+
+int parse_yesno(const char *str, int def)
+ {
+ int ret = def;
+ if (str)
+ {
+ switch (*str)
+ {
+ case 'f': /* false */
+ case 'F': /* FALSE */
+ case 'n': /* no */
+ case 'N': /* NO */
+ case '0': /* 0 */
+ ret = 0;
+ break;
+ case 't': /* true */
+ case 'T': /* TRUE */
+ case 'y': /* yes */
+ case 'Y': /* YES */
+ case '1': /* 1 */
+ ret = 1;
+ break;
+ default:
+ ret = def;
+ break;
+ }
+ }
+ return ret;
+ }
+
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *parse_name(char *subject, long chtype, int multirdn)
+ {
+ size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
+ char *buf = OPENSSL_malloc(buflen);
+ size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+ char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
+ char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
+ int *mval = OPENSSL_malloc (max_ne * sizeof (int));
+
+ char *sp = subject, *bp = buf;
+ int i, ne_num = 0;
+
+ X509_NAME *n = NULL;
+ int nid;
+
+ if (!buf || !ne_types || !ne_values || !mval)
+ {
+ BIO_printf(bio_err, "malloc error\n");
+ goto error;
+ }
+
+ if (*subject != '/')
+ {
+ BIO_printf(bio_err, "Subject does not start with '/'.\n");
+ goto error;
+ }
+ sp++; /* skip leading / */
+
+ /* no multivalued RDN by default */
+ mval[ne_num] = 0;
+
+ while (*sp)
+ {
+ /* collect type */
+ ne_types[ne_num] = bp;
+ while (*sp)
+ {
+ if (*sp == '\\') /* is there anything to escape in the type...? */
+ {
+ if (*++sp)
+ *bp++ = *sp++;
+ else
+ {
+ BIO_printf(bio_err, "escape character at end of string\n");
+ goto error;
+ }
+ }
+ else if (*sp == '=')
+ {
+ sp++;
+ *bp++ = '\0';
+ break;
+ }
+ else
+ *bp++ = *sp++;
+ }
+ if (!*sp)
+ {
+ BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
+ goto error;
+ }
+ ne_values[ne_num] = bp;
+ while (*sp)
+ {
+ if (*sp == '\\')
+ {
+ if (*++sp)
+ *bp++ = *sp++;
+ else
+ {
+ BIO_printf(bio_err, "escape character at end of string\n");
+ goto error;
+ }
+ }
+ else if (*sp == '/')
+ {
+ sp++;
+ /* no multivalued RDN by default */
+ mval[ne_num+1] = 0;
+ break;
+ }
+ else if (*sp == '+' && multirdn)
+ {
+ /* a not escaped + signals a mutlivalued RDN */
+ sp++;
+ mval[ne_num+1] = -1;
+ break;
+ }
+ else
+ *bp++ = *sp++;
+ }
+ *bp++ = '\0';
+ ne_num++;
+ }
+
+ if (!(n = X509_NAME_new()))
+ goto error;
+
+ for (i = 0; i < ne_num; i++)
+ {
+ if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
+ {
+ BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
+ continue;
+ }
+
+ if (!*ne_values[i])
+ {
+ BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
+ continue;
+ }
+
+ if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
+ goto error;
+ }
+
+ OPENSSL_free(ne_values);
+ OPENSSL_free(ne_types);
+ OPENSSL_free(buf);
+ OPENSSL_free(mval);
+ return n;
+
+error:
+ X509_NAME_free(n);
+ if (ne_values)
+ OPENSSL_free(ne_values);
+ if (ne_types)
+ OPENSSL_free(ne_types);
+ if (mval)
+ OPENSSL_free(mval);
+ if (buf)
+ OPENSSL_free(buf);
+ return NULL;
+}
+
+int args_verify(char ***pargs, int *pargc,
+ int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
+ {
+ ASN1_OBJECT *otmp = NULL;
+ unsigned long flags = 0;
+ int i;
+ int purpose = 0, depth = -1;
+ char **oldargs = *pargs;
+ char *arg = **pargs, *argn = (*pargs)[1];
+ const X509_VERIFY_PARAM *vpm = NULL;
