*
*/
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
#define _POSIX_C_SOURCE 2 /* On VMS, you need to define this to get
the declaration of fileno(). The value
2 is to make sure no function defined
in POSIX-2 is left undefined. */
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#ifndef OPENSSL_SYSNAME_WIN32
+#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
#include <strings.h>
#endif
#include <sys/types.h>
#include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
#include <openssl/jpake.h>
+#endif
#define NON_MAIN
#include "apps.h"
int str2fmt(char *s)
{
+ if (s == NULL)
+ return FORMAT_UNDEF;
if ((*s == 'D') || (*s == 'd'))
return(FORMAT_ASN1);
else if ((*s == 'T') || (*s == 't'))
return(FORMAT_TEXT);
- else if ((*s == 'P') || (*s == 'p'))
- {
- if (s[1] == 'V' || s[1] == 'v')
- return FORMAT_PVK;
- else
- return(FORMAT_PEM);
- }
else if ((*s == 'N') || (*s == 'n'))
return(FORMAT_NETSCAPE);
else if ((*s == 'S') || (*s == 's'))
return(FORMAT_PKCS12);
else if ((*s == 'E') || (*s == 'e'))
return(FORMAT_ENGINE);
+ else if ((*s == 'P') || (*s == 'p'))
+ {
+ if (s[1] == 'V' || s[1] == 'v')
+ return FORMAT_PVK;
+ else
+ return(FORMAT_PEM);
+ }
else
return(FORMAT_UNDEF);
}
int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
{
- int num,len,i;
+ int num,i;
char *p;
*argc=0;
*argv=NULL;
- len=strlen(buf);
i=0;
if (arg->count == 0)
{
if (file == NULL)
{
#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
#endif
BIO_set_fp(cert,stdin,BIO_NOCLOSE);
}
if (format == FORMAT_ENGINE)
{
if (!e)
- BIO_printf(bio_err,"no engine specified\n");
+ BIO_printf(err,"no engine specified\n");
else
+ {
pkey = ENGINE_load_private_key(e, file,
ui_method, &cb_data);
+ if (!pkey)
+ {
+ BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+ ERR_print_errors(err);
+ }
+ }
goto end;
}
#endif
if (file == NULL && maybe_stdin)
{
#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
#endif
BIO_set_fp(key,stdin,BIO_NOCLOSE);
}
&pkey, NULL, NULL))
goto end;
}
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
else if (format == FORMAT_MSBLOB)
pkey = b2i_PrivateKey_bio(key);
else if (format == FORMAT_PVK)
pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
&cb_data);
+#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
}
end:
if (key != NULL) BIO_free(key);
- if (pkey == NULL)
+ if (pkey == NULL)
+ {
BIO_printf(err,"unable to load %s\n", key_descrip);
+ ERR_print_errors(err);
+ }
return(pkey);
}
if (file == NULL && maybe_stdin)
{
#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
#endif
BIO_set_fp(key,stdin,BIO_NOCLOSE);
}
{
pkey=d2i_PUBKEY_bio(key, NULL);
}
+#ifndef OPENSSL_NO_RSA
else if (format == FORMAT_ASN1RSA)
{
RSA *rsa;
else
pkey = NULL;
}
-
+#endif
else if (format == FORMAT_PEM)
{
pkey=PEM_read_bio_PUBKEY(key,NULL,
else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
pkey = load_netscape_key(err, key, file, key_descrip, format);
#endif
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
else if (format == FORMAT_MSBLOB)
pkey = b2i_PublicKey_bio(key);
+#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
}
#endif /* ndef OPENSSL_NO_RC4 */
-STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
- const char *pass, ENGINE *e, const char *cert_descrip)
+static int load_certs_crls(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc,
+ STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)
{
- BIO *certs;
int i;
- STACK_OF(X509) *othercerts = NULL;
- STACK_OF(X509_INFO) *allcerts = NULL;
+ BIO *bio;
+ STACK_OF(X509_INFO) *xis = NULL;
X509_INFO *xi;
PW_CB_DATA cb_data;
+ int rv = 0;
cb_data.password = pass;
cb_data.prompt_info = file;
- if((certs = BIO_new(BIO_s_file())) == NULL)
+ if (format != FORMAT_PEM)
{
- ERR_print_errors(err);
- goto end;
+ BIO_printf(err,"bad input format specified for %s\n", desc);
+ return 0;
}
if (file == NULL)
- BIO_set_fp(certs,stdin,BIO_NOCLOSE);
+ bio = BIO_new_fp(stdin,BIO_NOCLOSE);
else
+ bio = BIO_new_file(file, "r");
+
+ if (bio == NULL)
{
