diff options
Diffstat (limited to 'openssl/apps')
52 files changed, 4240 insertions, 2569 deletions
diff --git a/openssl/apps/CA.pl b/openssl/apps/CA.pl index 05f11dd61..a3965ecea 100644 --- a/openssl/apps/CA.pl +++ b/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl5 +#!/usr/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/openssl/apps/CA.sh b/openssl/apps/CA.sh index a0b20d85a..7ad6b8c52 100644 --- a/openssl/apps/CA.sh +++ b/openssl/apps/CA.sh @@ -5,10 +5,10 @@ # things easier between now and when Eric is convinced to fix it :-) # # CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request -# CA -sign ... will sign the generated request and output +# CA -newreq ... will generate a certificate request +# CA -sign ... will sign the generated request and output # -# At the end of that grab newreq.pem and newcert.pem (one has the key +# At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what # you want/need ... I'll make even this a little cleaner later. # @@ -16,8 +16,8 @@ # 12-Jan-96 tjh Added more things ... including CA -signcert which # converts a certificate to a request and then signs it. # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. +# environment variable so this can be driven from +# a script. # 25-Jul-96 eay Cleaned up filenames some more. # 11-Jun-96 eay Fixed a few filename missmatches. # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. @@ -29,52 +29,87 @@ # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored +cp_pem() { + infile=$1 + outfile=$2 + bound=$3 + flag=0 + exec <$infile; + while read line; do + if [ $flag -eq 1 ]; then + echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ] ; then + echo $line >>$outfile + break + else + echo $line >>$outfile + fi + fi + + echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null + if [ $? -eq 0 ]; then + echo $line >$outfile + flag=1 + fi + done +} + +usage() { + echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 +} if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi -DAYS="-days 365" # 1 year +if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year CADAYS="-days 1095" # 3 years REQ="$OPENSSL req $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" VERIFY="$OPENSSL verify" X509="$OPENSSL x509" +PKCS12="openssl pkcs12" -CATOP=./demoCA +if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi CAKEY=./cakey.pem CAREQ=./careq.pem CACERT=./cacert.pem -for i -do -case $i in +RET=0 + +while [ "$1" != "" ] ; do +case $1 in -\?|-h|-help) - echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 + usage exit 0 ;; --newcert) +-newcert) # create a certificate $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS RET=$? echo "Certificate is in newcert.pem, private key is in newkey.pem" ;; --newreq) +-newreq) # create a certificate request $REQ -new -keyout newkey.pem -out newreq.pem $DAYS RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" ;; --newca) +-newreq-nodes) + # create a certificate request + $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS + RET=$? + echo "Request (and private key) is in newreq.pem" + ;; +-newca) # if explicitly asked for or it doesn't exist then setup the directory - # structure that Eric likes to manage things + # structure that Eric likes to manage things NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy - mkdir ${CATOP} - mkdir ${CATOP}/certs - mkdir ${CATOP}/crl - mkdir ${CATOP}/newcerts - mkdir ${CATOP}/private - echo "00" > ${CATOP}/serial + mkdir -p ${CATOP} + mkdir -p ${CATOP}/certs + mkdir -p ${CATOP}/crl + mkdir -p ${CATOP}/newcerts + mkdir -p ${CATOP}/private touch ${CATOP}/index.txt fi if [ ! -f ${CATOP}/private/$CAKEY ]; then @@ -83,37 +118,60 @@ case $i in # ask user for existing CA certificate if [ "$FILE" ]; then - cp $FILE ${CATOP}/private/$CAKEY + cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE + cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE RET=$? + if [ ! -f "${CATOP}/serial" ]; then + $X509 -in ${CATOP}/$CACERT -noout -next_serial \ + -out ${CATOP}/serial + fi else echo "Making CA certificate ..." $REQ -new -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CAREQ - $CA -out ${CATOP}/$CACERT $CADAYS -batch \ + $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ - -infiles ${CATOP}/$CAREQ + -extensions v3_ca \ + -infiles ${CATOP}/$CAREQ RET=$? fi fi ;; -xsign) - $CA -policy policy_anything -infiles newreq.pem + $CA -policy policy_anything -infiles newreq.pem RET=$? ;; --sign|-signreq) +-pkcs12) + if [ -z "$2" ] ; then + CNAME="My Certificate" + else + CNAME="$2" + fi + $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ + -out newcert.p12 -export -name "$CNAME" + RET=$? + exit $RET + ;; +-sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --signcert) +-signCA) + $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem + RET=$? + echo "Signed CA certificate is in newcert.pem" + ;; +-signcert) echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem + RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;; --verify) +-verify) shift if [ -z "$1" ]; then $VERIFY -CAfile $CATOP/$CACERT newcert.pem @@ -127,13 +185,14 @@ case $i in fi done fi - exit 0 + exit $RET ;; *) - echo "Unknown arg $i"; + echo "Unknown arg $i" >&2 + usage exit 1 ;; esac +shift done exit $RET - diff --git a/openssl/apps/Makefile b/openssl/apps/Makefile index 402981aed..fa32d2d7e 100644 --- a/openssl/apps/Makefile +++ b/openssl/apps/Makefile @@ -31,15 +31,15 @@ LIBSSL=-L.. -lssl PROGRAM= openssl -SCRIPTS=CA.sh CA.pl +SCRIPTS=CA.sh CA.pl tsget EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam ec ecparam \ - x509 genrsa gendsa s_server s_client speed \ + x509 genrsa gendsa genpkey s_server s_client speed \ s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \ - pkcs8 spkac smime rand engine ocsp prime + pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts PROGS= $(PROGRAM).c @@ -53,18 +53,18 @@ RAND_SRC=app_rand.c E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \ ca.o pkcs7.o crl2p7.o crl.o \ rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \ - x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ + x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \ s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ - ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \ - ocsp.o prime.o cms.o + ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \ + spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \ pkcs7.c crl2p7.c crl.c \ rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \ - x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ + x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \ s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ - ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \ - ocsp.c prime.c cms.c + ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \ + spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c SRC=$(E_SRC) @@ -137,9 +137,10 @@ depend: dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) + rm -f CA.pl clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) + rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) rm -f req $(DLIBSSL): @@ -152,18 +153,13 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(EXE) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ - [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} - -(cd ..; \ - OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ - $(PERL) tools/c_rehash certs) + @(cd ..; $(MAKE) rehash) progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h @@ -176,150 +172,149 @@ app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -app_rand.o: ../include/openssl/evp.h ../include/openssl/fips.h -app_rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -app_rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -app_rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -app_rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h -app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h -app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -app_rand.o: ../include/openssl/x509v3.h app_rand.c apps.h +app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h +app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +app_rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +app_rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h +app_rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +app_rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +app_rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h +app_rand.o: app_rand.c apps.h apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h apps.o: ../include/openssl/engine.h ../include/openssl/err.h -apps.o: ../include/openssl/evp.h ../include/openssl/fips.h -apps.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -apps.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h -apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h -apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -apps.o: ../include/openssl/x509v3.h apps.c apps.h +apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h +apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h +apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h +apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +apps.o: ../include/openssl/sha.h ../include/openssl/stack.h +apps.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +apps.o: ../include/openssl/ui.h ../include/openssl/x509.h +apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h -asn1pars.o: ../include/openssl/fips.h ../include/openssl/lhash.h -asn1pars.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -asn1pars.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h -asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h -asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -asn1pars.o: ../include/openssl/x509v3.h apps.h asn1pars.c +asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +asn1pars.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +asn1pars.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +asn1pars.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +asn1pars.o: ../include/openssl/safestack.h ../include/openssl/sha.h +asn1pars.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +asn1pars.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +asn1pars.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +asn1pars.o: asn1pars.c ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ca.o: ../include/openssl/engine.h ../include/openssl/err.h -ca.o: ../include/openssl/evp.h ../include/openssl/fips.h -ca.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ca.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c +ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ca.o: ../include/openssl/sha.h ../include/openssl/stack.h +ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ca.o: ../include/openssl/x509v3.h apps.h ca.c ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h -ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h -ciphers.o: ../include/openssl/evp.h ../include/openssl/fips.h +ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h +ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +ciphers.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ciphers.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h ciphers.o: ../include/openssl/hmac.h ../include/openssl/kssl.h ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ciphers.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c +ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +ciphers.o: ciphers.c cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -cms.o: ../include/openssl/buffer.h ../include/openssl/conf.h -cms.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -cms.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -cms.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -cms.o: ../include/openssl/evp.h ../include/openssl/fips.h -cms.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -cms.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -cms.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -cms.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -cms.o: ../include/openssl/safestack.h ../include/openssl/sha.h -cms.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -cms.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -cms.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h cms.c +cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h +cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h +cms.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +cms.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +cms.o: ../include/openssl/engine.h ../include/openssl/err.h +cms.o: ../include/openssl/evp.h ../include/openssl/lhash.h +cms.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +cms.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +cms.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +cms.o: ../include/openssl/pem.h ../include/openssl/pem2.h +cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +cms.o: ../include/openssl/sha.h ../include/openssl/stack.h +cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +cms.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +cms.o: ../include/openssl/x509v3.h apps.h cms.c crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h crl.o: ../include/openssl/err.h ../include/openssl/evp.h -crl.o: ../include/openssl/fips.h ../include/openssl/lhash.h -crl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -crl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -crl.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -crl.o: ../include/openssl/sha.h ../include/openssl/stack.h -crl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -crl.o: ../include/openssl/x509v3.h apps.h crl.c +crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +crl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +crl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +crl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +crl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +crl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +crl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h -crl2p7.o: ../include/openssl/fips.h ../include/openssl/lhash.h -crl2p7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -crl2p7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h -crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h -crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -crl2p7.o: ../include/openssl/x509v3.h apps.h crl2p7.c +crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +crl2p7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +crl2p7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +crl2p7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +crl2p7.o: ../include/openssl/safestack.h ../include/openssl/sha.h +crl2p7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +crl2p7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +crl2p7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +crl2p7.o: crl2p7.c dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h dgst.o: ../include/openssl/err.h ../include/openssl/evp.h -dgst.o: ../include/openssl/fips.h ../include/openssl/hmac.h -dgst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dgst.