+ time_t at_time = 0;
+ const unsigned char *hostname = NULL, *email = NULL;
+ char *ipasc = NULL;
+ if (!strcmp(arg, "-policy"))
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ otmp = OBJ_txt2obj(argn, 0);
+ if (!otmp)
+ {
+ BIO_printf(err, "Invalid Policy \"%s\"\n",
+ argn);
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-purpose") == 0)
+ {
+ X509_PURPOSE *xptmp;
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ i = X509_PURPOSE_get_by_sname(argn);
+ if(i < 0)
+ {
+ BIO_printf(err, "unrecognized purpose\n");
+ *badarg = 1;
+ }
+ else
+ {
+ xptmp = X509_PURPOSE_get0(i);
+ purpose = X509_PURPOSE_get_id(xptmp);
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_name") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ vpm = X509_VERIFY_PARAM_lookup(argn);
+ if(!vpm)
+ {
+ BIO_printf(err, "unrecognized verify name\n");
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_depth") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ depth = atoi(argn);
+ if(depth < 0)
+ {
+ BIO_printf(err, "invalid depth\n");
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-attime") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ long timestamp;
+ /* interpret the -attime argument as seconds since
+ * Epoch */
+ if (sscanf(argn, "%li", ×tamp) != 1)
+ {
+ BIO_printf(bio_err,
+ "Error parsing timestamp %s\n",
+ argn);
+ *badarg = 1;
+ }
+ /* on some platforms time_t may be a float */
+ at_time = (time_t) timestamp;
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_hostname") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ hostname = (unsigned char *)argn;
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_email") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ email = (unsigned char *)argn;
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_ip") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ ipasc = argn;
+ (*pargs)++;
+ }
+ else if (!strcmp(arg, "-ignore_critical"))
+ flags |= X509_V_FLAG_IGNORE_CRITICAL;
+ else if (!strcmp(arg, "-issuer_checks"))
+ flags |= X509_V_FLAG_CB_ISSUER_CHECK;
+ else if (!strcmp(arg, "-crl_check"))
+ flags |= X509_V_FLAG_CRL_CHECK;
+ else if (!strcmp(arg, "-crl_check_all"))
+ flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+ else if (!strcmp(arg, "-policy_check"))
+ flags |= X509_V_FLAG_POLICY_CHECK;
+ else if (!strcmp(arg, "-explicit_policy"))
+ flags |= X509_V_FLAG_EXPLICIT_POLICY;
+ else if (!strcmp(arg, "-inhibit_any"))
+ flags |= X509_V_FLAG_INHIBIT_ANY;
+ else if (!strcmp(arg, "-inhibit_map"))
+ flags |= X509_V_FLAG_INHIBIT_MAP;
+ else if (!strcmp(arg, "-x509_strict"))
+ flags |= X509_V_FLAG_X509_STRICT;
+ else if (!strcmp(arg, "-extended_crl"))
+ flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+ else if (!strcmp(arg, "-use_deltas"))
+ flags |= X509_V_FLAG_USE_DELTAS;
+ else if (!strcmp(arg, "-policy_print"))
+ flags |= X509_V_FLAG_NOTIFY_POLICY;
+ else if (!strcmp(arg, "-check_ss_sig"))
+ flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+ else if (!strcmp(arg, "-trusted_first"))
+ flags |= X509_V_FLAG_TRUSTED_FIRST;
+ else if (!strcmp(arg, "-suiteB_128_only"))
+ flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
+ else if (!strcmp(arg, "-suiteB_128"))
+ flags |= X509_V_FLAG_SUITEB_128_LOS;
