*
*/
+#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 2 /* On VMS, you need to define this to get
the declaration of fileno(). The value
2 is to make sure no function defined
in POSIX-2 is left undefined. */
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
+#include <strings.h>
+#endif
#include <sys/types.h>
#include <ctype.h>
#include <errno.h>
+#include <assert.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
+#include <openssl/jpake.h>
+#endif
#define NON_MAIN
#include "apps.h"
return(FORMAT_ASN1);
else if ((*s == 'T') || (*s == 't'))
return(FORMAT_TEXT);
- else if ((*s == 'P') || (*s == 'p'))
- {
- if (s[1] == 'V' || s[1] == 'v')
- return FORMAT_PVK;
- else
- return(FORMAT_PEM);
- }
else if ((*s == 'N') || (*s == 'n'))
return(FORMAT_NETSCAPE);
else if ((*s == 'S') || (*s == 's'))
return(FORMAT_PKCS12);
else if ((*s == 'E') || (*s == 'e'))
return(FORMAT_ENGINE);
+ else if ((*s == 'P') || (*s == 'p'))
+ {
+ if (s[1] == 'V' || s[1] == 'v')
+ return FORMAT_PVK;
+ else
+ return(FORMAT_PEM);
+ }
else
return(FORMAT_UNDEF);
}
if (format == FORMAT_ENGINE)
{
if (!e)
- BIO_printf(bio_err,"no engine specified\n");
+ BIO_printf(err,"no engine specified\n");
else
+ {
pkey = ENGINE_load_private_key(e, file,
ui_method, &cb_data);
+ if (!pkey)
+ {
+ BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+ ERR_print_errors(err);
+ }
+ }
goto end;
}
#endif
&pkey, NULL, NULL))
goto end;
}
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
else if (format == FORMAT_MSBLOB)
pkey = b2i_PrivateKey_bio(key);
else if (format == FORMAT_PVK)
pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
&cb_data);
+#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
}
end:
if (key != NULL) BIO_free(key);
- if (pkey == NULL)
+ if (pkey == NULL)
+ {
BIO_printf(err,"unable to load %s\n", key_descrip);
+ ERR_print_errors(err);
+ }
return(pkey);
}
{
pkey=d2i_PUBKEY_bio(key, NULL);
}
+#ifndef OPENSSL_NO_RSA
else if (format == FORMAT_ASN1RSA)
{
RSA *rsa;
else
pkey = NULL;
}
-
+#endif
else if (format == FORMAT_PEM)
{
pkey=PEM_read_bio_PUBKEY(key,NULL,
else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
pkey = load_netscape_key(err, key, file, key_descrip, format);
#endif
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
else if (format == FORMAT_MSBLOB)
pkey = b2i_PublicKey_bio(key);
+#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
}
#endif /* ndef OPENSSL_NO_RC4 */
-STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
- const char *pass, ENGINE *e, const char *cert_descrip)
+static int load_certs_crls(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc,
+ STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)
{
- BIO *certs;
int i;
- STACK_OF(X509) *othercerts = NULL;
- STACK_OF(X509_INFO) *allcerts = NULL;
+ BIO *bio;
+ STACK_OF(X509_INFO) *xis = NULL;
X509_INFO *xi;
PW_CB_DATA cb_data;
+ int rv = 0;
cb_data.password = pass;
cb_data.prompt_info = file;
- if((certs = BIO_new(BIO_s_file())) == NULL)
+ if (format != FORMAT_PEM)
{
- ERR_print_errors(err);
- goto end;
+ BIO_printf(err,"bad input format specified for %s\n", desc);
+ return 0;
}
if (file == NULL)
- BIO_set_fp(certs,stdin,BIO_NOCLOSE);
+ bio = BIO_new_fp(stdin,BIO_NOCLOSE);
else
+ bio = BIO_new_file(file, "r");
+
+ if (bio == NULL)
{
- if (BIO_read_filename(certs,file) <= 0)
- {
- BIO_printf(err, "Error opening %s %s\n",
- cert_descrip, file);
- ERR_print_errors(err);
+ BIO_printf(err, "Error opening %s %s\n",
+ desc, file ? file : "stdin");
+ ERR_print_errors(err);
+ return 0;
+ }
+
+ xis = PEM_X509_INFO_read_bio(bio, NULL,
+ (pem_password_cb *)password_callback, &cb_data);
+
+ BIO_free(bio);
+
+ if (pcerts)
+ {
+ *pcerts = sk_X509_new_null();
+ if (!*pcerts)
goto end;
- }
}
- if (format == FORMAT_PEM)
+ if (pcrls)
{
- othercerts = sk_X509_new_null();
- if(!othercerts)
- {
- sk_X509_free(othercerts);
- othercerts = NULL;
+ *pcrls = sk_X509_CRL_new_null();
+ if (!*pcrls)
goto end;
+ }
+
+ for(i = 0; i < sk_X509_INFO_num(xis); i++)
+ {
+ xi = sk_X509_INFO_value (xis, i);
+ if (xi->x509 && pcerts)
+ {
+ if (!sk_X509_push(*pcerts, xi->x509))
+ goto end;
+ xi->x509 = NULL;
}
- allcerts = PEM_X509_INFO_read_bio(certs, NULL,
- (pem_password_cb *)password_callback, &cb_data);
- for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
+ if (xi->crl && pcrls)
{
- xi = sk_X509_INFO_value (allcerts, i);
- if (xi->x509)
- {
- sk_X509_push(othercerts, xi->x509);
- xi->x509 = NULL;