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dgst.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -dgst.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dgst.c +dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dgst.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h +dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h +dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +dgst.o: ../include/openssl/x509v3.h apps.h dgst.c dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -327,16 +322,15 @@ dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h dh.o: ../include/openssl/err.h ../include/openssl/evp.h -dh.o: ../include/openssl/fips.h ../include/openssl/lhash.h -dh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -dh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dh.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -dh.o: ../include/openssl/sha.h ../include/openssl/stack.h -dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dh.o: ../include/openssl/x509v3.h apps.h dh.c +dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +dh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +dh.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +dh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dh.c dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -344,16 +338,15 @@ dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h dsa.o: ../include/openssl/err.h ../include/openssl/evp.h -dsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h -dsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -dsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dsa.o: ../include/openssl/x509v3.h apps.h dsa.c +dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +dsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +dsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -361,15 +354,14 @@ dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h -dsaparam.o: ../include/openssl/evp.h ../include/openssl/fips.h -dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dsaparam.o: ../include/openssl/rand.h ../include/openssl/rsa.h -dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dsaparam.o: ../include/openssl/stack.h ../include/openssl/store.h +dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h +dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h +dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h @@ -380,40 +372,38 @@ ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h ec.o: ../include/openssl/err.h ../include/openssl/evp.h -ec.o: ../include/openssl/fips.h ../include/openssl/lhash.h -ec.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ec.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -ec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ec.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ec.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -ec.o: ../include/openssl/sha.h ../include/openssl/stack.h -ec.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -ec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ec.o: ../include/openssl/x509v3.h apps.h ec.c +ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +ec.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +ec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ec.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ec.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ec.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ec.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ec.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ec.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ec.c ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h -ecparam.o: ../include/openssl/evp.h ../include/openssl/fips.h -ecparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ecparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -ecparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ecparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ecparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ecparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ecparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ecparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ecparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -ecparam.o: ecparam.c +ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ecparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ecparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ecparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ecparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ecparam.o: ../include/openssl/sha.h ../include/openssl/stack.h +ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -enc.o: ../include/openssl/buffer.h ../include/openssl/conf.h -enc.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -enc.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -enc.o: ../include/openssl/err.h ../include/openssl/evp.h -enc.o: ../include/openssl/fips.h ../include/openssl/lhash.h +enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h +enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +enc.o: ../include/openssl/engine.h ../include/openssl/err.h +enc.o: ../include/openssl/evp.h ../include/openssl/lhash.h enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h @@ -424,49 +414,47 @@ enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h -engine.o: ../include/openssl/comp.h ../include/openssl/conf.h -engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -engine.o: ../include/openssl/engine.h ../include/openssl/err.h -engine.o: ../include/openssl/evp.h ../include/openssl/fips.h +engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h +engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h +engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +engine.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +engine.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +engine.o: ../include/openssl/err.h ../include/openssl/evp.h engine.o: ../include/openssl/hmac.h ../include/openssl/kssl.h engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -engine.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h -engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -engine.o: ../include/openssl/x509v3.h apps.h engine.c +engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h +engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +engine.o: engine.c errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h -errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -errstr.o: ../include/openssl/engine.h ../include/openssl/err.h -errstr.o: ../include/openssl/evp.h ../include/openssl/fips.h +errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h +errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h +errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +errstr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +errstr.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +errstr.o: ../include/openssl/err.h ../include/openssl/evp.h errstr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -errstr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -errstr.o: ../include/openssl/x509v3.h apps.h errstr.c +errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +errstr.o: errstr.c gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -474,15 +462,14 @@ gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h gendh.o: ../include/openssl/engine.h ../include/openssl/err.h -gendh.o: ../include/openssl/evp.h ../include/openssl/fips.h -gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -gendh.o: ../include/openssl/rand.h ../include/openssl/rsa.h -gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h -gendh.o: ../include/openssl/stack.h ../include/openssl/store.h +gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h +gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h +gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h @@ -494,16 +481,32 @@ gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h -gendsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h -gendsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -gendsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h -gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -gendsa.o: ../include/openssl/x509v3.h apps.h gendsa.c +gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +gendsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +gendsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +gendsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +gendsa.o: gendsa.c +genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +genpkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +genpkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +genpkey.o: ../include/openssl/err.h ../include/openssl/evp.h +genpkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +genpkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +genpkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +genpkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +genpkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +genpkey.o: genpkey.c genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -511,15 +514,14 @@ genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h -genrsa.o: ../include/openssl/evp.h ../include/openssl/fips.h -genrsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -genrsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -genrsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -genrsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -genrsa.o: ../include/openssl/rand.h ../include/openssl/rsa.h -genrsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h -genrsa.o: ../include/openssl/stack.h ../include/openssl/store.h +genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h +genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +genrsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h +genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h @@ -530,16 +532,15 @@ nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h nseq.o: ../include/openssl/err.h ../include/openssl/evp.h -nseq.o: ../include/openssl/fips.h ../include/openssl/lhash.h -nseq.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -nseq.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h -nseq.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h -nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -nseq.o: ../include/openssl/x509v3.h apps.h nseq.c +nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +nseq.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +nseq.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +nseq.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +nseq.o: ../include/openssl/safestack.h ../include/openssl/sha.h +nseq.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +nseq.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +nseq.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h nseq.c ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -547,14 +548,13 @@ ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h -ocsp.o: ../include/openssl/evp.h ../include/openssl/fips.h -ocsp.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ocsp.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h +ocsp.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h @@ -563,27 +563,26 @@ ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h -openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h -openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -openssl.o: ../include/openssl/engine.h ../include/openssl/err.h -openssl.o: ../include/openssl/evp.h ../include/openssl/fips.h +openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h +openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h +openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +openssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +openssl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +openssl.o: ../include/openssl/err.h ../include/openssl/evp.h openssl.o: ../include/openssl/hmac.h ../include/openssl/kssl.h openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -openssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h +openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h +openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +openssl.o: openssl.c progs.h s_apps.h passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h @@ -591,97 +590,142 @@ passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h passwd.o: ../include/openssl/err.h ../include/openssl/evp.h -passwd.o: ../include/openssl/fips.h ../include/openssl/lhash.h -passwd.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -passwd.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -passwd.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -passwd.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h -passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h -passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h -passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -passwd.o: ../include/openssl/x509v3.h apps.h passwd.c +passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h +passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +passwd.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h +passwd.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +passwd.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +passwd.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +passwd.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +passwd.o: passwd.c pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h pkcs12.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs12.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs12.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -pkcs12.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h -pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -pkcs12.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkcs12.o: pkcs12.c +pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs12.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs12.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h +pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +pkcs12.o: ../include/openssl/sha.h ../include/openssl/stack.h +pkcs12.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs7.