Diffstat (limited to 'openssl/apps')
52 files changed, 4240 insertions, 2569 deletions
| diff --git a/openssl/apps/CA.pl b/openssl/apps/CA.pl
index 05f11dd61..a3965ecea 100644
--- a/openssl/apps/CA.pl
+++ b/openssl/apps/CA.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl5
+#!/usr/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
diff --git a/openssl/apps/CA.sh b/openssl/apps/CA.sh
index a0b20d85a..7ad6b8c52 100644
--- a/openssl/apps/CA.sh
+++ b/openssl/apps/CA.sh
@@ -5,10 +5,10 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
-# CA -sign ... will sign the generated request and output 
+# CA -newreq ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
 #
-# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# At the end of that grab newreq.pem and newcert.pem (one has the key
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
@@ -16,8 +16,8 @@
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-#		   environment variable so this can be driven from
-#		   a script.
+#                  environment variable so this can be driven from
+#                  a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
@@ -29,52 +29,87 @@  # default openssl.cnf file has setup as per the following  # demoCA ... where everything is stored +cp_pem() { +    infile=$1 +    outfile=$2 +    bound=$3 +    flag=0 +    exec <$infile; +    while read line; do +	if [ $flag -eq 1 ]; then +		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null +		if [ $? -eq 0 ] ; then +			echo $line >>$outfile +			break +		else +			echo $line >>$outfile +		fi +	fi + +	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null +	if [ $? -eq 0 ]; then +		echo $line >$outfile +		flag=1 +	fi +    done +} + +usage() { + echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 +}  if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi -DAYS="-days 365"	# 1 year +if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year  CADAYS="-days 1095"	# 3 years  REQ="$OPENSSL req $SSLEAY_CONFIG"  CA="$OPENSSL ca $SSLEAY_CONFIG"  VERIFY="$OPENSSL verify"  X509="$OPENSSL x509" +PKCS12="openssl pkcs12" -CATOP=./demoCA +if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi  CAKEY=./cakey.pem  CAREQ=./careq.pem  CACERT=./cacert.pem -for i -do -case $i in +RET=0 + +while [ "$1" != "" ] ; do +case $1 in  -\?|-h|-help) -    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 +    usage      exit 0      ;; --newcert)  +-newcert)      # create a certificate      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS      RET=$?      echo "Certificate is in newcert.pem, private key is in newkey.pem"      ;; --newreq)  +-newreq)      # create a certificate request      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS      RET=$?      echo "Request is in newreq.pem, private key is in newkey.pem"      ;; --newca)      +-newreq-nodes)  +    # create a certificate request +    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS +    RET=$? 
+    echo "Request (and private key) is in newreq.pem" +    ;; +-newca)      # if explicitly asked for or it doesn't exist then setup the directory -    # structure that Eric likes to manage things  +    # structure that Eric likes to manage things      NEW="1"      if [ "$NEW" -o ! -f ${CATOP}/serial ]; then  	# create the directory hierarchy -	mkdir ${CATOP}  -	mkdir ${CATOP}/certs  -	mkdir ${CATOP}/crl  -	mkdir ${CATOP}/newcerts -	mkdir ${CATOP}/private -	echo "00" > ${CATOP}/serial +	mkdir -p ${CATOP} +	mkdir -p ${CATOP}/certs +	mkdir -p ${CATOP}/crl +	mkdir -p ${CATOP}/newcerts +	mkdir -p ${CATOP}/private  	touch ${CATOP}/index.txt      fi      if [ ! -f ${CATOP}/private/$CAKEY ]; then 
@@ -83,37 +118,60 @@ case $i in  	# ask user for existing CA certificate  	if [ "$FILE" ]; then -	    cp $FILE ${CATOP}/private/$CAKEY +	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE +	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE  	    RET=$? +	    if [ ! -f "${CATOP}/serial" ]; then +		$X509 -in ${CATOP}/$CACERT -noout -next_serial \ +		      -out ${CATOP}/serial +	    fi  	else  	    echo "Making CA certificate ..."  	    $REQ -new -keyout ${CATOP}/private/$CAKEY \  			   -out ${CATOP}/$CAREQ -	    $CA -out ${CATOP}/$CACERT $CADAYS -batch \ +	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \  			   -keyfile ${CATOP}/private/$CAKEY -selfsign \ -			   -infiles ${CATOP}/$CAREQ  +			   -extensions v3_ca \ +			   -infiles ${CATOP}/$CAREQ  	    RET=$?  	fi      fi      ;;  -xsign) -    $CA -policy policy_anything -infiles newreq.pem  +    $CA -policy policy_anything -infiles newreq.pem      RET=$?      ;; --sign|-signreq)  +-pkcs12) +    if [ -z "$2" ] ; then +	CNAME="My Certificate" +    else +	CNAME="$2" +    fi +    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ +	    -out newcert.p12 -export -name "$CNAME" +    RET=$? +    exit $RET +    ;; +-sign|-signreq)      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem      RET=$?      cat newcert.pem      echo "Signed certificate is in newcert.pem"      ;; --signcert)  +-signCA) +    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem +    RET=$? +    echo "Signed CA certificate is in newcert.pem" +    ;; +-signcert)      echo "Cert passphrase will be requested twice - bug?"      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem +    RET=$?      cat newcert.pem      echo "Signed certificate is in newcert.pem"      ;; --verify)  +-verify)      shift      if [ -z "$1" ]; then  	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem 
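Review bot: In the `-newca` branch the `RET=$?` after the two new `cp_pem` calls records only the status of the CERTIFICATE extraction, and `cp_pem` (defined in the hunk at @@ -29) has no explicit return, so its status is just whatever the last loop command left; a `$FILE` that contains no `-----BEGIN ... PRIVATE` block therefore leaves `${CATOP}/private/$CAKEY` missing or empty while RET stays 0. The extracted key is also written through plain `>`/`>>` redirection under the caller's umask, so adding `chmod 600 ${CATOP}/private/$CAKEY` right after the first `cp_pem` (or a `umask 077` near the top of the script) keeps the CA key from being created world-readable. Separately, the new `-pkcs12` case runs `$PKCS12`, which @@ -29 sets to `"openssl pkcs12"` rather than `"$OPENSSL pkcs12"`, so it ignores an `$OPENSSL` override unlike every other command variable; `PKCS12="$OPENSSL pkcs12"` would make it consistent. The enclosing `case` statement begins and ends outside this hunk.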
@@ -127,13 +185,14 @@ case $i in  	    fi  	done      fi -    exit 0 +    exit $RET      ;;  *) -    echo "Unknown arg $i"; +    echo "Unknown arg $i" >&2 +    usage      exit 1      ;;  esac +shift  done  exit $RET - diff --git a/openssl/apps/Makefile b/openssl/apps/Makefile index 402981aed..fa32d2d7e 100644 --- a/openssl/apps/Makefile +++ b/openssl/apps/Makefile @@ -31,15 +31,15 @@ LIBSSL=-L.. -lssl  PROGRAM= openssl -SCRIPTS=CA.sh CA.pl +SCRIPTS=CA.sh CA.pl tsget  EXE= $(PROGRAM)$(EXE_EXT)  E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \  	ca crl rsa rsautl dsa dsaparam ec ecparam \ -	x509 genrsa gendsa s_server s_client speed \ +	x509 genrsa gendsa genpkey s_server s_client speed \  	s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \ -	pkcs8 spkac smime rand engine ocsp prime +	pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts  PROGS= $(PROGRAM).c 
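Review bot: The new `echo "Unknown arg $i" >&2` in the `*)` branch still reads `$i`, but the hunk at @@ -29 replaced the `for i` loop with `while [ "$1" != "" ]` / `case $1 in`, so `$i` is unset here and the message prints an empty argument name. It should read `echo "Unknown arg $1" >&2`. The `case` statement and the surrounding loop begin outside this hunk.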
@@ -53,18 +53,18 @@ RAND_SRC=app_rand.c  E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \  	ca.o pkcs7.o crl2p7.o crl.o \  	rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \ -	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ +	x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \  	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ -	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \ -	ocsp.o prime.o cms.o +	ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \ +	spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o  E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \  	pkcs7.c crl2p7.c crl.c \  	rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \ -	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ +	x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \  	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ -	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \ -	ocsp.c prime.c cms.c +	ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \ +	spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c  SRC=$(E_SRC) @@ -137,9 +137,10 @@ depend:  dclean:  	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new  	mv -f Makefile.new $(MAKEFILE) +	rm -f CA.pl  clean: -	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) +	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)  	rm -f req  $(DLIBSSL): 
@@ -152,18 +153,13 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)  	$(RM) $(EXE)  	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \  		shlib_target="$(SHLIB_TARGET)"; \ -	elif [ -n "$(FIPSCANLIB)" ]; then \ -	  FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \  	fi; \  	LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ -	[ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \  	$(MAKE) -f $(TOP)/Makefile.shared -e \ -		CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ +		APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \  		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \  		link_app.$${shlib_target} -	-(cd ..; \ -	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ -	  $(PERL) tools/c_rehash certs) +	@(cd ..; $(MAKE) rehash)  progs.h: progs.pl  	$(PERL) progs.pl $(E_EXE) >progs.h 
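Review bot: The rewritten rehash step `@(cd ..; $(MAKE) rehash)` drops the leading `-` that let the old `c_rehash` invocation fail without aborting the build, and the `@` suppresses the command echo, so a failing rehash now stops `make` without the failing command ever being printed. If the non-fatal behaviour was intended, keep it as `-@(cd ..; $(MAKE) rehash)`; if rehash failures should now be fatal, drop the `@` so the command is visible when it fails. The `$(EXE)` recipe starts outside this hunk.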
@@ -176,150 +172,149 @@ app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h  app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -app_rand.o: ../include/openssl/evp.h ../include/openssl/fips.h -app_rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -app_rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -app_rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -app_rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h -app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h -app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -app_rand.o: ../include/openssl/x509v3.h app_rand.c apps.h +app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h +app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +app_rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +app_rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h +app_rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +app_rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +app_rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h +app_rand.o: app_rand.c apps.h  apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h  apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h  apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  apps.o: ../include/openssl/engine.h 
../include/openssl/err.h -apps.o: ../include/openssl/evp.h ../include/openssl/fips.h -apps.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -apps.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h -apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h -apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -apps.o: ../include/openssl/x509v3.h apps.c apps.h +apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h +apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h +apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h +apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +apps.o: ../include/openssl/sha.h ../include/openssl/stack.h +apps.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +apps.o: ../include/openssl/ui.h ../include/openssl/x509.h +apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h  asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h  asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h -asn1pars.o: ../include/openssl/fips.h ../include/openssl/lhash.h -asn1pars.o: 
../include/openssl/obj_mac.h ../include/openssl/objects.h -asn1pars.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h -asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h -asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -asn1pars.o: ../include/openssl/x509v3.h apps.h asn1pars.c +asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +asn1pars.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +asn1pars.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +asn1pars.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +asn1pars.o: ../include/openssl/safestack.h ../include/openssl/sha.h +asn1pars.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +asn1pars.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +asn1pars.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +asn1pars.o: asn1pars.c  ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h  ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h  ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  ca.o: ../include/openssl/engine.h ../include/openssl/err.h -ca.o: ../include/openssl/evp.h ../include/openssl/fips.h -ca.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h 
-ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ca.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c +ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ca.o: ../include/openssl/sha.h ../include/openssl/stack.h +ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ca.o: ../include/openssl/x509v3.h apps.h ca.c  ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h -ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h -ciphers.o: ../include/openssl/evp.h ../include/openssl/fips.h +ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h +ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +ciphers.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ciphers.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h  ciphers.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  
ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ciphers.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c +ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +ciphers.o: ciphers.c  cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -cms.o: ../include/openssl/buffer.h ../include/openssl/conf.h -cms.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -cms.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -cms.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -cms.o: ../include/openssl/evp.h ../include/openssl/fips.h -cms.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -cms.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -cms.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -cms.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -cms.o: ../include/openssl/safestack.h ../include/openssl/sha.h -cms.o: ../include/openssl/stack.h ../include/openssl/symhacks.h 
-cms.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -cms.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h cms.c +cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h +cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h +cms.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +cms.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +cms.o: ../include/openssl/engine.h ../include/openssl/err.h +cms.o: ../include/openssl/evp.h ../include/openssl/lhash.h +cms.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +cms.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +cms.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +cms.o: ../include/openssl/pem.h ../include/openssl/pem2.h +cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +cms.o: ../include/openssl/sha.h ../include/openssl/stack.h +cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +cms.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +cms.o: ../include/openssl/x509v3.h apps.h cms.c  crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h  crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  crl.o: ../include/openssl/err.h ../include/openssl/evp.h -crl.o: ../include/openssl/fips.h ../include/openssl/lhash.h -crl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -crl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -crl.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -crl.o: ../include/openssl/sha.h ../include/openssl/stack.h -crl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -crl.o: ../include/openssl/x509.h 
../include/openssl/x509_vfy.h -crl.o: ../include/openssl/x509v3.h apps.h crl.c +crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +crl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +crl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +crl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +crl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +crl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +crl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c  crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h  crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h -crl2p7.o: ../include/openssl/fips.h ../include/openssl/lhash.h -crl2p7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -crl2p7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h -crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h -crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -crl2p7.o: ../include/openssl/x509v3.h apps.h crl2p7.c +crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +crl2p7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +crl2p7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +crl2p7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h 
+crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +crl2p7.o: ../include/openssl/safestack.h ../include/openssl/sha.h +crl2p7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +crl2p7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +crl2p7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +crl2p7.o: crl2p7.c  dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h  dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  dgst.o: ../include/openssl/err.h ../include/openssl/evp.h -dgst.o: ../include/openssl/fips.h ../include/openssl/hmac.h -dgst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dgst.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dgst.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -dgst.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dgst.c +dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dgst.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h +dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h +dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +dgst.o: 
../include/openssl/x509v3.h apps.h dgst.c  dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h  dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -327,16 +322,15 @@ dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h  dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  dh.o: ../include/openssl/err.h ../include/openssl/evp.h -dh.o: ../include/openssl/fips.h ../include/openssl/lhash.h -dh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -dh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dh.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -dh.o: ../include/openssl/sha.h ../include/openssl/stack.h -dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dh.o: ../include/openssl/x509v3.h apps.h dh.c +dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +dh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +dh.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +dh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dh.c  dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h  dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -344,16 +338,15 @@ dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h  dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  dsa.o: ../include/openssl/err.h ../include/openssl/evp.h -dsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h -dsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -dsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dsa.o: ../include/openssl/x509v3.h apps.h dsa.c +dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +dsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +dsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c  dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h  dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -361,15 +354,14 @@ dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h  dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h -dsaparam.o: ../include/openssl/evp.h ../include/openssl/fips.h -dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dsaparam.o: ../include/openssl/rand.h ../include/openssl/rsa.h -dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dsaparam.o: ../include/openssl/stack.h ../include/openssl/store.h +dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h +dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h +dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h  dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h  dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h  dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h 
@@ -380,40 +372,38 @@ ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  ec.o: ../include/openssl/err.h ../include/openssl/evp.h -ec.o: ../include/openssl/fips.h ../include/openssl/lhash.h -ec.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ec.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -ec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ec.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ec.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -ec.o: ../include/openssl/sha.h ../include/openssl/stack.h -ec.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -ec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ec.o: ../include/openssl/x509v3.h apps.h ec.c +ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +ec.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +ec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ec.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ec.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ec.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ec.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ec.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ec.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ec.c  ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h  ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h  ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h -ecparam.o: ../include/openssl/evp.h ../include/openssl/fips.h -ecparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ecparam.o: 
../include/openssl/objects.h ../include/openssl/ocsp.h -ecparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ecparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ecparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ecparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ecparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ecparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ecparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -ecparam.o: ecparam.c +ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ecparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ecparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ecparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ecparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ecparam.o: ../include/openssl/sha.h ../include/openssl/stack.h +ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c  enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -enc.o: ../include/openssl/buffer.h ../include/openssl/conf.h -enc.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -enc.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -enc.o: ../include/openssl/err.h ../include/openssl/evp.h -enc.o: ../include/openssl/fips.h ../include/openssl/lhash.h +enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h +enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +enc.o: ../include/openssl/engine.h ../include/openssl/err.h +enc.o: 
../include/openssl/evp.h ../include/openssl/lhash.h  enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h  enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h  enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h 
@@ -424,49 +414,47 @@ enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h  enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h  enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c  engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h -engine.o: ../include/openssl/comp.h ../include/openssl/conf.h -engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -engine.o: ../include/openssl/engine.h ../include/openssl/err.h -engine.o: ../include/openssl/evp.h ../include/openssl/fips.h +engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h +engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h +engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +engine.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +engine.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +engine.o: ../include/openssl/err.h ../include/openssl/evp.h  engine.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -engine.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h -engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -engine.o: 
../include/openssl/x509v3.h apps.h engine.c +engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h +engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +engine.o: engine.c  errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h -errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -errstr.o: ../include/openssl/engine.h ../include/openssl/err.h -errstr.o: ../include/openssl/evp.h ../include/openssl/fips.h +errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h +errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h +errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +errstr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +errstr.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +errstr.o: ../include/openssl/err.h ../include/openssl/evp.h  errstr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -errstr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -errstr.o: 
../include/openssl/ssl.h ../include/openssl/ssl2.h -errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -errstr.o: ../include/openssl/x509v3.h apps.h errstr.c +errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +errstr.o: errstr.c  gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h  gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -474,15 +462,14 @@ gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h  gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  gendh.o: ../include/openssl/engine.h ../include/openssl/err.h -gendh.o: ../include/openssl/evp.h ../include/openssl/fips.h -gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -gendh.o: ../include/openssl/rand.h ../include/openssl/rsa.h -gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h -gendh.o: ../include/openssl/stack.h ../include/openssl/store.h +gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h +gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h +gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h  gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h  gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h  gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h 
@@ -494,16 +481,32 @@ gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h  gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h -gendsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h -gendsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -gendsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h -gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -gendsa.o: ../include/openssl/x509v3.h apps.h gendsa.c +gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +gendsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +gendsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +gendsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +gendsa.o: gendsa.c +genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +genpkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +genpkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +genpkey.o: ../include/openssl/err.h ../include/openssl/evp.h +genpkey.o: ../include/openssl/lhash.h 
../include/openssl/obj_mac.h +genpkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +genpkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +genpkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +genpkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +genpkey.o: genpkey.c  genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h  genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -511,15 +514,14 @@ genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h  genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h -genrsa.o: ../include/openssl/evp.h ../include/openssl/fips.h -genrsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -genrsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -genrsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -genrsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -genrsa.o: ../include/openssl/rand.h ../include/openssl/rsa.h -genrsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h -genrsa.o: ../include/openssl/stack.h ../include/openssl/store.h +genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h +genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +genrsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h +genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h  genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h  genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h  genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h 
@@ -530,16 +532,15 @@ nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  nseq.o: ../include/openssl/err.h ../include/openssl/evp.h -nseq.o: ../include/openssl/fips.h ../include/openssl/lhash.h -nseq.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -nseq.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h -nseq.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h -nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -nseq.o: ../include/openssl/x509v3.h apps.h nseq.c +nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +nseq.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +nseq.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +nseq.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +nseq.o: ../include/openssl/safestack.h ../include/openssl/sha.h +nseq.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +nseq.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +nseq.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h nseq.c  ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h  ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h 
@@ -547,14 +548,13 @@ ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h  ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h -ocsp.o: ../include/openssl/evp.h ../include/openssl/fips.h -ocsp.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ocsp.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h +ocsp.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h  ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h  ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h  ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h 
@@ -563,27 +563,26 @@ ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h  ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h  ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c  openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h -openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h -openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -openssl.o: ../include/openssl/engine.h ../include/openssl/err.h -openssl.o: ../include/openssl/evp.h ../include/openssl/fips.h +openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h +openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h +openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +openssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +openssl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +openssl.o: ../include/openssl/err.h ../include/openssl/evp.h  openssl.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -openssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h 
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h +openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h +openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +openssl.o: openssl.c progs.h s_apps.h  passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h  passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h 
@@ -591,97 +590,142 @@ passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h  passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  passwd.o: ../include/openssl/err.h ../include/openssl/evp.h -passwd.o: ../include/openssl/fips.h ../include/openssl/lhash.h -passwd.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -passwd.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -passwd.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -passwd.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h -passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h -passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -passwd.o: ../include/openssl/x509v3.h apps.h passwd.c +passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h +passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +passwd.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h +passwd.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +passwd.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +passwd.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +passwd.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +passwd.o: passwd.c  pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h  pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  pkcs12.o: 
../include/openssl/ecdsa.h ../include/openssl/engine.h  pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs12.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs12.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -pkcs12.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h -pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -pkcs12.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkcs12.o: pkcs12.c +pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs12.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs12.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h +pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +pkcs12.o: ../include/openssl/sha.h ../include/openssl/stack.h +pkcs12.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c  pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h  pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs7.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h 
-pkcs7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h -pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -pkcs7.o: ../include/openssl/x509v3.h apps.h pkcs7.c +pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkcs7.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkcs7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkcs7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkcs7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkcs7.o: pkcs7.c  pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h  pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs8.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs8.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -pkcs8.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h -pkcs8.o: 
../include/openssl/stack.h ../include/openssl/symhacks.h -pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -pkcs8.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkcs8.o: pkcs8.c +pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs8.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs8.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h +pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h +pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c +pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkey.o: ../include/openssl/err.h ../include/openssl/evp.h +pkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c +pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h 
+pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyparam.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyparam.o: pkeyparam.c +pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyutl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyutl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyutl.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyutl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyutl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyutl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyutl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyutl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyutl.o: pkeyutl.c  prime.o: ../e_os.h 
../include/openssl/asn1.h ../include/openssl/bio.h  prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h  prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h  prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  prime.o: ../include/openssl/engine.h ../include/openssl/evp.h -prime.o: ../include/openssl/fips.h ../include/openssl/lhash.h -prime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -prime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -prime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -prime.o: ../include/openssl/sha.h ../include/openssl/stack.h -prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -prime.o: ../include/openssl/x509v3.h apps.h prime.c +prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +prime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +prime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +prime.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h +prime.o: ../include/openssl/safestack.h ../include/openssl/sha.h +prime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +prime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +prime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +prime.o: prime.c  rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h  rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  rand.o: ../include/openssl/err.h ../include/openssl/evp.h -rand.o: ../include/openssl/fips.h ../include/openssl/lhash.h -rand.o: ../include/openssl/obj_mac.h 
../include/openssl/objects.h -rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h -rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rand.c +rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h +rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h +rand.o: ../include/openssl/sha.h ../include/openssl/stack.h +rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +rand.o: ../include/openssl/x509v3.h apps.h rand.c  req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  req.o: ../include/openssl/bn.h ../include/openssl/buffer.h  req.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -689,15 +733,14 @@ req.o: ../include/openssl/dh.h ../include/openssl/dsa.h  req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  req.o: ../include/openssl/engine.h ../include/openssl/err.h -req.o: ../include/openssl/evp.h ../include/openssl/fips.h -req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -req.o: ../include/openssl/rand.h ../include/openssl/rsa.h -req.o: ../include/openssl/safestack.h ../include/openssl/sha.h -req.o: ../include/openssl/stack.h ../include/openssl/store.h +req.o: ../include/openssl/evp.h ../include/openssl/lhash.h +req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +req.o: ../include/openssl/pem.h ../include/openssl/pem2.h +req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +req.o: ../include/openssl/sha.h ../include/openssl/stack.h  req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h  req.o: ../include/openssl/ui.h ../include/openssl/x509.h  req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c 
@@ -707,49 +750,46 @@ rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h  rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  rsa.o: ../include/openssl/engine.h ../include/openssl/err.h -rsa.o: ../include/openssl/evp.h ../include/openssl/fips.h -rsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -rsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rsa.o: ../include/openssl/x509v3.h apps.h rsa.c +rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h +rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +rsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h +rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +rsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rsa.c  rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h  rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h -rsautl.o: 
../include/openssl/fips.h ../include/openssl/lhash.h -rsautl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -rsautl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -rsautl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -rsautl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -rsautl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -rsautl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -rsautl.o: rsautl.c +rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +rsautl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rsautl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h +rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c  s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h -s_cb.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_cb.o: 
../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h  s_cb.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h  s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h  s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h  s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h 
@@ -764,14 +804,13 @@ s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h  s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  s_client.o: ../include/openssl/engine.h ../include/openssl/err.h -s_client.o: ../include/openssl/evp.h ../include/openssl/fips.h -s_client.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s_client.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s_client.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_client.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_client.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h  s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h  s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h  s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h 
@@ -788,37 +827,35 @@ s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h  s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  s_server.o: ../include/openssl/engine.h ../include/openssl/err.h -s_server.o: ../include/openssl/evp.h ../include/openssl/fips.h -s_server.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_server.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h  s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h  s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h  s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h  s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_server.o: ../include/openssl/stack.h ../include/openssl/store.h -s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h -s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h 
-s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h +s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_server.o: s_apps.h s_server.c timeouts.h +s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h +s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h  s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h  s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h  s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h  s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h  s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h -s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h  s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h  s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h  s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h 
@@ -828,88 +865,87 @@ s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h  s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h  s_socket.o: s_apps.h s_socket.c  s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_time.o: ../include/openssl/engine.h ../include/openssl/err.h -s_time.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_time.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_time.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_time.o: ../include/openssl/err.h ../include/openssl/evp.h  s_time.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_time.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_time.o: ../include/openssl/x509v3.h 
apps.h s_apps.h s_time.c +s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_time.o: s_apps.h s_time.c  sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h -sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h -sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h -sess_id.o: ../include/openssl/evp.h ../include/openssl/fips.h +sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h +sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h +sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +sess_id.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +sess_id.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h  sess_id.o: ../include/openssl/hmac.h ../include/openssl/kssl.h  sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h  sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -sess_id.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h -sess_id.o: 
../include/openssl/ssl.h ../include/openssl/ssl2.h -sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c +sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h +sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +sess_id.o: sess_id.c  smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h  smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  smime.o: ../include/openssl/err.h ../include/openssl/evp.h -smime.o: ../include/openssl/fips.h ../include/openssl/lhash.h -smime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -smime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h -smime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -smime.o: ../include/openssl/sha.h ../include/openssl/stack.h -smime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -smime.o: ../include/openssl/x509v3.h apps.h smime.c +smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +smime.o: 
../include/openssl/objects.h ../include/openssl/ocsp.h +smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +smime.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +smime.o: ../include/openssl/safestack.h ../include/openssl/sha.h +smime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +smime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +smime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +smime.o: smime.c  speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h  speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h  speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h -speed.o: ../include/openssl/cast.h ../include/openssl/conf.h -speed.o: ../include/openssl/crypto.h ../include/openssl/des.h -speed.o: ../include/openssl/des_old.h ../include/openssl/dsa.h -speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -speed.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -speed.o: ../include/openssl/engine.h ../include/openssl/err.h -speed.o: ../include/openssl/evp.h ../include/openssl/fips.h +speed.o: ../include/openssl/camellia.h ../include/openssl/cast.h +speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h +speed.o: ../include/openssl/des.h ../include/openssl/des_old.h +speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +speed.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +speed.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +speed.o: ../include/openssl/err.h ../include/openssl/evp.h  speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h -speed.o: ../include/openssl/lhash.h ../include/openssl/md2.h -speed.o: ../include/openssl/md4.h ../include/openssl/md5.h +speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h +speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h  speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h  
speed.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h  speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h  speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h  speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h  speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h -speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +speed.o: ../include/openssl/safestack.h ../include/openssl/seed.h +speed.o: ../include/openssl/sha.h ../include/openssl/stack.h +speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +speed.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h  speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h  speed.o: speed.c testdsa.h testrsa.h  spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h 
@@ -918,32 +954,50 @@ spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  spkac.o: ../include/openssl/err.h ../include/openssl/evp.h -spkac.o: ../include/openssl/fips.h ../include/openssl/lhash.h -spkac.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -spkac.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h -spkac.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h -spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -spkac.o: ../include/openssl/x509v3.h apps.h spkac.c +spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +spkac.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +spkac.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +spkac.o: ../include/openssl/safestack.h ../include/openssl/sha.h +spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +spkac.o: spkac.c +ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ts.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ts.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +ts.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ts.o: ../include/openssl/engine.h ../include/openssl/err.h +ts.o: ../include/openssl/evp.h 
../include/openssl/lhash.h +ts.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ts.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ts.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ts.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ts.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ts.o: ../include/openssl/sha.h ../include/openssl/stack.h +ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h +ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ts.c  verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h  verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h  verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  verify.o: ../include/openssl/err.h ../include/openssl/evp.h -verify.o: ../include/openssl/fips.h ../include/openssl/lhash.h -verify.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -verify.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h -verify.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -verify.o: ../include/openssl/sha.h ../include/openssl/stack.h -verify.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -verify.o: ../include/openssl/x509v3.h apps.h verify.c +verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +verify.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +verify.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +verify.o: 
../include/openssl/pem2.h ../include/openssl/pkcs7.h +verify.o: ../include/openssl/safestack.h ../include/openssl/sha.h +verify.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +verify.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +verify.o: verify.c  version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h  version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h  version.o: ../include/openssl/buffer.h ../include/openssl/conf.h @@ -951,9 +1005,8 @@ version.o: ../include/openssl/crypto.h ../include/openssl/des.h  version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h  version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -version.o: ../include/openssl/evp.h ../include/openssl/fips.h -version.o: ../include/openssl/idea.h ../include/openssl/lhash.h -version.o: ../include/openssl/md2.h ../include/openssl/obj_mac.h +version.o: ../include/openssl/evp.h ../include/openssl/idea.h +version.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h  version.o: ../include/openssl/objects.h ../include/openssl/ocsp.h  version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h  version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h 
@@ -970,13 +1023,13 @@ x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h  x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h  x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h  x509.o: ../include/openssl/err.h ../include/openssl/evp.h -x509.o: ../include/openssl/fips.h ../include/openssl/lhash.h -x509.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -x509.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h -x509.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -x509.o: ../include/openssl/safestack.h ../include/openssl/sha.h -x509.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -x509.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -x509.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h x509.c +x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +x509.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +x509.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +x509.o: ../include/openssl/sha.h ../include/openssl/stack.h +x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +x509.o: ../include/openssl/x509v3.h apps.h x509.c diff --git a/openssl/apps/apps.c b/openssl/apps/apps.c index 498722a5a..5dccea70d 100644 --- a/openssl/apps/apps.c +++ b/openssl/apps/apps.c 
@@ -109,12 +109,21 @@   *   */ +#ifndef _POSIX_C_SOURCE +#define _POSIX_C_SOURCE 2	/* On VMS, you need to define this to get +				   the declaration of fileno().  The value +				   2 is to make sure no function defined +				   in POSIX-2 is left undefined. */ +#endif  #include <stdio.h>  #include <stdlib.h>  #include <string.h> +#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB) +#include <strings.h> +#endif  #include <sys/types.h> -#include <sys/stat.h>  #include <ctype.h> +#include <errno.h>  #include <assert.h>  #include <openssl/err.h>  #include <openssl/x509.h> @@ -138,6 +147,11 @@  #include "apps.h"  #undef NON_MAIN +#ifdef _WIN32 +static int WIN32_rename(const char *from, const char *to); +#define rename(from,to) WIN32_rename((from),(to)) +#endif +  typedef struct {  	const char *name;  	unsigned long flag; @@ -166,18 +180,23 @@ int args_from_file(char *file, int *argc, char **argv[])  	static char *buf=NULL;  	static char **arg=NULL;  	char *p; -	struct stat stbuf; - -	if (stat(file,&stbuf) < 0) return(0);  	fp=fopen(file,"r");  	if (fp == NULL)  		return(0); +	if (fseek(fp,0,SEEK_END)==0) +		len=ftell(fp), rewind(fp); +	else	len=-1; +	if (len<=0) +		{ +		fclose(fp); +		return(0); +		} +  	*argc=0;  	*argv=NULL; -	len=(unsigned int)stbuf.st_size;  	if (buf != NULL) OPENSSL_free(buf);  	buf=(char *)OPENSSL_malloc(len+1);  	if (buf == NULL) return(0); 
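Review bot: In the args_from_file hunk the new `len<=0` branch closes `fp` before returning, but the `if (buf == NULL) return(0);` line just below it still returns without `fclose(fp)`, so the OPENSSL_malloc failure path leaks the stream; the leak is pre-existing, yet the hunk now tidies one failure path and not the other. Suggest `if (buf == NULL) { fclose(fp); return(0); }`. The new `len=ftell(fp), rewind(fp);` also assigns a `long` to `len`, whose declaration is above the hunk; if `len` is an `int`, a file larger than INT_MAX is truncated silently before the `len+1` allocation, so either widen it or comment why the size is trusted. args_from_file's body continues past the end of the hunk.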
@@ -242,18 +261,25 @@ int str2fmt(char *s)  		return(FORMAT_ASN1);  	else if ((*s == 'T') || (*s == 't'))  		return(FORMAT_TEXT); -	else if ((*s == 'P') || (*s == 'p')) -		return(FORMAT_PEM); -	else if ((*s == 'N') || (*s == 'n')) -		return(FORMAT_NETSCAPE); -	else if ((*s == 'S') || (*s == 's')) -		return(FORMAT_SMIME); +  	else if ((*s == 'N') || (*s == 'n')) +  		return(FORMAT_NETSCAPE); +  	else if ((*s == 'S') || (*s == 's')) +  		return(FORMAT_SMIME); + 	else if ((*s == 'M') || (*s == 'm')) + 		return(FORMAT_MSBLOB);  	else if ((*s == '1')  		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)  		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))  		return(FORMAT_PKCS12);  	else if ((*s == 'E') || (*s == 'e'))  		return(FORMAT_ENGINE); +	else if ((*s == 'P') || (*s == 'p')) + 		{ + 		if (s[1] == 'V' || s[1] == 'v') + 			return FORMAT_PVK; + 		else +  			return(FORMAT_PEM); + 		}  	else  		return(FORMAT_UNDEF);  	} @@ -639,6 +665,15 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)  				BIO_printf(err, "Can't open file %s\n", arg + 5);  				return NULL;  			} +#if !defined(_WIN32) +		/* +		 * Under _WIN32, which covers even Win64 and CE, file +		 * descriptors referenced by BIO_s_fd are not inherited +		 * by child process and therefore below is not an option. +		 * It could have been an option if bss_fd.c was operating +		 * on real Windows descriptors, such as those obtained +		 * with CreateFile. +		 */  		} else if(!strncmp(arg, "fd:", 3)) {  			BIO *btmp;  			i = atoi(arg + 3); @@ -650,6 +685,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)  			/* Can't do BIO_gets on an fd BIO so add a buffering BIO */  			btmp = BIO_new(BIO_f_buffer());  			pwdbio = BIO_push(btmp, pwdbio); +#endif  		} else if(!strcmp(arg, "stdin")) {  			pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);  			if(!pwdbio) { 
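Review bot: The re-added FORMAT_NETSCAPE/FORMAT_SMIME lines and the new FORMAT_MSBLOB and FORMAT_PVK lines in str2fmt are indented with a mix of spaces and tabs (`+  \t\telse if`, `+ \t\telse if`, `+ \t\t{`), unlike the tab-only lines around them; re-indent them to match the file. The new `'P'` branch reads `s[1]` only after `*s` matched, so a bare "P" still yields FORMAT_PEM via the terminator; a short comment such as `/* "PV..." selects PVK, any other P-prefix stays PEM */` would make that deliberate. str2fmt's head is outside the hunk.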
@@ -749,8 +785,6 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,  X509 *load_cert(BIO *err, const char *file, int format,  	const char *pass, ENGINE *e, const char *cert_descrip)  	{ -	ASN1_HEADER *ah=NULL; -	BUF_MEM *buf=NULL;  	X509 *x=NULL;  	BIO *cert; @@ -762,7 +796,9 @@ X509 *load_cert(BIO *err, const char *file, int format,  	if (file == NULL)  		{ +#ifdef _IONBF  		setvbuf(stdin, NULL, _IONBF, 0); +#endif  		BIO_set_fp(cert,stdin,BIO_NOCLOSE);  		}  	else 
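Review bot: The `#ifdef _IONBF` guard around `setvbuf(stdin, NULL, _IONBF, 0)` in load_cert is undocumented, and the same guard is added again in load_key and load_pubkey in the following hunks. Since `_IONBF` is a standard <stdio.h> macro, a reader may remove the guard as redundant; a one-line comment at this first occurrence naming the reason it exists (presumably a build target whose stdio lacks it) would prevent that, e.g. `/* _IONBF is absent on some stdio implementations we build against; skip unbuffering there */`.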
@@ -780,46 +816,21 @@ X509 *load_cert(BIO *err, const char *file, int format,  		x=d2i_X509_bio(cert,NULL);  	else if (format == FORMAT_NETSCAPE)  		{ -		const unsigned char *p,*op; -		int size=0,i; - -		/* We sort of have to do it this way because it is sort of nice -		 * to read the header first and check it, then -		 * try to read the certificate */ -		buf=BUF_MEM_new(); -		for (;;) -			{ -			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10))) -				goto end; -			i=BIO_read(cert,&(buf->data[size]),1024*10); -			size+=i; -			if (i == 0) break; -			if (i < 0) -				{ -				perror("reading certificate"); +		NETSCAPE_X509 *nx; +		nx=ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),cert,NULL); +		if (nx == NULL)  				goto end; -				} -			} -		p=(unsigned char *)buf->data; -		op=p; -		/* First load the header */ -		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL) -			goto end; -		if ((ah->header == NULL) || (ah->header->data == NULL) || -			(strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data, -			ah->header->length) != 0)) +		if ((strncmp(NETSCAPE_CERT_HDR,(char *)nx->header->data, +			nx->header->length) != 0))  			{ +			NETSCAPE_X509_free(nx);  			BIO_printf(err,"Error reading header on certificate\n");  			goto end;  			} -		/* header is ok, so now read the object */ -		p=op; -		ah->meth=X509_asn1_meth(); -		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL) -			goto end; -		x=(X509 *)ah->data; -		ah->data=NULL; +		x=nx->cert; +		nx->cert = NULL; +		NETSCAPE_X509_free(nx);  		}  	else if (format == FORMAT_PEM)  		x=PEM_read_bio_X509_AUX(cert,NULL, @@ -841,9 +852,7 @@ end:  		BIO_printf(err,"unable to load certificate\n");  		ERR_print_errors(err);  		} -	if (ah != NULL) ASN1_HEADER_free(ah);  	if (cert != NULL) BIO_free(cert); -	if (buf != NULL) BUF_MEM_free(buf);  	return(x);  	} 
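Review bot: The new NETSCAPE branch in load_cert dereferences `nx->header->data` and `nx->header->length` without the `header == NULL || header->data == NULL` checks the removed code performed before its strncmp; whether ASN1_item_d2i_bio guarantees a non-NULL header depends on the NETSCAPE_X509 template, which is not visible here, so either keep the check, `if (nx->header == NULL || nx->header->data == NULL || strncmp(NETSCAPE_CERT_HDR, (char *)nx->header->data, nx->header->length) != 0)`, or add a comment stating the template makes the header mandatory. The strncmp bounded by `nx->header->length` also accepts any header that is a proper prefix of NETSCAPE_CERT_HDR (carried over from the old code); comparing the length against `strlen(NETSCAPE_CERT_HDR)` as well would make the check exact. The retained `goto end;` after `if (nx == NULL)` is indented two levels deeper than its `if`.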
@@ -881,7 +890,9 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,  		}  	if (file == NULL && maybe_stdin)  		{ +#ifdef _IONBF  		setvbuf(stdin, NULL, _IONBF, 0); +#endif  		BIO_set_fp(key,stdin,BIO_NOCLOSE);  		}  	else @@ -912,6 +923,13 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,  				&pkey, NULL, NULL))  			goto end;  		} +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) +	else if (format == FORMAT_MSBLOB) +		pkey = b2i_PrivateKey_bio(key); +	else if (format == FORMAT_PVK) +		pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback, +								&cb_data); +#endif  	else  		{  		BIO_printf(err,"bad input format specified for key file\n"); @@ -958,7 +976,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,  		}  	if (file == NULL && maybe_stdin)  		{ +#ifdef _IONBF  		setvbuf(stdin, NULL, _IONBF, 0); +#endif  		BIO_set_fp(key,stdin,BIO_NOCLOSE);  		}  	else @@ -973,6 +993,37 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,  		{  		pkey=d2i_PUBKEY_bio(key, NULL);  		} +#ifndef OPENSSL_NO_RSA +	else if (format == FORMAT_ASN1RSA) +		{ +		RSA *rsa; +		rsa = d2i_RSAPublicKey_bio(key, NULL); +		if (rsa) +			{ +			pkey = EVP_PKEY_new(); +			if (pkey) +				EVP_PKEY_set1_RSA(pkey, rsa); +			RSA_free(rsa); +			} +		else +			pkey = NULL; +		} +	else if (format == FORMAT_PEMRSA) +		{ +		RSA *rsa; +		rsa = PEM_read_bio_RSAPublicKey(key, NULL,  +			(pem_password_cb *)password_callback, &cb_data); +		if (rsa) +			{ +			pkey = EVP_PKEY_new(); +			if (pkey) +				EVP_PKEY_set1_RSA(pkey, rsa); +			RSA_free(rsa); +			} +		else +			pkey = NULL; +		} +#endif  	else if (format == FORMAT_PEM)  		{  		pkey=PEM_read_bio_PUBKEY(key,NULL, 
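Review bot: In the new FORMAT_ASN1RSA and FORMAT_PEMRSA branches of load_pubkey the return value of `EVP_PKEY_set1_RSA(pkey, rsa)` is ignored, so on failure the function hands back an EVP_PKEY with no key inside and the caller treats the load as a success. The two branches differ only in the decoder call; in each the wrap should read `if (pkey && !EVP_PKEY_set1_RSA(pkey, rsa)) { EVP_PKEY_free(pkey); pkey = NULL; }`, or both should call one small static helper that takes the RSA pointer. The `else pkey = NULL;` arms look redundant if pkey is initialised to NULL earlier in the function, but that initialisation is outside the hunk, so confirm before removing them. load_pubkey begins and ends outside this hunk.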
@@ -982,6 +1033,10 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
 		pkey = load_netscape_key(err, key, file, key_descrip, format);
 #endif
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
+	else if (format == FORMAT_MSBLOB)
+		pkey = b2i_PublicKey_bio(key);
+#endif
 	else
 		{
 		BIO_printf(err,"bad input format specified for key file\n");
@@ -1040,76 +1095,120 @@ error:  	}  #endif /* ndef OPENSSL_NO_RC4 */ -STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, -	const char *pass, ENGINE *e, const char *cert_descrip) +static int load_certs_crls(BIO *err, const char *file, int format, +	const char *pass, ENGINE *e, const char *desc, +	STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)  	{ -	BIO *certs;  	int i; -	STACK_OF(X509) *othercerts = NULL; -	STACK_OF(X509_INFO) *allcerts = NULL; +	BIO *bio; +	STACK_OF(X509_INFO) *xis = NULL;  	X509_INFO *xi;  	PW_CB_DATA cb_data; +	int rv = 0;  	cb_data.password = pass;  	cb_data.prompt_info = file; -	if((certs = BIO_new(BIO_s_file())) == NULL) +	if (format != FORMAT_PEM)  		{ -		ERR_print_errors(err); -		goto end; +		BIO_printf(err,"bad input format specified for %s\n", desc); +		return 0;  		}  	if (file == NULL) -		BIO_set_fp(certs,stdin,BIO_NOCLOSE); +		bio = BIO_new_fp(stdin,BIO_NOCLOSE);  	else +		bio = BIO_new_file(file, "r"); + +	if (bio == NULL)  		{ -		if (BIO_read_filename(certs,file) <= 0) -			{ -			BIO_printf(err, "Error opening %s %s\n", -				cert_descrip, file); -			ERR_print_errors(err); +		BIO_printf(err, "Error opening %s %s\n", +				desc, file ? 
file : "stdin"); +		ERR_print_errors(err); +		return 0; +		} + +	xis = PEM_X509_INFO_read_bio(bio, NULL, +				(pem_password_cb *)password_callback, &cb_data); + +	BIO_free(bio); + +	if (pcerts) +		{ +		*pcerts = sk_X509_new_null(); +		if (!*pcerts)  			goto end; -			}  		} -	if      (format == FORMAT_PEM) +	if (pcrls)  		{ -		othercerts = sk_X509_new_null(); -		if(!othercerts) -			{ -			sk_X509_free(othercerts); -			othercerts = NULL; +		*pcrls = sk_X509_CRL_new_null(); +		if (!*pcrls)  			goto end; +		} + +	for(i = 0; i < sk_X509_INFO_num(xis); i++) +		{ +		xi = sk_X509_INFO_value (xis, i); +		if (xi->x509 && pcerts) +			{ +			if (!sk_X509_push(*pcerts, xi->x509)) +				goto end; +			xi->x509 = NULL;  			} -		allcerts = PEM_X509_INFO_read_bio(certs, NULL, -				(pem_password_cb *)password_callback, &cb_data); -		for(i = 0; i < sk_X509_INFO_num(allcerts); i++) +		if (xi->crl && pcrls)  			{ -			xi = sk_X509_INFO_value (allcerts, i); -			if (xi->x509) -				{ -				sk_X509_push(othercerts, xi->x509); -				xi->x509 = NULL; -				} +			if (!sk_X509_CRL_push(*pcrls, xi->crl)) +				goto end; +			xi->crl = NULL;  			} -		goto end;  		} -	else	{ -		BIO_printf(err,"bad input format specified for %s\n", -			cert_descrip); -		goto end; -		} -end: -	if (othercerts == NULL) + +	if (pcerts && sk_X509_num(*pcerts) > 0) +		rv = 1; + +	if (pcrls && sk_X509_CRL_num(*pcrls) > 0) +		rv = 1; + +	end: + +	if (xis) +		sk_X509_INFO_pop_free(xis, X509_INFO_free); + +	if (rv == 0)  		{ -		BIO_printf(err,"unable to load certificates\n"); +		if (pcerts) +			{ +			sk_X509_pop_free(*pcerts, X509_free); +			*pcerts = NULL; +			} +		if (pcrls) +			{ +			sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); +			*pcrls = NULL; +			} +		BIO_printf(err,"unable to load %s\n", +				pcerts ? 
"certificates" : "CRLs");  		ERR_print_errors(err);  		} -	if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free); -	if (certs != NULL) BIO_free(certs); -	return(othercerts); +	return rv;  	} +STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, +	const char *pass, ENGINE *e, const char *desc) +	{ +	STACK_OF(X509) *certs; +	load_certs_crls(err, file, format, pass, e, desc, &certs, NULL); +	return certs; +	}	 + +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, +	const char *pass, ENGINE *e, const char *desc) +	{ +	STACK_OF(X509_CRL) *crls; +	load_certs_crls(err, file, format, pass, e, desc, NULL, &crls); +	return crls; +	}	  #define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)  /* Return error for unknown extensions */ @@ -1396,6 +1495,10 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)  int load_config(BIO *err, CONF *cnf)  	{ +	static int load_config_called = 0; +	if (load_config_called) +		return 1; +	load_config_called = 1;  	if (!cnf)  		cnf = config;  	if (!cnf) @@ -1429,7 +1532,7 @@ char *make_config_name()  	return p;  	} -static unsigned long index_serial_hash(const char **a) +static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)  	{  	const char *n; @@ -1438,7 +1541,7 @@ static unsigned long index_serial_hash(const char **a)  	return(lh_strhash(n));  	} -static int index_serial_cmp(const char **a, const char **b) +static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)  	{  	const char *aa,*bb; 
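Review bot: load_certs and load_crls return an uninitialised pointer whenever load_certs_crls fails before reaching the `*pcerts = sk_X509_new_null()` / `*pcrls = sk_X509_CRL_new_null()` assignments, which is exactly what the two early `return 0` paths do (format other than PEM, or the file cannot be opened); `STACK_OF(X509) *certs;` is never written in that case and the caller receives garbage instead of NULL. Initialise the locals and honour the return code: `STACK_OF(X509) *certs = NULL;` followed by `if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL)) return NULL;`, and the same shape for load_crls. The `ENGINE *e` parameter is forwarded into load_certs_crls but never used there, which is harmless but deserves a one-line comment if it is kept for interface compatibility.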
@@ -1450,17 +1553,16 @@ static int index_serial_cmp(const char **a, const char **b)
 static int index_name_qual(char **a)
 	{ return(a[0][0] == 'V'); }
-static unsigned long index_name_hash(const char **a)
+static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
 	{ return(lh_strhash(a[DB_name])); }
-int index_name_cmp(const char **a, const char **b)
-	{ return(strcmp(a[DB_name],
-	     b[DB_name])); }
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
+	{ return(strcmp(a[DB_name], b[DB_name])); }
-static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
-static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
 #undef BSIZE
 #define BSIZE 256
@@ -1588,7 +1690,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
 	{
 	char buf[5][BSIZE];
 	int i,j;
-	struct stat sb;
 	i = strlen(serialfile) + strlen(old_suffix);
 	j = strlen(serialfile) + strlen(new_suffix);
@@ -1613,30 +1714,21 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)  	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",  		serialfile, old_suffix);  #endif -	if (stat(serialfile,&sb) < 0) -		{ -		if (errno != ENOENT  +#ifdef RL_DEBUG +	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", +		serialfile, buf[1]); +#endif +	if (rename(serialfile,buf[1]) < 0 && errno != ENOENT  #ifdef ENOTDIR  			&& errno != ENOTDIR  #endif -		   ) -			goto err; -		} -	else -		{ -#ifdef RL_DEBUG -		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", -			serialfile, buf[1]); -#endif -		if (rename(serialfile,buf[1]) < 0) -			{ +	   )		{  			BIO_printf(bio_err,  				"unable to rename %s to %s\n",  				serialfile, buf[1]);  			perror("reason");  			goto err;  			} -		}  #ifdef RL_DEBUG  	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",  		buf[0],serialfile); @@ -1703,10 +1795,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)  		goto err;  		}  	if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) -		{ -		if (tmpdb != NULL) TXT_DB_free(tmpdb);  		goto err; -		}  #ifndef OPENSSL_SYS_VMS  	BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); @@ -1767,8 +1856,8 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)  int index_index(CA_DB *db)  	{  	if (!TXT_DB_create_index(db->db, DB_serial, NULL, -				LHASH_HASH_FN(index_serial_hash), -				LHASH_COMP_FN(index_serial_cmp))) +				LHASH_HASH_FN(index_serial), +				LHASH_COMP_FN(index_serial)))  		{  		BIO_printf(bio_err,  		  "error creating serial number index:(%ld,%ld,%ld)\n", @@ -1778,8 +1867,8 @@ int index_index(CA_DB *db)  	if (db->attributes.unique_subject  		&& !TXT_DB_create_index(db->db, DB_name, index_name_qual, -			LHASH_HASH_FN(index_name_hash), -			LHASH_COMP_FN(index_name_cmp))) +			LHASH_HASH_FN(index_name), +			LHASH_COMP_FN(index_name)))  		{  		BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",  			db->db->error,db->db->arg1,db->db->arg2); 
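Review bot: rotate_serial now tolerates `rename(serialfile, buf[1])` failing with ENOENT (or ENOTDIR) without a comment saying why, and the intent is easy to lose on the next edit: the replaced stat() check skipped the rename for a serial file that does not exist yet, and the new code keeps that behaviour while also removing the check-then-act gap between stat() and rename(). A one-line comment above the call would preserve it: `/* A missing serial file (e.g. a fresh CA) is fine; any other rename failure is fatal */`. Note that on Windows errno here comes from the WIN32_rename replacement added later in this diff, which only maps not-found and access-denied and turns every other error into EINVAL. rotate_serial's body continues past the hunk.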
@@ -1859,7 +1948,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf  	{  	char buf[5][BSIZE];  	int i,j; -	struct stat sb;  	i = strlen(dbfile) + strlen(old_suffix);  	j = strlen(dbfile) + strlen(new_suffix); @@ -1903,30 +1991,21 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf  	j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s",  		dbfile, old_suffix);  #endif -	if (stat(dbfile,&sb) < 0) -		{ -		if (errno != ENOENT  -#ifdef ENOTDIR -			&& errno != ENOTDIR -#endif -		   ) -			goto err; -		} -	else -		{  #ifdef RL_DEBUG -		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", -			dbfile, buf[1]); +	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", +		dbfile, buf[1]);  #endif -		if (rename(dbfile,buf[1]) < 0) -			{ +	if (rename(dbfile,buf[1]) < 0 && errno != ENOENT +#ifdef ENOTDIR +		&& errno != ENOTDIR +#endif +	   )		{  			BIO_printf(bio_err,  				"unable to rename %s to %s\n",  				dbfile, buf[1]);  			perror("reason");  			goto err;  			} -		}  #ifdef RL_DEBUG  	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",  		buf[0],dbfile); @@ -1940,23 +2019,15 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf  		rename(buf[1],dbfile);  		goto err;  		} -	if (stat(buf[4],&sb) < 0) -		{ -		if (errno != ENOENT  -#ifdef ENOTDIR -			&& errno != ENOTDIR -#endif -		   ) -			goto err; -		} -	else -		{  #ifdef RL_DEBUG -		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", -			buf[4],buf[3]); +	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", +		buf[4],buf[3]);  #endif -		if (rename(buf[4],buf[3]) < 0) -			{ +	if (rename(buf[4],buf[3]) < 0 && errno != ENOENT +#ifdef ENOTDIR +		&& errno != ENOTDIR +#endif +	   )		{  			BIO_printf(bio_err,  				"unable to rename %s to %s\n",  				buf[4], buf[3]); 
@@ -1965,7 +2036,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf  			rename(buf[1],dbfile);  			goto err;  			} -		}  #ifdef RL_DEBUG  	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",  		buf[2],buf[4]); @@ -2160,52 +2230,13 @@ error:  	return NULL;  } -/* This code MUST COME AFTER anything that uses rename() */ -#ifdef OPENSSL_SYS_WIN32 -int WIN32_rename(const char *from, const char *to) -	{ -#ifndef OPENSSL_SYS_WINCE -	/* Windows rename gives an error if 'to' exists, so delete it -	 * first and ignore file not found errror -	 */ -	if((remove(to) != 0) && (errno != ENOENT)) -		return -1; -#undef rename -	return rename(from, to); -#else -	/* convert strings to UNICODE */ -	{ -	BOOL result = FALSE; -	WCHAR* wfrom; -	WCHAR* wto; -	int i; -	wfrom = malloc((strlen(from)+1)*2); -	wto = malloc((strlen(to)+1)*2); -	if (wfrom != NULL && wto != NULL) -		{ -		for (i=0; i<(int)strlen(from)+1; i++) -			wfrom[i] = (short)from[i]; -		for (i=0; i<(int)strlen(to)+1; i++) -			wto[i] = (short)to[i]; -		result = MoveFile(wfrom, wto); -		} -	if (wfrom != NULL) -		free(wfrom); -	if (wto != NULL) -		free(wto); -	return result; -	} -#endif -	} -#endif -  int args_verify(char ***pargs, int *pargc,  			int *badarg, BIO *err, X509_VERIFY_PARAM **pm)  	{  	ASN1_OBJECT *otmp = NULL;  	unsigned long flags = 0;  	int i; -	int purpose = 0; +	int purpose = 0, depth = -1;  	char **oldargs = *pargs;  	char *arg = **pargs, *argn = (*pargs)[1];  	if (!strcmp(arg, "-policy")) @@ -2245,6 +2276,21 @@ int args_verify(char ***pargs, int *pargc,  			}  		(*pargs)++;  		} +	else if (strcmp(arg,"-verify_depth") == 0) +		{ +		if (!argn) +			*badarg = 1; +		else +			{ +			depth = atoi(argn); +			if(depth < 0) +				{ +				BIO_printf(err, "invalid depth\n"); +				*badarg = 1; +				} +			} +		(*pargs)++; +		}  	else if (!strcmp(arg, "-ignore_critical"))  		flags |= X509_V_FLAG_IGNORE_CRITICAL;  	else if (!strcmp(arg, "-issuer_checks")) 
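Review bot: `depth = atoi(argn)` in the new `-verify_depth` branch accepts trailing junk and silently wraps on overflow, so `-verify_depth 5x` yields 5 and an out-of-range value becomes whatever atoi returns, with only a negative result rejected; an option that bounds certificate chain length should fail closed on anything that is not a complete non-negative integer. Parse with strtol and check the end pointer, errno and the int range as below (INT_MAX needs <limits.h> if apps.c does not already include it). args_verify begins in the previous hunk and ends outside this one.
```c
	else if (strcmp(arg,"-verify_depth") == 0)
		{
		if (!argn)
			*badarg = 1;
		else
			{
			char *endp;
			long d;
			errno = 0;
			d = strtol(argn, &endp, 10);
			/* require a complete, in-range, non-negative integer */
			if (endp == argn || *endp != '\0' || errno == ERANGE
				|| d < 0 || d > INT_MAX)
				{
				BIO_printf(err, "invalid depth\n");
				*badarg = 1;
				}
			else
				depth = (int)d;
			}
		(*pargs)++;
		}
```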
@@ -2257,10 +2303,20 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_POLICY_CHECK;
 	else if (!strcmp(arg, "-explicit_policy"))
 		flags |= X509_V_FLAG_EXPLICIT_POLICY;
+	else if (!strcmp(arg, "-inhibit_any"))
+		flags |= X509_V_FLAG_INHIBIT_ANY;
+	else if (!strcmp(arg, "-inhibit_map"))
+		flags |= X509_V_FLAG_INHIBIT_MAP;
 	else if (!strcmp(arg, "-x509_strict"))
 		flags |= X509_V_FLAG_X509_STRICT;
+	else if (!strcmp(arg, "-extended_crl"))
+		flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+	else if (!strcmp(arg, "-use_deltas"))
+		flags |= X509_V_FLAG_USE_DELTAS;
 	else if (!strcmp(arg, "-policy_print"))
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else if (!strcmp(arg, "-check_ss_sig"))
+		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 	else
 		return 0;
@@ -2286,6 +2342,9 @@ int args_verify(char ***pargs, int *pargc,
 	if (purpose)
 		X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+	if (depth >= 0)
+		X509_VERIFY_PARAM_set_depth(*pm, depth);
+
 	end:
 	(*pargs)++;
@@ -2297,6 +2356,61 @@ int args_verify(char ***pargs, int *pargc,  	} +/* Read whole contents of a BIO into an allocated memory buffer and + * return it. + */ + +int bio_to_mem(unsigned char **out, int maxlen, BIO *in) +	{ +	BIO *mem; +	int len, ret; +	unsigned char tbuf[1024]; +	mem = BIO_new(BIO_s_mem()); +	if (!mem) +		return -1; +	for(;;) +		{ +		if ((maxlen != -1) && maxlen < 1024) +			len = maxlen; +		else +			len = 1024; +		len = BIO_read(in, tbuf, len); +		if (len <= 0) +			break; +		if (BIO_write(mem, tbuf, len) != len) +			{ +			BIO_free(mem); +			return -1; +			} +		maxlen -= len; + +		if (maxlen == 0) +			break; +		} +	ret = BIO_get_mem_data(mem, (char **)out); +	BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY); +	BIO_free(mem); +	return ret; +	} + +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) +	{ +	int rv; +	char *stmp, *vtmp = NULL; +	stmp = BUF_strdup(value); +	if (!stmp) +		return -1; +	vtmp = strchr(stmp, ':'); +	if (vtmp) +		{ +		*vtmp = 0; +		vtmp++; +		} +	rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp); +	OPENSSL_free(stmp); +	return rv; +	} +  static void nodes_print(BIO *out, const char *name,  	STACK_OF(X509_POLICY_NODE) *nodes)  	{ @@ -2338,7 +2452,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)  		BIO_free(out);  	} -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)  static JPAKE_CTX *jpake_init(const char *us, const char *them,  							 const char *secret) 
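Review bot: bio_to_mem's header comment omits the three things a caller has to know: `*out` is the mem BIO's own buffer, detached by setting BIO_FLAGS_MEM_RDONLY before BIO_free, so the caller owns it and must OPENSSL_free it; `maxlen == -1` means unbounded while any other negative maxlen is passed straight to BIO_read as a negative length; and a BIO_read failure (`len < 0`) is treated exactly like end-of-file, so whatever was read so far is returned with no error indication. I would put the first two in the comment, e.g. `/* ... *out is OPENSSL_malloc'd and owned by the caller; maxlen == -1 reads to EOF. Returns the byte count, or -1 on allocation failure. */`, and either return -1 on `len < 0` or state that read errors are indistinguishable from EOF. pkey_ctrl_string is fine as written; a line noting that `value` is split at the first ':' into a control name and an optional argument would help the reader.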
@@ -2521,17 +2635,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)  	jpake_send_step3a(bconn, ctx);  	jpake_receive_step3b(ctx, bconn); -	/* -	 * The problem is that you must use the derived key in the -	 * session key or you are subject to man-in-the-middle -	 * attacks. -	 */ -	BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" -		 " be MitMed. See the version in HEAD for how to do it" -		 " properly)\n"); +	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + +	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));  	BIO_pop(bconn);  	BIO_free(bconn); + +	JPAKE_CTX_free(ctx);  	}  void jpake_server_auth(BIO *out, BIO *conn, const char *secret) 
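Review bot: `psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx))` overwrites whatever the global already held (a leak, and presumably a silent replacement of any PSK supplied on the command line) and never checks for NULL, which BN_bn2hex returns on allocation failure; the PSK callback that later reads psk_key is outside this diff, so I cannot tell whether it guards against NULL. A minimal fix: `if (psk_key) OPENSSL_free(psk_key); psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); if (!psk_key) BIO_puts(out, "JPAKE: unable to export shared key\n");`. The derived key also stays in a plain heap string for the life of the process, so whoever finally frees psk_key should OPENSSL_cleanse it first. The same pattern is repeated in jpake_server_auth in the next hunk.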
@@ -2553,17 +2664,340 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)  	jpake_receive_step3a(ctx, bconn);  	jpake_send_step3b(bconn, ctx); -	/* -	 * The problem is that you must use the derived key in the -	 * session key or you are subject to man-in-the-middle -	 * attacks. -	 */ -	BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" -		 " be MitMed. See the version in HEAD for how to do it" -		 " properly)\n"); +	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + +	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));  	BIO_pop(bconn);  	BIO_free(bconn); + +	JPAKE_CTX_free(ctx); +	} + +#endif + +/* + * Platform-specific sections + */ +#if defined(_WIN32) +# ifdef fileno +#  undef fileno +#  define fileno(a) (int)_fileno(a) +# endif + +# include <windows.h> +# include <tchar.h> + +static int WIN32_rename(const char *from, const char *to) +	{ +	TCHAR  *tfrom=NULL,*tto; +	DWORD	err; +	int	ret=0; + +	if (sizeof(TCHAR) == 1) +		{ +		tfrom = (TCHAR *)from; +		tto   = (TCHAR *)to; +		} +	else	/* UNICODE path */ +		{ +		size_t i,flen=strlen(from)+1,tlen=strlen(to)+1; +		tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen)); +		if (tfrom==NULL) goto err; +		tto=tfrom+flen; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 +		if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen)) +#endif +			for (i=0;i<flen;i++)	tfrom[i]=(TCHAR)from[i]; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 +		if (!MultiByteToWideChar(CP_ACP,0,to,  tlen,(WCHAR *)tto,  tlen)) +#endif +			for (i=0;i<tlen;i++)	tto[i]  =(TCHAR)to[i]; +		} + +	if (MoveFile(tfrom,tto))	goto ok; +	err=GetLastError(); +	if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS) +		{ +		if (DeleteFile(tto) && MoveFile(tfrom,tto)) +			goto ok; +		err=GetLastError(); +		} +	if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND) +		errno = ENOENT; +	else if (err==ERROR_ACCESS_DENIED) +		errno = EACCES; +	else +		errno = EINVAL;	/* we could map more codes... 
*/ +err: +	ret=-1; +ok: +	if (tfrom!=NULL && tfrom!=(TCHAR *)from)	free(tfrom); +	return ret; +	} +#endif + +/* app_tminterval section */ +#if defined(_WIN32) +double app_tminterval(int stop,int usertime) +	{ +	FILETIME		now; +	double			ret=0; +	static ULARGE_INTEGER	tmstart; +	static int		warning=1; +#ifdef _WIN32_WINNT +	static HANDLE		proc=NULL; + +	if (proc==NULL) +		{ +		if (GetVersion() < 0x80000000) +			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE, +						GetCurrentProcessId()); +		if (proc==NULL) proc = (HANDLE)-1; +		} + +	if (usertime && proc!=(HANDLE)-1) +		{ +		FILETIME junk; +		GetProcessTimes(proc,&junk,&junk,&junk,&now); +		} +	else +#endif +		{ +		SYSTEMTIME systime; + +		if (usertime && warning) +			{ +			BIO_printf(bio_err,"To get meaningful results, run " +					   "this program on idle system.\n"); +			warning=0; +			} +		GetSystemTime(&systime); +		SystemTimeToFileTime(&systime,&now); +		} + +	if (stop==TM_START) +		{ +		tmstart.u.LowPart  = now.dwLowDateTime; +		tmstart.u.HighPart = now.dwHighDateTime; +		} +	else	{ +		ULARGE_INTEGER tmstop; + +		tmstop.u.LowPart   = now.dwLowDateTime; +		tmstop.u.HighPart  = now.dwHighDateTime; + +		ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7; +		} + +	return (ret);  	} +#elif defined(OPENSSL_SYS_NETWARE) +#include <time.h> + +double app_tminterval(int stop,int usertime) +	{ +	double		ret=0; +	static clock_t	tmstart; +	static int	warning=1; + +	if (usertime && warning) +		{ +		BIO_printf(bio_err,"To get meaningful results, run " +				   "this program on idle system.\n"); +		warning=0; +		} + +	if (stop==TM_START)	tmstart = clock(); +	else			ret     = (clock()-tmstart)/(double)CLOCKS_PER_SEC; + +	return (ret); +	} + +#elif defined(OPENSSL_SYSTEM_VXWORKS) +#include <time.h> + +double app_tminterval(int stop,int usertime) +	{ +	double ret=0; +#ifdef CLOCK_REALTIME +	static struct timespec	tmstart; +	struct timespec		now; +#else +	static unsigned long	tmstart; +	unsigned long		now; +#endif +	
static int warning=1; + +	if (usertime && warning) +		{ +		BIO_printf(bio_err,"To get meaningful results, run " +				   "this program on idle system.\n"); +		warning=0; +		} + +#ifdef CLOCK_REALTIME +	clock_gettime(CLOCK_REALTIME,&now); +	if (stop==TM_START)	tmstart = now; +	else	ret = ( (now.tv_sec+now.tv_nsec*1e-9) +			- (tmstart.tv_sec+tmstart.tv_nsec*1e-9) ); +#else +	now = tickGet(); +	if (stop==TM_START)	tmstart = now; +	else			ret = (now - tmstart)/(double)sysClkRateGet(); +#endif +	return (ret); +	} + +#elif defined(OPENSSL_SYSTEM_VMS) +#include <time.h> +#include <times.h> + +double app_tminterval(int stop,int usertime) +	{ +	static clock_t	tmstart; +	double		ret = 0; +	clock_t		now; +#ifdef __TMS +	struct tms	rus; + +	now = times(&rus); +	if (usertime)	now = rus.tms_utime; +#else +	if (usertime) +		now = clock(); /* sum of user and kernel times */ +	else	{ +		struct timeval tv; +		gettimeofday(&tv,NULL); +		now = (clock_t)( +			(unsigned long long)tv.tv_sec*CLK_TCK + +			(unsigned long long)tv.tv_usec*(1000000/CLK_TCK) +			); +		} +#endif +	if (stop==TM_START)	tmstart = now; +	else			ret = (now - tmstart)/(double)(CLK_TCK); + +	return (ret); +	} + +#elif defined(_SC_CLK_TCK)	/* by means of unistd.h */ +#include <sys/times.h> + +double app_tminterval(int stop,int usertime) +	{ +	double		ret = 0; +	struct tms	rus; +	clock_t		now = times(&rus); +	static clock_t	tmstart; + +	if (usertime)		now = rus.tms_utime; + +	if (stop==TM_START)	tmstart = now; +	else +		{ +		long int tck = sysconf(_SC_CLK_TCK); +		ret = (now - tmstart)/(double)tck; +		} + +	return (ret); +	} + +#else +#include <sys/time.h> +#include <sys/resource.h> + +double app_tminterval(int stop,int usertime) +	{ +	double		ret = 0; +	struct rusage	rus; +	struct timeval	now; +	static struct timeval tmstart; + +	if (usertime)		getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime; +	else			gettimeofday(&now,NULL); + +	if (stop==TM_START)	tmstart = now; +	else			ret = ( (now.tv_sec+now.tv_usec*1e-6) +					- 
(tmstart.tv_sec+tmstart.tv_usec*1e-6) ); + +	return ret; +	} +#endif + +/* app_isdir section */ +#ifdef _WIN32 +int app_isdir(const char *name) +	{ +	HANDLE		hList; +	WIN32_FIND_DATA	FileData; +#if defined(UNICODE) || defined(_UNICODE) +	size_t i, len_0 = strlen(name)+1; + +	if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0])) +		return -1; + +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 +	if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0)) +#endif +		for (i=0;i<len_0;i++) +			FileData.cFileName[i] = (WCHAR)name[i]; + +	hList = FindFirstFile(FileData.cFileName,&FileData); +#else +	hList = FindFirstFile(name,&FileData); +#endif +	if (hList == INVALID_HANDLE_VALUE)	return -1; +	FindClose(hList); +	return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0); +	} +#else +#include <sys/stat.h> +#ifndef S_ISDIR +# if defined(_S_IFMT) && defined(_S_IFDIR) +#  define S_ISDIR(a)   (((a) & _S_IFMT) == _S_IFDIR) +# else  +#  define S_ISDIR(a)   (((a) & S_IFMT) == S_IFDIR) +# endif  +#endif  + +int app_isdir(const char *name) +	{ +#if defined(S_ISDIR) +	struct stat st; + +	if (stat(name,&st)==0)	return S_ISDIR(st.st_mode); +	else			return -1; +#else +	return -1; +#endif +	} +#endif + +/* raw_read|write section */ +#if defined(_WIN32) && defined(STD_INPUT_HANDLE) +int raw_read_stdin(void *buf,int siz) +	{ +	DWORD n; +	if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL)) +		return (n); +	else	return (-1); +	} +#else +int raw_read_stdin(void *buf,int siz) +	{	return read(fileno(stdin),buf,siz);	} +#endif + +#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE) +int raw_write_stdout(const void *buf,int siz) +	{ +	DWORD n; +	if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL)) +		return (n); +	else	return (-1); +	} +#else +int raw_write_stdout(const void *buf,int siz) +	{	return write(fileno(stdout),buf,siz);	}  #endif diff --git a/openssl/apps/apps.h b/openssl/apps/apps.h index 88579094b..596a39ace 100644 
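Review bot: WIN32_rename falls back to `DeleteFile(tto)` followed by a second `MoveFile` when the target exists, which is not atomic: a crash or a concurrent opener between the two calls leaves neither the old nor the new file at `tto`. rotate_serial and rotate_index earlier in this diff rely on rename() to swap the CA's serial and index files and rename back on failure, so a lost target there is a lost database backup. On NT-family Windows `MoveFileEx(tfrom, tto, MOVEFILE_REPLACE_EXISTING)` does the replacement in one call; whether it exists on the WinCE targets this code also builds for I cannot tell from here, so it would need the same `_WIN32_WCE` guard the MultiByteToWideChar calls already carry. The catch-all `errno = EINVAL` mapping is consistent with the callers, which only special-case ENOENT/ENOTDIR. jpake_server_auth at the top of this hunk has the same unchecked, un-freed `psk_key` assignment as the client side.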
--- a/openssl/apps/apps.h +++ b/openssl/apps/apps.h @@ -137,11 +137,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,                                         * (see e_os.h).  The string is                                         * destroyed! */ -#ifdef OPENSSL_SYS_WIN32 -#define rename(from,to) WIN32_rename((from),(to)) -int WIN32_rename(const char *oldname,const char *newname); -#endif -  #ifndef MONOLITH  #define MAIN(a,v)	main(a,v) @@ -149,11 +144,9 @@ int WIN32_rename(const char *oldname,const char *newname);  #ifndef NON_MAIN  CONF *config=NULL;  BIO *bio_err=NULL; -int in_FIPS_mode=0;  #else  extern CONF *config;  extern BIO *bio_err; -extern int in_FIPS_mode;  #endif  #else @@ -162,7 +155,6 @@ extern int in_FIPS_mode;  extern CONF *config;  extern char *default_config_file;  extern BIO *bio_err; -extern int in_FIPS_mode;  #endif 
@@ -176,61 +168,37 @@ extern int in_FIPS_mode;  #define do_pipe_sig()  #endif +#ifdef OPENSSL_NO_COMP +#define zlib_cleanup()  +#else +#define zlib_cleanup() COMP_zlib_cleanup() +#endif +  #if defined(MONOLITH) && !defined(OPENSSL_C)  #  define apps_startup() \  		do_pipe_sig()  #  define apps_shutdown()  #else  #  ifndef OPENSSL_NO_ENGINE -#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ -     defined(OPENSSL_SYS_WIN32) -#      ifdef _O_BINARY -#        define apps_startup() \ -			do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ -			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ -			ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -#      else -#        define apps_startup() \ -			do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +#    define apps_startup() \ +			do { do_pipe_sig(); CRYPTO_malloc_init(); \  			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \  			ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -#      endif -#    else -#      define apps_startup() \ -			do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ -			ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ -			setup_ui_method(); } while(0) -#    endif  #    define apps_shutdown() \  			do { CONF_modules_unload(1); destroy_ui_method(); \ -			EVP_cleanup(); ENGINE_cleanup(); \ -			CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ -			ERR_free_strings(); } while(0) +			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ +			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ +			ERR_free_strings(); zlib_cleanup();} while(0)  #  else -#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ -     defined(OPENSSL_SYS_WIN32) -#      ifdef _O_BINARY -#        define apps_startup() \ -			do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +#    define apps_startup() \ +			do { do_pipe_sig(); CRYPTO_malloc_init(); \  			ERR_load_crypto_strings(); 
OpenSSL_add_all_algorithms(); \  			setup_ui_method(); } while(0) -#      else -#        define apps_startup() \ -			do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ -			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ -			setup_ui_method(); } while(0) -#      endif -#    else -#      define apps_startup() \ -			do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ -			ERR_load_crypto_strings(); \ -			setup_ui_method(); } while(0) -#    endif  #    define apps_shutdown() \  			do { CONF_modules_unload(1); destroy_ui_method(); \ -			EVP_cleanup(); \ -			CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ -			ERR_free_strings(); } while(0) +			OBJ_cleanup(); EVP_cleanup(); \ +			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ +			ERR_free_strings(); zlib_cleanup(); } while(0)  #  endif  #endif @@ -240,6 +208,7 @@ extern int in_FIPS_mode;  #  define openssl_fdset(a,b) FD_SET(a, b)  #endif +  typedef struct args_st  	{  	char **data; @@ -282,6 +251,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,  	const char *pass, ENGINE *e, const char *key_descrip);  STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,  	const char *pass, ENGINE *e, const char *cert_descrip); +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, +	const char *pass, ENGINE *e, const char *cert_descrip);  X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);  #ifndef OPENSSL_NO_ENGINE  ENGINE *setup_engine(BIO *err, const char *engine, int debug); @@ -290,6 +261,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);  #ifndef OPENSSL_NO_OCSP  OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,  			char *host, char *path, char *port, int use_ssl, +			STACK_OF(CONF_VALUE) *headers,  			int req_timeout);  #endif 
@@ -331,13 +303,23 @@ int index_index(CA_DB *db);  int save_index(const char *dbfile, const char *suffix, CA_DB *db);  int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix);  void free_index(CA_DB *db); -int index_name_cmp(const char **a, const char **b); +#define index_name_cmp_noconst(a, b) \ +	index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ +	(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);  int parse_yesno(const char *str, int def);  X509_NAME *parse_name(char *str, long chtype, int multirdn);  int args_verify(char ***pargs, int *pargc,  			int *badarg, BIO *err, X509_VERIFY_PARAM **pm);  void policies_print(BIO *out, X509_STORE_CTX *ctx); +int bio_to_mem(unsigned char **out, int maxlen, BIO *in); +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); +int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, +			const char *algname, ENGINE *e, int do_param); +#ifndef OPENSSL_NO_PSK +extern char *psk_key; +#endif  #ifndef OPENSSL_NO_JPAKE  void jpake_client_auth(BIO *out, BIO *conn, const char *secret);  void jpake_server_auth(BIO *out, BIO *conn, const char *secret); @@ -353,6 +335,10 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);  #define FORMAT_ENGINE   7  #define FORMAT_IISSGC	8	/* XXX this stupid macro helps us to avoid  				 * adding yet another param to load_*key() */ +#define FORMAT_PEMRSA	9	/* PEM RSAPubicKey format */ +#define FORMAT_ASN1RSA	10	/* DER RSAPubicKey format */ +#define FORMAT_MSBLOB	11	/* MS Key blob format */ +#define FORMAT_PVK	12	/* MS PVK file format */  #define EXT_COPY_NONE	0  #define EXT_COPY_ADD	1 
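Review bot: The comments on the new FORMAT_PEMRSA and FORMAT_ASN1RSA defines misspell the structure name; they should read `/* PEM RSAPublicKey format */` and `/* DER RSAPublicKey format */`. The `load_crls` prototype names its last parameter `cert_descrip` although it describes CRLs; `desc`, as in the definition in apps.c, or `crl_descrip` would match. `extern char *psk_key;` is guarded by OPENSSL_NO_PSK while the JPAKE code that writes it is compiled under both OPENSSL_NO_JPAKE and OPENSSL_NO_PSK, so the guards agree, but a comment such as `/* hex shared key exported by the JPAKE handshake for the PSK callbacks */` would save the next reader a search.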
@@ -364,4 +350,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);  #define SERIAL_RAND_BITS	64 +int app_isdir(const char *); +int raw_read_stdin(void *,int); +int raw_write_stdout(const void *,int); + +#define TM_START	0 +#define TM_STOP		1 +double app_tminterval (int stop,int usertime);  #endif diff --git a/openssl/apps/asn1pars.c b/openssl/apps/asn1pars.c index bde61d02d..b5d65e725 100644 --- a/openssl/apps/asn1pars.c +++ b/openssl/apps/asn1pars.c @@ -96,7 +96,7 @@ int MAIN(int argc, char **argv)  	unsigned char *tmpbuf;  	const unsigned char *ctmpbuf;  	BUF_MEM *buf=NULL; -	STACK *osk=NULL; +	STACK_OF(OPENSSL_STRING) *osk=NULL;  	ASN1_TYPE *at=NULL;  	informat=FORMAT_PEM; @@ -113,7 +113,7 @@ int MAIN(int argc, char **argv)  	prog=argv[0];  	argc--;  	argv++; -	if ((osk=sk_new_null()) == NULL) +	if ((osk=sk_OPENSSL_STRING_new_null()) == NULL)  		{  		BIO_printf(bio_err,"Memory allocation failure\n");  		goto end; @@ -169,7 +169,7 @@ int MAIN(int argc, char **argv)  		else if (strcmp(*argv,"-strparse") == 0)  			{  			if (--argc < 1) goto bad; -			sk_push(osk,*(++argv)); +			sk_OPENSSL_STRING_push(osk,*(++argv));  			}  		else if (strcmp(*argv,"-genstr") == 0)  			{ @@ -302,18 +302,18 @@ bad:  	/* If any structs to parse go through in sequence */ -	if (sk_num(osk)) +	if (sk_OPENSSL_STRING_num(osk))  		{  		tmpbuf=(unsigned char *)str;  		tmplen=num; -		for (i=0; i<sk_num(osk); i++) +		for (i=0; i<sk_OPENSSL_STRING_num(osk); i++)  			{  			ASN1_TYPE *atmp;  			int typ; -			j=atoi(sk_value(osk,i)); +			j=atoi(sk_OPENSSL_STRING_value(osk,i));  			if (j == 0)  				{ -				BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i)); +				BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i));  				continue;  				}  			tmpbuf+=j; 
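Review bot: `-strparse` offsets are still parsed with `atoi` and rejected only when the result is 0, so a negative value moves `tmpbuf` before the buffer and a value larger than the remaining length moves it past the end at `tmpbuf+=j;`; no range check is visible after the hunk, and if there is none the following parse reads out of bounds on a user-supplied offset. A guard before the adjustment closes it: `if (j <= 0 || j >= tmplen) { BIO_printf(bio_err, "'%s' is out of range\n", sk_OPENSSL_STRING_value(osk,i)); continue; }`, which subsumes the existing `j == 0` test. The enclosing loop continues past the hunk.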
@@ -378,7 +378,7 @@ end:  		ERR_print_errors(bio_err);  	if (buf != NULL) BUF_MEM_free(buf);  	if (at != NULL) ASN1_TYPE_free(at); -	if (osk != NULL) sk_free(osk); +	if (osk != NULL) sk_OPENSSL_STRING_free(osk);  	OBJ_cleanup();  	apps_shutdown();  	OPENSSL_EXIT(ret); diff --git a/openssl/apps/ca.c b/openssl/apps/ca.c index 68516ee9b..6b8b0ef8f 100644 --- a/openssl/apps/ca.c +++ b/openssl/apps/ca.c @@ -63,7 +63,6 @@  #include <string.h>  #include <ctype.h>  #include <sys/types.h> -#include <sys/stat.h>  #include <openssl/conf.h>  #include <openssl/bio.h>  #include <openssl/err.h> @@ -83,7 +82,7 @@  #    else  #      include <unixlib.h>  #    endif -#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) +#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)  #    include <sys/file.h>  #  endif  #endif @@ -216,7 +215,6 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,  			 char *startdate, char *enddate, long days, char *ext_sect,  			 CONF *conf, int verbose, unsigned long certopt,   			 unsigned long nameopt, int default_op, int ext_copy); -static int fix_data(int nid, int *type);  static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);  static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,  	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, 
@@ -227,7 +225,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,  static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);  static int get_certificate_status(const char *ser_status, CA_DB *db);  static int do_updatedb(CA_DB *db); -static int check_time_format(char *str); +static int check_time_format(const char *str);  char *make_revocation_str(int rev_type, char *rev_arg);  int make_revoked(X509_REVOKED *rev, const char *str);  int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); @@ -259,6 +257,7 @@ int MAIN(int argc, char **argv)  	int doupdatedb=0;  	long crldays=0;  	long crlhours=0; +	long crlsec=0;  	long errorline= -1;  	char *configfile=NULL;  	char *md=NULL; @@ -306,7 +305,8 @@ int MAIN(int argc, char **argv)  	ASN1_TIME *tmptm;  	ASN1_INTEGER *tmpser;  	char *f; -	const char *p, **pp; +	const char *p; +	char * const *pp;  	int i,j;  	const EVP_MD *dgst=NULL;  	STACK_OF(CONF_VALUE) *attribs=NULL; @@ -457,6 +457,11 @@ EF_ALIGNMENT=0;  			if (--argc < 1) goto bad;  			crlhours= atol(*(++argv));  			} +		else if (strcmp(*argv,"-crlsec") == 0) +			{ +			if (--argc < 1) goto bad; +			crlsec = atol(*(++argv)); +			}  		else if (strcmp(*argv,"-infiles") == 0)  			{  			argc--; @@ -550,8 +555,10 @@ bad:  	if (badops)  		{ -		for (pp=ca_usage; (*pp != NULL); pp++) -			BIO_printf(bio_err,"%s",*pp); +		const char **pp2; + +		for (pp2=ca_usage; (*pp2 != NULL); pp2++) +			BIO_printf(bio_err,"%s",*pp2);  		goto err;  		} @@ -826,7 +833,6 @@ bad:  	/* lookup where to write new certificates */  	if ((outdir == NULL) && (req))  		{ -		struct stat sb;  		if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))  			== NULL) 
@@ -845,28 +851,24 @@ bad:  	       that to access().  However, time's too short to do that just  	       now.  	    */ +#ifndef _WIN32  		if (access(outdir,R_OK|W_OK|X_OK) != 0) +#else +		if (_access(outdir,R_OK|W_OK|X_OK) != 0) +#endif  			{  			BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);  			perror(outdir);  			goto err;  			} -		if (stat(outdir,&sb) != 0) -			{ -			BIO_printf(bio_err,"unable to stat(%s)\n",outdir); -			perror(outdir); -			goto err; -			} -#ifdef S_IFDIR -		if (!(sb.st_mode & S_IFDIR)) +		if (app_isdir(outdir)<=0)  			{  			BIO_printf(bio_err,"%s need to be a directory\n",outdir);  			perror(outdir);  			goto err;  			}  #endif -#endif  		}  	/*****************************************************************/ @@ -880,9 +882,9 @@ bad:  	if (db == NULL) goto err;  	/* Lets check some fields */ -	for (i=0; i<sk_num(db->db->data); i++) +	for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)  		{ -		pp=(const char **)sk_value(db->db->data,i); +		pp=sk_OPENSSL_PSTRING_value(db->db->data,i);  		if ((pp[DB_type][0] != DB_TYPE_REV) &&  			(pp[DB_rev_date][0] != '\0'))  			{ @@ -935,7 +937,7 @@ bad:  #endif  		TXT_DB_write(out,db->db);  		BIO_printf(bio_err,"%d entries loaded from the database\n", -			db->db->data->num); +			   sk_OPENSSL_PSTRING_num(db->db->data));  		BIO_printf(bio_err,"generating index\n");  		} @@ -1026,6 +1028,17 @@ bad:  		goto err;  		} +	if (!strcmp(md, "default")) +		{ +		int def_nid; +		if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) +			{ +			BIO_puts(bio_err,"no default digest\n"); +			goto err; +			} +		md = (char *)OBJ_nid2sn(def_nid); +		} +  	if ((dgst=EVP_get_digestbyname(md)) == NULL)  		{  		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); 
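Review bot: The new `#else` branch calls `_access(outdir,R_OK|W_OK|X_OK)`, but the MSVC runtime documents only mode values 0, 2, 4 and 6 for `_access`; with `X_OK` (1) folded in the call is expected to fail with EINVAL, so every run that writes to `new_certs_dir` on Windows would stop at "I am unable to access" — worth confirming against the CRT you build with. Suggest `_access(outdir,R_OK|W_OK)` in that branch, assuming `R_OK`/`W_OK` are already defined for Windows builds somewhere in apps.h (they must be for this line to compile at all). Separately, the `app_isdir(outdir)<=0` path still calls `perror(outdir)`, which prints a stale `errno` when `app_isdir` returns 0 for an existing non-directory; only call `perror` when the return was negative. The comment just above the hunk already records that `access()` tests the real uid while the later open uses the effective uid, so that uid-mismatch/TOCTOU gap remains open in this change.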
@@ -1095,9 +1108,9 @@ bad:  			if (startdate == NULL)  				ERR_clear_error();  			} -		if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) +		if (startdate && !ASN1_TIME_set_string(NULL, startdate))  			{ -			BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n"); +			BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");  			goto err;  			}  		if (startdate == NULL) startdate="today"; @@ -1109,9 +1122,9 @@ bad:  			if (enddate == NULL)  				ERR_clear_error();  			} -		if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) +		if (enddate && !ASN1_TIME_set_string(NULL, enddate))  			{ -			BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n"); +			BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");  			goto err;  			} @@ -1249,7 +1262,12 @@ bad:  				BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);  				(void)BIO_flush(bio_err);  				buf[0][0]='\0'; -				fgets(buf[0],10,stdin); +				if (!fgets(buf[0],10,stdin)) +					{ +					BIO_printf(bio_err,"CERTIFICATION CANCELED: I/O error\n");  +					ret=0; +					goto err; +					}  				if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))  					{  					BIO_printf(bio_err,"CERTIFICATION CANCELED\n");  @@ -1366,7 +1384,7 @@ bad:  				goto err;  				} -		if (!crldays && !crlhours) +		if (!crldays && !crlhours && !crlsec)  			{  			if (!NCONF_get_number(conf,section,  				ENV_DEFAULT_CRL_DAYS, &crldays)) @@ -1375,7 +1393,7 @@ bad:  				ENV_DEFAULT_CRL_HOURS, &crlhours))  				crlhours = 0;  			} -		if ((crldays == 0) && (crlhours == 0)) +		if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))  			{  			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");  			goto err; 
@@ -1389,14 +1407,19 @@ bad:  		if (!tmptm) goto err;  		X509_gmtime_adj(tmptm,0);  		X509_CRL_set_lastUpdate(crl, tmptm);	 -		X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); +		if (!X509_time_adj_ex(tmptm, crldays, crlhours*60*60 + crlsec, +			NULL)) +			{ +			BIO_puts(bio_err, "error setting CRL nextUpdate\n"); +			goto err; +			}  		X509_CRL_set_nextUpdate(crl, tmptm);	  		ASN1_TIME_free(tmptm); -		for (i=0; i<sk_num(db->db->data); i++) +		for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)  			{ -			pp=(const char **)sk_value(db->db->data,i); +			pp=sk_OPENSSL_PSTRING_value(db->db->data,i);  			if (pp[DB_type][0] == DB_TYPE_REV)  				{  				if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1422,15 +1445,6 @@ bad:  		/* we now have a CRL */  		if (verbose) BIO_printf(bio_err,"signing CRL\n"); -#ifndef OPENSSL_NO_DSA -		if (pkey->type == EVP_PKEY_DSA)  -			dgst=EVP_dss1(); -		else -#endif -#ifndef OPENSSL_NO_ECDSA -		if (pkey->type == EVP_PKEY_EC) -			dgst=EVP_ecdsa(); -#endif  		/* Add any extensions asked for */ @@ -1463,6 +1477,12 @@ bad:  		if (crlnumberfile != NULL)	/* we have a CRL number that need updating */  			if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; +		if (crlnumber) +			{ +			BN_free(crlnumber); +			crlnumber = NULL; +			} +  		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;  		PEM_write_bio_X509_CRL(Sout,crl); @@ -1515,6 +1535,7 @@ err:  	if (free_key && key)  		OPENSSL_free(key);  	BN_free(serial); +	BN_free(crlnumber);  	free_index(db);  	EVP_PKEY_free(pkey);  	if (x509) X509_free(x509); @@ -1673,7 +1694,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,  	int ok= -1,i,j,last,nid;  	const char *p;  	CONF_VALUE *cv; -	char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; +	OPENSSL_STRING row[DB_NUMBER]; +	OPENSSL_STRING *irow=NULL; +	OPENSSL_STRING *rrow=NULL;  	char buf[25];  	tmptm=ASN1_UTCTIME_new(); 
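Review bot: The new error branch after `X509_time_adj_ex` jumps to `err` without releasing `tmptm`, which is owned here (`if (!tmptm) goto err;` a few lines up) and is otherwise freed only after `X509_CRL_set_nextUpdate`; add `ASN1_TIME_free(tmptm);` before that `goto err;`. While here, the return values of `X509_CRL_set_lastUpdate` and `X509_CRL_set_nextUpdate` are still ignored, so a failed copy would go on to sign a CRL with a missing or stale nextUpdate; `if (!X509_CRL_set_nextUpdate(crl, tmptm)) { ASN1_TIME_free(tmptm); goto err; }` keeps this code consistent with the check the commit just added. The CRL-generation block this sits in begins before the hunk.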
@@ -1915,7 +1938,9 @@ again2:  	if (db->attributes.unique_subject)  		{ -		rrow=TXT_DB_get_by_index(db->db,DB_name,row); +		OPENSSL_STRING *crow=row; + +		rrow=TXT_DB_get_by_index(db->db,DB_name,crow);  		if (rrow != NULL)  			{  			BIO_printf(bio_err, @@ -1991,11 +2016,11 @@ again2:  	if (strcmp(startdate,"today") == 0)  		X509_gmtime_adj(X509_get_notBefore(ret),0); -	else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); +	else ASN1_TIME_set_string(X509_get_notBefore(ret),startdate);  	if (enddate == NULL) -		X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days); -	else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); +		X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL); +	else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);  	if (!X509_set_subject_name(ret,subject)) goto err; @@ -2091,7 +2116,7 @@ again2:  		}  	BIO_printf(bio_err,"Certificate is to be certified until "); -	ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); +	ASN1_TIME_print(bio_err,X509_get_notAfter(ret));  	if (days) BIO_printf(bio_err," (%ld days)",days);  	BIO_printf(bio_err, "\n"); @@ -2101,7 +2126,12 @@ again2:  		BIO_printf(bio_err,"Sign the certificate? [y/n]:");  		(void)BIO_flush(bio_err);  		buf[0]='\0'; -		fgets(buf,sizeof(buf)-1,stdin); +		if (!fgets(buf,sizeof(buf)-1,stdin)) +			{ +			BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); +			ok=0; +			goto err; +			}  		if (!((buf[0] == 'y') || (buf[0] == 'Y')))  			{  			BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); 
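Review bot: Both calls that set the certificate validity are unchecked: `X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL)` and `ASN1_TIME_set_string(X509_get_notAfter(ret),enddate)` (and the notBefore pair above them) can fail, and the code falls through to `X509_set_subject_name` and eventually signs whatever the template's notAfter field holds. `do_body` already has an `err:` label (the "Sign the certificate?" branch below jumps to it), so the fix is local: `if (enddate == NULL) { if (!X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL)) goto err; } else if (!ASN1_TIME_set_string(X509_get_notAfter(ret), enddate)) goto err;`, and the same shape for the notBefore lines. `enddate` was validated with `ASN1_TIME_set_string(NULL, ...)` in `MAIN`, but a failure of `X509_time_adj_ex` (for example on an out-of-range `days`) is only caught here, if at all. `do_body` starts and ends outside this hunk.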
@@ -2110,25 +2140,11 @@ again2:  			}  		} - -#ifndef OPENSSL_NO_DSA -	if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();  	pktmp=X509_get_pubkey(ret);  	if (EVP_PKEY_missing_parameters(pktmp) &&  		!EVP_PKEY_missing_parameters(pkey))  		EVP_PKEY_copy_parameters(pktmp,pkey);  	EVP_PKEY_free(pktmp); -#endif -#ifndef OPENSSL_NO_ECDSA -	if (pkey->type == EVP_PKEY_EC) -		dgst = EVP_ecdsa(); -	pktmp = X509_get_pubkey(ret); -	if (EVP_PKEY_missing_parameters(pktmp) && -		!EVP_PKEY_missing_parameters(pkey)) -		EVP_PKEY_copy_parameters(pktmp, pkey); -	EVP_PKEY_free(pktmp); -#endif -  	if (!X509_sign(ret,pkey,dgst))  		goto err; @@ -2230,7 +2246,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,  	     unsigned long nameopt, int default_op, int ext_copy)  	{  	STACK_OF(CONF_VALUE) *sk=NULL; -	LHASH *parms=NULL; +	LHASH_OF(CONF_VALUE) *parms=NULL;  	X509_REQ *req=NULL;  	CONF_VALUE *cv=NULL;  	NETSCAPE_SPKI *spki = NULL; @@ -2317,25 +2333,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,  			continue;  			} -		/* -		if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) -			continue; -		*/ -		 -		j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); -		if (fix_data(nid, &j) == 0) -			{ -			BIO_printf(bio_err, -				"invalid characters in string %s\n",buf); -			goto err; -			} - -		if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, -			(unsigned char *)buf, -			strlen(buf))) == NULL) +		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, +				(unsigned char *)buf, -1, -1, 0))  			goto err; - -		if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;  		}  	if (spki == NULL)  		{ 
@@ -2378,29 +2378,9 @@ err:  	return(ok);  	} -static int fix_data(int nid, int *type) +static int check_time_format(const char *str)  	{ -	if (nid == NID_pkcs9_emailAddress) -		*type=V_ASN1_IA5STRING; -	if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) -		*type=V_ASN1_T61STRING; -	if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) -		*type=V_ASN1_T61STRING; -	if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) -		return(0); -	if (nid == NID_pkcs9_unstructuredName) -		*type=V_ASN1_IA5STRING; -	return(1); -	} - -static int check_time_format(char *str) -	{ -	ASN1_UTCTIME tm; - -	tm.data=(unsigned char *)str; -	tm.length=strlen(str); -	tm.type=V_ASN1_UTCTIME; -	return(ASN1_UTCTIME_check(&tm)); +	return ASN1_TIME_set_string(NULL, str);  	}  static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) @@ -2415,6 +2395,8 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)  		row[i]=NULL;  	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);  	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); +	if (!bn) +		goto err;  	if (BN_is_zero(bn))  		row[DB_serial]=BUF_strdup("00");  	else @@ -2484,7 +2466,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)  		goto err;  		} -	else if (index_name_cmp((const char **)row,(const char **)rrow)) +	else if (index_name_cmp_noconst(row, rrow))  		{  		BIO_printf(bio_err,"ERROR:name does not match %s\n",  			   row[DB_name]); @@ -2633,9 +2615,9 @@ static int do_updatedb (CA_DB *db)  	else  		a_y2k = 0; -	for (i = 0; i < sk_num(db->db->data); i++) +	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)  		{ -		rrow = (char **) sk_value(db->db->data, i); +		rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);  		if (rrow[DB_type][0] == 'V')  		 	{ 
@@ -2882,22 +2864,13 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)  	p=(char *)str->data;  	for (j=str->length; j>0; j--)  		{ -#ifdef CHARSET_EBCDIC -		if ((*p >= 0x20) && (*p <= 0x7e)) -			BIO_printf(bp,"%c",os_toebcdic[*p]); -#else  		if ((*p >= ' ') && (*p <= '~'))  			BIO_printf(bp,"%c",*p); -#endif  		else if (*p & 0x80)  			BIO_printf(bp,"\\0x%02X",*p);  		else if ((unsigned char)*p == 0xf7)  			BIO_printf(bp,"^?"); -#ifdef CHARSET_EBCDIC -		else	BIO_printf(bp,"^%c",os_toebcdic[*p+0x40]); -#else  		else	BIO_printf(bp,"^%c",*p+'@'); -#endif  		p++;  		}  	BIO_printf(bp,"'\n"); diff --git a/openssl/apps/ciphers.c b/openssl/apps/ciphers.c index 43f0ac594..3d4c60db9 100644 --- a/openssl/apps/ciphers.c +++ b/openssl/apps/ciphers.c @@ -71,7 +71,8 @@  static const char *ciphers_usage[]={  "usage: ciphers args\n", -" -v          - verbose mode, a textual listing of the ciphers in SSLeay\n", +" -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", +" -V          - even more verbose\n",  " -ssl2       - SSL2 mode\n",  " -ssl3       - SSL3 mode\n",  " -tls1       - TLS1 mode\n", @@ -83,14 +84,14 @@ int MAIN(int, char **);  int MAIN(int argc, char **argv)  	{  	int ret=1,i; -	int verbose=0; +	int verbose=0,Verbose=0;  	const char **pp;  	const char *p;  	int badops=0;  	SSL_CTX *ctx=NULL;  	SSL *ssl=NULL;  	char *ciphers=NULL; -	SSL_METHOD *meth=NULL; +	const SSL_METHOD *meth=NULL;  	STACK_OF(SSL_CIPHER) *sk;  	char buf[512];  	BIO *STDout=NULL; @@ -114,6 +115,8 @@ int MAIN(int argc, char **argv)  	STDout = BIO_push(tmpbio, STDout);  	}  #endif +	if (!load_config(bio_err, NULL)) +		goto end;  	argc--;  	argv++; @@ -121,6 +124,8 @@ int MAIN(int argc, char **argv)  		{  		if (strcmp(*argv,"-v") == 0)  			verbose=1; +		else if (strcmp(*argv,"-V") == 0) +			verbose=Verbose=1;  #ifndef OPENSSL_NO_SSL2  		else if (strcmp(*argv,"-ssl2") == 0)  			meth=SSLv2_client_method(); 
@@ -179,15 +184,33 @@ int MAIN(int argc, char **argv)  			}  		BIO_printf(STDout,"\n");  		} -	else +	else /* verbose */  		{  		sk=SSL_get_ciphers(ssl);  		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)  			{ -			BIO_puts(STDout,SSL_CIPHER_description( -				sk_SSL_CIPHER_value(sk,i), -				buf,sizeof buf)); +			SSL_CIPHER *c; + +			c = sk_SSL_CIPHER_value(sk,i); +			 +			if (Verbose) +				{ +				unsigned long id = c->id; +				int id0 = (int)(id >> 24); +				int id1 = (int)((id >> 16) & 0xffL); +				int id2 = (int)((id >> 8) & 0xffL); +				int id3 = (int)(id & 0xffL); +				 +				if ((id & 0xff000000L) == 0x02000000L) +					BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */ +				else if ((id & 0xff000000L) == 0x03000000L) +					BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */ +				else +					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ +				} + +			BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf));  			}  		} diff --git a/openssl/apps/cms.c b/openssl/apps/cms.c index 6d227acab..d29a88490 100644 --- a/openssl/apps/cms.c +++ b/openssl/apps/cms.c @@ -71,8 +71,9 @@  static int save_certs(char *signerfile, STACK_OF(X509) *signers);  static int cms_cb(int ok, X509_STORE_CTX *ctx);  static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, -								STACK *rr_from); +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, +						int rr_allorfirst, +					STACK_OF(OPENSSL_STRING) *rr_from);  #define SMIME_OP	0x10  #define SMIME_IP	0x20 @@ -94,6 +95,8 @@ static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,  #define SMIME_SIGN_RECEIPT	(15 | SMIME_IP | SMIME_OP)  #define SMIME_VERIFY_RECEIPT	(16 | SMIME_IP) +int verify_err = 0; +  int MAIN(int, char **);  int MAIN(int argc, char **argv) 
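Review bot: `int verify_err = 0;` is a file-scope definition with external linkage, so it lands in the global namespace of the single `openssl` binary into which every app is linked; another app defining `verify_err` would silently alias or clash with it. Declare it `static int verify_err = 0;`, and since it is written from `cms_cb` and read back in `MAIN` (both in later hunks of this file), a comment such as `/* last X509_STORE_CTX error seen by cms_cb; reported via -verify_retcode */` would explain why file-scope state is needed at all.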
@@ -105,7 +108,7 @@ int MAIN(int argc, char **argv)  	const char *inmode = "r", *outmode = "w";  	char *infile = NULL, *outfile = NULL, *rctfile = NULL;  	char *signerfile = NULL, *recipfile = NULL; -	STACK *sksigners = NULL, *skkeys = NULL; +	STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;  	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;  	char *certsoutfile = NULL;  	const EVP_CIPHER *cipher = NULL; @@ -116,9 +119,10 @@ int MAIN(int argc, char **argv)  	STACK_OF(X509) *encerts = NULL, *other = NULL;  	BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;  	int badarg = 0; -	int flags = CMS_DETACHED; +	int flags = CMS_DETACHED, noout = 0, print = 0; +	int verify_retcode = 0;  	int rr_print = 0, rr_allorfirst = -1; -	STACK *rr_to = NULL, *rr_from = NULL; +	STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;  	CMS_ReceiptRequest *rr = NULL;  	char *to = NULL, *from = NULL, *subject = NULL;  	char *CAfile = NULL, *CApath = NULL; @@ -166,6 +170,8 @@ int MAIN(int argc, char **argv)  			operation = SMIME_RESIGN;  		else if (!strcmp (*args, "-verify"))  			operation = SMIME_VERIFY; +		else if (!strcmp (*args, "-verify_retcode")) +			verify_retcode = 1;  		else if (!strcmp(*args,"-verify_receipt"))  			{  			operation = SMIME_VERIFY_RECEIPT; 
@@ -252,21 +258,17 @@ int MAIN(int argc, char **argv)  		else if (!strcmp (*args, "-no_attr_verify"))  				flags |= CMS_NO_ATTR_VERIFY;  		else if (!strcmp (*args, "-stream")) -				{ -				args++; -				continue; -				} +				flags |= CMS_STREAM;  		else if (!strcmp (*args, "-indef")) -				{ -				args++; -				continue; -				} +				flags |= CMS_STREAM;  		else if (!strcmp (*args, "-noindef"))  				flags &= ~CMS_STREAM;  		else if (!strcmp (*args, "-nooldmime"))  				flags |= CMS_NOOLDMIMETYPE;  		else if (!strcmp (*args, "-crlfeol"))  				flags |= CMS_CRLFEOL; +		else if (!strcmp (*args, "-noout")) +				noout = 1;  		else if (!strcmp (*args, "-receipt_request_print"))  				rr_print = 1;  		else if (!strcmp (*args, "-receipt_request_all")) @@ -279,8 +281,8 @@ int MAIN(int argc, char **argv)  				goto argerr;  			args++;  			if (!rr_from) -				rr_from = sk_new_null(); -			sk_push(rr_from, *args); +				rr_from = sk_OPENSSL_STRING_new_null(); +			sk_OPENSSL_STRING_push(rr_from, *args);  			}  		else if (!strcmp(*args,"-receipt_request_to"))  			{ @@ -288,9 +290,14 @@ int MAIN(int argc, char **argv)  				goto argerr;  			args++;  			if (!rr_to) -				rr_to = sk_new_null(); -			sk_push(rr_to, *args); +				rr_to = sk_OPENSSL_STRING_new_null(); +			sk_OPENSSL_STRING_push(rr_to, *args);  			} +		else if (!strcmp (*args, "-print")) +				{ +				noout = 1; +				print = 1; +				}  		else if (!strcmp(*args,"-secretkey"))  			{  			long ltmp; @@ -380,13 +387,13 @@ int MAIN(int argc, char **argv)  			if (signerfile)  				{  				if (!sksigners) -					sksigners = sk_new_null(); -				sk_push(sksigners, signerfile); +					sksigners = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(sksigners, signerfile);  				if (!keyfile)  					keyfile = signerfile;  				if (!skkeys) -					skkeys = sk_new_null(); -				sk_push(skkeys, keyfile); +					skkeys = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(skkeys, keyfile);  				keyfile = NULL;  				}  			signerfile = *++args; 
@@ -428,12 +435,12 @@ int MAIN(int argc, char **argv)  					goto argerr;  					}  				if (!sksigners) -					sksigners = sk_new_null(); -				sk_push(sksigners, signerfile); +					sksigners = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(sksigners, signerfile);  				signerfile = NULL;  				if (!skkeys) -					skkeys = sk_new_null(); -				sk_push(skkeys, keyfile); +					skkeys = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(skkeys, keyfile);  				}  			keyfile = *++args;  			} @@ -532,13 +539,13 @@ int MAIN(int argc, char **argv)  		if (signerfile)  			{  			if (!sksigners) -				sksigners = sk_new_null(); -			sk_push(sksigners, signerfile); +				sksigners = sk_OPENSSL_STRING_new_null(); +			sk_OPENSSL_STRING_push(sksigners, signerfile);  			if (!skkeys) -				skkeys = sk_new_null(); +				skkeys = sk_OPENSSL_STRING_new_null();  			if (!keyfile)  				keyfile = signerfile; -			sk_push(skkeys, keyfile); +			sk_OPENSSL_STRING_push(skkeys, keyfile);  			}  		if (!sksigners)  			{ @@ -697,7 +704,7 @@ int MAIN(int argc, char **argv)  		if (secret_key && !secret_keyid)  			{ -			BIO_printf(bio_err, "No sectre key id\n"); +			BIO_printf(bio_err, "No secret key id\n");  			goto end;  			} @@ -873,7 +880,7 @@ int MAIN(int argc, char **argv)  		{  		if (!(store = setup_verify(bio_err, CAfile, CApath)))  			goto end; -		X509_STORE_set_verify_cb_func(store, cms_cb); +		X509_STORE_set_verify_cb(store, cms_cb);  		if (vpm)  			X509_STORE_set1_param(store, vpm);  		} 
@@ -973,11 +980,11 @@ int MAIN(int argc, char **argv)  			}  		else  			flags |= CMS_REUSE_DIGEST; -		for (i = 0; i < sk_num(sksigners); i++) +		for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++)  			{  			CMS_SignerInfo *si; -			signerfile = sk_value(sksigners, i); -			keyfile = sk_value(skkeys, i); +			signerfile = sk_OPENSSL_STRING_value(sksigners, i); +			keyfile = sk_OPENSSL_STRING_value(skkeys, i);  			signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,  					e, "signer certificate");  			if (!signer) @@ -1075,6 +1082,8 @@ int MAIN(int argc, char **argv)  		else  			{  			BIO_printf(bio_err, "Verification failure\n"); +			if (verify_retcode) +				ret = verify_err + 32;  			goto end;  			}  		if (signerfile) @@ -1107,7 +1116,12 @@ int MAIN(int argc, char **argv)  		}  	else  		{ -		if (outformat == FORMAT_SMIME) +		if (noout) +			{ +			if (print) +				CMS_ContentInfo_print_ctx(out, cms, 0, NULL); +			} +		else if (outformat == FORMAT_SMIME)  			{  			if (to)  				BIO_printf(out, "To: %s\n", to); @@ -1121,9 +1135,9 @@ int MAIN(int argc, char **argv)  				ret = SMIME_write_CMS(out, cms, in, flags);  			}  		else if (outformat == FORMAT_PEM)  -			ret = PEM_write_bio_CMS(out, cms); +			ret = PEM_write_bio_CMS_stream(out, cms, in, flags);  		else if (outformat == FORMAT_ASN1)  -			ret = i2d_CMS_bio(out,cms); +			ret = i2d_CMS_bio_stream(out,cms, in, flags);  		else  			{  			BIO_printf(bio_err, "Bad output format for CMS file\n"); @@ -1146,9 +1160,9 @@ end:  	if (vpm)  		X509_VERIFY_PARAM_free(vpm);  	if (sksigners) -		sk_free(sksigners); +		sk_OPENSSL_STRING_free(sksigners);  	if (skkeys) -		sk_free(skkeys); +		sk_OPENSSL_STRING_free(skkeys);  	if (secret_key)  		OPENSSL_free(secret_key);  	if (secret_keyid) 
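Review bot: `ret = verify_err + 32;` turns the last error recorded by `cms_cb` into the process exit status, but `cms_cb` (next hunk) assigns `verify_err = error` on every callback invocation, including the successful ones that may follow a failure elsewhere in the chain, so the value reported could be `X509_V_OK` (exit 32 with no reason) rather than the error that caused "Verification failure"; only record it on failure, `if (!ok) verify_err = error;`. The shell also truncates the exit status to eight bits, so the `-verify_retcode` mapping (error code + 32) should be documented in the usage text, which is not in this view. The verify branch of `MAIN` that contains this begins before the hunk.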
@@ -1158,9 +1172,9 @@ end:  	if (rr)  		CMS_ReceiptRequest_free(rr);  	if (rr_to) -		sk_free(rr_to); +		sk_OPENSSL_STRING_free(rr_to);  	if (rr_from) -		sk_free(rr_from); +		sk_OPENSSL_STRING_free(rr_from);  	X509_STORE_free(store);  	X509_free(cert);  	X509_free(recip); @@ -1199,6 +1213,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx)  	error = X509_STORE_CTX_get_error(ctx); +	verify_err = error; +  	if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)  		&& ((error != X509_V_OK) || (ok != 2)))  		return ok; @@ -1280,7 +1296,7 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)  		}  	} -static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) +static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)  	{  	int i;  	STACK_OF(GENERAL_NAMES) *ret; @@ -1289,12 +1305,10 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)  	ret = sk_GENERAL_NAMES_new_null();  	if (!ret)  		goto err; -	for (i = 0; i < sk_num(ns); i++) +	for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++)  		{ -		CONF_VALUE cnf; -		cnf.name = "email"; -		cnf.value = sk_value(ns, i); -		gen = v2i_GENERAL_NAME(NULL, NULL, &cnf); +		char *str = sk_OPENSSL_STRING_value(ns, i); +		gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);  		if (!gen)  			goto err;  		gens = GENERAL_NAMES_new(); @@ -1321,8 +1335,9 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)  	} -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, -								STACK *rr_from) +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, +						int rr_allorfirst, +						STACK_OF(OPENSSL_STRING) *rr_from)  	{  	STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;  	CMS_ReceiptRequest *rr; diff --git a/openssl/apps/crl2p7.c b/openssl/apps/crl2p7.c index b2f2d121d..bbc83774d 100644 --- a/openssl/apps/crl2p7.c +++ b/openssl/apps/crl2p7.c 
@@ -63,7 +63,6 @@  #include <stdio.h>  #include <string.h>  #include <sys/types.h> -#include <sys/stat.h>  #include "apps.h"  #include <openssl/err.h>  #include <openssl/evp.h> @@ -93,7 +92,7 @@ int MAIN(int argc, char **argv)  	PKCS7 *p7 = NULL;  	PKCS7_SIGNED *p7s = NULL;  	X509_CRL *crl=NULL; -	STACK *certflst=NULL; +	STACK_OF(OPENSSL_STRING) *certflst=NULL;  	STACK_OF(X509_CRL) *crl_stack=NULL;  	STACK_OF(X509) *cert_stack=NULL;  	int ret=1,nocrl=0; @@ -141,8 +140,8 @@ int MAIN(int argc, char **argv)  		else if (strcmp(*argv,"-certfile") == 0)  			{  			if (--argc < 1) goto bad; -			if(!certflst) certflst = sk_new_null(); -			sk_push(certflst,*(++argv)); +			if(!certflst) certflst = sk_OPENSSL_STRING_new_null(); +			sk_OPENSSL_STRING_push(certflst,*(++argv));  			}  		else  			{ @@ -227,8 +226,8 @@ bad:  	if ((cert_stack=sk_X509_new_null()) == NULL) goto end;  	p7s->cert=cert_stack; -	if(certflst) for(i = 0; i < sk_num(certflst); i++) { -		certfile = sk_value(certflst, i); +	if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { +		certfile = sk_OPENSSL_STRING_value(certflst, i);  		if (add_certs_from_file(cert_stack,certfile) < 0)  			{  			BIO_printf(bio_err, "error loading certificates\n"); @@ -237,7 +236,7 @@ bad:  			}  	} -	sk_free(certflst); +	sk_OPENSSL_STRING_free(certflst);  	if (outfile == NULL)  		{ @@ -295,19 +294,12 @@ end:   */  static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)  	{ -	struct stat st;  	BIO *in=NULL;  	int count=0;  	int ret= -1;  	STACK_OF(X509_INFO) *sk=NULL;  	X509_INFO *xi; -	if ((stat(certfile,&st) != 0)) -		{ -		BIO_printf(bio_err,"unable to load the file, %s\n",certfile); -		goto end; -		} -  	in=BIO_new(BIO_s_file());  	if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0))  		{ diff --git a/openssl/apps/dgst.c b/openssl/apps/dgst.c index 9ebfc22e7..9bf38ce73 100644 --- a/openssl/apps/dgst.c +++ b/openssl/apps/dgst.c 
@@ -75,8 +75,29 @@  #define PROG	dgst_main  int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, -	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, -	  const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow); +	  EVP_PKEY *key, unsigned char *sigin, int siglen, +	  const char *sig_name, const char *md_name, +	  const char *file,BIO *bmd); + +static void list_md_fn(const EVP_MD *m, +			const char *from, const char *to, void *arg) +	{ +	const char *mname; +	/* Skip aliases */ +	if (!m) +		return; +	mname = OBJ_nid2ln(EVP_MD_type(m)); +	/* Skip shortnames */ +	if (strcmp(from, mname)) +		return; +	/* Skip clones */ +	if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) +		return; +	if (strchr(mname, ' ')) +		mname= EVP_MD_name(m); +	BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", +			mname, mname); +	}  int MAIN(int, char **); @@ -89,7 +110,6 @@ int MAIN(int argc, char **argv)  	BIO *in=NULL,*inp;  	BIO *bmd=NULL;  	BIO *out = NULL; -	const char *name;  #define PROG_NAME_SIZE  39  	char pname[PROG_NAME_SIZE+1];  	int separator=0; @@ -101,16 +121,16 @@ int MAIN(int argc, char **argv)  	EVP_PKEY *sigkey = NULL;  	unsigned char *sigbuf = NULL;  	int siglen = 0; -	unsigned int sig_flags = 0;  	char *passargin = NULL, *passin = NULL;  #ifndef OPENSSL_NO_ENGINE  	char *engine=NULL;  #endif  	char *hmac_key=NULL; -	int non_fips_allow = 0; +	char *mac_name=NULL; +	STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;  	apps_startup(); -ERR_load_crypto_strings(); +  	if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)  		{  		BIO_printf(bio_err,"out of memory\n"); @@ -135,6 +155,8 @@ ERR_load_crypto_strings();  		if ((*argv)[0] != '-') break;  		if (strcmp(*argv,"-c") == 0)  			separator=1; +		else if (strcmp(*argv,"-r") == 0) +			separator=2;  		else if (strcmp(*argv,"-rand") == 0)  			{  			if (--argc < 1) break; 
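Review bot: In `list_md_fn`, `mname = OBJ_nid2ln(EVP_MD_type(m));` can return NULL for a digest whose NID has no long name (whether any registered digest hits this is not visible here), and the next line passes it straight to `strcmp(from, mname)`, which is undefined behaviour; guard with `if (!mname || strcmp(from, mname)) return;`. The `void *arg` is used directly as the `BIO *` for `BIO_printf`, which compiles but deserves a comment at the top of the function, e.g. `/* EVP_MD_do_all_sorted callback; arg is the BIO the usage text is written to */`, because the caller is not in this hunk. The `do_fp` prototype change (new `sig_name`/`md_name` parameters) is in the same hunk; its definition is outside this view.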
@@ -169,27 +191,6 @@ ERR_load_crypto_strings();  			keyfile=*(++argv);  			do_verify = 1;  			} -		else if (strcmp(*argv,"-x931") == 0) -			sig_flags = EVP_MD_CTX_FLAG_PAD_X931; -		else if (strcmp(*argv,"-pss_saltlen") == 0) -			{ -			int saltlen; -			if (--argc < 1) break; -			saltlen=atoi(*(++argv)); -			if (saltlen == -1) -				sig_flags = EVP_MD_CTX_FLAG_PSS_MREC; -			else if (saltlen == -2) -				sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN; -			else if (saltlen < -2 || saltlen >= 0xFFFE) -				{ -				BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen); -				goto end; -				} -			else -				sig_flags = saltlen; -			sig_flags <<= 16; -			sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS; -			}  		else if (strcmp(*argv,"-signature") == 0)  			{  			if (--argc < 1) break; @@ -205,6 +206,7 @@ ERR_load_crypto_strings();  			{  			if (--argc < 1) break;  			engine= *(++argv); +        		e = setup_engine(bio_err, engine, 0);  			}  #endif  		else if (strcmp(*argv,"-hex") == 0) @@ -213,16 +215,36 @@ ERR_load_crypto_strings();  			out_bin = 1;  		else if (strcmp(*argv,"-d") == 0)  			debug=1; -		else if (strcmp(*argv,"-non-fips-allow") == 0) -			non_fips_allow=1; -		else if (!strcmp(*argv,"-fips-fingerprint")) -			hmac_key = "etaonrishdlcupfm";  		else if (!strcmp(*argv,"-hmac"))  			{  			if (--argc < 1)  				break;  			hmac_key=*++argv;  			} +		else if (!strcmp(*argv,"-mac")) +			{ +			if (--argc < 1) +				break; +			mac_name=*++argv; +			} +		else if (strcmp(*argv,"-sigopt") == 0) +			{ +			if (--argc < 1) +				break; +			if (!sigopts) +				sigopts = sk_OPENSSL_STRING_new_null(); +			if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) +				break; +			} +		else if (strcmp(*argv,"-macopt") == 0) +			{ +			if (--argc < 1) +				break; +			if (!macopts) +				macopts = sk_OPENSSL_STRING_new_null(); +			if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) +				break; +			}  		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)  			md=m;  		else 
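Review bot: `-macopt nm:v` and the existing `-hmac key` accept the MAC key on the command line, where it is visible to every user on the host through the process list and ends up in shell history; the new usage line even advertises "or key". A comment next to the `-macopt` parsing, `/* NOTE: a key given via -macopt/-hmac is exposed in argv; prefer a file- or environment-based source */`, and a matching warning in the usage text would at least make the trade-off explicit. Separately, when `sk_OPENSSL_STRING_push` fails the `break` leaves the option loop with `*argv` still pointing at `-sigopt`/`-macopt`, so, as far as the context after the loop shows, the user is told "unknown option" instead of the real cause; `BIO_printf(bio_err,"out of memory\n"); goto end;` would be clearer.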
@@ -231,12 +253,9 @@ ERR_load_crypto_strings();  		argv++;  		} -	if (md == NULL) -		md=EVP_md5();  	if(do_verify && !sigfile) {  		BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); -		err = 1;   		goto end;  	} @@ -245,6 +264,7 @@ ERR_load_crypto_strings();  		BIO_printf(bio_err,"unknown option '%s'\n",*argv);  		BIO_printf(bio_err,"options are\n");  		BIO_printf(bio_err,"-c              to output the digest with separating colons\n"); +		BIO_printf(bio_err,"-r              to output the digest in coreutils format\n");  		BIO_printf(bio_err,"-d              to output debug info\n");  		BIO_printf(bio_err,"-hex            output as hex dump\n");  		BIO_printf(bio_err,"-binary         output in binary form\n"); 
@@ -252,49 +272,20 @@ ERR_load_crypto_strings();  		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");  		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");  		BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n"); +		BIO_printf(bio_err,"-out filename   output to filename rather than stdout\n");  		BIO_printf(bio_err,"-signature file signature to verify\n"); -		BIO_printf(bio_err,"-binary         output in binary form\n"); +		BIO_printf(bio_err,"-sigopt nm:v    signature parameter\n");  		BIO_printf(bio_err,"-hmac key       create hashed MAC with key\n"); +		BIO_printf(bio_err,"-mac algorithm  create MAC (not neccessarily HMAC)\n");  +		BIO_printf(bio_err,"-macopt nm:v    MAC algorithm parameters or key\n");  #ifndef OPENSSL_NO_ENGINE  		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");  #endif -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n", -			LN_md5,LN_md5); -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_md4,LN_md4); -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_md2,LN_md2); -#ifndef OPENSSL_NO_SHA -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha1,LN_sha1); -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha,LN_sha); -#ifndef OPENSSL_NO_SHA256 -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha224,LN_sha224); -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha256,LN_sha256); -#endif -#ifndef OPENSSL_NO_SHA512 -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha384,LN_sha384); -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_sha512,LN_sha512); -#endif -#endif -		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_mdc2,LN_mdc2); -		
BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", -			LN_ripemd160,LN_ripemd160); -		err=1; +		EVP_MD_do_all_sorted(list_md_fn, bio_err);  		goto end;  		} -#ifndef OPENSSL_NO_ENGINE -        e = setup_engine(bio_err, engine, 0); -#endif -  	in=BIO_new(BIO_s_file());  	bmd=BIO_new(BIO_f_md());  	if (debug) @@ -317,8 +308,10 @@ ERR_load_crypto_strings();  		}  	if(out_bin == -1) { -		if(keyfile) out_bin = 1; -		else out_bin = 0; +		if(keyfile) +			out_bin = 1; +		else +			out_bin = 0;  	}  	if(randfile) @@ -344,6 +337,11 @@ ERR_load_crypto_strings();  		ERR_print_errors(bio_err);  		goto end;  	} +	if ((!!mac_name + !!keyfile + !!hmac_key) > 1) +		{ +		BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); +		goto end; +		}  	if(keyfile)  		{ 
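Review bot: The new user-visible usage string `"-mac algorithm  create MAC (not neccessarily HMAC)\n"` misspells "necessarily" and carries trailing whitespace after the closing parenthesis of the call; `BIO_printf(bio_err,"-mac algorithm  create MAC (not necessarily HMAC)\n");` fixes both. The hunk also relies on `list_md_fn`, which is defined outside this hunk; a short comment naming what it prints (one line per digest, sorted) next to the call would help a reader coming from the removed per-digest lines.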
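Review bot: The check `if ((!!mac_name + !!keyfile + !!hmac_key) > 1)` rejects any two of three options, but the message `"MAC and Signing key cannot both be specified\n"` only describes one of the pairs; `-mac` together with `-hmac` trips the same check and gets a misleading explanation. A message such as `"Only one of -mac, -hmac or a signing key may be specified\n"` matches what is tested. The enclosing MAIN body continues outside this hunk.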
@@ -361,6 +359,101 @@ ERR_load_crypto_strings();  			}  		} +	if (mac_name) +		{ +		EVP_PKEY_CTX *mac_ctx = NULL; +		int r = 0; +		if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0)) +			goto mac_end; +		if (macopts) +			{ +			char *macopt; +			for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) +				{ +				macopt = sk_OPENSSL_STRING_value(macopts, i); +				if (pkey_ctrl_string(mac_ctx, macopt) <= 0) +					{ +					BIO_printf(bio_err, +						"MAC parameter error \"%s\"\n", +						macopt); +					ERR_print_errors(bio_err); +					goto mac_end; +					} +				} +			} +		if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) +			{ +			BIO_puts(bio_err, "Error generating key\n"); +			ERR_print_errors(bio_err); +			goto mac_end; +			} +		r = 1; +		mac_end: +		if (mac_ctx) +			EVP_PKEY_CTX_free(mac_ctx); +		if (r == 0) +			goto end; +		} + +	if (hmac_key) +		{ +		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, +					(unsigned char *)hmac_key, -1); +		if (!sigkey) +			goto end; +		} + +	if (sigkey) +		{ +		EVP_MD_CTX *mctx = NULL; +		EVP_PKEY_CTX *pctx = NULL; +		int r; +		if (!BIO_get_md_ctx(bmd, &mctx)) +			{ +			BIO_printf(bio_err, "Error getting context\n"); +			ERR_print_errors(bio_err); +			goto end; +			} +		if (do_verify) +			r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); +		else +			r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); +		if (!r) +			{ +			BIO_printf(bio_err, "Error setting context\n"); +			ERR_print_errors(bio_err); +			goto end; +			} +		if (sigopts) +			{ +			char *sigopt; +			for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) +				{ +				sigopt = sk_OPENSSL_STRING_value(sigopts, i); +				if (pkey_ctrl_string(pctx, sigopt) <= 0) +					{ +					BIO_printf(bio_err, +						"parameter error \"%s\"\n", +						sigopt); +					ERR_print_errors(bio_err); +					goto end; +					} +				} +			} +		} +	/* we use md as a filter, reading from 'in' */ +	else +		{ +		if (md == NULL) +			md = EVP_md5();  +		if (!BIO_set_md(bmd,md)) +			{ +			BIO_printf(bio_err, "Error 
setting digest %s\n", pname); +			ERR_print_errors(bio_err); +			goto end; +			} +		} +  	if(sigfile && sigkey) {  		BIO *sigbio;  		sigbio = BIO_new_file(sigfile, "rb"); 
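Review bot: `if (!r)` after `EVP_DigestVerifyInit`/`EVP_DigestSignInit` only catches a zero return, while these functions are documented to return 0 or a negative value on failure (a negative value for an operation the key type does not support); a negative result would continue into the `sigopts` loop with `pctx` still NULL. Use `if (r <= 0)` there, matching the `<= 0` convention already used for `pkey_ctrl_string` in the same hunk. Separately, the `-hmac` branch does `if (!sigkey) goto end;` with no diagnostic, unlike every neighbouring failure path; adding `BIO_puts(bio_err, "Error creating HMAC key\n"); ERR_print_errors(bio_err);` before the `goto` would keep the error reporting uniform. The enclosing MAIN body starts and ends outside this hunk.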
@@ -381,67 +474,51 @@ ERR_load_crypto_strings();  			goto end;  		}  	} +	inp=BIO_push(bmd,in); -	if (non_fips_allow) -		{ -		EVP_MD_CTX *md_ctx; -		BIO_get_md_ctx(bmd,&md_ctx); -		EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); -		} - -	if (sig_flags) +	if (md == NULL)  		{ -		EVP_MD_CTX *md_ctx; -		BIO_get_md_ctx(bmd,&md_ctx); -		EVP_MD_CTX_set_flags(md_ctx, sig_flags); +		EVP_MD_CTX *tctx; +		BIO_get_md_ctx(bmd, &tctx); +		md = EVP_MD_CTX_md(tctx);  		} -	/* we use md as a filter, reading from 'in' */ -	if (!BIO_set_md(bmd,md)) -		{ -		BIO_printf(bio_err, "Error setting digest %s\n", pname); -		ERR_print_errors(bio_err); -		goto end; -		} -		 -	inp=BIO_push(bmd,in); -  	if (argc == 0)  		{  		BIO_set_fp(in,stdin,BIO_NOCLOSE);  		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, -			  siglen,"","(stdin)",bmd,hmac_key,non_fips_allow); +			  siglen,NULL,NULL,"stdin",bmd);  		}  	else  		{ -		name=OBJ_nid2sn(md->type); +		const char *md_name = NULL, *sig_name = NULL; +		if(!out_bin) +			{ +			if (sigkey) +				{ +				const EVP_PKEY_ASN1_METHOD *ameth; +				ameth = EVP_PKEY_get0_asn1(sigkey); +				if (ameth) +					EVP_PKEY_asn1_get0_info(NULL, NULL, +						NULL, NULL, &sig_name, ameth); +				} +			md_name = EVP_MD_name(md); +			}  		err = 0;  		for (i=0; i<argc; i++)  			{ -			char *tmp,*tofree=NULL;  			int r; -  			if (BIO_read_filename(in,argv[i]) <= 0)  				{  				perror(argv[i]);  				err++;  				continue;  				} -			if(!out_bin) -				{ -				size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; -				tmp=tofree=OPENSSL_malloc(len); -				BIO_snprintf(tmp,len,"%s%s(%s)= ", -							 hmac_key ? "HMAC-" : "",name,argv[i]); -				}  			else -				tmp="";  			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, -				siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow); +				siglen,sig_name,md_name, argv[i],bmd);  			if(r)  			    err=r; -			if(tofree) -				OPENSSL_free(tofree);  			(void)BIO_reset(bmd);  			}  		} 
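Review bot: A bare `else` is left standing after the `BIO_read_filename` failure block, so `r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, siglen,sig_name,md_name, argv[i],bmd);` is now the else-branch of a block that ends in `continue`, written at the same indentation as the `else` itself; the keyword is redundant and hides the loop's structure, so drop the `else` and let the call stand as the loop body. Also, `BIO_get_md_ctx(bmd, &tctx);` in the new `md == NULL` block is unchecked before `md = EVP_MD_CTX_md(tctx);`, whereas the same call is checked and reported as "Error getting context" earlier in this diff; the same guard would be consistent here. The enclosing MAIN body continues outside this hunk.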
@@ -456,6 +533,10 @@ end:  		OPENSSL_free(passin);  	BIO_free_all(out);  	EVP_PKEY_free(sigkey); +	if (sigopts) +		sk_OPENSSL_STRING_free(sigopts); +	if (macopts) +		sk_OPENSSL_STRING_free(macopts);  	if(sigbuf) OPENSSL_free(sigbuf);  	if (bmd != NULL) BIO_free(bmd);  	apps_shutdown(); @@ -463,24 +544,13 @@ end:  	}  int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, -	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, -	  const char *file,BIO *bmd,const char *hmac_key,int non_fips_allow) +	  EVP_PKEY *key, unsigned char *sigin, int siglen, +	  const char *sig_name, const char *md_name, +	  const char *file,BIO *bmd)  	{ -	unsigned int len; +	size_t len;  	int i; -	EVP_MD_CTX *md_ctx; -	HMAC_CTX hmac_ctx; - -	if (hmac_key) -		{ -		EVP_MD *md; -		BIO_get_md(bmd,&md); -		HMAC_CTX_init(&hmac_ctx); -		HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); -		BIO_get_md_ctx(bmd,&md_ctx); -		BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); -		}  	for (;;)  		{  		i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -496,7 +566,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,  		{  		EVP_MD_CTX *ctx;  		BIO_get_md_ctx(bp, &ctx); -		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key);  +		i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);   		if(i > 0)  			BIO_printf(out, "Verified OK\n");  		else if(i == 0) 
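Review bot: `i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);` keeps the cast that the old `EVP_VerifyFinal` call needed, but the replacement takes a `size_t`, so the value is narrowed to `unsigned int` and then widened again for no reason; `(size_t)siglen` states the intended conversion. This is the only signed-to-size_t conversion in `do_fp` after the signature change to `size_t len;` in the previous hunk on this line, so making it explicit keeps the function's length handling readable. `do_fp` continues outside this hunk.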
@@ -516,25 +586,39 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,  		{  		EVP_MD_CTX *ctx;  		BIO_get_md_ctx(bp, &ctx); -		if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key))  +		len = BUFSIZE; +		if(!EVP_DigestSignFinal(ctx, buf, &len))   			{  			BIO_printf(bio_err, "Error Signing Data\n");  			ERR_print_errors(bio_err);  			return 1;  			}  		} -	else if(hmac_key) -		{ -		HMAC_Final(&hmac_ctx,buf,&len); -		HMAC_CTX_cleanup(&hmac_ctx); -		}  	else +		{  		len=BIO_gets(bp,(char *)buf,BUFSIZE); +		if ((int)len <0) +			{ +			ERR_print_errors(bio_err); +			return 1; +			} +		}  	if(binout) BIO_write(out, buf, len); +	else if (sep == 2) +		{ +		for (i=0; i<(int)len; i++) +			BIO_printf(out, "%02x",buf[i]); +		BIO_printf(out, " *%s\n", file); +		}  	else   		{ -		BIO_write(out,title,strlen(title)); +		if (sig_name) +			BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file); +		else if (md_name) +			BIO_printf(out, "%s(%s)= ", md_name, file); +		else +			BIO_printf(out, "(%s)= ", file);  		for (i=0; i<(int)len; i++)  			{  			if (sep && (i != 0)) @@ -543,10 +627,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,  			}  		BIO_printf(out, "\n");  		} -	if (hmac_key) -		{ -		BIO_set_md_ctx(bmd,md_ctx); -		}  	return 0;  	} diff --git a/openssl/apps/dh.c b/openssl/apps/dh.c index c4d891e12..e9609d630 100644 --- a/openssl/apps/dh.c +++ b/openssl/apps/dh.c @@ -349,4 +349,10 @@ end:  	apps_shutdown();  	OPENSSL_EXIT(ret);  	} +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/dhparam.c b/openssl/apps/dhparam.c index 04bd57c6e..5fab29eb8 100644 --- a/openssl/apps/dhparam.c +++ b/openssl/apps/dhparam.c @@ -554,4 +554,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)  	return 1;  	} +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif 
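Review bot: `len=BIO_gets(bp,(char *)buf,BUFSIZE);` stores an `int` result (negative on error) in the `size_t len` introduced by the earlier hunk and then recovers the sign with `if ((int)len <0)`, and the unconditional `BIO_write(out, buf, len)` below passes that `size_t` to an `int` parameter. Reading into an `int` first avoids the round trip: `int n = BIO_gets(bp,(char *)buf,BUFSIZE); if (n < 0) { ERR_print_errors(bio_err); return 1; } len = (size_t)n;`. The new `sep == 2` branch is otherwise consistent with the existing hex output loop.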
diff --git a/openssl/apps/dsa.c b/openssl/apps/dsa.c index cbc1fe3f8..1109346f7 100644 --- a/openssl/apps/dsa.c +++ b/openssl/apps/dsa.c @@ -112,6 +112,8 @@ int MAIN(int argc, char **argv)  	char *passin = NULL, *passout = NULL;  	int modulus=0; +	int pvk_encr = 2; +  	apps_startup();  	if (bio_err == NULL) @@ -171,6 +173,12 @@ int MAIN(int argc, char **argv)  			engine= *(++argv);  			}  #endif +		else if (strcmp(*argv,"-pvk-strong") == 0) +			pvk_encr=2; +		else if (strcmp(*argv,"-pvk-weak") == 0) +			pvk_encr=1; +		else if (strcmp(*argv,"-pvk-none") == 0) +			pvk_encr=0;  		else if (strcmp(*argv,"-noout") == 0)  			noout=1;  		else if (strcmp(*argv,"-text") == 0) @@ -238,16 +246,30 @@ bad:  		goto end;  	} +	in=BIO_new(BIO_s_file());  	out=BIO_new(BIO_s_file()); -	if (out == NULL) +	if ((in == NULL) || (out == NULL))  		{  		ERR_print_errors(bio_err);  		goto end;  		} +	if (infile == NULL) +		BIO_set_fp(in,stdin,BIO_NOCLOSE); +	else +		{ +		if (BIO_read_filename(in,infile) <= 0) +			{ +			perror(infile); +			goto end; +			} +		} +  	BIO_printf(bio_err,"read DSA key\n"); -	{ + +		{  		EVP_PKEY	*pkey; +  		if (pubin)  			pkey = load_pubkey(bio_err, infile, informat, 1,  				passin, e, "Public Key"); @@ -255,10 +277,12 @@ bad:  			pkey = load_key(bio_err, infile, informat, 1,  				passin, e, "Private Key"); -		if (pkey != NULL) -		dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey); -		EVP_PKEY_free(pkey); -	} +		if (pkey) +			{ +			dsa = EVP_PKEY_get1_DSA(pkey); +			EVP_PKEY_free(pkey); +			} +		}  	if (dsa == NULL)  		{  		BIO_printf(bio_err,"unable to load Key\n"); 
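Review bot: The new `in` BIO in the dsa.c `bad:` hunk is opened with `BIO_read_filename(in,infile)` but never read: `load_pubkey`/`load_key` on the following lines take `infile` as a path and open the file themselves, so the block only pre-checks readability and opens the key file twice. Either feed `in` to a BIO-based loader or drop the probe; if it stays, make sure `in` is released at `end:` (outside this hunk) so it does not leak on every path, and a comment such as `/* open early so an unreadable file is reported before the key parser runs */` would explain why it exists. The `BIO_printf(bio_err,"read DSA key\n");` block that follows is also re-indented one level deeper than its `{`, which reads as a stray edit.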
@@ -310,11 +334,24 @@ bad:  			i=PEM_write_bio_DSA_PUBKEY(out,dsa);  		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,  							NULL,0,NULL, passout); +#ifndef OPENSSL_NO_RSA +	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { +		EVP_PKEY *pk; +		pk = EVP_PKEY_new(); +		EVP_PKEY_set1_DSA(pk, dsa); +		if (outformat == FORMAT_PVK) +			i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); +		else if (pubin || pubout) +			i = i2b_PublicKey_bio(out, pk); +		else +			i = i2b_PrivateKey_bio(out, pk); +		EVP_PKEY_free(pk); +#endif  	} else {  		BIO_printf(bio_err,"bad output format specified for outfile\n");  		goto end;  		} -	if (!i) +	if (i <= 0)  		{  		BIO_printf(bio_err,"unable to write private key\n");  		ERR_print_errors(bio_err); @@ -330,4 +367,10 @@ end:  	apps_shutdown();  	OPENSSL_EXIT(ret);  	} +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/dsaparam.c b/openssl/apps/dsaparam.c index c301e81af..4305a739b 100644 --- a/openssl/apps/dsaparam.c +++ b/openssl/apps/dsaparam.c @@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)  #endif  	return 1;  	} +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/ec.c b/openssl/apps/ec.c index 771e15f35..31194b48d 100644 --- a/openssl/apps/ec.c +++ b/openssl/apps/ec.c @@ -400,4 +400,10 @@ end:  	apps_shutdown();  	OPENSSL_EXIT(ret);  } +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/ecparam.c b/openssl/apps/ecparam.c index 4e1fc837e..e9aa0a184 100644 --- a/openssl/apps/ecparam.c +++ b/openssl/apps/ecparam.c @@ -725,4 +725,10 @@ static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,  	BIO_printf(out, "\n\t};\n\n");  	return 1;  	} +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif 
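Review bot: In the new `FORMAT_MSBLOB`/`FORMAT_PVK` branch, `pk = EVP_PKEY_new(); EVP_PKEY_set1_DSA(pk, dsa);` checks neither call, so an allocation failure dereferences NULL and a failed `set1` goes on to write an empty key; `if (pk == NULL || !EVP_PKEY_set1_DSA(pk, dsa)) { ERR_print_errors(bio_err); goto end; }` (with `EVP_PKEY_free(pk)` on that path) closes both. The `i <= 0` change below is right for the new `i2b_*` writers, but the message `"unable to write private key\n"` is now also reached for `pubin || pubout` via `i2b_PublicKey_bio`; "unable to write key" would be accurate for both. The `#ifndef OPENSSL_NO_RSA` guard around a DSA-only branch presumably mirrors where the PVK/MSBLOB writers are compiled; a one-line comment saying so would save the next reader the detour.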
diff --git a/openssl/apps/enc.c b/openssl/apps/enc.c index f4f9a4c4a..3c2c91e92 100644 --- a/openssl/apps/enc.c +++ b/openssl/apps/enc.c @@ -67,6 +67,7 @@  #include <openssl/x509.h>  #include <openssl/rand.h>  #include <openssl/pem.h> +#include <openssl/comp.h>  #include <ctype.h>  int set_hex(char *in,unsigned char *out,int size); @@ -116,6 +117,10 @@ int MAIN(int argc, char **argv)  	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;  	char *md=NULL;  	int enc=1,printkey=0,i,base64=0; +#ifdef ZLIB +	int do_zlib=0; +	BIO *bzl = NULL; +#endif  	int debug=0,olb64=0,nosalt=0;  	const EVP_CIPHER *cipher=NULL,*c;  	EVP_CIPHER_CTX *ctx = NULL; @@ -127,7 +132,6 @@ int MAIN(int argc, char **argv)  	char *engine = NULL;  #endif  	const EVP_MD *dgst=NULL; -	int non_fips_allow = 0;  	apps_startup(); @@ -142,9 +146,18 @@ int MAIN(int argc, char **argv)  	program_name(argv[0],pname,sizeof pname);  	if (strcmp(pname,"base64") == 0)  		base64=1; +#ifdef ZLIB +	if (strcmp(pname,"zlib") == 0) +		do_zlib=1; +#endif  	cipher=EVP_get_cipherbyname(pname); +#ifdef ZLIB +	if (!do_zlib && !base64 && (cipher == NULL) +				&& (strcmp(pname,"enc") != 0)) +#else  	if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0)) +#endif  		{  		BIO_printf(bio_err,"%s is an unknown cipher\n",pname);  		goto bad; @@ -200,6 +213,10 @@ int MAIN(int argc, char **argv)  			base64=1;  		else if	(strcmp(*argv,"-base64") == 0)  			base64=1; +#ifdef ZLIB +		else if	(strcmp(*argv,"-z") == 0) +			do_zlib=1; +#endif  		else if (strcmp(*argv,"-bufsize") == 0)  			{  			if (--argc < 1) goto bad; @@ -226,7 +243,12 @@ int MAIN(int argc, char **argv)  				goto bad;  				}  			buf[0]='\0'; -			fgets(buf,sizeof buf,infile); +			if (!fgets(buf,sizeof buf,infile)) +				{ +				BIO_printf(bio_err,"unable to read key from '%s'\n", +					file); +				goto bad; +				}  			fclose(infile);  			i=strlen(buf);  			if ((i > 0) && 
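Review bot: In the `-kfile` hunk of enc.c, the new `if (!fgets(buf,sizeof buf,infile)) { ...; goto bad; }` jumps out before the `fclose(infile);` that follows, so the `FILE *` opened a few lines earlier leaks on the error path; add `fclose(infile);` before `goto bad;` inside the new block. The check itself is a real improvement over the previous unchecked `fgets`, since `i=strlen(buf)` below now only runs on a successfully read line.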
@@ -262,8 +284,6 @@ int MAIN(int argc, char **argv)  			if (--argc < 1) goto bad;  			md= *(++argv);  			} -		else if (strcmp(*argv,"-non-fips-allow") == 0) -			non_fips_allow = 1;  		else if	((argv[0][0] == '-') &&  			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))  			{ @@ -286,9 +306,11 @@ bad:  			BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");  			BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");  			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n",""); +			BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");  			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");  			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");  			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>"); +			BIO_printf(bio_err,"%-14s disable standard block padding\n","-nopad");  #ifndef OPENSSL_NO_ENGINE  			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");  #endif @@ -317,10 +339,7 @@ bad:  	if (dgst == NULL)  		{ -		if (in_FIPS_mode) -			dgst = EVP_sha1(); -		else -			dgst = EVP_md5(); +		dgst = EVP_md5();  		}  	if (bufsize != NULL) @@ -452,6 +471,19 @@ bad:  	rbio=in;  	wbio=out; +#ifdef ZLIB + +	if (do_zlib) +		{ +		if ((bzl=BIO_new(BIO_f_zlib())) == NULL) +			goto end; +		if (enc) +			wbio=BIO_push(bzl,wbio); +		else +			rbio=BIO_push(bzl,rbio); +		} +#endif +  	if (base64)  		{  		if ((b64=BIO_new(BIO_f_base64())) == NULL) @@ -556,11 +588,6 @@ bad:  		 */  		BIO_get_cipher_ctx(benc, &ctx); - -		if (non_fips_allow) -			EVP_CIPHER_CTX_set_flags(ctx, -				EVP_CIPH_FLAG_NON_FIPS_ALLOW); -  		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))  			{  			BIO_printf(bio_err, "Error setting cipher %s\n", 
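Review bot: `dgst = EVP_md5();` is now the unconditional default digest for deriving the key and IV from the passphrase, the FIPS-mode `EVP_sha1()` fallback having been removed; in a build where MD5 is not usable, the key derivation that consumes `dgst` (outside this hunk) will presumably fail instead of falling back, which is a behaviour change worth a line in the commit message. The usage text for `-md` in the hunk two above on this line still lists only `md2, md5, sha or sha1`; appending "(default md5)" there would document the choice for users, and a comment at the assignment, `/* default KDF digest; compatibility with existing enc output depends on it */`, would record why MD5 is kept.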
@@ -651,6 +678,9 @@ end:  	if (out != NULL) BIO_free_all(out);  	if (benc != NULL) BIO_free(benc);  	if (b64 != NULL) BIO_free(b64); +#ifdef ZLIB +	if (bzl != NULL) BIO_free(bzl); +#endif  	if(pass) OPENSSL_free(pass);  	apps_shutdown();  	OPENSSL_EXIT(ret); diff --git a/openssl/apps/engine.c b/openssl/apps/engine.c index 17bd81fb7..9a0294398 100644 --- a/openssl/apps/engine.c +++ b/openssl/apps/engine.c @@ -92,7 +92,7 @@ static const char *engine_usage[]={  NULL  }; -static void identity(void *ptr) +static void identity(char *ptr)  	{  	return;  	} @@ -148,11 +148,6 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)  	if(flags & ENGINE_CMD_FLAG_NUMERIC)  		{ -		if(started) -			{ -			BIO_printf(bio_out, "|"); -			err = 1; -			}  		BIO_printf(bio_out, "NUMERIC");  		started = 1;  		} @@ -205,7 +200,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent  	char *desc = NULL;  	int flags;  	int xpos = 0; -	STACK *cmds = NULL; +	STACK_OF(OPENSSL_STRING) *cmds = NULL;  	if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||  			((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,  					0, NULL, NULL)) <= 0)) @@ -216,7 +211,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent  		return 1;  		} -	cmds = sk_new_null(); +	cmds = sk_OPENSSL_STRING_new_null();  	if(!cmds)  		goto err; 
@@ -289,15 +284,17 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent  		BIO_printf(bio_out, "\n");  	ret = 1;  err: -	if(cmds) sk_pop_free(cmds, identity); +	if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity);  	if(name) OPENSSL_free(name);  	if(desc) OPENSSL_free(desc);  	return ret;  	} -static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent) +static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, +			BIO *bio_out, const char *indent)  	{ -	int loop, res, num = sk_num(cmds); +	int loop, res, num = sk_OPENSSL_STRING_num(cmds); +  	if(num < 0)  		{  		BIO_printf(bio_out, "[Error]: internal stack error\n"); @@ -307,7 +304,7 @@ static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *inden  		{  		char buf[256];  		const char *cmd, *arg; -		cmd = sk_value(cmds, loop); +		cmd = sk_OPENSSL_STRING_value(cmds, loop);  		res = 1; /* assume success */  		/* Check if this command has no ":arg" */  		if((arg = strstr(cmd, ":")) == NULL) @@ -347,9 +344,9 @@ int MAIN(int argc, char **argv)  	const char **pp;  	int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0;  	ENGINE *e; -	STACK *engines = sk_new_null(); -	STACK *pre_cmds = sk_new_null(); -	STACK *post_cmds = sk_new_null(); +	STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); +	STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); +	STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();  	int badops=1;  	BIO *bio_out=NULL;  	const char *indent = "     "; 
@@ -396,20 +393,20 @@ int MAIN(int argc, char **argv)  			argc--; argv++;  			if (argc == 0)  				goto skip_arg_loop; -			sk_push(pre_cmds,*argv); +			sk_OPENSSL_STRING_push(pre_cmds,*argv);  			}  		else if (strcmp(*argv,"-post") == 0)  			{  			argc--; argv++;  			if (argc == 0)  				goto skip_arg_loop; -			sk_push(post_cmds,*argv); +			sk_OPENSSL_STRING_push(post_cmds,*argv);  			}  		else if ((strncmp(*argv,"-h",2) == 0) ||  				(strcmp(*argv,"-?") == 0))  			goto skip_arg_loop;  		else -			sk_push(engines,*argv); +			sk_OPENSSL_STRING_push(engines,*argv);  		argc--;  		argv++;  		} @@ -424,17 +421,17 @@ skip_arg_loop:  		goto end;  		} -	if (sk_num(engines) == 0) +	if (sk_OPENSSL_STRING_num(engines) == 0)  		{  		for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))  			{ -			sk_push(engines,(char *)ENGINE_get_id(e)); +			sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e));  			}  		} -	for (i=0; i<sk_num(engines); i++) +	for (i=0; i<sk_OPENSSL_STRING_num(engines); i++)  		{ -		const char *id = sk_value(engines,i); +		const char *id = sk_OPENSSL_STRING_value(engines,i);  		if ((e = ENGINE_by_id(id)) != NULL)  			{  			const char *name = ENGINE_get_name(e); @@ -454,6 +451,7 @@ skip_arg_loop:  				const int *nids;  				ENGINE_CIPHERS_PTR fn_c;  				ENGINE_DIGESTS_PTR fn_d; +				ENGINE_PKEY_METHS_PTR fn_pk;  				if (ENGINE_get_RSA(e) != NULL  					&& !append_buf(&cap_buf, "RSA", @@ -492,6 +490,15 @@ skip_ciphers:  						goto end;  skip_digests: +				fn_pk = ENGINE_get_pkey_meths(e); +				if(!fn_pk) goto skip_pmeths; +				n = fn_pk(e, NULL, &nids, 0); +				for(k=0 ; k < n ; ++k) +					if(!append_buf(&cap_buf, +						       OBJ_nid2sn(nids[k]), +						       &cap_size, 256)) +						goto end; +skip_pmeths:  				if (cap_buf && (*cap_buf != '\0'))  					BIO_printf(bio_out, " [%s]\n", cap_buf); 
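Review bot: In the new `skip_digests:` block, `append_buf(&cap_buf, OBJ_nid2sn(nids[k]), &cap_size, 256)` passes the result of `OBJ_nid2sn` straight through, and that function returns NULL for a NID that is not in the object table, which engine-provided public-key methods may well be; if `append_buf` (outside this diff) does not tolerate a NULL string, this is a crash on an otherwise valid engine. Guarding with a local, `const char *sn = OBJ_nid2sn(nids[k]); if (sn == NULL) continue;`, is cheap, and the same consideration applies to the cipher and digest loops above it if they are written the same way. The `if(!fn_pk) goto skip_pmeths;` style matches the existing `skip_ciphers`/`skip_digests` labels, so no change there.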
@@ -526,9 +533,9 @@ skip_digests:  end:  	ERR_print_errors(bio_err); -	sk_pop_free(engines, identity); -	sk_pop_free(pre_cmds, identity); -	sk_pop_free(post_cmds, identity); +	sk_OPENSSL_STRING_pop_free(engines, identity); +	sk_OPENSSL_STRING_pop_free(pre_cmds, identity); +	sk_OPENSSL_STRING_pop_free(post_cmds, identity);  	if (bio_out != NULL) BIO_free_all(bio_out);  	apps_shutdown();  	OPENSSL_EXIT(ret); diff --git a/openssl/apps/errstr.c b/openssl/apps/errstr.c index 19489b0df..fe3b98077 100644 --- a/openssl/apps/errstr.c +++ b/openssl/apps/errstr.c @@ -97,10 +97,12 @@ int MAIN(int argc, char **argv)  			out = BIO_push(tmpbio, out);  			}  #endif -			lh_node_stats_bio((LHASH *)ERR_get_string_table(),out); -			lh_stats_bio((LHASH *)ERR_get_string_table(),out); -			lh_node_usage_stats_bio((LHASH *) -				ERR_get_string_table(),out); +			lh_ERR_STRING_DATA_node_stats_bio( +						  ERR_get_string_table(), out); +			lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), +						     out); +			lh_ERR_STRING_DATA_node_usage_stats_bio( +						    ERR_get_string_table(),out);  			}  		if (out != NULL) BIO_free_all(out);  		argc--; diff --git a/openssl/apps/gendh.c b/openssl/apps/gendh.c index 47497864b..caa7327a1 100644 --- a/openssl/apps/gendh.c +++ b/openssl/apps/gendh.c @@ -235,4 +235,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)  #endif  	return 1;  	} +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/gendsa.c b/openssl/apps/gendsa.c index 8a296c66e..22c39629e 100644 --- a/openssl/apps/gendsa.c +++ b/openssl/apps/gendsa.c @@ -279,4 +279,10 @@ end:  	apps_shutdown();  	OPENSSL_EXIT(ret);  	} +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif +  #endif diff --git a/openssl/apps/genrsa.c b/openssl/apps/genrsa.c index fdc0d4a07..37e931091 100644 --- a/openssl/apps/genrsa.c +++ b/openssl/apps/genrsa.c 
@@ -95,7 +95,6 @@ int MAIN(int argc, char **argv)  	int ret=1;  	int i,num=DEFBITS;  	long l; -	int use_x931 = 0;  	const EVP_CIPHER *enc=NULL;  	unsigned long f4=RSA_F4;  	char *outfile=NULL; @@ -106,9 +105,9 @@ int MAIN(int argc, char **argv)  	char *inrand=NULL;  	BIO *out=NULL;  	BIGNUM *bn = BN_new(); -	RSA *rsa = RSA_new(); +	RSA *rsa = NULL; -	if(!bn || !rsa) goto err; +	if(!bn) goto err;  	apps_startup();  	BN_GENCB_set(&cb, genrsa_cb, bio_err); @@ -139,8 +138,6 @@ int MAIN(int argc, char **argv)  			f4=3;  		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)  			f4=RSA_F4; -		else if (strcmp(*argv,"-x931") == 0) -			use_x931 = 1;  #ifndef OPENSSL_NO_ENGINE  		else if (strcmp(*argv,"-engine") == 0)  			{ @@ -268,18 +265,15 @@ bad:  	BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",  		num); +#ifdef OPENSSL_NO_ENGINE +	rsa = RSA_new(); +#else +	rsa = RSA_new_method(e); +#endif +	if (!rsa) +		goto err; -	if (use_x931) -		{ -		BIGNUM *pubexp; -		pubexp = BN_new(); -		if (!BN_set_word(pubexp, f4)) -			goto err; -		if (!RSA_X931_generate_key_ex(rsa, num, pubexp, &cb)) -			goto err; -		BN_free(pubexp); -		} -	else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) +	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))  		goto err;  	app_RAND_write_file(NULL, bio_err); diff --git a/openssl/apps/install.com b/openssl/apps/install.com index f927dc29f..c5821b40e 100644 --- a/openssl/apps/install.com +++ b/openssl/apps/install.com 
@@ -5,13 +5,23 @@ $! Time of creation: 22-MAY-1998 10:13  $!  $! P1	root of the directory tree  $! +$  $	IF P1 .EQS. ""  $	THEN  $	    WRITE SYS$OUTPUT "First argument missing." -$	    WRITE SYS$OUTPUT "Should be the directory where you want things installed." +$	    WRITE SYS$OUTPUT - +		  "Should be the directory where you want things installed."  $	    EXIT  $	ENDIF  $ +$	IF (F$GETSYI("CPU").LT.128) +$	THEN +$	    ARCH := VAX +$	ELSE +$	    ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$	    IF (ARCH .EQS. "") THEN ARCH = "UNK" +$	ENDIF +$  $	ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"  $	ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")  $	ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - @@ -19,23 +29,16 @@ $	ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -  $	ROOT = ROOT_DEV + "[" + ROOT_DIR  $  $	DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC -$	DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE] -$	DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE] -$	DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB] +$	DEFINE/NOLOG WRK_SSLEXE WRK_SSLROOT:['ARCH'_EXE]  $  $	IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -  	   CREATE/DIR/LOG WRK_SSLROOT:[000000] -$	IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLVEXE: -$	IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLAEXE: -$	IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLLIB: +$	IF F$PARSE("WRK_SSLEXE:") .EQS. "" THEN - +	   CREATE/DIR/LOG WRK_SSLEXE:  $  $	EXE := openssl  $ -$	VEXE_DIR := [-.VAX.EXE.APPS] -$	AEXE_DIR := [-.AXP.EXE.APPS] +$	EXE_DIR := [-.'ARCH'.EXE.APPS]  $  $	I = 0  $ LOOP_EXE:  
@@ -43,25 +46,18 @@ $	E = F$EDIT(F$ELEMENT(I, ",", EXE),"TRIM")  $	I = I + 1  $	IF E .EQS. "," THEN GOTO LOOP_EXE_END  $	SET NOON -$	IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. "" -$	THEN -$	  COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log -$	  SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE -$	ENDIF -$	IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. "" +$	IF F$SEARCH(EXE_DIR+E+".EXE") .NES. ""  $	THEN -$	  COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log -$	  SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE +$	  COPY 'EXE_DIR''E'.EXE WRK_SSLEXE:'E'.EXE/log +$	  SET FILE/PROT=W:RE WRK_SSLEXE:'E'.EXE  $	ENDIF  $	SET ON  $	GOTO LOOP_EXE  $ LOOP_EXE_END:  $  $	SET NOON -$	COPY CA.COM WRK_SSLAEXE:CA.COM/LOG -$	SET FILE/PROT=W:RE WRK_SSLAEXE:CA.COM -$	COPY CA.COM WRK_SSLVEXE:CA.COM/LOG -$	SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM +$	COPY CA.COM WRK_SSLEXE:CA.COM/LOG +$	SET FILE/PROT=W:RE WRK_SSLEXE:CA.COM  $	COPY OPENSSL-VMS.CNF WRK_SSLROOT:[000000]OPENSSL.CNF/LOG  $	SET FILE/PROT=W:R WRK_SSLROOT:[000000]OPENSSL.CNF  $	SET ON diff --git a/openssl/apps/makeapps.com b/openssl/apps/makeapps.com index 0580a1f40..b96c4a1c6 100644 --- a/openssl/apps/makeapps.com +++ b/openssl/apps/makeapps.com @@ -6,11 +6,12 @@ $!               A-Com Computing, Inc.  $!               byer@mail.all-net.net  $!  $!  Changes by Richard Levitte <richard@levitte.org> +$!             Zoltan Arpadffy <zoli@polarhome.com>     $!  $!  This command files compiles and creates all the various different  $!  "application" programs for the different types of encryption for OpenSSL.  $!  The EXE's are placed in the directory [.xxx.EXE.APPS] where "xxx" denotes -$!  either AXP or VAX depending on your machine architecture. +$!  ALPHA, IA64 or VAX, depending on your machine architecture.  $!  $!  It was written so it would try to determine what "C" compiler to  $!  use or you can specify which "C" compiler to use. 
@@ -46,20 +47,21 @@ $ TCPIP_LIB = ""  $!  $! Check What Architecture We Are Using.  $! -$ IF (F$GETSYI("CPU").GE.128) +$ IF (F$GETSYI("CPU").LT.128)  $ THEN  $! -$!  The Architecture Is AXP. +$!  The Architecture Is VAX.  $! -$   ARCH := AXP +$   ARCH := VAX  $!  $! Else...  $!  $ ELSE  $! -$!  The Architecture Is VAX. +$!  The Architecture Is Alpha, IA64 or whatever comes in the future.  $! -$   ARCH := VAX +$   ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$   IF (ARCH .EQS. "") THEN ARCH = "UNK"  $!  $! End The Architecture Check.  $! @@ -68,22 +70,6 @@ $!  $! Define what programs should be compiled  $!  $ PROGRAMS := OPENSSL -$!$ PROGRAMS := VERIFY,ASN1PARS,REQ,DGST,DH,ENC,PASSWD,GENDH,ERRSTR,CA,CRL,- -$!	      RSA,DSA,DSAPARAM,- -$!	      X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,- -$!	      S_TIME,VERSION,PKCS7,CRL2P7,SESS_ID,CIPHERS,NSEQ, -$! -$! Check To Make Sure We Have Valid Command Line Parameters. -$! -$ GOSUB CHECK_OPTIONS -$! -$! Initialise logical names and such -$! -$ GOSUB INITIALISE -$! -$! Tell The User What Kind of Machine We Run On. -$! -$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."  $!  $! Define The CRYPTO Library.  $! @@ -97,6 +83,22 @@ $! Define The OBJ Directory.  $!  $ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.APPS]  $! +$! Define The EXE Directory. +$! +$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] +$! +$! Check To Make Sure We Have Valid Command Line Parameters. +$! +$ GOSUB CHECK_OPTIONS +$! +$! Initialise logical names and such +$! +$ GOSUB INITIALISE +$! +$! Tell The User What Kind of Machine We Run On. +$! +$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." +$!  $! Check To See If The OBJ Directory Exists.  $!  $ IF (F$PARSE(OBJ_DIR).EQS."") @@ -110,10 +112,6 @@ $! End The OBJ Directory Check.  $!  $ ENDIF  $! -$! Define The EXE Directory. -$! -$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] -$!  $! Check To See If The EXE Directory Exists.  $!  $ IF (F$PARSE(EXE_DIR).EQS."") 
@@ -136,140 +134,172 @@ $!  $ GOSUB CHECK_OPT_FILE  $!  $! Define The Application Files. -$! -$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+- -	      "CA;PKCS7;CRL2P7;CRL;"+- -	      "RSA;RSAUTL;DSA;DSAPARAM;EC;ECPARAM;"+- -	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+- -	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+- -	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME" +$! NOTE: Some might think this list ugly.  However, it's made this way to +$! reflect the E_OBJ variable in Makefile as closely as possible, thereby +$! making it fairly easy to verify that the lists are the same. +$! +$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+- +	     	"CA,PKCS7,CRL2P7,CRL,"+- +	      	"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+- +	      	"X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+- +	      	"S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+- +	      	"CIPHERS,NSEQ,PKCS12,PKCS8,PKEY,PKEYPARAM,PKEYUTL,"+ - +	      	"SPKAC,SMIME,CMS,RAND,ENGINE,OCSP,PRIME,TS"  $ TCPIP_PROGRAMS = ",,"  $ IF COMPILER .EQS. "VAXC" THEN -       TCPIP_PROGRAMS = ",OPENSSL,"  $!  $! Setup exceptional compilations  $! -$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT," +$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT,"  $!  $ PHASE := LIB  $!  $ RESTART:   $! -$!  Define A File Counter And Set It To "0". +$!  Define An App Counter And Set It To "0". +$! +$ APP_COUNTER = 0 +$! +$!  Top Of The App Loop.  $! -$ FILE_COUNTER = 0 +$ NEXT_APP:  $! -$! Top Of The File Loop. +$!  Make The Application File Name  $! -$ NEXT_FILE: +$ CURRENT_APP = F$EDIT(F$ELEMENT(APP_COUNTER,",",PROGRAMS),"TRIM")  $! -$! O.K, Extract The File Name From The File List. +$!  Create The Executable File Name.  $! -$ FILE_NAME0 = F$EDIT(F$ELEMENT(FILE_COUNTER,";",'PHASE'_FILES),"TRIM") -$ FILE_NAME = F$EDIT(F$ELEMENT(0,",",FILE_NAME0),"TRIM") -$ EXTRA_OBJ = FILE_NAME0 - FILE_NAME +$   EXE_FILE = EXE_DIR + CURRENT_APP + ".EXE"  $! 
-$! Check To See If We Are At The End Of The File List. +$!  Check To See If We Are At The End Of The File List.  $! -$ IF (FILE_NAME0.EQS.";") +$ IF (CURRENT_APP.EQS.",")  $ THEN  $   IF (PHASE.EQS."LIB")  $   THEN  $     PHASE := APP  $     GOTO RESTART  $   ELSE -$     GOTO FILE_DONE +$     GOTO APP_DONE  $   ENDIF  $ ENDIF  $! -$! Increment The Counter. +$!  Increment The Counter.  $! -$ FILE_COUNTER = FILE_COUNTER + 1 +$ APP_COUNTER = APP_COUNTER + 1  $! -$! Check to see if this program should actually be compiled +$!  Decide if we're building the object files or not.  $! -$ IF PHASE .EQS. "APP" .AND. - -     ","+PROGRAMS+"," - (","+F$EDIT(FILE_NAME,"UPCASE")+",") .EQS. ","+PROGRAMS+"," +$ IF (PHASE.EQS."LIB")  $ THEN -$   GOTO NEXT_FILE -$ ENDIF  $! -$! Create The Source File Name. +$!  Define A Library File Counter And Set It To "-1". +$!  -1 Means The Application File Name Is To Be Used.  $! -$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C" +$   LIB_COUNTER = -1  $! -$! Create The Object File Name. +$!  Create a .OPT file for the object files  $! -$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$   OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT  $! -$! Create The Executable File Name. +$!  Top Of The File Loop.  $! -$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE" -$ ON WARNING THEN GOTO NEXT_FILE +$  NEXT_LIB:  $! -$! Check To See If The File We Want To Compile Actually Exists. +$!  O.K, Extract The File Name From The File List.  $! -$ IF (F$SEARCH(SOURCE_FILE).EQS."") -$ THEN +$   IF LIB_COUNTER .GE. 0 +$   THEN +$     FILE_NAME = F$EDIT(F$ELEMENT(LIB_COUNTER,",",LIB_'CURRENT_APP'),"TRIM") +$   ELSE +$     FILE_NAME = CURRENT_APP +$   ENDIF  $! -$!  Tell The User That The File Dosen't Exist. +$!  Check To See If We Are At The End Of The File List.  $! -$   WRITE SYS$OUTPUT "" -$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." -$   WRITE SYS$OUTPUT "" +$   IF (FILE_NAME.EQS.",") +$   THEN +$     CLOSE OBJECTS +$     GOTO NEXT_APP +$   ENDIF  $! -$!  
Exit The Build. +$!  Increment The Counter.  $! -$   GOTO EXIT +$   LIB_COUNTER = LIB_COUNTER + 1  $! -$! End The File Exist Check. +$!  Create The Source File Name.  $! -$ ENDIF +$   SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"  $! -$! Tell The User What We Are Building. +$!  Create The Object File Name.  $! -$ IF (PHASE.EQS."LIB") -$ THEN -$   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." -$ ELSE -$   WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." -$ ENDIF +$   OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$   ON WARNING THEN GOTO NEXT_LIB  $! -$! Compile The File. +$!  Check To See If The File We Want To Compile Actually Exists.  $! -$ ON ERROR THEN GOTO NEXT_FILE -$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 -$ THEN -$   CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ELSE -$   CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ENDIF +$   IF (F$SEARCH(SOURCE_FILE).EQS."") +$   THEN  $! -$ ON WARNING THEN GOTO NEXT_FILE +$!    Tell The User That The File Dosen't Exist.  $! -$ IF (PHASE.EQS."LIB")  -$ THEN  -$   GOTO NEXT_FILE +$     WRITE SYS$OUTPUT "" +$     WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." +$     WRITE SYS$OUTPUT "" +$! +$!    Exit The Build. +$! +$     GOTO EXIT +$! +$!  End The File Exist Check. +$! +$   ENDIF +$! +$!  Tell The User What We Are Building. +$! +$   IF (PHASE.EQS."LIB") +$   THEN +$     WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." +$   ELSE +$     WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." +$   ENDIF +$! +$!  Compile The File. +$! +$   ON ERROR THEN GOTO NEXT_LIB +$   IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 +$   THEN +$     CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$   ELSE +$     CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$   ENDIF +$   WRITE OBJECTS OBJECT_FILE +$! +$   GOTO NEXT_LIB  $ ENDIF  $!  $!  Check if this program works well without a TCPIP library  $! -$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - FILE_NAME .NES. 
TCPIP_PROGRAMS +$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - CURRENT_APP .NES. TCPIP_PROGRAMS  $ THEN -$   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping..." -$   GOTO NEXT_FILE +$   WRITE SYS$OUTPUT CURRENT_APP," needs a TCP/IP library.  Can't link.  Skipping..." +$   GOTO NEXT_APP  $ ENDIF  $!  $! Link The Program.  $! Check To See If We Are To Link With A Specific TCP/IP Library.  $! +$ ON WARNING THEN GOTO NEXT_APP +$!  $ IF (TCPIP_LIB.NES."")  $ THEN  $!  $! Don't Link With The RSAREF Routines And TCP/IP Library.  $!  $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - -	'OBJECT_FILE''EXTRA_OBJ', - +	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -          'TCPIP_LIB','OPT_FILE'/OPTION  $! @@ -280,7 +310,7 @@ $!  $! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.  $!  $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - -	'OBJECT_FILE''EXTRA_OBJ', - +	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -          'OPT_FILE'/OPTION  $! @@ -290,11 +320,11 @@ $ ENDIF  $!  $! Go Back And Do It Again.  $! -$ GOTO NEXT_FILE +$ GOTO NEXT_APP  $!  $! All Done With This File.  $! -$ FILE_DONE: +$ APP_DONE:  $ EXIT:  $!  $! All Done, Time To Clean Up And Exit. @@ -395,19 +425,19 @@ $!    Else...  $!  $     ELSE  $! -$!      Create The AXP Linker Option File. +$!      Create The non-VAX Linker Option File.  $!  $       CREATE 'OPT_FILE'  $DECK  ! -! Default System Options File For AXP To Link Agianst  +! Default System Options File For non-VAX To Link Agianst   ! The Sharable C Runtime Library.  !  SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE  SYS$SHARE:CMA$OPEN_RTL/SHARE  $EOD  $! -$!    End The VAX/AXP DEC C Option File Check. +$!    End The DEC C Option File Check.  $!  $     ENDIF  $! 
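Review bot: In the LIB phase the new `OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT` channel is closed only on the end-of-list path (`CLOSE OBJECTS` before `GOTO NEXT_APP`); the missing-source branch jumps straight to `GOTO EXIT` and leaves the .OPT file open. Add `$     CLOSE OBJECTS` before that `$     GOTO EXIT`. Separately, `ON WARNING THEN GOTO NEXT_LIB` and `ON ERROR THEN GOTO NEXT_LIB` skip `WRITE OBJECTS OBJECT_FILE` for a failed compile, so the later LINK runs against an incomplete option file; the old loop had the same skip, so this is pre-existing, but a one-line comment at `NEXT_LIB:` saying that a failed object is silently omitted from the .OPT would make it visible. The `EXIT:` label is outside this hunk.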
@@ -556,7 +586,7 @@ $   ELSE  $!  $!  Check To See If We Have VAXC Or DECC.  $! -$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."") +$     IF (ARCH.NES."VAX").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")  $     THEN   $!  $!      Looks Like DECC, Set To Use DECC. @@ -666,7 +696,7 @@ $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT" +$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"  $!  $!  End DECC Check.  $! @@ -687,9 +717,9 @@ $!  $!    Compile Using VAXC.  $!  $     CC = "CC" -$     IF ARCH.EQS."AXP" +$     IF ARCH.NES."VAX"  $     THEN -$	WRITE SYS$OUTPUT "There is no VAX C on Alpha!" +$	WRITE SYS$OUTPUT "There is no VAX C on ''ARCH'!"  $	EXIT  $     ENDIF  $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" @@ -703,7 +733,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT" +$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"  $!  $!  End VAXC Check  $! @@ -730,7 +760,7 @@ $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT" +$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"  $!  $!  End The GNU C Check.  $! diff --git a/openssl/apps/ocsp.c b/openssl/apps/ocsp.c index 251044d77..01847dfad 100644 --- a/openssl/apps/ocsp.c +++ b/openssl/apps/ocsp.c 
@@ -56,25 +56,53 @@   *   */  #ifndef OPENSSL_NO_OCSP + +#ifdef OPENSSL_SYS_VMS +#define _XOPEN_SOURCE_EXTENDED	/* So fd_set and friends get properly defined +				   on OpenVMS */ +#endif +  #define USE_SOCKETS +  #include <stdio.h>  #include <stdlib.h>  #include <string.h> +#include <time.h>  #include "apps.h" /* needs to be included before the openssl headers! */  #include <openssl/e_os2.h> -#include <openssl/ssl.h> +#include <openssl/crypto.h>  #include <openssl/err.h> - +#include <openssl/ssl.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/x509v3.h> + +#if defined(NETWARE_CLIB) +#  ifdef NETWARE_BSDSOCK +#    include <sys/socket.h> +#    include <sys/bsdskt.h> +#  else +#    include <novsock2.h> +#  endif +#elif defined(NETWARE_LIBC) +#  ifdef NETWARE_BSDSOCK +#    include <sys/select.h> +#  else +#    include <novsock2.h> +#  endif +#endif +    /* Maximum leeway in validity period: default 5 minutes */  #define MAX_VALIDITY_PERIOD	(5 * 60) -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer,  				STACK_OF(OCSP_CERTID) *ids); -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer,  				STACK_OF(OCSP_CERTID) *ids);  static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, -				STACK *names, STACK_OF(OCSP_CERTID) *ids, -				long nsec, long maxage); +			      STACK_OF(OPENSSL_STRING) *names, +			      STACK_OF(OCSP_CERTID) *ids, long nsec, +			      long maxage);  static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,  			X509 *ca, X509 *rcert, EVP_PKEY *rkey, 
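Review bot: The two new prototypes spell the same parameter differently — `const EVP_MD *cert_id_md` in `add_ocsp_cert` and `const EVP_MD * cert_id_md` in `add_ocsp_serial` — and the definitions later in the diff (hunks `@@ -881` and `@@ -902`) drop the space after the comma (`*cert_id_md,X509 *issuer` and `char *serial,const EVP_MD`). Pick one spelling, e.g. `const EVP_MD *cert_id_md, X509 *issuer,`, in all four places. The added `_XOPEN_SOURCE_EXTENDED` comment explains the fd_set effect but not why the block must sit before `USE_SOCKETS` and the first include; one clause, `must precede every system header`, would stop it from being moved.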
@@ -86,6 +114,7 @@ static BIO *init_responder(char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+				STACK_OF(CONF_VALUE) *headers,
 				OCSP_REQUEST *req, int req_timeout);
 #undef PROG
@@ -104,6 +133,7 @@ int MAIN(int argc, char **argv)
 	char *rsignfile = NULL, *rkeyfile = NULL;
 	char *outfile = NULL;
 	int add_nonce = 1, noverify = 0, use_ssl = -1;
+	STACK_OF(CONF_VALUE) *headers = NULL;
 	OCSP_REQUEST *req = NULL;
 	OCSP_RESPONSE *resp = NULL;
 	OCSP_BASICRESP *bs = NULL;
@@ -126,7 +156,7 @@ int MAIN(int argc, char **argv)
 	int badarg = 0;
 	int i;
 	int ignore_err = 0;
-	STACK *reqnames = NULL;
+	STACK_OF(OPENSSL_STRING) *reqnames = NULL;
 	STACK_OF(OCSP_CERTID) *ids = NULL;
 	X509 *rca_cert = NULL;
@@ -134,6 +164,7 @@ int MAIN(int argc, char **argv)
 	char *rca_filename = NULL;
 	CA_DB *rdb = NULL;
 	int nmin = 0, ndays = -1;
+	const EVP_MD *cert_id_md = NULL;
 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -142,7 +173,7 @@ int MAIN(int argc, char **argv)
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 	args = argv + 1;
-	reqnames = sk_new_null();
+	reqnames = sk_OPENSSL_STRING_new_null();
 	ids = sk_OCSP_CERTID_new_null();
 	while (!badarg && *args && *args[0] == '-')
 		{
@@ -202,6 +233,16 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp(*args, "-header"))
+			{
+			if (args[1] && args[2])
+				{
+				if (!X509V3_add_value(args[1], args[2], &headers))
+					goto end;
+				args += 2;
+				}
+			else badarg = 1;
+			}
 		else if (!strcmp(*args, "-ignore_err"))
 			ignore_err = 1;
 		else if (!strcmp(*args, "-noverify"))
@@ -401,9 +442,10 @@ int MAIN(int argc, char **argv)
 				cert = load_cert(bio_err, *args, FORMAT_PEM,
 					NULL, e, "certificate");
 				if(!cert) goto end;
-				if(!add_ocsp_cert(&req, cert, issuer, ids))
+				if (!cert_id_md) cert_id_md = EVP_sha1();
+				if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
 					goto end;
-				if(!sk_push(reqnames, *args))
+				if(!sk_OPENSSL_STRING_push(reqnames, *args))
 					goto end;
 				}
 			else badarg = 1;
@@ -413,9 +455,10 @@ int MAIN(int argc, char **argv)
 			if (args[1])
 				{
 				args++;
-				if(!add_ocsp_serial(&req, *args, issuer, ids))
+				if (!cert_id_md) cert_id_md = EVP_sha1();
+				if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
 					goto end;
-				if(!sk_push(reqnames, *args))
+				if(!sk_OPENSSL_STRING_push(reqnames, *args))
 					goto end;
 				}
 			else badarg = 1;
@@ -515,7 +558,10 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
-		else badarg = 1;
+		else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
+			{
+			badarg = 1;
+			}
 		args++;
 		}
@@ -571,6 +617,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
 		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
 		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
+		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request");
 		goto end;
 		}
@@ -677,7 +724,8 @@ int MAIN(int argc, char **argv)
 			"signer private key");
 		if (!key)
 			goto end;
-		if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
+
+		if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags))
 			{
 			BIO_printf(bio_err, "Error signing OCSP request\n");
 			goto end;
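Review bot: The `-cert` and `-serial` handlers in these two hunks default `cert_id_md` to `EVP_sha1()` the first time they run, so a digest option only affects certificates named after it on the command line; `-cert a.pem -sha256 -cert b.pem` silently builds the two ids with different digests. Either reject a digest option once `cert_id_md` is already set, or collect the certificates and serials during parsing and build the ids afterwards. At minimum the help text should state that `-<dgst alg>` must precede `-cert`/`-serial`. The option loop starts and ends outside these hunks.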
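Review bot: The new usage line in hunk `@@ -571` is the only one without a trailing newline, so `use specified digest in the request` runs straight into whatever is printed next; change it to `BIO_printf (bio_err, "-<dgst alg>        use specified digest in the request\n");`, which also pads it to the column the neighbouring options use.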
@@ -721,7 +769,7 @@ int MAIN(int argc, char **argv)
 		{
 #ifndef OPENSSL_NO_SOCK
 		resp = process_responder(bio_err, req, host, path,
-						port, use_ssl, req_timeout);
+					port, use_ssl, headers, req_timeout);
 		if (!resp)
 			goto end;
 #else
@@ -866,10 +914,11 @@ end:
 	OCSP_REQUEST_free(req);
 	OCSP_RESPONSE_free(resp);
 	OCSP_BASICRESP_free(bs);
-	sk_free(reqnames);
+	sk_OPENSSL_STRING_free(reqnames);
 	sk_OCSP_CERTID_free(ids);
 	sk_X509_pop_free(sign_other, X509_free);
 	sk_X509_pop_free(verify_other, X509_free);
+	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 	if (use_ssl != -1)
 		{
@@ -881,7 +930,7 @@ end:
 	OPENSSL_EXIT(ret);
 }
-static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer,
 				STACK_OF(OCSP_CERTID) *ids)
 	{
 	OCSP_CERTID *id;
@@ -892,7 +941,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
 		}
 	if(!*req) *req = OCSP_REQUEST_new();
 	if(!*req) goto err;
-	id = OCSP_cert_to_id(NULL, cert, issuer);
+	id = OCSP_cert_to_id(cert_id_md, cert, issuer);
 	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
 	if(!OCSP_request_add0_id(*req, id)) goto err;
 	return 1;
@@ -902,7 +951,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
 	return 0;
 	}
-static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer,
 				STACK_OF(OCSP_CERTID) *ids)
 	{
 	OCSP_CERTID *id;
@@ -924,7 +973,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
 		BIO_printf(bio_err, "Error converting serial number %s\n", serial);
 		return 0;
 		}
-	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
+	id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
 	ASN1_INTEGER_free(sno);
 	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
 	if(!OCSP_request_add0_id(*req, id)) goto err;
@@ -936,8 +985,9 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
 	}
 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
-					STACK *names, STACK_OF(OCSP_CERTID) *ids,
-					long nsec, long maxage)
+			      STACK_OF(OPENSSL_STRING) *names,
+			      STACK_OF(OCSP_CERTID) *ids, long nsec,
+			      long maxage)
 	{
 	OCSP_CERTID *id;
 	char *name;
@@ -947,13 +997,13 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-	if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
+	if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))
 		return 1;
 	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
 		{
 		id = sk_OCSP_CERTID_value(ids, i);
-		name = sk_value(names, i);
+		name = sk_OPENSSL_STRING_value(names, i);
 		BIO_printf(out, "%s: ", name);
 		if(!OCSP_resp_find_status(bs, id, &status, &reason,
@@ -1010,7 +1060,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 	OCSP_BASICRESP *bs = NULL;
 	int i, id_count, ret = 1;
-
 	id_count = OCSP_request_onereq_count(req);
 	if (id_count <= 0)
@@ -1019,7 +1068,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 		goto end;
 		}
-	ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
 	bs = OCSP_BASICRESP_new();
 	thisupd = X509_gmtime_adj(NULL, 0);
@@ -1032,8 +1080,23 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 		OCSP_ONEREQ *one;
 		ASN1_INTEGER *serial;
 		char **inf;
+		ASN1_OBJECT *cert_id_md_oid;
+		const EVP_MD *cert_id_md;
 		one = OCSP_request_onereq_get0(req, i);
 		cid = OCSP_onereq_get0_id(one);
+
+		OCSP_id_get0_info(NULL,&cert_id_md_oid, NULL,NULL, cid);
+
+		cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);	
+		if (! cert_id_md) 
+			{
+			*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+				NULL);
+				goto end;
+			}	
+		if (ca_id) OCSP_CERTID_free(ca_id);
+		ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
+
 		/* Is this request about our CA? */
 		if (OCSP_id_issuer_cmp(ca_id, cid))
 			{
@@ -1078,8 +1141,8 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 		}
 	OCSP_copy_nonce(bs, req);
-		
-	OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
+	
+	OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
 	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
@@ -1211,10 +1274,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
 	}
 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+				STACK_OF(CONF_VALUE) *headers,
 				OCSP_REQUEST *req, int req_timeout)
 	{
 	int fd;
 	int rv;
+	int i;
 	OCSP_REQ_CTX *ctx = NULL;
 	OCSP_RESPONSE *rsp = NULL;
 	fd_set confds;
@@ -1231,16 +1296,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
 		return NULL;
 		}
-	if (req_timeout == -1)
-		return OCSP_sendreq_bio(cbio, path, req);
-
 	if (BIO_get_fd(cbio, &fd) <= 0)
 		{
 		BIO_puts(err, "Can't get connection fd\n");
 		goto err;
 		}
-	if (rv <= 0)
+	if (req_timeout != -1 && rv <= 0)
 		{
 		FD_ZERO(&confds);
 		openssl_fdset(fd, &confds);
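Review bot: `ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);` is now allocated afresh inside the per-request loop but its result is never checked before `OCSP_id_issuer_cmp(ca_id, cid)`, so an allocation failure dereferences NULL while building a response; the old single call outside the loop was equally unchecked, but the new code already has an error path for this loop and should use it. The failure for an unrecognised digest OID is reported as `OCSP_RESPONSE_STATUS_INTERNALERROR`, although the bad OID comes from the client's request — `OCSP_RESPONSE_STATUS_MALFORMEDREQUEST` seems the closer status, worth confirming against the responder semantics you want. The `goto end;` inside that block is also indented one level too deep. `make_ocsp_response` begins and ends outside this hunk, so the `end:` cleanup is assumed to free `ca_id`.
```c
		if (ca_id) OCSP_CERTID_free(ca_id);
		ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
		if (!ca_id)
			{
			/* out of memory or digest not usable for a CERTID: cannot answer this request */
			*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
			goto end;
			}
		/* … unchanged: issuer comparison and status lookup … */
```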
@@ -1255,15 +1317,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
 		}
-	ctx = OCSP_sendreq_new(cbio, path, req, -1);
+	ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
 	if (!ctx)
 		return NULL;
+
+	for (i = 0; i < sk_CONF_VALUE_num(headers); i++)
+		{
+		CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+		if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
+			goto err;
+		}
+
+	if (!OCSP_REQ_CTX_set1_req(ctx, req))
+		goto err;
 	for (;;)
 		{
 		rv = OCSP_sendreq_nbio(&rsp, ctx);
 		if (rv != -1)
 			break;
+		if (req_timeout == -1)
+			continue;
 		FD_ZERO(&confds);
 		openssl_fdset(fd, &confds);
 		tv.tv_usec = 0;
@@ -1287,7 +1361,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
 			BIO_puts(err, "Select error\n");
 			break;
 			}
-			
+
 		}
 	err:
 	if (ctx)
@@ -1298,6 +1372,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
 			char *host, char *path, char *port, int use_ssl,
+			STACK_OF(CONF_VALUE) *headers,
 			int req_timeout)
 	{
 	BIO *cbio = NULL;
@@ -1332,14 +1407,14 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
 		sbio = BIO_new_ssl(ctx, 1);
 		cbio = BIO_push(sbio, cbio);
 		}
-	resp = query_responder(err, cbio, path, req, req_timeout);
+	resp = query_responder(err, cbio, path, headers, req, req_timeout);
 	if (!resp)
 		BIO_printf(bio_err, "Error querying OCSP responsder\n");
 	end:
-	if (ctx)
-		SSL_CTX_free(ctx);
 	if (cbio)
 		BIO_free_all(cbio);
+	if (ctx)
+		SSL_CTX_free(ctx);
 	return resp;
 	}
diff --git a/openssl/apps/openssl-vms.cnf b/openssl/apps/openssl-vms.cnf
index fae82b0d5..20ed61bc3 100644
--- a/openssl/apps/openssl-vms.cnf
+++ b/openssl/apps/openssl-vms.cnf
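Review bot: With `req_timeout == -1` the new `continue` re-enters `OCSP_sendreq_nbio` immediately whenever it reports a retry, without the `select` wait the timed path gets; that is acceptable only if the BIO is blocking so retries are uncommon, and the connect code that decides this sits above the hunk. A comment recording that assumption, `/* no timeout: BIO is blocking, so a retry here is uncommon and re-calling is acceptable */`, would stop the loop from being reused with a non-blocking BIO. Also, a header rejected by `OCSP_REQ_CTX_add1_header` leaves via `err` with `rsp` NULL and the caller in hunk `@@ -1332` reports only "Error querying OCSP responsder"; a `BIO_printf(err, "Can't add header %s\n", hdr->name);` before that `goto err` would name the offending header.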
@@ -21,12 +21,17 @@ oid_section		= new_oids
 [ new_oids ]
-# We can add new OIDs in here for use by 'ca' and 'req'.
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -67,7 +72,7 @@ cert_opt 	= ca_default		# Certificate field options
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= sha1			# which md to use.
+default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
 # A few difference way of specifying how similar the request should look
@@ -110,13 +115,12 @@ x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer
 #nsCaPolicyUrl
 #nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
 [ v3_req ]
 # Extensions to add to a certificate request
@@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -257,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -290,7 +297,7 @@ nsComment			= "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
@@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= sys\$disk:[.demoCA		# TSA root directory
+serial		= $dir]tsaserial.	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir.cacert.pem]	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
diff --git a/openssl/apps/openssl.c b/openssl/apps/openssl.c
index 7d2b476cf..851e63973 100644
--- a/openssl/apps/openssl.c
+++ b/openssl/apps/openssl.c
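Review bot: The new `[ tsa_config1 ]` section mixes path syntaxes: `dir`, `serial` and `certs` use VMS bracket form (`sys\$disk:[.demoCA`, `$dir]tsaserial.`) while `signer_cert = $dir/tsacert.pem` and `signer_key = $dir/private/tsakey.pem` are Unix-style, and `certs = $dir.cacert.pem]` expands to a directory specification rather than a file. For this VMS-specific file the consistent forms would presumably be `signer_cert = $dir]tsacert.pem`, `certs = $dir]cacert.pem` and `signer_key = $dir.private]tsakey.pem`; please verify against how the other `$dir` entries in this file are resolved. `digests = md5, sha1` also advertises MD5 as an acceptable request digest for the sample TSA; marking the line as example-only, or dropping `md5`, avoids it being copied into a production responder config.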
@@ -135,19 +135,17 @@
  * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper
  * functions. */
-/* static unsigned long MS_CALLBACK hash(FUNCTION *a); */
-static unsigned long MS_CALLBACK hash(const void *a_void);
-/* static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b); */
-static int MS_CALLBACK cmp(const void *a_void,const void *b_void);
-static LHASH *prog_init(void );
-static int do_cmd(LHASH *prog,int argc,char *argv[]);
+static LHASH_OF(FUNCTION) *prog_init(void );
+static int do_cmd(LHASH_OF(FUNCTION) *prog,int argc,char *argv[]);
+static void list_pkey(BIO *out);
+static void list_cipher(BIO *out);
+static void list_md(BIO *out);
 char *default_config_file=NULL;
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
-int in_FIPS_mode=0;
 #endif
@@ -227,25 +225,12 @@ int main(int Argc, char *Argv[])
 	int n,i,ret=0;
 	int argc;
 	char **argv,*p;
-	LHASH *prog=NULL;
+	LHASH_OF(FUNCTION) *prog=NULL;
 	long errline;
 	arg.data=NULL;
 	arg.count=0;
-	in_FIPS_mode = 0;
-
-#ifdef OPENSSL_FIPS
-	if(getenv("OPENSSL_FIPS")) {
-		if (!FIPS_mode_set(1)) {
-			ERR_load_crypto_strings();
-			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-			EXIT(1);
-		}
-		in_FIPS_mode = 1;
-		}
-#endif
-
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
@@ -287,9 +272,21 @@ int main(int Argc, char *Argv[])
 	i=NCONF_load(config,p,&errline);
 	if (i == 0)
 		{
-		NCONF_free(config);
-		config = NULL;
-		ERR_clear_error();
+		if (ERR_GET_REASON(ERR_peek_last_error())
+		    == CONF_R_NO_SUCH_FILE)
+			{
+			BIO_printf(bio_err,
+				   "WARNING: can't open config file: %s\n",p);
+			ERR_clear_error();
+			NCONF_free(config);
+			config = NULL;
+			}
+		else
+			{
+			ERR_print_errors(bio_err);
+			NCONF_free(config);
+			exit(1);
+			}
 		}
 	prog=prog_init();
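Review bot: The new fatal branch in hunk `@@ -287` calls `exit(1)` directly, whereas the FIPS block removed in the hunk just above used `EXIT(1)` and the rest of `main` leaves through the `end:` cleanup; only `bio_err` exists at this point so nothing is leaked, but the bare `exit` is inconsistent with the file. Use `EXIT(1)` there. A one-line comment on the branch, `/* a missing config file is only a warning; any other load error is fatal */`, would also make the asymmetry between the two arms read as deliberate.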
@@ -298,7 +295,7 @@ int main(int Argc, char *Argv[])
 	program_name(Argv[0],pname,sizeof pname);
 	f.name=pname;
-	fp=(FUNCTION *)lh_retrieve(prog,&f);
+	fp=lh_FUNCTION_retrieve(prog,&f);
 	if (fp != NULL)
 		{
 		Argv[0]=pname;
@@ -333,7 +330,8 @@ int main(int Argc, char *Argv[])
 			else	prompt="OpenSSL> ";
 			fputs(prompt,stdout);
 			fflush(stdout);
-			fgets(p,n,stdin);
+			if (!fgets(p,n,stdin))
+				goto end;
 			if (p[0] == '\0') goto end;
 			i=strlen(p);
 			if (i <= 1) break;
@@ -364,7 +362,7 @@ end:
 		NCONF_free(config);
 		config=NULL;
 		}
-	if (prog != NULL) lh_free(prog);
+	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 	apps_shutdown();
@@ -380,9 +378,13 @@ end:
 #define LIST_STANDARD_COMMANDS "list-standard-commands"
 #define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands"
+#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms"
 #define LIST_CIPHER_COMMANDS "list-cipher-commands"
+#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms"
+#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms"
+
-static int do_cmd(LHASH *prog, int argc, char *argv[])
+static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
 	{
 	FUNCTION f,*fp;
 	int i,ret=1,tp,nl;
@@ -390,7 +392,22 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 	if ((argc <= 0) || (argv[0] == NULL))
 		{ ret=0; goto end; }
 	f.name=argv[0];
-	fp=(FUNCTION *)lh_retrieve(prog,&f);
+	fp=lh_FUNCTION_retrieve(prog,&f);
+	if (fp == NULL)
+		{
+		if (EVP_get_digestbyname(argv[0]))
+			{
+			f.type = FUNC_TYPE_MD;
+			f.func = dgst_main;
+			fp = &f;
+			}
+		else if (EVP_get_cipherbyname(argv[0]))
+			{
+			f.type = FUNC_TYPE_CIPHER;
+			f.func = enc_main;
+			fp = &f;
+			}
+		}
 	if (fp != NULL)
 		{
 		ret=fp->func(argc,argv);
@@ -405,7 +422,7 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		}
 #endif
 		f.name=argv[0]+3;
-		ret = (lh_retrieve(prog,&f) != NULL);
+		ret = (lh_FUNCTION_retrieve(prog,&f) != NULL);
 		if (!ret)
 			BIO_printf(bio_stdout, "%s\n", argv[0]);
 		else
@@ -423,7 +440,10 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		}
 	else if ((strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0) ||
 		(strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) ||
-		(strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0))
+		(strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) ||
+		(strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0) ||
+		(strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0) ||
+		(strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0))
 		{
 		int list_type;
 		BIO *bio_stdout;
@@ -432,6 +452,12 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 			list_type = FUNC_TYPE_GENERAL;
 		else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0)
 			list_type = FUNC_TYPE_MD;
+		else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0)
+			list_type = FUNC_TYPE_MD_ALG;
+		else if (strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0)
+			list_type = FUNC_TYPE_PKEY;
+		else if (strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0)
+			list_type = FUNC_TYPE_CIPHER_ALG;
 		else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
 			list_type = FUNC_TYPE_CIPHER;
 		bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
@@ -441,10 +467,23 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		bio_stdout = BIO_push(tmpbio, bio_stdout);
 		}
 #endif
-		
-		for (fp=functions; fp->name != NULL; fp++)
-			if (fp->type == list_type)
-				BIO_printf(bio_stdout, "%s\n", fp->name);
+
+		if (!load_config(bio_err, NULL))
+			goto end;
+
+		if (list_type == FUNC_TYPE_PKEY)
+			list_pkey(bio_stdout);	
+		if (list_type == FUNC_TYPE_MD_ALG)
+			list_md(bio_stdout);	
+		if (list_type == FUNC_TYPE_CIPHER_ALG)
+			list_cipher(bio_stdout);	
+		else
+			{
+			for (fp=functions; fp->name != NULL; fp++)
+				if (fp->type == list_type)
+					BIO_printf(bio_stdout, "%s\n",
+								fp->name);
+			}
 		BIO_free_all(bio_stdout);
 		ret=0;
 		goto end;
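Review bot: The `else` after the three `if (list_type == …)` tests binds only to the `FUNC_TYPE_CIPHER_ALG` test, so a `list-public-key-algorithms` or `list-message-digest-algorithms` request runs `list_pkey`/`list_md` and then also falls into the generic `functions[]` loop; the tests should form an `else if` chain. In the same block, `if (!load_config(bio_err, NULL)) goto end;` jumps out after `bio_stdout` (and, on the VMS path, the pushed `tmpbio`) was created in the preceding hunk but before `BIO_free_all(bio_stdout)`, leaking it. The `end:` label is outside the hunk.
```c
		if (!load_config(bio_err, NULL))
			{
			BIO_free_all(bio_stdout);	/* created above; end: does not own it */
			goto end;
			}

		if (list_type == FUNC_TYPE_PKEY)
			list_pkey(bio_stdout);
		else if (list_type == FUNC_TYPE_MD_ALG)
			list_md(bio_stdout);
		else if (list_type == FUNC_TYPE_CIPHER_ALG)
			list_cipher(bio_stdout);
		else
			{
			/* … unchanged: loop over functions[] printing entries of list_type … */
			}
		BIO_free_all(bio_stdout);
```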
@@ -507,9 +546,94 @@ static int SortFnByName(const void *_f1,const void *_f2)      return strcmp(f1->name,f2->name);      } -static LHASH *prog_init(void) +static void list_pkey(BIO *out) +	{ +	int i; +	for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) +		{ +		const EVP_PKEY_ASN1_METHOD *ameth; +		int pkey_id, pkey_base_id, pkey_flags; +		const char *pinfo, *pem_str; +		ameth = EVP_PKEY_asn1_get0(i); +		EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, +						&pinfo, &pem_str, ameth); +		if (pkey_flags & ASN1_PKEY_ALIAS) +			{ +			BIO_printf(out, "Name: %s\n",  +					OBJ_nid2ln(pkey_id)); +			BIO_printf(out, "\tType: Alias to %s\n", +					OBJ_nid2ln(pkey_base_id)); +			} +		else +			{ +			BIO_printf(out, "Name: %s\n", pinfo); +			BIO_printf(out, "\tType: %s Algorithm\n",  +				pkey_flags & ASN1_PKEY_DYNAMIC ? +					"External" : "Builtin"); +			BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); +			if (pem_str == NULL) +				pem_str = "(none)"; +			BIO_printf(out, "\tPEM string: %s\n", pem_str); +			} +					 +		} +	} + +static void list_cipher_fn(const EVP_CIPHER *c, +			const char *from, const char *to, void *arg) +	{ +	if (c) +		BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); +	else +		{ +		if (!from) +			from = "<undefined>"; +		if (!to) +			to = "<undefined>"; +		BIO_printf(arg, "%s => %s\n", from, to); +		} +	} + +static void list_cipher(BIO *out) +	{ +	EVP_CIPHER_do_all_sorted(list_cipher_fn, out); +	} + +static void list_md_fn(const EVP_MD *m, +			const char *from, const char *to, void *arg) +	{ +	if (m) +		BIO_printf(arg, "%s\n", EVP_MD_name(m)); +	else +		{ +		if (!from) +			from = "<undefined>"; +		if (!to) +			to = "<undefined>"; +		BIO_printf(arg, "%s => %s\n", from, to); +		} +	} + +static void list_md(BIO *out) +	{ +	EVP_MD_do_all_sorted(list_md_fn, out); +	} + +static int MS_CALLBACK function_cmp(const FUNCTION *a, const FUNCTION *b) +	{ +	return strncmp(a->name,b->name,8); +	} +static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION) + +static 
unsigned long MS_CALLBACK function_hash(const FUNCTION *a) +	{ +	return lh_strhash(a->name); +	}	 +static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION) + +static LHASH_OF(FUNCTION) *prog_init(void)  	{ -	LHASH *ret; +	LHASH_OF(FUNCTION) *ret;  	FUNCTION *f;  	size_t i; @@ -518,23 +642,11 @@ static LHASH *prog_init(void)  	    ;  	qsort(functions,i,sizeof *functions,SortFnByName); -	if ((ret=lh_new(hash, cmp)) == NULL) +	if ((ret=lh_FUNCTION_new()) == NULL)  		return(NULL);  	for (f=functions; f->name != NULL; f++) -		lh_insert(ret,f); +		(void)lh_FUNCTION_insert(ret,f);  	return(ret);  	} -/* static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b) */ -static int MS_CALLBACK cmp(const void *a_void, const void *b_void) -	{ -	return(strncmp(((const FUNCTION *)a_void)->name, -			((const FUNCTION *)b_void)->name,8)); -	} - -/* static unsigned long MS_CALLBACK hash(FUNCTION *a) */ -static unsigned long MS_CALLBACK hash(const void *a_void) -	{ -	return(lh_strhash(((const FUNCTION *)a_void)->name)); -	} diff --git a/openssl/apps/openssl.cnf b/openssl/apps/openssl.cnf index 9e59020c1..9d2cd5bfa 100644 --- a/openssl/apps/openssl.cnf +++ b/openssl/apps/openssl.cnf @@ -21,12 +21,17 @@ oid_section		= new_oids  [ new_oids ] -# We can add new OIDs in here for use by 'ca' and 'req'. +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.  # Add a simple OID like this:  # testoid1=1.2.3.4  # Or use config file substitution like this:  # testoid2=${testoid1}.5.6 +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 +  ####################################################################  [ ca ]  default_ca	= CA_default		# The default ca section 
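Review bot: function_cmp compares only the first eight characters (`return strncmp(a->name,b->name,8);`) while function_hash hashes the whole name, so two commands with a common 8-byte prefix, such as camellia-128-cbc and camellia-128-ecb, compare equal here and are told apart only by their hash values. The removed cmp had the same limit, but since this commit rewrites the comparator for the typed lhash it is the moment to make it exact: `return strcmp(a->name,b->name);`. list_cipher_fn and list_md_fn are also line-for-line duplicates apart from the name accessor; one static helper taking the already-resolved name and the from/to pair would remove the copy. A one-line comment on list_pkey saying that it enumerates every registered EVP_PKEY_ASN1_METHOD and prints aliases differently from real methods would help readers who have not seen EVP_PKEY_asn1_get0_info before.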
@@ -67,7 +72,7 @@ cert_opt 	= ca_default		# Certificate field options  default_days	= 365			# how long to certify for  default_crl_days= 30			# how long before next CRL -default_md	= sha1			# which md to use. +default_md	= default		# use public key default MD  preserve	= no			# keep passed DN ordering  # A few difference way of specifying how similar the request should look @@ -110,13 +115,12 @@ x509_extensions	= v3_ca	# The extentions to add to the self signed cert  # This sets a mask for permitted string types. There are several options.   # default: PrintableString, T61String, BMPString. -# pkix	 : PrintableString, BMPString. -# utf8only: only UTF8Strings. +# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004).  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).  # MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only  # req_extensions = v3_req # The extensions to add to a certificate request @@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer  #nsCaPolicyUrl  #nsSslServerName +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping +  [ v3_req ]  # Extensions to add to a certificate request @@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment  subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer  # This is what PKIX recommends but some broken software chokes on critical  # extensions. 
@@ -257,7 +264,7 @@ basicConstraints = CA:true  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.  # issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always  [ proxy_cert_ext ]  # These extensions should be added when creating a proxy certificate @@ -290,7 +297,7 @@ nsComment			= "OpenSSL Generated Certificate"  # PKIX recommendations harmless if included in all certificates.  subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer  # This stuff is for subjectAltName and issuerAltname.  # Import the email address. 
@@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always  # This really needs to be in place for it to be a proxy certificate.  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1	# the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir		= ./demoCA		# TSA root directory +serial		= $dir/tsaserial	# The current serial number (mandatory) +crypto_device	= builtin		# OpenSSL engine to use for signing +signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate +					# (optional) +certs		= $dir/cacert.pem	# Certificate chain to include in reply +					# (optional) +signer_key	= $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy	= tsa_policy1		# Policy if request did not specify it +					# (optional) +other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional) +digests		= md5, sha1		# Acceptable message digests (mandatory) +accuracy	= secs:1, millisecs:500, microsecs:100	# (optional) +clock_precision_digits  = 0	# number of digits after dot. (optional) +ordering		= yes	# Is ordering defined for timestamps? +				# (optional, default: no) +tsa_name		= yes	# Must the TSA name be included in the reply? +				# (optional, default: no) +ess_cert_id_chain	= no	# Must the ESS cert id chain be included? +				# (optional, default: no) diff --git a/openssl/apps/pkcs12.c b/openssl/apps/pkcs12.c index 248bc1154..514a02e0f 100644 --- a/openssl/apps/pkcs12.c +++ b/openssl/apps/pkcs12.c @@ -88,6 +88,7 @@ int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name);  void hex_prin(BIO *out, unsigned char *buf, int len);  int alg_print(BIO *x, X509_ALGOR *alg);  int cert_load(BIO *in, STACK_OF(X509) *sk); +static int set_pbe(BIO *err, int *ppbe, const char *str);  int MAIN(int, char **); 
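Review bot: `digests = md5, sha1` in [tsa_config1] lets the example TSA issue time-stamps over MD5 message imprints, and a token bound to a collidable digest can be reused for any other document with the same MD5 value, which defeats the purpose of the stamp. Because this is the shipped example configuration that deployments tend to copy unchanged, listing only `digests = sha1` (with a comment pointing at stronger SHA-2 digests where the build supports them) is the safer default. The other keys are explained inline, which is good; `default_policy`/`other_policies` could additionally note that the names resolve through the tsa_policy* OIDs added in [new_oids] earlier in this diff, since that cross-reference is not obvious from the section itself.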
@@ -111,16 +112,17 @@ int MAIN(int argc, char **argv)      int maciter = PKCS12_DEFAULT_ITER;      int twopass = 0;      int keytype = 0; -    int cert_pbe; +    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;      int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;      int ret = 1;      int macver = 1;      int noprompt = 0; -    STACK *canames = NULL; +    STACK_OF(OPENSSL_STRING) *canames = NULL;      char *cpass = NULL, *mpass = NULL;      char *passargin = NULL, *passargout = NULL, *passarg = NULL;      char *passin = NULL, *passout = NULL;      char *inrand = NULL; +    char *macalg = NULL;      char *CApath = NULL, *CAfile = NULL;  #ifndef OPENSSL_NO_ENGINE      char *engine=NULL; @@ -128,13 +130,6 @@ int MAIN(int argc, char **argv)      apps_startup(); -#ifdef OPENSSL_FIPS -    if (FIPS_mode()) -	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -    else -#endif -    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; -      enc = EVP_des_ede3_cbc();      if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); 
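Review bot: the second hunk removes the FIPS-mode branch that selected NID_pbe_WithSHA1And3_Key_TripleDES_CBC for cert_pbe, and the initializer at the top of the first hunk now pins `int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;` unconditionally, so unless that selection now happens outside these hunks a FIPS build will encrypt the certificate bags with 40-bit RC2 by default, which is both non-approved and the weakest PBE the tool offers. If dropping the conditional is intentional, the change should say so in the commit message or a comment next to the initializer, e.g. `/* default PBE for certificate bags; -certpbe/-descert override it */`, and the usage text that still advertises "default RC2-40" should point users at `-certpbe` for a stronger cipher. Otherwise keep the FIPS-aware default.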
@@ -185,33 +180,18 @@ int MAIN(int argc, char **argv)  					 maciter = 1;  		else if (!strcmp (*args, "-nomac"))  					 maciter = -1; +		else if (!strcmp (*args, "-macalg")) +		    if (args[1]) { +			args++;	 +			macalg = *args; +		    } else badarg = 1;  		else if (!strcmp (*args, "-nodes")) enc=NULL;  		else if (!strcmp (*args, "-certpbe")) { -			if (args[1]) { -				args++; -				if (!strcmp(*args, "NONE")) -					cert_pbe = -1; -				else -					cert_pbe=OBJ_txt2nid(*args); -				if(cert_pbe == NID_undef) { -					BIO_printf(bio_err, -						 "Unknown PBE algorithm %s\n", *args); -					badarg = 1; -				} -			} else badarg = 1; +			if (!set_pbe(bio_err, &cert_pbe, *++args)) +				badarg = 1;  		} else if (!strcmp (*args, "-keypbe")) { -			if (args[1]) { -				args++; -				if (!strcmp(*args, "NONE")) -					key_pbe = -1; -				else -					key_pbe=OBJ_txt2nid(*args); -				if(key_pbe == NID_undef) { -					BIO_printf(bio_err, -						 "Unknown PBE algorithm %s\n", *args); -					badarg = 1; -				} -			} else badarg = 1; +			if (!set_pbe(bio_err, &key_pbe, *++args)) +				badarg = 1;  		} else if (!strcmp (*args, "-rand")) {  		    if (args[1]) {  			args++;	 @@ -242,8 +222,8 @@ int MAIN(int argc, char **argv)  		} else if (!strcmp (*args, "-caname")) {  		    if (args[1]) {  			args++;	 -			if (!canames) canames = sk_new_null(); -			sk_push(canames, *args); +			if (!canames) canames = sk_OPENSSL_STRING_new_null(); +			sk_OPENSSL_STRING_push(canames, *args);  		    } else badarg = 1;  		} else if (!strcmp (*args, "-in")) {  		    if (args[1]) { 
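Review bot: `if (!set_pbe(bio_err, &cert_pbe, *++args))` advances args before checking that a value follows, so when -certpbe (or -keypbe, three lines below) is the last argument, `*++args` is the argv terminator; set_pbe rejects the NULL and badarg is set, but args now points at the terminator and, if the loop's own `args++` outside the hunk runs before badarg is acted on, the next iteration reads past argv[argc]. The removed code guarded with `if (args[1])` first; keep that guard: `if (!args[1] || !set_pbe(bio_err, &cert_pbe, *++args)) badarg = 1;` and the same for -keypbe. The new -macalg branch nests an unbraced `if (args[1]) { ... } else badarg = 1;` inside an else-if chain; braces around the branch body would make the dangling-else binding explicit, as the neighbouring options already do.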
@@ -332,11 +312,14 @@ int MAIN(int argc, char **argv)  #endif  	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");  	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n"); +	BIO_printf (bio_err, "-nomaciter    don't use MAC iteration\n");  	BIO_printf (bio_err, "-maciter      use MAC iteration\n"); +	BIO_printf (bio_err, "-nomac        don't generate MAC\n");  	BIO_printf (bio_err, "-twopass      separate MAC, encryption passwords\n");  	BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");  	BIO_printf (bio_err, "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");  	BIO_printf (bio_err, "-keypbe alg   specify private key PBE algorithm (default 3DES)\n"); +	BIO_printf (bio_err, "-macalg alg   digest algorithm used in MAC (default SHA1)\n");  	BIO_printf (bio_err, "-keyex        set MS key exchange type\n");  	BIO_printf (bio_err, "-keysig       set MS key signature type\n");  	BIO_printf (bio_err, "-password p   set import/export password source\n"); @@ -348,8 +331,8 @@ int MAIN(int argc, char **argv)  	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);  	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");  	BIO_printf(bio_err,  "              the random number generator\n"); -  	BIO_printf(bio_err,  "-CSP name     Microsoft CSP name\n"); - 	BIO_printf(bio_err,  "-LMK          Add local machine keyset attribute to private key\n"); +	BIO_printf(bio_err,  "-CSP name     Microsoft CSP name\n"); +	BIO_printf(bio_err,  "-LMK          Add local machine keyset attribute to private key\n");      	goto end;      } @@ -439,6 +422,7 @@ int MAIN(int argc, char **argv)  	EVP_PKEY *key = NULL;  	X509 *ucert = NULL, *x = NULL;  	STACK_OF(X509) *certs=NULL; +	const EVP_MD *macmd = NULL;  	unsigned char *catmp = NULL;  	int i; 
@@ -565,9 +549,9 @@ int MAIN(int argc, char **argv)  	/* Add any CA names */ -	for (i = 0; i < sk_num(canames); i++) +	for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++)  		{ -		catmp = (unsigned char *)sk_value(canames, i); +		catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i);  		X509_alias_set1(sk_X509_value(certs, i), catmp, -1);  		} @@ -605,8 +589,18 @@ int MAIN(int argc, char **argv)  		goto export_end;  		} +	if (macalg) +		{ +		macmd = EVP_get_digestbyname(macalg); +		if (!macmd) +			{ +			BIO_printf(bio_err, "Unknown digest algorithm %s\n",  +						macalg); +			} +		} +  	if (maciter != -1) -		PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL); +		PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);  #ifdef CRYPTO_MDEBUG  	CRYPTO_pop_info(); @@ -693,7 +687,7 @@ int MAIN(int argc, char **argv)  #endif      BIO_free(in);      BIO_free_all(out); -    if (canames) sk_free(canames); +    if (canames) sk_OPENSSL_STRING_free(canames);      if(passin) OPENSSL_free(passin);      if(passout) OPENSSL_free(passout);      apps_shutdown(); @@ -929,7 +923,7 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name)  			av = sk_ASN1_TYPE_value(attr->value.set, 0);  			switch(av->type) {  				case V_ASN1_BMPSTRING: -        			value = uni2asc(av->value.bmpstring->data, +        			value = OPENSSL_uni2asc(av->value.bmpstring->data,                                  	       av->value.bmpstring->length);  				BIO_printf(out, "%s\n", value);  				OPENSSL_free(value); @@ -962,4 +956,22 @@ void hex_prin(BIO *out, unsigned char *buf, int len)  	for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]);  } +static int set_pbe(BIO *err, int *ppbe, const char *str) +	{ +	if (!str) +		return 0; +	if (!strcmp(str, "NONE")) +		{ +		*ppbe = -1; +		return 1; +		} +	*ppbe=OBJ_txt2nid(str); +	if (*ppbe == NID_undef) +		{ +		BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); +		return 0; +		} +	return 1; +	} +			  #endif 
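Review bot: an unknown -macalg name is reported but not acted on in the second hunk: after `BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg);` macmd stays NULL and the very next statement calls `PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);`, so the file is still written with whatever digest the library substitutes for NULL rather than the one the user explicitly asked for. Add `goto export_end;` after the message, which is how the surrounding error paths in this function bail out. A one-line comment such as `/* NULL macmd selects the library default MAC digest */` on the PKCS12_set_mac call would also document the intended behaviour when -macalg is absent.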
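Review bot: set_pbe in the last hunk takes a `BIO *err` parameter but reports through the global bio_err, so the parameter is dead and the function cannot be pointed at another stream; use `BIO_printf(err, "Unknown PBE algorithm %s\n", str);`. A short header comment would help the next reader, e.g. `/* Resolve a PBE name ("NONE" or an OBJ short/long name) into *ppbe; returns 0 on NULL or unknown input, leaving *ppbe as NID_undef. */`, since the -1 sentinel for "NONE" is otherwise only discoverable from the callers. The stray whitespace-only line between the closing brace and `#endif` can go as well.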
diff --git a/openssl/apps/pkcs7.c b/openssl/apps/pkcs7.c index da4dbe7a0..86d31b99a 100644 --- a/openssl/apps/pkcs7.c +++ b/openssl/apps/pkcs7.c @@ -90,7 +90,7 @@ int MAIN(int argc, char **argv)  	BIO *in=NULL,*out=NULL;  	int informat,outformat;  	char *infile,*outfile,*prog; -	int print_certs=0,text=0,noout=0; +	int print_certs=0,text=0,noout=0,p7_print=0;  	int ret=1;  #ifndef OPENSSL_NO_ENGINE  	char *engine=NULL; @@ -139,6 +139,8 @@ int MAIN(int argc, char **argv)  			noout=1;  		else if (strcmp(*argv,"-text") == 0)  			text=1; +		else if (strcmp(*argv,"-print") == 0) +			p7_print=1;  		else if (strcmp(*argv,"-print_certs") == 0)  			print_certs=1;  #ifndef OPENSSL_NO_ENGINE @@ -238,6 +240,9 @@ bad:  			}  		} +	if (p7_print) +		PKCS7_print_ctx(out, p7, 0, NULL); +  	if (print_certs)  		{  		STACK_OF(X509) *certs=NULL; diff --git a/openssl/apps/pkcs8.c b/openssl/apps/pkcs8.c index 9633a149b..7edeb179d 100644 --- a/openssl/apps/pkcs8.c +++ b/openssl/apps/pkcs8.c @@ -80,11 +80,12 @@ int MAIN(int argc, char **argv)  	int informat, outformat;  	int p8_broken = PKCS8_OK;  	int nocrypt = 0; -	X509_SIG *p8; -	PKCS8_PRIV_KEY_INFO *p8inf; +	X509_SIG *p8 = NULL; +	PKCS8_PRIV_KEY_INFO *p8inf = NULL;  	EVP_PKEY *pkey=NULL;  	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;  	int badarg = 0; +	int ret = 1;  #ifndef OPENSSL_NO_ENGINE  	char *engine=NULL;  #endif @@ -225,7 +226,7 @@ int MAIN(int argc, char **argv)  #ifndef OPENSSL_NO_ENGINE  		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");  #endif -		return 1; +		goto end;  		}  #ifndef OPENSSL_NO_ENGINE @@ -235,7 +236,7 @@ int MAIN(int argc, char **argv)  	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))  		{  		BIO_printf(bio_err, "Error getting passwords\n"); -		return 1; +		goto end;  		}  	if ((pbe_nid == -1) && !cipher) 
@@ -247,7 +248,7 @@ int MAIN(int argc, char **argv)  			{  			BIO_printf(bio_err,  				 "Can't open input file %s\n", infile); -			return (1); +			goto end;  			}  		}  	else @@ -259,7 +260,7 @@ int MAIN(int argc, char **argv)  			{  			BIO_printf(bio_err,  				 "Can't open output file %s\n", outfile); -			return (1); +			goto end;  			}  		}  	else @@ -274,21 +275,15 @@ int MAIN(int argc, char **argv)  		}  	if (topk8)  		{ -		BIO_free(in); /* Not needed in this section */  		pkey = load_key(bio_err, infile, informat, 1,  			passin, e, "key");  		if (!pkey) -			{ -			BIO_free_all(out); -			return 1; -			} +			goto end;  		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))  			{  			BIO_printf(bio_err, "Error converting key\n");  			ERR_print_errors(bio_err); -			EVP_PKEY_free(pkey); -			BIO_free_all(out); -			return 1; +			goto end;  			}  		if (nocrypt)  			{ @@ -299,10 +294,7 @@ int MAIN(int argc, char **argv)  			else  				{  				BIO_printf(bio_err, "Bad format specified for key\n"); -				PKCS8_PRIV_KEY_INFO_free(p8inf); -				EVP_PKEY_free(pkey); -				BIO_free_all(out); -				return (1); +				goto end;  				}  			}  		else @@ -313,12 +305,7 @@ int MAIN(int argc, char **argv)  				{  				p8pass = pass;  				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1)) -					{ -					PKCS8_PRIV_KEY_INFO_free(p8inf); -					EVP_PKEY_free(pkey); -					BIO_free_all(out); -					return (1); -					} +					goto end;  				}  			app_RAND_load_file(NULL, bio_err, 0);  			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, @@ -327,10 +314,7 @@ int MAIN(int argc, char **argv)  				{  				BIO_printf(bio_err, "Error encrypting key\n");  				ERR_print_errors(bio_err); -				PKCS8_PRIV_KEY_INFO_free(p8inf); -				EVP_PKEY_free(pkey); -				BIO_free_all(out); -				return (1); +				goto end;  				}  			app_RAND_write_file(NULL, bio_err);  			if (outformat == FORMAT_PEM)  
@@ -340,22 +324,12 @@ int MAIN(int argc, char **argv)  			else  				{  				BIO_printf(bio_err, "Bad format specified for key\n"); -				PKCS8_PRIV_KEY_INFO_free(p8inf); -				EVP_PKEY_free(pkey); -				BIO_free_all(out); -				return (1); +				goto end;  				} -			X509_SIG_free(p8);  			} -		PKCS8_PRIV_KEY_INFO_free (p8inf); -		EVP_PKEY_free(pkey); -		BIO_free_all(out); -		if (passin) -			OPENSSL_free(passin); -		if (passout) -			OPENSSL_free(passout); -		return (0); +		ret = 0; +		goto end;  		}  	if (nocrypt) @@ -367,7 +341,7 @@ int MAIN(int argc, char **argv)  		else  			{  			BIO_printf(bio_err, "Bad format specified for key\n"); -			return (1); +			goto end;  			}  		}  	else @@ -379,14 +353,14 @@ int MAIN(int argc, char **argv)  		else  			{  			BIO_printf(bio_err, "Bad format specified for key\n"); -			return (1); +			goto end;  			}  		if (!p8)  			{  			BIO_printf (bio_err, "Error reading key\n");  			ERR_print_errors(bio_err); -			return (1); +			goto end;  			}  		if (passin)  			p8pass = passin; @@ -396,21 +370,20 @@ int MAIN(int argc, char **argv)  			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);  			}  		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); -		X509_SIG_free(p8);  		}  	if (!p8inf)  		{  		BIO_printf(bio_err, "Error decrypting key\n");  		ERR_print_errors(bio_err); -		return (1); +		goto end;  		}  	if (!(pkey = EVP_PKCS82PKEY(p8inf)))  		{  		BIO_printf(bio_err, "Error converting key\n");  		ERR_print_errors(bio_err); -		return (1); +		goto end;  		}  	if (p8inf->broken) 
@@ -430,13 +403,16 @@ int MAIN(int argc, char **argv)  			BIO_printf(bio_err, "DSA public key include in PrivateKey\n");  			break; +			case PKCS8_NEG_PRIVKEY: +			BIO_printf(bio_err, "DSA private key value is negative\n"); +			break; +  			default:  			BIO_printf(bio_err, "Unknown broken type\n");  			break;  		}  	} -	PKCS8_PRIV_KEY_INFO_free(p8inf);  	if (outformat == FORMAT_PEM)   		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);  	else if (outformat == FORMAT_ASN1) @@ -444,10 +420,13 @@ int MAIN(int argc, char **argv)  	else  		{  		BIO_printf(bio_err, "Bad format specified for key\n"); -			return (1); +			goto end;  		} +	ret = 0;  	end: +	X509_SIG_free(p8); +	PKCS8_PRIV_KEY_INFO_free(p8inf);  	EVP_PKEY_free(pkey);  	BIO_free_all(out);  	BIO_free(in); @@ -456,5 +435,5 @@ int MAIN(int argc, char **argv)  	if (passout)  		OPENSSL_free(passout); -	return (0); +	return ret;  	} diff --git a/openssl/apps/pkeyparam.c b/openssl/apps/pkeyparam.c index 4319eb4de..7f18010f9 100644 --- a/openssl/apps/pkeyparam.c +++ b/openssl/apps/pkeyparam.c @@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)  	pkey = PEM_read_bio_Parameters(in, NULL);  	if (!pkey)  		{ -		BIO_printf(bio_err, "Error reading paramters\n"); +		BIO_printf(bio_err, "Error reading parameters\n");  		ERR_print_errors(bio_err);  		goto end;  		} diff --git a/openssl/apps/pkeyutl.c b/openssl/apps/pkeyutl.c index b808e1ef4..22a6c4bf3 100644 --- a/openssl/apps/pkeyutl.c +++ b/openssl/apps/pkeyutl.c 
@@ -390,7 +390,7 @@ static void usage()  	BIO_printf(bio_err, "Usage: pkeyutl [options]\n");  	BIO_printf(bio_err, "-in file        input file\n");  	BIO_printf(bio_err, "-out file       output file\n"); -	BIO_printf(bio_err, "-signature file signature file (verify operation only)\n"); +	BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");  	BIO_printf(bio_err, "-inkey file     input key\n");  	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");  	BIO_printf(bio_err, "-pubin          input is a public key\n"); diff --git a/openssl/apps/prime.c b/openssl/apps/prime.c index af2fed15a..f1aaef872 100644 --- a/openssl/apps/prime.c +++ b/openssl/apps/prime.c @@ -62,6 +62,9 @@ int MAIN(int argc, char **argv)      {      int hex=0;      int checks=20; +    int generate=0; +    int bits=0; +    int safe=0;      BIGNUM *bn=NULL;      BIO *bio_out; @@ -77,6 +80,15 @@ int MAIN(int argc, char **argv)  	{  	if(!strcmp(*argv,"-hex"))  	    hex=1; +	else if(!strcmp(*argv,"-generate")) +	    generate=1; +	else if(!strcmp(*argv,"-bits")) +	    if(--argc < 1) +		goto bad; +	    else +		bits=atoi(*++argv); +	else if(!strcmp(*argv,"-safe")) +	    safe=1;  	else if(!strcmp(*argv,"-checks"))  	    if(--argc < 1)  		goto bad; @@ -91,13 +103,13 @@ int MAIN(int argc, char **argv)  	++argv;  	} -    if (argv[0] == NULL) +    if (argv[0] == NULL && !generate)  	{  	BIO_printf(bio_err,"No prime specified\n");  	goto bad;  	} -   if ((bio_out=BIO_new(BIO_s_file())) != NULL) +    if ((bio_out=BIO_new(BIO_s_file())) != NULL)  	{  	BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);  #ifdef OPENSSL_SYS_VMS 
@@ -108,14 +120,32 @@ int MAIN(int argc, char **argv)  #endif  	} -    if(hex) -	BN_hex2bn(&bn,argv[0]); +    if(generate) +	{ +	char *s; + +	if(!bits) +	    { +	    BIO_printf(bio_err,"Specifiy the number of bits.\n"); +	    return 1; +	    } +	bn=BN_new(); +	BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL); +	s=hex ? BN_bn2hex(bn) : BN_bn2dec(bn); +	BIO_printf(bio_out,"%s\n",s); +	OPENSSL_free(s); +	}      else -	BN_dec2bn(&bn,argv[0]); +	{ +	if(hex) +	    BN_hex2bn(&bn,argv[0]); +	else +	    BN_dec2bn(&bn,argv[0]); -    BN_print(bio_out,bn); -    BIO_printf(bio_out," is %sprime\n", -	       BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); +	BN_print(bio_out,bn); +	BIO_printf(bio_out," is %sprime\n", +		   BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); +	}      BN_free(bn);      BIO_free_all(bio_out); diff --git a/openssl/apps/progs.h b/openssl/apps/progs.h index aafd800bd..79e479a33 100644 --- a/openssl/apps/progs.h +++ b/openssl/apps/progs.h @@ -22,6 +22,7 @@ extern int ecparam_main(int argc,char *argv[]);  extern int x509_main(int argc,char *argv[]);  extern int genrsa_main(int argc,char *argv[]);  extern int gendsa_main(int argc,char *argv[]); +extern int genpkey_main(int argc,char *argv[]);  extern int s_server_main(int argc,char *argv[]);  extern int s_client_main(int argc,char *argv[]);  extern int speed_main(int argc,char *argv[]); 
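Review bot: the generate branch prints whatever bn holds without checking that generation succeeded: both `bn=BN_new();` and `BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL);` return unchecked, and because -bits is parsed with atoi in the previous hunk (on the line above, `bits=atoi(*++argv);`) a negative or non-numeric value passes the `!bits` test, makes BN_generate_prime_ex fail, and the tool prints 0 as the "generated prime". The `return 1;` on the missing-bits path also leaks bio_out, and the message has a typo ("Specifiy"). Check the results and release bio_out on every exit; ERR_print_errors assumes <openssl/err.h> is already in scope, as in the other apps in this diff.
```c
	if(generate)
	    {
	    char *s;

	    if(bits <= 0)
		{
		BIO_printf(bio_err,"Specify the number of bits.\n");
		BIO_free_all(bio_out);
		return 1;
		}
	    bn=BN_new();
	    if(bn == NULL || !BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL))
		{
		BIO_printf(bio_err,"Prime generation failed.\n");
		ERR_print_errors(bio_err);
		BN_free(bn);
		BIO_free_all(bio_out);
		return 1;
		}
	    s=hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
	    BIO_printf(bio_out,"%s\n",s);
	    OPENSSL_free(s);
	    }
	/* … unchanged: primality-test branch for an explicit argument … */
```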
@@ -35,22 +36,30 @@ extern int ciphers_main(int argc,char *argv[]);  extern int nseq_main(int argc,char *argv[]);  extern int pkcs12_main(int argc,char *argv[]);  extern int pkcs8_main(int argc,char *argv[]); +extern int pkey_main(int argc,char *argv[]); +extern int pkeyparam_main(int argc,char *argv[]); +extern int pkeyutl_main(int argc,char *argv[]);  extern int spkac_main(int argc,char *argv[]);  extern int smime_main(int argc,char *argv[]);  extern int rand_main(int argc,char *argv[]);  extern int engine_main(int argc,char *argv[]);  extern int ocsp_main(int argc,char *argv[]);  extern int prime_main(int argc,char *argv[]); +extern int ts_main(int argc,char *argv[]);  #define FUNC_TYPE_GENERAL	1  #define FUNC_TYPE_MD		2  #define FUNC_TYPE_CIPHER	3 +#define FUNC_TYPE_PKEY		4 +#define FUNC_TYPE_MD_ALG	5 +#define FUNC_TYPE_CIPHER_ALG	6  typedef struct {  	int type;  	const char *name;  	int (*func)(int argc,char *argv[]);  	} FUNCTION; +DECLARE_LHASH_OF(FUNCTION);  FUNCTION functions[] = {  	{FUNC_TYPE_GENERAL,"verify",verify_main}, @@ -96,6 +105,7 @@ FUNCTION functions[] = {  #ifndef OPENSSL_NO_DSA  	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},  #endif +	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},  #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))  	{FUNC_TYPE_GENERAL,"s_server",s_server_main},  #endif 
@@ -123,14 +133,20 @@ FUNCTION functions[] = {  	{FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main},  #endif  	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main}, +	{FUNC_TYPE_GENERAL,"pkey",pkey_main}, +	{FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main}, +	{FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main},  	{FUNC_TYPE_GENERAL,"spkac",spkac_main},  	{FUNC_TYPE_GENERAL,"smime",smime_main},  	{FUNC_TYPE_GENERAL,"rand",rand_main},  #ifndef OPENSSL_NO_ENGINE  	{FUNC_TYPE_GENERAL,"engine",engine_main},  #endif +#ifndef OPENSSL_NO_OCSP  	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, +#endif  	{FUNC_TYPE_GENERAL,"prime",prime_main}, +	{FUNC_TYPE_GENERAL,"ts",ts_main},  #ifndef OPENSSL_NO_MD2  	{FUNC_TYPE_MD,"md2",dgst_main},  #endif @@ -189,6 +205,9 @@ FUNCTION functions[] = {  	{FUNC_TYPE_CIPHER,"camellia-256-ecb",enc_main},  #endif  	{FUNC_TYPE_CIPHER,"base64",enc_main}, +#ifdef ZLIB +	{FUNC_TYPE_CIPHER,"zlib",enc_main}, +#endif  #ifndef OPENSSL_NO_DES  	{FUNC_TYPE_CIPHER,"des",enc_main},  #endif diff --git a/openssl/apps/progs.pl b/openssl/apps/progs.pl index 645432cfc..de6fdeabb 100644 --- a/openssl/apps/progs.pl +++ b/openssl/apps/progs.pl @@ -13,12 +13,16 @@ print <<'EOF';  #define FUNC_TYPE_GENERAL	1  #define FUNC_TYPE_MD		2  #define FUNC_TYPE_CIPHER	3 +#define FUNC_TYPE_PKEY		4 +#define FUNC_TYPE_MD_ALG	5 +#define FUNC_TYPE_CIPHER_ALG	6  typedef struct {  	int type;  	const char *name;  	int (*func)(int argc,char *argv[]);  	} FUNCTION; +DECLARE_LHASH_OF(FUNCTION);  FUNCTION functions[] = {  EOF @@ -45,6 +49,8 @@ foreach (@ARGV)  		{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }  	elsif ( ($_ =~ /^cms$/))  		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; } +	elsif ( ($_ =~ /^ocsp$/)) +		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }  	else  		{ print $str; }  	} 
@@ -62,7 +68,7 @@ foreach (  	"camellia-128-cbc", "camellia-128-ecb",  	"camellia-192-cbc", "camellia-192-ecb",  	"camellia-256-cbc", "camellia-256-ecb", -	"base64", +	"base64", "zlib",  	"des", "des3", "desx", "idea", "seed", "rc4", "rc4-40",  	"rc2", "bf", "cast", "rc5",  	"des-ecb", "des-ede",    "des-ede3", @@ -89,6 +95,7 @@ foreach (  	elsif ($_ =~ /bf/)   { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }  	elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; }  	elsif ($_ =~ /rc5/)  { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; } +	elsif ($_ =~ /zlib/)  { $t="#ifdef ZLIB\n${t}#endif\n"; }  	print $t;  	} diff --git a/openssl/apps/req.c b/openssl/apps/req.c index 5ed08960c..820cd18fc 100644 --- a/openssl/apps/req.c +++ b/openssl/apps/req.c 
@@ -141,39 +141,33 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def,  				int n_max, unsigned long chtype);  static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,  	int nid,int n_min,int n_max, unsigned long chtype, int mval); -#ifndef OPENSSL_NO_RSA -static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb); -#endif +static int genpkey_cb(EVP_PKEY_CTX *ctx);  static int req_check_len(int len,int n_min,int n_max);  static int check_end(const char *str, const char *end); +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, +					long *pkeylen, char **palgnam, +					ENGINE *keygen_engine);  #ifndef MONOLITH  static char *default_config_file=NULL;  #endif  static CONF *req_conf=NULL;  static int batch=0; -#define TYPE_RSA	1 -#define TYPE_DSA	2 -#define TYPE_DH		3 -#define TYPE_EC		4 -  int MAIN(int, char **);  int MAIN(int argc, char **argv)  	{ -	ENGINE *e = NULL; -#ifndef OPENSSL_NO_DSA -	DSA *dsa_params=NULL; -#endif -#ifndef OPENSSL_NO_ECDSA -	EC_KEY *ec_params = NULL; -#endif +	ENGINE *e = NULL, *gen_eng = NULL;  	unsigned long nmflag = 0, reqflag = 0;  	int ex=1,x509=0,days=30;  	X509 *x509ss=NULL;  	X509_REQ *req=NULL; +	EVP_PKEY_CTX *genctx = NULL; +	const char *keyalg = NULL; +	char *keyalgstr = NULL; +	STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;  	EVP_PKEY *pkey=NULL; -	int i=0,badops=0,newreq=0,verbose=0,pkey_type=TYPE_RSA; +	int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1;  	long newkey = -1;  	BIO *in=NULL,*out=NULL;  	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; @@ -193,7 +187,7 @@ int MAIN(int argc, char **argv)  	char *p;  	char *subj = NULL;  	int multirdn = 0; -	const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); +	const EVP_MD *md_alg=NULL,*digest=NULL;  	unsigned long chtype = MBSTRING_ASC;  #ifndef MONOLITH  	char *to_free; 
@@ -236,6 +230,16 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
+		else if (strcmp(*argv,"-keygen_engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			gen_eng = ENGINE_by_id(*(++argv));
+			if (gen_eng == NULL)
+				{
+				BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
+				goto end;
+				}
+			}
 #endif
 		else if (strcmp(*argv,"-key") == 0)
 			{
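Review bot: a repeated -keygen_engine overwrites gen_eng without releasing the reference taken by the earlier `gen_eng = ENGINE_by_id(*(++argv));`, and whether the surviving reference is released at `end` cannot be seen from this hunk. The failure path prints only the engine name; `ERR_print_errors(bio_err);` before `goto end` would surface the loader's actual reason, as the other apps in this diff do on failure. MAIN begins and ends outside the hunk.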
@@ -292,126 +296,20 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
-			int is_numeric;
-
-			if (--argc < 1) goto bad;
-			p= *(++argv);
-			is_numeric = p[0] >= '0' && p[0] <= '9';
-			if (strncmp("rsa:",p,4) == 0 || is_numeric)
-				{
-				pkey_type=TYPE_RSA;
-				if(!is_numeric)
-				    p+=4;
-				newkey= atoi(p);
-				}
-			else
-#ifndef OPENSSL_NO_DSA
-				if (strncmp("dsa:",p,4) == 0)
-				{
-				X509 *xtmp=NULL;
-				EVP_PKEY *dtmp;
-
-				pkey_type=TYPE_DSA;
-				p+=4;
-				if ((in=BIO_new_file(p,"r")) == NULL)
-					{
-					perror(p);
-					goto end;
-					}
-				if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
-					{
-					ERR_clear_error();
-					(void)BIO_reset(in);
-					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
-						{
-						BIO_printf(bio_err,"unable to load DSA parameters from file\n");
-						goto end;
-						}
-
-					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
-					if (dtmp->type == EVP_PKEY_DSA)
-						dsa_params=DSAparams_dup(dtmp->pkey.dsa);
-					EVP_PKEY_free(dtmp);
-					X509_free(xtmp);
-					if (dsa_params == NULL)
-						{
-						BIO_printf(bio_err,"Certificate does not contain DSA parameters\n");
-						goto end;
-						}
-					}
-				BIO_free(in);
-				in=NULL;
-				newkey=BN_num_bits(dsa_params->p);
-				}
-			else 
-#endif
-#ifndef OPENSSL_NO_ECDSA
-				if (strncmp("ec:",p,3) == 0)
-				{
-				X509 *xtmp=NULL;
-				EVP_PKEY *dtmp;
-				EC_GROUP *group;
-
-				pkey_type=TYPE_EC;
-				p+=3;
-				if ((in=BIO_new_file(p,"r")) == NULL)
-					{
-					perror(p);
-					goto end;
-					}
-				if ((ec_params = EC_KEY_new()) == NULL)
-					goto end;
-				group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
-				if (group == NULL)
-					{
-					EC_KEY_free(ec_params);
-					ERR_clear_error();
-					(void)BIO_reset(in);
-					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
-						{	
-						BIO_printf(bio_err,"unable to load EC parameters from 
file\n");
-						goto end;
-						}
-
-					if ((dtmp=X509_get_pubkey(xtmp))==NULL)
-						goto end;
-					if (dtmp->type == EVP_PKEY_EC)
-						ec_params = EC_KEY_dup(dtmp->pkey.ec);
-					EVP_PKEY_free(dtmp);
-					X509_free(xtmp);
-					if (ec_params == NULL)
-						{
-						BIO_printf(bio_err,"Certificate does not contain EC parameters\n");
-						goto end;
-						}
-					}
-				else
-					{
-					if (EC_KEY_set_group(ec_params, group) == 0)
-						goto end;
-					EC_GROUP_free(group);
-					}
-
-				BIO_free(in);
-				in=NULL;
-				newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params));
-				}
-			else
-#endif
-#ifndef OPENSSL_NO_DH
-				if (strncmp("dh:",p,4) == 0)
-				{
-				pkey_type=TYPE_DH;
-				p+=3;
-				}
-			else
-#endif
-				{
+			if (--argc < 1)
 				goto bad;
-				}
-
+			keyalg = *(++argv);
 			newreq=1;
 			}
+		else if (strcmp(*argv,"-pkeyopt") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			if (!pkeyopts)
+				pkeyopts = sk_OPENSSL_STRING_new_null();
+			if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
+				goto bad;
+			}
 		else if (strcmp(*argv,"-batch") == 0)
 			batch=1;
 		else if (strcmp(*argv,"-newhdr") == 0)
@@ -467,11 +365,6 @@ int MAIN(int argc, char **argv)
 			serial = s2i_ASN1_INTEGER(NULL, *(++argv));
 			if (!serial) goto bad;
 			}
-		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
-			{
-			/* ok */
-			digest=md_alg;
-			}
 		else if (strcmp(*argv,"-extensions") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -482,6 +375,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			req_exts = *(++argv);
 			}
+		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+			{
+			/* ok */
+			digest=md_alg;
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
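Review bot: In the `-pkeyopt` branch a failed `sk_OPENSSL_STRING_new_null()` or `sk_OPENSSL_STRING_push()` jumps to `bad`, which reports a usage error for what is actually an allocation failure; `BIO_puts(bio_err, "Out of memory\n"); goto end;` would report it accurately and still run the cleanup. The `-newkey` argument is now stored unparsed in `keyalg` and interpreted only later by `set_keygen_ctx`, so a malformed value is no longer rejected at option-parsing time; a comment at `keyalg = *(++argv);` such as `/* parsed by set_keygen_ctx() once the config is loaded */` would save the next reader a search. MAIN's option loop starts and ends outside this hunk.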
@@ -730,15 +628,20 @@ bad:
 	if (newreq && (pkey == NULL))
 		{
-#ifndef OPENSSL_NO_RSA
-		BN_GENCB cb;
-#endif
 		char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 		if (randfile == NULL)
 			ERR_clear_error();
 		app_RAND_load_file(randfile, bio_err, 0);
 		if (inrand)
 			app_RAND_load_files(inrand);
+
+		if (keyalg)
+			{
+			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
+							&keyalgstr, gen_eng);
+			if (!genctx)
+				goto end;
+			}
 		if (newkey <= 0)
 			{
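Review bot: When `-newkey` names an algorithm without a size (for example `rsa` with no `:bits`), this `set_keygen_ctx` call creates `genctx` with its internal `keylen` still -1, so no RSA bit count is ever set on the context; the `newkey <= 0` fallback to `DEFAULT_KEY_LENGTH` that follows (and the `MIN_KEY_LENGTH` check and "Generating a %ld bit" message in the next hunk) then describe a size the keygen does not actually use, because the second `set_keygen_ctx` call in that hunk is skipped once `genctx` exists. If `DEFAULT_KEY_LENGTH` differs from the key method's own default, the tool prints one size and generates another. One fix is to have `set_keygen_ctx` report whether it applied a size, and to set the resolved `newkey` on `genctx` when it did not. The enclosing `if (newreq && (pkey == NULL))` block continues outside this hunk.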
@@ -746,57 +649,54 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}
-		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
+		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
 			BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
-		BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":
-			(pkey_type == TYPE_DSA)?"DSA":"EC");
-
-		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
-#ifndef OPENSSL_NO_RSA
-		BN_GENCB_set(&cb, req_cb, bio_err);
-		if (pkey_type == TYPE_RSA)
-			{
-			RSA *rsa = RSA_new();
-			BIGNUM *bn = BN_new();
-			if(!bn || !rsa || !BN_set_word(bn, 0x10001) ||
-					!RSA_generate_key_ex(rsa, newkey, bn, &cb) ||
-					!EVP_PKEY_assign_RSA(pkey, rsa))
-				{
-				if(bn) BN_free(bn);
-				if(rsa) RSA_free(rsa);
+		if (!genctx)
+			{
+			genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
+							&keyalgstr, gen_eng);
+			if (!genctx)
 				goto end;
-				}
-			BN_free(bn);
 			}
-		else
-#endif
-#ifndef OPENSSL_NO_DSA
-			if (pkey_type == TYPE_DSA)
+
+		if (pkeyopts)
 			{
-			if (!DSA_generate_key(dsa_params)) goto end;
-			if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end;
-			dsa_params=NULL;
+			char *genopt;
+			for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++)
+				{
+				genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
+				if (pkey_ctrl_string(genctx, genopt) <= 0)
+					{
+					BIO_printf(bio_err,
+						"parameter error \"%s\"\n",
+						genopt);
+					ERR_print_errors(bio_err);
+					goto end;
+					}
+				}
 			}
-#endif
-#ifndef OPENSSL_NO_ECDSA
-			if (pkey_type == TYPE_EC)
+
+		BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
+				newkey, keyalgstr);
+
+		EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
+		EVP_PKEY_CTX_set_app_data(genctx, bio_err);
+
+		if (EVP_PKEY_keygen(genctx, &pkey) <= 
0)
 			{
-			if (!EC_KEY_generate_key(ec_params)) goto end;
-			if (!EVP_PKEY_assign_EC_KEY(pkey, ec_params)) 
-				goto end;
-			ec_params = NULL;
+			BIO_puts(bio_err, "Error Generating Key\n");
+			goto end;
 			}
-#endif
-		app_RAND_write_file(randfile, bio_err);
+		EVP_PKEY_CTX_free(genctx);
+		genctx = NULL;
-		if (pkey == NULL) goto end;
+		app_RAND_write_file(randfile, bio_err);
 		if (keyout == NULL)
 			{
@@ -895,14 +795,7 @@ loop:
 			BIO_printf(bio_err,"you need to specify a private key\n");
 			goto end;
 			}
-#ifndef OPENSSL_NO_DSA
-		if (pkey->type == EVP_PKEY_DSA)
-			digest=EVP_dss1();
-#endif
-#ifndef OPENSSL_NO_ECDSA
-		if (pkey->type == EVP_PKEY_EC)
-			digest=EVP_ecdsa();
-#endif
+
 		if (req == NULL)
 			{
 			req=X509_REQ_new();
@@ -945,7 +838,7 @@ loop:
 			if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
 			if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
-			if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
+			if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end;
 			if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
 			tmppkey = X509_REQ_get_pubkey(req);
 			if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
@@ -967,7 +860,10 @@ loop:
 				}
 			if (!(i=X509_sign(x509ss,pkey,digest)))
+				{
+				ERR_print_errors(bio_err);
 				goto end;
+				}
 			}
 		else
 			{
@@ -988,7 +884,10 @@ loop:
 				goto end;
 				}
 			if (!(i=X509_REQ_sign(req,pkey,digest)))
+				{
+				ERR_print_errors(bio_err);
 				goto end;
+				}
 			}
 		}
@@ -1125,7 +1024,7 @@ loop:
 			}
 		fprintf(stdout,"Modulus=");
 #ifndef OPENSSL_NO_RSA
-		if (tpubkey->type == EVP_PKEY_RSA)
+		if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
 			BN_print(out,tpubkey->pkey.rsa->n);
 		else
 #endif
@@ -1181,18 +1080,22 @@ end:
 	BIO_free(in);
 	BIO_free_all(out);
 	EVP_PKEY_free(pkey);
+	if (genctx)
+		EVP_PKEY_CTX_free(genctx);
+	if (pkeyopts)
+		sk_OPENSSL_STRING_free(pkeyopts);
+#ifndef OPENSSL_NO_ENGINE
+	if (gen_eng)
+		ENGINE_free(gen_eng);
+#endif
+	if (keyalgstr)
+		OPENSSL_free(keyalgstr);
 	X509_REQ_free(req);
 	X509_free(x509ss);
 	ASN1_INTEGER_free(serial);
 	if(passargin && passin) OPENSSL_free(passin);
 	if(passargout && passout) OPENSSL_free(passout);
 	OBJ_cleanup();
-#ifndef OPENSSL_NO_DSA
-	if (dsa_params != NULL) DSA_free(dsa_params);
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	if (ec_params != NULL) EC_KEY_free(ec_params);
-#endif
 	apps_shutdown();
 	OPENSSL_EXIT(ex);
 	}
@@ -1433,11 +1336,17 @@ start2:			for (;;)
 				BIO_snprintf(buf,sizeof buf,"%s_min",type);
 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
+					{
+					ERR_clear_error();
 					n_min = -1;
+					}
 				BIO_snprintf(buf,sizeof buf,"%s_max",type);
 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
+					{
+					ERR_clear_error();
 					n_max = -1;
+					}
 				if (!add_attribute_object(req,
 					v->value,def,value,nid,n_min,n_max, chtype))
@@ -1538,7 +1447,8 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,sizeof buf,stdin);
+			if (!fgets(buf,sizeof buf,stdin))
+				return 0;
 			}
 		else
 			{
@@ -1596,7 +1506,8 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,sizeof buf,stdin);
+			if (!fgets(buf,sizeof buf,stdin))
+				return 0;
 			}
 		else
 			{
@@ -1639,24 +1550,6 @@ err:
 	return(0);
 	}
-#ifndef OPENSSL_NO_RSA
-static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb)
-	{
-	char c='*';
-
-	if (p == 0) c='.';
-	if (p == 1) c='+';
-	if (p == 2) c='*';
-	if (p == 3) c='\n';
-	BIO_write(cb->arg,&c,1);
-	(void)BIO_flush(cb->arg);
-#ifdef LINT
-	p=n;
-#endif
-	return 1;
-	}
-#endif
-
 static int req_check_len(int len, int n_min, int n_max)
 	{
 	if ((n_min > 0) && (len < n_min))
@@ -1683,3 +1576,183 @@ static int check_end(const char *str, const char *end)
 	tmp = str + slen - elen;
 	return strcmp(tmp, end);
 }
+
+static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
+					long *pkeylen, char **palgnam,
+					ENGINE *keygen_engine)
+	{
+	EVP_PKEY_CTX *gctx = NULL;
+	EVP_PKEY *param = NULL;
+	long keylen = -1;
+	BIO *pbio = NULL;
+	const char *paramfile = NULL;
+
+	if (gstr == NULL)
+		{
+		*pkey_type = EVP_PKEY_RSA;
+		keylen = *pkeylen;
+		}
+	else if (gstr[0] >= '0' && gstr[0] <= '9')
+		{
+		*pkey_type = EVP_PKEY_RSA;
+		keylen = atol(gstr);
+		*pkeylen = keylen;
+		}
+	else if (!strncmp(gstr, "param:", 6))
+		paramfile = gstr + 6;
+	else
+		{
+		const char *p = strchr(gstr, ':');
+		int len;
+		ENGINE *tmpeng;
+		const EVP_PKEY_ASN1_METHOD *ameth;
+
+		if (p)
+			len = p - gstr;
+		else
+			len = strlen(gstr);
+		/* The lookup of a the string will cover all engines so
+		 * keep a note of the implementation.
+		 */
+
+		ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
+
+		if (!ameth)
+			{
+			BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
+			return NULL;
+			}
+
+		EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
+									ameth);
+#ifndef OPENSSL_NO_ENGINE
+		if (tmpeng)
+			ENGINE_finish(tmpeng);
+#endif
+		if (*pkey_type == EVP_PKEY_RSA)
+			{
+			if (p)
+				{
+				keylen = atol(p + 1);
+				*pkeylen = keylen;
+				}
+			}
+		else if (p)
+			paramfile = p + 1;
+		}
+
+	if (paramfile)
+		{
+		pbio = BIO_new_file(paramfile, "r");
+		if (!pbio)
+			{
+			BIO_printf(err, "Can't open parameter file %s\n",
+					paramfile);
+			return NULL;
+			}
+		param = PEM_read_bio_Parameters(pbio, NULL);
+
+		if (!param)
+			{
+			X509 *x;
+			(void)BIO_reset(pbio);
+			x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
+			if (x)
+				{
+				param = X509_get_pubkey(x);
+				X509_free(x);
+				}
+			}
+
+		BIO_free(pbio);
+
+		if (!param)
+			{
+			BIO_printf(err, "Error reading parameter file %s\n", 
+					paramfile);
+			return NULL;
+			}
+		if (*pkey_type == -1)
+			*pkey_type = EVP_PKEY_id(param);
+		else if (*pkey_type != EVP_PKEY_base_id(param))
+			{
+			BIO_printf(err, "Key Type does not match parameters\n");
+			EVP_PKEY_free(param);
+			return NULL;
+			}
+		}
+
+	if (palgnam)
+		{
+		const EVP_PKEY_ASN1_METHOD *ameth;
+		ENGINE *tmpeng;
+		const char *anam;
+		ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
+		if (!ameth)
+			{
+			BIO_puts(err, "Internal error: can't find key algorithm\n");
+			return NULL;
+			}
+		EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
+		*palgnam = BUF_strdup(anam);
+#ifndef OPENSSL_NO_ENGINE
+		if (tmpeng)
+			ENGINE_finish(tmpeng);
+#endif
+		}
+
+	if (param)
+		{
+		gctx = EVP_PKEY_CTX_new(param, keygen_engine);
+		*pkeylen = EVP_PKEY_bits(param);
+		EVP_PKEY_free(param);
+		}
+	else
+		gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
+
+	if (!gctx)
+		{
+		BIO_puts(err, "Error allocating keygen context\n");
+		ERR_print_errors(err);
+		return NULL;
+		}
+
+	if (EVP_PKEY_keygen_init(gctx) <= 0)
+		{
+		BIO_puts(err, "Error initializing keygen context\n");
+		ERR_print_errors(err);
+		return NULL;
+		}
+#ifndef OPENSSL_NO_RSA
+	if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1))
+		{
+		if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0)
+			{
+			BIO_puts(err, "Error setting RSA keysize\n");
+			ERR_print_errors(err);
+			EVP_PKEY_CTX_free(gctx);
+			return NULL;
+			}
+		}
+#endif
+
+	return gctx;
+	}
+
+static int genpkey_cb(EVP_PKEY_CTX *ctx)
+	{
+	char c='*';
+	BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+	int p;
+	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write(b,&c,1);
+	(void)BIO_flush(b);
+#ifdef LINT
+	p=n;
+#endif
+	return 1;
+	}
diff --git a/openssl/apps/rsa.c b/openssl/apps/rsa.c
index 930f1f038..b3c8aff7e 100644
--- a/openssl/apps/rsa.c
+++ b/openssl/apps/rsa.c
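Review bot: In `set_keygen_ctx` the `EVP_PKEY_keygen_init(gctx) <= 0` failure path returns NULL without releasing `gctx`, unlike the RSA-keysize failure just below it, so it should also call `EVP_PKEY_CTX_free(gctx);` before `return NULL;`; likewise the `!ameth` exit inside `if (palgnam)` leaks `param` when a parameter file had been loaded. The key size is read with `atol` in two places, which silently turns `rsa:abc` into 0 and `rsa:2048x` into 2048 instead of rejecting the option; `strtol` with an end-pointer check would surface the error before the context is built. In `genpkey_cb` the `#ifdef LINT p=n; #endif` lines were carried over from the removed `req_cb`, but this function has no `n`, so a LINT build would not compile; drop those three lines.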
@@ -115,6 +115,8 @@ int MAIN(int argc, char **argv)
 #endif
 	int modulus=0;
+	int pvk_encr = 2;
+
 	apps_startup();
 	if (bio_err == NULL)
@@ -177,6 +179,16 @@ int MAIN(int argc, char **argv)
 			pubin=1;
 		else if (strcmp(*argv,"-pubout") == 0)
 			pubout=1;
+		else if (strcmp(*argv,"-RSAPublicKey_in") == 0)
+			pubin = 2;
+		else if (strcmp(*argv,"-RSAPublicKey_out") == 0)
+			pubout = 2;
+		else if (strcmp(*argv,"-pvk-strong") == 0)
+			pvk_encr=2;
+		else if (strcmp(*argv,"-pvk-weak") == 0)
+			pvk_encr=1;
+		else if (strcmp(*argv,"-pvk-none") == 0)
+			pvk_encr=0;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -257,10 +269,23 @@ bad:
 		EVP_PKEY	*pkey;
 		if (pubin)
-			pkey = load_pubkey(bio_err, infile,
-				(informat == FORMAT_NETSCAPE && sgckey ?
-					FORMAT_IISSGC : informat), 1,
+			{
+			int tmpformat=-1;
+			if (pubin == 2)
+				{
+				if (informat == FORMAT_PEM)
+					tmpformat = FORMAT_PEMRSA;
+				else if (informat == FORMAT_ASN1)
+					tmpformat = FORMAT_ASN1RSA;
+				}
+			else if (informat == FORMAT_NETSCAPE && sgckey)
+				tmpformat = FORMAT_IISSGC;
+			else
+				tmpformat = informat;
+					
+			pkey = load_pubkey(bio_err, infile, tmpformat, 1,
 				passin, e, "Public Key");
+			}
 		else
 			pkey = load_key(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
@@ -268,7 +293,7 @@ bad:
 				passin, e, "Private Key");
 		if (pkey != NULL)
-		rsa = pkey == NULL ? NULL : EVP_PKEY_get1_RSA(pkey);
+			rsa = EVP_PKEY_get1_RSA(pkey);
 		EVP_PKEY_free(pkey);
 	}
@@ -346,7 +371,13 @@ bad:
 		}
 	BIO_printf(bio_err,"writing RSA key\n");
 	if 	(outformat == FORMAT_ASN1) {
-		if(pubout || pubin) i=i2d_RSA_PUBKEY_bio(out,rsa);
+		if(pubout || pubin) 
+			{
+			if (pubout == 2)
+				i=i2d_RSAPublicKey_bio(out,rsa);
+			else
+				i=i2d_RSA_PUBKEY_bio(out,rsa);
+			}
 		else i=i2d_RSAPrivateKey_bio(out,rsa);
 	}
 #ifndef OPENSSL_NO_RC4
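Review bot: In the `-RSAPublicKey_in` path (`pubin == 2`), `tmpformat` stays at -1 when `informat` is neither PEM nor DER and that sentinel is handed to `load_pubkey`; presumably that ends in a generic format error, but the message would not say why, so a check such as `if (tmpformat == -1) { BIO_puts(bio_err, "-RSAPublicKey_in requires PEM or DER input\n"); goto end; }` before the call would be clearer. `-pvk-none` (`pvk_encr=0`) writes the PVK private key unencrypted; the option should carry a comment saying so, `/* 0 = write PVK without encryption */`, and the usage text (outside this hunk) should state it. MAIN continues outside this hunk.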
@@ -370,14 +401,32 @@ bad:
 #endif
 	else if (outformat == FORMAT_PEM) {
 		if(pubout || pubin)
-		    i=PEM_write_bio_RSA_PUBKEY(out,rsa);
+			{
+			if (pubout == 2)
+		    		i=PEM_write_bio_RSAPublicKey(out,rsa);
+			else
+		    		i=PEM_write_bio_RSA_PUBKEY(out,rsa);
+			}
 		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
 						enc,NULL,0,NULL,passout);
+#ifndef OPENSSL_NO_DSA
+	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
+		EVP_PKEY *pk;
+		pk = EVP_PKEY_new();
+		EVP_PKEY_set1_RSA(pk, rsa);
+		if (outformat == FORMAT_PVK)
+			i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+		else if (pubin || pubout)
+			i = i2b_PublicKey_bio(out, pk);
+		else
+			i = i2b_PrivateKey_bio(out, pk);
+		EVP_PKEY_free(pk);
+#endif
 	} else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
-	if (!i)
+	if (i <= 0)
 		{
 		BIO_printf(bio_err,"unable to write key\n");
 		ERR_print_errors(bio_err);
diff --git a/openssl/apps/rsautl.c b/openssl/apps/rsautl.c
index 923e2b682..b01f004eb 100644
--- a/openssl/apps/rsautl.c
+++ b/openssl/apps/rsautl.c
@@ -342,4 +342,10 @@ static void usage()
 }
+#else /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/openssl/apps/s_apps.h b/openssl/apps/s_apps.h
index 08fbbc222..820e5c581 100644
--- a/openssl/apps/s_apps.h
+++ b/openssl/apps/s_apps.h
@@ -117,7 +117,7 @@
 #include <conio.h>
 #endif
-#ifdef OPENSSL_SYS_MSDOS
+#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
 #define _kbhit kbhit
 #endif
@@ -162,7 +162,7 @@ int extract_port(char *str, short *port_ptr);
 int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
 long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
-	int argi, long argl, long ret);
+				   int argi, long argl, long ret);
 #ifdef HEADER_SSL_H
 void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
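Review bot: In the new MSBLOB/PVK branch both `EVP_PKEY_new()` and `EVP_PKEY_set1_RSA(pk, rsa)` are unchecked, so an allocation failure reaches the `i2b_*` call with a NULL or empty `pk`; guard them with `if (pk == NULL || !EVP_PKEY_set1_RSA(pk, rsa)) { EVP_PKEY_free(pk); goto end; }`. The `#ifndef OPENSSL_NO_DSA` guard around an RSA-only branch reads as a mistake to anyone who does not know why it is there; if the `i2b_*` writers are compiled out whenever DSA is disabled, a one-line comment such as `/* i2b_* PVK/MSBLOB writers are built only with both RSA and DSA */` would stop someone removing it. MAIN continues outside this hunk.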
@@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 					unsigned char *data, int len,
 					void *arg);
 #endif
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
diff --git a/openssl/apps/s_cb.c b/openssl/apps/s_cb.c
index a512589e8..c4f551224 100644
--- a/openssl/apps/s_cb.c
+++ b/openssl/apps/s_cb.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -117,16 +117,21 @@
 #undef NON_MAIN
 #undef USE_SOCKETS
 #include <openssl/err.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include "s_apps.h"
+#define	COOKIE_SECRET_LENGTH	16
+
 int verify_depth=0;
 int verify_error=X509_V_OK;
+int verify_return_error=0;
+unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
+int cookie_initialized=0;
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	{
-	char buf[256];
 	X509 *err_cert;
 	int err,depth;
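Review bot: `cookie_secret` and `cookie_initialized` are defined with external linkage, yet the only declarations this commit adds to `s_apps.h` are the two cookie callbacks, and as far as this diff shows the secret is touched only by `generate_cookie_callback`/`verify_cookie_callback` in this file; making both `static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];` and `static int cookie_initialized=0;` keeps the HMAC key out of the global namespace. A one-line comment above them, `/* HMAC key for DTLS HelloVerifyRequest cookies; filled from RAND_bytes on first use */`, would document the lifetime, and `COOKIE_SECRET_LENGTH` deserves a note on why 16 bytes was chosen.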
@@ -134,15 +139,23 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	err=	X509_STORE_CTX_get_error(ctx);
 	depth=	X509_STORE_CTX_get_error_depth(ctx);
-	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
-	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+	BIO_printf(bio_err,"depth=%d ",depth);
+	if (err_cert)
+		{
+		X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+					0, XN_FLAG_ONELINE);
+		BIO_puts(bio_err, "\n");
+		}
+	else
+		BIO_puts(bio_err, "<no cert>\n");
 	if (!ok)
 		{
 		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
 			X509_verify_cert_error_string(err));
 		if (verify_depth >= depth)
 			{
-			ok=1;
+			if (!verify_return_error)
+				ok=1;
 			verify_error=X509_V_OK;
 			}
 		else
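Review bot: When `verify_return_error` is set the callback now leaves `ok` at 0 but still stores `verify_error=X509_V_OK`, so a caller that consults `verify_error` after the handshake sees success even though the callback rejected the chain; if that is not intended, keep both under one condition: `if (!verify_return_error) { ok=1; verify_error=X509_V_OK; }`. A comment on the new flag where it is defined (earlier hunk), `/* non-zero: propagate verify errors instead of overriding them */`, would make the two modes explicit. The function continues outside this hunk.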
@@ -151,25 +164,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 			verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
 			}
 		}
-	switch (ctx->error)
+	switch (err)
 		{
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
-		BIO_printf(bio_err,"issuer= %s\n",buf);
+		BIO_puts(bio_err,"issuer= ");
+		X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+					0, XN_FLAG_ONELINE);
+		BIO_puts(bio_err, "\n");
 		break;
 	case X509_V_ERR_CERT_NOT_YET_VALID:
 	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
 		BIO_printf(bio_err,"notBefore=");
-		ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+		ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
 		BIO_printf(bio_err,"\n");
 		break;
 	case X509_V_ERR_CERT_HAS_EXPIRED:
 	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
 		BIO_printf(bio_err,"notAfter=");
-		ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
+		ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
 		BIO_printf(bio_err,"\n");
 		break;
+	case X509_V_ERR_NO_EXPLICIT_POLICY:
+		policies_print(bio_err, ctx);
+		break;
 		}
+	if (err == X509_V_OK && ok == 2)
+		policies_print(bio_err, ctx);
+
 	BIO_printf(bio_err,"verify return:%d\n",ok);
 	return(ok);
 	}
@@ -258,7 +279,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 	}
 long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
-	int argi, long argl, long ret)
+				   int argi, long argl, long ret)
 	{
 	BIO *out;
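Review bot: The `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT`, `NOT_YET_VALID` and `HAS_EXPIRED` cases now dereference `err_cert` unconditionally, while the earlier hunk of this same function guards the subject print with `if (err_cert)` and prints `<no cert>` otherwise; if `err_cert` can be NULL for any of these codes the switch would crash where the first print did not. Either guard the switch the same way (`if (err_cert) switch (err) { ... }`) or add a comment stating why it is non-NULL here, e.g. `/* these error codes are only raised with a current certificate set */`. The function body starts outside this hunk.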
@@ -267,15 +288,15 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
 	if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
 		{
-		BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n",
- 			(void *)bio,argp,argi,ret,ret);
+		BIO_printf(out,"read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
+ 			(void *)bio,argp,(unsigned long)argi,ret,ret);
 		BIO_dump(out,argp,(int)ret);
 		return(ret);
 		}
 	else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
 		{
-		BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n",
-			(void *)bio,argp,argi,ret,ret);
+		BIO_printf(out,"write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
+			(void *)bio,argp,(unsigned long)argi,ret,ret);
 		BIO_dump(out,argp,(int)ret);
 		}
 	return(ret);
@@ -336,6 +357,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 	case TLS1_VERSION:
 		str_version = "TLS 1.0 ";
 		break;
+	case DTLS1_VERSION:
+		str_version = "DTLS 1.0 ";
+		break;
+	case DTLS1_BAD_VER:
+		str_version = "DTLS 1.0 (bad) ";
+		break;
 	default:
 		str_version = "???";
 		}
@@ -401,7 +428,10 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 			}
 		}
-	if (version == SSL3_VERSION || version == TLS1_VERSION)
+	if (version == SSL3_VERSION ||
+	    version == TLS1_VERSION ||
+	    version == DTLS1_VERSION ||
+	    version == DTLS1_BAD_VER)
 		{
 		switch (content_type)
 			{
@@ -504,6 +534,21 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 				case 100:
 					str_details2 = " no_renegotiation";
 					break;
+				case 110:
+					str_details2 = " unsupported_extension";
+					break;
+				case 111:
+					str_details2 = " certificate_unobtainable";
+					break;
+				case 112:
+					str_details2 = " unrecognized_name";
+					break;
+				case 113:
+					str_details2 = " bad_certificate_status_response";
+					break;
+				case 114:
+					str_details2 = " bad_certificate_hash_value";
+					break;
 					}
 				}
 			}
@@ -525,6 +570,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 				case 2:
 					str_details1 = ", ServerHello";
 					break;
+				case 3:
+					str_details1 = ", HelloVerifyRequest";
+					break;
 				case 11:
 					str_details1 = ", Certificate";
 					break;
@@ -621,6 +669,15 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		extname = "server ticket";
 		break;
+		case TLSEXT_TYPE_renegotiate:
+		extname = "renegotiate";
+		break;
+
+#ifdef TLSEXT_TYPE_opaque_prf_input
+		case TLSEXT_TYPE_opaque_prf_input:
+		extname = "opaque PRF input";
+		break;
+#endif
 		default:
 		extname = "unknown";
@@ -634,3 +691,172 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 	BIO_dump(bio, (char *)data, len);
 	(void)BIO_flush(bio);
 	}
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
+	{
+	unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+	unsigned int length, resultlength;
+	union {
+		struct sockaddr sa;
+		struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+		struct sockaddr_in6 s6;
+#endif
+	} peer;
+
+	/* Initialize a random secret */
+	if (!cookie_initialized)
+		{
+		if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
+			{
+			BIO_printf(bio_err,"error setting random cookie secret\n");
+			return 0;
+			}
+		cookie_initialized = 1;
+		}
+
+	/* Read peer information */
+	(void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+	/* Create buffer with peer's address and port */
+	length = 0;
+	switch (peer.sa.sa_family)
+		{
+	case AF_INET:
+		length += sizeof(struct in_addr);
+		length += sizeof(peer.s4.sin_port);
+		break;
+#if OPENSSL_USE_IPV6
+	case AF_INET6:
+		length += sizeof(struct in6_addr);
+		length += sizeof(peer.s6.sin6_port);
+		break;
+#endif
+	default:
+		OPENSSL_assert(0);
+		break;
+		}
+	buffer = OPENSSL_malloc(length);
+
+	if (buffer == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		return 0;
+		}
+
+	switch (peer.sa.sa_family)
+		{
+	case AF_INET:
+		memcpy(buffer,
+		       &peer.s4.sin_port,
+		       sizeof(peer.s4.sin_port));
+		memcpy(buffer + sizeof(peer.s4.sin_port),
+		       &peer.s4.sin_addr,
+		       sizeof(struct in_addr));
+		break;
+#if OPENSSL_USE_IPV6
+	case AF_INET6:
+		memcpy(buffer,
+		       &peer.s6.sin6_port,
+		       sizeof(peer.s6.sin6_port));
+		memcpy(buffer + sizeof(peer.s6.sin6_port),
+		       &peer.s6.sin6_addr,
+		       sizeof(struct in6_addr));
+		break;
+#endif
+	default:
+		OPENSSL_assert(0);
+		break;
+		}
+
+	/* Calculate HMAC of buffer using the secret */
+	HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+	     buffer, 
length, result, &resultlength);
+	OPENSSL_free(buffer);
+
+	memcpy(cookie, result, resultlength);
+	*cookie_len = resultlength;
+
+	return 1;
+	}
+
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
+	{
+	unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+	unsigned int length, resultlength;
+	union {
+		struct sockaddr sa;
+		struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+		struct sockaddr_in6 s6;
+#endif
+	} peer;
+
+	/* If secret isn't initialized yet, the cookie can't be valid */
+	if (!cookie_initialized)
+		return 0;
+
+	/* Read peer information */
+	(void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+	/* Create buffer with peer's address and port */
+	length = 0;
+	switch (peer.sa.sa_family)
+		{
+	case AF_INET:
+		length += sizeof(struct in_addr);
+		length += sizeof(peer.s4.sin_port);
+		break;
+#if OPENSSL_USE_IPV6
+	case AF_INET6:
+		length += sizeof(struct in6_addr);
+		length += sizeof(peer.s6.sin6_port);
+		break;
+#endif
+	default:
+		OPENSSL_assert(0);
+		break;
+		}
+	buffer = OPENSSL_malloc(length);
+	
+	if (buffer == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		return 0;
+		}
+
+	switch (peer.sa.sa_family)
+		{
+	case AF_INET:
+		memcpy(buffer,
+		       &peer.s4.sin_port,
+		       sizeof(peer.s4.sin_port));
+		memcpy(buffer + sizeof(peer.s4.sin_port),
+		       &peer.s4.sin_addr,
+		       sizeof(struct in_addr));
+		break;
+#if OPENSSL_USE_IPV6
+	case AF_INET6:
+		memcpy(buffer,
+		       &peer.s6.sin6_port,
+		       sizeof(peer.s6.sin6_port));
+		memcpy(buffer + sizeof(peer.s6.sin6_port),
+		       &peer.s6.sin6_addr,
+		       sizeof(struct in6_addr));
+		break;
+#endif
+	default:
+		OPENSSL_assert(0);
+		break;
+		}
+
+	/* Calculate HMAC of buffer using the secret */
+	HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+	     buffer, length, result, &resultlength);
+	OPENSSL_free(buffer);
+
+	if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0)
+		return 1;
+
+	return 0;
+	}
diff --git a/openssl/apps/s_client.c b/openssl/apps/s_client.c
index 4974f5fc9..34ad2cec7 100644
--- a/openssl/apps/s_client.c
+++ b/openssl/apps/s_client.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
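Review bot: Both cookie callbacks discard the result of `BIO_dgram_get_peer` and never initialise `peer`, so if that call reports failure `peer.sa.sa_family` is read uninitialised and the `default:` branch takes the whole process down through `OPENSSL_assert(0)`; check the result and fail the cookie instead, e.g. `if (BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer) <= 0) return 0;`, and turn the two `OPENSSL_assert(0)` defaults into `return 0` so an unexpected address family does not abort a running server. The address-serialisation code (the two `switch` blocks around `OPENSSL_malloc`) is duplicated verbatim between `generate_cookie_callback` and `verify_cookie_callback`; a single static helper that fills a fixed stack buffer sized for the largest supported address would remove both the duplication and the heap allocation. The final check in `verify_cookie_callback` uses `memcmp`, which stops at the first differing byte; a fixed-time comparison would be preferable if one is available in this tree. The HMAC key, digest choice and cookie layout deserve a short comment above `generate_cookie_callback`, e.g. `/* cookie = HMAC-SHA1(cookie_secret, peer port || peer address) */`.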
@@ -108,8 +108,35 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 #include <assert.h>
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -135,23 +162,19 @@ typedef unsigned int u_int;
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include <openssl/ocsp.h>
+#include <openssl/bn.h>
 #include "s_apps.h"
 #include "timeouts.h"
-#ifdef OPENSSL_SYS_WINCE
-/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
-#ifdef fileno
-#undef fileno
-#endif
-#define fileno(a) (int)_fileno(a)
-#endif
-
-
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
 #endif
+#if defined(OPENSSL_SYS_BEOS_R5)
+#include <fcntl.h>
+#endif
+
 #undef PROG
 #define PROG	s_client_main
@@ -166,6 +189,7 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
+extern int verify_return_error;
 #ifdef FIONBIO
 static int c_nbio=0;
@@ -188,6 +212,69 @@ static BIO *bio_c_out=NULL;  static int c_quiet=0;  static int c_ign_eof=0; +#ifndef OPENSSL_NO_PSK +/* Default PSK identity and key */ +static char *psk_identity="Client_identity"; +/*char *psk_key=NULL;  by default PSK is not used */ + +static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, +	unsigned int max_identity_len, unsigned char *psk, +	unsigned int max_psk_len) +	{ +	unsigned int psk_len = 0; +	int ret; +        BIGNUM *bn=NULL; + +	if (c_debug) +		BIO_printf(bio_c_out, "psk_client_cb\n"); +	if (!hint) +                { +                /* no ServerKeyExchange message*/ +		if (c_debug) +			BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); +                } +        else if (c_debug) +		BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); + +	/* lookup PSK identity and PSK key based on the given identity hint here */ +	ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); +	if (ret < 0 || (unsigned int)ret > max_identity_len) +		goto out_err; +	if (c_debug) +		BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); +        ret=BN_hex2bn(&bn, psk_key); +        if (!ret) +                { +                BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); +                if (bn) +                        BN_free(bn); +                return 0; +                } + +        if ((unsigned int)BN_num_bytes(bn) > max_psk_len) +                { +                BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", +                        max_psk_len, BN_num_bytes(bn)); +                BN_free(bn); +                return 0; +                } + +        psk_len=BN_bn2bin(bn, psk); +        BN_free(bn); +        if (psk_len == 0) +                goto out_err; + +	if (c_debug) +		BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); + +        return psk_len; + out_err: +	if (c_debug) +		
BIO_printf(bio_err, "Error in PSK client callback\n"); +        return 0; +	} +#endif +  static void sc_usage(void)  	{  	BIO_printf(bio_err,"usage: s_client args\n"); @@ -196,7 +283,7 @@ static void sc_usage(void)  	BIO_printf(bio_err," -port port     - use -connect instead\n");  	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); -	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n"); +	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");  	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");  	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");  	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n"); @@ -222,11 +309,18 @@ static void sc_usage(void)  	BIO_printf(bio_err," -quiet        - no s_client output\n");  	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");  	BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n"); +#ifndef OPENSSL_NO_PSK +	BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); +	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE +	BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n"); +# endif +#endif  	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");  	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");  	BIO_printf(bio_err," -tls1         - just use TLSv1\n");  	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");     -	BIO_printf(bio_err," -mtu          - set the MTU\n"); +	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");  	BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");  	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");  	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n"); 
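Review bot: psk_client_cb turns the hex key into bytes through `BN_hex2bn` and `BN_bn2bin`, so any leading zero octets in the configured string are discarded and the PSK handed to the library is shorter than what the operator typed; psk_server_cb in s_server.c (hunk @@ -283,12 +297,77) uses the same conversion, so a peer that decodes the hex byte-for-byte will never share the key. The digits are already validated when -psk is parsed, so decoding the string directly into `psk` keeps the length exact, rejects odd-length input that the BIGNUM path silently padded, and removes the `Could not convert PSK key '%s' to BIGNUM` message that writes the secret to bio_err. The rewritten conversion is below; the identity handling above it is unchanged.
```c
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
	unsigned int max_identity_len, unsigned char *psk,
	unsigned int max_psk_len)
	{
	unsigned int psk_len = 0;
	size_t hexlen, i;
	int ret;

	/* … unchanged: identity hint debug output and identity copy … */

	/* Decode the hex string byte-for-byte so leading zero octets are kept;
	 * the digits themselves were validated when -psk was parsed. */
	hexlen = strlen(psk_key);
	if (hexlen == 0 || (hexlen & 1) || hexlen / 2 > max_psk_len)
		{
		BIO_printf(bio_err,"PSK key of %d hex digits is invalid or exceeds %u bytes\n",
			(int)hexlen, max_psk_len);
		return 0;
		}
	for (i = 0; i < hexlen; i += 2)
		{
		char pair[3] = { psk_key[i], psk_key[i + 1], '\0' };
		psk[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
		}
	psk_len = (unsigned int)(hexlen / 2);

	/* … unchanged: debug print of psk_len, return psk_len, out_err label … */
```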
@@ -249,6 +343,7 @@ static void sc_usage(void)  	BIO_printf(bio_err," -status           - request certificate status from server\n");  	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");  #endif +	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");  	}  #ifndef OPENSSL_NO_TLSEXT @@ -272,6 +367,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)  	return SSL_TLSEXT_ERR_OK;  	}  #endif +  enum  {  	PROTO_OFF	= 0, @@ -286,9 +382,8 @@ int MAIN(int, char **);  int MAIN(int argc, char **argv)  	{ -	int off=0; -	SSL *con=NULL,*con2=NULL; -	X509_STORE *store = NULL; +	unsigned int off=0, clr=0; +	SSL *con=NULL;  	int s,k,width,state=0;  	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;  	int cbuf_len,cbuf_off; @@ -309,25 +404,27 @@ int MAIN(int argc, char **argv)  	SSL_CTX *ctx=NULL;  	int ret=1,in_init=1,i,nbio_test=0;  	int starttls_proto = PROTO_OFF; -	int prexit = 0, vflags = 0; -	SSL_METHOD *meth=NULL; -#ifdef sock_type -#undef sock_type -#endif -	int sock_type=SOCK_STREAM; +	int prexit = 0; +	X509_VERIFY_PARAM *vpm = NULL; +	int badarg = 0; +	const SSL_METHOD *meth=NULL; +	int socket_type=SOCK_STREAM;  	BIO *sbio;  	char *inrand=NULL;  	int mbuf_len=0; +	struct timeval timeout, *timeoutp;  #ifndef OPENSSL_NO_ENGINE  	char *engine_id=NULL;  	char *ssl_client_engine_id=NULL;  	ENGINE *ssl_client_engine=NULL;  #endif  	ENGINE *e=NULL; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)  	struct timeval tv; +#if defined(OPENSSL_SYS_BEOS_R5) +	int stdin_set = 0; +#endif  #endif -  #ifndef OPENSSL_NO_TLSEXT  	char *servername = NULL;           tlsextctx tlsextcbp =  
@@ -338,7 +435,7 @@ int MAIN(int argc, char **argv)  	struct sockaddr peer;  	int peerlen = sizeof(peer);  	int enable_timeouts = 0 ; -	long mtu = 0; +	long socket_mtu = 0;  #ifndef OPENSSL_NO_JPAKE  	char *jpake_secret = NULL;  #endif @@ -427,10 +524,14 @@ int MAIN(int argc, char **argv)  			if (--argc < 1) goto bad;  			cert_format = str2fmt(*(++argv));  			} -		else if	(strcmp(*argv,"-crl_check") == 0) -			vflags |= X509_V_FLAG_CRL_CHECK; -		else if	(strcmp(*argv,"-crl_check_all") == 0) -			vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; +		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) +			{ +			if (badarg) +				goto bad; +			continue; +			} +		else if (strcmp(*argv,"-verify_return_error") == 0) +			verify_return_error = 1;  		else if	(strcmp(*argv,"-prexit") == 0)  			prexit=1;  		else if	(strcmp(*argv,"-crlf") == 0) @@ -466,6 +567,27 @@ int MAIN(int argc, char **argv)  			nbio_test=1;  		else if	(strcmp(*argv,"-state") == 0)  			state=1; +#ifndef OPENSSL_NO_PSK +                else if (strcmp(*argv,"-psk_identity") == 0) +			{ +			if (--argc < 1) goto bad; +			psk_identity=*(++argv); +			} +                else if (strcmp(*argv,"-psk") == 0) +			{ +                        size_t j; + +			if (--argc < 1) goto bad; +			psk_key=*(++argv); +			for (j = 0; j < strlen(psk_key); j++) +                                { +                                if (isxdigit((int)psk_key[j])) +                                        continue; +                                BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); +                                goto bad; +                                } +			} +#endif  #ifndef OPENSSL_NO_SSL2  		else if	(strcmp(*argv,"-ssl2") == 0)  			meth=SSLv2_client_method(); 
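Review bot: The -psk validation loop passes `(int)psk_key[j]` to `isxdigit`, which is undefined behaviour for a byte with the high bit set on platforms where char is signed; the same loop is added to s_server.c's -psk handling (hunk @@ -993,6 +1089,27). Cast through unsigned char instead: `if (isxdigit((unsigned char)psk_key[j]))`. Hoisting `strlen(psk_key)` out of the loop condition would also avoid rescanning the string on every iteration. MAIN starts and ends outside this hunk.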
@@ -482,14 +604,14 @@ int MAIN(int argc, char **argv)  		else if	(strcmp(*argv,"-dtls1") == 0)  			{  			meth=DTLSv1_client_method(); -			sock_type=SOCK_DGRAM; +			socket_type=SOCK_DGRAM;  			}  		else if (strcmp(*argv,"-timeout") == 0)  			enable_timeouts=1;  		else if (strcmp(*argv,"-mtu") == 0)  			{  			if (--argc < 1) goto bad; -			mtu = atol(*(++argv)); +			socket_mtu = atol(*(++argv));  			}  #endif  		else if (strcmp(*argv,"-bugs") == 0) @@ -529,12 +651,20 @@ int MAIN(int argc, char **argv)  			off|=SSL_OP_NO_SSLv3;  		else if (strcmp(*argv,"-no_ssl2") == 0)  			off|=SSL_OP_NO_SSLv2; +		else if	(strcmp(*argv,"-no_comp") == 0) +			{ off|=SSL_OP_NO_COMPRESSION; }  #ifndef OPENSSL_NO_TLSEXT  		else if	(strcmp(*argv,"-no_ticket") == 0)  			{ off|=SSL_OP_NO_TICKET; }  #endif  		else if (strcmp(*argv,"-serverpref") == 0)  			off|=SSL_OP_CIPHER_SERVER_PREFERENCE; +		else if (strcmp(*argv,"-legacy_renegotiation") == 0) +			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; +		else if	(strcmp(*argv,"-legacy_server_connect") == 0) +			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; } +		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0) +			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }  		else if	(strcmp(*argv,"-cipher") == 0)  			{  			if (--argc < 1) goto bad; @@ -609,6 +739,26 @@ bad:  		goto end;  		} +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) +	if (jpake_secret) +		{ +		if (psk_key) +			{ +			BIO_printf(bio_err, +				   "Can't use JPAKE and PSK together\n"); +			goto end; +			} +		psk_identity = "JPAKE"; +		} + +	if (cipher) +		{ +		BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); +		goto end; +		} +	cipher = "PSK"; +#endif +  	OpenSSL_add_ssl_algorithms();  	SSL_load_error_strings(); @@ -624,6 +774,7 @@ bad:  			goto end;  			}  		} +  #endif  	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))  		{ @@ -691,6 +842,9 @@ bad:  		goto end;  		} +	if (vpm) +		SSL_CTX_set1_param(ctx, vpm); +  #ifndef OPENSSL_NO_ENGINE  	if (ssl_client_engine)  		{ 
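Review bot: In the JPAKE/PSK block added after `bad:`, the `if (cipher)` rejection and `cipher = "PSK";` sit outside the `if (jpake_secret)` braces, so whenever both features are compiled in every s_client invocation refuses -cipher and is forced onto the PSK ciphersuites even when -jpake was not given. The closing brace after `psk_identity = "JPAKE";` should move to after `cipher = "PSK";`, which is how the same block is written in s_server.c (hunk @@ -1097,6 +1216,26). MAIN starts and ends outside this hunk.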
@@ -705,14 +859,29 @@ bad:  		}  #endif +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE +	if (psk_key != NULL) +#else +	if (psk_key != NULL || jpake_secret) +#endif +		{ +		if (c_debug) +			BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); +		SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); +		} +#endif  	if (bugs)  		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);  	else  		SSL_CTX_set_options(ctx,off); + +	if (clr) +		SSL_CTX_clear_options(ctx, clr);  	/* DTLS: partial reads end up discarding unread UDP bytes :-(   	 * Setting read ahead solves this problem.  	 */ -	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); +	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);  	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);  	if (cipher != NULL) @@ -738,8 +907,6 @@ bad:  		/* goto end; */  		} -	store = SSL_CTX_get_cert_store(ctx); -	X509_STORE_set_flags(store, vflags);  #ifndef OPENSSL_NO_TLSEXT  	if (servername != NULL)  		{ @@ -784,7 +951,6 @@ bad:  			}  		}  #endif -  #ifndef OPENSSL_NO_KRB5  	if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)                  { @@ -792,10 +958,15 @@ bad:  		}  #endif	/* OPENSSL_NO_KRB5  */  /*	SSL_set_cipher_list(con,"RC4-MD5"); */ +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input +	SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); +#endif +#endif  re_start: -	if (init_client(&s,host,port,sock_type) == 0) +	if (init_client(&s,host,port,socket_type) == 0)  		{  		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());  		SHUTDOWN(s); @@ -819,7 +990,6 @@ re_start:  	if ( SSL_version(con) == DTLS1_VERSION)  		{ -		struct timeval timeout;  		sbio=BIO_new_dgram(s,BIO_NOCLOSE);  		if (getsockname(s, &peer, (void *)&peerlen) < 0) @@ -832,7 +1002,7 @@ re_start:  		(void)BIO_ctrl_set_connected(sbio, 1, &peer); -		if ( enable_timeouts) +		if (enable_timeouts)  			{  			timeout.tv_sec = 0;  			timeout.tv_usec = DGRAM_RCV_TIMEOUT; 
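Review bot: The `#if 0` block around `SSL_set_tlsext_opaque_prf_input(con, "Test client", 11)` commits dead code with no note on why it is disabled, and the next physical line adds another `#if 0` block around the servername acknowledgement test. Either drop them or give each a one-line comment stating why it is off and what has to change before it can be re-enabled, so the next reader does not have to guess whether the code is abandoned or merely parked. MAIN starts and ends outside this hunk.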
@@ -843,10 +1013,10 @@ re_start:  			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);  			} -		if ( mtu > 0) +		if (socket_mtu > 28)  			{  			SSL_set_options(con, SSL_OP_NO_QUERY_MTU); -			SSL_set_mtu(con, mtu); +			SSL_set_mtu(con, socket_mtu - 28);  			}  		else  			/* want to do MTU discovery */ @@ -1036,6 +1206,12 @@ SSL_set_tlsext_status_ids(con, ids);  		FD_ZERO(&readfds);  		FD_ZERO(&writefds); +		if ((SSL_version(con) == DTLS1_VERSION) && +			DTLSv1_get_timeout(con, &timeout)) +			timeoutp = &timeout; +		else +			timeoutp = NULL; +  		if (SSL_in_init(con) && !SSL_total_renegotiations(con))  			{  			in_init=1; @@ -1047,6 +1223,14 @@ SSL_set_tlsext_status_ids(con, ids);  			if (in_init)  				{  				in_init=0; +#if 0 /* This test doesn't really work as intended (needs to be fixed) */ +#ifndef OPENSSL_NO_TLSEXT +				if (servername != NULL && !SSL_session_reused(con)) +					{ +					BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); +					} +#endif +#endif  				if (sess_out)  					{  					BIO *stmp = BIO_new_file(sess_out, "w"); 
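Review bot: `if (socket_mtu > 28)` and `SSL_set_mtu(con, socket_mtu - 28)` hard-code the IPv4 plus UDP header overhead as a bare 28, silently changing what -mtu means compared with the old `SSL_set_mtu(con, mtu)`; over IPv6 the overhead would be 48, so the value passed down would exceed the real path MTU. Name the constant and record the assumption, e.g. `#define DTLS_IPV4_UDP_OVERHEAD 28 /* IPv4 (20) + UDP (8); IPv6 would need 48 */`, or derive it from the address family of `peer` obtained via getsockname earlier in this function. MAIN starts and ends outside this hunk.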
@@ -1084,22 +1268,22 @@ SSL_set_tlsext_status_ids(con, ids);  		if (!ssl_pending)  			{ -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)  			if (tty_on)  				{ -				if (read_tty)  FD_SET(fileno(stdin),&readfds); -				if (write_tty) FD_SET(fileno(stdout),&writefds); +				if (read_tty)  openssl_fdset(fileno(stdin),&readfds); +				if (write_tty) openssl_fdset(fileno(stdout),&writefds);  				}  			if (read_ssl) -				FD_SET(SSL_get_fd(con),&readfds); +				openssl_fdset(SSL_get_fd(con),&readfds);  			if (write_ssl) -				FD_SET(SSL_get_fd(con),&writefds); +				openssl_fdset(SSL_get_fd(con),&writefds);  #else  			if(!tty_on || !write_tty) {  				if (read_ssl) -					FD_SET(SSL_get_fd(con),&readfds); +					openssl_fdset(SSL_get_fd(con),&readfds);  				if (write_ssl) -					FD_SET(SSL_get_fd(con),&writefds); +					openssl_fdset(SSL_get_fd(con),&writefds);  			}  #endif  /*			printf("mode tty(%d %d%d) ssl(%d%d)\n", @@ -1132,7 +1316,7 @@ SSL_set_tlsext_status_ids(con, ids);  					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;  #endif  				} else 	i=select(width,(void *)&readfds,(void *)&writefds, -					 NULL,NULL); +					 NULL,timeoutp);  			}  #elif defined(OPENSSL_SYS_NETWARE)  			if(!write_tty) { 
@@ -1142,11 +1326,30 @@ SSL_set_tlsext_status_ids(con, ids);  					i=select(width,(void *)&readfds,(void *)&writefds,  						NULL,&tv);  				} else 	i=select(width,(void *)&readfds,(void *)&writefds, -					NULL,NULL); +					NULL,timeoutp); +			} +#elif defined(OPENSSL_SYS_BEOS_R5) +			/* Under BeOS-R5 the situation is similar to DOS */ +			i=0; +			stdin_set = 0; +			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); +			if(!write_tty) { +				if(read_tty) { +					tv.tv_sec = 1; +					tv.tv_usec = 0; +					i=select(width,(void *)&readfds,(void *)&writefds, +						 NULL,&tv); +					if (read(fileno(stdin), sbuf, 0) >= 0) +						stdin_set = 1; +					if (!i && (stdin_set != 1 || !read_tty)) +						continue; +				} else 	i=select(width,(void *)&readfds,(void *)&writefds, +					 NULL,timeoutp);  			} +			(void)fcntl(fileno(stdin), F_SETFL, 0);  #else  			i=select(width,(void *)&readfds,(void *)&writefds, -				 NULL,NULL); +				 NULL,timeoutp);  #endif  			if ( i < 0)  				{ @@ -1157,6 +1360,11 @@ SSL_set_tlsext_status_ids(con, ids);  				}  			} +		if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) +			{ +			BIO_printf(bio_err,"TIMEOUT occured\n"); +			} +  		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))  			{  			k=SSL_write(con,&(cbuf[cbuf_off]), @@ -1197,6 +1405,7 @@ SSL_set_tlsext_status_ids(con, ids);  				if (cbuf_len != 0)  					{  					BIO_printf(bio_c_out,"shutdown\n"); +					ret = 0;  					goto shut;  					}  				else @@ -1224,8 +1433,8 @@ SSL_set_tlsext_status_ids(con, ids);  				goto shut;  				}  			} -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) -		/* Assume Windows/DOS can always write */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) +		/* Assume Windows/DOS/BeOS can always write */  		else if (!ssl_pending && write_tty)  #else  		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) 
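Review bot: In the BeOS R5 branch the trailing `(void)fcntl(fileno(stdin), F_SETFL, 0);` clears every file status flag on stdin rather than only the O_NONBLOCK it set a few lines earlier, so any flag the caller's shell had on the descriptor is lost. Saving `int fl = fcntl(fileno(stdin), F_GETFL);` before the select and restoring with `(void)fcntl(fileno(stdin), F_SETFL, fl);` afterwards keeps the change reversible; I cannot exercise this platform code, so this is from reading alone. MAIN starts and ends outside this hunk.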
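Review bot: The new DTLS timeout message misspells its only word: `BIO_printf(bio_err,"TIMEOUT occurred\n");`. Since this string is what an operator will grep for in captured output, fixing it before it ships avoids a permanent misspelling in logs. MAIN starts and ends outside this hunk.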
@@ -1234,11 +1443,12 @@ SSL_set_tlsext_status_ids(con, ids);  #ifdef CHARSET_EBCDIC  			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);  #endif -			i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len); +			i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);  			if (i <= 0)  				{  				BIO_printf(bio_c_out,"DONE\n"); +				ret = 0;  				goto shut;  				/* goto end; */  				} @@ -1293,10 +1503,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240  				BIO_printf(bio_c_out,"read X BLOCK\n");  				break;  			case SSL_ERROR_SYSCALL: -				BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error()); +				ret=get_last_socket_error(); +				BIO_printf(bio_err,"read:errno=%d\n",ret);  				goto shut;  			case SSL_ERROR_ZERO_RETURN:  				BIO_printf(bio_c_out,"closed\n"); +				ret=0;  				goto shut;  			case SSL_ERROR_SSL:  				ERR_print_errors(bio_err); @@ -1312,7 +1524,9 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240  		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))  #endif  #elif defined (OPENSSL_SYS_NETWARE) -        else if (_kbhit()) +		else if (_kbhit()) +#elif defined(OPENSSL_SYS_BEOS_R5) +		else if (stdin_set)  #else  		else if (FD_ISSET(fileno(stdin),&readfds))  #endif @@ -1321,7 +1535,7 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240  				{  				int j, lf_num; -				i=read(fileno(stdin),cbuf,BUFSIZZ/2); +				i=raw_read_stdin(cbuf,BUFSIZZ/2);  				lf_num = 0;  				/* both loops are skipped when i <= 0 */  				for (j = 0; j < i; j++) @@ -1340,11 +1554,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240  				assert(lf_num == 0);  				}  			else -				i=read(fileno(stdin),cbuf,BUFSIZZ); +				i=raw_read_stdin(cbuf,BUFSIZZ);  			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))  				{  				BIO_printf(bio_err,"DONE\n"); +				ret=0;  				goto shut;  				} 
@@ -1367,14 +1582,20 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240  			read_tty=0;  			}  		} + +	ret=0;  shut: +	if (in_init) +		print_stuff(bio_c_out,con,full_log);  	SSL_shutdown(con);  	SHUTDOWN(SSL_get_fd(con)); -	ret=0;  end: -	if(prexit) print_stuff(bio_c_out,con,1); -	if (con != NULL) SSL_free(con); -	if (con2 != NULL) SSL_free(con2); +	if (con != NULL) +		{ +		if (prexit != 0) +			print_stuff(bio_c_out,con,1); +		SSL_free(con); +		}  	if (ctx != NULL) SSL_CTX_free(ctx);  	if (cert)  		X509_free(cert); @@ -1403,7 +1624,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)  	char buf[BUFSIZ];  	STACK_OF(X509) *sk;  	STACK_OF(X509_NAME) *sk2; -	SSL_CIPHER *c; +	const SSL_CIPHER *c;  	X509_NAME *xn;  	int j,i;  #ifndef OPENSSL_NO_COMP @@ -1511,6 +1732,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)  							 EVP_PKEY_bits(pktmp));  		EVP_PKEY_free(pktmp);  	} +	BIO_printf(bio, "Secure Renegotiation IS%s supported\n", +			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");  #ifndef OPENSSL_NO_COMP  	comp=SSL_get_current_compression(s);  	expansion=SSL_get_current_expansion(s); @@ -1554,4 +1777,5 @@ static int ocsp_resp_cb(SSL *s, void *arg)  	OCSP_RESPONSE_free(rsp);  	return 1;  	} -#endif  /* ndef OPENSSL_NO_TLSEXT */ + +#endif diff --git a/openssl/apps/s_server.c b/openssl/apps/s_server.c index 84b1b2846..1a06d19bb 100644 --- a/openssl/apps/s_server.c +++ b/openssl/apps/s_server.c @@ -56,7 +56,7 @@   * [including the GNU Public Licence.]   */  /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.   *   * Redistribution and use in source and binary forms, with or without   * modification, are permitted provided that the following conditions 
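Review bot: The last hunk of s_client.c replaces `#endif  /* ndef OPENSSL_NO_TLSEXT */` with a bare `#endif`, dropping the comment that ties the directive to its `#ifndef OPENSSL_NO_TLSEXT` far above. Keep the annotation, `#endif /* !OPENSSL_NO_TLSEXT */`, since this file now nests TLSEXT, PSK and JPAKE conditionals and an unlabelled `#endif` at file end is hard to match.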
@@ -113,6 +113,32 @@   * ECC cipher suite support in OpenSSL originally developed by    * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.   */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */  /* Until the key-gen callbacks are modified to use newer prototypes, we allow   * deprecated functions for openssl-internal code */ @@ -121,11 +147,11 @@  #endif  #include <assert.h> +#include <ctype.h>  #include <stdio.h>  #include <stdlib.h>  #include <string.h> -#include <sys/stat.h>  #include <openssl/e_os2.h>  #ifdef OPENSSL_NO_STDIO  #define APPS_WIN16 
@@ -163,19 +189,15 @@ typedef unsigned int u_int;  #include "s_apps.h"  #include "timeouts.h" -#ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) -#endif -  #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)  /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */  #undef FIONBIO  #endif +#if defined(OPENSSL_SYS_BEOS_R5) +#include <fcntl.h> +#endif +  #ifndef OPENSSL_NO_RSA  static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);  #endif @@ -196,14 +218,6 @@ static DH *get_dh512(void);  static void s_server_init(void);  #endif -#ifndef S_ISDIR -# if defined(_S_IFMT) && defined(_S_IFDIR) -#  define S_ISDIR(a)	(((a) & _S_IFMT) == _S_IFDIR) -# else -#  define S_ISDIR(a)	(((a) & S_IFMT) == S_IFDIR) -# endif -#endif -  #ifndef OPENSSL_NO_DH  static unsigned char dh512_p[]={  	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, @@ -245,7 +259,7 @@ static int accept_socket= -1;  #undef PROG  #define PROG		s_server_main -extern int verify_depth; +extern int verify_depth, verify_return_error;  static char *cipher=NULL;  static int s_server_verify=SSL_VERIFY_NONE; 
@@ -283,12 +297,77 @@ static char *engine_id=NULL;  static const char *session_id_prefix=NULL;  static int enable_timeouts = 0; -#ifdef mtu -#undef mtu -#endif -static long mtu; +static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1  static int cert_chain = 0; +#endif + +#ifndef OPENSSL_NO_PSK +static char *psk_identity="Client_identity"; +char *psk_key=NULL; /* by default PSK is not used */ + +static unsigned int psk_server_cb(SSL *ssl, const char *identity, +	unsigned char *psk, unsigned int max_psk_len) +	{ +	unsigned int psk_len = 0; +	int ret; +	BIGNUM *bn = NULL; +	if (s_debug) +		BIO_printf(bio_s_out,"psk_server_cb\n"); +	if (!identity) +		{ +		BIO_printf(bio_err,"Error: client did not send PSK identity\n"); +		goto out_err; +		} +	if (s_debug) +		BIO_printf(bio_s_out,"identity_len=%d identity=%s\n", +			identity ? (int)strlen(identity) : 0, identity); + +	/* here we could lookup the given identity e.g. from a database */ +  	if (strcmp(identity, psk_identity) != 0) +		{ +                BIO_printf(bio_s_out, "PSK error: client identity not found" +			   " (got '%s' expected '%s')\n", identity, +			   psk_identity); +		goto out_err; +                } +	if (s_debug) +		BIO_printf(bio_s_out, "PSK client identity found\n"); + +	/* convert the PSK key to binary */ +	ret = BN_hex2bn(&bn, psk_key); +	if (!ret) +		{ +		BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); +		if (bn) +			BN_free(bn); +		return 0; +		} +	if (BN_num_bytes(bn) > (int)max_psk_len) +		{ +		BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", +			max_psk_len, BN_num_bytes(bn)); +		BN_free(bn); +		return 0; +		} + +	ret = BN_bn2bin(bn, psk); +	BN_free(bn); + +	if (ret < 0) +		goto out_err; +	psk_len = (unsigned int)ret; + +	if (s_debug) +		BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); +        return psk_len; + out_err: +	if (s_debug) +		BIO_printf(bio_err, "Error in PSK server callback\n"); +	return 0; +        } +#endif  #ifdef 
MONOLITH  static void s_server_init(void) @@ -353,7 +432,7 @@ static void sv_usage(void)  #ifndef OPENSSL_NO_ECDH  	BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \  	                   "                 Use \"openssl ecparam -list_curves\" for all names\n" \ -	                   "                 (default is sect163r2).\n"); +	                   "                 (default is nistp256).\n");  #endif  #ifdef FIONBIO  	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n"); @@ -370,12 +449,19 @@ static void sv_usage(void)  	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");  	BIO_printf(bio_err," -quiet        - No server output\n");  	BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n"); +#ifndef OPENSSL_NO_PSK +	BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); +	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE +	BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n"); +# endif +#endif  	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");  	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");  	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");  	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");  	BIO_printf(bio_err," -timeout      - Enable timeouts\n"); -	BIO_printf(bio_err," -mtu          - Set MTU\n"); +	BIO_printf(bio_err," -mtu          - Set link layer MTU\n");  	BIO_printf(bio_err," -chain        - Read a certificate chain\n");  	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");  	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n"); 
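Review bot: In psk_server_cb the debug line `identity ? (int)strlen(identity) : 0` re-tests a pointer that the `if (!identity)` guard a few lines earlier already proved non-NULL, so it can simply be `(int)strlen(identity)`. On the conversion failure path `BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key)` echoes the configured secret into the error stream; printing only its length, `"Could not convert PSK key (%d hex digits) to BIGNUM\n", (int)strlen(psk_key)`, keeps it out of captured output. The identity in the not-found message comes straight from the peer, so the `%s` hands raw network bytes to the terminal; if this output is ever collected, bounding or escaping it before printing would be safer.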
@@ -405,6 +491,7 @@ static void sv_usage(void)  	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);  	BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");  	BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n"); +	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");  #endif  	} @@ -587,7 +674,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)  			return p->extension_error;  		if (ctx2)  			{ -			BIO_printf(p->biodebug,"Swiching server context.\n"); +			BIO_printf(p->biodebug,"Switching server context.\n");  			SSL_set_SSL_CTX(s,ctx2);  			}       		} @@ -626,7 +713,7 @@ static int cert_status_cb(SSL *s, void *arg)  	int use_ssl;  	unsigned char *rspder = NULL;  	int rspderlen; -	STACK *aia = NULL; +	STACK_OF(OPENSSL_STRING) *aia = NULL;  	X509 *x = NULL;  	X509_STORE_CTX inctx;  	X509_OBJECT obj; @@ -648,7 +735,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));  	aia = X509_get1_ocsp(x);  	if (aia)  		{ -		if (!OCSP_parse_url(sk_value(aia, 0), +		if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),  			&host, &port, &path, &use_ssl))  			{  			BIO_puts(err, "cert_status: can't parse AIA URL\n"); @@ -656,7 +743,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));  			}  		if (srctx->verbose)  			BIO_printf(err, "cert_status: AIA URL: %s\n", -					sk_value(aia, 0)); +					sk_OPENSSL_STRING_value(aia, 0));  		}  	else  		{ @@ -701,7 +788,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));  		if (!OCSP_REQUEST_add_ext(req, ext, -1))  			goto err;  		} -	resp = process_responder(err, req, host, path, port, use_ssl, +	resp = process_responder(err, req, host, path, port, use_ssl, NULL,  					srctx->timeout);  	if (!resp)  		{ 
@@ -740,6 +827,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));  	goto done;  	}  #endif +  int MAIN(int, char **);  #ifndef OPENSSL_NO_JPAKE @@ -748,8 +836,8 @@ static char *jpake_secret = NULL;  int MAIN(int argc, char *argv[])  	{ -	X509_STORE *store = NULL; -	int vflags = 0; +	X509_VERIFY_PARAM *vpm = NULL; +	int badarg = 0;  	short port=PORT;  	char *CApath=NULL,*CAfile=NULL;  	unsigned char *context = NULL; @@ -762,8 +850,8 @@ int MAIN(int argc, char *argv[])  	int off=0;  	int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;  	int state=0; -	SSL_METHOD *meth=NULL; -        int socket_type=SOCK_STREAM; +	const SSL_METHOD *meth=NULL; +	int socket_type=SOCK_STREAM;  	ENGINE *e=NULL;  	char *inrand=NULL;  	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; @@ -772,6 +860,7 @@ int MAIN(int argc, char *argv[])  	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;  	X509 *s_cert = NULL, *s_dcert = NULL;  	EVP_PKEY *s_key = NULL, *s_dkey = NULL; +	int no_cache = 0;  #ifndef OPENSSL_NO_TLSEXT  	EVP_PKEY *s_key2 = NULL;  	X509 *s_cert2 = NULL; @@ -779,7 +868,10 @@ int MAIN(int argc, char *argv[])  #ifndef OPENSSL_NO_TLSEXT          tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};  #endif - +#ifndef OPENSSL_NO_PSK +	/* by default do not send a PSK identity hint */ +	static char *psk_identity_hint=NULL; +#endif  #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)  	meth=SSLv23_server_method();  #elif !defined(OPENSSL_NO_SSL3) 
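Review bot: `static char *psk_identity_hint=NULL;` inside MAIN gives a function-local pointer static storage for no visible reason; it is only assigned from argv here and presumably consumed later in MAIN outside this hunk, so a plain automatic `char *psk_identity_hint=NULL;` matches the other option variables declared beside it. MAIN's body continues outside this hunk.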
@@ -911,16 +1003,20 @@ int MAIN(int argc, char *argv[])  			if (--argc < 1) goto bad;  			CApath= *(++argv);  			} -		else if (strcmp(*argv,"-crl_check") == 0) -			{ -			vflags |= X509_V_FLAG_CRL_CHECK; -			} -		else if (strcmp(*argv,"-crl_check_all") == 0) +		else if (strcmp(*argv,"-no_cache") == 0) +			no_cache = 1; +		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))  			{ -			vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; +			if (badarg) +				goto bad; +			continue;  			} +		else if (strcmp(*argv,"-verify_return_error") == 0) +			verify_return_error = 1;  		else if	(strcmp(*argv,"-serverpref") == 0)  			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } +		else if (strcmp(*argv,"-legacy_renegotiation") == 0) +			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;  		else if	(strcmp(*argv,"-cipher") == 0)  			{  			if (--argc < 1) goto bad; @@ -993,6 +1089,27 @@ int MAIN(int argc, char *argv[])  			{ no_dhe=1; }  		else if	(strcmp(*argv,"-no_ecdhe") == 0)  			{ no_ecdhe=1; } +#ifndef OPENSSL_NO_PSK +                else if (strcmp(*argv,"-psk_hint") == 0) +			{ +                        if (--argc < 1) goto bad; +                        psk_identity_hint= *(++argv); +                        } +                else if (strcmp(*argv,"-psk") == 0) +			{ +			size_t i; + +			if (--argc < 1) goto bad; +			psk_key=*(++argv); +			for (i=0; i<strlen(psk_key); i++) +				{ +				if (isxdigit((int)psk_key[i])) +					continue; +				BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); +				goto bad; +				} +			} +#endif  		else if	(strcmp(*argv,"-www") == 0)  			{ www=1; }  		else if	(strcmp(*argv,"-WWW") == 0) @@ -1005,6 +1122,8 @@ int MAIN(int argc, char *argv[])  			{ off|=SSL_OP_NO_SSLv3; }  		else if	(strcmp(*argv,"-no_tls1") == 0)  			{ off|=SSL_OP_NO_TLSv1; } +		else if	(strcmp(*argv,"-no_comp") == 0) +			{ off|=SSL_OP_NO_COMPRESSION; }  #ifndef OPENSSL_NO_TLSEXT  		else if	(strcmp(*argv,"-no_ticket") == 0)  			{ off|=SSL_OP_NO_TICKET; } 
@@ -1032,7 +1151,7 @@ int MAIN(int argc, char *argv[])  		else if (strcmp(*argv,"-mtu") == 0)  			{  			if (--argc < 1) goto bad; -			mtu = atol(*(++argv)); +			socket_mtu = atol(*(++argv));  			}  		else if (strcmp(*argv, "-chain") == 0)  			cert_chain = 1; @@ -1074,7 +1193,7 @@ int MAIN(int argc, char *argv[])  			}  #endif -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)  		else if (strcmp(*argv,"-jpake") == 0)  			{  			if (--argc < 1) goto bad; @@ -1097,6 +1216,26 @@ bad:  		goto end;  		} +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) +	if (jpake_secret) +		{ +		if (psk_key) +			{ +			BIO_printf(bio_err, +				   "Can't use JPAKE and PSK together\n"); +			goto end; +			} +		psk_identity = "JPAKE"; +		if (cipher) +			{ +			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); +			goto end; +			} +		cipher = "PSK"; +		} + +#endif +  	SSL_load_error_strings();  	OpenSSL_add_ssl_algorithms(); @@ -1159,6 +1298,8 @@ bad:  			}  #endif  		} + +  	if (s_dcert_file)  		{ @@ -1253,8 +1394,10 @@ bad:  	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);  	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - -	SSL_CTX_sess_set_cache_size(ctx,128); +	if (no_cache) +		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); +	else +		SSL_CTX_sess_set_cache_size(ctx,128);  #if 0  	if (cipher == NULL) cipher=getenv("SSL_CIPHER"); @@ -1275,8 +1418,9 @@ bad:  		ERR_print_errors(bio_err);  		/* goto end; */  		} -	store = SSL_CTX_get_cert_store(ctx); -	X509_STORE_set_flags(store, vflags); +	if (vpm) +		SSL_CTX_set1_param(ctx, vpm); +  #ifndef OPENSSL_NO_TLSEXT  	if (s_cert2)  		{ 
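Review bot: `socket_mtu = atol(*(++argv));` accepts any string, yielding 0 for non-numeric input or a negative value for `-mtu -5`, and the consumer in the sv_body hunk further down only tests `socket_mtu > 28`, so a typo silently falls back to MTU discovery. Use `strtol` with an end-pointer check so the mistake is reported as a bad argument: `char *end; socket_mtu = strtol(*(++argv), &end, 10); if (*end || socket_mtu <= 0) goto bad;`. MAIN's option loop starts and ends outside this hunk.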
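Review bot: `SSL_CTX_set1_param(ctx, vpm)` returns an int that is discarded, so if copying the verify parameters fails the server runs without the `-crl_check`-style settings that args_verify collected and nothing is printed. The ctx2 copy in the next hunk (`SSL_CTX_set1_param(ctx2, vpm)`) has the same gap. Check both: `if (vpm && !SSL_CTX_set1_param(ctx, vpm)) { ERR_print_errors(bio_err); goto end; }`. For a verification knob, failing loudly is the safer default.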
@@ -1312,28 +1456,28 @@ bad:  		if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);  		if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);  		SSL_CTX_set_options(ctx2,off); -  		/* DTLS: partial reads end up discarding unread UDP bytes :-(   		 * Setting read ahead solves this problem.  		 */  		if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); -  		if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); -		SSL_CTX_sess_set_cache_size(ctx2,128); +		if (no_cache) +			SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); +		else +			SSL_CTX_sess_set_cache_size(ctx2,128);  		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||  			(!SSL_CTX_set_default_verify_paths(ctx2)))  			{  			ERR_print_errors(bio_err);  			} -		store = SSL_CTX_get_cert_store(ctx2); -		X509_STORE_set_flags(store, vflags); +		if (vpm) +			SSL_CTX_set1_param(ctx2, vpm);  		}  #endif  -  #ifndef OPENSSL_NO_DH  	if (!no_dhe)  		{ @@ -1409,10 +1553,10 @@ bad:  		else  			{  			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); -			ecdh = EC_KEY_new_by_curve_name(NID_sect163r2); +			ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);  			if (ecdh == NULL)   				{ -				BIO_printf(bio_err, "unable to create curve (sect163r2)\n"); +				BIO_printf(bio_err, "unable to create curve (nistp256)\n");  				goto end;  				}  			} @@ -1447,7 +1591,7 @@ bad:  #ifndef OPENSSL_NO_TLSEXT  		if (ctx2)   			SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); -#endif	 +#endif		  		}  #else  	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) 
@@ -1480,11 +1624,34 @@ bad:  #endif  #endif -	if (cipher != NULL) -		if(!SSL_CTX_set_cipher_list(ctx,cipher)) { -		BIO_printf(bio_err,"error setting cipher list\n"); +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE +	if (psk_key != NULL) +#else +	if (psk_key != NULL || jpake_secret) +#endif +		{ +		if (s_debug) +			BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); +		SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); +		} + +	if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) +		{ +		BIO_printf(bio_err,"error setting PSK identity hint to context\n");  		ERR_print_errors(bio_err);  		goto end; +		} +#endif + +	if (cipher != NULL) +		{ +		if(!SSL_CTX_set_cipher_list(ctx,cipher)) +			{ +			BIO_printf(bio_err,"error setting cipher list\n"); +			ERR_print_errors(bio_err); +			goto end; +			}  #ifndef OPENSSL_NO_TLSEXT  		if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))  			{ @@ -1493,11 +1660,15 @@ bad:  			goto end;  			}  #endif -	} +		}  	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);  	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,  		sizeof s_server_session_id_context); +	/* Set DTLS cookie generation and verification callbacks */ +	SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); +	SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); +  #ifndef OPENSSL_NO_TLSEXT  	if (ctx2)  		{ @@ -1512,6 +1683,7 @@ bad:  		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);  		}  #endif +  	if (CAfile != NULL)  		{  		SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); @@ -1520,7 +1692,9 @@ bad:  			SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));  #endif  		} +  	BIO_printf(bio_s_out,"ACCEPT\n"); +	(void)BIO_flush(bio_s_out);  	if (www)  		do_server(port,socket_type,&accept_socket,www_body, context);  	else 
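Review bot: `SSL_CTX_set_psk_server_callback(ctx, psk_server_cb)` and `SSL_CTX_use_psk_identity_hint(ctx, ...)` are applied to ctx only, while the cipher list just below is applied to both ctx and ctx2. If ctx2 is the servername-selected context (the OPENSSL_NO_TLSEXT blocks suggest so), a connection routed there would carry a "PSK" cipher list but no PSK callback; either mirror the two calls under `if (ctx2)` as done for the cipher list, or add a comment stating why ctx2 deliberately does not get them. The cookie callbacks in the next hunk are likewise ctx-only; that may be fine if the cookie exchange completes before the servername switch, but the same comment should say so. The `s_debug` message could also note that a NULL hint is legal and simply means no hint is sent, as the declaration's comment in an earlier hunk says.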
@@ -1591,8 +1765,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)  	unsigned long l;  	SSL *con=NULL;  	BIO *sbio; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) +	struct timeval timeout; +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)  	struct timeval tv; +#else +	struct timeval *timeoutp;  #endif  	if ((buf=OPENSSL_malloc(bufsize)) == NULL) @@ -1641,14 +1818,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)  						 strlen((char *)context));  	}  	SSL_clear(con); +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input +	SSL_set_tlsext_opaque_prf_input(con, "Test server", 11); +#endif +#endif  	if (SSL_version(con) == DTLS1_VERSION)  		{ -		struct timeval timeout;  		sbio=BIO_new_dgram(s,BIO_NOCLOSE); -		if ( enable_timeouts) +		if (enable_timeouts)  			{  			timeout.tv_sec = 0;  			timeout.tv_usec = DGRAM_RCV_TIMEOUT; @@ -1659,11 +1840,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)  			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);  			} -		 -		if ( mtu > 0) +		if (socket_mtu > 28)  			{  			SSL_set_options(con, SSL_OP_NO_QUERY_MTU); -			SSL_set_mtu(con, mtu); +			SSL_set_mtu(con, socket_mtu - 28);  			}  		else  			/* want to do MTU discovery */ 
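Review bot: `if (socket_mtu > 28)` / `SSL_set_mtu(con, socket_mtu - 28);` bakes in an unexplained magic number; a reader has to guess that 28 is IPv4 (20) plus UDP (8) header overhead subtracted from the link MTU given by `-mtu`. Name it and say so: `/* -mtu is the link MTU; SSL_set_mtu() wants the DTLS payload size, so strip IPv4 (20) + UDP (8) headers */` with a `#define` for the 28 near the top of the file. If this server can also run over IPv6 the overhead is larger (40 + 8), which the constant's comment should at least flag. sv_body starts and ends outside this hunk.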
@@ -1722,10 +1902,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)  		if (!read_from_sslcon)  			{  			FD_ZERO(&readfds); -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) -			FD_SET(fileno(stdin),&readfds); +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5) +			openssl_fdset(fileno(stdin),&readfds);  #endif -			FD_SET(s,&readfds); +			openssl_fdset(s,&readfds);  			/* Note: under VMS with SOCKETSHR the second parameter is  			 * currently of type (int *) whereas under other systems  			 * it is (void *) if you don't have a cast it will choke @@ -1744,8 +1924,31 @@ static int sv_body(char *hostname, int s, unsigned char *context)  			if((i < 0) || (!i && !_kbhit() ) )continue;  			if(_kbhit())  				read_from_terminal = 1; +#elif defined(OPENSSL_SYS_BEOS_R5) +			/* Under BeOS-R5 the situation is similar to DOS */ +			tv.tv_sec = 1; +			tv.tv_usec = 0; +			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); +			i=select(width,(void *)&readfds,NULL,NULL,&tv); +			if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0)) +				continue; +			if (read(fileno(stdin), buf, 0) >= 0) +				read_from_terminal = 1; +			(void)fcntl(fileno(stdin), F_SETFL, 0);  #else -			i=select(width,(void *)&readfds,NULL,NULL,NULL); +			if ((SSL_version(con) == DTLS1_VERSION) && +				DTLSv1_get_timeout(con, &timeout)) +				timeoutp = &timeout; +			else +				timeoutp = NULL; + +			i=select(width,(void *)&readfds,NULL,NULL,timeoutp); + +			if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) +				{ +				BIO_printf(bio_err,"TIMEOUT occured\n"); +				} +  			if (i <= 0) continue;  			if (FD_ISSET(fileno(stdin),&readfds))  				read_from_terminal = 1; 
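Review bot: `BIO_printf(bio_err,"TIMEOUT occured\n");` misspells "occurred" in a user-visible message; `BIO_printf(bio_err,"TIMEOUT occurred\n");`. The new DTLS branch evaluates `SSL_version(con) == DTLS1_VERSION` twice in a row; a local `int is_dtls = (SSL_version(con) == DTLS1_VERSION);` before the first `if` reads better and makes it obvious both checks are the same condition. In the BeOS block, `read(fileno(stdin), buf, 0)` is used as a readiness probe and looks like a bug without a comment such as `/* zero-length read on a non-blocking fd: presumably <0 while nothing is pending -- confirm */`. sv_body starts and ends outside this hunk.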
@@ -1759,7 +1962,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)  				{  				int j, lf_num; -				i=read(fileno(stdin), buf, bufsize/2); +				i=raw_read_stdin(buf, bufsize/2);  				lf_num = 0;  				/* both loops are skipped when i <= 0 */  				for (j = 0; j < i; j++) @@ -1778,7 +1981,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)  				assert(lf_num == 0);  				}  			else -				i=read(fileno(stdin),buf,bufsize); +				i=raw_read_stdin(buf,bufsize);  			if (!s_quiet)  				{  				if ((i <= 0) || (buf[0] == 'Q')) @@ -1798,6 +2001,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)  					ret= -11;*/  					goto err;  					} +  				if ((buf[0] == 'r') &&   					((buf[1] == '\n') || (buf[1] == '\r')))  					{ @@ -1894,7 +2098,7 @@ again:  #ifdef CHARSET_EBCDIC  					ascii2ebcdic(buf,buf,i);  #endif -					write(fileno(stdout),buf, +					raw_write_stdout(buf,  						(unsigned int)i);  					if (SSL_pending(con)) goto again;  					break; @@ -1918,13 +2122,16 @@ again:  			}  		}  err: -	BIO_printf(bio_s_out,"shutting down SSL\n"); +	if (con != NULL) +		{ +		BIO_printf(bio_s_out,"shutting down SSL\n");  #if 1 -	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); +		SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);  #else -	SSL_shutdown(con); +		SSL_shutdown(con);  #endif -	if (con != NULL) SSL_free(con); +		SSL_free(con); +		}  	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");  	if (buf != NULL)  		{ @@ -2002,6 +2209,8 @@ static int init_ssl_connection(SSL *con)  			con->kssl_ctx->client_princ);  		}  #endif /* OPENSSL_NO_KRB5 */ +	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", +		      SSL_get_secure_renegotiation_support(con) ? "" : " NOT");  	return(1);  	} 
@@ -2046,9 +2255,8 @@ static int www_body(char *hostname, int s, unsigned char *context)  	char *buf=NULL;  	int ret=1;  	int i,j,k,blank,dot; -	struct stat st_buf;  	SSL *con; -	SSL_CIPHER *c; +	const SSL_CIPHER *c;  	BIO *io,*ssl_bio,*sbio;  	long total_bytes; @@ -2318,14 +2526,7 @@ static int www_body(char *hostname, int s, unsigned char *context)  #endif  			/* if a directory, do the index thang */ -			if (stat(p,&st_buf) < 0) -				{ -				BIO_puts(io,text); -				BIO_printf(io,"Error accessing '%s'\r\n",p); -				ERR_print_errors(io); -				break; -				} -			if (S_ISDIR(st_buf.st_mode)) +			if (app_isdir(p)>0)  				{  #if 0 /* must check buffer size */  				strcat(p,"/index.html"); diff --git a/openssl/apps/s_socket.c b/openssl/apps/s_socket.c index 4a922e16a..6b8713de6 100644 --- a/openssl/apps/s_socket.c +++ b/openssl/apps/s_socket.c @@ -62,6 +62,12 @@  #include <errno.h>  #include <signal.h> +#ifdef FLAT_INC +#include "e_os2.h" +#else +#include "../e_os2.h" +#endif +  /* With IPv6, it looks like Digital has mixed up the proper order of     recursive header file inclusion, resulting in the compiler complaining     that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which @@ -231,13 +237,11 @@ static int ssl_sock_init(void)  int init_client(int *sock, char *host, int port, int type)  	{  	unsigned char ip[4]; -	short p=0;  	if (!host_ip(host,&(ip[0])))  		{  		return(0);  		} -	if (p != 0) port=p;  	return(init_client_ip(sock,ip,port,type));  	} @@ -266,7 +270,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)  	if (s == INVALID_SOCKET) { perror("socket"); return(0); } -#ifndef OPENSSL_SYS_MPE +#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)  	if (type == SOCK_STREAM)  		{  		i=0; 
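Review bot: Replacing the `stat()` block with `if (app_isdir(p)>0)` drops the error path: previously a failing stat printed "Error accessing" and broke out, whereas now a negative return from app_isdir (its definition is outside this diff) falls through and `p` is served as a regular file, presumably failing later with a less specific message. If app_isdir reports errors as <0, keep the distinction: `int isdir = app_isdir(p); if (isdir < 0) { BIO_puts(io,text); BIO_printf(io,"Error accessing '%s'\r\n",p); break; } if (isdir > 0) {`. Otherwise a comment should state that app_isdir only ever returns 0 or 1. www_body starts and ends outside this hunk.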
@@ -276,7 +280,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)  #endif  	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) -		{ close(s); perror("connect"); return(0); } +		{ closesocket(s); perror("connect"); return(0); }  	*sock=s;  	return(1);  	} @@ -285,7 +289,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns  	{  	int sock;  	char *name = NULL; -	int accept_socket; +	int accept_socket = 0;  	int i;  	if (!init_server(&accept_socket,port,type)) return(0); diff --git a/openssl/apps/s_time.c b/openssl/apps/s_time.c index 904945e1a..b823c33c5 100644 --- a/openssl/apps/s_time.c +++ b/openssl/apps/s_time.c 
@@ -85,54 +85,6 @@  #include OPENSSL_UNISTD  #endif -#if !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -#define TIMES -#endif - -#ifndef _IRIX -#include <time.h> -#endif -#ifdef TIMES -#include <sys/types.h> -#include <sys/times.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. -   The __TMS macro will show if it was.  If it wasn't defined, we should -   undefine TIMES, since that tells the rest of the program how things -   should be handled.				-- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#include <sys/timeb.h> -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> -#endif - -/* The following if from times(3) man page.  It may need to be changed -*/ -#ifndef HZ -# ifdef _SC_CLK_TCK -#  define HZ ((double)sysconf(_SC_CLK_TCK)) -# else -#  ifndef CLK_TCK -#   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -#    define HZ	100.0 -#   else /* _BSD_CLK_TCK_ */ -#    define HZ ((double)_BSD_CLK_TCK_) -#   endif -#  else /* CLK_TCK */ -#   define HZ ((double)CLK_TCK) -#  endif -# endif -#endif -  #undef PROG  #define PROG s_time_main @@ -177,7 +129,7 @@ static char *tm_cipher=NULL;  static int tm_verify = SSL_VERIFY_NONE;  static int maxTime = SECONDS;  static SSL_CTX *tm_ctx=NULL; -static SSL_METHOD *s_time_meth=NULL; +static const SSL_METHOD *s_time_meth=NULL;  static char *s_www_path=NULL;  static long bytes_read=0;   static int st_bugs=0; 
@@ -372,63 +324,8 @@ bad:  static double tm_Time_F(int s)  	{ -	static double ret; -#ifdef TIMES -	static struct tms tstart,tend; - -	if(s == START) { -		times(&tstart); -		return(0); -	} else { -		times(&tend); -		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; -		return((ret == 0.0)?1e-6:ret); +	return app_tminterval(s,1);  	} -#elif defined(OPENSSL_SYS_NETWARE) -    static clock_t tstart,tend; - -    if (s == START) -    { -        tstart=clock(); -        return(0); -    } -    else -    { -        tend=clock(); -        ret=(double)((double)(tend)-(double)(tstart)); -        return((ret < 0.001)?0.001:ret); -    } -#elif defined(OPENSSL_SYS_VXWORKS) -        { -	static unsigned long tick_start, tick_end; - -	if( s == START ) -		{ -		tick_start = tickGet(); -		return 0; -		} -	else -		{ -		tick_end = tickGet(); -		ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); -		return((ret == 0.0)?1e-6:ret); -		} -        } -#else /* !times() */ -	static struct timeb tstart,tend; -	long i; - -	if(s == START) { -		ftime(&tstart); -		return(0); -	} else { -		ftime(&tend); -		i=(long)tend.millitm-(long)tstart.millitm; -		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; -		return((ret == 0.0)?1e-6:ret); -	} -#endif -}  /***********************************************************************   * MAIN - main processing area for client @@ -704,7 +601,7 @@ static SSL *doConnection(SSL *scon)  			i=SSL_get_fd(serverCon);  			width=i+1;  			FD_ZERO(&readfds); -			FD_SET(i,&readfds); +			openssl_fdset(i,&readfds);  			/* Note: under VMS with SOCKETSHR the 2nd parameter  			 * is currently of type (int *) whereas under other  			 * systems it is (void *) if you don't have a cast it diff --git a/openssl/apps/smime.c b/openssl/apps/smime.c index 75804b8d7..c583f8a0e 100644 --- a/openssl/apps/smime.c +++ b/openssl/apps/smime.c 
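Review bot: `tm_Time_F` is now a one-line wrapper around `app_tminterval(s,1)` with an unexplained literal second argument; the removed code measured user CPU time via times()/ftime(), so the `1` is presumably a "user time" selector, but that is not visible here. A short comment saves the next reader a trip to apps.c: `/* Delegates to app_tminterval(); the second argument presumably selects user-CPU time, matching the old times()-based path -- confirm */`. With the HZ/TIMES platform block removed in the earlier hunk, nothing else in this file should still reference those macros.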
@@ -73,11 +73,14 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers);  static int smime_cb(int ok, X509_STORE_CTX *ctx);  #define SMIME_OP	0x10 +#define SMIME_IP	0x20 +#define SMIME_SIGNERS	0x40  #define SMIME_ENCRYPT	(1 | SMIME_OP) -#define SMIME_DECRYPT	2 -#define SMIME_SIGN	(3 | SMIME_OP) -#define SMIME_VERIFY	4 -#define SMIME_PK7OUT	5 +#define SMIME_DECRYPT	(2 | SMIME_IP) +#define SMIME_SIGN	(3 | SMIME_OP | SMIME_SIGNERS) +#define SMIME_VERIFY	(4 | SMIME_IP) +#define SMIME_PK7OUT	(5 | SMIME_IP | SMIME_OP) +#define SMIME_RESIGN	(6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)  int MAIN(int, char **); @@ -90,6 +93,7 @@ int MAIN(int argc, char **argv)  	const char *inmode = "r", *outmode = "w";  	char *infile = NULL, *outfile = NULL;  	char *signerfile = NULL, *recipfile = NULL; +	STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;  	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;  	const EVP_CIPHER *cipher = NULL;  	PKCS7 *p7 = NULL; @@ -105,6 +109,8 @@ int MAIN(int argc, char **argv)  	char *passargin = NULL, *passin = NULL;  	char *inrand = NULL;  	int need_rand = 0; +	int indef = 0; +	const EVP_MD *sign_md = NULL;  	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;          int keyform = FORMAT_PEM;  #ifndef OPENSSL_NO_ENGINE @@ -135,6 +141,8 @@ int MAIN(int argc, char **argv)  			operation = SMIME_DECRYPT;  		else if (!strcmp (*args, "-sign"))  			operation = SMIME_SIGN; +		else if (!strcmp (*args, "-resign")) +			operation = SMIME_RESIGN;  		else if (!strcmp (*args, "-verify"))  			operation = SMIME_VERIFY;  		else if (!strcmp (*args, "-pk7out")) 
@@ -193,205 +201,209 @@ int MAIN(int argc, char **argv)  				flags |= PKCS7_BINARY;  		else if (!strcmp (*args, "-nosigs"))  				flags |= PKCS7_NOSIGS; +		else if (!strcmp (*args, "-stream")) +				indef = 1; +		else if (!strcmp (*args, "-indef")) +				indef = 1; +		else if (!strcmp (*args, "-noindef")) +				indef = 0;  		else if (!strcmp (*args, "-nooldmime"))  				flags |= PKCS7_NOOLDMIMETYPE;  		else if (!strcmp (*args, "-crlfeol"))  				flags |= PKCS7_CRLFEOL;  		else if (!strcmp(*args,"-rand"))  			{ -			if (args[1]) -				{ -				args++; -				inrand = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			args++; +			inrand = *args;  			need_rand = 1;  			}  #ifndef OPENSSL_NO_ENGINE  		else if (!strcmp(*args,"-engine"))  			{ -			if (args[1]) -				{ -				args++; -				engine = *args; -				} -			else badarg = 1; +			if (!args[1]) +				goto argerr; +			engine = *++args;  			}  #endif  		else if (!strcmp(*args,"-passin"))  			{ -			if (args[1]) -				{ -				args++; -				passargin = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			passargin = *++args;  			}  		else if (!strcmp (*args, "-to"))  			{ -			if (args[1]) -				{ -				args++; -				to = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			to = *++args;  			}  		else if (!strcmp (*args, "-from"))  			{ -			if (args[1]) -				{ -				args++; -				from = *args; -				} -			else badarg = 1; +			if (!args[1]) +				goto argerr; +			from = *++args;  			}  		else if (!strcmp (*args, "-subject"))  			{ -			if (args[1]) -				{ -				args++; -				subject = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			subject = *++args;  			}  		else if (!strcmp (*args, "-signer"))  			{ -			if (args[1]) +			if (!args[1]) +				goto argerr; +			/* If previous -signer argument add signer to list */ + +			if (signerfile)  				{ -				args++; -				signerfile = *args; +				if (!sksigners) +					sksigners = 
sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(sksigners, signerfile); +				if (!keyfile) +					keyfile = signerfile; +				if (!skkeys) +					skkeys = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(skkeys, keyfile); +				keyfile = NULL;  				} -			else -				badarg = 1; +			signerfile = *++args;  			}  		else if (!strcmp (*args, "-recip"))  			{ -			if (args[1]) +			if (!args[1]) +				goto argerr; +			recipfile = *++args; +			} +		else if (!strcmp (*args, "-md")) +			{ +			if (!args[1]) +				goto argerr; +			sign_md = EVP_get_digestbyname(*++args); +			if (sign_md == NULL)  				{ -				args++; -				recipfile = *args; +				BIO_printf(bio_err, "Unknown digest %s\n", +							*args); +				goto argerr;  				} -			else badarg = 1;  			}  		else if (!strcmp (*args, "-inkey"))  			{ -			if (args[1]) +			if (!args[1])	 +				goto argerr; +			/* If previous -inkey arument add signer to list */ +			if (keyfile)  				{ -				args++; -				keyfile = *args; +				if (!signerfile) +					{ +					BIO_puts(bio_err, "Illegal -inkey without -signer\n"); +					goto argerr; +					} +				if (!sksigners) +					sksigners = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(sksigners, signerfile); +				signerfile = NULL; +				if (!skkeys) +					skkeys = sk_OPENSSL_STRING_new_null(); +				sk_OPENSSL_STRING_push(skkeys, keyfile);  				} -			else -				badarg = 1; -		} +			keyfile = *++args; +			}  		else if (!strcmp (*args, "-keyform"))  			{ -			if (args[1]) -				{ -				args++; -				keyform = str2fmt(*args); -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			keyform = str2fmt(*++args);  			}  		else if (!strcmp (*args, "-certfile"))  			{ -			if (args[1]) -				{ -				args++; -				certfile = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			certfile = *++args;  			}  		else if (!strcmp (*args, "-CAfile"))  			{ -			if (args[1]) -				{ -				args++; -				CAfile = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +	
			goto argerr; +			CAfile = *++args;  			}  		else if (!strcmp (*args, "-CApath"))  			{ -			if (args[1]) -				{ -				args++; -				CApath = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			CApath = *++args;  			}  		else if (!strcmp (*args, "-in"))  			{ -			if (args[1]) -				{ -				args++; -				infile = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			infile = *++args;  			}  		else if (!strcmp (*args, "-inform"))  			{ -			if (args[1]) -				{ -				args++; -				informat = str2fmt(*args); -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			informat = str2fmt(*++args);  			}  		else if (!strcmp (*args, "-outform"))  			{ -			if (args[1]) -				{ -				args++; -				outformat = str2fmt(*args); -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			outformat = str2fmt(*++args);  			}  		else if (!strcmp (*args, "-out"))  			{ -			if (args[1]) -				{ -				args++; -				outfile = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			outfile = *++args;  			}  		else if (!strcmp (*args, "-content"))  			{ -			if (args[1]) -				{ -				args++; -				contfile = *args; -				} -			else -				badarg = 1; +			if (!args[1]) +				goto argerr; +			contfile = *++args;  			}  		else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))  			continue; -		else +		else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)  			badarg = 1;  		args++;  		} +	if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) +		{ +		BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); +		goto argerr; +		} -	if (operation == SMIME_SIGN) +	if (operation & SMIME_SIGNERS)  		{ -		if (!signerfile) +		/* Check to see if any final signer needs to be appended */ +		if (keyfile && !signerfile) +			{ +			BIO_puts(bio_err, "Illegal -inkey without -signer\n"); +			goto argerr; +			} +		if (signerfile) +			{ +			if (!sksigners) +				sksigners = sk_OPENSSL_STRING_new_null(); +			
sk_OPENSSL_STRING_push(sksigners, signerfile); +			if (!skkeys) +				skkeys = sk_OPENSSL_STRING_new_null(); +			if (!keyfile) +				keyfile = signerfile; +			sk_OPENSSL_STRING_push(skkeys, keyfile); +			} +		if (!sksigners)  			{  			BIO_printf(bio_err, "No signer certificate specified\n");  			badarg = 1;  			} +		signerfile = NULL; +		keyfile = NULL;  		need_rand = 1;  		}  	else if (operation == SMIME_DECRYPT) @@ -416,6 +428,7 @@ int MAIN(int argc, char **argv)  	if (badarg)  		{ +		argerr:  		BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");  		BIO_printf (bio_err, "where options are\n");  		BIO_printf (bio_err, "-encrypt       encrypt message\n"); @@ -499,13 +512,11 @@ int MAIN(int argc, char **argv)  	ret = 2; -	if (operation != SMIME_SIGN) +	if (!(operation & SMIME_SIGNERS))  		flags &= ~PKCS7_DETACHED;  	if (operation & SMIME_OP)  		{ -		if (flags & PKCS7_BINARY) -			inmode = "rb";  		if (outformat == FORMAT_ASN1)  			outmode = "wb";  		} @@ -513,9 +524,18 @@ int MAIN(int argc, char **argv)  		{  		if (flags & PKCS7_BINARY)  			outmode = "wb"; +		} + +	if (operation & SMIME_IP) +		{  		if (informat == FORMAT_ASN1)  			inmode = "rb";  		} +	else +		{ +		if (flags & PKCS7_BINARY) +			inmode = "rb"; +		}  	if (operation == SMIME_ENCRYPT)  		{ @@ -545,26 +565,11 @@ int MAIN(int argc, char **argv)  			}  		} -	if (signerfile && (operation == SMIME_SIGN)) -		{ -		if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL, -			e, "signer certificate"))) -			{ -#if 0			/* An appropri message has already been printed */ -			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile); -#endif -			goto end; -			} -		} -  	if (certfile)  		{  		if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,  			e, "certificate file")))  			{ -#if 0			/* An appropriate message has already been printed */ -			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile); -#endif  			ERR_print_errors(bio_err);  			goto end;  			} 
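Review bot: The `-signer`/`-inkey` pairing logic (`if (signerfile) { ... }` in the -signer branch and `if (keyfile) { ... }` in the -inkey branch) keeps sksigners and skkeys in lock-step by flushing the pending pair whenever a second `-signer` or `-inkey` arrives, with `-signer` defaulting the key to the certificate file; that invariant is what the signing loop in a later hunk relies on when it indexes both stacks with the same `i`, and nothing says so. Put it above the -signer branch: `/* -signer/-inkey are collected in pairs: a -signer with no -inkey uses the cert file as key; a second -signer or -inkey flushes the pending pair so sksigners[i] always matches skkeys[i] */`, and fix "arument" in the -inkey comment. The `sk_OPENSSL_STRING_new_null()` results are never checked, so an allocation failure is later reported as "No signer certificate specified" rather than as an out-of-memory error. The final `else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)` now tries every unrecognised dash option as a cipher name, which is reasonable but should be stated in the usage text. The enclosing option loop starts before this hunk.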
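Review bot: The `argerr:` label sits inside the `if (badarg) { ... }` body, so the `goto argerr` jumps in the option loop enter the block from outside; that is legal C but reads as unreachable, and on those paths `badarg` stays 0 while the usage text is printed. Moving the label before the `if` and setting the flag there keeps the two consistent: `argerr:` / `badarg = 1;` / `if (badarg) {`. A one-line comment at the label, `/* jumped to from the option loop on a missing or bad option argument */`, would also help.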
@@ -575,9 +580,6 @@ int MAIN(int argc, char **argv)  		if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,  			e, "recipient certificate file")))  			{ -#if 0			/* An appropriate message has alrady been printed */ -			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile); -#endif  			ERR_print_errors(bio_err);  			goto end;  			} @@ -615,6 +617,36 @@ int MAIN(int argc, char **argv)  	else  		in = BIO_new_fp(stdin, BIO_NOCLOSE); +	if (operation & SMIME_IP) +		{ +		if (informat == FORMAT_SMIME)  +			p7 = SMIME_read_PKCS7(in, &indata); +		else if (informat == FORMAT_PEM)  +			p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); +		else if (informat == FORMAT_ASN1)  +			p7 = d2i_PKCS7_bio(in, NULL); +		else +			{ +			BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); +			goto end; +			} + +		if (!p7) +			{ +			BIO_printf(bio_err, "Error reading S/MIME message\n"); +			goto end; +			} +		if (contfile) +			{ +			BIO_free(indata); +			if (!(indata = BIO_new_file(contfile, "rb"))) +				{ +				BIO_printf(bio_err, "Can't read content file %s\n", contfile); +				goto end; +				} +			} +		} +  	if (outfile)  		{  		if (!(out = BIO_new_file(outfile, outmode))) @@ -639,7 +671,7 @@ int MAIN(int argc, char **argv)  		{  		if (!(store = setup_verify(bio_err, CAfile, CApath)))  			goto end; -		X509_STORE_set_verify_cb_func(store, smime_cb); +		X509_STORE_set_verify_cb(store, smime_cb);  		if (vpm)  			X509_STORE_set1_param(store, vpm);  		} 
@@ -648,43 +680,58 @@ int MAIN(int argc, char **argv)  	ret = 3;  	if (operation == SMIME_ENCRYPT) -		p7 = PKCS7_encrypt(encerts, in, cipher, flags); -	else if (operation == SMIME_SIGN)  		{ -		/* If detached data and SMIME output enable partial -		 * signing. -		 */ -		if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME)) +		if (indef)  			flags |= PKCS7_STREAM; -		p7 = PKCS7_sign(signer, key, other, in, flags); +		p7 = PKCS7_encrypt(encerts, in, cipher, flags);  		} -	else +	else if (operation & SMIME_SIGNERS)  		{ -		if (informat == FORMAT_SMIME)  -			p7 = SMIME_read_PKCS7(in, &indata); -		else if (informat == FORMAT_PEM)  -			p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); -		else if (informat == FORMAT_ASN1)  -			p7 = d2i_PKCS7_bio(in, NULL); -		else +		int i; +		/* If detached data content we only enable streaming if +		 * S/MIME output format. +		 */ +		if (operation == SMIME_SIGN)  			{ -			BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); -			goto end; +			if (flags & PKCS7_DETACHED) +				{ +				if (outformat == FORMAT_SMIME) +					flags |= PKCS7_STREAM; +				} +			else if (indef) +				flags |= PKCS7_STREAM; +			flags |= PKCS7_PARTIAL; +			p7 = PKCS7_sign(NULL, NULL, other, in, flags); +			if (!p7) +				goto end;  			} - -		if (!p7) -			{ -			BIO_printf(bio_err, "Error reading S/MIME message\n"); -			goto end; +		else +			flags |= PKCS7_REUSE_DIGEST; +		for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) +			{ +			signerfile = sk_OPENSSL_STRING_value(sksigners, i); +			keyfile = sk_OPENSSL_STRING_value(skkeys, i); +			signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, +					e, "signer certificate"); +			if (!signer) +				goto end; +			key = load_key(bio_err, keyfile, keyform, 0, passin, e, +			       "signing key file"); +			if (!key) +				goto end; +			if (!PKCS7_sign_add_signer(p7, signer, key, +						sign_md, flags)) +				goto end; +			X509_free(signer); +			signer = NULL; +			EVP_PKEY_free(key); +			key = NULL;  			} -		if 
(contfile) +		/* If not streaming or resigning finalize structure */ +		if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM))  			{ -			BIO_free(indata); -			if (!(indata = BIO_new_file(contfile, "rb"))) -				{ -				BIO_printf(bio_err, "Can't read content file %s\n", contfile); +			if (!PKCS7_final(p7, in, flags))  				goto end; -				}  			}  		} @@ -734,11 +781,16 @@ int MAIN(int argc, char **argv)  		if (subject)  			BIO_printf(out, "Subject: %s\n", subject);  		if (outformat == FORMAT_SMIME)  -			SMIME_write_PKCS7(out, p7, in, flags); +			{ +			if (operation == SMIME_RESIGN) +				SMIME_write_PKCS7(out, p7, indata, flags); +			else +				SMIME_write_PKCS7(out, p7, in, flags); +			}  		else if (outformat == FORMAT_PEM)  -			PEM_write_bio_PKCS7(out,p7); +			PEM_write_bio_PKCS7_stream(out, p7, in, flags);  		else if (outformat == FORMAT_ASN1)  -			i2d_PKCS7_bio(out,p7); +			i2d_PKCS7_bio_stream(out,p7, in, flags);  		else  			{  			BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); @@ -754,6 +806,10 @@ end:  	sk_X509_pop_free(other, X509_free);  	if (vpm)  		X509_VERIFY_PARAM_free(vpm); +	if (sksigners) +		sk_OPENSSL_STRING_free(sksigners); +	if (skkeys) +		sk_OPENSSL_STRING_free(skkeys);  	X509_STORE_free(store);  	X509_free(cert);  	X509_free(recip); diff --git a/openssl/apps/speed.c b/openssl/apps/speed.c index af077b54a..539bfff22 100644 --- a/openssl/apps/speed.c +++ b/openssl/apps/speed.c 
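Review bot: The signing loop `for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++)` reads `sk_OPENSSL_STRING_value(skkeys, i)` without checking that skkeys has the same length; the option parser is written to keep the two stacks paired, but a mismatch would hand a NULL keyfile to load_key, whose handling of NULL is not visible here. A cheap guard before the loop makes the dependency explicit: `if (sk_OPENSSL_STRING_num(skkeys) != sk_OPENSSL_STRING_num(sksigners)) goto end;`, or at least a comment `/* sksigners[i] and skkeys[i] are paired by the option parser */`. The `PKCS7_REUSE_DIGEST` branch for resigning and the `sign_md` argument (NULL presumably meaning the library default) deserve a sentence in the comment above the loop as well. MAIN continues outside this hunk.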
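Review bot: The return values of `SMIME_write_PKCS7`, `PEM_write_bio_PKCS7_stream` and `i2d_PKCS7_bio_stream` are all discarded, so a write failure (disk full, closed pipe) or a streaming-signature failure mid-output leaves a truncated file while the command continues down its normal path. Check each one, e.g. `if (!PEM_write_bio_PKCS7_stream(out, p7, in, flags)) goto end;` and the same for the other two calls; `ret` appears to still hold its earlier error value at this point, but confirm what happens to it after the output block, which is outside this hunk. Because `-resign` writes `indata` while the other operations write `in`, a comment on the first branch should explain that for resigning the original detached content is what must be re-emitted.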
@@ -108,53 +108,8 @@  #include <signal.h>  #endif -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(OPENSSL_SYS_MACOSX) -# define USE_TOD -#elif !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -# define TIMES -#endif -#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(OPENSSL_SYS_MPE) && !defined(__NetBSD__) && !defined(OPENSSL_SYS_VXWORKS) /* FIXME */ -# define TIMEB -#endif - -#if defined(OPENSSL_SYS_NETWARE) -#undef TIMES -#undef TIMEB -#include <time.h> -#endif - -#ifndef _IRIX -# include <time.h> -#endif -#ifdef TIMES -# include <sys/types.h> -# include <sys/times.h> -#endif -#ifdef USE_TOD -# include <sys/time.h> -# include <sys/resource.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. -   The __TMS macro will show if it was.  If it wasn't defined, we should -   undefine TIMES, since that tells the rest of the program how things -   should be handled.				-- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#ifdef TIMEB -#include <sys/timeb.h> -#endif - -#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#error "It seems neither struct tms nor struct timeb is supported in this platform!" -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> +#ifdef _WIN32 +#include <windows.h>  #endif  #include <openssl/bn.h> @@ -189,6 +144,9 @@  #ifndef OPENSSL_NO_RIPEMD  #include <openssl/ripemd.h>  #endif +#ifndef OPENSSL_NO_WHIRLPOOL +#include <openssl/whrlpool.h> +#endif  #ifndef OPENSSL_NO_RC4  #include <openssl/rc4.h>  #endif 
@@ -226,43 +184,24 @@  #include <openssl/ecdh.h>  #endif -/* - * The following "HZ" timing stuff should be sync'd up with the code in - * crypto/tmdiff.[ch]. That appears to try to do the same job, though I think - * this code is more up to date than libcrypto's so there may be features to - * migrate over first. This is used in two places further down AFAICS.  - * The point is that nothing in openssl actually *uses* that tmdiff stuff, so - * either speed.c should be using it or it should go because it's obviously not - * useful enough. Anyone want to do a janitorial job on this? - */ - -/* The following if from times(3) man page.  It may need to be changed */ -#ifndef HZ -# if defined(_SC_CLK_TCK) \ -     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) -#  define HZ sysconf(_SC_CLK_TCK) +#ifndef HAVE_FORK +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE) +#  define HAVE_FORK 0  # else -#  ifndef CLK_TCK -#   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -#    define HZ	100.0 -#   else /* _BSD_CLK_TCK_ */ -#    define HZ ((double)_BSD_CLK_TCK_) -#   endif -#  else /* CLK_TCK */ -#   define HZ ((double)CLK_TCK) -#  endif +#  define HAVE_FORK 1  # endif  #endif -#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE) -# define HAVE_FORK 1 +#if HAVE_FORK +#undef NO_FORK +#else +#define NO_FORK  #endif  #undef BUFSIZE  #define BUFSIZE	((long)1024*8+1)  int run=0; -static char ftime_used = 0, times_used = 0, gettimeofday_used = 0, getrusage_used = 0;  static int mr=0;  static int usertime=1; 
@@ -271,11 +210,11 @@ static void print_message(const char *s,long num,int length);  static void pkey_print_message(const char *str, const char *str2,  	long num, int bits, int sec);  static void print_result(int alg,int run_no,int count,double time_used); -#ifdef HAVE_FORK +#ifndef NO_FORK  static int do_multi(int multi);  #endif -#define ALGOR_NUM	28 +#define ALGOR_NUM	29  #define SIZE_NUM	5  #define RSA_NUM		4  #define DSA_NUM		3 @@ -289,12 +228,16 @@ static const char *names[ALGOR_NUM]={    "rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc",    "aes-128 cbc","aes-192 cbc","aes-256 cbc",    "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc", -  "evp","sha256","sha512", +  "evp","sha256","sha512","whirlpool",    "aes-128 ige","aes-192 ige","aes-256 ige"};  static double results[ALGOR_NUM][SIZE_NUM];  static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +#ifndef OPENSSL_NO_RSA  static double rsa_results[RSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_DSA  static double dsa_results[DSA_NUM][2]; +#endif  #ifndef OPENSSL_NO_ECDSA  static double ecdsa_results[EC_NUM][2];  #endif 
@@ -328,141 +271,46 @@ static SIGRETTYPE sig_done(int sig)  #define START	0  #define STOP	1 -#if defined(OPENSSL_SYS_NETWARE) +#if defined(_WIN32) -   /* for NetWare the best we can do is use clock() which returns the -    * time, in hundredths of a second, since the NLM began executing -   */ -static double Time_F(int s) -	{ -	double ret; - -   static clock_t tstart,tend; - -   if (s == START) -   { -      tstart=clock(); -      return(0); -   } -   else -   { -      tend=clock(); -      ret=(double)((double)(tend)-(double)(tstart)); -      return((ret < 0.001)?0.001:ret); -   } -   } +#define SIGALRM +static unsigned int lapse,schlock; +static void alarm(unsigned int secs) { lapse = secs*1000; } -#else +static DWORD WINAPI sleepy(VOID *arg) +	{ +	schlock = 1; +	Sleep(lapse); +	run = 0; +	return 0; +	}  static double Time_F(int s)  	{ -	double ret; - -#ifdef USE_TOD -	if(usertime) -		{ -		static struct rusage tstart,tend; - -		getrusage_used = 1; -		if (s == START) -			{ -			getrusage(RUSAGE_SELF,&tstart); -			return(0); -			} -		else -			{ -			long i; - -			getrusage(RUSAGE_SELF,&tend); -			i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec; -			ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec)) -			  +((double)i)/1000000.0; -			return((ret < 0.001)?0.001:ret); -			} -		} -	else +	if (s == START)  		{ -		static struct timeval tstart,tend; -		long i; - -		gettimeofday_used = 1; -		if (s == START) -			{ -			gettimeofday(&tstart,NULL); -			return(0); -			} -		else +		HANDLE	thr; +		schlock = 0; +		thr = CreateThread(NULL,4096,sleepy,NULL,0,NULL); +		if (thr==NULL)  			{ -			gettimeofday(&tend,NULL); -			i=(long)tend.tv_usec-(long)tstart.tv_usec; -			ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0; -			return((ret < 0.001)?0.001:ret); +			DWORD ret=GetLastError(); +			BIO_printf(bio_err,"unable to CreateThread (%d)",ret); +			ExitProcess(ret);  			} +		CloseHandle(thr);		/* detach the thread	*/ +		while (!schlock) Sleep(0);	/* 
scheduler spinlock	*/  		} -#else  /* ndef USE_TOD */ -		 -# ifdef TIMES -	if (usertime) -		{ -		static struct tms tstart,tend; -		times_used = 1; -		if (s == START) -			{ -			times(&tstart); -			return(0); -			} -		else -			{ -			times(&tend); -			ret = HZ; -			ret=(double)(tend.tms_utime-tstart.tms_utime) / ret; -			return((ret < 1e-3)?1e-3:ret); -			} -		} -# endif /* times() */ -# if defined(TIMES) && defined(TIMEB) -	else -# endif -# ifdef OPENSSL_SYS_VXWORKS -                { -		static unsigned long tick_start, tick_end; - -		if( s == START ) -			{ -			tick_start = tickGet(); -			return 0; -			} -		else -			{ -			tick_end = tickGet(); -			ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); -			return((ret < 0.001)?0.001:ret); -			} -                } -# elif defined(TIMEB) -		{ -		static struct timeb tstart,tend; -		long i; +	return app_tminterval(s,usertime); +	} +#else -		ftime_used = 1; -		if (s == START) -			{ -			ftime(&tstart); -			return(0); -			} -		else -			{ -			ftime(&tend); -			i=(long)tend.millitm-(long)tstart.millitm; -			ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; -			return((ret < 0.001)?0.001:ret); -			} -		} -# endif -#endif +static double Time_F(int s) +	{ +	return app_tminterval(s,usertime);  	} -#endif /* if defined(OPENSSL_SYS_NETWARE) */ +#endif  #ifndef OPENSSL_NO_ECDH @@ -522,6 +370,9 @@ int MAIN(int argc, char **argv)  	unsigned char sha512[SHA512_DIGEST_LENGTH];  #endif  #endif +#ifndef OPENSSL_NO_WHIRLPOOL +	unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; +#endif  #ifndef OPENSSL_NO_RIPEMD  	unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];  #endif 
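Review bot: The Windows timer added in Time_F coordinates two threads through plain globals — `sleepy` writes `schlock` and `run`, while the main thread spins on `while (!schlock) Sleep(0);` and the benchmark loops poll `run` — and neither `static unsigned int lapse,schlock;` nor the `int run=0;` visible earlier in the file is `volatile` or atomic, so an optimising build is free to hoist those loads and the spin or the timed loop may never observe the write. At minimum declare them `static volatile unsigned int lapse,schlock;` and make `run` volatile, or use an event object/interlocked access. Two smaller points in the same block: `BIO_printf(bio_err,"unable to CreateThread (%d)",ret);` formats a DWORD with `%d` and has no trailing newline, `"unable to CreateThread (%lu)\n"` with `(unsigned long)ret` would be consistent, and `ExitProcess(ret)` aborts without the caller's cleanup. Time_F is complete within the hunk.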
@@ -618,9 +469,10 @@ int MAIN(int argc, char **argv)  #define D_EVP		22  #define D_SHA256	23	  #define D_SHA512	24 -#define D_IGE_128_AES   25 -#define D_IGE_192_AES   26 -#define D_IGE_256_AES   27 +#define D_WHIRLPOOL	25 +#define D_IGE_128_AES   26 +#define D_IGE_192_AES   27 +#define D_IGE_256_AES   28  	double d=0.0;  	long c[ALGOR_NUM][SIZE_NUM];  #define	R_DSA_512	0 @@ -749,7 +601,7 @@ int MAIN(int argc, char **argv)  	const EVP_CIPHER *evp_cipher=NULL;  	const EVP_MD *evp_md=NULL;  	int decrypt=0; -#ifdef HAVE_FORK +#ifndef NO_FORK  	int multi=0;  #endif @@ -877,7 +729,7 @@ int MAIN(int argc, char **argv)  			j--;  			}  #endif -#ifdef HAVE_FORK +#ifndef NO_FORK  		else if	((argc > 0) && (strcmp(*argv,"-multi") == 0))  			{  			argc--; @@ -940,6 +792,10 @@ int MAIN(int argc, char **argv)  		else  #endif  #endif +#ifndef OPENSSL_NO_WHIRLPOOL +			if (strcmp(*argv,"whirlpool") == 0) doit[D_WHIRLPOOL]=1; +		else +#endif  #ifndef OPENSSL_NO_RIPEMD  			if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1;  		else @@ -1151,12 +1007,16 @@ int MAIN(int argc, char **argv)  #ifndef OPENSSL_NO_SHA512  			BIO_printf(bio_err,"sha512   ");  #endif +#ifndef OPENSSL_NO_WHIRLPOOL +			BIO_printf(bio_err,"whirlpool"); +#endif  #ifndef OPENSSL_NO_RIPEMD160  			BIO_printf(bio_err,"rmd160");  #endif  #if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \      !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \ -    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) +    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \ +    !defined(OPENSSL_NO_WHIRLPOOL)  			BIO_printf(bio_err,"\n");  #endif 
@@ -1257,7 +1117,7 @@ int MAIN(int argc, char **argv)  			BIO_printf(bio_err,"-evp e          use EVP e.\n");  			BIO_printf(bio_err,"-decrypt        time decryption instead of encryption (only EVP).\n");  			BIO_printf(bio_err,"-mr             produce machine readable output.\n"); -#ifdef HAVE_FORK +#ifndef NO_FORK  			BIO_printf(bio_err,"-multi n        run n benchmarks in parallel.\n");  #endif  			goto end; @@ -1267,7 +1127,7 @@ int MAIN(int argc, char **argv)  		j++;  		} -#ifdef HAVE_FORK +#ifndef NO_FORK  	if(multi && do_multi(multi))  		goto show_res;  #endif @@ -1283,17 +1143,20 @@ int MAIN(int argc, char **argv)  			rsa_doit[i]=1;  		for (i=0; i<DSA_NUM; i++)  			dsa_doit[i]=1; +#ifndef OPENSSL_NO_ECDSA +		for (i=0; i<EC_NUM; i++) +			ecdsa_doit[i]=1; +#endif +#ifndef OPENSSL_NO_ECDH +		for (i=0; i<EC_NUM; i++) +			ecdh_doit[i]=1; +#endif  		}  	for (i=0; i<ALGOR_NUM; i++)  		if (doit[i]) pr_header++;  	if (usertime == 0 && !mr)  		BIO_printf(bio_err,"You have chosen to measure elapsed time instead of user CPU time.\n"); -	if (usertime <= 0 && !mr) -		{ -		BIO_printf(bio_err,"To get the most accurate results, try to run this\n"); -		BIO_printf(bio_err,"program when this computer is idle.\n"); -		}  #ifndef OPENSSL_NO_RSA  	for (i=0; i<RSA_NUM; i++) @@ -1403,6 +1266,7 @@ int MAIN(int argc, char **argv)  	c[D_CBC_256_CML][0]=count;  	c[D_SHA256][0]=count;  	c[D_SHA512][0]=count; +	c[D_WHIRLPOOL][0]=count;  	c[D_IGE_128_AES][0]=count;  	c[D_IGE_192_AES][0]=count;  	c[D_IGE_256_AES][0]=count; @@ -1418,6 +1282,7 @@ int MAIN(int argc, char **argv)  		c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i];  		c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i];  		c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i]; +		c[D_WHIRLPOOL][i]=c[D_WHIRLPOOL][0]*4*lengths[0]/lengths[i];  		}  	for (i=1; i<SIZE_NUM; i++)  		{ 
@@ -1601,7 +1466,9 @@ int MAIN(int argc, char **argv)  #else  #define COND(c)	(run)  #define COUNT(d) (count) +#ifndef _WIN32  	signal(SIGALRM,sig_done); +#endif  #endif /* SIGALRM */  #ifndef OPENSSL_NO_MD2 @@ -1731,8 +1598,23 @@ int MAIN(int argc, char **argv)  			}  		}  #endif +#endif +#ifndef OPENSSL_NO_WHIRLPOOL +	if (doit[D_WHIRLPOOL]) +		{ +		for (j=0; j<SIZE_NUM; j++) +			{ +			print_message(names[D_WHIRLPOOL],c[D_WHIRLPOOL][j],lengths[j]); +			Time_F(START); +			for (count=0,run=1; COND(c[D_WHIRLPOOL][j]); count++) +				WHIRLPOOL(buf,lengths[j],whirlpool); +			d=Time_F(STOP); +			print_result(D_WHIRLPOOL,j,count,d); +			} +		}  #endif +  #ifndef OPENSSL_NO_RIPEMD  	if (doit[D_RMD160])  		{ @@ -1878,6 +1760,8 @@ int MAIN(int argc, char **argv)  			print_result(D_IGE_256_AES,j,count,d);  			}  		} + +  #endif  #ifndef OPENSSL_NO_CAMELLIA  	if (doit[D_CBC_128_CML]) @@ -2462,7 +2346,7 @@ int MAIN(int argc, char **argv)  		}  	if (rnd_fake) RAND_cleanup();  #endif -#ifdef HAVE_FORK +#ifndef NO_FORK  show_res:  #endif  	if(!mr) @@ -2490,35 +2374,6 @@ show_res:  		printf("%s ",BF_options());  #endif  		fprintf(stdout,"\n%s\n",SSLeay_version(SSLEAY_CFLAGS)); -		printf("available timing options: "); -#ifdef TIMES -		printf("TIMES "); -#endif -#ifdef TIMEB -		printf("TIMEB "); -#endif -#ifdef USE_TOD -		printf("USE_TOD "); -#endif -#ifdef HZ -#define as_string(s) (#s) -		{ -		double dbl = HZ; -		printf("HZ=%g", dbl); -		} -# ifdef _SC_CLK_TCK -		printf(" [sysconf value]"); -# endif -#endif -		printf("\n"); -		printf("timing function used: %s%s%s%s%s%s%s\n", -		       (ftime_used ? "ftime" : ""), -		       (ftime_used + times_used > 1 ? "," : ""), -		       (times_used ? "times" : ""), -		       (ftime_used + times_used + gettimeofday_used > 1 ? "," : ""), -		       (gettimeofday_used ? "gettimeofday" : ""), -		       (ftime_used + times_used + gettimeofday_used + getrusage_used > 1 ? "," : ""), -		       (getrusage_used ? "getrusage" : ""));  		}  	if (pr_header) 
@@ -2717,7 +2572,7 @@ static void print_result(int alg,int run_no,int count,double time_used)  	results[alg][run_no]=((double)count)/time_used*lengths[run_no];  	} -#ifdef HAVE_FORK +#ifndef NO_FORK  static char *sstrsep(char **string, const char *delim)      {      char isdelim[256]; @@ -2775,6 +2630,7 @@ static int do_multi(int multi)  			close(fd[1]);  			mr=1;  			usertime=0; +			free(fds);  			return 0;  			}  		printf("Forked child %d\n",n); @@ -2923,7 +2779,10 @@ static int do_multi(int multi)  			else  				fprintf(stderr,"Unknown type '%s' from child %d\n",buf,n);  			} + +		fclose(f);  		} +	free(fds);  	return 1;  	}  #endif diff --git a/openssl/apps/ts.c b/openssl/apps/ts.c index 74e7e932b..5fa9f7fda 100644 --- a/openssl/apps/ts.c +++ b/openssl/apps/ts.c @@ -165,6 +165,9 @@ int MAIN(int argc, char **argv)  		BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);  		} +	if (!load_config(bio_err, NULL)) +		goto cleanup; +  	for (argc--, argv++; argc > 0; argc--, argv++)  		{  		if (strcmp(*argv, "-config") == 0) @@ -646,7 +649,7 @@ static ASN1_INTEGER *create_nonce(int bits)  	/* Generating random byte sequence. */  	if (len > (int)sizeof(buf)) goto err; -	if (!RAND_bytes(buf, len)) goto err; +	if (RAND_bytes(buf, len) <= 0) goto err;  	/* Find the first non-zero byte and creating ASN1_INTEGER object. */  	for (i = 0; i < len && !buf[i]; ++i); @@ -1080,7 +1083,7 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)  	cert_ctx = X509_STORE_new();  	/* Setting the callback for certificate chain verification. */ -	X509_STORE_set_verify_cb_func(cert_ctx, verify_cb); +	X509_STORE_set_verify_cb(cert_ctx, verify_cb);  	/* Adding a trusted certificate directory source. */  	if (ca_path) diff --git a/openssl/apps/tsget b/openssl/apps/tsget index ddae803fb..0d54e9fc9 100644 --- a/openssl/apps/tsget +++ b/openssl/apps/tsget 
@@ -1,13 +1,13 @@  #!/usr/bin/perl -w  # Written by Zoltan Glozik <zglozik@stones.com>.  # Copyright (c) 2002 The OpenTSA Project.  All rights reserved. -$::version = '$Id: tsget,v 1.1 2006/02/12 23:11:21 ulf Exp $'; +$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $';  use strict;  use IO::Handle;  use Getopt::Std;  use File::Basename; -use WWW::Curl::easy; +use WWW::Curl::Easy;  use vars qw(%options); @@ -37,7 +37,7 @@ sub create_curl {      my $url = shift;      # Create Curl object. -    my $curl = WWW::Curl::easy::new(); +    my $curl = WWW::Curl::Easy::new();      # Error-handling related options.      $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; @@ -49,7 +49,7 @@ sub create_curl {      $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");      $curl->setopt(CURLOPT_HTTPHEADER,  		["Content-Type: application/timestamp-query", -		"Accept: application/timestamp-reply"]); +		"Accept: application/timestamp-reply,application/timestamp-response"]);      $curl->setopt(CURLOPT_READFUNCTION, \&read_body);      $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); @@ -102,7 +102,8 @@ sub get_timestamp {  	$error_string .= " ($::error_buf)" if defined($::error_buf);      } else {          my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); -	if (lc($ct) ne "application/timestamp-reply") { +	if (lc($ct) ne "application/timestamp-reply" +	    && lc($ct) ne "application/timestamp-response") {  	    $error_string = "unexpected content type returned: $ct";          }      } @@ -192,4 +193,4 @@ REQUEST: foreach (@ARGV) {      STDERR->printflush(", $output written.\n") if $options{v};  }  $curl->cleanup(); -WWW::Curl::easy::global_cleanup(); +WWW::Curl::Easy::global_cleanup(); diff --git a/openssl/apps/verify.c b/openssl/apps/verify.c index 20cc9e354..9163997e9 100644 --- a/openssl/apps/verify.c +++ b/openssl/apps/verify.c 
@@ -70,8 +70,9 @@  #define PROG	verify_main  static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e); -static STACK_OF(X509) *load_untrusted(char *file); +static int check(X509_STORE *ctx, char *file, +		STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, +		STACK_OF(X509_CRL) *crls, ENGINE *e);  static int v_verbose=0, vflags = 0;  int MAIN(int, char **); @@ -80,10 +81,10 @@ int MAIN(int argc, char **argv)  	{  	ENGINE *e = NULL;  	int i,ret=1, badarg = 0; -	int purpose = -1;  	char *CApath=NULL,*CAfile=NULL; -	char *untfile = NULL, *trustfile = NULL; +	char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;  	STACK_OF(X509) *untrusted = NULL, *trusted = NULL; +	STACK_OF(X509_CRL) *crls = NULL;  	X509_STORE *cert_ctx=NULL;  	X509_LOOKUP *lookup=NULL;  	X509_VERIFY_PARAM *vpm = NULL; @@ -93,7 +94,7 @@ int MAIN(int argc, char **argv)  	cert_ctx=X509_STORE_new();  	if (cert_ctx == NULL) goto end; -	X509_STORE_set_verify_cb_func(cert_ctx,cb); +	X509_STORE_set_verify_cb(cert_ctx,cb);  	ERR_load_crypto_strings(); @@ -139,6 +140,11 @@ int MAIN(int argc, char **argv)  				if (argc-- < 1) goto end;  				trustfile= *(++argv);  				} +			else if (strcmp(*argv,"-CRLfile") == 0) +				{ +				if (argc-- < 1) goto end; +				crlfile= *(++argv); +				}  #ifndef OPENSSL_NO_ENGINE  			else if (strcmp(*argv,"-engine") == 0)  				{ 
@@ -192,26 +198,34 @@ int MAIN(int argc, char **argv)  	ERR_clear_error(); -	if(untfile) { -		if(!(untrusted = load_untrusted(untfile))) { -			BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile); -			ERR_print_errors(bio_err); +	if(untfile) +		{ +		untrusted = load_certs(bio_err, untfile, FORMAT_PEM, +					NULL, e, "untrusted certificates"); +		if(!untrusted)  			goto end;  		} -	} -	if(trustfile) { -		if(!(trusted = load_untrusted(trustfile))) { -			BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile); -			ERR_print_errors(bio_err); +	if(trustfile) +		{ +		trusted = load_certs(bio_err, trustfile, FORMAT_PEM, +					NULL, e, "trusted certificates"); +		if(!trusted)  			goto end;  		} -	} -	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose, e); +	if(crlfile) +		{ +		crls = load_crls(bio_err, crlfile, FORMAT_PEM, +					NULL, e, "other CRLs"); +		if(!crls) +			goto end; +		} + +	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);  	else  		for (i=0; i<argc; i++) -			check(cert_ctx,argv[i], untrusted, trusted, purpose, e); +			check(cert_ctx,argv[i], untrusted, trusted, crls, e);  	ret=0;  end:  	if (ret == 1) { @@ -232,11 +246,14 @@ end:  	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);  	sk_X509_pop_free(untrusted, X509_free);  	sk_X509_pop_free(trusted, X509_free); +	sk_X509_CRL_pop_free(crls, X509_CRL_free);  	apps_shutdown();  	OPENSSL_EXIT(ret);  	} -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e) +static int check(X509_STORE *ctx, char *file, +		STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, +		STACK_OF(X509_CRL) *crls, ENGINE *e)  	{  	X509 *x=NULL;  	int i=0,ret=0; 
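Review bot: Both `check(...)` calls still discard the verification result, and `ret=0;` follows unconditionally, so the command exits successfully even when a certificate fails to verify against the CRLs that the new `-CRLfile` option loads; any script keying on the exit status gets a false pass. This predates the change, but the new CRL path inherits it. Because `end:` treats `ret == 1` as the usage case, use a separate flag: `int failed = 0;`, record `if (!check(...)) failed = 1;` at both call sites, and replace `ret=0;` with `ret = failed ? 2 : 0;`. The return convention of check() is not visible in this hunk beyond `int i=0,ret=0;`, so confirm it returns 0 on failure before wiring this up.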
@@ -260,7 +277,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X  		goto end;  		}  	if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); -	if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); +	if (crls) +		X509_STORE_CTX_set0_crls(csc, crls);  	i=X509_verify_cert(csc);  	X509_STORE_CTX_free(csc); 
@@ -278,90 +296,53 @@ end:  	return(ret);  	} -static STACK_OF(X509) *load_untrusted(char *certfile) -{ -	STACK_OF(X509_INFO) *sk=NULL; -	STACK_OF(X509) *stack=NULL, *ret=NULL; -	BIO *in=NULL; -	X509_INFO *xi; - -	if(!(stack = sk_X509_new_null())) { -		BIO_printf(bio_err,"memory allocation failure\n"); -		goto end; -	} - -	if(!(in=BIO_new_file(certfile, "r"))) { -		BIO_printf(bio_err,"error opening the file, %s\n",certfile); -		goto end; -	} - -	/* This loads from a file, a stack of x509/crl/pkey sets */ -	if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) { -		BIO_printf(bio_err,"error reading the file, %s\n",certfile); -		goto end; -	} - -	/* scan over it and pull out the certs */ -	while (sk_X509_INFO_num(sk)) -		{ -		xi=sk_X509_INFO_shift(sk); -		if (xi->x509 != NULL) -			{ -			sk_X509_push(stack,xi->x509); -			xi->x509=NULL; -			} -		X509_INFO_free(xi); -		} -	if(!sk_X509_num(stack)) { -		BIO_printf(bio_err,"no certificates in file, %s\n",certfile); -		sk_X509_free(stack); -		goto end; -	} -	ret=stack; -end: -	BIO_free(in); -	sk_X509_INFO_free(sk); -	return(ret); -	} -  static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)  	{ -	char buf[256]; +	int cert_error = X509_STORE_CTX_get_error(ctx); +	X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);  	if (!ok)  		{ -		if (ctx->current_cert) +		if (current_cert) +			{ +			X509_NAME_print_ex_fp(stdout, +				X509_get_subject_name(current_cert), +				0, XN_FLAG_ONELINE); +			printf("\n"); +			} +		printf("%serror %d at %d depth lookup:%s\n", +			X509_STORE_CTX_get0_parent_ctx(ctx) ? 
"[CRL path]" : "", +			cert_error, +			X509_STORE_CTX_get_error_depth(ctx), +			X509_verify_cert_error_string(cert_error)); +		switch(cert_error)  			{ -			X509_NAME_oneline( -				X509_get_subject_name(ctx->current_cert),buf, -				sizeof buf); -			printf("%s\n",buf); +			case X509_V_ERR_NO_EXPLICIT_POLICY: +				policies_print(NULL, ctx); +			case X509_V_ERR_CERT_HAS_EXPIRED: + +			/* since we are just checking the certificates, it is +			 * ok if they are self signed. But we should still warn +			 * the user. +			 */ + +			case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: +			/* Continue after extension errors too */ +			case X509_V_ERR_INVALID_CA: +			case X509_V_ERR_INVALID_NON_CA: +			case X509_V_ERR_PATH_LENGTH_EXCEEDED: +			case X509_V_ERR_INVALID_PURPOSE: +			case X509_V_ERR_CRL_HAS_EXPIRED: +			case X509_V_ERR_CRL_NOT_YET_VALID: +			case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: +			ok = 1; +  			} -		printf("error %d at %d depth lookup:%s\n",ctx->error, -			ctx->error_depth, -			X509_verify_cert_error_string(ctx->error)); -		if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; -		/* since we are just checking the certificates, it is -		 * ok if they are self signed. But we should still warn -		 * the user. 
- 		 */ -		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; -		/* Continue after extension errors too */ -		if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; -		if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; -		if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; -		if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; -		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; -		if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; -		if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; -		if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; -		if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) -			policies_print(NULL, ctx);  		return ok;  		} -	if ((ctx->error == X509_V_OK) && (ok == 2)) +	if (cert_error == X509_V_OK && ok == 2)  		policies_print(NULL, ctx);  	if (!v_verbose)  		ERR_clear_error(); diff --git a/openssl/apps/x509.c b/openssl/apps/x509.c index 6debce441..e7e46d7b6 100644 --- a/openssl/apps/x509.c +++ b/openssl/apps/x509.c @@ -99,7 +99,13 @@ static const char *x509_usage[]={  " -passin arg     - private key password source\n",  " -serial         - print serial number value\n",  " -subject_hash   - print subject hash value\n", +#ifndef OPENSSL_NO_MD5 +" -subject_hash_old   - print old-style (MD5) subject hash value\n", +#endif  " -issuer_hash    - print issuer hash value\n", +#ifndef OPENSSL_NO_MD5 +" -issuer_hash_old    - print old-style (MD5) issuer hash value\n", +#endif  " -hash           - synonym for -subject_hash\n",  " -subject        - print subject DN\n",  " -issuer         - print issuer DN\n", @@ -179,6 +185,9 @@ int MAIN(int argc, char **argv)  	int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;  	int next_serial=0;  	int subject_hash=0,issuer_hash=0,ocspid=0; +#ifndef OPENSSL_NO_MD5 +	int subject_hash_old=0,issuer_hash_old=0; +#endif  	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;  	int ocsp_uri=0;  	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; 
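Review bot: The rewritten `switch(cert_error)` in cb changes what the tool tolerates: `case X509_V_ERR_NO_EXPLICIT_POLICY:` calls `policies_print(NULL, ctx);` and then falls through to the shared `ok = 1;`, whereas the removed code only printed the policy tree for that error and left `ok` as the library set it. If accepting that error is intended, mark it with `/* fall through */` after the `policies_print` call (the long run of error cases also carries no fallthrough comment), otherwise insert `break;` after `policies_print(NULL, ctx);`. A `default:` case, even an empty one, would also make explicit that every other error is left as a failure.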
@@ -190,7 +199,7 @@ int MAIN(int argc, char **argv)  	X509_REQ *rq=NULL;  	int fingerprint=0;  	char buf[256]; -	const EVP_MD *md_alg,*digest=EVP_sha1(); +	const EVP_MD *md_alg,*digest=NULL;  	CONF *extconf = NULL;  	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;  	int need_rand = 0; @@ -225,7 +234,7 @@ int MAIN(int argc, char **argv)  	ctx=X509_STORE_new();  	if (ctx == NULL) goto end; -	X509_STORE_set_verify_cb_func(ctx,callb); +	X509_STORE_set_verify_cb(ctx,callb);  	argc--;  	argv++; @@ -397,8 +406,16 @@ int MAIN(int argc, char **argv)  		else if (strcmp(*argv,"-hash") == 0  			|| strcmp(*argv,"-subject_hash") == 0)  			subject_hash= ++num; +#ifndef OPENSSL_NO_MD5 +		else if (strcmp(*argv,"-subject_hash_old") == 0) +			subject_hash_old= ++num; +#endif  		else if (strcmp(*argv,"-issuer_hash") == 0)  			issuer_hash= ++num; +#ifndef OPENSSL_NO_MD5 +		else if (strcmp(*argv,"-issuer_hash_old") == 0) +			issuer_hash_old= ++num; +#endif  		else if (strcmp(*argv,"-subject") == 0)  			subject= ++num;  		else if (strcmp(*argv,"-issuer") == 0) @@ -626,7 +643,7 @@ bad:  		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;  		X509_gmtime_adj(X509_get_notBefore(x),0); -	        X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); +	        X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);  		pkey = X509_REQ_get_pubkey(req);  		X509_set_pubkey(x,pkey); @@ -738,13 +755,14 @@ bad:  			else if ((email == i) || (ocsp_uri == i))  				{  				int j; -				STACK *emlst; +				STACK_OF(OPENSSL_STRING) *emlst;  				if (email == i)  					emlst = X509_get1_email(x);  				else  					emlst = X509_get1_ocsp(x); -				for (j = 0; j < sk_num(emlst); j++) -					BIO_printf(STDout, "%s\n", sk_value(emlst, j)); +				for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) +					BIO_printf(STDout, "%s\n", +						   sk_OPENSSL_STRING_value(emlst, j));  				X509_email_free(emlst);  				}  			else if (aliasout == i) 
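Review bot: The default `digest` changes from `EVP_sha1()` to `NULL` here, and the per-key-type overrides (`EVP_dss1()`/`EVP_ecdsa()`) are deleted in the later hunks around `sign(`, `x509_certify(` and `X509_to_X509_REQ(`, so those calls now receive a NULL digest unless a `-<md>` option was given. Only the fingerprint path gets an explicit fallback (`fdig = EVP_sha1()`); the signing paths rely on the library choosing a key-appropriate default for a NULL md, which this diff does not show. Please confirm that the signing helpers accept NULL, and record the intent at the declaration, e.g. `const EVP_MD *md_alg,*digest=NULL; /* NULL: signing code picks the key's default digest */`.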
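Review bot: `X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);` in the `@@ -626` hunk is called without checking its result, while the parallel call in x509_certify (`@@ -1167`) tests it for NULL and bails out; a failure here could leave notAfter unset on the certificate built from the request and the code would continue to sign it. Change it to `if (!X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL)) goto end;` to match. The preceding `X509_gmtime_adj(X509_get_notBefore(x),0);` in the context has the same gap. The enclosing block continues outside the hunk.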
@@ -758,10 +776,22 @@ bad:  				{  				BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));  				} +#ifndef OPENSSL_NO_MD5 +			else if (subject_hash_old == i) +				{ +				BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); +				} +#endif  			else if (issuer_hash == i)  				{  				BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));  				} +#ifndef OPENSSL_NO_MD5 +			else if (issuer_hash_old == i) +				{ +				BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); +				} +#endif  			else if (pprint == i)  				{  				X509_PURPOSE *ptmp; @@ -892,14 +922,18 @@ bad:  				int j;  				unsigned int n;  				unsigned char md[EVP_MAX_MD_SIZE]; +				const EVP_MD *fdig = digest; + +				if (!fdig) +					fdig = EVP_sha1(); -				if (!X509_digest(x,digest,md,&n)) +				if (!X509_digest(x,fdig,md,&n))  					{  					BIO_printf(bio_err,"out of memory\n");  					goto end;  					}  				BIO_printf(STDout,"%s Fingerprint=", -						OBJ_nid2sn(EVP_MD_type(digest))); +						OBJ_nid2sn(EVP_MD_type(fdig)));  				for (j=0; j<(int)n; j++)  					{  					BIO_printf(STDout,"%02X%c",md[j], @@ -919,14 +953,6 @@ bad:  						passin, e, "Private key");  					if (Upkey == NULL) goto end;  					} -#ifndef OPENSSL_NO_DSA -		                if (Upkey->type == EVP_PKEY_DSA) -		                        digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA -				if (Upkey->type == EVP_PKEY_EC) -					digest=EVP_ecdsa(); -#endif  				assert(need_rand);  				if (!sign(x,Upkey,days,clrext,digest, @@ -943,14 +969,6 @@ bad:  						"CA Private Key");  					if (CApkey == NULL) goto end;  					} -#ifndef OPENSSL_NO_DSA -		                if (CApkey->type == EVP_PKEY_DSA) -		                        digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA -				if (CApkey->type == EVP_PKEY_EC) -					digest = EVP_ecdsa(); -#endif  				assert(need_rand);  				if (!x509_certify(ctx,CAfile,digest,x,xca, 
@@ -978,15 +996,6 @@ bad:  				BIO_printf(bio_err,"Generating certificate request\n"); -#ifndef OPENSSL_NO_DSA -		                if (pk->type == EVP_PKEY_DSA) -		                        digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA -				if (pk->type == EVP_PKEY_EC) -					digest=EVP_ecdsa(); -#endif -  				rq=X509_to_X509_REQ(x,pk,digest);  				EVP_PKEY_free(pk);  				if (rq == NULL) @@ -1040,16 +1049,15 @@ bad:  		}  	else if (outformat == FORMAT_NETSCAPE)  		{ -		ASN1_HEADER ah; -		ASN1_OCTET_STRING os; +		NETSCAPE_X509 nx; +		ASN1_OCTET_STRING hdr; -		os.data=(unsigned char *)NETSCAPE_CERT_HDR; -		os.length=strlen(NETSCAPE_CERT_HDR); -		ah.header= &os; -		ah.data=(char *)x; -		ah.meth=X509_asn1_meth(); +		hdr.data=(unsigned char *)NETSCAPE_CERT_HDR; +		hdr.length=strlen(NETSCAPE_CERT_HDR); +		nx.header= &hdr; +		nx.cert=x; -		i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah); +		i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx);  		}  	else	{  		BIO_printf(bio_err,"bad output format specified for outfile\n"); @@ -1151,6 +1159,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,  	/* NOTE: this certificate can/should be self signed, unless it was  	 * a certificate request in which case it is not. */  	X509_STORE_CTX_set_cert(&xsc,x); +	X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);  	if (!reqfile && X509_verify_cert(&xsc) <= 0)  		goto end; @@ -1167,7 +1176,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,  		goto end;  	/* hardwired expired */ -	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) +	if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)  		goto end;  	if (clrext) | 