+ else if (!strcmp(arg, "-suiteB_192"))
+ flags |= X509_V_FLAG_SUITEB_192_LOS;
+ else if (!strcmp(arg, "-partial_chain"))
+ flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ else
+ return 0;
+
+ if (*badarg)
+ {
+ if (*pm)
+ X509_VERIFY_PARAM_free(*pm);
+ *pm = NULL;
+ goto end;
+ }
+
+ if (!*pm && !(*pm = X509_VERIFY_PARAM_new()))
+ {
+ *badarg = 1;
+ goto end;
+ }
+
+ if (vpm)
+ X509_VERIFY_PARAM_set1(*pm, vpm);
+
+ if (otmp)
+ X509_VERIFY_PARAM_add0_policy(*pm, otmp);
+ if (flags)
+ X509_VERIFY_PARAM_set_flags(*pm, flags);
+
+ if (purpose)
+ X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+
+ if (depth >= 0)
+ X509_VERIFY_PARAM_set_depth(*pm, depth);
+
+ if (at_time)
+ X509_VERIFY_PARAM_set_time(*pm, at_time);
+
+ if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
+ *badarg = 1;
+
+ if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
+ *badarg = 1;
+
+ if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
+ *badarg = 1;
+
+ end:
+
+ (*pargs)++;
+
+ if (pargc)
+ *pargc -= *pargs - oldargs;
+
+ return 1;
+
+ }
+
+/* Read whole contents of a BIO into an allocated memory buffer and
+ * return it.
+ */
+
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
+ {
+ BIO *mem;
+ int len, ret;
+ unsigned char tbuf[1024];
+ mem = BIO_new(BIO_s_mem());
+ if (!mem)
+ return -1;
+ for(;;)
+ {
+ if ((maxlen != -1) && maxlen < 1024)
+ len = maxlen;
+ else
+ len = 1024;
+ len = BIO_read(in, tbuf, len);
+ if (len <= 0)
+ break;
+ if (BIO_write(mem, tbuf, len) != len)
+ {
+ BIO_free(mem);
+ return -1;
+ }
+ maxlen -= len;
+
+ if (maxlen == 0)
+ break;
+ }
+ ret = BIO_get_mem_data(mem, (char **)out);
+ BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
+ BIO_free(mem);
+ return ret;
+ }
+
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
+ {
+ int rv;
+ char *stmp, *vtmp = NULL;
+ stmp = BUF_strdup(value);
+ if (!stmp)
+ return -1;
+ vtmp = strchr(stmp, ':');
+ if (vtmp)
+ {
+ *vtmp = 0;
+ vtmp++;
+ }
+ rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
+ OPENSSL_free(stmp);
+ return rv;
+ }
+
+static void nodes_print(BIO *out, const char *name,
+ STACK_OF(X509_POLICY_NODE) *nodes)
+ {
+ X509_POLICY_NODE *node;
+ int i;
+ BIO_printf(out, "%s Policies:", name);
+ if (nodes)
+ {
+ BIO_puts(out, "\n");
+ for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
+ {
+ node = sk_X509_POLICY_NODE_value(nodes, i);
+ X509_POLICY_NODE_print(out, node, 2);
+ }
+ }
+ else
+ BIO_puts(out, " <empty>\n");
+ }
+
+void policies_print(BIO *out, X509_STORE_CTX *ctx)
+ {
+ X509_POLICY_TREE *tree;
+ int explicit_policy;
+ int free_out = 0;
+ if (out == NULL)
+ {
+ out = BIO_new_fp(stderr, BIO_NOCLOSE);
+ free_out = 1;
+ }
+ tree = X509_STORE_CTX_get0_policy_tree(ctx);
+ explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
+
+ BIO_printf(out, "Require explicit Policy: %s\n",
+ explicit_policy ? "True" : "False");
+
+ nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
+ nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
+ if (free_out)
+ BIO_free(out);
+ }
+
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+
+static JPAKE_CTX *jpake_init(const char *us, const char *them,
+ const char *secret)
+ {
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ BIGNUM *q = NULL;
+ BIGNUM *bnsecret = BN_new();