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -pkcs7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h -pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -pkcs7.o: ../include/openssl/x509v3.h apps.h pkcs7.c +pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkcs7.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkcs7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkcs7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkcs7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkcs7.o: pkcs7.c pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h -pkcs8.o: ../include/openssl/fips.h ../include/openssl/lhash.h -pkcs8.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -pkcs8.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h -pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h -pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -pkcs8.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkcs8.o: pkcs8.c +pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkcs8.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkcs8.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h +pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h +pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c +pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkey.o: ../include/openssl/err.h ../include/openssl/evp.h +pkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c +pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyparam.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyparam.o: pkeyparam.c +pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h +pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pkeyutl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +pkeyutl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +pkeyutl.o: ../include/openssl/err.h ../include/openssl/evp.h +pkeyutl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +pkeyutl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +pkeyutl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +pkeyutl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +pkeyutl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +pkeyutl.o: pkeyutl.c prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h prime.o: ../include/openssl/engine.h ../include/openssl/evp.h -prime.o: ../include/openssl/fips.h ../include/openssl/lhash.h -prime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -prime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -prime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -prime.o: ../include/openssl/sha.h ../include/openssl/stack.h -prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -prime.o: ../include/openssl/x509v3.h apps.h prime.c +prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +prime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +prime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +prime.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h +prime.o: ../include/openssl/safestack.h ../include/openssl/sha.h +prime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +prime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +prime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +prime.o: prime.c rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h rand.o: ../include/openssl/err.h ../include/openssl/evp.h -rand.o: ../include/openssl/fips.h ../include/openssl/lhash.h -rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h -rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rand.c +rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h +rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h +rand.o: ../include/openssl/sha.h ../include/openssl/stack.h +rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +rand.o: ../include/openssl/x509v3.h apps.h rand.c req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h req.o: ../include/openssl/bn.h ../include/openssl/buffer.h req.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -689,15 +733,14 @@ req.o: ../include/openssl/dh.h ../include/openssl/dsa.h req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h req.o: ../include/openssl/engine.h ../include/openssl/err.h -req.o: ../include/openssl/evp.h ../include/openssl/fips.h -req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -req.o: ../include/openssl/rand.h ../include/openssl/rsa.h -req.o: ../include/openssl/safestack.h ../include/openssl/sha.h -req.o: ../include/openssl/stack.h ../include/openssl/store.h +req.o: ../include/openssl/evp.h ../include/openssl/lhash.h +req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +req.o: ../include/openssl/pem.h ../include/openssl/pem2.h +req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +req.o: ../include/openssl/sha.h ../include/openssl/stack.h req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h req.o: ../include/openssl/ui.h ../include/openssl/x509.h req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c @@ -707,49 +750,46 @@ rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h rsa.o: ../include/openssl/engine.h ../include/openssl/err.h -rsa.o: ../include/openssl/evp.h ../include/openssl/fips.h -rsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -rsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h -rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rsa.o: ../include/openssl/x509v3.h apps.h rsa.c +rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h +rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +rsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h +rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +rsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rsa.c rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h -rsautl.o: ../include/openssl/fips.h ../include/openssl/lhash.h -rsautl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -rsautl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -rsautl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -rsautl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -rsautl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -rsautl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -rsautl.o: rsautl.c +rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +rsautl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rsautl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h +rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h -s_cb.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h s_cb.o: ../include/openssl/hmac.h ../include/openssl/kssl.h s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h @@ -764,14 +804,13 @@ s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h s_client.o: ../include/openssl/engine.h ../include/openssl/err.h -s_client.o: ../include/openssl/evp.h ../include/openssl/fips.h -s_client.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s_client.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s_client.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_client.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_client.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h @@ -788,37 +827,35 @@ s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h s_server.o: ../include/openssl/engine.h ../include/openssl/err.h -s_server.o: ../include/openssl/evp.h ../include/openssl/fips.h -s_server.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_server.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_server.o: ../include/openssl/stack.h ../include/openssl/store.h -s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h -s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h +s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_server.o: s_apps.h s_server.c timeouts.h +s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h +s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h -s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h +s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h @@ -828,88 +865,87 @@ s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h s_socket.o: s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h -s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s_time.o: ../include/openssl/engine.h ../include/openssl/err.h -s_time.o: ../include/openssl/evp.h ../include/openssl/fips.h +s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h +s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s_time.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s_time.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +s_time.o: ../include/openssl/err.h ../include/openssl/evp.h s_time.o: ../include/openssl/hmac.h ../include/openssl/kssl.h s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_time.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c +s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_time.o: s_apps.h s_time.c sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h -sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h -sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h -sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h -sess_id.o: ../include/openssl/evp.h ../include/openssl/fips.h +sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h +sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h +sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +sess_id.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +sess_id.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h sess_id.o: ../include/openssl/hmac.h ../include/openssl/kssl.h sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -sess_id.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h -sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h -sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c +sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h +sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h +sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +sess_id.o: sess_id.c smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h smime.o: ../include/openssl/err.h ../include/openssl/evp.h -smime.o: ../include/openssl/fips.h ../include/openssl/lhash.h -smime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -smime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h -smime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -smime.o: ../include/openssl/sha.h ../include/openssl/stack.h -smime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -smime.o: ../include/openssl/x509v3.h apps.h smime.c +smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +smime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +smime.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +smime.o: ../include/openssl/safestack.h ../include/openssl/sha.h +smime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +smime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +smime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +smime.o: smime.c speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h -speed.o: ../include/openssl/cast.h ../include/openssl/conf.h -speed.o: ../include/openssl/crypto.h ../include/openssl/des.h -speed.o: ../include/openssl/des_old.h ../include/openssl/dsa.h -speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -speed.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -speed.o: ../include/openssl/engine.h ../include/openssl/err.h -speed.o: ../include/openssl/evp.h ../include/openssl/fips.h +speed.o: ../include/openssl/camellia.h ../include/openssl/cast.h +speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h +speed.o: ../include/openssl/des.h ../include/openssl/des_old.h +speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +speed.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +speed.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +speed.o: ../include/openssl/err.h ../include/openssl/evp.h speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h -speed.o: ../include/openssl/lhash.h ../include/openssl/md2.h -speed.o: ../include/openssl/md4.h ../include/openssl/md5.h +speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h +speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h speed.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h -speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +speed.o: ../include/openssl/safestack.h ../include/openssl/seed.h +speed.o: ../include/openssl/sha.h ../include/openssl/stack.h +speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +speed.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h speed.o: speed.c testdsa.h testrsa.h spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h @@ -918,32 +954,50 @@ spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h spkac.o: ../include/openssl/err.h ../include/openssl/evp.h -spkac.o: ../include/openssl/fips.h ../include/openssl/lhash.h -spkac.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -spkac.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h -spkac.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h -spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -spkac.o: ../include/openssl/x509v3.h apps.h spkac.c +spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +spkac.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +spkac.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +spkac.o: ../include/openssl/safestack.h ../include/openssl/sha.h +spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +spkac.o: spkac.c +ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ts.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ts.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +ts.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ts.o: ../include/openssl/engine.h ../include/openssl/err.h +ts.o: ../include/openssl/evp.h ../include/openssl/lhash.h +ts.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ts.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +ts.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ts.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ts.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ts.o: ../include/openssl/sha.h ../include/openssl/stack.h +ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h +ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ts.c verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h verify.o: ../include/openssl/err.h ../include/openssl/evp.h -verify.o: ../include/openssl/fips.h ../include/openssl/lhash.h -verify.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -verify.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h -verify.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h -verify.o: ../include/openssl/sha.h ../include/openssl/stack.h -verify.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -verify.o: ../include/openssl/x509v3.h apps.h verify.c +verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +verify.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +verify.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +verify.o: ../include/openssl/safestack.h ../include/openssl/sha.h +verify.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +verify.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +verify.o: verify.c version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h version.o: ../include/openssl/buffer.h ../include/openssl/conf.h @@ -951,9 +1005,8 @@ version.o: ../include/openssl/crypto.h ../include/openssl/des.h version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -version.o: ../include/openssl/evp.h ../include/openssl/fips.h -version.o: ../include/openssl/idea.h ../include/openssl/lhash.h -version.o: ../include/openssl/md2.h ../include/openssl/obj_mac.h +version.o: ../include/openssl/evp.h ../include/openssl/idea.h +version.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h version.o: ../include/openssl/objects.h ../include/openssl/ocsp.h version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h @@ -970,13 +1023,13 @@ x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h x509.o: ../include/openssl/err.h ../include/openssl/evp.h -x509.o: ../include/openssl/fips.h ../include/openssl/lhash.h -x509.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -x509.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h -x509.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -x509.o: ../include/openssl/safestack.h ../include/openssl/sha.h -x509.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -x509.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -x509.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h x509.c +x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +x509.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +x509.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +x509.o: ../include/openssl/sha.h ../include/openssl/stack.h +x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +x509.o: ../include/openssl/x509v3.h apps.h x509.c diff --git a/openssl/apps/apps.c b/openssl/apps/apps.c index 498722a5a..5dccea70d 100644 --- a/openssl/apps/apps.c +++ b/openssl/apps/apps.c @@ -109,12 +109,21 @@ * */ +#ifndef _POSIX_C_SOURCE +#define _POSIX_C_SOURCE 2 /* On VMS, you need to define this to get + the declaration of fileno(). The value + 2 is to make sure no function defined + in POSIX-2 is left undefined. */ +#endif #include <stdio.h> #include <stdlib.h> #include <string.h> +#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB) +#include <strings.h> +#endif #include <sys/types.h> -#include <sys/stat.h> #include <ctype.h> +#include <errno.h> #include <assert.h> #include <openssl/err.h> #include <openssl/x509.h> @@ -138,6 +147,11 @@ #include "apps.h" #undef NON_MAIN +#ifdef _WIN32 +static int WIN32_rename(const char *from, const char *to); +#define rename(from,to) WIN32_rename((from),(to)) +#endif + typedef struct { const char *name; unsigned long flag; @@ -166,18 +180,23 @@ int args_from_file(char *file, int *argc, char **argv[]) static char *buf=NULL; static char **arg=NULL; char *p; - struct stat stbuf; - - if (stat(file,&stbuf) < 0) return(0); fp=fopen(file,"r"); if (fp == NULL) return(0); + if (fseek(fp,0,SEEK_END)==0) + len=ftell(fp), rewind(fp); + else len=-1; + if (len<=0) + { + fclose(fp); + return(0); + } + *argc=0; *argv=NULL; - len=(unsigned int)stbuf.st_size; if (buf != NULL) OPENSSL_free(buf); buf=(char *)OPENSSL_malloc(len+1); if (buf == NULL) return(0); @@ -242,18 +261,25 @@ int str2fmt(char *s) return(FORMAT_ASN1); else if ((*s == 'T') || (*s == 't')) return(FORMAT_TEXT); - else if ((*s == 'P') || (*s == 'p')) - return(FORMAT_PEM); - else if ((*s == 'N') || (*s == 'n')) - return(FORMAT_NETSCAPE); - else if ((*s == 'S') || (*s == 's')) - return(FORMAT_SMIME); + else if ((*s == 'N') || (*s == 'n')) + return(FORMAT_NETSCAPE); + else if ((*s == 'S') || (*s == 's')) + return(FORMAT_SMIME); + else if ((*s == 'M') || (*s == 'm')) + return(FORMAT_MSBLOB); else if ((*s == '1') || (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0) || (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0)) return(FORMAT_PKCS12); else if ((*s == 'E') || (*s == 'e')) return(FORMAT_ENGINE); + else if ((*s == 'P') || (*s == 'p')) + { + if (s[1] == 'V' || s[1] == 'v') + return FORMAT_PVK; + else + return(FORMAT_PEM); + } else return(FORMAT_UNDEF); } @@ -639,6 +665,15 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) BIO_printf(err, "Can't open file %s\n", arg + 5); return NULL; } +#if !defined(_WIN32) + /* + * Under _WIN32, which covers even Win64 and CE, file + * descriptors referenced by BIO_s_fd are not inherited + * by child process and therefore below is not an option. + * It could have been an option if bss_fd.c was operating + * on real Windows descriptors, such as those obtained + * with CreateFile. + */ } else if(!strncmp(arg, "fd:", 3)) { BIO *btmp; i = atoi(arg + 3); @@ -650,6 +685,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) /* Can't do BIO_gets on an fd BIO so add a buffering BIO */ btmp = BIO_new(BIO_f_buffer()); pwdbio = BIO_push(btmp, pwdbio); +#endif } else if(!strcmp(arg, "stdin")) { pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE); if(!pwdbio) { @@ -749,8 +785,6 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) { - ASN1_HEADER *ah=NULL; - BUF_MEM *buf=NULL; X509 *x=NULL; BIO *cert; @@ -762,7 +796,9 @@ X509 *load_cert(BIO *err, const char *file, int format, if (file == NULL) { +#ifdef _IONBF setvbuf(stdin, NULL, _IONBF, 0); +#endif BIO_set_fp(cert,stdin,BIO_NOCLOSE); } else @@ -780,46 +816,21 @@ X509 *load_cert(BIO *err, const char *file, int format, x=d2i_X509_bio(cert,NULL); else if (format == FORMAT_NETSCAPE) { - const unsigned char *p,*op; - int size=0,i; - - /* We sort of have to do it this way because it is sort of nice - * to read the header first and check it, then - * try to read the certificate */ - buf=BUF_MEM_new(); - for (;;) - { - if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10))) - goto end; - i=BIO_read(cert,&(buf->data[size]),1024*10); - size+=i; - if (i == 0) break; - if (i < 0) - { - perror("reading certificate"); + NETSCAPE_X509 *nx; + nx=ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),cert,NULL); + if (nx == NULL) goto end; - } - } - p=(unsigned char *)buf->data; - op=p; - /* First load the header */ - if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL) - goto end; - if ((ah->header == NULL) || (ah->header->data == NULL) || - (strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data, - ah->header->length) != 0)) + if ((strncmp(NETSCAPE_CERT_HDR,(char *)nx->header->data, + nx->header->length) != 0)) { + NETSCAPE_X509_free(nx); BIO_printf(err,"Error reading header on certificate\n"); goto end; } - /* header is ok, so now read the object */ - p=op; - ah->meth=X509_asn1_meth(); - if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL) - goto end; - x=(X509 *)ah->data; - ah->data=NULL; + x=nx->cert; + nx->cert = NULL; + NETSCAPE_X509_free(nx); } else if (format == FORMAT_PEM) x=PEM_read_bio_X509_AUX(cert,NULL, @@ -841,9 +852,7 @@ end: BIO_printf(err,"unable to load certificate\n"); ERR_print_errors(err); } - if (ah != NULL) ASN1_HEADER_free(ah); if (cert != NULL) BIO_free(cert); - if (buf != NULL) BUF_MEM_free(buf); return(x); } @@ -881,7 +890,9 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, } if (file == NULL && maybe_stdin) { +#ifdef _IONBF setvbuf(stdin, NULL, _IONBF, 0); +#endif BIO_set_fp(key,stdin,BIO_NOCLOSE); } else @@ -912,6 +923,13 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, &pkey, NULL, NULL)) goto end; } +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PrivateKey_bio(key); + else if (format == FORMAT_PVK) + pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback, + &cb_data); +#endif else { BIO_printf(err,"bad input format specified for key file\n"); @@ -958,7 +976,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, } if (file == NULL && maybe_stdin) { +#ifdef _IONBF setvbuf(stdin, NULL, _IONBF, 0); +#endif BIO_set_fp(key,stdin,BIO_NOCLOSE); } else @@ -973,6 +993,37 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, { pkey=d2i_PUBKEY_bio(key, NULL); } +#ifndef OPENSSL_NO_RSA + else if (format == FORMAT_ASN1RSA) + { + RSA *rsa; + rsa = d2i_RSAPublicKey_bio(key, NULL); + if (rsa) + { + pkey = EVP_PKEY_new(); + if (pkey) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + else + pkey = NULL; + } + else if (format == FORMAT_PEMRSA) + { + RSA *rsa; + rsa = PEM_read_bio_RSAPublicKey(key, NULL, + (pem_password_cb *)password_callback, &cb_data); + if (rsa) + { + pkey = EVP_PKEY_new(); + if (pkey) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + else + pkey = NULL; + } +#endif else if (format == FORMAT_PEM) { pkey=PEM_read_bio_PUBKEY(key,NULL, @@ -982,6 +1033,10 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) pkey = load_netscape_key(err, key, file, key_descrip, format); #endif +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PublicKey_bio(key); +#endif else { BIO_printf(err,"bad input format specified for key file\n"); @@ -1040,76 +1095,120 @@ error: } #endif /* ndef OPENSSL_NO_RC4 */ -STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, - const char *pass, ENGINE *e, const char *cert_descrip) +static int load_certs_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc, + STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls) { - BIO *certs; int i; - STACK_OF(X509) *othercerts = NULL; - STACK_OF(X509_INFO) *allcerts = NULL; + BIO *bio; + STACK_OF(X509_INFO) *xis = NULL; X509_INFO *xi; PW_CB_DATA cb_data; + int rv = 0; cb_data.password = pass; cb_data.prompt_info = file; - if((certs = BIO_new(BIO_s_file())) == NULL) + if (format != FORMAT_PEM) { - ERR_print_errors(err); - goto end; + BIO_printf(err,"bad input format specified for %s\n", desc); + return 0; } if (file == NULL) - BIO_set_fp(certs,stdin,BIO_NOCLOSE); + bio = BIO_new_fp(stdin,BIO_NOCLOSE); else + bio = BIO_new_file(file, "r"); + + if (bio == NULL) { - if (BIO_read_filename(certs,file) <= 0) - { - BIO_printf(err, "Error opening %s %s\n", - cert_descrip, file); - ERR_print_errors(err); + BIO_printf(err, "Error opening %s %s\n", + desc, file ? file : "stdin"); + ERR_print_errors(err); + return 0; + } + + xis = PEM_X509_INFO_read_bio(bio, NULL, + (pem_password_cb *)password_callback, &cb_data); + + BIO_free(bio); + + if (pcerts) + { + *pcerts = sk_X509_new_null(); + if (!*pcerts) goto end; - } } - if (format == FORMAT_PEM) + if (pcrls) { - othercerts = sk_X509_new_null(); - if(!othercerts) - { - sk_X509_free(othercerts); - othercerts = NULL; + *pcrls = sk_X509_CRL_new_null(); + if (!*pcrls) goto end; + } + + for(i = 0; i < sk_X509_INFO_num(xis); i++) + { + xi = sk_X509_INFO_value (xis, i); + if (xi->x509 && pcerts) + { + if (!sk_X509_push(*pcerts, xi->x509)) + goto end; + xi->x509 = NULL; } - allcerts = PEM_X509_INFO_read_bio(certs, NULL, - (pem_password_cb *)password_callback, &cb_data); - for(i = 0; i < sk_X509_INFO_num(allcerts); i++) + if (xi->crl && pcrls) { - xi = sk_X509_INFO_value (allcerts, i); - if (xi->x509) - { - sk_X509_push(othercerts, xi->x509); - xi->x509 = NULL; - } + if (!sk_X509_CRL_push(*pcrls, xi->crl)) + goto end; + xi->crl = NULL; } - goto end; } - else { - BIO_printf(err,"bad input format specified for %s\n", - cert_descrip); - goto end; - } -end: - if (othercerts == NULL) + + if (pcerts && sk_X509_num(*pcerts) > 0) + rv = 1; + + if (pcrls && sk_X509_CRL_num(*pcrls) > 0) + rv = 1; + + end: + + if (xis) + sk_X509_INFO_pop_free(xis, X509_INFO_free); + + if (rv == 0) { - BIO_printf(err,"unable to load certificates\n"); + if (pcerts) + { + sk_X509_pop_free(*pcerts, X509_free); + *pcerts = NULL; + } + if (pcrls) + { + sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); + *pcrls = NULL; + } + BIO_printf(err,"unable to load %s\n", + pcerts ? "certificates" : "CRLs"); ERR_print_errors(err); } - if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free); - if (certs != NULL) BIO_free(certs); - return(othercerts); + return rv; } +STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc) + { + STACK_OF(X509) *certs; + load_certs_crls(err, file, format, pass, e, desc, &certs, NULL); + return certs; + } + +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *desc) + { + STACK_OF(X509_CRL) *crls; + load_certs_crls(err, file, format, pass, e, desc, NULL, &crls); + return crls; + } #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ @@ -1396,6 +1495,10 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) int load_config(BIO *err, CONF *cnf) { + static int load_config_called = 0; + if (load_config_called) + return 1; + load_config_called = 1; if (!cnf) cnf = config; if (!cnf) @@ -1429,7 +1532,7 @@ char *make_config_name() return p; } -static unsigned long index_serial_hash(const char **a) +static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) { const char *n; @@ -1438,7 +1541,7 @@ static unsigned long index_serial_hash(const char **a) return(lh_strhash(n)); } -static int index_serial_cmp(const char **a, const char **b) +static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) { const char *aa,*bb; @@ -1450,17 +1553,16 @@ static int index_serial_cmp(const char **a, const char **b) static int index_name_qual(char **a) { return(a[0][0] == 'V'); } -static unsigned long index_name_hash(const char **a) +static unsigned long index_name_hash(const OPENSSL_CSTRING *a) { return(lh_strhash(a[DB_name])); } -int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) + { return(strcmp(a[DB_name], b[DB_name])); } -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) #undef BSIZE #define BSIZE 256 @@ -1588,7 +1690,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) { char buf[5][BSIZE]; int i,j; - struct stat sb; i = strlen(serialfile) + strlen(old_suffix); j = strlen(serialfile) + strlen(new_suffix); @@ -1613,30 +1714,21 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix); #endif - if (stat(serialfile,&sb) < 0) - { - if (errno != ENOENT +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + serialfile, buf[1]); +#endif + if (rename(serialfile,buf[1]) < 0 && errno != ENOENT #ifdef ENOTDIR && errno != ENOTDIR #endif - ) - goto err; - } - else - { -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - serialfile, buf[1]); -#endif - if (rename(serialfile,buf[1]) < 0) - { + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", serialfile, buf[1]); perror("reason"); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0],serialfile); @@ -1703,10 +1795,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) goto err; } if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) - { - if (tmpdb != NULL) TXT_DB_free(tmpdb); goto err; - } #ifndef OPENSSL_SYS_VMS BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); @@ -1767,8 +1856,8 