- }
+ if (!sk_X509_CRL_push(*pcrls, xi->crl))
+ goto end;
+ xi->crl = NULL;
}
- goto end;
}
- else {
- BIO_printf(err,"bad input format specified for %s\n",
- cert_descrip);
- goto end;
- }
-end:
- if (othercerts == NULL)
+
+ if (pcerts && sk_X509_num(*pcerts) > 0)
+ rv = 1;
+
+ if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
+ rv = 1;
+
+ end:
+
+ if (xis)
+ sk_X509_INFO_pop_free(xis, X509_INFO_free);
+
+ if (rv == 0)
{
- BIO_printf(err,"unable to load certificates\n");
+ if (pcerts)
+ {
+ sk_X509_pop_free(*pcerts, X509_free);
+ *pcerts = NULL;
+ }
+ if (pcrls)
+ {
+ sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
+ *pcrls = NULL;
+ }
+ BIO_printf(err,"unable to load %s\n",
+ pcerts ? "certificates" : "CRLs");
ERR_print_errors(err);
}
- if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
- if (certs != NULL) BIO_free(certs);
- return(othercerts);
+ return rv;
}
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc)
+ {
+ STACK_OF(X509) *certs;
+ load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+ return certs;
+ }
+
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+ const char *pass, ENGINE *e, const char *desc)
+ {
+ STACK_OF(X509_CRL) *crls;
+ load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+ return crls;
+ }
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
int load_config(BIO *err, CONF *cnf)
{
+ static int load_config_called = 0;
+ if (load_config_called)
+ return 1;
+ load_config_called = 1;
if (!cnf)
cnf = config;
if (!cnf)
return p;
}
-static unsigned long index_serial_hash(const char **a)
+static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
{
const char *n;
return(lh_strhash(n));
}
-static int index_serial_cmp(const char **a, const char **b)
+static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{
const char *aa,*bb;
static int index_name_qual(char **a)
{ return(a[0][0] == 'V'); }
-static unsigned long index_name_hash(const char **a)
+static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
{ return(lh_strhash(a[DB_name])); }
-int index_name_cmp(const char **a, const char **b)
- { return(strcmp(a[DB_name],
- b[DB_name])); }
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
+ { return(strcmp(a[DB_name], b[DB_name])); }
-static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
-static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
#undef BSIZE
#define BSIZE 256
int index_index(CA_DB *db)
{
if (!TXT_DB_create_index(db->db, DB_serial, NULL,
- LHASH_HASH_FN(index_serial_hash),
- LHASH_COMP_FN(index_serial_cmp)))
+ LHASH_HASH_FN(index_serial),
+ LHASH_COMP_FN(index_serial)))
{
BIO_printf(bio_err,
"error creating serial number index:(%ld,%ld,%ld)\n",
if (db->attributes.unique_subject
&& !TXT_DB_create_index(db->db, DB_name, index_name_qual,
- LHASH_HASH_FN(index_name_hash),
- LHASH_COMP_FN(index_name_cmp)))
+ LHASH_HASH_FN(index_name),
+ LHASH_COMP_FN(index_name)))
{
BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
db->db->error,db->db->arg1,db->db->arg2);
case 'y': /* yes */
case 'Y': /* YES */
case '1': /* 1 */
- ret = 0;
+ ret = 1;
break;
default:
ret = def;
ASN1_OBJECT *otmp = NULL;
unsigned long flags = 0;
int i;
- int purpose = 0;
+ int purpose = 0, depth = -1;
char **oldargs = *pargs;
char *arg = **pargs, *argn = (*pargs)[1];
if (!strcmp(arg, "-policy"))
}
(*pargs)++;
}
+ else if (strcmp(arg,"-verify_depth") == 0)
+ {
+ if (!argn)
+ *badarg = 1;
+ else
+ {
+ depth = atoi(argn);
+ if(depth < 0)
+ {
+ BIO_printf(err, "invalid depth\n");
+ *badarg = 1;
+ }
+ }
+ (*pargs)++;
+ }
else if (!strcmp(arg, "-ignore_critical"))
flags |= X509_V_FLAG_IGNORE_CRITICAL;
else if (!strcmp(arg, "-issuer_checks"))
flags |= X509_V_FLAG_POLICY_CHECK;
else if (!strcmp(arg, "-explicit_policy"))
flags |= X509_V_FLAG_EXPLICIT_POLICY;
+ else if (!strcmp(arg, "-inhibit_any"))
+ flags |= X509_V_FLAG_INHIBIT_ANY;
+ else if (!strcmp(arg, "-inhibit_map"))
+ flags |= X509_V_FLAG_INHIBIT_MAP;
else if (!strcmp(arg, "-x509_strict"))
flags |= X509_V_FLAG_X509_STRICT;
+ else if (!strcmp(arg, "-extended_crl"))
+ flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+ else if (!strcmp(arg, "-use_deltas"))
+ flags |= X509_V_FLAG_USE_DELTAS;
else if (!strcmp(arg, "-policy_print"))
flags |= X509_V_FLAG_NOTIFY_POLICY;
+ else if (!strcmp(arg, "-check_ss_sig"))
+ flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else
return 0;
if (purpose)
X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+ if (depth >= 0)