+ JPAKE_CTX *ctx;
+
+ /* Use a safe prime for p (that we found earlier) */
+ BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
+ g = BN_new();
+ BN_set_word(g, 2);
+ q = BN_new();
+ BN_rshift1(q, p);
+
+ BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
+
+ ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
+ BN_free(bnsecret);
+ BN_free(q);
+ BN_free(g);
+ BN_free(p);
+
+ return ctx;
+ }
+
+static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
+ {
+ BN_print(conn, p->gx);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.gr);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.b);
+ BIO_puts(conn, "\n");
+ }
+
+static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ JPAKE_STEP1_generate(&s1, ctx);
+ jpake_send_part(bconn, &s1.p1);
+ jpake_send_part(bconn, &s1.p2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ JPAKE_STEP2_generate(&s2, ctx);
+ jpake_send_part(bconn, &s2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3A s3a;
+
+ JPAKE_STEP3A_init(&s3a);
+ JPAKE_STEP3A_generate(&s3a, ctx);
+ BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3B s3b;
+
+ JPAKE_STEP3B_init(&s3b);
+ JPAKE_STEP3B_generate(&s3b, ctx);
+ BIO_write(bconn, s3b.hk, sizeof s3b.hk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+static void readbn(BIGNUM **bn, BIO *bconn)
+ {
+ char buf[10240];
+ int l;
+
+ l = BIO_gets(bconn, buf, sizeof buf);
+ assert(l > 0);
+ assert(buf[l-1] == '\n');
+ buf[l-1] = '\0';
+ BN_hex2bn(bn, buf);
+ }
+
+static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
+ {
+ readbn(&p->gx, bconn);
+ readbn(&p->zkpx.gr, bconn);
+ readbn(&p->zkpx.b, bconn);
+ }
+
+static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ jpake_receive_part(&s1.p1, bconn);
+ jpake_receive_part(&s1.p2, bconn);
+ if(!JPAKE_STEP1_process(ctx, &s1))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ jpake_receive_part(&s2, bconn);
+ if(!JPAKE_STEP2_process(ctx, &s2))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3A s3a;
+ int l;
+
+ JPAKE_STEP3A_init(&s3a);
+ l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
+ assert(l == sizeof s3a.hhk);
+ if(!JPAKE_STEP3A_process(ctx, &s3a))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3B s3b;
+ int l;
+
+ JPAKE_STEP3B_init(&s3b);
+ l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
+ assert(l == sizeof s3b.hk);
+ if(!JPAKE_STEP3B_process(ctx, &s3b))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("client", "server", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step3a(bconn, ctx);
+ jpake_receive_step3b(ctx, bconn);
+
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ if (psk_key)
+ OPENSSL_free(psk_key);
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
+ }
+
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("server", "client", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step3a(ctx, bconn);
+ jpake_send_step3b(bconn, ctx);
+
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ if (psk_key)
+ OPENSSL_free(psk_key);
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
+ }
+
+#endif
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ * outlen: (output) set to the length of the resulting buffer on success.
+ * err: (maybe NULL) on failure, an error message line is written to this BIO.