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) int index_index(CA_DB *db) { if (!TXT_DB_create_index(db->db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) + LHASH_HASH_FN(index_serial), + LHASH_COMP_FN(index_serial))) { BIO_printf(bio_err, "error creating serial number index:(%ld,%ld,%ld)\n", @@ -1778,8 +1867,8 @@ int index_index(CA_DB *db) if (db->attributes.unique_subject && !TXT_DB_create_index(db->db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) + LHASH_HASH_FN(index_name), + LHASH_COMP_FN(index_name))) { BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", db->db->error,db->db->arg1,db->db->arg2); @@ -1859,7 +1948,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf { char buf[5][BSIZE]; int i,j; - struct stat sb; i = strlen(dbfile) + strlen(old_suffix); j = strlen(dbfile) + strlen(new_suffix); @@ -1903,30 +1991,21 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix); #endif - if (stat(dbfile,&sb) < 0) - { - if (errno != ENOENT -#ifdef ENOTDIR - && errno != ENOTDIR -#endif - ) - goto err; - } - else - { #ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - dbfile, buf[1]); + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); #endif - if (rename(dbfile,buf[1]) < 0) - { + if (rename(dbfile,buf[1]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]); perror("reason"); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0],dbfile); @@ -1940,23 +2019,15 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf rename(buf[1],dbfile); goto err; } - if (stat(buf[4],&sb) < 0) - { - if (errno != ENOENT -#ifdef ENOTDIR - && errno != ENOTDIR -#endif - ) - goto err; - } - else - { #ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - buf[4],buf[3]); + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); #endif - if (rename(buf[4],buf[3]) < 0) - { + if (rename(buf[4],buf[3]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]); @@ -1965,7 +2036,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf rename(buf[1],dbfile); goto err; } - } #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2],buf[4]); @@ -2160,52 +2230,13 @@ error: return NULL; } -/* This code MUST COME AFTER anything that uses rename() */ -#ifdef OPENSSL_SYS_WIN32 -int WIN32_rename(const char *from, const char *to) - { -#ifndef OPENSSL_SYS_WINCE - /* Windows rename gives an error if 'to' exists, so delete it - * first and ignore file not found errror - */ - if((remove(to) != 0) && (errno != ENOENT)) - return -1; -#undef rename - return rename(from, to); -#else - /* convert strings to UNICODE */ - { - BOOL result = FALSE; - WCHAR* wfrom; - WCHAR* wto; - int i; - wfrom = malloc((strlen(from)+1)*2); - wto = malloc((strlen(to)+1)*2); - if (wfrom != NULL && wto != NULL) - { - for (i=0; i<(int)strlen(from)+1; i++) - wfrom[i] = (short)from[i]; - for (i=0; i<(int)strlen(to)+1; i++) - wto[i] = (short)to[i]; - result = MoveFile(wfrom, wto); - } - if (wfrom != NULL) - free(wfrom); - if (wto != NULL) - free(wto); - return result; - } -#endif - } -#endif - int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm) { ASN1_OBJECT *otmp = NULL; unsigned long flags = 0; int i; - int purpose = 0; + int purpose = 0, depth = -1; char **oldargs = *pargs; char *arg = **pargs, *argn = (*pargs)[1]; if (!strcmp(arg, "-policy")) @@ -2245,6 +2276,21 @@ int args_verify(char ***pargs, int *pargc, } (*pargs)++; } + else if (strcmp(arg,"-verify_depth") == 0) + { + if (!argn) + *badarg = 1; + else + { + depth = atoi(argn); + if(depth < 0) + { + BIO_printf(err, "invalid depth\n"); + *badarg = 1; + } + } + (*pargs)++; + } else if (!strcmp(arg, "-ignore_critical")) flags |= X509_V_FLAG_IGNORE_CRITICAL; else if (!strcmp(arg, "-issuer_checks")) @@ -2257,10 +2303,20 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_POLICY_CHECK; else if (!strcmp(arg, "-explicit_policy")) flags |= X509_V_FLAG_EXPLICIT_POLICY; + else if (!strcmp(arg, "-inhibit_any")) + flags |= X509_V_FLAG_INHIBIT_ANY; + else if (!strcmp(arg, "-inhibit_map")) + flags |= X509_V_FLAG_INHIBIT_MAP; else if (!strcmp(arg, "-x509_strict")) flags |= X509_V_FLAG_X509_STRICT; + else if (!strcmp(arg, "-extended_crl")) + flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT; + else if (!strcmp(arg, "-use_deltas")) + flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; @@ -2286,6 +2342,9 @@ int args_verify(char ***pargs, int *pargc, if (purpose) X509_VERIFY_PARAM_set_purpose(*pm, purpose); + if (depth >= 0) + X509_VERIFY_PARAM_set_depth(*pm, depth); + end: (*pargs)++; @@ -2297,6 +2356,61 @@ int args_verify(char ***pargs, int *pargc, } +/* Read whole contents of a BIO into an allocated memory buffer and + * return it. + */ + +int bio_to_mem(unsigned char **out, int maxlen, BIO *in) + { + BIO *mem; + int len, ret; + unsigned char tbuf[1024]; + mem = BIO_new(BIO_s_mem()); + if (!mem) + return -1; + for(;;) + { + if ((maxlen != -1) && maxlen < 1024) + len = maxlen; + else + len = 1024; + len = BIO_read(in, tbuf, len); + if (len <= 0) + break; + if (BIO_write(mem, tbuf, len) != len) + { + BIO_free(mem); + return -1; + } + maxlen -= len; + + if (maxlen == 0) + break; + } + ret = BIO_get_mem_data(mem, (char **)out); + BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY); + BIO_free(mem); + return ret; + } + +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) + { + int rv; + char *stmp, *vtmp = NULL; + stmp = BUF_strdup(value); + if (!stmp) + return -1; + vtmp = strchr(stmp, ':'); + if (vtmp) + { + *vtmp = 0; + vtmp++; + } + rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp); + OPENSSL_free(stmp); + return rv; + } + static void nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes) { @@ -2338,7 +2452,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) BIO_free(out); } -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) static JPAKE_CTX *jpake_init(const char *us, const char *them, const char *secret) @@ -2521,17 +2635,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret) jpake_send_step3a(bconn, ctx); jpake_receive_step3b(ctx, bconn); - /* - * The problem is that you must use the derived key in the - * session key or you are subject to man-in-the-middle - * attacks. - */ - BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" - " be MitMed. See the version in HEAD for how to do it" - " properly)\n"); + BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); BIO_free(bconn); + + JPAKE_CTX_free(ctx); } void jpake_server_auth(BIO *out, BIO *conn, const char *secret) @@ -2553,17 +2664,340 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) jpake_receive_step3a(ctx, bconn); jpake_send_step3b(bconn, ctx); - /* - * The problem is that you must use the derived key in the - * session key or you are subject to man-in-the-middle - * attacks. - */ - BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can" - " be MitMed. See the version in HEAD for how to do it" - " properly)\n"); + BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); BIO_free(bconn); + + JPAKE_CTX_free(ctx); + } + +#endif + +/* + * Platform-specific sections + */ +#if defined(_WIN32) +# ifdef fileno +# undef fileno +# define fileno(a) (int)_fileno(a) +# endif + +# include <windows.h> +# include <tchar.h> + +static int WIN32_rename(const char *from, const char *to) + { + TCHAR *tfrom=NULL,*tto; + DWORD err; + int ret=0; + + if (sizeof(TCHAR) == 1) + { + tfrom = (TCHAR *)from; + tto = (TCHAR *)to; + } + else /* UNICODE path */ + { + size_t i,flen=strlen(from)+1,tlen=strlen(to)+1; + tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen)); + if (tfrom==NULL) goto err; + tto=tfrom+flen; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen)) +#endif + for (i=0;i<flen;i++) tfrom[i]=(TCHAR)from[i]; +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,to, tlen,(WCHAR *)tto, tlen)) +#endif + for (i=0;i<tlen;i++) tto[i] =(TCHAR)to[i]; + } + + if (MoveFile(tfrom,tto)) goto ok; + err=GetLastError(); + if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS) + { + if (DeleteFile(tto) && MoveFile(tfrom,tto)) + goto ok; + err=GetLastError(); + } + if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND) + errno = ENOENT; + else if (err==ERROR_ACCESS_DENIED) + errno = EACCES; + else + errno = EINVAL; /* we could map more codes... */ +err: + ret=-1; +ok: + if (tfrom!=NULL && tfrom!=(TCHAR *)from) free(tfrom); + return ret; + } +#endif + +/* app_tminterval section */ +#if defined(_WIN32) +double app_tminterval(int stop,int usertime) + { + FILETIME now; + double ret=0; + static ULARGE_INTEGER tmstart; + static int warning=1; +#ifdef _WIN32_WINNT + static HANDLE proc=NULL; + + if (proc==NULL) + { + if (GetVersion() < 0x80000000) + proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE, + GetCurrentProcessId()); + if (proc==NULL) proc = (HANDLE)-1; + } + + if (usertime && proc!=(HANDLE)-1) + { + FILETIME junk; + GetProcessTimes(proc,&junk,&junk,&junk,&now); + } + else +#endif + { + SYSTEMTIME systime; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + GetSystemTime(&systime); + SystemTimeToFileTime(&systime,&now); + } + + if (stop==TM_START) + { + tmstart.u.LowPart = now.dwLowDateTime; + tmstart.u.HighPart = now.dwHighDateTime; + } + else { + ULARGE_INTEGER tmstop; + + tmstop.u.LowPart = now.dwLowDateTime; + tmstop.u.HighPart = now.dwHighDateTime; + + ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7; + } + + return (ret); } +#elif defined(OPENSSL_SYS_NETWARE) +#include <time.h> + +double app_tminterval(int stop,int usertime) + { + double ret=0; + static clock_t tmstart; + static int warning=1; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + + if (stop==TM_START) tmstart = clock(); + else ret = (clock()-tmstart)/(double)CLOCKS_PER_SEC; + + return (ret); + } + +#elif defined(OPENSSL_SYSTEM_VXWORKS) +#include <time.h> + +double app_tminterval(int stop,int usertime) + { + double ret=0; +#ifdef CLOCK_REALTIME + static struct timespec tmstart; + struct timespec now; +#else + static unsigned long tmstart; + unsigned long now; +#endif + static int warning=1; + + if (usertime && warning) + { + BIO_printf(bio_err,"To get meaningful results, run " + "this program on idle system.\n"); + warning=0; + } + +#ifdef CLOCK_REALTIME + clock_gettime(CLOCK_REALTIME,&now); + if (stop==TM_START) tmstart = now; + else ret = ( (now.tv_sec+now.tv_nsec*1e-9) + - (tmstart.tv_sec+tmstart.tv_nsec*1e-9) ); +#else + now = tickGet(); + if (stop==TM_START) tmstart = now; + else ret = (now - tmstart)/(double)sysClkRateGet(); +#endif + return (ret); + } + +#elif defined(OPENSSL_SYSTEM_VMS) +#include <time.h> +#include <times.h> + +double app_tminterval(int stop,int usertime) + { + static clock_t tmstart; + double ret = 0; + clock_t now; +#ifdef __TMS + struct tms rus; + + now = times(&rus); + if (usertime) now = rus.tms_utime; +#else + if (usertime) + now = clock(); /* sum of user and kernel times */ + else { + struct timeval tv; + gettimeofday(&tv,NULL); + now = (clock_t)( + (unsigned long long)tv.tv_sec*CLK_TCK + + (unsigned long long)tv.tv_usec*(1000000/CLK_TCK) + ); + } +#endif + if (stop==TM_START) tmstart = now; + else ret = (now - tmstart)/(double)(CLK_TCK); + + return (ret); + } + +#elif defined(_SC_CLK_TCK) /* by means of unistd.h */ +#include <sys/times.h> + +double app_tminterval(int stop,int usertime) + { + double ret = 0; + struct tms rus; + clock_t now = times(&rus); + static clock_t tmstart; + + if (usertime) now = rus.tms_utime; + + if (stop==TM_START) tmstart = now; + else + { + long int tck = sysconf(_SC_CLK_TCK); + ret = (now - tmstart)/(double)tck; + } + + return (ret); + } + +#else +#include <sys/time.h> +#include <sys/resource.h> + +double app_tminterval(int stop,int usertime) + { + double ret = 0; + struct rusage rus; + struct timeval now; + static struct timeval tmstart; + + if (usertime) getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime; + else gettimeofday(&now,NULL); + + if (stop==TM_START) tmstart = now; + else ret = ( (now.tv_sec+now.tv_usec*1e-6) + - (tmstart.tv_sec+tmstart.tv_usec*1e-6) ); + + return ret; + } +#endif + +/* app_isdir section */ +#ifdef _WIN32 +int app_isdir(const char *name) + { + HANDLE hList; + WIN32_FIND_DATA FileData; +#if defined(UNICODE) || defined(_UNICODE) + size_t i, len_0 = strlen(name)+1; + + if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0])) + return -1; + +#if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0)) +#endif + for (i=0;i<len_0;i++) + FileData.cFileName[i] = (WCHAR)name[i]; + + hList = FindFirstFile(FileData.cFileName,&FileData); +#else + hList = FindFirstFile(name,&FileData); +#endif + if (hList == INVALID_HANDLE_VALUE) return -1; + FindClose(hList); + return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0); + } +#else +#include <sys/stat.h> +#ifndef S_ISDIR +# if defined(_S_IFMT) && defined(_S_IFDIR) +# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) +# else +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# endif +#endif + +int app_isdir(const char *name) + { +#if defined(S_ISDIR) + struct stat st; + + if (stat(name,&st)==0) return S_ISDIR(st.st_mode); + else return -1; +#else + return -1; +#endif + } +#endif + +/* raw_read|write section */ +#if defined(_WIN32) && defined(STD_INPUT_HANDLE) +int raw_read_stdin(void *buf,int siz) + { + DWORD n; + if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL)) + return (n); + else return (-1); + } +#else +int raw_read_stdin(void *buf,int siz) + { return read(fileno(stdin),buf,siz); } +#endif + +#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE) +int raw_write_stdout(const void *buf,int siz) + { + DWORD n; + if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL)) + return (n); + else return (-1); + } +#else +int raw_write_stdout(const void *buf,int siz) + { return write(fileno(stdout),buf,siz); } #endif diff --git a/openssl/apps/apps.h b/openssl/apps/apps.h index 88579094b..596a39ace 100644 --- a/openssl/apps/apps.h +++ b/openssl/apps/apps.h @@ -137,11 +137,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read, * (see e_os.h). The string is * destroyed! */ -#ifdef OPENSSL_SYS_WIN32 -#define rename(from,to) WIN32_rename((from),(to)) -int WIN32_rename(const char *oldname,const char *newname); -#endif - #ifndef MONOLITH #define MAIN(a,v) main(a,v) @@ -149,11 +144,9 @@ int WIN32_rename(const char *oldname,const char *newname); #ifndef NON_MAIN CONF *config=NULL; BIO *bio_err=NULL; -int in_FIPS_mode=0; #else extern CONF *config; extern BIO *bio_err; -extern int in_FIPS_mode; #endif #else @@ -162,7 +155,6 @@ extern int in_FIPS_mode; extern CONF *config; extern char *default_config_file; extern BIO *bio_err; -extern int in_FIPS_mode; #endif @@ -176,61 +168,37 @@ extern int in_FIPS_mode; #define do_pipe_sig() #endif +#ifdef OPENSSL_NO_COMP +#define zlib_cleanup() +#else +#define