diff options
author | simon <simon@FreeBSD.org> | 2007-03-15 20:03:30 +0000 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2007-03-15 20:03:30 +0000 |
commit | 699a8581f98495705b6c4fa8f75d5b9e815d63aa (patch) | |
tree | e7e76085d46ef861077be893200a8581676b8160 /crypto/openssl/apps | |
parent | ec2c02499c0b252a95c60473ae5bbe44a359f104 (diff) | |
parent | ee48ceb6a84c702d0f80bc72ce8be558bdcb0de3 (diff) | |
download | FreeBSD-src-699a8581f98495705b6c4fa8f75d5b9e815d63aa.zip FreeBSD-src-699a8581f98495705b6c4fa8f75d5b9e815d63aa.tar.gz |
This commit was generated by cvs2svn to compensate for changes in r167612,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/openssl/apps')
-rwxr-xr-x | crypto/openssl/apps/CA.pl | 2 | ||||
-rw-r--r-- | crypto/openssl/apps/Makefile | 17 | ||||
-rw-r--r-- | crypto/openssl/apps/ca.c | 1 | ||||
-rw-r--r-- | crypto/openssl/apps/dgst.c | 48 | ||||
-rw-r--r-- | crypto/openssl/apps/ec.c | 3 | ||||
-rw-r--r-- | crypto/openssl/apps/enc.c | 8 | ||||
-rw-r--r-- | crypto/openssl/apps/ocsp.c | 6 | ||||
-rw-r--r-- | crypto/openssl/apps/pkcs12.c | 19 | ||||
-rw-r--r-- | crypto/openssl/apps/s_client.c | 107 | ||||
-rw-r--r-- | crypto/openssl/apps/s_server.c | 4 |
10 files changed, 176 insertions, 39 deletions
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index c783a6e..a3965ec 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile b/crypto/openssl/apps/Makefile index 79ea8a7..41cd3ca 100644 --- a/crypto/openssl/apps/Makefile +++ b/crypto/openssl/apps/Makefile @@ -290,14 +290,15 @@ dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h dgst.o: ../include/openssl/err.h ../include/openssl/evp.h -dgst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h -dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dgst.c +dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +dgst.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +dgst.o: ../include/openssl/x509_vfy.h apps.h dgst.c dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 210b5e1..e9d79de 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -1520,6 +1520,7 @@ err: if (x509) X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); + NCONF_free(extconf); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index c13535f..09d0934 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -66,6 +66,7 @@ #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/pem.h> +#include <openssl/hmac.h> #undef BUFSIZE #define BUFSIZE 1024*8 @@ -75,7 +76,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file); + const char *file,BIO *bmd,const char *hmac_key); int MAIN(int, char **); @@ -104,6 +105,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif + char *hmac_key=NULL; apps_startup(); @@ -188,6 +190,12 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; + else if (!strcmp(*argv,"-hmac")) + { + if (--argc < 1) + break; + hmac_key=*++argv; + } else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else @@ -261,7 +269,7 @@ int MAIN(int argc, char **argv) { BIO_set_callback(in,BIO_debug_callback); /* needed for windows 3.1 */ - BIO_set_callback_arg(in,bio_err); + BIO_set_callback_arg(in,(char *)bio_err); } if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) @@ -358,7 +366,7 @@ int MAIN(int argc, char **argv) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)"); + siglen,"","(stdin)",bmd,hmac_key); } else { @@ -376,14 +384,15 @@ int MAIN(int argc, char **argv) } if(!out_bin) { - size_t len = strlen(name)+strlen(argv[i])+5; + size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; tmp=tofree=OPENSSL_malloc(len); - BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]); + BIO_snprintf(tmp,len,"%s%s(%s)= ", + hmac_key ? "HMAC-" : "",name,argv[i]); } else tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i]); + siglen,tmp,argv[i],bmd,hmac_key); if(r) err=r; if(tofree) @@ -410,11 +419,23 @@ end: int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file) + const char *file,BIO *bmd,const char *hmac_key) { - int len; + unsigned int len; int i; + EVP_MD_CTX *md_ctx; + HMAC_CTX hmac_ctx; + + if (hmac_key) + { + EVP_MD *md; + BIO_get_md(bmd,&md); + HMAC_CTX_init(&hmac_ctx); + HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); + BIO_get_md_ctx(bmd,&md_ctx); + BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); + } for (;;) { i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -457,6 +478,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, return 1; } } + else if(hmac_key) + { + HMAC_Final(&hmac_ctx,buf,&len); + HMAC_CTX_cleanup(&hmac_ctx); + } else len=BIO_gets(bp,(char *)buf,BUFSIZE); @@ -464,7 +490,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, else { BIO_write(out,title,strlen(title)); - for (i=0; i<len; i++) + for (i=0; i<(int)len; i++) { if (sep && (i != 0)) BIO_printf(out, ":"); @@ -472,6 +498,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, } BIO_printf(out, "\n"); } + if (hmac_key) + { + BIO_set_md_ctx(bmd,md_ctx); + } return 0; } diff --git a/crypto/openssl/apps/ec.c b/crypto/openssl/apps/ec.c index 9ddaddf..c63437f 100644 --- a/crypto/openssl/apps/ec.c +++ b/crypto/openssl/apps/ec.c @@ -347,7 +347,10 @@ bad: } if (noout) + { + ret = 0; goto end; + } BIO_printf(bio_err, "writing EC key\n"); if (outformat == FORMAT_ASN1) diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 3e3e8eb..a41ea80 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -365,8 +365,8 @@ bad: { BIO_set_callback(in,BIO_debug_callback); BIO_set_callback(out,BIO_debug_callback); - BIO_set_callback_arg(in,bio_err); - BIO_set_callback_arg(out,bio_err); + BIO_set_callback_arg(in,(char *)bio_err); + BIO_set_callback_arg(out,(char *)bio_err); } if (inf == NULL) @@ -453,7 +453,7 @@ bad: if (debug) { BIO_set_callback(b64,BIO_debug_callback); - BIO_set_callback_arg(b64,bio_err); + BIO_set_callback_arg(b64,(char *)bio_err); } if (olb64) BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); @@ -571,7 +571,7 @@ bad: if (debug) { BIO_set_callback(benc,BIO_debug_callback); - BIO_set_callback_arg(benc,bio_err); + BIO_set_callback_arg(benc,(char *)bio_err); } if (printkey) diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index 52af592..3ee6dfb 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -139,6 +139,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; SSL_load_error_strings(); + OpenSSL_add_ssl_algorithms(); args = argv + 1; reqnames = sk_new_null(); ids = sk_OCSP_CERTID_new_null(); @@ -726,6 +727,11 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "SSL is disabled\n"); goto end; #endif + if (ctx == NULL) + { + BIO_printf(bio_err, "Error creating SSL context.\n"); + goto end; + } SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index 688a0ce..d5873e9 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -536,8 +536,11 @@ int MAIN(int argc, char **argv) X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { - BIO_printf (bio_err, "Error %s getting chain.\n", + if (vret >= 0) + BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); + else + ERR_print_errors(bio_err); goto export_end; } } @@ -811,7 +814,7 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; STACK_OF(X509) *chn; - int i; + int i = 0; /* FIXME: Should really check the return status of X509_STORE_CTX_init * for an error, but how that fits into the return value of this @@ -819,13 +822,17 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx); + if (i == 0) + /* avoid returning 0 if X509_verify_cert() did not + * set an appropriate error value in the context */ + i = -1; + chn = NULL; goto err; - } - chn = X509_STORE_CTX_get1_chain(&store_ctx); - i = 0; - *chain = chn; + } else + chn = X509_STORE_CTX_get1_chain(&store_ctx); err: X509_STORE_CTX_cleanup(&store_ctx); + *chain = chn; return i; } diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index 4a1857f..3f302c5 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c @@ -226,7 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n"); + BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -234,6 +234,15 @@ static void sc_usage(void) } +enum +{ + PROTO_OFF = 0, + PROTO_SMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP +}; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -260,7 +269,7 @@ int MAIN(int argc, char **argv) int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; - int starttls_proto = 0; + int starttls_proto = PROTO_OFF; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; #ifdef sock_type @@ -269,6 +278,7 @@ int MAIN(int argc, char **argv) int sock_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; + int mbuf_len=0; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; ENGINE *e=NULL; @@ -466,9 +476,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; ++argv; if (strcmp(*argv,"smtp") == 0) - starttls_proto = 1; + starttls_proto = PROTO_SMTP; else if (strcmp(*argv,"pop3") == 0) - starttls_proto = 2; + starttls_proto = PROTO_POP3; + else if (strcmp(*argv,"imap") == 0) + starttls_proto = PROTO_IMAP; + else if (strcmp(*argv,"ftp") == 0) + starttls_proto = PROTO_FTP; else goto bad; } @@ -693,7 +707,7 @@ re_start: { con->debug=1; BIO_set_callback(sbio,bio_dump_callback); - BIO_set_callback_arg(sbio,bio_c_out); + BIO_set_callback_arg(sbio,(char *)bio_c_out); } if (c_msg) { @@ -719,18 +733,93 @@ re_start: sbuf_off=0; /* This is an ugly hack that does a lot of assumptions */ - if (starttls_proto == 1) + /* We do have to handle multi-line responses which may come + in a single packet or not. We therefore have to use + BIO_gets() which does need a buffering BIO. So during + the initial chitchat we do push a buffering BIO into the + chain that is removed again later on to not disturb the + rest of the s_client operation. */ + if (starttls_proto == PROTO_SMTP) { - BIO_read(sbio,mbuf,BUFSIZZ); + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + /* STARTTLS command requires EHLO... */ + BIO_printf(fbio,"EHLO openssl.client.net\r\n"); + BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found starttls in server response," + " try anyway...\n"); BIO_printf(sbio,"STARTTLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } - if (starttls_proto == 2) + else if (starttls_proto == PROTO_POP3) { BIO_read(sbio,mbuf,BUFSIZZ); BIO_printf(sbio,"STLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } + else if (starttls_proto == PROTO_IMAP) + { + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio,mbuf,BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio,". CAPABILITY\r\n"); + BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[0]!='.'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found STARTTLS in server response," + " try anyway...\n"); + BIO_printf(sbio,". STARTTLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } + else if (starttls_proto == PROTO_FTP) + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio,"AUTH TLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } for (;;) { @@ -755,7 +844,7 @@ re_start: { BIO_printf(bio_err,"%s",mbuf); /* We don't need to know any more */ - starttls_proto = 0; + starttls_proto = PROTO_OFF; } if (reconnect) diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index 0d6727c..6c433e6 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -1234,7 +1234,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { @@ -1638,7 +1638,7 @@ static int www_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { |