"); + } + else + { + BIO_printf(bio, " Keying material: "); + for (i=0; i<keymatexportlen; i++) + BIO_printf(bio, "%02X", + exportedkeymat[i]); + BIO_printf(bio, "\n"); + } + OPENSSL_free(exportedkeymat); + } + } BIO_printf(bio,"---\n"); if (peer != NULL) X509_free(peer); @@ -1571,4 +2131,5 @@ static int ocsp_resp_cb(SSL *s, void *arg) OCSP_RESPONSE_free(rsp); return 1; } -#endif /* ndef OPENSSL_NO_TLSEXT */ + +#endif diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index d1d3ccc..3f9b370 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -113,6 +113,32 @@ * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ /* Until the key-gen callbacks are modified to use newer prototypes, we allow * deprecated functions for openssl-internal code */ @@ -121,11 +147,11 @@ #endif #include <assert.h> +#include <ctype.h> #include <stdio.h> #include <stdlib.h> #include <string.h> -#include <sys/stat.h> #include <openssl/e_os2.h> #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 @@ -160,22 +186,21 @@ typedef unsigned int u_int; #ifndef OPENSSL_NO_RSA #include <openssl/rsa.h> #endif +#ifndef OPENSSL_NO_SRP +#include <openssl/srp.h> +#endif #include "s_apps.h" #include "timeouts.h" -#ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) -#endif - #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO #endif +#if defined(OPENSSL_SYS_BEOS_R5) +#include <fcntl.h> +#endif + #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif @@ -196,14 +221,6 @@ static DH *get_dh512(void); static void s_server_init(void); #endif -#ifndef S_ISDIR -# if defined(_S_IFMT) && defined(_S_IFDIR) -# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) -# else -# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) -# endif -#endif - #ifndef OPENSSL_NO_DH static unsigned char dh512_p[]={ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, @@ -245,7 +262,7 @@ static int accept_socket= -1; #undef PROG #define PROG s_server_main -extern int verify_depth; +extern int verify_depth, verify_return_error; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; @@ -276,6 +293,9 @@ static int cert_status_cb(SSL *s, void *arg); static int s_msg=0; static int s_quiet=0; +static char *keymatexportlabel=NULL; +static int keymatexportlen=20; + static int hack=0; #ifndef OPENSSL_NO_ENGINE static char *engine_id=NULL; @@ -289,6 +309,119 @@ static int cert_chain = 0; #endif +#ifndef OPENSSL_NO_PSK +static char *psk_identity="Client_identity"; +char *psk_key=NULL; /* by default PSK is not used */ + +static unsigned int psk_server_cb(SSL *ssl, const char *identity, + unsigned char *psk, unsigned int max_psk_len) + { + unsigned int psk_len = 0; + int ret; + BIGNUM *bn = NULL; + + if (s_debug) + BIO_printf(bio_s_out,"psk_server_cb\n"); + if (!identity) + { + BIO_printf(bio_err,"Error: client did not send PSK identity\n"); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out,"identity_len=%d identity=%s\n", + identity ? (int)strlen(identity) : 0, identity); + + /* here we could lookup the given identity e.g. from a database */ + if (strcmp(identity, psk_identity) != 0) + { + BIO_printf(bio_s_out, "PSK error: client identity not found" + " (got '%s' expected '%s')\n", identity, + psk_identity); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out, "PSK client identity found\n"); + + /* convert the PSK key to binary */ + ret = BN_hex2bn(&bn, psk_key); + if (!ret) + { + BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); + if (bn) + BN_free(bn); + return 0; + } + if (BN_num_bytes(bn) > (int)max_psk_len) + { + BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", + max_psk_len, BN_num_bytes(bn)); + BN_free(bn); + return 0; + } + + ret = BN_bn2bin(bn, psk); + BN_free(bn); + + if (ret < 0) + goto out_err; + psk_len = (unsigned int)ret; + + if (s_debug) + BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); + return psk_len; + out_err: + if (s_debug) + BIO_printf(bio_err, "Error in PSK server callback\n"); + return 0; + } +#endif + +#ifndef OPENSSL_NO_SRP +/* This is a context that we pass to callbacks */ +typedef struct srpsrvparm_st + { + char *login; + SRP_VBASE *vb; + SRP_user_pwd *user; + } srpsrvparm; + +/* This callback pretends to require some asynchronous logic in order to obtain + a verifier. When the callback is called for a new connection we return + with a negative value. This will provoke the accept etc to return with + an LOOKUP_X509. The main logic of the reinvokes the suspended call + (which would normally occur after a worker has finished) and we + set the user parameters. +*/ +static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) + { + srpsrvparm *p = (srpsrvparm *)arg; + if (p->login == NULL && p->user == NULL ) + { + p->login = SSL_get_srp_username(s); + BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); + return (-1) ; + } + + if (p->user == NULL) + { + BIO_printf(bio_err, "User %s doesn't exist\n", p->login); + return SSL3_AL_FATAL; + } + if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v, + p->user->info) < 0) + { + *ad = SSL_AD_INTERNAL_ERROR; + return SSL3_AL_FATAL; + } + BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info); + /* need to check whether there are memory leaks */ + p->user = NULL; + p->login = NULL; + return SSL_ERROR_NONE; + } + +#endif + #ifdef MONOLITH static void s_server_init(void) { @@ -352,7 +485,7 @@ static void sv_usage(void) #ifndef OPENSSL_NO_ECDH BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is sect163r2).\n"); + " (default is nistp256).\n"); #endif #ifdef FIONBIO BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); @@ -369,8 +502,21 @@ static void sv_usage(void) BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); BIO_printf(bio_err," -quiet - No server output\n"); BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); +#ifndef OPENSSL_NO_PSK + BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); + BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif +#endif +#ifndef OPENSSL_NO_SRP + BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); + BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); +#endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); + BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); + BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); @@ -379,6 +525,8 @@ static void sv_usage(void) BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); + BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); + BIO_printf(bio_err," -no_tls1_2 - Just disable TLSv1.2\n"); #ifndef OPENSSL_NO_DH BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); #endif @@ -405,7 +553,13 @@ static void sv_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +# ifndef OPENSSL_NO_NEXTPROTONEG + BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); +# endif + BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); #endif + BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); + BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); } static int local_argc=0; @@ -587,7 +741,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return p->extension_error; if (ctx2) { - BIO_printf(p->biodebug,"Swiching server context.\n"); + BIO_printf(p->biodebug,"Switching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } @@ -626,7 +780,7 @@ static int cert_status_cb(SSL *s, void *arg) int use_ssl; unsigned char *rspder = NULL; int rspderlen; - STACK *aia = NULL; + STACK_OF(OPENSSL_STRING) *aia = NULL; X509 *x = NULL; X509_STORE_CTX inctx; X509_OBJECT obj; @@ -648,7 +802,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); aia = X509_get1_ocsp(x); if (aia) { - if (!OCSP_parse_url(sk_value(aia, 0), + if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &host, &port, &path, &use_ssl)) { BIO_puts(err, "cert_status: can't parse AIA URL\n"); @@ -656,7 +810,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); } if (srctx->verbose) BIO_printf(err, "cert_status: AIA URL: %s\n", - sk_value(aia, 0)); + sk_OPENSSL_STRING_value(aia, 0)); } else { @@ -701,7 +855,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err; } - resp = process_responder(err, req, host, path, port, use_ssl, + resp = process_responder(err, req, host, path, port, use_ssl, NULL, srctx->timeout); if (!resp) { @@ -739,17 +893,42 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); ret = SSL_TLSEXT_ERR_ALERT_FATAL; goto done; } + +# ifndef OPENSSL_NO_NEXTPROTONEG +/* This is the context that we pass to next_proto_cb */ +typedef struct tlsextnextprotoctx_st { + unsigned char *data; + unsigned int len; +} tlsextnextprotoctx; + +static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg) + { + tlsextnextprotoctx *next_proto = arg; + + *data = next_proto->data; + *len = next_proto->len; + + return SSL_TLSEXT_ERR_OK; + } +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ + + #endif + int MAIN(int, char **); #ifndef OPENSSL_NO_JPAKE static char *jpake_secret = NULL; #endif +#ifndef OPENSSL_NO_SRP + static srpsrvparm srp_callback_parm; +#endif +static char *srtp_profiles = NULL; int MAIN(int argc, char *argv[]) { - X509_STORE *store = NULL; - int vflags = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; @@ -762,8 +941,8 @@ int MAIN(int argc, char *argv[]) int off=0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; - SSL_METHOD *meth=NULL; - int socket_type=SOCK_STREAM; + const SSL_METHOD *meth=NULL; + int socket_type=SOCK_STREAM; ENGINE *e=NULL; char *inrand=NULL; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; @@ -776,11 +955,20 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; +# ifndef OPENSSL_NO_NEXTPROTONEG + const char *next_proto_neg_in = NULL; + tlsextnextprotoctx next_proto; +# endif +#endif +#ifndef OPENSSL_NO_PSK + /* by default do not send a PSK identity hint */ + static char *psk_identity_hint=NULL; +#endif +#ifndef OPENSSL_NO_SRP + char *srpuserseed = NULL; + char *srp_verifier_file = NULL; #endif - meth=SSLv23_server_method(); local_argc=argc; @@ -908,14 +1096,14 @@ int MAIN(int argc, char *argv[]) } else if (strcmp(*argv,"-no_cache") == 0) no_cache = 1; - else if (strcmp(*argv,"-crl_check") == 0) - { - vflags |= X509_V_FLAG_CRL_CHECK; - } - else if (strcmp(*argv,"-crl_check_all") == 0) + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + if (badarg) + goto bad; + continue; } + else if (strcmp(*argv,"-verify_return_error") == 0) + verify_return_error = 1; else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } else if (strcmp(*argv,"-legacy_renegotiation") == 0) @@ -992,6 +1180,41 @@ int MAIN(int argc, char *argv[]) { no_dhe=1; } else if (strcmp(*argv,"-no_ecdhe") == 0) { no_ecdhe=1; } +#ifndef OPENSSL_NO_PSK + else if (strcmp(*argv,"-psk_hint") == 0) + { + if (--argc < 1) goto bad; + psk_identity_hint= *(++argv); + } + else if (strcmp(*argv,"-psk") == 0) + { + size_t i; + + if (--argc < 1) goto bad; + psk_key=*(++argv); + for (i=0; i<strlen(psk_key); i++) + { + if (isxdigit((unsigned char)psk_key[i])) + continue; + BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); + goto bad; + } + } +#endif +#ifndef OPENSSL_NO_SRP + else if (strcmp(*argv, "-srpvfile") == 0) + { + if (--argc < 1) goto bad; + srp_verifier_file = *(++argv); + meth=TLSv1_server_method(); + } + else if (strcmp(*argv, "-srpuserseed") == 0) + { + if (--argc < 1) goto bad; + srpuserseed = *(++argv); + meth=TLSv1_server_method(); + } +#endif else if (strcmp(*argv,"-www") == 0) { www=1; } else if (strcmp(*argv,"-WWW") == 0) @@ -1004,6 +1227,12 @@ int MAIN(int argc, char *argv[]) { off|=SSL_OP_NO_SSLv3; } else if (strcmp(*argv,"-no_tls1") == 0) { off|=SSL_OP_NO_TLSv1; } + else if (strcmp(*argv,"-no_tls1_1") == 0) + { off|=SSL_OP_NO_TLSv1_1; } + else if (strcmp(*argv,"-no_tls1_2") == 0) + { off|=SSL_OP_NO_TLSv1_2; } + else if (strcmp(*argv,"-no_comp") == 0) + { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-no_ticket") == 0) { off|=SSL_OP_NO_TICKET; } @@ -1019,6 +1248,10 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLS1 else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } + else if (strcmp(*argv,"-tls1_1") == 0) + { meth=TLSv1_1_server_method(); } + else if (strcmp(*argv,"-tls1_2") == 0) + { meth=TLSv1_2_server_method(); } #endif #ifndef OPENSSL_NO_DTLS1 else if (strcmp(*argv,"-dtls1") == 0) @@ -1071,15 +1304,37 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } - +# ifndef OPENSSL_NO_NEXTPROTONEG + else if (strcmp(*argv,"-nextprotoneg") == 0) + { + if (--argc < 1) goto bad; + next_proto_neg_in = *(++argv); + } +# endif #endif -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) { if (--argc < 1) goto bad; jpake_secret = *(++argv); } #endif + else if (strcmp(*argv,"-use_srtp") == 0) + { + if (--argc < 1) goto bad; + srtp_profiles = *(++argv); + } + else if (strcmp(*argv,"-keymatexport") == 0) + { + if (--argc < 1) goto bad; + keymatexportlabel= *(++argv); + } + else if (strcmp(*argv,"-keymatexportlen") == 0) + { + if (--argc < 1) goto bad; + keymatexportlen=atoi(*(++argv)); + if (keymatexportlen == 0) goto bad; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1096,6 +1351,26 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; + } + +#endif + SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -1156,8 +1431,26 @@ bad: goto end; } } + +# ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto_neg_in) + { + unsigned short len; + next_proto.data = next_protos_parse(&len, + next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + next_proto.len = len; + } + else + { + next_proto.data = NULL; + } +# endif #endif } + + if (s_dcert_file) { @@ -1257,6 +1550,9 @@ bad: else SSL_CTX_sess_set_cache_size(ctx,128); + if (srtp_profiles != NULL) + SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); + #if 0 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); #endif @@ -1276,8 +1572,9 @@ bad: ERR_print_errors(bio_err); /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx, vpm); + #ifndef OPENSSL_NO_TLSEXT if (s_cert2) { @@ -1313,13 +1610,11 @@ bad: if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx2,off); - /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); - if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); if (no_cache) @@ -1332,11 +1627,15 @@ bad: { ERR_print_errors(bio_err); } - store = SSL_CTX_get_cert_store(ctx2); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx2, vpm); } -#endif +# ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto.data) + SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); +# endif +#endif #ifndef OPENSSL_NO_DH if (!no_dhe) @@ -1413,10 +1712,10 @@ bad: else { BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); - ecdh = EC_KEY_new_by_curve_name(NID_sect163r2); + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (sect163r2)\n"); + BIO_printf(bio_err, "unable to create curve (nistp256)\n"); goto end; } } @@ -1451,7 +1750,7 @@ bad: #ifndef OPENSSL_NO_TLSEXT if (ctx2) SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); -#endif +#endif } #else if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) @@ -1484,11 +1783,34 @@ bad: #endif #endif - if (cipher != NULL) - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { - BIO_printf(bio_err,"error setting cipher list\n"); +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE + if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif + { + if (s_debug) + BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); + SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); + } + + if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) + { + BIO_printf(bio_err,"error setting PSK identity hint to context\n"); ERR_print_errors(bio_err); goto end; + } +#endif + + if (cipher != NULL) + { + if(!SSL_CTX_set_cipher_list(ctx,cipher)) + { + BIO_printf(bio_err,"error setting cipher list\n"); + ERR_print_errors(bio_err); + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) { @@ -1497,7 +1819,7 @@ bad: goto end; } #endif - } + } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); @@ -1520,6 +1842,26 @@ bad: SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } #endif + +#ifndef OPENSSL_NO_SRP + if (srp_verifier_file != NULL) + { + srp_callback_parm.vb = SRP_VBASE_new(srpuserseed); + srp_callback_parm.user = NULL; + srp_callback_parm.login = NULL; + if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) + { + BIO_printf(bio_err, + "Cannot initialize SRP verifier file \"%s\":ret=%d\n", + srp_verifier_file, ret); + goto end; + } + SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback); + SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); + SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); + } + else +#endif if (CAfile != NULL) { SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); @@ -1528,7 +1870,9 @@ bad: SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile)); #endif } + BIO_printf(bio_s_out,"ACCEPT\n"); + (void)BIO_flush(bio_s_out); if (www) do_server(port,socket_type,&accept_socket,www_body, context); else @@ -1599,8 +1943,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; +#endif struct timeval timeout; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) struct timeval tv; #else struct timeval *timeoutp; @@ -1639,12 +1986,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) } #endif #ifndef OPENSSL_NO_KRB5 - if ((con->kssl_ctx = kssl_ctx_new()) != NULL) + if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, - KRB5SVC); - kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, - KRB5KEYTAB); + SSL_set0_kssl_ctx(con, kctx); + kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); + kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); } #endif /* OPENSSL_NO_KRB5 */ if(context) @@ -1652,13 +1998,18 @@ static int sv_body(char *hostname, int s, unsigned char *context) strlen((char *)context)); } SSL_clear(con); +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input + SSL_set_tlsext_opaque_prf_input(con, "Test server", 11); +#endif +#endif if (SSL_version(con) == DTLS1_VERSION) { sbio=BIO_new_dgram(s,BIO_NOCLOSE); - if ( enable_timeouts) + if (enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; @@ -1669,7 +2020,6 @@ static int sv_body(char *hostname, int s, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); @@ -1703,7 +2053,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (s_debug) { - con->debug=1; + SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } @@ -1732,10 +2082,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (!read_from_sslcon) { FD_ZERO(&readfds); -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) - FD_SET(fileno(stdin),&readfds); +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5) + openssl_fdset(fileno(stdin),&readfds); #endif - FD_SET(s,&readfds); + openssl_fdset(s,&readfds); /* Note: under VMS with SOCKETSHR the second parameter is * currently of type (int *) whereas under other systems * it is (void *) if you don't have a cast it will choke @@ -1754,6 +2104,17 @@ static int sv_body(char *hostname, int s, unsigned char *context) if((i < 0) || (!i && !