zlib_cleanup() COMP_zlib_cleanup() +#endif + #if defined(MONOLITH) && !defined(OPENSSL_C) # define apps_startup() \ do_pipe_sig() # define apps_shutdown() #else # ifndef OPENSSL_NO_ENGINE -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -# else -# define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +# define apps_startup() \ + do { do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -# endif -# else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ - setup_ui_method(); } while(0) -# endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); ENGINE_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) + OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ + ERR_free_strings(); zlib_cleanup();} while(0) # else -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ +# define apps_startup() \ + do { do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ setup_ui_method(); } while(0) -# else -# define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - setup_ui_method(); } while(0) -# endif -# else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); \ - setup_ui_method(); } while(0) -# endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) + OBJ_cleanup(); EVP_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ + ERR_free_strings(); zlib_cleanup(); } while(0) # endif #endif @@ -240,6 +208,7 @@ extern int in_FIPS_mode; # define openssl_fdset(a,b) FD_SET(a, b) #endif + typedef struct args_st { char **data; @@ -282,6 +251,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); +STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, + const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); #ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); @@ -290,6 +261,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug); #ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, int req_timeout); #endif @@ -331,13 +303,23 @@ int index_index(CA_DB *db); int save_index(const char *dbfile, const char *suffix, CA_DB *db); int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix); void free_index(CA_DB *db); -int index_name_cmp(const char **a, const char **b); +#define index_name_cmp_noconst(a, b) \ + index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ + (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm); void policies_print(BIO *out, X509_STORE_CTX *ctx); +int bio_to_mem(unsigned char **out, int maxlen, BIO *in); +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); +int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, + const char *algname, ENGINE *e, int do_param); +#ifndef OPENSSL_NO_PSK +extern char *psk_key; +#endif #ifndef OPENSSL_NO_JPAKE void jpake_client_auth(BIO *out, BIO *conn, const char *secret); void jpake_server_auth(BIO *out, BIO *conn, const char *secret); @@ -353,6 +335,10 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #define FORMAT_ENGINE 7 #define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid * adding yet another param to load_*key() */ +#define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */ +#define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ +#define FORMAT_MSBLOB 11 /* MS Key blob format */ +#define FORMAT_PVK 12 /* MS PVK file format */ #define EXT_COPY_NONE 0 #define EXT_COPY_ADD 1 @@ -364,4 +350,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #define SERIAL_RAND_BITS 64 +int app_isdir(const char *); +int raw_read_stdin(void *,int); +int raw_write_stdout(const void *,int); + +#define TM_START 0 +#define TM_STOP 1 +double app_tminterval (int stop,int usertime); #endif diff --git a/openssl/apps/asn1pars.c b/openssl/apps/asn1pars.c index bde61d02d..b5d65e725 100644 --- a/openssl/apps/asn1pars.c +++ b/openssl/apps/asn1pars.c @@ -96,7 +96,7 @@ int MAIN(int argc, char **argv) unsigned char *tmpbuf; const unsigned char *ctmpbuf; BUF_MEM *buf=NULL; - STACK *osk=NULL; + STACK_OF(OPENSSL_STRING) *osk=NULL; ASN1_TYPE *at=NULL; informat=FORMAT_PEM; @@ -113,7 +113,7 @@ int MAIN(int argc, char **argv) prog=argv[0]; argc--; argv++; - if ((osk=sk_new_null()) == NULL) + if ((osk=sk_OPENSSL_STRING_new_null()) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto end; @@ -169,7 +169,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-strparse") == 0) { if (--argc < 1) goto bad; - sk_push(osk,*(++argv)); + sk_OPENSSL_STRING_push(osk,*(++argv)); } else if (strcmp(*argv,"-genstr") == 0) { @@ -302,18 +302,18 @@ bad: /* If any structs to parse go through in sequence */ - if (sk_num(osk)) + if (sk_OPENSSL_STRING_num(osk)) { tmpbuf=(unsigned char *)str; tmplen=num; - for (i=0; i<sk_num(osk); i++) + for (i=0; i<sk_OPENSSL_STRING_num(osk); i++) { ASN1_TYPE *atmp; int typ; - j=atoi(sk_value(osk,i)); + j=atoi(sk_OPENSSL_STRING_value(osk,i)); if (j == 0) { - BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i)); + BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i)); continue; } tmpbuf+=j; @@ -378,7 +378,7 @@ end: ERR_print_errors(bio_err); if (buf != NULL) BUF_MEM_free(buf); if (at != NULL) ASN1_TYPE_free(at); - if (osk != NULL) sk_free(osk); + if (osk != NULL) sk_OPENSSL_STRING_free(osk); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/openssl/apps/ca.c b/openssl/apps/ca.c index 68516ee9b..6b8b0ef8f 100644 --- a/openssl/apps/ca.c +++ b/openssl/apps/ca.c @@ -63,7 +63,6 @@ #include <string.h> #include <ctype.h> #include <sys/types.h> -#include <sys/stat.h> #include <openssl/conf.h> #include <openssl/bio.h> #include <openssl/err.h> @@ -83,7 +82,7 @@ # else # include <unixlib.h> # endif -# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) # include <sys/file.h> # endif #endif @@ -216,7 +215,6 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, @@ -227,7 +225,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); static int get_certificate_status(const char *ser_status, CA_DB *db); static int do_updatedb(CA_DB *db); -static int check_time_format(char *str); +static int check_time_format(const char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, const char *str); int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); @@ -259,6 +257,7 @@ int MAIN(int argc, char **argv) int doupdatedb=0; long crldays=0; long crlhours=0; + long crlsec=0; long errorline= -1; char *configfile=NULL; char *md=NULL; @@ -306,7 +305,8 @@ int MAIN(int argc, char **argv) ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char *f; - const char *p, **pp; + const char *p; + char * const *pp; int i,j; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; @@ -457,6 +457,11 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; crlhours= atol(*(++argv)); } + else if (strcmp(*argv,"-crlsec") == 0) + { + if (--argc < 1) goto bad; + crlsec = atol(*(++argv)); + } else if (strcmp(*argv,"-infiles") == 0) { argc--; @@ -550,8 +555,10 @@ bad: if (badops) { - for (pp=ca_usage; (*pp != NULL); pp++) - BIO_printf(bio_err,"%s",*pp); + const char **pp2; + + for (pp2=ca_usage; (*pp2 != NULL); pp2++) + BIO_printf(bio_err,"%s",*pp2); goto err; } @@ -826,7 +833,6 @@ bad: /* lookup where to write new certificates */ if ((outdir == NULL) && (req)) { - struct stat sb; if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR)) == NULL) @@ -845,28 +851,24 @@ bad: that to access(). However, time's too short to do that just now. */ +#ifndef _WIN32 if (access(outdir,R_OK|W_OK|X_OK) != 0) +#else + if (_access(outdir,R_OK|W_OK|X_OK) != 0) +#endif { BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); perror(outdir); goto err; } - if (stat(outdir,&sb) != 0) - { - BIO_printf(bio_err,"unable to stat(%s)\n",outdir); - perror(outdir); - goto err; - } -#ifdef S_IFDIR - if (!(sb.st_mode & S_IFDIR)) + if (app_isdir(outdir)<=0) { BIO_printf(bio_err,"%s need to be a directory\n",outdir); perror(outdir); goto err; } #endif -#endif } /*****************************************************************/ @@ -880,9 +882,9 @@ bad: if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; i<sk_num(db->db->data); i++) + for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp=(const char **)sk_value(db->db->data,i); + pp=sk_OPENSSL_PSTRING_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { @@ -935,7 +937,7 @@ bad: #endif TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->db->data->num); + sk_OPENSSL_PSTRING_num(db->db->data)); BIO_printf(bio_err,"generating index\n"); } @@ -1026,6 +1028,17 @@ bad: goto err; } + if (!strcmp(md, "default")) + { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) + { + BIO_puts(bio_err,"no default digest\n"); + goto err; + } + md = (char *)OBJ_nid2sn(def_nid); + } + if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); @@ -1095,9 +1108,9 @@ bad: if (startdate == NULL) ERR_clear_error(); } - if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) + if (startdate && !ASN1_TIME_set_string(NULL, startdate)) { - BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n"); + BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); goto err; } if (startdate == NULL) startdate="today"; @@ -1109,9 +1122,9 @@ bad: if (enddate == NULL) ERR_clear_error(); } - if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) + if (enddate && !ASN1_TIME_set_string(NULL, enddate)) { - BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n"); + BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); goto err; } @@ -1249,7 +1262,12 @@ bad: BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total); (void)BIO_flush(bio_err); buf[0][0]='\0'; - fgets(buf[0],10,stdin); + if (!fgets(buf[0],10,stdin)) + { + BIO_printf(bio_err,"CERTIFICATION CANCELED: I/O error\n"); + ret=0; + goto err; + } if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); @@ -1366,7 +1384,7 @@ bad: goto err; } - if (!crldays && !crlhours) + if (!crldays && !crlhours && !crlsec) { if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_DAYS, &crldays)) @@ -1375,7 +1393,7 @@ bad: ENV_DEFAULT_CRL_HOURS, &crlhours)) crlhours = 0; } - if ((crldays == 0) && (crlhours == 0)) + if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n"); goto err; @@ -1389,14 +1407,19 @@ bad: if (!tmptm) goto err; X509_gmtime_adj(tmptm,0); X509_CRL_set_lastUpdate(crl, tmptm); - X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); + if (!X509_time_adj_ex(tmptm, crldays, crlhours*60*60 + crlsec, + NULL)) + { + BIO_puts(bio_err, "error setting CRL nextUpdate\n"); + goto err; + } X509_CRL_set_nextUpdate(crl, tmptm); ASN1_TIME_free(tmptm); - for (i=0; i<sk_num(db->db->data); i++) + for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp=(const char **)sk_value(db->db->data,i); + pp=sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1422,15 +1445,6 @@ bad: /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - dgst=EVP_dss1(); - else -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - dgst=EVP_ecdsa(); -#endif /* Add any extensions asked for */ @@ -1463,6 +1477,12 @@ bad: if (crlnumberfile != NULL) /* we have a CRL number that need updating */ if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; + if (crlnumber) + { + BN_free(crlnumber); + crlnumber = NULL; + } + if (!X509_CRL_sign(crl,pkey,dgst)) goto err; PEM_write_bio_X509_CRL(Sout,crl); @@ -1515,6 +1535,7 @@ err: if (free_key && key) OPENSSL_free(key); BN_free(serial); + BN_free(crlnumber); free_index(db); EVP_PKEY_free(pkey); if (x509) X509_free(x509); @@ -1673,7 +1694,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int ok= -1,i,j,last,nid; const char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; + OPENSSL_STRING row[DB_NUMBER]; + OPENSSL_STRING *irow=NULL; + OPENSSL_STRING *rrow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); @@ -1915,7 +1938,9 @@ again2: if (db->attributes.unique_subject) { - rrow=TXT_DB_get_by_index(db->db,DB_name,row); + OPENSSL_STRING *crow=row; + + rrow=TXT_DB_get_by_index(db->db,DB_name,crow); if (rrow != NULL) { BIO_printf(bio_err, @@ -1991,11 +2016,11 @@ again2: if (strcmp(startdate,"today") == 0) X509_gmtime_adj(X509_get_notBefore(ret),0); - else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); + else ASN1_TIME_set_string(X509_get_notBefore(ret),startdate); if (enddate == NULL) - X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days); - else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); + X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL); + else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate); if (!X509_set_subject_name(ret,subject)) goto err; @@ -2091,7 +2116,7 @@ again2: } BIO_printf(bio_err,"Certificate is to be certified until "); - ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); + ASN1_TIME_print(bio_err,X509_get_notAfter(ret)); if (days) BIO_printf(bio_err," (%ld days)",days); BIO_printf(bio_err, "\n"); @@ -2101,7 +2126,12 @@ again2: BIO_printf(bio_err,"Sign the certificate? [y/n]:"); (void)BIO_flush(bio_err); buf[0]='\0'; - fgets(buf,sizeof(buf)-1,stdin); + if (!fgets(buf,sizeof(buf)-1,stdin)) + { + BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); + ok=0; + goto err; + } if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); @@ -2110,25 +2140,11 @@ again2: } } - -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - dgst = EVP_ecdsa(); - pktmp = X509_get_pubkey(ret); - if (EVP_PKEY_missing_parameters(pktmp) && - !EVP_PKEY_missing_parameters(pkey)) - EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); -#endif - if (!X509_sign(ret,pkey,dgst)) goto err; @@ -2230,7 +2246,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, unsigned long nameopt, int default_op, int ext_copy) { STACK_OF(CONF_VALUE) *sk=NULL; - LHASH *parms=NULL; + LHASH_OF(CONF_VALUE) *parms=NULL; X509_REQ *req=NULL; CONF_VALUE *cv=NULL; NETSCAPE_SPKI *spki = NULL; @@ -2317,25 +2333,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, continue; } - /* - if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) - continue; - */ - - j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); - if (fix_data(nid, &j) == 0) - { - BIO_printf(bio_err, - "invalid characters in string %s\n",buf); - goto err; - } - - if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, - (unsigned char *)buf, - strlen(buf))) == NULL) + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + (unsigned char *)buf, -1, -1, 0)) goto err; - - if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; } if (spki == NULL) { @@ -2378,29 +2378,9 @@ err: return(ok); } -static int fix_data(int nid, int *type) +static int check_time_format(const char *str) { - if (nid == NID_pkcs9_emailAddress) - *type=V_ASN1_IA5STRING; - if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) - *type=V_ASN1_T61STRING; - if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) - return(0); - if (nid == NID_pkcs9_unstructuredName) - *type=V_ASN1_IA5STRING; - return(1); - } - -static int check_time_format(char *str) - { - ASN1_UTCTIME tm; - - tm.data=(unsigned