+ * in: a NUL termianted string like "abc,def,ghi"
+ *
+ * returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+ {
+ size_t len;
+ unsigned char *out;
+ size_t i, start = 0;
+
+ len = strlen(in);
+ if (len >= 65535)
+ return NULL;
+
+ out = OPENSSL_malloc(strlen(in) + 1);
+ if (!out)
+ return NULL;
+
+ for (i = 0; i <= len; ++i)
+ {
+ if (i == len || in[i] == ',')
+ {
+ if (i - start > 255)
+ {
+ OPENSSL_free(out);
+ return NULL;
+ }
+ out[start] = i - start;
+ start = i + 1;
+ }
+ else
+ out[i+1] = in[i];
+ }
+
+ *outlen = len + 1;
+ return out;
+ }
+#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+
+void print_cert_checks(BIO *bio, X509 *x,
+ const unsigned char *checkhost,
+ const unsigned char *checkemail,
+ const char *checkip)
+ {
+ if (x == NULL)
+ return;
+ if (checkhost)
+ {
+ BIO_printf(bio, "Hostname %s does%s match certificate\n",
+ checkhost, X509_check_host(x, checkhost, 0, 0)
+ ? "" : " NOT");
+ }
+
+ if (checkemail)
+ {
+ BIO_printf(bio, "Email %s does%s match certificate\n",
+ checkemail, X509_check_email(x, checkemail, 0,
+ 0) ? "" : " NOT");
+ }
+
+ if (checkip)
+ {
+ BIO_printf(bio, "IP %s does%s match certificate\n",
+ checkip, X509_check_ip_asc(x, checkip,
+ 0) ? "" : " NOT");
+ }
+ }
+
+/* Get first http URL from a DIST_POINT structure */
+
+static const char *get_dp_url(DIST_POINT *dp)
+ {
+ GENERAL_NAMES *gens;
+ GENERAL_NAME *gen;
+ int i, gtype;
+ ASN1_STRING *uri;
+ if (!dp->distpoint || dp->distpoint->type != 0)
+ return NULL;
+ gens = dp->distpoint->name.fullname;
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+ {
+ gen = sk_GENERAL_NAME_value(gens, i);
+ uri = GENERAL_NAME_get0_value(gen, >ype);
+ if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6)
+ {
+ char *uptr = (char *)ASN1_STRING_data(uri);
+ if (!strncmp(uptr, "http://", 7))
+ return uptr;
+ }
+ }
+ return NULL;
+ }
+
+
+/* Look through a CRLDP structure and attempt to find an http URL to downloads
+ * a CRL from.
+ */
+
+static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
+ {
+ int i;
+ const char *urlptr = NULL;
+ for (i = 0; i < sk_DIST_POINT_num(crldp); i++)
+ {
+ DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
+ urlptr = get_dp_url(dp);
+ if (urlptr)
+ return load_crl(urlptr, FORMAT_HTTP);
+ }
+ return NULL;
+ }
+
+/* Example of downloading CRLs from CRLDP: not usable for real world
+ * as it always downloads, doesn't support non-blocking I/O and doesn't
+ * cache anything.
+ */
+
+static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+ {
+ X509 *x;
+ STACK_OF(X509_CRL) *crls = NULL;
+ X509_CRL *crl;
+ STACK_OF(DIST_POINT) *crldp;
+ x = X509_STORE_CTX_get_current_cert(ctx);
+ crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
+ crl = load_crl_crldp(crldp);
+ sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
+ if (!crl)
+ return NULL;
+ crls = sk_X509_CRL_new_null();
+ sk_X509_CRL_push(crls, crl);
+ /* Try to download delta CRL */
+ crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
+ crl = load_crl_crldp(crldp);
+ sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
+ if (crl)
+ sk_X509_CRL_push(crls, crl);
+ return crls;
+ }
+
+void store_setup_crl_download(X509_STORE *st)
+ {
+ X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
+ }
+
+/*
+ * Platform-specific sections
+ */
+#if defined(_WIN32)
+# ifdef fileno
+# undef fileno
+# define fileno(a) (int)_fileno(a)
+# endif
+
+# include <windows.h>
+# include <tchar.h>
+