_kbhit() ) )continue; if(_kbhit()) read_from_terminal = 1; +#elif defined(OPENSSL_SYS_BEOS_R5) + /* Under BeOS-R5 the situation is similar to DOS */ + tv.tv_sec = 1; + tv.tv_usec = 0; + (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); + i=select(width,(void *)&readfds,NULL,NULL,&tv); + if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0)) + continue; + if (read(fileno(stdin), buf, 0) >= 0) + read_from_terminal = 1; + (void)fcntl(fileno(stdin), F_SETFL, 0); #else if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_get_timeout(con, &timeout)) @@ -1781,7 +2142,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) { int j, lf_num; - i=read(fileno(stdin), buf, bufsize/2); + i=raw_read_stdin(buf, bufsize/2); lf_num = 0; /* both loops are skipped when i <= 0 */ for (j = 0; j < i; j++) @@ -1800,7 +2161,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) assert(lf_num == 0); } else - i=read(fileno(stdin),buf,bufsize); + i=raw_read_stdin(buf,bufsize); if (!s_quiet) { if ((i <= 0) || (buf[0] == 'Q')) @@ -1820,6 +2181,17 @@ static int sv_body(char *hostname, int s, unsigned char *context) ret= -11;*/ goto err; } + +#ifndef OPENSSL_NO_HEARTBEATS + if ((buf[0] == 'B') && + ((buf[1] == '\n') || (buf[1] == '\r'))) + { + BIO_printf(bio_err,"HEARTBEATING\n"); + SSL_heartbeat(con); + i=0; + continue; + } +#endif if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) { @@ -1863,6 +2235,18 @@ static int sv_body(char *hostname, int s, unsigned char *context) { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } } #endif k=SSL_write(con,&(buf[l]),(unsigned int)i); +#ifndef OPENSSL_NO_SRP + while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP renego during write\n"); + srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else + BIO_printf(bio_s_out,"LOOKUP not successful\n"); + k=SSL_write(con,&(buf[l]),(unsigned int)i); + } +#endif switch (SSL_get_error(con,k)) { case SSL_ERROR_NONE: @@ -1910,19 +2294,30 @@ static int sv_body(char *hostname, int s, unsigned char *context) { again: i=SSL_read(con,(char *)buf,bufsize); +#ifndef OPENSSL_NO_SRP + while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP renego during read\n"); + srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else + BIO_printf(bio_s_out,"LOOKUP not successful\n"); + i=SSL_read(con,(char *)buf,bufsize); + } +#endif switch (SSL_get_error(con,i)) { case SSL_ERROR_NONE: #ifdef CHARSET_EBCDIC ascii2ebcdic(buf,buf,i); #endif - write(fileno(stdout),buf, + raw_write_stdout(buf, (unsigned int)i); if (SSL_pending(con)) goto again; break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_X509_LOOKUP: BIO_printf(bio_s_out,"Read BLOCK\n"); break; case SSL_ERROR_SYSCALL: @@ -1940,13 +2335,16 @@ again: } } err: - BIO_printf(bio_s_out,"shutting down SSL\n"); + if (con != NULL) + { + BIO_printf(bio_s_out,"shutting down SSL\n"); #if 1 - SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #else - SSL_shutdown(con); + SSL_shutdown(con); #endif - if (con != NULL) SSL_free(con); + SSL_free(con); + } BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); if (buf != NULL) { @@ -1974,8 +2372,30 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; MS_STATIC char buf[BUFSIZ]; +#ifndef OPENSSL_NO_KRB5 + char *client_princ; +#endif +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + const unsigned char *next_proto_neg; + unsigned next_proto_neg_len; +#endif + unsigned char *exportedkeymat; + - if ((i=SSL_accept(con)) <= 0) + i=SSL_accept(con); +#ifndef OPENSSL_NO_SRP + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); + srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else + BIO_printf(bio_s_out,"LOOKUP not successful\n"); + i=SSL_accept(con); + } +#endif + if (i <= 0) { if (BIO_sock_should_retry(i)) { @@ -2013,19 +2433,67 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); - if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n"); +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); + if (next_proto_neg) + { + BIO_printf(bio_s_out,"NEXTPROTO is "); + BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); + BIO_printf(bio_s_out, "\n"); + } +#endif + { + SRTP_PROTECTION_PROFILE *srtp_profile + = SSL_get_selected_srtp_profile(con); + + if(srtp_profile) + BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n", + srtp_profile->name); + } + if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) - BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n"); + BIO_printf(bio_s_out, + "Peer has incorrect TLSv1 block padding\n"); #ifndef OPENSSL_NO_KRB5 - if (con->kssl_ctx->client_princ != NULL) + client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con)); + if (client_princ != NULL) { BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", - con->kssl_ctx->client_princ); + client_princ); } #endif /* OPENSSL_NO_KRB5 */ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); + if (keymatexportlabel != NULL) + { + BIO_printf(bio_s_out, "Keying material exporter:\n"); + BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio_s_out, " Length: %i bytes\n", + keymatexportlen); + exportedkeymat = OPENSSL_malloc(keymatexportlen); + if (exportedkeymat != NULL) + { + if (!SSL_export_keying_material(con, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) + { + BIO_printf(bio_s_out, " Error\n"); + } + else + { + BIO_printf(bio_s_out, " Keying material: "); + for (i=0; i<keymatexportlen; i++) + BIO_printf(bio_s_out, "%02X", + exportedkeymat[i]); + BIO_printf(bio_s_out, "\n"); + } + OPENSSL_free(exportedkeymat); + } + } + return(1); } @@ -2043,6 +2511,9 @@ err: return(ret); } #endif +#ifndef OPENSSL_NO_KRB5 + char *client_princ; +#endif #if 0 static int load_CA(SSL_CTX *ctx, char *file) @@ -2070,12 +2541,11 @@ static int www_body(char *hostname, int s, unsigned char *context) char *buf=NULL; int ret=1; int i,j,k,dot; - struct stat st_buf; SSL *con; - SSL_CIPHER *c; + const SSL_CIPHER *c; BIO *io,*ssl_bio,*sbio; -#ifdef RENEG - long total_bytes; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; #endif buf=OPENSSL_malloc(bufsize); @@ -2108,10 +2578,10 @@ static int www_body(char *hostname, int s, unsigned char *context) } #endif #ifndef OPENSSL_NO_KRB5 - if ((con->kssl_ctx = kssl_ctx_new()) != NULL) + if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); - kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); + kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); + kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); } #endif /* OPENSSL_NO_KRB5 */ if(context) SSL_set_session_id_context(con, context, @@ -2137,7 +2607,7 @@ static int www_body(char *hostname, int s, unsigned char *context) if (s_debug) { - con->debug=1; + SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } @@ -2152,7 +2622,18 @@ static int www_body(char *hostname, int s, unsigned char *context) if (hack) { i=SSL_accept(con); - +#ifndef OPENSSL_NO_SRP + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); + srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else + BIO_printf(bio_s_out,"LOOKUP not successful\n"); + i=SSL_accept(con); + } +#endif switch (SSL_get_error(con,i)) { case SSL_ERROR_NONE: @@ -2258,7 +2739,7 @@ static int www_body(char *hostname, int s, unsigned char *context) } BIO_puts(io,"\n"); } - BIO_printf(io,((con->hit) + BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); c=SSL_get_current_cipher(con); @@ -2343,14 +2824,7 @@ static int www_body(char *hostname, int s, unsigned char *context) #endif /* if a directory, do the index thang */ - if (stat(p,&st_buf) < 0) - { - BIO_puts(io,text); - BIO_printf(io,"Error accessing '%s'\r\n",p); - ERR_print_errors(io); - break; - } - if (S_ISDIR(st_buf.st_mode)) + if (app_isdir(p)>0) { #if 0 /* must check buffer size */ strcat(p,"/index.html"); @@ -2383,9 +2857,6 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); } /* send the file */ -#ifdef RENEG - total_bytes=0; -#endif for (;;) { i=BIO_read(file,buf,bufsize); diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c index 6d1d7d7..380efdb 100644 --- a/crypto/openssl/apps/s_socket.c +++ b/crypto/openssl/apps/s_socket.c @@ -237,14 +237,11 @@ static int ssl_sock_init(void) int init_client(int *sock, char *host, int port, int type) { unsigned char ip[4]; - short p=0; + memset(ip, '\0', sizeof ip); if (!host_ip(host,&(ip[0]))) - { - return(0); - } - if (p != 0) port=p; - return(init_client_ip(sock,ip,port,type)); + return 0; + return init_client_ip(sock,ip,port,type); } static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) @@ -272,7 +269,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) if (s == INVALID_SOCKET) { perror("socket"); return(0); } -#ifndef OPENSSL_SYS_MPE +#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) if (type == SOCK_STREAM) { i=0; @@ -282,7 +279,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) #endif if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) - { close(s); perror("connect"); return(0); } + { closesocket(s); perror("connect"); return(0); } *sock=s; return(1); } @@ -291,7 +288,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns { int sock; char *name = NULL; - int accept_socket; + int accept_socket = 0; int i; if (!init_server(&accept_socket,port,type)) return(0); diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c index 904945e..b823c33 100644 --- a/crypto/openssl/apps/s_time.c +++ b/crypto/openssl/apps/s_time.c @@ -85,54 +85,6 @@ #include OPENSSL_UNISTD #endif -#if !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -#define TIMES -#endif - -#ifndef _IRIX -#include <time.h> -#endif -#ifdef TIMES -#include <sys/types.h> -#include <sys/times.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. - The __TMS macro will show if it was. If it wasn't defined, we should - undefine TIMES, since that tells the rest of the program how things - should be handled. -- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#include <sys/timeb.h> -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> -#endif - -/* The following if from times(3) man page. It may need to be changed -*/ -#ifndef HZ -# ifdef _SC_CLK_TCK -# define HZ ((double)sysconf(_SC_CLK_TCK)) -# else -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif -# endif -#endif - #undef PROG #define PROG s_time_main @@ -177,7 +129,7 @@ static char *tm_cipher=NULL; static int tm_verify = SSL_VERIFY_NONE; static int maxTime = SECONDS; static SSL_CTX *tm_ctx=NULL; -static SSL_METHOD *s_time_meth=NULL; +static const SSL_METHOD *s_time_meth=NULL; static char *s_www_path=NULL; static long bytes_read=0; static int st_bugs=0; @@ -372,63 +324,8 @@ bad: static double tm_Time_F(int s) { - static double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if(s == START) { - times(&tstart); - return(0); - } else { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); + return app_tminterval(s,1); } -#elif defined(OPENSSL_SYS_NETWARE) - static clock_t tstart,tend; - - if (s == START) - { - tstart=clock(); - return(0); - } - else - { - tend=clock(); - ret=(double)((double)(tend)-(double)(tstart)); - return((ret < 0.001)?0.001:ret); - } -#elif defined(OPENSSL_SYS_VXWORKS) - { - static unsigned long tick_start, tick_end; - - if( s == START ) - { - tick_start = tickGet(); - return 0; - } - else - { - tick_end = tickGet(); - ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); - return((ret == 0.0)?1e-6:ret); - } - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if(s == START) { - ftime(&tstart); - return(0); - } else { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret == 0.0)?1e-6:ret); - } -#endif -} /*********************************************************************** * MAIN - main processing area for client @@ -704,7 +601,7 @@ static SSL *doConnection(SSL *scon) i=SSL_get_fd(serverCon); width=i+1; FD_ZERO(&readfds); - FD_SET(i,&readfds); + openssl_fdset(i,&readfds); /* Note: under VMS with SOCKETSHR the 2nd parameter * is currently of type (int *) whereas under other * systems it is (void *) if you don't have a cast it diff --git a/crypto/openssl/apps/server.pem b/crypto/openssl/apps/server.pem index 56248e5..d0fc265 100644 --- a/crypto/openssl/apps/server.pem +++ b/crypto/openssl/apps/server.pem @@ -1,369 +1,52 @@ -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) ------BEGIN CERTIFICATE----- -MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0 -MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG -A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl -cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP -Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2// -Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4 -GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM -k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz -itAE+OjGF+PFKbwX8Q== ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD -TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu -OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj -gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz -rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b -PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA -vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU= ------END RSA PRIVATE KEY----- -subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA -issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA -notBefore=950413210656Z -notAfter =970412210656Z ------BEGIN X509 CERTIFICATE----- - -MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV -BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS -ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ -BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD -VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA -MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR -3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM -YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI -hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5 -dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/ -zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8= ------END X509 CERTIFICATE----- -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) ------BEGIN CERTIFICATE----- -MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD -VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw -OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY -BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0 -IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ -DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv -1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2 -mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v -hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4 -YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA -q30KIqGM/uoM60INq97qjDmCJapagcNBGQs= ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425 -gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd -2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB -AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6 -hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2 -J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs -HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL -21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s -nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz -MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa -pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb -KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2 -XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ ------END RSA PRIVATE KEY----- ------BEGIN X509 CERTIFICATE----- -MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT -LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ -MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls -b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG -EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk -bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL -ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb -hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/ -ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb -bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3 -fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX -R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR -Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK ------END X509 CERTIFICATE----- ------BEGIN X509 CERTIFICATE----- - -MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK -Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x -GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp -bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE -BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ -BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+ -ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw -ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI -H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z -WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE -MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM -LC7obsrHD8XAHG+ZRG== ------END X509 CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM -MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT -DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx -CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv -amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB -iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt -U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw -zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd -BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G -A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8 -/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi -lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA -S7ELuYGtmYgYm9NZOIr7yU0= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG -A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0 -aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB -LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB -gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu -ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu -dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD -SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL -bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a -OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW -GJNMJ4L0AJ/ac+SmHZc= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN -BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w -HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0 -IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL -MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls -aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww -GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL -ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc -zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0 -YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq -hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF -cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W -YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w== ------END CERTIFICATE----- - -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) ------BEGIN CERTIFICATE----- -MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD -VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw -OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY -BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy -NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg -40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp -22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y -BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S -Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9 -xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO -cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ +KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi +R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv +vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7 +TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU +41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R +AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49 +hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK +WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp +yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7 +vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds +xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t +JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg -wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ -vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB -AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc -z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz -xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7 -HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD -yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS -xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj -7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG -h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL -QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q -hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc= +MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv +h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL +tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu +D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI +uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6 +qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn +zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3 +r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D +AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R +5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm +W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH +674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg +utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY +BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX +4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a +WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8 +bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH +6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex +4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa +WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g +n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB +JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+ +OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX +xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK +UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== -----END RSA PRIVATE KEY----- -subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority -notBefore=941104185834Z -notAfter =991103185834Z ------BEGIN X509 CERTIFICATE----- - -MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy -Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05 -OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT -ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o -975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/ -touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE -7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j -9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI -0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb -MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU= ------END X509 CERTIFICATE----- -subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -notBefore=941109235417Z -notAfter =991231235417Z ------BEGIN X509 CERTIFICATE----- - -MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl -IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda -Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 -YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB -roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 -aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc -HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A -iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 -suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h -cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= ------END X509 CERTIFICATE----- -subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc - /OU=Certification Services Division/CN=Thawte Server CA - /Email=server-certs@thawte.com -issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc - /OU=Certification Services Division/CN=Thawte Server CA - /Email=server-certs@thawte.com ------BEGIN CERTIFICATE----- -MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD -VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU -VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy -dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq -hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1 -N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0 -ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv -bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2 -aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW -F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1 -Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A -KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG -SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX -7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM -qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD -VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU -VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy -dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD -QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05 -NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG -A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT -FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl -cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg -Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c -G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU -c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH -jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR -w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2 -GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK -3VZdLbCVIhNoEsysrxCpxcI= ------END CERTIFICATE----- -Tims test GCI CA - ------BEGIN CERTIFICATE----- -MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD -VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5 -cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD -cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow -gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC -cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl -dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN -AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw -OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF -AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA -TfdbFZtAAD2Hx9jUtY3tfdrJOb8= ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD -VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5 -cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O -IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB -VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1 -NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH -EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT -I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta -RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ -KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR -Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG -9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4 -WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0 -MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh -c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda -Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W -ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu -ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2 -FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j -W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari -QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG -9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C -TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW -8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA ------END CERTIFICATE----- - - subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber - issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber - ------BEGIN CERTIFICATE----- -MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw -YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw -MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp -YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI -SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp -U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG -SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb -RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp -3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv -z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg -hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg -YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv -LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg -KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ -Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv -ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v -dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw -IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS -ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ -TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w -LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU -BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs -53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq -2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB -p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY= ------END CERTIFICATE----- - - subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority ------BEGIN CERTIFICATE----- -MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw -FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg -UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa -Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln -biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ -nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma -AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga -IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF -AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ -Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6 -NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ== ------END CERTIFICATE----- - subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority ------BEGIN CERTIFICATE----- -MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw -FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg -UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa -Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln -biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1 -9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj -IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd -O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF -AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ -g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am -yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q== ------END CERTIFICATE----- diff --git a/crypto/openssl/apps/server2.pem b/crypto/openssl/apps/server2.pem index 8bb6641..a3927cf 100644 --- a/crypto/openssl/apps/server2.pem +++ b/crypto/openssl/apps/server2.pem @@ -1,376 +1,52 @@ -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (1024 bit) ------BEGIN CERTIFICATE----- -MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU0WhcNOTgwNjA5 -MTM1NzU0WjBkMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG -A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxJDAiBgNVBAMTG1NlcnZlciB0ZXN0IGNl -cnQgKDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsxH1PBPm -RkxrR11eV4bzNi4N9n11CI8nV29+ARlT1+qDe/mjVUvXlmsr1v/vf71G9GgqopSa -6RXrICLVdk/FYYYzhPvl1M+OrjaXDFO8BzBAF1Lnz6c7aRZvGRJNrRSr2nZEkqDf -JW9dY7r2VZEpD5QeuaRYUnuECkqeieB65GMCAwEAATANBgkqhkiG9w0BAQQFAAOB -gQCWsOta6C0wiVzXz8wPmJKyTrurMlgUss2iSuW9366iwofZddsNg7FXniMzkIf6 -dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh -8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA== ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV -S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP -pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB -AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0 -dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY -bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E -Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq -zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM -6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf -QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD -dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M -0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv -nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA== ------END RSA PRIVATE KEY----- -subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA -issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA -notBefore=950413210656Z -notAfter =970412210656Z ------BEGIN X509 CERTIFICATE----- - -MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV -BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS -ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ -BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD -VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA -MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR -3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM -YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI -hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5 -dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/ -zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8= ------END X509 CERTIFICATE----- -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) ------BEGIN CERTIFICATE----- -MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD -VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw -OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY -BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0 -IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ -DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv -1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2 -mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v -hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4 -YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA -q30KIqGM/uoM60INq97qjDmCJapagcNBGQs= ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425 -gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd -2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB -AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6 -hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2 -J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs -HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL -21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s -nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz -MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa -pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb -KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2 -XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ ------END RSA PRIVATE KEY----- ------BEGIN X509 CERTIFICATE----- -MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT -LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ -MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls -b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG -EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk -bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL -ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb -hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/ -ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb -bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3 -fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX -R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR -Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK ------END X509 CERTIFICATE----- ------BEGIN X509 CERTIFICATE----- - -MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK -Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x -GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp -bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE -BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ -BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+ -ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw -ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI -H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z -WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE -MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM -LC7obsrHD8XAHG+ZRG== ------END X509 CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM -MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT -DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx -CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv -amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB -iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt -U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw -zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd -BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G -A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8 -/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi -lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA -S7ELuYGtmYgYm9NZOIr7yU0= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG -A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0 -aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB -LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB -gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu -ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu -dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD -SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL -bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a -OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW -GJNMJ4L0AJ/ac+SmHZc= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN -BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w -HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0 -IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL -MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls -aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww -GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL -ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc -zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0 -YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq -hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF -cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W -YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w== ------END CERTIFICATE----- - -issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit) ------BEGIN CERTIFICATE----- -MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV -BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD -VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw -OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY -BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy -NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg -40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp -22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y -BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S -Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9 -xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO -cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2 +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg +IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy +gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L +qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO +ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG +/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1 +bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE +ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ +YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud +DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s +zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS +LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/ +XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg +5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL +Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb +oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg -wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ -vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB -AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc -z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz -xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7 -HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD -yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS -xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj -7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG -h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL -QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q -hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc= +MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f +UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq +2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi +92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33 +DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k +KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5 +x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A +DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD +F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd +rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb ++znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb +Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a +E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs +Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL +8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf +rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq +bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX +5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG +3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0 +5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP +5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng +38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k +z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok +kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ +NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk -----END RSA PRIVATE KEY----- -subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority -notBefore=941104185834Z -notAfter =991103185834Z ------BEGIN X509 CERTIFICATE----- - -MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy -Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05 -OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT -ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o -975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/ -touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE -7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j -9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI -0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb -MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU= ------END X509 CERTIFICATE----- -subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -notBefore=941109235417Z -notAfter =991231235417Z ------BEGIN X509 CERTIFICATE----- - -MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl -IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda -Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 -YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB -roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 -aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc -HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A -iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 -suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h -cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= ------END X509 CERTIFICATE----- -subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc - /OU=Certification Services Division/CN=Thawte Server CA - /Email=server-certs@thawte.com -issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc - /OU=Certification Services Division/CN=Thawte Server CA - /Email=server-certs@thawte.com ------BEGIN CERTIFICATE----- -MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD -VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU -VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy -dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq -hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1 -N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0 -ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv -bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2 -aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW -F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1 -Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A -KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG -SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX -7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM -qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD -VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU -VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy -dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD -QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05 -NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG -A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT -FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl -cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg -Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c -G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU -c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH -jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR -w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2 -GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK -3VZdLbCVIhNoEsysrxCpxcI= ------END CERTIFICATE----- -Tims test GCI CA - ------BEGIN CERTIFICATE----- -MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD -VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5 -cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD -cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow -gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC -cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl -dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN -AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw -OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF -AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA -TfdbFZtAAD2Hx9jUtY3tfdrJOb8= ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD -VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5 -cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O -IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB -VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1 -NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH -EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT -I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta -RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ -KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR -Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG -9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4 -WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0 -MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh -c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda -Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W -ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu -ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2 -FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j -W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari -QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG -9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C -TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW -8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA ------END CERTIFICATE----- - - subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber - issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber - ------BEGIN CERTIFICATE----- -MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw -YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw -MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp -YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI -SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp -U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG -SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb -RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp -3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv -z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg -hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg -YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv -LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg -KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ -Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv -ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v -dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw -IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS -ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ -TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w -LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU -BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs -53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq -2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB -p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY= ------END CERTIFICATE----- - - subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority ------BEGIN CERTIFICATE----- -MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw -FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg -UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa -Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln -biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ -nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma -AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga -IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF -AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ -Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6 -NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ== ------END CERTIFICATE----- - subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority ------BEGIN CERTIFICATE----- -MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw -FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg -UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa -Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln -biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1 -9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj -IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd -O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF -AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ -g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am -yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q== ------END CERTIFICATE----- diff --git a/crypto/openssl/apps/sess_id.c b/crypto/openssl/apps/sess_id.c index b99179f..b16686c 100644 --- a/crypto/openssl/apps/sess_id.c +++ b/crypto/openssl/apps/sess_id.c @@ -90,6 +90,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { SSL_SESSION *x=NULL; + X509 *peer = NULL; int ret=1,i,num,badops=0; BIO *out=NULL; int informat,outformat; @@ -163,16 +164,17 @@ bad: ERR_load_crypto_strings(); x=load_sess_id(infile,informat); if (x == NULL) { goto end; } + peer = SSL_SESSION_get0_peer(x); if(context) { - x->sid_ctx_length=strlen(context); - if(x->sid_ctx_length > SSL_MAX_SID_CTX_LENGTH) + size_t ctx_len = strlen(context); + if(ctx_len > SSL_MAX_SID_CTX_LENGTH) { BIO_printf(bio_err,"Context too long\n"); goto end; } - memcpy(x->sid_ctx,context,x->sid_ctx_length); + SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len); } #ifdef undef @@ -231,10 +233,10 @@ bad: if (cert) { - if (x->peer == NULL) + if (peer == NULL) BIO_puts(out,"No certificate present\n"); else - X509_print(out,x->peer); + X509_print(out,peer); } } @@ -253,12 +255,12 @@ bad: goto end; } } - else if (!noout && (x->peer != NULL)) /* just print the certificate */ + else if (!noout && (peer != NULL)) /* just print the certificate */ { if (outformat == FORMAT_ASN1) - i=(int)i2d_X509_bio(out,x->peer); + i=(int)i2d_X509_bio(out,peer); else if (outformat == FORMAT_PEM) - i=PEM_write_bio_X509(out,x->peer); + i=PEM_write_bio_X509(out,peer); else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c index 75804b8..c583f8a 100644 --- a/crypto/openssl/apps/smime.c +++ b/crypto/openssl/apps/smime.c @@ -73,11 +73,14 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int smime_cb(int ok, X509_STORE_CTX *ctx); #define SMIME_OP 0x10 +#define SMIME_IP 0x20 +#define SMIME_SIGNERS 0x40 #define SMIME_ENCRYPT (1 | SMIME_OP) -#define SMIME_DECRYPT 2 -#define SMIME_SIGN (3 | SMIME_OP) -#define SMIME_VERIFY 4 -#define SMIME_PK7OUT 5 +#define SMIME_DECRYPT (2 | SMIME_IP) +#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) +#define SMIME_VERIFY (4 | SMIME_IP) +#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP) +#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) int MAIN(int, char **); @@ -90,6 +93,7 @@ int MAIN(int argc, char **argv) const char *inmode = "r", *outmode = "w"; char *infile = NULL, *outfile = NULL; char *signerfile = NULL, *recipfile = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; char *certfile = NULL, *keyfile = NULL, *contfile=NULL; const EVP_CIPHER *cipher = NULL; PKCS7 *p7 = NULL; @@ -105,6 +109,8 @@ int MAIN(int argc, char **argv) char *passargin = NULL, *passin = NULL; char *inrand = NULL; int need_rand = 0; + int indef = 0; + const EVP_MD *sign_md = NULL; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int keyform = FORMAT_PEM; #ifndef OPENSSL_NO_ENGINE @@ -135,6 +141,8 @@ int MAIN(int argc, char **argv) operation = SMIME_DECRYPT; else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN; + else if (!strcmp (*args, "-resign")) + operation = SMIME_RESIGN; else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY; else if (!strcmp (*args, "-pk7out")) @@ -193,205 +201,209 @@ int MAIN(int argc, char **argv) flags |= PKCS7_BINARY; else if (!strcmp (*args, "-nosigs")) flags |= PKCS7_NOSIGS; + else if (!strcmp (*args, "-stream")) + indef = 1; + else if (!strcmp (*args, "-indef")) + indef = 1; + else if (!strcmp (*args, "-noindef")) + indef = 0; else if (!strcmp (*args, "-nooldmime")) flags |= PKCS7_NOOLDMIMETYPE; else if (!strcmp (*args, "-crlfeol")) flags |= PKCS7_CRLFEOL; else if (!strcmp(*args,"-rand")) { - if (args[1]) - { - args++; - inrand = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + args++; + inrand = *args; need_rand = 1; } #ifndef OPENSSL_NO_ENGINE else if (!strcmp(*args,"-engine")) { - if (args[1]) - { - args++; - engine = *args; - } - else badarg = 1; + if (!args[1]) + goto argerr; + engine = *++args; } #endif else if (!strcmp(*args,"-passin")) { - if (args[1]) - { - args++; - passargin = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + passargin = *++args; } else if (!strcmp (*args, "-to")) { - if (args[1]) - { - args++; - to = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + to = *++args; } else if (!strcmp (*args, "-from")) { - if (args[1]) - { - args++; - from = *args; - } - else badarg = 1; + if (!args[1]) + goto argerr; + from = *++args; } else if (!strcmp (*args, "-subject")) { - if (args[1]) - { - args++; - subject = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + subject = *++args; } else if (!strcmp (*args, "-signer")) { - if (args[1]) + if (!args[1]) + goto argerr; + /* If previous -signer argument add signer to list */ + + if (signerfile) { - args++; - signerfile = *args; + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!keyfile) + keyfile = signerfile; + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; } - else - badarg = 1; + signerfile = *++args; } else if (!strcmp (*args, "-recip")) { - if (args[1]) + if (!args[1]) + goto argerr; + recipfile = *++args; + } + else if (!strcmp (*args, "-md")) + { + if (!args[1]) + goto argerr; + sign_md = EVP_get_digestbyname(*++args); + if (sign_md == NULL) { - args++; - recipfile = *args; + BIO_printf(bio_err, "Unknown digest %s\n", + *args); + goto argerr; } - else badarg = 1; } else if (!strcmp (*args, "-inkey")) { - if (args[1]) + if (!args[1]) + goto argerr; + /* If previous -inkey arument add signer to list */ + if (keyfile) { - args++; - keyfile = *args; + if (!signerfile) + { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto argerr; + } + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); } - else - badarg = 1; - } + keyfile = *++args; + } else if (!strcmp (*args, "-keyform")) { - if (args[1]) - { - args++; - keyform = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + keyform = str2fmt(*++args); } else if (!strcmp (*args, "-certfile")) { - if (args[1]) - { - args++; - certfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + certfile = *++args; } else if (!strcmp (*args, "-CAfile")) { - if (args[1]) - { - args++; - CAfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + CAfile = *++args; } else if (!strcmp (*args, "-CApath")) { - if (args[1]) - { - args++; - CApath = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + CApath = *++args; } else if (!strcmp (*args, "-in")) { - if (args[1]) - { - args++; - infile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + infile = *++args; } else if (!strcmp (*args, "-inform")) { - if (args[1]) - { - args++; - informat = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + informat = str2fmt(*++args); } else if (!strcmp (*args, "-outform")) { - if (args[1]) - { - args++; - outformat = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + outformat = str2fmt(*++args); } else if (!strcmp (*args, "-out")) { - if (args[1]) - { - args++; - outfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + outfile = *++args; } else if (!strcmp (*args, "-content")) { - if (args[1]) - { - args++; - contfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + contfile = *++args; } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) continue; - else + else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) badarg = 1; args++; } + if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) + { + BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); + goto argerr; + } - if (operation == SMIME_SIGN) + if (operation & SMIME_SIGNERS) { - if (!signerfile) + /* Check to see if any final signer needs to be appended */ + if (keyfile && !signerfile) + { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto argerr; + } + if (signerfile) + { + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + if (!keyfile) + keyfile = signerfile; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); badarg = 1; } + signerfile = NULL; + keyfile = NULL; need_rand = 1; } else if (operation == SMIME_DECRYPT) @@ -416,6 +428,7 @@ int MAIN(int argc, char **argv) if (badarg) { + argerr: BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n"); BIO_printf (bio_err, "where options are\n"); BIO_printf (bio_err, "-encrypt encrypt message\n"); @@ -499,13 +512,11 @@ int MAIN(int argc, char **argv) ret = 2; - if (operation != SMIME_SIGN) + if (!(operation & SMIME_SIGNERS)) flags &= ~PKCS7_DETACHED; if (operation & SMIME_OP) { - if (flags & PKCS7_BINARY) - inmode = "rb"; if (outformat == FORMAT_ASN1) outmode = "wb"; } @@ -513,9 +524,18 @@ int MAIN(int argc, char **argv) { if (flags & PKCS7_BINARY) outmode = "wb"; + } + + if (operation & SMIME_IP) + { if (informat == FORMAT_ASN1) inmode = "rb"; } + else + { + if (flags & PKCS7_BINARY) + inmode = "rb"; + } if (operation == SMIME_ENCRYPT) { @@ -545,26 +565,11 @@ int MAIN(int argc, char **argv) } } - if (signerfile && (operation == SMIME_SIGN)) - { - if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL, - e, "signer certificate"))) - { -#if 0 /* An appropri message has already been printed */ - BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile); -#endif - goto end; - } - } - if (certfile) { if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL, e, "certificate file"))) { -#if 0 /* An appropriate message has already been printed */ - BIO_printf(bio_err, "Can't read certificate file %s\n", certfile); -#endif ERR_print_errors(bio_err); goto end; } @@ -575,9 +580,6 @@ int MAIN(int argc, char **argv) if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL, e, "recipient certificate file"))) { -#if 0 /* An appropriate message has alrady been printed */ - BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile); -#endif ERR_print_errors(bio_err); goto end; } @@ -615,6 +617,36 @@ int MAIN(int argc, char **argv) else in = BIO_new_fp(stdin, BIO_NOCLOSE); + if (operation & SMIME_IP) + { + if (informat == FORMAT_SMIME) + p7 = SMIME_read_PKCS7(in, &indata); + else if (informat == FORMAT_PEM) + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + p7 = d2i_PKCS7_bio(in, NULL); + else + { + BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); + goto end; + } + + if (!p7) + { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + goto end; + } + if (contfile) + { + BIO_free(indata); + if (!(indata = BIO_new_file(contfile, "rb"))) + { + BIO_printf(bio_err, "Can't read content file %s\n", contfile); + goto end; + } + } + } + if (outfile) { if (!(out = BIO_new_file(outfile, outmode))) @@ -639,7 +671,7 @@ int MAIN(int argc, char **argv) { if (!