PR: 2115

[openssl.git] / apps / apps.c

diff --git a/apps/apps.c b/apps/apps.c
index 890d20114284023f1cc9b638da98c15f802e659b..35b62b8b096e17898b01877de3988624f3a8ccf0 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -130,7 +130,9 @@
 #include <openssl/rsa.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
 #include <openssl/jpake.h>
+#endif
 
 #define NON_MAIN
 #include "apps.h"
@@ -2259,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_X509_STRICT;
        else if (!strcmp(arg, "-policy_print"))
                flags |= X509_V_FLAG_NOTIFY_POLICY;
+       else if (!strcmp(arg, "-check_ss_sig"))
+               flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
        else
                return 0;
 
@@ -2336,6 +2340,8 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
                BIO_free(out);
        }
 
+#ifndef OPENSSL_NO_JPAKE
+
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
                                                         const char *secret)
        {
@@ -2381,7 +2387,7 @@ static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
        JPAKE_STEP1_generate(&s1, ctx);
        jpake_send_part(bconn, &s1.p1);
        jpake_send_part(bconn, &s1.p2);
-       BIO_flush(bconn);
+       (void)BIO_flush(bconn);
        JPAKE_STEP1_release(&s1);
        }
 
@@ -2392,7 +2398,7 @@ static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
        JPAKE_STEP2_init(&s2);
        JPAKE_STEP2_generate(&s2, ctx);
        jpake_send_part(bconn, &s2);
-       BIO_flush(bconn);
+       (void)BIO_flush(bconn);
        JPAKE_STEP2_release(&s2);
        }
 
@@ -2403,7 +2409,7 @@ static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
        JPAKE_STEP3A_init(&s3a);
        JPAKE_STEP3A_generate(&s3a, ctx);
        BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
-       BIO_flush(bconn);
+       (void)BIO_flush(bconn);
        JPAKE_STEP3A_release(&s3a);
        }
 
@@ -2414,7 +2420,7 @@ static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
        JPAKE_STEP3B_init(&s3b);
        JPAKE_STEP3B_generate(&s3b, ctx);
        BIO_write(bconn, s3b.hk, sizeof s3b.hk);
-       BIO_flush(bconn);
+       (void)BIO_flush(bconn);
        JPAKE_STEP3B_release(&s3b);
        }
 
@@ -2424,7 +2430,7 @@ static void readbn(BIGNUM **bn, BIO *bconn)
        int l;
 
        l = BIO_gets(bconn, buf, sizeof buf);
-       assert(l >= 0);
+       assert(l > 0);
        assert(buf[l-1] == '\n');
        buf[l-1] = '\0';
        BN_hex2bn(bn, buf);
@@ -2517,7 +2523,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
        jpake_send_step3a(bconn, ctx);
        jpake_receive_step3b(ctx, bconn);
 
-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       /*
+        * The problem is that you must use the derived key in the
+        * session key or you are subject to man-in-the-middle
+        * attacks.
+        */
+       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+                " be MitMed. See the version in HEAD for how to do it"
+                " properly)\n");
 
        BIO_pop(bconn);
        BIO_free(bconn);
@@ -2542,8 +2555,17 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
        jpake_receive_step3a(ctx, bconn);
        jpake_send_step3b(bconn, ctx);
 
-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       /*
+        * The problem is that you must use the derived key in the
+        * session key or you are subject to man-in-the-middle
+        * attacks.
+        */
+       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+                " be MitMed. See the version in HEAD for how to do it"
+                " properly)\n");
 
        BIO_pop(bconn);
        BIO_free(bconn);
        }
+
+#endif