+static int WIN32_rename(const char *from, const char *to)
+ {
+ TCHAR *tfrom=NULL,*tto;
+ DWORD err;
+ int ret=0;
+
+ if (sizeof(TCHAR) == 1)
+ {
+ tfrom = (TCHAR *)from;
+ tto = (TCHAR *)to;
+ }
+ else /* UNICODE path */
+ {
+ size_t i,flen=strlen(from)+1,tlen=strlen(to)+1;
+ tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen));
+ if (tfrom==NULL) goto err;
+ tto=tfrom+flen;
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+ if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen))
+#endif
+ for (i=0;i<flen;i++) tfrom[i]=(TCHAR)from[i];
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+ if (!MultiByteToWideChar(CP_ACP,0,to, tlen,(WCHAR *)tto, tlen))
+#endif
+ for (i=0;i<tlen;i++) tto[i] =(TCHAR)to[i];
+ }
+
+ if (MoveFile(tfrom,tto)) goto ok;
+ err=GetLastError();
+ if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS)
+ {
+ if (DeleteFile(tto) && MoveFile(tfrom,tto))
+ goto ok;
+ err=GetLastError();
+ }
+ if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND)
+ errno = ENOENT;
+ else if (err==ERROR_ACCESS_DENIED)
+ errno = EACCES;
+ else
+ errno = EINVAL; /* we could map more codes... */
+err:
+ ret=-1;
+ok:
+ if (tfrom!=NULL && tfrom!=(TCHAR *)from) free(tfrom);
+ return ret;
+ }
+#endif
+
+/* app_tminterval section */
+#if defined(_WIN32)
+double app_tminterval(int stop,int usertime)
+ {
+ FILETIME now;
+ double ret=0;
+ static ULARGE_INTEGER tmstart;
+ static int warning=1;
+#ifdef _WIN32_WINNT
+ static HANDLE proc=NULL;
+
+ if (proc==NULL)
+ {
+ if (GetVersion() < 0x80000000)
+ proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
+ GetCurrentProcessId());
+ if (proc==NULL) proc = (HANDLE)-1;
+ }
+
+ if (usertime && proc!=(HANDLE)-1)
+ {
+ FILETIME junk;
+ GetProcessTimes(proc,&junk,&junk,&junk,&now);
+ }
+ else
+#endif
+ {
+ SYSTEMTIME systime;
+
+ if (usertime && warning)
+ {
+ BIO_printf(bio_err,"To get meaningful results, run "
+ "this program on idle system.\n");
+ warning=0;
+ }
+ GetSystemTime(&systime);
+ SystemTimeToFileTime(&systime,&now);
+ }
+
+ if (stop==TM_START)
+ {
+ tmstart.u.LowPart = now.dwLowDateTime;
+ tmstart.u.HighPart = now.dwHighDateTime;
+ }
+ else {
+ ULARGE_INTEGER tmstop;
+
+ tmstop.u.LowPart = now.dwLowDateTime;
+ tmstop.u.HighPart = now.dwHighDateTime;
+
+ ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7;
+ }
+
+ return (ret);
+ }
+
+#elif defined(OPENSSL_SYS_NETWARE)
+#include <time.h>
+
+double app_tminterval(int stop,int usertime)
+ {
+ double ret=0;
+ static clock_t tmstart;
+ static int warning=1;
+
+ if (usertime && warning)
+ {
+ BIO_printf(bio_err,"To get meaningful results, run "
+ "this program on idle system.\n");
+ warning=0;
+ }
+
+ if (stop==TM_START) tmstart = clock();
+ else ret = (clock()-tmstart)/(double)CLOCKS_PER_SEC;
+
+ return (ret);
+ }
+
+#elif defined(OPENSSL_SYSTEM_VXWORKS)
+#include <time.h>
+
+double app_tminterval(int stop,int usertime)
+ {
+ double ret=0;
+#ifdef CLOCK_REALTIME
+ static struct timespec tmstart;
+ struct timespec now;
+#else
+ static unsigned long tmstart;
+ unsigned long now;
+#endif
+ static int warning=1;
+
+ if (usertime && warning)
+ {
+ BIO_printf(bio_err,"To get meaningful results, run "
+ "this program on idle system.\n");
+ warning=0;
+ }
+
+#ifdef CLOCK_REALTIME
+ clock_gettime(CLOCK_REALTIME,&now);
+ if (stop==TM_START) tmstart = now;
+ else ret = ( (now.tv_sec+now.tv_nsec*1e-9)
+ - (tmstart.tv_sec+tmstart.tv_nsec*1e-9) );
+#else
+ now = tickGet();