(store = setup_verify(bio_err, CAfile, CApath))) goto end; - X509_STORE_set_verify_cb_func(store, smime_cb); + X509_STORE_set_verify_cb(store, smime_cb); if (vpm) X509_STORE_set1_param(store, vpm); } @@ -648,43 +680,58 @@ int MAIN(int argc, char **argv) ret = 3; if (operation == SMIME_ENCRYPT) - p7 = PKCS7_encrypt(encerts, in, cipher, flags); - else if (operation == SMIME_SIGN) { - /* If detached data and SMIME output enable partial - * signing. - */ - if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME)) + if (indef) flags |= PKCS7_STREAM; - p7 = PKCS7_sign(signer, key, other, in, flags); + p7 = PKCS7_encrypt(encerts, in, cipher, flags); } - else + else if (operation & SMIME_SIGNERS) { - if (informat == FORMAT_SMIME) - p7 = SMIME_read_PKCS7(in, &indata); - else if (informat == FORMAT_PEM) - p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); - else if (informat == FORMAT_ASN1) - p7 = d2i_PKCS7_bio(in, NULL); - else + int i; + /* If detached data content we only enable streaming if + * S/MIME output format. + */ + if (operation == SMIME_SIGN) { - BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); - goto end; + if (flags & PKCS7_DETACHED) + { + if (outformat == FORMAT_SMIME) + flags |= PKCS7_STREAM; + } + else if (indef) + flags |= PKCS7_STREAM; + flags |= PKCS7_PARTIAL; + p7 = PKCS7_sign(NULL, NULL, other, in, flags); + if (!p7) + goto end; } - - if (!p7) - { - BIO_printf(bio_err, "Error reading S/MIME message\n"); - goto end; + else + flags |= PKCS7_REUSE_DIGEST; + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) + { + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, + e, "signer certificate"); + if (!signer) + goto end; + key = load_key(bio_err, keyfile, keyform, 0, passin, e, + "signing key file"); + if (!key) + goto end; + if (!PKCS7_sign_add_signer(p7, signer, key, + sign_md, flags)) + goto end; + X509_free(signer); + signer = NULL; + EVP_PKEY_free(key); + key = NULL; } - if (contfile) + /* If not streaming or resigning finalize structure */ + if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) { - BIO_free(indata); - if (!(indata = BIO_new_file(contfile, "rb"))) - { - BIO_printf(bio_err, "Can't read content file %s\n", contfile); + if (!PKCS7_final(p7, in, flags)) goto end; - } } } @@ -734,11 +781,16 @@ int MAIN(int argc, char **argv) if (subject) BIO_printf(out, "Subject: %s\n", subject); if (outformat == FORMAT_SMIME) - SMIME_write_PKCS7(out, p7, in, flags); + { + if (operation == SMIME_RESIGN) + SMIME_write_PKCS7(out, p7, indata, flags); + else + SMIME_write_PKCS7(out, p7, in, flags); + } else if (outformat == FORMAT_PEM) - PEM_write_bio_PKCS7(out,p7); + PEM_write_bio_PKCS7_stream(out, p7, in, flags); else if (outformat == FORMAT_ASN1) - i2d_PKCS7_bio(out,p7); + i2d_PKCS7_bio_stream(out,p7, in, flags); else { BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); @@ -754,6 +806,10 @@ end: sk_X509_pop_free(other, X509_free); if (vpm) X509_VERIFY_PARAM_free(vpm); + if (sksigners) + sk_OPENSSL_STRING_free(sksigners); + if (skkeys) + sk_OPENSSL_STRING_free(skkeys); X509_STORE_free(store); X509_free(cert); X509_free(recip); diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index 84ce35d..8358b12 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -108,53 +108,14 @@ #include <signal.h> #endif -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(OPENSSL_SYS_MACOSX) -# define USE_TOD -#elif !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -# define TIMES -#endif -#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(OPENSSL_SYS_MPE) && !defined(__NetBSD__) && !defined(OPENSSL_SYS_VXWORKS) /* FIXME */ -# define TIMEB -#endif - -#if defined(OPENSSL_SYS_NETWARE) -#undef TIMES -#undef TIMEB -#include <time.h> -#endif - -#ifndef _IRIX -# include <time.h> -#endif -#ifdef TIMES -# include <sys/types.h> -# include <sys/times.h> -#endif -#ifdef USE_TOD -# include <sys/time.h> -# include <sys/resource.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. - The __TMS macro will show if it was. If it wasn't defined, we should - undefine TIMES, since that tells the rest of the program how things - should be handled. -- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#ifdef TIMEB -#include <sys/timeb.h> -#endif - -#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#error "It seems neither struct tms nor struct timeb is supported in this platform!" -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> +#if defined(_WIN32) || defined(__CYGWIN__) +#include <windows.h> +# if defined(__CYGWIN__) && !defined(_WIN32) + /* <windows.h> should define _WIN32, which normally is mutually + * exclusive with __CYGWIN__, but if it didn't... */ +# define _WIN32 + /* this is done because Cygwin alarm() fails sometimes. */ +# endif #endif #include <openssl/bn.h> @@ -189,6 +150,9 @@ #ifndef OPENSSL_NO_RIPEMD #include <openssl/ripemd.h> #endif +#ifndef OPENSSL_NO_WHIRLPOOL +#include <openssl/whrlpool.h> +#endif #ifndef OPENSSL_NO_RC4 #include <openssl/rc4.h> #endif @@ -225,33 +189,24 @@ #ifndef OPENSSL_NO_ECDH #include <openssl/ecdh.h> #endif +#include <openssl/modes.h> -/* - * The following "HZ" timing stuff should be sync'd up with the code in - * crypto/tmdiff.[ch]. That appears to try to do the same job, though I think - * this code is more up to date than libcrypto's so there may be features to - * migrate over first. This is used in two places further down AFAICS. - * The point is that nothing in openssl actually *uses* that tmdiff stuff, so - * either speed.c should be using it or it should go because it's obviously not - * useful enough. Anyone want to do a janitorial job on this? - */ - -/* The following if from times(3) man page. It may need to be changed */ -#ifndef HZ -# if defined(_SC_CLK_TCK) \ - && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) -# define HZ sysconf(_SC_CLK_TCK) -# else -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif -# endif +#ifdef OPENSSL_FIPS +#ifdef OPENSSL_DOING_MAKEDEPEND +#undef AES_set_encrypt_key +#undef AES_set_decrypt_key +#undef DES_set_key_unchecked +#endif +#define BF_set_key private_BF_set_key +#define CAST_set_key private_CAST_set_key +#define idea_set_encrypt_key private_idea_set_encrypt_key +#define SEED_set_key private_SEED_set_key +#define RC2_set_key private_RC2_set_key +#define RC4_set_key private_RC4_set_key +#define DES_set_key_unchecked private_DES_set_key_unchecked +#define AES_set_encrypt_key private_AES_set_encrypt_key +#define AES_set_decrypt_key private_AES_set_decrypt_key +#define Camellia_set_key private_Camellia_set_key #endif #ifndef HAVE_FORK @@ -263,16 +218,15 @@ #endif #if HAVE_FORK -# undef NO_FORK +#undef NO_FORK #else -# define NO_FORK +#define NO_FORK #endif #undef BUFSIZE #define BUFSIZE ((long)1024*8+1) int run=0; -static char ftime_used = 0, times_used = 0, gettimeofday_used = 0, getrusage_used = 0; static int mr=0; static int usertime=1; @@ -285,7 +239,7 @@ static void print_result(int alg,int run_no,int count,double time_used); static int do_multi(int multi); #endif -#define ALGOR_NUM 28 +#define ALGOR_NUM 30 #define SIZE_NUM 5 #define RSA_NUM 4 #define DSA_NUM 3 @@ -299,8 +253,8 @@ static const char *names[ALGOR_NUM]={ "rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc", "aes-128 cbc","aes-192 cbc","aes-256 cbc", "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc", - "evp","sha256","sha512", - "aes-128 ige","aes-192 ige","aes-256 ige"}; + "evp","sha256","sha512","whirlpool", + "aes-128 ige","aes-192 ige","aes-256 ige","ghash"}; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; #ifndef OPENSSL_NO_RSA @@ -342,141 +296,49 @@ static SIGRETTYPE sig_done(int sig) #define START 0 #define STOP 1 -#if defined(OPENSSL_SYS_NETWARE) +#if defined(_WIN32) - /* for NetWare the best we can do is use clock() which returns the - * time, in hundredths of a second, since the NLM began executing - */ -static double Time_F(int s) - { - double ret; - - static clock_t tstart,tend; - - if (s == START) - { - tstart=clock(); - return(0); - } - else - { - tend=clock(); - ret=(double)((double)(tend)-(double)(tstart)); - return((ret < 0.001)?0.001:ret); - } - } +#if !defined(SIGALRM) +#define SIGALRM +#endif +static unsigned int lapse,schlock; +static void alarm_win32(unsigned int secs) { lapse = secs*1000; } +#define alarm alarm_win32 -#else +static DWORD WINAPI sleepy(VOID *arg) + { + schlock = 1; + Sleep(lapse); + run = 0; + return 0; + } static double Time_F(int s) { - double ret; - -#ifdef USE_TOD - if(usertime) + if (s == START) { - static struct rusage tstart,tend; - - getrusage_used = 1; - if (s == START) + HANDLE thr; + schlock = 0; + thr = CreateThread(NULL,4096,sleepy,NULL,0,NULL); + if (thr==NULL) { - getrusage(RUSAGE_SELF,&tstart); - return(0); - } - else - { - long i; - - getrusage(RUSAGE_SELF,&tend); - i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec; - ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec)) - +((double)i)/1000000.0; - return((ret < 0.001)?0.001:ret); + DWORD ret=GetLastError(); + BIO_printf(bio_err,"unable to CreateThread (%d)",ret); + ExitProcess(ret); } + CloseHandle(thr); /* detach the thread */ + while (!schlock) Sleep(0); /* scheduler spinlock */ } - else - { - static struct timeval tstart,tend; - long i; - gettimeofday_used = 1; - if (s == START) - { - gettimeofday(&tstart,NULL); - return(0); - } - else - { - gettimeofday(&tend,NULL); - i=(long)tend.tv_usec-(long)tstart.tv_usec; - ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0; - return((ret < 0.001)?0.001:ret); - } - } -#else /* ndef USE_TOD */ - -# ifdef TIMES - if (usertime) - { - static struct tms tstart,tend; - - times_used = 1; - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret = HZ; - ret=(double)(tend.tms_utime-tstart.tms_utime) / ret; - return((ret < 1e-3)?1e-3:ret); - } - } -# endif /* times() */ -# if defined(TIMES) && defined(TIMEB) - else -# endif -# ifdef OPENSSL_SYS_VXWORKS - { - static unsigned long tick_start, tick_end; - - if( s == START ) - { - tick_start = tickGet(); - return 0; - } - else - { - tick_end = tickGet(); - ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); - return((ret < 0.001)?0.001:ret); - } - } -# elif defined(TIMEB) - { - static struct timeb tstart,tend; - long i; + return app_tminterval(s,usertime); + } +#else - ftime_used = 1; - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret < 0.001)?0.001:ret); - } - } -# endif -#endif +static double Time_F(int s) + { + return app_tminterval(s,usertime); } -#endif /* if defined(OPENSSL_SYS_NETWARE) */ +#endif #ifndef OPENSSL_NO_ECDH @@ -533,6 +395,9 @@ int MAIN(int argc, char **argv) unsigned char sha512[SHA512_DIGEST_LENGTH]; #endif #endif +#ifndef OPENSSL_NO_WHIRLPOOL + unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; +#endif #ifndef OPENSSL_NO_RIPEMD unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; #endif @@ -628,9 +493,11 @@ int MAIN(int argc, char **argv) #define D_EVP 22 #define D_SHA256 23 #define D_SHA512 24 -#define D_IGE_128_AES 25 -#define D_IGE_192_AES 26 -#define D_IGE_256_AES 27 +#define D_WHIRLPOOL 25 +#define D_IGE_128_AES 26 +#define D_IGE_192_AES 27 +#define D_IGE_256_AES 28 +#define D_GHASH 29 double d=0.0; long c[ALGOR_NUM][SIZE_NUM]; #define R_DSA_512 0 @@ -947,6 +814,10 @@ int MAIN(int argc, char **argv) else #endif #endif +#ifndef OPENSSL_NO_WHIRLPOOL + if (strcmp(*argv,"whirlpool") == 0) doit[D_WHIRLPOOL]=1; + else +#endif #ifndef OPENSSL_NO_RIPEMD if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1; else @@ -1052,6 +923,10 @@ int MAIN(int argc, char **argv) doit[D_CBC_192_AES]=1; doit[D_CBC_256_AES]=1; } + else if (strcmp(*argv,"ghash") == 0) + { + doit[D_GHASH]=1; + } else #endif #ifndef OPENSSL_NO_CAMELLIA @@ -1158,12 +1033,16 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_SHA512 BIO_printf(bio_err,"sha512 "); #endif +#ifndef OPENSSL_NO_WHIRLPOOL + BIO_printf(bio_err,"whirlpool"); +#endif #ifndef OPENSSL_NO_RIPEMD160 BIO_printf(bio_err,"rmd160"); #endif #if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \ !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \ - !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) + !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \ + !defined(OPENSSL_NO_WHIRLPOOL) BIO_printf(bio_err,"\n"); #endif @@ -1290,17 +1169,20 @@ int MAIN(int argc, char **argv) rsa_doit[i]=1; for (i=0; i<DSA_NUM; i++) dsa_doit[i]=1; +#ifndef OPENSSL_NO_ECDSA + for (i=0; i<EC_NUM; i++) + ecdsa_doit[i]=1; +#endif +#ifndef OPENSSL_NO_ECDH + for (i=0; i<EC_NUM; i++) + ecdh_doit[i]=1; +#endif } for (i=0; i<ALGOR_NUM; i++) if (doit[i]) pr_header++; if (usertime == 0 && !mr) BIO_printf(bio_err,"You have chosen to measure elapsed time instead of user CPU time.\n"); - if (usertime <= 0 && !mr) - { - BIO_printf(bio_err,"To get the most accurate results, try to run this\n"); - BIO_printf(bio_err,"program when this computer is idle.\n"); - } #ifndef OPENSSL_NO_RSA for (i=0; i<RSA_NUM; i++) @@ -1411,9 +1293,11 @@ int MAIN(int argc, char **argv) c[D_CBC_256_CML][0]=count; c[D_SHA256][0]=count; c[D_SHA512][0]=count; + c[D_WHIRLPOOL][0]=count; c[D_IGE_128_AES][0]=count; c[D_IGE_192_AES][0]=count; c[D_IGE_256_AES][0]=count; + c[D_GHASH][0]=count; for (i=1; i<SIZE_NUM; i++) { @@ -1426,6 +1310,7 @@ int MAIN(int argc, char **argv) c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i]; c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i]; c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i]; + c[D_WHIRLPOOL][i]=c[D_WHIRLPOOL][0]*4*lengths[0]/lengths[i]; } for (i=1; i<SIZE_NUM; i++) { @@ -1607,9 +1492,11 @@ int MAIN(int argc, char **argv) # error "You cannot disable DES on systems without SIGALRM." #endif /* OPENSSL_NO_DES */ #else -#define COND(c) (run) +#define COND(c) (run && count<0x7fffffff) #define COUNT(d) (count) +#ifndef _WIN32 signal(SIGALRM,sig_done); +#endif #endif /* SIGALRM */ #ifndef OPENSSL_NO_MD2 @@ -1739,8 +1626,23 @@ int MAIN(int argc, char **argv) } } #endif +#endif +#ifndef OPENSSL_NO_WHIRLPOOL + if (doit[D_WHIRLPOOL]) + { + for (j=0; j<SIZE_NUM; j++) + { + print_message(names[D_WHIRLPOOL],c[D_WHIRLPOOL][j],lengths[j]); + Time_F(START); + for (count=0,run=1; COND(c[D_WHIRLPOOL][j]); count++) + WHIRLPOOL(buf,lengths[j],whirlpool); + d=Time_F(STOP); + print_result(D_WHIRLPOOL,j,count,d); + } + } #endif + #ifndef OPENSSL_NO_RIPEMD if (doit[D_RMD160]) { @@ -1886,6 +1788,23 @@ int MAIN(int argc, char **argv) print_result(D_IGE_256_AES,j,count,d); } } + if (doit[D_GHASH]) + { + GCM128_CONTEXT *ctx = CRYPTO_gcm128_new(&aes_ks1,(block128_f)AES_encrypt); + CRYPTO_gcm128_setiv (ctx,(unsigned char *)"0123456789ab",12); + + for (j=0; j<SIZE_NUM; j++) + { + print_message(names[D_GHASH],c[D_GHASH][j],lengths[j]); + Time_F(START); + for (count=0,run=1; COND(c[D_GHASH][j]); count++) + CRYPTO_gcm128_aad(ctx,buf,lengths[j]); + d=Time_F(STOP); + print_result(D_GHASH,j,count,d); + } + CRYPTO_gcm128_release(ctx); + } + #endif #ifndef OPENSSL_NO_CAMELLIA if (doit[D_CBC_128_CML]) @@ -2498,35 +2417,6 @@ show_res: printf("%s ",BF_options()); #endif fprintf(stdout,"\n%s\n",SSLeay_version(SSLEAY_CFLAGS)); - printf("available timing options: "); -#ifdef TIMES - printf("TIMES "); -#endif -#ifdef TIMEB - printf("TIMEB "); -#endif -#ifdef USE_TOD - printf("USE_TOD "); -#endif -#ifdef HZ -#define as_string(s) (#s) - { - double dbl = HZ; - printf("HZ=%g", dbl); - } -# ifdef _SC_CLK_TCK - printf(" [sysconf value]"); -# endif -#endif - printf("\n"); - printf("timing function used: %s%s%s%s%s%s%s\n", - (ftime_used ? "ftime" : ""), - (ftime_used + times_used > 1 ? "," : ""), - (times_used ? "times" : ""), - (ftime_used + times_used + gettimeofday_used > 1 ? "," : ""), - (gettimeofday_used ? "gettimeofday" : ""), - (ftime_used + times_used + gettimeofday_used + getrusage_used > 1 ? "," : ""), - (getrusage_used ? "getrusage" : "")); } if (pr_header) @@ -2707,7 +2597,7 @@ static void pkey_print_message(const char *str, const char *str2, long num, BIO_printf(bio_err,mr ? "+DTP:%d:%s:%s:%d\n" : "Doing %d bit %s %s's for %ds: ",bits,str,str2,tm); (void)BIO_flush(bio_err); - alarm(RSA_SECONDS); + alarm(tm); #else BIO_printf(bio_err,mr ? "+DNP:%ld:%d:%s:%s\n" : "Doing %ld %d bit %s %s's: ",num,bits,str,str2); @@ -2767,7 +2657,11 @@ static int do_multi(int multi) fds=malloc(multi*sizeof *fds); for(n=0 ; n < multi ; ++n) { - pipe(fd); + if (pipe(fd) == -1) + { + fprintf(stderr, "pipe failure\n"); + exit(1); + } fflush(stdout); fflush(stderr); if(fork()) @@ -2779,10 +2673,15 @@ static int do_multi(int multi) { close(fd[0]); close(1); - dup(fd[1]); + if (dup(fd[1]) == -1) + { + fprintf(stderr, "dup failed\n"); + exit(1); + } close(fd[1]); mr=1; usertime=0; + free(fds); return 0; } printf("Forked child %d\n",n); @@ -2861,6 +2760,7 @@ static int do_multi(int multi) else rsa_results[k][1]=d; } +#ifndef OPENSSL_NO_DSA else if(!strncmp(buf,"+F3:",4)) { int k; @@ -2882,6 +2782,7 @@ static int do_multi(int multi) else dsa_results[k][1]=d; } +#endif #ifndef OPENSSL_NO_ECDSA else if(!strncmp(buf,"+F4:",4)) { @@ -2931,7 +2832,10 @@ static int do_multi(int multi) else fprintf(stderr,"Unknown type '%s' from child %d\n",buf,n); } + + fclose(f); } + free(fds); return 1; } #endif diff --git a/crypto/openssl/apps/srp.c b/crypto/openssl/apps/srp.c new file mode 100644 index 0000000..80e1b8a --- /dev/null +++ b/crypto/openssl/apps/srp.c @@ -0,0 +1,756 @@ +/* apps/srp.c */ +/* Written by Peter Sylvester (peter.sylvester@edelweb.fr) + * for the EdelKey project and contributed to the OpenSSL project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +#include <openssl/opensslconf.h> + +#ifndef OPENSSL_NO_SRP +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <openssl/conf.h> +#include <openssl/bio.h> +#include <openssl/err.h> +#include <openssl/txt_db.h> +#include <openssl/buffer.h> +#include <openssl/srp.h> + +#include "apps.h" + +#undef PROG +#define PROG srp_main + +#define BASE_SECTION "srp" +#define CONFIG_FILE "openssl.cnf" + +#define ENV_RANDFILE "RANDFILE" + +#define ENV_DATABASE "srpvfile" +#define ENV_DEFAULT_SRP "default_srp" + +static char *srp_usage[]={ +"usage: srp [args] [user] \n", +"\n", +" -verbose Talk alot while doing things\n", +" -config file A config file\n", +" -name arg The particular srp definition to use\n", +" -srpvfile arg The srp verifier file name\n", +" -add add an user and srp verifier\n", +" -modify modify the srp verifier of an existing user\n", +" -delete delete user from verifier file\n", +" -list list user\n", +" -gn arg g and N values to be used for new verifier\n", +" -userinfo arg additional info to be set for user\n", +" -passin arg input file pass phrase source\n", +" -passout arg output file pass phrase source\n", +#ifndef OPENSSL_NO_ENGINE +" -engine e - use engine e, possibly a hardware device.\n", +#endif +NULL +}; + +#ifdef EFENCE +extern int EF_PROTECT_FREE; +extern int EF_PROTECT_BELOW; +extern int EF_ALIGNMENT; +#endif + +static CONF *conf=NULL; +static char *section=NULL; + +#define VERBOSE if (verbose) +#define VVERBOSE if (verbose>1) + + +int MAIN(int, char **); + +static int get_index(CA_DB *db, char* id, char type) + { + char ** pp; + int i; + if (id == NULL) return -1; + if (type == DB_SRP_INDEX) + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { + pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid])) + return i; + } + else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { + pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) + return i; + } + + return -1 ; + } + +static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s) + { + if (indx >= 0 && verbose) + { + int j; + char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx); + BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]); + for (j = 0; j < DB_NUMBER; j++) + { + BIO_printf(bio_err," %d = \"%s\"\n", j, pp[j]); + } + } + } + +static void print_index(CA_DB *db, BIO *bio, int indexindex, int verbose) + { + print_entry(db, bio, indexindex, verbose, "g N entry") ; + } + +static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose) + { + if (verbose > 0) + { + char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + + if (pp[DB_srptype][0] != 'I') + { + print_entry(db, bio, userindex, verbose, "User entry"); + print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose, "g N entry"); + } + + } + } + +static int update_index(CA_DB *db, BIO *bio, char **row) + { + char ** irow; + int i; + + if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) + { + BIO_printf(bio_err,"Memory allocation failure\n"); + return 0; + } + + for (i=0; i<DB_NUMBER; i++) + { + irow[i]=row[i]; + row[i]=NULL; + } + irow[DB_NUMBER]=NULL; + + if (!TXT_DB_insert(db->db,irow)) + { + BIO_printf(bio,"failed to update srpvfile\n"); + BIO_printf(bio,"TXT_DB error number %ld\n",db->db->error); + OPENSSL_free(irow); + return 0; + } + return 1; + } + +static void lookup_fail(const char *name, char *tag) + { + BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); + } + + +static char *srp_verify_user(const char *user, const char *srp_verifier, + char *srp_usersalt, const char *g, const char *N, + const char *passin, BIO *bio, int verbose) + { + char password[1024]; + PW_CB_DATA cb_tmp; + char *verifier = NULL; + char *gNid = NULL; + + cb_tmp.prompt_info = user; + cb_tmp.password = passin; + + if (password_callback(password, 1024, 0, &cb_tmp) >0) + { + VERBOSE BIO_printf(bio,"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,srp_verifier,srp_usersalt, g, N); + BIO_printf(bio, "Pass %s\n", password); + + if (!