- if (BIO_read_filename(certs,file) <= 0)
- {
- BIO_printf(err, "Error opening %s %s\n",
- cert_descrip, file);
- ERR_print_errors(err);
+ BIO_printf(err, "Error opening %s %s\n",
+ desc, file ? file : "stdin");
+ ERR_print_errors(err);
+ return 0;
+ }
+
+ xis = PEM_X509_INFO_read_bio(bio, NULL,
+ (pem_password_cb *)password_callback, &cb_data);
+
+ BIO_free(bio);
+
+ if (pcerts)
+ {
+ *pcerts = sk_X509_new_null();
+ if (!*pcerts)
goto end;
- }
}
- if (format == FORMAT_PEM)
+ if (pcrls)
{
- othercerts = sk_X509_new_null();
- if(!othercerts)
- {
- sk_X509_free(othercerts);
- othercerts = NULL;
+ *pcrls = sk_X509_CRL_new_null();
+ if (!*pcrls)
goto end;
+ }
+
+ for(i = 0; i < sk_X509_INFO_num(xis); i++)
+ {
+ xi = sk_X509_INFO_value (xis, i);
+ if (xi->x509 && pcerts)
+ {
+ if (!sk_X509_push(*pcerts, xi->x509))
+ goto end;
+ xi->x509 = NULL;
}
- allcerts = PEM_X509_INFO_read_bio(certs, NULL,
- (pem_password_cb *)password_callback, &cb_data);
- for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
+ if (xi->crl && pcrls)
{
- xi = sk_X509_INFO_value (allcerts, i);
- if (xi->x509)
- {
- sk_X509_push(othercerts, xi->x509);
- xi->x509 = NULL;
- }
+ if (!sk_X509_CRL_push(*pcrls, xi->crl))
+ goto end;
+ xi->crl = NULL;
}
- goto end;
- }
- else {
- BIO_printf(err,"bad input format specified for %s\n",
- cert_descrip);
- goto end;
}
-end:
- if (othercerts == NULL)
+
+ if (pcerts && sk_X509_num(*pcerts) > 0)
+ rv = 1;
+
+ if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
+ rv = 1;
+
+ end:
+
+ if (xis)
+ sk_X509_INFO_pop_free(xis, X509_INFO_free);
+
+ if (rv == 0)
{
- BIO_printf(err,"unable to load certificates\n");
+ if (pcerts)
+ {
+ sk_X509_pop_free(*pcerts, X509_free);
+ *pcerts = NULL;
+ }
+ if (pcrls)
+ {
+ sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
+ *pcrls = NULL;
+ }
+ BIO_printf(err,"unable to load %s\n",
+ pcerts ? "certificates" : "CRLs");
ERR_print_errors(err);
}
- if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
- if (certs != NULL) BIO_free(certs);
- return(othercerts);
+ return rv;
}
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc)
+ {
+ STACK_OF(X509) *certs;
+ if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+ return NULL;
+ return certs;
+ }
+
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc)
+ {
+ STACK_OF(X509_CRL) *crls;
+ if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+ return NULL;
+ return crls;
+ }
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
return p;
}
-static unsigned long index_serial_hash(const CSTRING *a)
+static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
{
const char *n;
return(lh_strhash(n));
}
-static int index_serial_cmp(const CSTRING *a, const CSTRING *b)
+static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{
const char *aa,*bb;
static int index_name_qual(char **a)
{ return(a[0][0] == 'V'); }
-static unsigned long index_name_hash(const CSTRING *a)
+static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
{ return(lh_strhash(a[DB_name])); }
-int index_name_cmp(const CSTRING *a, const CSTRING *b)
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{ return(strcmp(a[DB_name], b[DB_name])); }
-static IMPLEMENT_LHASH_HASH_FN(index_serial, CSTRING)
-static IMPLEMENT_LHASH_COMP_FN(index_serial, CSTRING)
-static IMPLEMENT_LHASH_HASH_FN(index_name, CSTRING)
-static IMPLEMENT_LHASH_COMP_FN(index_name, CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
#undef BSIZE
#define BSIZE 256
ASN1_OBJECT *otmp = NULL;
unsigned long flags = 0;
int i;
- int purpose = 0;
+ int purpose = 0, depth = -1;
char **oldargs = *pargs;
char *arg = **pargs, *argn = (*pargs)[1];
+ const X509_VERIFY_PARAM *vpm = NULL;
+ time_t at_time = 0;
if (!strcmp(arg, "-policy"))
{
if (!argn)
}
(*pargs)++;
}
+ else if (strcmp(arg,"-verify_name") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ vpm = X509_VERIFY_PARAM_lookup(argn);
+ if(!vpm)
+ {
+ BIO_printf(err, "unrecognized verify name\n");