+ X509_VERIFY_PARAM_set_depth(*pm, depth);
+
end:
(*pargs)++;
return ret;
}
-int pkey_ctrl_string(BIO *err, EVP_PKEY_CTX *ctx, char *value)
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
{
+ int rv;
char *stmp, *vtmp = NULL;
stmp = BUF_strdup(value);
- int rv;
if (!stmp)
return -1;
vtmp = strchr(stmp, ':');
BIO_free(out);
}
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+
+static JPAKE_CTX *jpake_init(const char *us, const char *them,
+ const char *secret)
+ {
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ BIGNUM *q = NULL;
+ BIGNUM *bnsecret = BN_new();
+ JPAKE_CTX *ctx;
+
+ /* Use a safe prime for p (that we found earlier) */
+ BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
+ g = BN_new();
+ BN_set_word(g, 2);
+ q = BN_new();
+ BN_rshift1(q, p);
+
+ BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
+
+ ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
+ BN_free(bnsecret);
+ BN_free(q);
+ BN_free(g);
+ BN_free(p);
+
+ return ctx;
+ }
+
+static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
+ {
+ BN_print(conn, p->gx);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.gr);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.b);
+ BIO_puts(conn, "\n");
+ }
+
+static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ JPAKE_STEP1_generate(&s1, ctx);
+ jpake_send_part(bconn, &s1.p1);
+ jpake_send_part(bconn, &s1.p2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ JPAKE_STEP2_generate(&s2, ctx);
+ jpake_send_part(bconn, &s2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3A s3a;
+
+ JPAKE_STEP3A_init(&s3a);
+ JPAKE_STEP3A_generate(&s3a, ctx);
+ BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3B s3b;
+
+ JPAKE_STEP3B_init(&s3b);
+ JPAKE_STEP3B_generate(&s3b, ctx);
+ BIO_write(bconn, s3b.hk, sizeof s3b.hk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+static void readbn(BIGNUM **bn, BIO *bconn)
+ {
+ char buf[10240];
+ int l;
+
+ l = BIO_gets(bconn, buf, sizeof buf);
+ assert(l > 0);
+ assert(buf[l-1] == '\n');
+ buf[l-1] = '\0';
+ BN_hex2bn(bn, buf);
+ }
+
+static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
+ {
+ readbn(&p->gx, bconn);
+ readbn(&p->zkpx.gr, bconn);
+ readbn(&p->zkpx.b, bconn);
+ }
+
+static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ jpake_receive_part(&s1.p1, bconn);
+ jpake_receive_part(&s1.p2, bconn);
+ if(!JPAKE_STEP1_process(ctx, &s1))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ jpake_receive_part(&s2, bconn);
+ if(!JPAKE_STEP2_process(ctx, &s2))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3A s3a;
+ int l;
+
+ JPAKE_STEP3A_init(&s3a);
+ l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
+ assert(l == sizeof s3a.hhk);
+ if(!JPAKE_STEP3A_process(ctx, &s3a))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3B s3b;
+ int l;
+
+ JPAKE_STEP3B_init(&s3b);
+ l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
+ assert(l == sizeof s3b.hk);
+ if(!JPAKE_STEP3B_process(ctx, &s3b))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("client", "server", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step3a(bconn, ctx);
+ jpake_receive_step3b(ctx, bconn);
+
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
+ }
+
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("server", "client", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step3a(ctx, bconn);
+ jpake_send_step3b(bconn, ctx);
+
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
+ }
+
+#endif
+
/*
* Platform-specific sections
*/
return (ret);
}
-#elif defined(OPENSSL_SYSTEM_NETWARE)
+#elif defined(OPENSSL_SYS_NETWARE)
#include <time.h>
double app_tminterval(int stop,int usertime)
if (usertime) now = rus.tms_utime;
if (stop==TM_START) tmstart = now;
- else ret = (now - tmstart)/(double)sysconf(_SC_CLK_TCK);
+ else
+ {
+ long int tck = sysconf(_SC_CLK_TCK);
+ ret = (now - tmstart)/(double)tck;
+ }
return (ret);
}
struct timeval now;
static struct timeval tmstart;
- if (usertime) getrusage(RUSAGE_SELF,&rus), now = rus.ru_time;
+ if (usertime) getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime;
else gettimeofday(&now,NULL);
if (stop==TM_START) tmstart = now;
#endif
#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
-int raw_write_stdout(void *buf,int siz)
+int raw_write_stdout(const void *buf,int siz)
{
DWORD n;
if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL))
projects / openssl.git / blobdiff