(gNid=SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, g))) + { + BIO_printf(bio, "Internal error validating SRP verifier\n"); + } + else + { + if (strcmp(verifier, srp_verifier)) + gNid = NULL; + OPENSSL_free(verifier); + } + } + return gNid; + } + +static char *srp_create_user(char *user, char **srp_verifier, + char **srp_usersalt, char *g, char *N, + char *passout, BIO *bio, int verbose) + { + char password[1024]; + PW_CB_DATA cb_tmp; + char *gNid = NULL; + char *salt = NULL; + cb_tmp.prompt_info = user; + cb_tmp.password = passout; + + if (password_callback(password,1024,1,&cb_tmp) >0) + { + VERBOSE BIO_printf(bio,"Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,g,N); + if (!(gNid =SRP_create_verifier(user, password, &salt, srp_verifier, N, g))) + { + BIO_printf(bio,"Internal error creating SRP verifier\n"); + } + else + *srp_usersalt = salt; + VVERBOSE BIO_printf(bio,"gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid,salt, *srp_verifier); + + } + return gNid; + } + +int MAIN(int argc, char **argv) + { + int add_user = 0; + int list_user= 0; + int delete_user= 0; + int modify_user= 0; + char * user = NULL; + + char *passargin = NULL, *passargout = NULL; + char *passin = NULL, *passout = NULL; + char * gN = NULL; + int gNindex = -1; + char ** gNrow = NULL; + int maxgN = -1; + + char * userinfo = NULL; + + int badops=0; + int ret=1; + int errors=0; + int verbose=0; + int doupdatedb=0; + char *configfile=NULL; + char *dbfile=NULL; + CA_DB *db=NULL; + char **pp ; + int i; + long errorline = -1; + char *randfile=NULL; +#ifndef OPENSSL_NO_ENGINE + char *engine = NULL; +#endif + char *tofree=NULL; + DB_ATTR db_attr; + +#ifdef EFENCE +EF_PROTECT_FREE=1; +EF_PROTECT_BELOW=1; +EF_ALIGNMENT=0; +#endif + + apps_startup(); + + conf = NULL; + section = NULL; + + if (bio_err == NULL) + if ((bio_err=BIO_new(BIO_s_file())) != NULL) + BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + + argc--; + argv++; + while (argc >= 1 && badops == 0) + { + if (strcmp(*argv,"-verbose") == 0) + verbose++; + else if (strcmp(*argv,"-config") == 0) + { + if (--argc < 1) goto bad; + configfile= *(++argv); + } + else if (strcmp(*argv,"-name") == 0) + { + if (--argc < 1) goto bad; + section= *(++argv); + } + else if (strcmp(*argv,"-srpvfile") == 0) + { + if (--argc < 1) goto bad; + dbfile= *(++argv); + } + else if (strcmp(*argv,"-add") == 0) + add_user=1; + else if (strcmp(*argv,"-delete") == 0) + delete_user=1; + else if (strcmp(*argv,"-modify") == 0) + modify_user=1; + else if (strcmp(*argv,"-list") == 0) + list_user=1; + else if (strcmp(*argv,"-gn") == 0) + { + if (--argc < 1) goto bad; + gN= *(++argv); + } + else if (strcmp(*argv,"-userinfo") == 0) + { + if (--argc < 1) goto bad; + userinfo= *(++argv); + } + else if (strcmp(*argv,"-passin") == 0) + { + if (--argc < 1) goto bad; + passargin= *(++argv); + } + else if (strcmp(*argv,"-passout") == 0) + { + if (--argc < 1) goto bad; + passargout= *(++argv); + } +#ifndef OPENSSL_NO_ENGINE + else if (strcmp(*argv,"-engine") == 0) + { + if (--argc < 1) goto bad; + engine= *(++argv); + } +#endif + + else if (**argv == '-') + { +bad: + BIO_printf(bio_err,"unknown option %s\n",*argv); + badops=1; + break; + } + else + break; + + argc--; + argv++; + } + + if (dbfile && configfile) + { + BIO_printf(bio_err,"-dbfile and -configfile cannot be specified together.\n"); + badops = 1; + } + if (add_user+delete_user+modify_user+list_user != 1) + { + BIO_printf(bio_err,"Exactly one of the options -add, -delete, -modify -list must be specified.\n"); + badops = 1; + } + if (delete_user+modify_user+delete_user== 1 && argc <= 0) + { + BIO_printf(bio_err,"Need at least one user for options -add, -delete, -modify. \n"); + badops = 1; + } + if ((passin || passout) && argc != 1 ) + { + BIO_printf(bio_err,"-passin, -passout arguments only valid with one user.\n"); + badops = 1; + } + + if (badops) + { + for (pp=srp_usage; (*pp != NULL); pp++) + BIO_printf(bio_err,"%s",*pp); + + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); + BIO_printf(bio_err," load the file (or the files in the directory) into\n"); + BIO_printf(bio_err," the random number generator\n"); + goto err; + } + + ERR_load_crypto_strings(); + +#ifndef OPENSSL_NO_ENGINE + setup_engine(bio_err, engine, 0); +#endif + + if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) + { + BIO_printf(bio_err, "Error getting passwords\n"); + goto err; + } + + if (!dbfile) + { + + + /*****************************************************************/ + tofree=NULL; + if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); + if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); + if (configfile == NULL) + { + const char *s=X509_get_default_cert_area(); + size_t len; + +#ifdef OPENSSL_SYS_VMS + len = strlen(s)+sizeof(CONFIG_FILE); + tofree=OPENSSL_malloc(len); + strcpy(tofree,s); +#else + len = strlen(s)+sizeof(CONFIG_FILE)+1; + tofree=OPENSSL_malloc(len); + BUF_strlcpy(tofree,s,len); + BUF_strlcat(tofree,"/",len); +#endif + BUF_strlcat(tofree,CONFIG_FILE,len); + configfile=tofree; + } + + VERBOSE BIO_printf(bio_err,"Using configuration from %s\n",configfile); + conf = NCONF_new(NULL); + if (NCONF_load(conf,configfile,&errorline) <= 0) + { + if (errorline <= 0) + BIO_printf(bio_err,"error loading the config file '%s'\n", + configfile); + else + BIO_printf(bio_err,"error on line %ld of config file '%s'\n" + ,errorline,configfile); + goto err; + } + if(tofree) + { + OPENSSL_free(tofree); + tofree = NULL; + } + + if (!load_config(bio_err, conf)) + goto err; + + /* Lets get the config section we are using */ + if (section == NULL) + { + VERBOSE BIO_printf(bio_err,"trying to read " ENV_DEFAULT_SRP " in \" BASE_SECTION \"\n"); + + section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_SRP); + if (section == NULL) + { + lookup_fail(BASE_SECTION,ENV_DEFAULT_SRP); + goto err; + } + } + + if (randfile == NULL && conf) + randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); + + + VERBOSE BIO_printf(bio_err,"trying to read " ENV_DATABASE " in section \"%s\"\n",section); + + if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL) + { + lookup_fail(section,ENV_DATABASE); + goto err; + } + + } + if (randfile == NULL) + ERR_clear_error(); + else + app_RAND_load_file(randfile, bio_err, 0); + + VERBOSE BIO_printf(bio_err,"Trying to read SRP verifier file \"%s\"\n",dbfile); + + db = load_index(dbfile, &db_attr); + if (db == NULL) goto err; + + /* Lets check some fields */ + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { + pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] == DB_SRP_INDEX) + { + maxgN = i; + if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid])) + gNindex = i; + + print_index(db, bio_err, i, verbose > 1); + } + } + + VERBOSE BIO_printf(bio_err, "Database initialised\n"); + + if (gNindex >= 0) + { + gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex); + print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ; + } + else if (maxgN > 0 && !SRP_get_default_gN(gN)) + { + BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN); + goto err; + } + else + { + VERBOSE BIO_printf(bio_err, "Database has no g N information.\n"); + gNrow = NULL; + } + + + VVERBOSE BIO_printf(bio_err,"Starting user processing\n"); + + if (argc > 0) + user = *(argv++) ; + + while (list_user || user) + { + int userindex = -1; + if (user) + VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user); + if ((userindex = get_index(db, user, 'U')) >= 0) + { + print_user(db, bio_err, userindex, (verbose > 0) || list_user); + } + + if (list_user) + { + if (user == NULL) + { + BIO_printf(bio_err,"List all users\n"); + + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { + print_user(db,bio_err, i, 1); + } + list_user = 0; + } + else if (userindex < 0) + { + BIO_printf(bio_err, "user \"%s\" does not exist, ignored. t\n", + user); + errors++; + } + } + else if (add_user) + { + if (userindex >= 0) + { + /* reactivation of a new user */ + char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + BIO_printf(bio_err, "user \"%s\" reactivated.\n", user); + row[DB_srptype][0] = 'V'; + + doupdatedb = 1; + } + else + { + char *row[DB_NUMBER] ; char *gNid; + row[DB_srpverifier] = NULL; + row[DB_srpsalt] = NULL; + row[DB_srpinfo] = NULL; + if (!(gNid = srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:gN,gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose))) + { + BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned .\n", user); + errors++; + goto err; + } + row[DB_srpid] = BUF_strdup(user); + row[DB_srptype] = BUF_strdup("v"); + row[DB_srpgN] = BUF_strdup(gNid); + + if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] || + (userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))) || + !update_index(db, bio_err, row)) + { + if (row[DB_srpid]) OPENSSL_free(row[DB_srpid]); + if (row[DB_srpgN]) OPENSSL_free(row[DB_srpgN]); + if (row[DB_srpinfo]) OPENSSL_free(row[DB_srpinfo]); + if (row[DB_srptype]) OPENSSL_free(row[DB_srptype]); + if (row[DB_srpverifier]) OPENSSL_free(row[DB_srpverifier]); + if (row[DB_srpsalt]) OPENSSL_free(row[DB_srpsalt]); + goto err; + } + doupdatedb = 1; + } + } + else if (modify_user) + { + if (userindex < 0) + { + BIO_printf(bio_err,"user \"%s\" does not exist, operation ignored.\n",user); + errors++; + } + else + { + + char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char type = row[DB_srptype][0]; + if (type == 'v') + { + BIO_printf(bio_err,"user \"%s\" already updated, operation ignored.\n",user); + errors++; + } + else + { + char *gNid; + + if (row[DB_srptype][0] == 'V') + { + int user_gN; + char **irow = NULL; + VERBOSE BIO_printf(bio_err,"Verifying password for user \"%s\"\n",user); + if ( (user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0) + irow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + + if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt], irow ? irow[DB_srpsalt] : row[DB_srpgN], irow ? irow[DB_srpverifier] : NULL, passin, bio_err, verbose)) + { + BIO_printf(bio_err, "Invalid password for user \"%s\", operation abandoned.\n", user); + errors++; + goto err; + } + } + VERBOSE BIO_printf(bio_err,"Password for user \"%s\" ok.\n",user); + + if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose))) + { + BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); + errors++; + goto err; + } + + row[DB_srptype][0] = 'v'; + row[DB_srpgN] = BUF_strdup(gNid); + + if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] || + (userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo))))) + goto err; + + doupdatedb = 1; + } + } + } + else if (delete_user) + { + if (userindex < 0) + { + BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored. t\n", user); + errors++; + } + else + { + char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + BIO_printf(bio_err, "user \"%s\" revoked. t\n", user); + + xpp[DB_srptype][0] = 'R'; + + doupdatedb = 1; + } + } + if (--argc > 0) + user = *(argv++) ; + else + { + user = NULL; + list_user = 0; + } + } + + VERBOSE BIO_printf(bio_err,"User procession done.\n"); + + + if (doupdatedb) + { + /* Lets check some fields */ + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { + pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] == 'v') + { + pp[DB_srptype][0] = 'V'; + print_user(db, bio_err, i, verbose); + } + } + + VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n"); + if (!save_index(dbfile, "new", db)) goto err; + + VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n"); + if (!rotate_index(dbfile, "new", "old")) goto err; + + VERBOSE BIO_printf(bio_err, "srpvfile updated.\n"); + } + + ret = (errors != 0); +err: + if (errors != 0) + VERBOSE BIO_printf(bio_err,"User errors %d.\n",errors); + + VERBOSE BIO_printf(bio_err,"SRP terminating with code %d.\n",ret); + if(tofree) + OPENSSL_free(tofree); + if (ret) ERR_print_errors(bio_err); + if (randfile) app_RAND_write_file(randfile, bio_err); + if (conf) NCONF_free(conf); + if (db) free_index(db); + + OBJ_cleanup(); + apps_shutdown(); + OPENSSL_EXIT(ret); + } + + + +#endif + diff --git a/crypto/openssl/apps/ts.c b/crypto/openssl/apps/ts.c new file mode 100644 index 0000000..5fa9f7f --- /dev/null +++ b/crypto/openssl/apps/ts.c @@ -0,0 +1,1147 @@ +/* apps/ts.c */ +/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL + * project 2002. + */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include "apps.h" +#include <openssl/bio.h> +#include <openssl/err.h> +#include <openssl/pem.h> +#include <openssl/rand.h> +#include <openssl/ts.h> +#include <openssl/bn.h> + +#undef PROG +#define PROG ts_main + +/* Length of the nonce of the request in bits (must be a multiple of 8). */ +#define NONCE_LENGTH 64 + +/* Macro definitions for the configuration file. */ +#define ENV_OID_FILE "oid_file" + +/* Local function declarations. */ + +static ASN1_OBJECT *txt2obj(const char *oid); +static CONF *load_config_file(const char *configfile); + +/* Query related functions. */ +static int query_command(const char *data, char *digest, + const EVP_MD *md, const char *policy, int no_nonce, + int cert, const char *in, const char *out, int text); +static BIO *BIO_open_with_default(const char *file, const char *mode, + FILE *default_fp); +static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, + const char *policy, int no_nonce, int cert); +static int create_digest(BIO *input, char *digest, + const EVP_MD *md, unsigned char **md_value); +static ASN1_INTEGER *create_nonce(int bits); + +/* Reply related functions. */ +static int reply_command(CONF *conf, char *section, char *engine, + char *queryfile, char *passin, char *inkey, + char *signer, char *chain, const char *policy, + char *in, int token_in, char *out, int token_out, + int text); +static TS_RESP *read_PKCS7(BIO *in_bio); +static TS_RESP *create_response(CONF *conf, const char *section, char *engine, + char *queryfile, char *passin, char *inkey, + char *signer, char *chain, const char *policy); +static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data); +static ASN1_INTEGER *next_serial(const char *serialfile); +static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); + +/* Verify related functions. */ +static int verify_command(char *data, char *digest, char *queryfile, + char *in, int token_in, + char *ca_path, char *ca_file, char *untrusted); +static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, + char *queryfile, + char *ca_path, char *ca_file, + char *untrusted); +static X509_STORE *create_cert_store(char *ca_path, char *ca_file); +static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx); + +/* Main function definition. */ +int MAIN(int, char **); + +int MAIN(int argc, char **argv) + { + int ret = 1; + char *configfile = NULL; + char *section = NULL; + CONF *conf = NULL; + enum mode { + CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY + } mode = CMD_NONE; + char *data = NULL; + char *digest = NULL; + const EVP_MD *md = NULL; + char *rnd = NULL; + char *policy = NULL; + int no_nonce = 0; + int cert = 0; + char *in = NULL; + char *out = NULL; + int text = 0; + char *queryfile = NULL; + char *passin = NULL; /* Password source. */ + char *password =NULL; /* Password itself. */ + char *inkey = NULL; + char *signer = NULL; + char *chain = NULL; + char *ca_path = NULL; + char *ca_file = NULL; + char *untrusted = NULL; + char *engine = NULL; + /* Input is ContentInfo instead of TimeStampResp. */ + int token_in = 0; + /* Output is ContentInfo instead of TimeStampResp. */ + int token_out = 0; + int free_bio_err = 0; + + ERR_load_crypto_strings(); + apps_startup(); + + if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL) + { + free_bio_err = 1; + BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); + } + + if (!load_config(bio_err, NULL)) + goto cleanup; + + for (argc--, argv++; argc > 0; argc--, argv++) + { + if (strcmp(*argv, "-config") == 0) + { + if (argc-- < 1) goto usage; + configfile = *++argv; + } + else if (strcmp(*argv, "-section") == 0) + { + if (argc-- < 1) goto usage; + section = *++argv; + } + else if (strcmp(*argv, "-query") == 0) + { + if (mode != CMD_NONE) goto usage; + mode = CMD_QUERY; + } + else if (strcmp(*argv, "-data") == 0) + { + if (argc-- < 1) goto usage; + data = *++argv; + } + else if (strcmp(*argv, "-digest") == 0) + { + if (argc-- < 1) goto usage; + digest = *++argv; + } + else if (strcmp(*argv, "-rand") == 0) + { + if (argc-- < 1) goto usage; + rnd = *++argv; + } + else if (strcmp(*argv, "-policy") == 0) + { + if (argc-- < 1) goto usage; + policy = *++argv; + } + else if (strcmp(*argv, "-no_nonce") == 0) + { + no_nonce = 1; + } + else if (strcmp(*argv, "-cert") == 0) + { + cert = 1; + } + else if (strcmp(*argv, "-in") == 0) + { + if (argc-- < 1) goto usage; + in = *++argv; + } + else if (strcmp(*argv, "-token_in") == 0) + { + token_in = 1; + } + else if (strcmp(*argv, "-out") == 0) + { + if (argc-- < 1) goto usage; + out = *++argv; + } + else if (strcmp(*argv, "-token_out") == 0) + { + token_out = 1; + } + else if (strcmp(*argv, "-text") == 0) + { + text = 1; + } + else if (strcmp(*argv, "-reply") == 0) + { + if (mode != CMD_NONE) goto usage; + mode = CMD_REPLY; + } + else if (strcmp(*argv, "-queryfile") == 0) + { + if (argc-- < 1) goto usage; + queryfile = *++argv; + } + else if (strcmp(*argv, "-passin") == 0) + { + if (argc-- < 1) goto usage; + passin = *++argv; + } + else if (strcmp(*argv, "-inkey") == 0) + { + if (argc-- < 1) goto usage; + inkey = *++argv; + } + else if (strcmp(*argv, "-signer") == 0) + { + if (argc-- < 1) goto usage; + signer = *++argv; + } + else if (strcmp(*argv, "-chain") == 0) + { + if (argc-- < 1) goto usage; + chain = *++argv; + } + else if (strcmp(*argv, "-verify") == 0) + { + if (mode != CMD_NONE) goto usage; + mode = CMD_VERIFY; + } + else if (strcmp(*argv, "-CApath") == 0) + { + if (argc-- < 1) goto usage; + ca_path = *++argv; + } + else if (strcmp(*argv, "-CAfile") == 0) + { + if (argc-- < 1) goto usage; + ca_file = *++argv; + } + else if (strcmp(*argv, "-untrusted") == 0) + { + if (argc-- < 1) goto usage; + untrusted = *++argv; + } + else if (strcmp(*argv, "-engine") == 0) + { + if (argc-- < 1) goto usage; + engine = *++argv; + } + else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) + { + /* empty. */ + } + else + goto usage; + } + + /* Seed the random number generator if it is going to be used. */ + if (mode == CMD_QUERY && !no_nonce) + { + if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL) + BIO_printf(bio_err, "warning, not much extra random " + "data, consider using the -rand option\n"); + if (rnd != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(rnd)); + } + + /* Get the password if required. */ + if(mode == CMD_REPLY && passin && + !app_passwd(bio_err, passin, NULL, &password, NULL)) + { + BIO_printf(bio_err,"Error getting password.\n"); + goto cleanup; + } + + /* Check consistency of parameters and execute + the appropriate function. */ + switch (mode) + { + case CMD_NONE: + goto usage; + case CMD_QUERY: + /* Data file and message imprint cannot be specified + at the same time. */ + ret = data != NULL && digest != NULL; + if (ret) goto usage; + /* Load the config file for possible policy OIDs. */ + conf = load_config_file(configfile); + ret = !query_command(data, digest, md, policy, no_nonce, cert, + in, out, text); + break; + case CMD_REPLY: + conf = load_config_file(configfile); + if (in == NULL) + { + ret = !(queryfile != NULL && conf != NULL && !token_in); + if (ret) goto usage; + } + else + { + /* 'in' and 'queryfile' are exclusive. */ + ret = !(queryfile == NULL); + if (ret) goto usage; + } + + ret = !reply_command(conf, section, engine, queryfile, + password, inkey, signer, chain, policy, + in, token_in, out, token_out, text); + break; + case CMD_VERIFY: + ret = !