char *)str; - tm.length=strlen(str); - tm.type=V_ASN1_UTCTIME; - return(ASN1_UTCTIME_check(&tm)); + return ASN1_TIME_set_string(NULL, str); } static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) @@ -2415,6 +2395,8 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[i]=NULL; row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); + if (!bn) + goto err; if (BN_is_zero(bn)) row[DB_serial]=BUF_strdup("00"); else @@ -2484,7 +2466,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) goto err; } - else if (index_name_cmp((const char **)row,(const char **)rrow)) + else if (index_name_cmp_noconst(row, rrow)) { BIO_printf(bio_err,"ERROR:name does not match %s\n", row[DB_name]); @@ -2633,9 +2615,9 @@ static int do_updatedb (CA_DB *db) else a_y2k = 0; - for (i = 0; i < sk_num(db->db->data); i++) + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - rrow = (char **) sk_value(db->db->data, i); + rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { @@ -2882,22 +2864,13 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) p=(char *)str->data; for (j=str->length; j>0; j--) { -#ifdef CHARSET_EBCDIC - if ((*p >= 0x20) && (*p <= 0x7e)) - BIO_printf(bp,"%c",os_toebcdic[*p]); -#else if ((*p >= ' ') && (*p <= '~')) BIO_printf(bp,"%c",*p); -#endif else if (*p & 0x80) BIO_printf(bp,"\\0x%02X",*p); else if ((unsigned char)*p == 0xf7) BIO_printf(bp,"^?"); -#ifdef CHARSET_EBCDIC - else BIO_printf(bp,"^%c",os_toebcdic[*p+0x40]); -#else else BIO_printf(bp,"^%c",*p+'@'); -#endif p++; } BIO_printf(bp,"'\n"); diff --git a/openssl/apps/ciphers.c b/openssl/apps/ciphers.c index 43f0ac594..3d4c60db9 100644 --- a/openssl/apps/ciphers.c +++ b/openssl/apps/ciphers.c @@ -71,7 +71,8 @@ static const char *ciphers_usage[]={ "usage: ciphers args\n", -" -v - verbose mode, a textual listing of the ciphers in SSLeay\n", +" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", +" -V - even more verbose\n", " -ssl2 - SSL2 mode\n", " -ssl3 - SSL3 mode\n", " -tls1 - TLS1 mode\n", @@ -83,14 +84,14 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { int ret=1,i; - int verbose=0; + int verbose=0,Verbose=0; const char **pp; const char *p; int badops=0; SSL_CTX *ctx=NULL; SSL *ssl=NULL; char *ciphers=NULL; - SSL_METHOD *meth=NULL; + const SSL_METHOD *meth=NULL; STACK_OF(SSL_CIPHER) *sk; char buf[512]; BIO *STDout=NULL; @@ -114,6 +115,8 @@ int MAIN(int argc, char **argv) STDout = BIO_push(tmpbio, STDout); } #endif + if (!load_config(bio_err, NULL)) + goto end; argc--; argv++; @@ -121,6 +124,8 @@ int MAIN(int argc, char **argv) { if (strcmp(*argv,"-v") == 0) verbose=1; + else if (strcmp(*argv,"-V") == 0) + verbose=Verbose=1; #ifndef OPENSSL_NO_SSL2 else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); @@ -179,15 +184,33 @@ int MAIN(int argc, char **argv) } BIO_printf(STDout,"\n"); } - else + else /* verbose */ { sk=SSL_get_ciphers(ssl); for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { - BIO_puts(STDout,SSL_CIPHER_description( - sk_SSL_CIPHER_value(sk,i), - buf,sizeof buf)); + SSL_CIPHER *c; + + c = sk_SSL_CIPHER_value(sk,i); + + if (Verbose) + { + unsigned long id = c->id; + int id0 = (int)(id >> 24); + int id1 = (int)((id >> 16) & 0xffL); + int id2 = (int)((id >> 8) & 0xffL); + int id3 = (int)(id & 0xffL); + + if ((id & 0xff000000L) == 0x02000000L) + BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */ + else if ((id & 0xff000000L) == 0x03000000L) + BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */ + else + BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ + } + + BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf)); } } diff --git a/openssl/apps/cms.c b/openssl/apps/cms.c index 6d227acab..d29a88490 100644 --- a/openssl/apps/cms.c +++ b/openssl/apps/cms.c @@ -71,8 +71,9 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, - STACK *rr_from); +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from); #define SMIME_OP 0x10 #define SMIME_IP 0x20 @@ -94,6 +95,8 @@ static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, #define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) #define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) +int verify_err = 0; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -105,7 +108,7 @@ int MAIN(int argc, char **argv) const char *inmode = "r", *outmode = "w"; char *infile = NULL, *outfile = NULL, *rctfile = NULL; char *signerfile = NULL, *recipfile = NULL; - STACK *sksigners = NULL, *skkeys = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; char *certfile = NULL, *keyfile = NULL, *contfile=NULL; char *certsoutfile = NULL; const EVP_CIPHER *cipher = NULL; @@ -116,9 +119,10 @@ int MAIN(int argc, char **argv) STACK_OF(X509) *encerts = NULL, *other = NULL; BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; int badarg = 0; - int flags = CMS_DETACHED; + int flags = CMS_DETACHED, noout = 0, print = 0; + int verify_retcode = 0; int rr_print = 0, rr_allorfirst = -1; - STACK *rr_to = NULL, *rr_from = NULL; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; CMS_ReceiptRequest *rr = NULL; char *to = NULL, *from = NULL, *subject = NULL; char *CAfile = NULL, *CApath = NULL; @@ -166,6 +170,8 @@ int MAIN(int argc, char **argv) operation = SMIME_RESIGN; else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY; + else if (!strcmp (*args, "-verify_retcode")) + verify_retcode = 1; else if (!strcmp(*args,"-verify_receipt")) { operation = SMIME_VERIFY_RECEIPT; @@ -252,21 +258,17 @@ int MAIN(int argc, char **argv) else if (!strcmp (*args, "-no_attr_verify")) flags |= CMS_NO_ATTR_VERIFY; else if (!strcmp (*args, "-stream")) - { - args++; - continue; - } + flags |= CMS_STREAM; else if (!strcmp (*args, "-indef")) - { - args++; - continue; - } + flags |= CMS_STREAM; else if (!strcmp (*args, "-noindef")) flags &= ~CMS_STREAM; else if (!strcmp (*args, "-nooldmime")) flags |= CMS_NOOLDMIMETYPE; else if (!strcmp (*args, "-crlfeol")) flags |= CMS_CRLFEOL; + else if (!strcmp (*args, "-noout")) + noout = 1; else if (!strcmp (*args, "-receipt_request_print")) rr_print = 1; else if (!strcmp (*args, "-receipt_request_all")) @@ -279,8 +281,8 @@ int MAIN(int argc, char **argv) goto argerr; args++; if (!rr_from) - rr_from = sk_new_null(); - sk_push(rr_from, *args); + rr_from = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(rr_from, *args); } else if (!strcmp(*args,"-receipt_request_to")) { @@ -288,9 +290,14 @@ int MAIN(int argc, char **argv) goto argerr; args++; if (!rr_to) - rr_to = sk_new_null(); - sk_push(rr_to, *args); + rr_to = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(rr_to, *args); } + else if (!strcmp (*args, "-print")) + { + noout = 1; + print = 1; + } else if (!strcmp(*args,"-secretkey")) { long ltmp; @@ -380,13 +387,13 @@ int MAIN(int argc, char **argv) if (signerfile) { if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); if (!keyfile) keyfile = signerfile; if (!skkeys) - skkeys = sk_new_null(); - sk_push(skkeys, keyfile); + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; } signerfile = *++args; @@ -428,12 +435,12 @@ int MAIN(int argc, char **argv) goto argerr; } if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; if (!skkeys) - skkeys = sk_new_null(); - sk_push(skkeys, keyfile); + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); } keyfile = *++args; } @@ -532,13 +539,13 @@ int MAIN(int argc, char **argv) if (signerfile) { if (!sksigners) - sksigners = sk_new_null(); - sk_push(sksigners, signerfile); + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); if (!skkeys) - skkeys = sk_new_null(); + skkeys = sk_OPENSSL_STRING_new_null(); if (!keyfile) keyfile = signerfile; - sk_push(skkeys, keyfile); + sk_OPENSSL_STRING_push(skkeys, keyfile); } if (!sksigners) { @@ -697,7 +704,7 @@ int MAIN(int argc, char **argv) if (secret_key && !secret_keyid) { - BIO_printf(bio_err, "No sectre key id\n"); + BIO_printf(bio_err, "No secret key id\n"); goto end; } @@ -873,7 +880,7 @@ int MAIN(int argc, char **argv) { if (!(store = setup_verify(bio_err, CAfile, CApath))) goto end; - X509_STORE_set_verify_cb_func(store, cms_cb); + X509_STORE_set_verify_cb(store, cms_cb); if (vpm) X509_STORE_set1_param(store, vpm); } @@ -973,11 +980,11 @@ int MAIN(int argc, char **argv) } else flags |= CMS_REUSE_DIGEST; - for (i = 0; i < sk_num(sksigners); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { CMS_SignerInfo *si; - signerfile = sk_value(sksigners, i); - keyfile = sk_value(skkeys, i); + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) @@ -1075,6 +1082,8 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Verification failure\n"); + if (verify_retcode) + ret = verify_err + 32; goto end; } if (signerfile) @@ -1107,7 +1116,12 @@ int MAIN(int argc, char **argv) } else { - if (outformat == FORMAT_SMIME) + if (noout) + { + if (print) + CMS_ContentInfo_print_ctx(out, cms, 0, NULL); + } + else if (outformat == FORMAT_SMIME) { if (to) BIO_printf(out, "To: %s\n", to); @@ -1121,9 +1135,9 @@ int MAIN(int argc, char **argv) ret = SMIME_write_CMS(out, cms, in, flags); } else if (outformat == FORMAT_PEM) - ret = PEM_write_bio_CMS(out, cms); + ret = PEM_write_bio_CMS_stream(out, cms, in, flags); else if (outformat == FORMAT_ASN1) - ret = i2d_CMS_bio(out,cms); + ret = i2d_CMS_bio_stream(out,cms, in, flags); else { BIO_printf(bio_err, "Bad output format for CMS file\n"); @@ -1146,9 +1160,9 @@ end: if (vpm) X509_VERIFY_PARAM_free(vpm); if (sksigners) - sk_free(sksigners); + sk_OPENSSL_STRING_free(sksigners); if (skkeys) - sk_free(skkeys); + sk_OPENSSL_STRING_free(skkeys); if (secret_key) OPENSSL_free(secret_key); if (secret_keyid) @@ -1158,9 +1172,9 @@ end: if (rr) CMS_ReceiptRequest_free(rr); if (rr_to) - sk_free(rr_to); + sk_OPENSSL_STRING_free(rr_to); if (rr_from) - sk_free(rr_from); + sk_OPENSSL_STRING_free(rr_from); X509_STORE_free(store); X509_free(cert); X509_free(recip); @@ -1199,6 +1213,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx) error = X509_STORE_CTX_get_error(ctx); + verify_err = error; + if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) && ((error != X509_V_OK) || (ok != 2))) return ok; @@ -1280,7 +1296,7 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) } } -static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) +static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) { int i; STACK_OF(GENERAL_NAMES) *ret; @@ -1289,12 +1305,10 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) ret = sk_GENERAL_NAMES_new_null(); if (!ret) goto err; - for (i = 0; i < sk_num(ns); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { - CONF_VALUE cnf; - cnf.name = "email"; - cnf.value = sk_value(ns, i); - gen = v2i_GENERAL_NAME(NULL, NULL, &cnf); + char *str = sk_OPENSSL_STRING_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); if (!gen) goto err; gens = GENERAL_NAMES_new(); @@ -1321,8 +1335,9 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) } -static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, - STACK *rr_from) +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from) { STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; CMS_ReceiptRequest *rr; diff --git a/openssl/apps/crl2p7.c b/openssl/apps/crl2p7.c index b2f2d121d..bbc83774d 100644 --- a/openssl/apps/crl2p7.c +++ b/openssl/apps/crl2p7.c @@ -63,7 +63,6 @@ #include <stdio.h> #include <string.h> #include <sys/types.h> -#include <sys/stat.h> #include "apps.h" #include <openssl/err.h> #include <openssl/evp.h> @@ -93,7 +92,7 @@ int MAIN(int argc, char **argv) PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; X509_CRL *crl=NULL; - STACK *certflst=NULL; + STACK_OF(OPENSSL_STRING) *certflst=NULL; STACK_OF(X509_CRL) *crl_stack=NULL; STACK_OF(X509) *cert_stack=NULL; int ret=1,nocrl=0; @@ -141,8 +140,8 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-certfile") == 0) { if (--argc < 1) goto bad; - if(!certflst) certflst = sk_new_null(); - sk_push(certflst,*(++argv)); + if(!certflst) certflst = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(certflst,*(++argv)); } else { @@ -227,8 +226,8 @@ bad: if ((cert_stack=sk_X509_new_null()) == NULL) goto end; p7s->cert=cert_stack; - if(certflst) for(i = 0; i < sk_num(certflst); i++) { - certfile = sk_value(certflst, i); + if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { + certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack,certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); @@ -237,7 +236,7 @@ bad: } } - sk_free(certflst); + sk_OPENSSL_STRING_free(certflst); if (outfile == NULL) { @@ -295,19 +294,12 @@ end: */ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile) { - struct stat st; BIO *in=NULL; int count=0; int ret= -1; STACK_OF(X509_INFO) *sk=NULL; X509_INFO *xi; - if ((stat(certfile,&st) != 0)) - { - BIO_printf(bio_err,"unable to load the file, %s\n",certfile); - goto end; - } - in=BIO_new(BIO_s_file()); if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0)) { diff --git a/openssl/apps/dgst.c b/openssl/apps/dgst.c index 9ebfc22e7..9bf38ce73 100644 --- a/openssl/apps/dgst.c +++ b/openssl/apps/dgst.c @@ -75,8 +75,29 @@ #define PROG dgst_main int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, - EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow); + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file,BIO *bmd); + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) + { + const char *mname; + /* Skip aliases */ + if (!m) + return; + mname = OBJ_nid2ln(EVP_MD_type(m)); + /* Skip shortnames */ + if (strcmp(from, mname)) + return; + /* Skip clones */ + if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) + return; + if (strchr(mname, ' ')) + mname= EVP_MD_name(m); + BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", + mname, mname); + } int MAIN(int, char **); @@ -89,7 +110,6 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*inp; BIO *bmd=NULL; BIO *out = NULL; - const char *name; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; int separator=0; @@ -101,16 +121,16 @@ int MAIN(int argc, char **argv) EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; - unsigned int sig_flags = 0; char *passargin = NULL, *passin = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif char *hmac_key=NULL; - int non_fips_allow = 0; + char *mac_name=NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; apps_startup(); -ERR_load_crypto_strings(); + if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err,"out of memory\n"); @@ -135,6 +155,8 @@ ERR_load_crypto_strings(); if ((*argv)[0] != '-') break; if (strcmp(*argv,"-c") == 0) separator=1; + else if (strcmp(*argv,"-r") == 0) + separator=2; else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) break; @@ -169,27 +191,6 @@ ERR_load_crypto_strings(); keyfile=*(++argv); do_verify = 1; } - else if (strcmp(*argv,"-x931") == 