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-verify_depth") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ depth = atoi(argn);
+ if(depth < 0)
+ {
+ BIO_printf(err, "invalid depth\n");
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
+ else if (strcmp(arg,"-attime") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ long timestamp;
+ /* interpret the -attime argument as seconds since
+ * Epoch */
+ if (sscanf(argn, "%li", ×tamp) != 1)
+ {
+ BIO_printf(bio_err,
+ "Error parsing timestamp %s\n",
+ argn);
+ *badarg = 1;
+ }
+ /* on some platforms time_t may be a float */
+ at_time = (time_t) timestamp;
+ }
+ (*pargs)++;
+ }
else if (!strcmp(arg, "-ignore_critical"))
flags |= X509_V_FLAG_IGNORE_CRITICAL;
else if (!strcmp(arg, "-issuer_checks"))
flags |= X509_V_FLAG_USE_DELTAS;
else if (!strcmp(arg, "-policy_print"))
flags |= X509_V_FLAG_NOTIFY_POLICY;
+ else if (!strcmp(arg, "-check_ss_sig"))
+ flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+ else if (!strcmp(arg, "-trusted_first"))
+ flags |= X509_V_FLAG_TRUSTED_FIRST;
else
return 0;
goto end;
}
+ if (vpm)
+ X509_VERIFY_PARAM_set1(*pm, vpm);
+
if (otmp)
X509_VERIFY_PARAM_add0_policy(*pm, otmp);
if (flags)
if (purpose)
X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+ if (depth >= 0)
+ X509_VERIFY_PARAM_set_depth(*pm, depth);
+
+ if (at_time)
+ X509_VERIFY_PARAM_set_time(*pm, at_time);
+
end:
(*pargs)++;
BIO_free(out);
}
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+
static JPAKE_CTX *jpake_init(const char *us, const char *them,
const char *secret)
{
BIGNUM *bnsecret = BN_new();
JPAKE_CTX *ctx;
- // Use a safe prime for p (that we found earlier)
+ /* Use a safe prime for p (that we found earlier) */
BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
g = BN_new();
BN_set_word(g, 2);
q = BN_new();
BN_rshift1(q, p);
- BN_bin2bn(secret, strlen(secret), bnsecret);
+ BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
BN_free(bnsecret);
JPAKE_STEP1_generate(&s1, ctx);
jpake_send_part(bconn, &s1.p1);
jpake_send_part(bconn, &s1.p2);
- BIO_flush(bconn);
+ (void)BIO_flush(bconn);
JPAKE_STEP1_release(&s1);
}
JPAKE_STEP2_init(&s2);
JPAKE_STEP2_generate(&s2, ctx);
jpake_send_part(bconn, &s2);
- BIO_flush(bconn);
+ (void)BIO_flush(bconn);
JPAKE_STEP2_release(&s2);
}
JPAKE_STEP3A_init(&s3a);
JPAKE_STEP3A_generate(&s3a, ctx);
BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
- BIO_flush(bconn);
+ (void)BIO_flush(bconn);
JPAKE_STEP3A_release(&s3a);
}
JPAKE_STEP3B_init(&s3b);
JPAKE_STEP3B_generate(&s3b, ctx);
BIO_write(bconn, s3b.hk, sizeof s3b.hk);
- BIO_flush(bconn);
+ (void)BIO_flush(bconn);
JPAKE_STEP3B_release(&s3b);
}
int l;
l = BIO_gets(bconn, buf, sizeof buf);
- assert(l >= 0);
+ assert(l > 0);
assert(buf[l-1] == '\n');
buf[l-1] = '\0';
BN_hex2bn(bn, buf);
jpake_send_step3a(bconn, ctx);
jpake_receive_step3b(ctx, bconn);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
}
void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
jpake_receive_step3a(ctx, bconn);
jpake_send_step3b(bconn, ctx);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
+ }
+
+#endif
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ * outlen: (output) set to the length of the resulting buffer on success.
+ * err: (maybe NULL) on failure, an error message line is written to this BIO.
+ * in: a NUL termianted string like "abc,def,ghi"
+ *
+ * returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+ {
+ size_t len;
+ unsigned char *out;
+ size_t i, start = 0;
+
+ len = strlen(in);
+ if (len >= 65535)
+ return NULL;
+
+ out = OPENSSL_malloc(strlen(in) + 1);
+ if (!out)
+ return NULL;
+
+ for (i = 0; i <= len; ++i)
+ {
+ if (i == len || in[i] == ',')
+ {
+ if (i - start > 255)
+ {
+ OPENSSL_free(out);
+ return NULL;
+ }
+ out[start] = i - start;
+ start = i + 1;
+ }
+ else
+ out[i+1] = in[i];
+ }
+
+ *outlen = len + 1;
+ return out;
}
+#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
/*
* Platform-specific sections
projects / openssl.git / blobdiff