(((queryfile && !data && !digest) + || (!queryfile && data && !digest) + || (!queryfile && !data && digest)) + && in != NULL); + if (ret) goto usage; + + ret = !verify_command(data, digest, queryfile, in, token_in, + ca_path, ca_file, untrusted); + } + + goto cleanup; + + usage: + BIO_printf(bio_err, "usage:\n" + "ts -query [-rand file%cfile%c...] [-config configfile] " + "[-data file_to_hash] [-digest digest_bytes]" + "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " + "[-policy object_id] [-no_nonce] [-cert] " + "[-in request.tsq] [-out request.tsq] [-text]\n", + LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); + BIO_printf(bio_err, "or\n" + "ts -reply [-config configfile] [-section tsa_section] " + "[-queryfile request.tsq] [-passin password] " + "[-signer tsa_cert.pem] [-inkey private_key.pem] " + "[-chain certs_file.pem] [-policy object_id] " + "[-in response.tsr] [-token_in] " + "[-out response.tsr] [-token_out] [-text] [-engine id]\n"); + BIO_printf(bio_err, "or\n" + "ts -verify [-data file_to_hash] [-digest digest_bytes] " + "[-queryfile request.tsq] " + "-in response.tsr [-token_in] " + "-CApath ca_path -CAfile ca_file.pem " + "-untrusted cert_file.pem\n"); + cleanup: + /* Clean up. */ + app_RAND_write_file(NULL, bio_err); + NCONF_free(conf); + OPENSSL_free(password); + OBJ_cleanup(); + if (free_bio_err) + { + BIO_free_all(bio_err); + bio_err = NULL; + } + + OPENSSL_EXIT(ret); + } + +/* + * Configuration file-related function definitions. + */ + +static ASN1_OBJECT *txt2obj(const char *oid) + { + ASN1_OBJECT *oid_obj = NULL; + + if (!(oid_obj = OBJ_txt2obj(oid, 0))) + BIO_printf(bio_err, "cannot convert %s to OID\n", oid); + + return oid_obj; + } + +static CONF *load_config_file(const char *configfile) + { + CONF *conf = NULL; + long errorline = -1; + + if (!configfile) configfile = getenv("OPENSSL_CONF"); + if (!configfile) configfile = getenv("SSLEAY_CONF"); + + if (configfile && + (!(conf = NCONF_new(NULL)) || + NCONF_load(conf, configfile, &errorline) <= 0)) + { + if (errorline <= 0) + BIO_printf(bio_err, "error loading the config file " + "'%s'\n", configfile); + else + BIO_printf(bio_err, "error on line %ld of config file " + "'%s'\n", errorline, configfile); + } + + if (conf != NULL) + { + const char *p; + + BIO_printf(bio_err,"Using configuration from %s\n", configfile); + p = NCONF_get_string(conf, NULL, ENV_OID_FILE); + if (p != NULL) + { + BIO *oid_bio = BIO_new_file(p, "r"); + if (!oid_bio) + ERR_print_errors(bio_err); + else + { + OBJ_create_objects(oid_bio); + BIO_free_all(oid_bio); + } + } + else + ERR_clear_error(); + if(!add_oid_section(bio_err, conf)) + ERR_print_errors(bio_err); + } + return conf; + } + +/* + * Query-related method definitions. + */ + +static int query_command(const char *data, char *digest, const EVP_MD *md, + const char *policy, int no_nonce, + int cert, const char *in, const char *out, int text) + { + int ret = 0; + TS_REQ *query = NULL; + BIO *in_bio = NULL; + BIO *data_bio = NULL; + BIO *out_bio = NULL; + + /* Build query object either from file or from scratch. */ + if (in != NULL) + { + if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; + query = d2i_TS_REQ_bio(in_bio, NULL); + } + else + { + /* Open the file if no explicit digest bytes were specified. */ + if (!digest + && !(data_bio = BIO_open_with_default(data, "rb", stdin))) + goto end; + /* Creating the query object. */ + query = create_query(data_bio, digest, md, + policy, no_nonce, cert); + /* Saving the random number generator state. */ + } + if (query == NULL) goto end; + + /* Write query either in ASN.1 or in text format. */ + if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) + goto end; + if (text) + { + /* Text output. */ + if (!TS_REQ_print_bio(out_bio, query)) + goto end; + } + else + { + /* ASN.1 output. */ + if (!i2d_TS_REQ_bio(out_bio, query)) + goto end; + } + + ret = 1; + + end: + ERR_print_errors(bio_err); + + /* Clean up. */ + BIO_free_all(in_bio); + BIO_free_all(data_bio); + BIO_free_all(out_bio); + TS_REQ_free(query); + + return ret; + } + +static BIO *BIO_open_with_default(const char *file, const char *mode, + FILE *default_fp) + { + return file == NULL ? + BIO_new_fp(default_fp, BIO_NOCLOSE) + : BIO_new_file(file, mode); + } + +static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, + const char *policy, int no_nonce, int cert) + { + int ret = 0; + TS_REQ *ts_req = NULL; + int len; + TS_MSG_IMPRINT *msg_imprint = NULL; + X509_ALGOR *algo = NULL; + unsigned char *data = NULL; + ASN1_OBJECT *policy_obj = NULL; + ASN1_INTEGER *nonce_asn1 = NULL; + + /* Setting default message digest. */ + if (!md && !(md = EVP_get_digestbyname("sha1"))) goto err; + + /* Creating request object. */ + if (!(ts_req = TS_REQ_new())) goto err; + + /* Setting version. */ + if (!TS_REQ_set_version(ts_req, 1)) goto err; + + /* Creating and adding MSG_IMPRINT object. */ + if (!(msg_imprint = TS_MSG_IMPRINT_new())) goto err; + + /* Adding algorithm. */ + if (!(algo = X509_ALGOR_new())) goto err; + if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md)))) goto err; + if (!(algo->parameter = ASN1_TYPE_new())) goto err; + algo->parameter->type = V_ASN1_NULL; + if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) goto err; + + /* Adding message digest. */ + if ((len = create_digest(data_bio, digest, md, &data)) == 0) + goto err; + if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len)) goto err; + + if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) goto err; + + /* Setting policy if requested. */ + if (policy && !(policy_obj = txt2obj(policy))) goto err; + if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) goto err; + + /* Setting nonce if requested. */ + if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH))) goto err; + if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) goto err; + + /* Setting certificate request flag if requested. */ + if (!TS_REQ_set_cert_req(ts_req, cert)) goto err; + + ret = 1; + err: + if (!ret) + { + TS_REQ_free(ts_req); + ts_req = NULL; + BIO_printf(bio_err, "could not create query\n"); + } + TS_MSG_IMPRINT_free(msg_imprint); + X509_ALGOR_free(algo); + OPENSSL_free(data); + ASN1_OBJECT_free(policy_obj); + ASN1_INTEGER_free(nonce_asn1); + return ts_req; + } + +static int create_digest(BIO *input, char *digest, const EVP_MD *md, + unsigned char **md_value) + { + int md_value_len; + + md_value_len = EVP_MD_size(md); + if (md_value_len < 0) + goto err; + if (input) + { + /* Digest must be computed from an input file. */ + EVP_MD_CTX md_ctx; + unsigned char buffer[4096]; + int length; + + *md_value = OPENSSL_malloc(md_value_len); + if (*md_value == 0) goto err; + + EVP_DigestInit(&md_ctx, md); + while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) + { + EVP_DigestUpdate(&md_ctx, buffer, length); + } + EVP_DigestFinal(&md_ctx, *md_value, NULL); + } + else + { + /* Digest bytes are specified with digest. */ + long digest_len; + *md_value = string_to_hex(digest, &digest_len); + if (!*md_value || md_value_len != digest_len) + { + OPENSSL_free(*md_value); + *md_value = NULL; + BIO_printf(bio_err, "bad digest, %d bytes " + "must be specified\n", md_value_len); + goto err; + } + } + + return md_value_len; + err: + return 0; + } + +static ASN1_INTEGER *create_nonce(int bits) + { + unsigned char buf[20]; + ASN1_INTEGER *nonce = NULL; + int len = (bits - 1) / 8 + 1; + int i; + + /* Generating random byte sequence. */ + if (len > (int)sizeof(buf)) goto err; + if (RAND_bytes(buf, len) <= 0) goto err; + + /* Find the first non-zero byte and creating ASN1_INTEGER object. */ + for (i = 0; i < len && !buf[i]; ++i); + if (!(nonce = ASN1_INTEGER_new())) goto err; + OPENSSL_free(nonce->data); + /* Allocate at least one byte. */ + nonce->length = len - i; + if (!(nonce->data = OPENSSL_malloc(nonce->length + 1))) goto err; + memcpy(nonce->data, buf + i, nonce->length); + + return nonce; + err: + BIO_printf(bio_err, "could not create nonce\n"); + ASN1_INTEGER_free(nonce); + return NULL; + } +/* + * Reply-related method definitions. + */ + +static int reply_command(CONF *conf, char *section, char *engine, + char *queryfile, char *passin, char *inkey, + char *signer, char *chain, const char *policy, + char *in, int token_in, + char *out, int token_out, int text) + { + int ret = 0; + TS_RESP *response = NULL; + BIO *in_bio = NULL; + BIO *query_bio = NULL; + BIO *inkey_bio = NULL; + BIO *signer_bio = NULL; + BIO *out_bio = NULL; + + /* Build response object either from response or query. */ + if (in != NULL) + { + if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; + if (token_in) + { + /* We have a ContentInfo (PKCS7) object, add + 'granted' status info around it. */ + response = read_PKCS7(in_bio); + } + else + { + /* We have a ready-made TS_RESP object. */ + response = d2i_TS_RESP_bio(in_bio, NULL); + } + } + else + { + response = create_response(conf, section, engine, queryfile, + passin, inkey, signer, chain, + policy); + if (response) + BIO_printf(bio_err, "Response has been generated.\n"); + else + BIO_printf(bio_err, "Response is not generated.\n"); + } + if (response == NULL) goto end; + + /* Write response either in ASN.1 or text format. */ + if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) + goto end; + if (text) + { + /* Text output. */ + if (token_out) + { + TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); + if (!TS_TST_INFO_print_bio(out_bio, tst_info)) goto end; + } + else + { + if (!TS_RESP_print_bio(out_bio, response)) goto end; + } + } + else + { + /* ASN.1 DER output. */ + if (token_out) + { + PKCS7 *token = TS_RESP_get_token(response); + if (!i2d_PKCS7_bio(out_bio, token)) goto end; + } + else + { + if (!i2d_TS_RESP_bio(out_bio, response)) goto end; + } + } + + ret = 1; + + end: + ERR_print_errors(bio_err); + + /* Clean up. */ + BIO_free_all(in_bio); + BIO_free_all(query_bio); + BIO_free_all(inkey_bio); + BIO_free_all(signer_bio); + BIO_free_all(out_bio); + TS_RESP_free(response); + + return ret; + } + +/* Reads a PKCS7 token and adds default 'granted' status info to it. */ +static TS_RESP *read_PKCS7(BIO *in_bio) + { + int ret = 0; + PKCS7 *token = NULL; + TS_TST_INFO *tst_info = NULL; + TS_RESP *resp = NULL; + TS_STATUS_INFO *si = NULL; + + /* Read PKCS7 object and extract the signed time stamp info. */ + if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; + if (!(tst_info = PKCS7_to_TS_TST_INFO(token))) goto end; + + /* Creating response object. */ + if (!(resp = TS_RESP_new())) goto end; + + /* Create granted status info. */ + if (!(si = TS_STATUS_INFO_new())) goto end; + if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED))) goto end; + if (!TS_RESP_set_status_info(resp, si)) goto end; + + /* Setting encapsulated token. */ + TS_RESP_set_tst_info(resp, token, tst_info); + token = NULL; /* Ownership is lost. */ + tst_info = NULL; /* Ownership is lost. */ + + ret = 1; + end: + PKCS7_free(token); + TS_TST_INFO_free(tst_info); + if (!ret) + { + TS_RESP_free(resp); + resp = NULL; + } + TS_STATUS_INFO_free(si); + return resp; + } + +static TS_RESP *create_response(CONF *conf, const char *section, char *engine, + char *queryfile, char *passin, char *inkey, + char *signer, char *chain, const char *policy) + { + int ret = 0; + TS_RESP *response = NULL; + BIO *query_bio = NULL; + TS_RESP_CTX *resp_ctx = NULL; + + if (!(query_bio = BIO_new_file(queryfile, "rb"))) + goto end; + + /* Getting TSA configuration section. */ + if (!(section = TS_CONF_get_tsa_section(conf, section))) + goto end; + + /* Setting up response generation context. */ + if (!(resp_ctx = TS_RESP_CTX_new())) goto end; + + /* Setting serial number provider callback. */ + if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx)) goto end; +#ifndef OPENSSL_NO_ENGINE + /* Setting default OpenSSL engine. */ + if (!TS_CONF_set_crypto_device(conf, section, engine)) goto end; +#endif + + /* Setting TSA signer certificate. */ + if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx)) goto end; + + /* Setting TSA signer certificate chain. */ + if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) goto end; + + /* Setting TSA signer private key. */ + if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) + goto end; + + /* Setting default policy OID. */ + if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; + + /* Setting acceptable policy OIDs. */ + if (!TS_CONF_set_policies(conf, section, resp_ctx)) goto end; + + /* Setting the acceptable one-way hash algorithms. */ + if (!TS_CONF_set_digests(conf, section, resp_ctx)) goto end; + + /* Setting guaranteed time stamp accuracy. */ + if (!TS_CONF_set_accuracy(conf, section, resp_ctx)) goto end; + + /* Setting the precision of the time. */ + if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx)) + goto end; + + /* Setting the ordering flaf if requested. */ + if (!TS_CONF_set_ordering(conf, section, resp_ctx)) goto end; + + /* Setting the TSA name required flag if requested. */ + if (!TS_CONF_set_tsa_name(conf, section, resp_ctx)) goto end; + + /* Setting the ESS cert id chain flag if requested. */ + if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) goto end; + + /* Creating the response. */ + if (!(response = TS_RESP_create_response(resp_ctx, query_bio))) + goto end; + + ret = 1; + end: + if (!ret) + { + TS_RESP_free(response); + response = NULL; + } + TS_RESP_CTX_free(resp_ctx); + BIO_free_all(query_bio); + + return response; + } + +static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data) + { + const char *serial_file = (const char *) data; + ASN1_INTEGER *serial = next_serial(serial_file); + + if (!serial) + { + TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, + "Error during serial number " + "generation."); + TS_RESP_CTX_add_failure_info(ctx, + TS_INFO_ADD_INFO_NOT_AVAILABLE); + } + else + save_ts_serial(serial_file, serial); + + return serial; + } + +static ASN1_INTEGER *next_serial(const char *serialfile) + { + int ret = 0; + BIO *in = NULL; + ASN1_INTEGER *serial = NULL; + BIGNUM *bn = NULL; + + if (!(serial = ASN1_INTEGER_new())) goto err; + + if (!(in = BIO_new_file(serialfile, "r"))) + { + ERR_clear_error(); + BIO_printf(bio_err, "Warning: could not open file %s for " + "reading, using serial number: 1\n", serialfile); + if (!ASN1_INTEGER_set(serial, 1)) goto err; + } + else + { + char buf[1024]; + if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) + { + BIO_printf(bio_err, "unable to load number from %s\n", + serialfile); + goto err; + } + if (!(bn = ASN1_INTEGER_to_BN(serial, NULL))) goto err; + ASN1_INTEGER_free(serial); + serial = NULL; + if (!BN_add_word(bn, 1)) goto err; + if (!(serial = BN_to_ASN1_INTEGER(bn, NULL))) goto err; + } + ret = 1; + err: + if (!ret) + { + ASN1_INTEGER_free(serial); + serial = NULL; + } + BIO_free_all(in); + BN_free(bn); + return serial; + } + +static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial) + { + int ret = 0; + BIO *out = NULL; + + if (!(out = BIO_new_file(serialfile, "w"))) goto err; + if (i2a_ASN1_INTEGER(out, serial) <= 0) goto err; + if (BIO_puts(out, "\n") <= 0) goto err; + ret = 1; + err: + if (!ret) + BIO_printf(bio_err, "could not save serial number to %s\n", + serialfile); + BIO_free_all(out); + return ret; + } + +/* + * Verify-related method definitions. + */ + +static int verify_command(char *data, char *digest, char *queryfile, + char *in, int token_in, + char *ca_path, char *ca_file, char *untrusted) + { + BIO *in_bio = NULL; + PKCS7 *token = NULL; + TS_RESP *response = NULL; + TS_VERIFY_CTX *verify_ctx = NULL; + int ret = 0; + + /* Decode the token (PKCS7) or response (TS_RESP) files. */ + if (!(in_bio = BIO_new_file(in, "rb"))) goto end; + if (token_in) + { + if (!(token = d2i_PKCS7_bio(in_bio, NULL))) goto end; + } + else + { + if (!(response = d2i_TS_RESP_bio(in_bio, NULL))) goto end; + } + + if (!(verify_ctx = create_verify_ctx(data, digest, queryfile, + ca_path, ca_file, untrusted))) + goto end; + + /* Checking the token or response against the request. */ + ret = token_in ? + TS_RESP_verify_token(verify_ctx, token) : + TS_RESP_verify_response(verify_ctx, response); + + end: + printf("Verification: "); + if (ret) + printf("OK\n"); + else + { + printf("FAILED\n"); + /* Print errors, if there are any. */ + ERR_print_errors(bio_err); + } + + /* Clean up. */ + BIO_free_all(in_bio); + PKCS7_free(token); + TS_RESP_free(response); + TS_VERIFY_CTX_free(verify_ctx); + return ret; + } + +static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, + char *queryfile, + char *ca_path, char *ca_file, + char *untrusted) + { + TS_VERIFY_CTX *ctx = NULL; + BIO *input = NULL; + TS_REQ *request = NULL; + int ret = 0; + + if (data != NULL || digest != NULL) + { + if (!(ctx = TS_VERIFY_CTX_new())) goto err; + ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; + if (data != NULL) + { + ctx->flags |= TS_VFY_DATA; + if (!(ctx->data = BIO_new_file(data, "rb"))) goto err; + } + else if (digest != NULL) + { + long imprint_len; + ctx->flags |= TS_VFY_IMPRINT; + if (!(ctx->imprint = string_to_hex(digest, + &imprint_len))) + { + BIO_printf(bio_err, "invalid digest string\n"); + goto err; + } + ctx->imprint_len = imprint_len; + } + + } + else if (queryfile != NULL) + { + /* The request has just to be read, decoded and converted to + a verify context object. */ + if (!(input = BIO_new_file(queryfile, "rb"))) goto err; + if (!(request = d2i_TS_REQ_bio(input, NULL))) goto err; + if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL))) goto err; + } + else + return NULL; + + /* Add the signature verification flag and arguments. */ + ctx->flags |= TS_VFY_SIGNATURE; + + /* Initialising the X509_STORE object. */ + if (!(ctx->store = create_cert_store(ca_path, ca_file))) goto err; + + /* Loading untrusted certificates. */ + if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted))) + goto err; + + ret = 1; + err: + if (!ret) + { + TS_VERIFY_CTX_free(ctx); + ctx = NULL; + } + BIO_free_all(input); + TS_REQ_free(request); + return ctx; + } + +static X509_STORE *create_cert_store(char *ca_path, char *ca_file) + { + X509_STORE *cert_ctx = NULL; + X509_LOOKUP *lookup = NULL; + int i; + + /* Creating the X509_STORE object. */ + cert_ctx = X509_STORE_new(); + + /* Setting the callback for certificate chain verification. */ + X509_STORE_set_verify_cb(cert_ctx, verify_cb); + + /* Adding a trusted certificate directory source. */ + if (ca_path) + { + lookup = X509_STORE_add_lookup(cert_ctx, + X509_LOOKUP_hash_dir()); + if (lookup == NULL) + { + BIO_printf(bio_err, "memory allocation failure\n"); + goto err; + } + i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM); + if (!i) + { + BIO_printf(bio_err, "Error loading directory %s\n", + ca_path); + goto err; + } + } + + /* Adding a trusted certificate file source. */ + if (ca_file) + { + lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); + if (lookup == NULL) + { + BIO_printf(bio_err, "memory allocation failure\n"); + goto err; + } + i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM); + if (!i) + { + BIO_printf(bio_err, "Error loading file %s\n", ca_file); + goto err; + } + } + + return cert_ctx; + err: + X509_STORE_free(cert_ctx); + return NULL; + } + +static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx) + { + /* + char buf[256]; + + if (!ok) + { + X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), + buf, sizeof(buf)); + printf("%s\n", buf); + printf("error %d at %d depth lookup: %s\n", + ctx->error, ctx->error_depth, + X509_verify_cert_error_string(ctx->error)); + } + */ + + return ok; + } diff --git a/crypto/openssl/apps/tsget b/crypto/openssl/apps/tsget new file mode 100644 index 0000000..0d54e9f --- /dev/null +++ b/crypto/openssl/apps/tsget @@ -0,0 +1,196 @@ +#!/usr/bin/perl -w +# Written by Zoltan Glozik <zglozik@stones.com>. +# Copyright (c) 2002 The OpenTSA Project. All rights reserved. +$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $'; + +use strict; +use IO::Handle; +use Getopt::Std; +use File::Basename; +use WWW::Curl::Easy; + +use vars qw(%options); + +# Callback for reading the body. +sub read_body { + my ($maxlength, $state) = @_; + my $return_data = ""; + my $data_len = length ${$state->{data}}; + if ($state->{bytes} < $data_len) { + $data_len = $data_len - $state->{bytes}; + $data_len = $maxlength if $data_len > $maxlength; + $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; + $state->{bytes} += $data_len; + } + return $return_data; +} + +# Callback for writing the body into a variable. +sub write_body { + my ($data, $pointer) = @_; + ${$pointer} .