+ if (stop==TM_START) tmstart = now;
+ else ret = (now - tmstart)/(double)sysClkRateGet();
+#endif
+ return (ret);
+ }
+
+#elif defined(OPENSSL_SYSTEM_VMS)
+#include <time.h>
+#include <times.h>
+
+double app_tminterval(int stop,int usertime)
+ {
+ static clock_t tmstart;
+ double ret = 0;
+ clock_t now;
+#ifdef __TMS
+ struct tms rus;
+
+ now = times(&rus);
+ if (usertime) now = rus.tms_utime;
+#else
+ if (usertime)
+ now = clock(); /* sum of user and kernel times */
+ else {
+ struct timeval tv;
+ gettimeofday(&tv,NULL);
+ now = (clock_t)(
+ (unsigned long long)tv.tv_sec*CLK_TCK +
+ (unsigned long long)tv.tv_usec*(1000000/CLK_TCK)
+ );
+ }
+#endif
+ if (stop==TM_START) tmstart = now;
+ else ret = (now - tmstart)/(double)(CLK_TCK);
+
+ return (ret);
+ }
+
+#elif defined(_SC_CLK_TCK) /* by means of unistd.h */
+#include <sys/times.h>
+
+double app_tminterval(int stop,int usertime)
+ {
+ double ret = 0;
+ struct tms rus;
+ clock_t now = times(&rus);
+ static clock_t tmstart;
+
+ if (usertime) now = rus.tms_utime;
+
+ if (stop==TM_START) tmstart = now;
+ else
+ {
+ long int tck = sysconf(_SC_CLK_TCK);
+ ret = (now - tmstart)/(double)tck;
+ }
+
+ return (ret);
+ }
+
+#else
+#include <sys/time.h>
+#include <sys/resource.h>
+
+double app_tminterval(int stop,int usertime)
+ {
+ double ret = 0;
+ struct rusage rus;
+ struct timeval now;
+ static struct timeval tmstart;
+
+ if (usertime) getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime;
+ else gettimeofday(&now,NULL);
+
+ if (stop==TM_START) tmstart = now;
+ else ret = ( (now.tv_sec+now.tv_usec*1e-6)
+ - (tmstart.tv_sec+tmstart.tv_usec*1e-6) );
+
+ return ret;
+ }
+#endif
+
+/* app_isdir section */
+#ifdef _WIN32
+int app_isdir(const char *name)
+ {
+ HANDLE hList;
+ WIN32_FIND_DATA FileData;
+#if defined(UNICODE) || defined(_UNICODE)
+ size_t i, len_0 = strlen(name)+1;
+
+ if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0]))
+ return -1;
+
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+ if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0))
+#endif
+ for (i=0;i<len_0;i++)
+ FileData.cFileName[i] = (WCHAR)name[i];
+
+ hList = FindFirstFile(FileData.cFileName,&FileData);
+#else
+ hList = FindFirstFile(name,&FileData);
+#endif
+ if (hList == INVALID_HANDLE_VALUE) return -1;
+ FindClose(hList);
+ return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0);
+ }
+#else
+#include <sys/stat.h>
+#ifndef S_ISDIR
+# if defined(_S_IFMT) && defined(_S_IFDIR)
+# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
+# else
+# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
+# endif
+#endif
+
+int app_isdir(const char *name)
+ {
+#if defined(S_ISDIR)
+ struct stat st;
+
+ if (stat(name,&st)==0) return S_ISDIR(st.st_mode);
+ else return -1;
+#else
+ return -1;
+#endif
+ }
+#endif
+
+/* raw_read|write section */
+#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
+int raw_read_stdin(void *buf,int siz)
+ {
+ DWORD n;
+ if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL))
+ return (n);
+ else return (-1);
+ }
+#else
+int raw_read_stdin(void *buf,int siz)
+ { return read(fileno(stdin),buf,siz); }
+#endif
+
+#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
+int raw_write_stdout(const void *buf,int siz)
+ {
+ DWORD n;
+ if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL))
+ return (n);
+ else return (-1);
+ }
+#else
+int raw_write_stdout(const void *buf,int siz)
+ { return write(fileno(stdout),buf,siz); }
+#endif