= $data; + return length($data); +} + +# Initialise a new Curl object. +sub create_curl { + my $url = shift; + + # Create Curl object. + my $curl = WWW::Curl::Easy::new(); + + # Error-handling related options. + $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; + $curl->setopt(CURLOPT_FAILONERROR, 1); + $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]); + + # Options for POST method. + $curl->setopt(CURLOPT_UPLOAD, 1); + $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); + $curl->setopt(CURLOPT_HTTPHEADER, + ["Content-Type: application/timestamp-query", + "Accept: application/timestamp-reply,application/timestamp-response"]); + $curl->setopt(CURLOPT_READFUNCTION, \&read_body); + $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); + + # Options for getting the result. + $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); + + # SSL related options. + $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. + $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. + $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); + $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); + $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); + $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); + $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); + $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); + $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); + + # Setting destination. + $curl->setopt(CURLOPT_URL, $url); + + return $curl; +} + +# Send a request and returns the body back. +sub get_timestamp { + my $curl = shift; + my $body = shift; + my $ts_body; + local $::error_buf; + + # Error-handling related options. + $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); + + # Options for POST method. + $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); + $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); + + # Options for getting the result. + $curl->setopt(CURLOPT_FILE, \$ts_body); + + # Send the request... + my $error_code = $curl->perform(); + my $error_string; + if ($error_code != 0) { + my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); + $error_string = "could not get timestamp"; + $error_string .= ", http code: $http_code" unless $http_code == 0; + $error_string .= ", curl code: $error_code"; + $error_string .= " ($::error_buf)" if defined($::error_buf); + } else { + my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { + $error_string = "unexpected content type returned: $ct"; + } + } + return ($ts_body, $error_string); + +} + +# Print usage information and exists. +sub usage { + + print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] "; + print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] "; + print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] "; + print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n"; + exit 1; +} + +# ---------------------------------------------------------------------- +# Main program +# ---------------------------------------------------------------------- + +# Getting command-line options (default comes from TSGET environment variable). +my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; +if (exists $ENV{TSGET}) { + my @old_argv = @ARGV; + @ARGV = split /\s+/, $ENV{TSGET}; + getopts($getopt_arg, \%options) or usage; + @ARGV = @old_argv; +} +getopts($getopt_arg, \%options) or usage; + +# Checking argument consistency. +if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) + || (@ARGV > 1 && exists($options{o}))) { + print STDERR "Inconsistent command line options.\n"; + usage; +} +# Setting defaults. +@ARGV = ("-") unless @ARGV != 0; +$options{e} = ".tsr" unless defined($options{e}); + +# Processing requests. +my $curl = create_curl $options{h}; +undef $/; # For reading whole files. +REQUEST: foreach (@ARGV) { + my $input = $_; + my ($base, $path) = fileparse($input, '\.[^.]*'); + my $output_base = $base . $options{e}; + my $output = defined($options{o}) ? $options{o} : $path . $output_base; + + STDERR->printflush("$input: ") if $options{v}; + # Read request. + my $body; + if ($input eq "-") { + # Read the request from STDIN; + $body = <STDIN>; + } else { + # Read the request from file. + open INPUT, "<" . $input + or warn("$input: could not open input file: $!\n"), next REQUEST; + $body = <INPUT>; + close INPUT + or warn("$input: could not close input file: $!\n"), next REQUEST; + } + + # Send request. + STDERR->printflush("sending request") if $options{v}; + + my ($ts_body, $error) = get_timestamp $curl, \$body; + if (defined($error)) { + die "$input: fatal error: $error\n"; + } + STDERR->printflush(", reply received") if $options{v}; + + # Write response. + if ($output eq "-") { + # Write to STDOUT. + print $ts_body; + } else { + # Write to file. + open OUTPUT, ">", $output + or warn("$output: could not open output file: $!\n"), next REQUEST; + print OUTPUT $ts_body; + close OUTPUT + or warn("$output: could not close output file: $!\n"), next REQUEST; + } + STDERR->printflush(", $output written.\n") if $options{v}; +} +$curl->cleanup(); +WWW::Curl::Easy::global_cleanup(); diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c index 20cc9e3..b9749dc 100644 --- a/crypto/openssl/apps/verify.c +++ b/crypto/openssl/apps/verify.c @@ -70,8 +70,9 @@ #define PROG verify_main static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e); -static STACK_OF(X509) *load_untrusted(char *file); +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e); static int v_verbose=0, vflags = 0; int MAIN(int, char **); @@ -80,10 +81,10 @@ int MAIN(int argc, char **argv) { ENGINE *e = NULL; int i,ret=1, badarg = 0; - int purpose = -1; char *CApath=NULL,*CAfile=NULL; - char *untfile = NULL, *trustfile = NULL; + char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; STACK_OF(X509) *untrusted = NULL, *trusted = NULL; + STACK_OF(X509_CRL) *crls = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; X509_VERIFY_PARAM *vpm = NULL; @@ -93,7 +94,7 @@ int MAIN(int argc, char **argv) cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(cert_ctx,cb); + X509_STORE_set_verify_cb(cert_ctx,cb); ERR_load_crypto_strings(); @@ -139,6 +140,11 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; trustfile= *(++argv); } + else if (strcmp(*argv,"-CRLfile") == 0) + { + if (argc-- < 1) goto end; + crlfile= *(++argv); + } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -192,30 +198,39 @@ int MAIN(int argc, char **argv) ERR_clear_error(); - if(untfile) { - if(!(untrusted = load_untrusted(untfile))) { - BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile); - ERR_print_errors(bio_err); + if(untfile) + { + untrusted = load_certs(bio_err, untfile, FORMAT_PEM, + NULL, e, "untrusted certificates"); + if(!untrusted) goto end; } - } - if(trustfile) { - if(!(trusted = load_untrusted(trustfile))) { - BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile); - ERR_print_errors(bio_err); + if(trustfile) + { + trusted = load_certs(bio_err, trustfile, FORMAT_PEM, + NULL, e, "trusted certificates"); + if(!trusted) goto end; } - } - if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose, e); + if(crlfile) + { + crls = load_crls(bio_err, crlfile, FORMAT_PEM, + NULL, e, "other CRLs"); + if(!crls) + goto end; + } + + if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e); else for (i=0; i<argc; i++) - check(cert_ctx,argv[i], untrusted, trusted, purpose, e); + check(cert_ctx,argv[i], untrusted, trusted, crls, e); ret=0; end: if (ret == 1) { BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); + BIO_printf(bio_err," [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," [-engine e]"); #endif @@ -232,11 +247,14 @@ end: if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); apps_shutdown(); OPENSSL_EXIT(ret); } -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e) +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e) { X509 *x=NULL; int i=0,ret=0; @@ -260,7 +278,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X goto end; } if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); - if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); + if (crls) + X509_STORE_CTX_set0_crls(csc, crls); i=X509_verify_cert(csc); X509_STORE_CTX_free(csc); @@ -278,90 +297,53 @@ end: return(ret); } -static STACK_OF(X509) *load_untrusted(char *certfile) -{ - STACK_OF(X509_INFO) *sk=NULL; - STACK_OF(X509) *stack=NULL, *ret=NULL; - BIO *in=NULL; - X509_INFO *xi; - - if(!(stack = sk_X509_new_null())) { - BIO_printf(bio_err,"memory allocation failure\n"); - goto end; - } - - if(!(in=BIO_new_file(certfile, "r"))) { - BIO_printf(bio_err,"error opening the file, %s\n",certfile); - goto end; - } - - /* This loads from a file, a stack of x509/crl/pkey sets */ - if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) { - BIO_printf(bio_err,"error reading the file, %s\n",certfile); - goto end; - } - - /* scan over it and pull out the certs */ - while (sk_X509_INFO_num(sk)) - { - xi=sk_X509_INFO_shift(sk); - if (xi->x509 != NULL) - { - sk_X509_push(stack,xi->x509); - xi->x509=NULL; - } - X509_INFO_free(xi); - } - if(!sk_X509_num(stack)) { - BIO_printf(bio_err,"no certificates in file, %s\n",certfile); - sk_X509_free(stack); - goto end; - } - ret=stack; -end: - BIO_free(in); - sk_X509_INFO_free(sk); - return(ret); - } - static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) { - char buf[256]; + int cert_error = X509_STORE_CTX_get_error(ctx); + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); if (!ok) { - if (ctx->current_cert) + if (current_cert) + { + X509_NAME_print_ex_fp(stdout, + X509_get_subject_name(current_cert), + 0, XN_FLAG_ONELINE); + printf("\n"); + } + printf("%serror %d at %d depth lookup:%s\n", + X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "", + cert_error, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(cert_error)); + switch(cert_error) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert),buf, - sizeof buf); - printf("%s\n",buf); + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(NULL, ctx); + case X509_V_ERR_CERT_HAS_EXPIRED: + + /* since we are just checking the certificates, it is + * ok if they are self signed. But we should still warn + * the user. + */ + + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + /* Continue after extension errors too */ + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_INVALID_NON_CA: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_CRL_HAS_EXPIRED: + case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + ok = 1; + } - printf("error %d at %d depth lookup:%s\n",ctx->error, - ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; - /* since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - /* Continue after extension errors too */ - if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; - if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; - if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; - if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; - if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; - if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; - if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) - policies_print(NULL, ctx); return ok; } - if ((ctx->error == X509_V_OK) && (ok == 2)) + if (cert_error == X509_V_OK && ok == 2) policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); diff --git a/crypto/openssl/apps/winrand.c b/crypto/openssl/apps/winrand.c deleted file mode 100644 index 59bede3..0000000 --- a/crypto/openssl/apps/winrand.c +++ /dev/null @@ -1,148 +0,0 @@ -/* apps/winrand.c */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* Usage: winrand [filename] - * - * Collects entropy from mouse movements and other events and writes - * random data to filename or .rnd - */ - -#include <windows.h> -#include <openssl/opensslv.h> -#include <openssl/rand.h> - -LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); -const char *filename; - -int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, - PSTR cmdline, int iCmdShow) - { - static char appname[] = "OpenSSL"; - HWND hwnd; - MSG msg; - WNDCLASSEX wndclass; - char buffer[200]; - - if (cmdline[0] == '\0') - filename = RAND_file_name(buffer, sizeof buffer); - else - filename = cmdline; - - RAND_load_file(filename, -1); - - wndclass.cbSize = sizeof(wndclass); - wndclass.style = CS_HREDRAW | CS_VREDRAW; - wndclass.lpfnWndProc = WndProc; - wndclass.cbClsExtra = 0; - wndclass.cbWndExtra = 0; - wndclass.hInstance = hInstance; - wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION); - wndclass.hCursor = LoadCursor(NULL, IDC_ARROW); - wndclass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH); - wndclass.lpszMenuName = NULL; - wndclass.lpszClassName = appname; - wndclass.hIconSm = LoadIcon(NULL, IDI_APPLICATION); - RegisterClassEx(&wndclass); - - hwnd = CreateWindow(appname, OPENSSL_VERSION_TEXT, - WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, - CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInstance, NULL); - - ShowWindow(hwnd, iCmdShow); - UpdateWindow(hwnd); - - - while (GetMessage(&msg, NULL, 0, 0)) - { - TranslateMessage(&msg); - DispatchMessage(&msg); - } - - return msg.wParam; - } - -LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam) - { - HDC hdc; - PAINTSTRUCT ps; - RECT rect; - static int seeded = 0; - - switch (iMsg) - { - case WM_PAINT: - hdc = BeginPaint(hwnd, &ps); - GetClientRect(hwnd, &rect); - DrawText(hdc, "Seeding the PRNG. Please move the mouse!", -1, - &rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER); - EndPaint(hwnd, &ps); - return 0; - - case WM_DESTROY: - PostQuitMessage(0); - return 0; - } - - if (RAND_event(iMsg, wParam, lParam) == 1 && seeded == 0) - { - seeded = 1; - if (RAND_write_file(filename) <= 0) - MessageBox(hwnd, "Couldn't write random file!", - "OpenSSL", MB_OK | MB_ICONERROR); - PostQuitMessage(0); - } - - return DefWindowProc(hwnd, iMsg, wParam, lParam); - } diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index b16afd0..e6e5e0d 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", +#ifndef OPENSSL_NO_MD5 +" -subject_hash_old - print old-style (MD5) subject hash value\n", +#endif " -issuer_hash - print issuer hash value\n", +#ifndef OPENSSL_NO_MD5 +" -issuer_hash_old - print old-style (MD5) issuer hash value\n", +#endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", @@ -151,9 +157,10 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, CONF *conf, char *section); static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, - X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, - int create,int days, int clrext, CONF *conf, char *section, - ASN1_INTEGER *sno); + X509 *x,X509 *xca,EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, + char *serial, int create ,int days, int clrext, + CONF *conf, char *section, ASN1_INTEGER *sno); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); static int reqfile=0; @@ -166,6 +173,7 @@ int MAIN(int argc, char **argv) X509_REQ *req=NULL; X509 *x=NULL,*xca=NULL; ASN1_OBJECT *objtmp; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; EVP_PKEY *Upkey=NULL,*CApkey=NULL; ASN1_INTEGER *sno = NULL; int i,num,badops=0; @@ -179,6 +187,9 @@ int MAIN(int argc, char **argv) int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old=0,issuer_hash_old=0; +#endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; @@ -190,7 +201,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; - const EVP_MD *md_alg,*digest=EVP_sha1(); + const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; @@ -225,7 +236,7 @@ int MAIN(int argc, char **argv) ctx=X509_STORE_new(); if (ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(ctx,callb); + X509_STORE_set_verify_cb(ctx,callb); argc--; argv++; @@ -262,6 +273,15 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAkeyformat=str2fmt(*(++argv)); } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + goto bad; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + goto bad; + } else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; @@ -397,8 +417,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-subject_hash_old") == 0) + subject_hash_old= ++num; +#endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-issuer_hash_old") == 0) + issuer_hash_old= ++num; +#endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) @@ -624,7 +652,7 @@ bad: if (!X509_set_subject_name(x,req->req_info->subject)) goto end; X509_gmtime_adj(X509_get_notBefore(x),0); - X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); + X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL); pkey = X509_REQ_get_pubkey(req); X509_set_pubkey(x,pkey); @@ -736,13 +764,14 @@ bad: else if ((email == i) || (ocsp_uri == i)) { int j; - STACK *emlst; + STACK_OF(OPENSSL_STRING) *emlst; if (email == i) emlst = X509_get1_email(x); else emlst = X509_get1_ocsp(x); - for (j = 0; j < sk_num(emlst); j++) - BIO_printf(STDout, "%s\n", sk_value(emlst, j)); + for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(STDout, "%s\n", + sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) @@ -756,10 +785,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (subject_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); + } +#endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (issuer_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); + } +#endif else if (pprint == i) { X509_PURPOSE *ptmp; @@ -890,14 +931,18 @@ bad: int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *fdig = digest; + + if (!fdig) + fdig = EVP_sha1(); - if (!X509_digest(x,digest,md,&n)) + if (!X509_digest(x,fdig,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } BIO_printf(STDout,"%s Fingerprint=", - OBJ_nid2sn(EVP_MD_type(digest))); + OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], @@ -917,14 +962,6 @@ bad: passin, e, "Private key"); if (Upkey == NULL) goto end; } -#ifndef OPENSSL_NO_DSA - if (Upkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (Upkey->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, @@ -941,18 +978,11 @@ bad: "CA Private Key"); if (CApkey == NULL) goto end; } -#ifndef OPENSSL_NO_DSA - if (CApkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (CApkey->type == EVP_PKEY_EC) - digest = EVP_ecdsa(); -#endif assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, - CApkey, CAserial,CA_createserial,days, clrext, + CApkey, sigopts, + CAserial,CA_createserial,days, clrext, extconf, extsect, sno)) goto end; } @@ -976,15 +1006,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); -#ifndef OPENSSL_NO_DSA - if (pk->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pk->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif - rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) @@ -1038,16 +1059,15 @@ bad: } else if (outformat == FORMAT_NETSCAPE) { - ASN1_HEADER ah; - ASN1_OCTET_STRING os; + NETSCAPE_X509 nx; + ASN1_OCTET_STRING hdr; - os.data=(unsigned char *)NETSCAPE_CERT_HDR; - os.length=strlen(NETSCAPE_CERT_HDR); - ah.header= &os; - ah.data=(char *)x; - ah.meth=X509_asn1_meth(); + hdr.data=(unsigned char *)NETSCAPE_CERT_HDR; + hdr.length=strlen(NETSCAPE_CERT_HDR); + nx.header= &hdr; + nx.cert=x; - i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah); + i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); @@ -1073,6 +1093,8 @@ end: X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); @@ -1123,8 +1145,11 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, - X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, - int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) + X509 *x, X509 *xca, EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, + char *serialfile, int create, + int days, int clrext, CONF *conf, char *section, + ASN1_INTEGER *sno) { int ret=0; ASN1_INTEGER *bs=NULL; @@ -1166,7 +1191,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; /* hardwired expired */ - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) + if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) goto end; if (clrext) @@ -1183,7 +1208,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; } - if (!X509_sign(x,pkey,digest)) goto end; + if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) + goto end; ret=1; end: X509_STORE_CTX_cleanup(&xsc); |