0) - sig_flags = EVP_MD_CTX_FLAG_PAD_X931; - else if (strcmp(*argv,"-pss_saltlen") == 0) - { - int saltlen; - if (--argc < 1) break; - saltlen=atoi(*(++argv)); - if (saltlen == -1) - sig_flags = EVP_MD_CTX_FLAG_PSS_MREC; - else if (saltlen == -2) - sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN; - else if (saltlen < -2 || saltlen >= 0xFFFE) - { - BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen); - goto end; - } - else - sig_flags = saltlen; - sig_flags <<= 16; - sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS; - } else if (strcmp(*argv,"-signature") == 0) { if (--argc < 1) break; @@ -205,6 +206,7 @@ ERR_load_crypto_strings(); { if (--argc < 1) break; engine= *(++argv); + e = setup_engine(bio_err, engine, 0); } #endif else if (strcmp(*argv,"-hex") == 0) @@ -213,16 +215,36 @@ ERR_load_crypto_strings(); out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; - else if (strcmp(*argv,"-non-fips-allow") == 0) - non_fips_allow=1; - else if (!strcmp(*argv,"-fips-fingerprint")) - hmac_key = "etaonrishdlcupfm"; else if (!strcmp(*argv,"-hmac")) { if (--argc < 1) break; hmac_key=*++argv; } + else if (!strcmp(*argv,"-mac")) + { + if (--argc < 1) + break; + mac_name=*++argv; + } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + break; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + break; + } + else if (strcmp(*argv,"-macopt") == 0) + { + if (--argc < 1) + break; + if (!macopts) + macopts = sk_OPENSSL_STRING_new_null(); + if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) + break; + } else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else @@ -231,12 +253,9 @@ ERR_load_crypto_strings(); argv++; } - if (md == NULL) - md=EVP_md5(); if(do_verify && !sigfile) { BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); - err = 1; goto end; } @@ -245,6 +264,7 @@ ERR_load_crypto_strings(); BIO_printf(bio_err,"unknown option '%s'\n",*argv); BIO_printf(bio_err,"options are\n"); BIO_printf(bio_err,"-c to output the digest with separating colons\n"); + BIO_printf(bio_err,"-r to output the digest in coreutils format\n"); BIO_printf(bio_err,"-d to output debug info\n"); BIO_printf(bio_err,"-hex output as hex dump\n"); BIO_printf(bio_err,"-binary output in binary form\n"); @@ -252,49 +272,20 @@ ERR_load_crypto_strings(); BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); + BIO_printf(bio_err,"-out filename output to filename rather than stdout\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); - BIO_printf(bio_err,"-binary output in binary form\n"); + BIO_printf(bio_err,"-sigopt nm:v signature parameter\n"); BIO_printf(bio_err,"-hmac key create hashed MAC with key\n"); + BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n"); + BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); #endif - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n", - LN_md5,LN_md5); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md4,LN_md4); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md2,LN_md2); -#ifndef OPENSSL_NO_SHA - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha1,LN_sha1); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha,LN_sha); -#ifndef OPENSSL_NO_SHA256 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha224,LN_sha224); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha256,LN_sha256); -#endif -#ifndef OPENSSL_NO_SHA512 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha384,LN_sha384); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha512,LN_sha512); -#endif -#endif - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_mdc2,LN_mdc2); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_ripemd160,LN_ripemd160); - err=1; + EVP_MD_do_all_sorted(list_md_fn, bio_err); goto end; } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - in=BIO_new(BIO_s_file()); bmd=BIO_new(BIO_f_md()); if (debug) @@ -317,8 +308,10 @@ ERR_load_crypto_strings(); } if(out_bin == -1) { - if(keyfile) out_bin = 1; - else out_bin = 0; + if(keyfile) + out_bin = 1; + else + out_bin = 0; } if(randfile) @@ -344,6 +337,11 @@ ERR_load_crypto_strings(); ERR_print_errors(bio_err); goto end; } + if ((!!mac_name + !!keyfile + !!hmac_key) > 1) + { + BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); + goto end; + } if(keyfile) { @@ -361,6 +359,101 @@ ERR_load_crypto_strings(); } } + if (mac_name) + { + EVP_PKEY_CTX *mac_ctx = NULL; + int r = 0; + if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0)) + goto mac_end; + if (macopts) + { + char *macopt; + for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) + { + macopt = sk_OPENSSL_STRING_value(macopts, i); + if (pkey_ctrl_string(mac_ctx, macopt) <= 0) + { + BIO_printf(bio_err, + "MAC parameter error \"%s\"\n", + macopt); + ERR_print_errors(bio_err); + goto mac_end; + } + } + } + if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) + { + BIO_puts(bio_err, "Error generating key\n"); + ERR_print_errors(bio_err); + goto mac_end; + } + r = 1; + mac_end: + if (mac_ctx) + EVP_PKEY_CTX_free(mac_ctx); + if (r == 0) + goto end; + } + + if (hmac_key) + { + sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, + (unsigned char *)hmac_key, -1); + if (!sigkey) + goto end; + } + + if (sigkey) + { + EVP_MD_CTX *mctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + int r; + if (!BIO_get_md_ctx(bmd, &mctx)) + { + BIO_printf(bio_err, "Error getting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (do_verify) + r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); + else + r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); + if (!r) + { + BIO_printf(bio_err, "Error setting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (sigopts) + { + char *sigopt; + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) + { + sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pctx, sigopt) <= 0) + { + BIO_printf(bio_err, + "parameter error \"%s\"\n", + sigopt); + ERR_print_errors(bio_err); + goto end; + } + } + } + } + /* we use md as a filter, reading from 'in' */ + else + { + if (md == NULL) + md = EVP_md5(); + if (!BIO_set_md(bmd,md)) + { + BIO_printf(bio_err, "Error setting digest %s\n", pname); + ERR_print_errors(bio_err); + goto end; + } + } + if(sigfile && sigkey) { BIO *sigbio; sigbio = BIO_new_file(sigfile, "rb"); @@ -381,67 +474,51 @@ ERR_load_crypto_strings(); goto end; } } + inp=BIO_push(bmd,in); - if (non_fips_allow) - { - EVP_MD_CTX *md_ctx; - BIO_get_md_ctx(bmd,&md_ctx); - EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - } - - if (sig_flags) + if (md == NULL) { - EVP_MD_CTX *md_ctx; - BIO_get_md_ctx(bmd,&md_ctx); - EVP_MD_CTX_set_flags(md_ctx, sig_flags); + EVP_MD_CTX *tctx; + BIO_get_md_ctx(bmd, &tctx); + md = EVP_MD_CTX_md(tctx); } - /* we use md as a filter, reading from 'in' */ - if (!BIO_set_md(bmd,md)) - { - BIO_printf(bio_err, "Error setting digest %s\n", pname); - ERR_print_errors(bio_err); - goto end; - } - - inp=BIO_push(bmd,in); - if (argc == 0) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)",bmd,hmac_key,non_fips_allow); + siglen,NULL,NULL,"stdin",bmd); } else { - name=OBJ_nid2sn(md->type); + const char *md_name = NULL, *sig_name = NULL; + if(!out_bin) + { + if (sigkey) + { + const EVP_PKEY_ASN1_METHOD *ameth; + ameth = EVP_PKEY_get0_asn1(sigkey); + if (ameth) + EVP_PKEY_asn1_get0_info(NULL, NULL, + NULL, NULL, &sig_name, ameth); + } + md_name = EVP_MD_name(md); + } err = 0; for (i=0; i<argc; i++) { - char *tmp,*tofree=NULL; int r; - if (BIO_read_filename(in,argv[i]) <= 0) { perror(argv[i]); err++; continue; } - if(!out_bin) - { - size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; - tmp=tofree=OPENSSL_malloc(len); - BIO_snprintf(tmp,len,"%s%s(%s)= ", - hmac_key ? "HMAC-" : "",name,argv[i]); - } else - tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow); + siglen,sig_name,md_name, argv[i],bmd); if(r) err=r; - if(tofree) - OPENSSL_free(tofree); (void)BIO_reset(bmd); } } @@ -456,6 +533,10 @@ end: OPENSSL_free(passin); BIO_free_all(out); EVP_PKEY_free(sigkey); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); + if (macopts) + sk_OPENSSL_STRING_free(macopts); if(sigbuf) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); apps_shutdown(); @@ -463,24 +544,13 @@ end: } int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, - EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file,BIO *bmd,const char *hmac_key,int non_fips_allow) + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file,BIO *bmd) { - unsigned int len; + size_t len; int i; - EVP_MD_CTX *md_ctx; - HMAC_CTX hmac_ctx; - - if (hmac_key) - { - EVP_MD *md; - BIO_get_md(bmd,&md); - HMAC_CTX_init(&hmac_ctx); - HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); - BIO_get_md_ctx(bmd,&md_ctx); - BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); - } for (;;) { i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -496,7 +566,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); - i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); + i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen); if(i > 0) BIO_printf(out, "Verified OK\n"); else if(i == 0) @@ -516,25 +586,39 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); - if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key)) + len = BUFSIZE; + if(!EVP_DigestSignFinal(ctx, buf, &len)) { BIO_printf(bio_err, "Error Signing Data\n"); ERR_print_errors(bio_err); return 1; } } - else if(hmac_key) - { - HMAC_Final(&hmac_ctx,buf,&len); - HMAC_CTX_cleanup(&hmac_ctx); - } else + { len=BIO_gets(bp,(char *)buf,BUFSIZE); + if ((int)len <0) + { + ERR_print_errors(bio_err); + return 1; + } + } if(binout) BIO_write(out, buf, len); + else if (sep == 2) + { + for (i=0; i<(int)len; i++) + BIO_printf(out, "%02x",buf[i]); + BIO_printf(out, " *%s\n", file); + } else { - BIO_write(out,title,strlen(title)); + if (sig_name) + BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file); + else if (md_name) + BIO_printf(out, "%s(%s)= ", md_name, file); + else + BIO_printf(out, "(%s)= ", file); for (i=0; i<(int)len; i++) { if (sep && (i != 0)) @@ -543,10 +627,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, } BIO_printf(out, "\n"); } - if (hmac_key) - { - BIO_set_md_ctx(bmd,md_ctx); - } return 0; } diff --git a/openssl/apps/dh.c b/openssl/apps/dh.c index c4d891e12..e9609d630 100644 --- a/openssl/apps/dh.c +++ b/openssl/apps/dh.c @@ -349,4 +349,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/dhparam.c b/openssl/apps/dhparam.c index 04bd57c6e..5fab29eb8 100644 --- a/openssl/apps/dhparam.c +++ b/openssl/apps/dhparam.c @@ -554,4 +554,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb) return 1; } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/dsa.c b/openssl/apps/dsa.c index cbc1fe3f8..1109346f7 100644 --- a/openssl/apps/dsa.c +++ b/openssl/apps/dsa.c @@ -112,6 +112,8 @@ int MAIN(int argc, char **argv) char *passin = NULL, *passout = NULL; int modulus=0; + int pvk_encr = 2; + apps_startup(); if (bio_err == NULL) @@ -171,6 +173,12 @@ int MAIN(int argc, char **argv) engine= *(++argv); } #endif + else if (strcmp(*argv,"-pvk-strong") == 0) + pvk_encr=2; + else if (strcmp(*argv,"-pvk-weak") == 0) + pvk_encr=1; + else if (strcmp(*argv,"-pvk-none") == 0) + pvk_encr=0; else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -238,16 +246,30 @@ bad: goto end; } + in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); - if (out == NULL) + if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } + if (infile == NULL) + BIO_set_fp(in,stdin,BIO_NOCLOSE); + else + { + if (BIO_read_filename(in,infile) <= 0) + { + perror(infile); + goto end; + } + } + BIO_printf(bio_err,"read DSA key\n"); - { + + { EVP_PKEY *pkey; + if (pubin) pkey = load_pubkey(bio_err, infile, informat, 1, passin, e, "Public Key"); @@ -255,10 +277,12 @@ bad: pkey = load_key(bio_err, infile, informat, 1, passin, e, "Private Key"); - if (pkey != NULL) - dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey); - EVP_PKEY_free(pkey); - } + if (pkey) + { + dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_free(pkey); + } + } if (dsa == NULL) { BIO_printf(bio_err,"unable to load Key\n"); @@ -310,11 +334,24 @@ bad: i=PEM_write_bio_DSA_PUBKEY(out,dsa); else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc, NULL,0,NULL, passout); +#ifndef OPENSSL_NO_RSA + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + EVP_PKEY_set1_DSA(pk, dsa); + if (outformat == FORMAT_PVK) + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); + else if (pubin || pubout) + i = i2b_PublicKey_bio(out, pk); + else + i = i2b_PrivateKey_bio(out, pk); + EVP_PKEY_free(pk); +#endif } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } - if (!i) + if (i <= 0) { BIO_printf(bio_err,"unable to write private key\n"); ERR_print_errors(bio_err); @@ -330,4 +367,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/dsaparam.c b/openssl/apps/dsaparam.c index c301e81af..4305a739b 100644 --- a/openssl/apps/dsaparam.c +++ b/openssl/apps/dsaparam.c @@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb) #endif return 1; } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/ec.c b/openssl/apps/ec.c index 771e15f35..31194b48d 100644 --- a/openssl/apps/ec.c +++ b/openssl/apps/ec.c @@ -400,4 +400,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/ecparam.c b/openssl/apps/ecparam.c index 4e1fc837e..e9aa0a184 100644 --- a/openssl/apps/ecparam.c +++ b/openssl/apps/ecparam.c @@ -725,4 +725,10 @@ static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var, BIO_printf(out, "\n\t};\n\n"); return 1; } +#else /* !OPENSSL_NO_EC */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/enc.c b/openssl/apps/enc.c index f4f9a4c4a..3c2c91e92 100644 --- a/openssl/apps/enc.c +++ b/openssl/apps/enc.c @@ -67,6 +67,7 @@ #include <openssl/x509.h> #include <openssl/rand.h> #include <openssl/pem.h> +#include <openssl/comp.h> #include <ctype.h> int set_hex(char *in,unsigned char *out,int size); @@ -116,6 +117,10 @@ int MAIN(int argc, char **argv) char *hkey=NULL,*hiv=NULL,*hsalt = NULL; char *md=NULL; int enc=1,printkey=0,i,base64=0; +#ifdef ZLIB + int do_zlib=0; + BIO *bzl = NULL; +#endif int debug=0,olb64=0,nosalt=0; const EVP_CIPHER *cipher=NULL,*c; EVP_CIPHER_CTX *ctx = NULL; @@ -127,7 +132,6 @@ int MAIN(int argc, char **argv) char *engine = NULL; #endif const EVP_MD *dgst=NULL; - int non_fips_allow = 0; apps_startup(); @@ -142,9 +146,18 @@ int MAIN(int argc, char **argv) program_name(argv[0],pname,sizeof pname); if (strcmp(pname,"base64") == 0) base64=1; +#ifdef ZLIB + if (strcmp(pname,"zlib") == 0) + do_zlib=1; +#endif cipher=EVP_get_cipherbyname(pname); +#ifdef ZLIB + if (!do_zlib && !base64 && (cipher == NULL) + && (strcmp(pname,"enc") != 0)) +#else if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0)) +#endif { BIO_printf(bio_err,"%s is an unknown cipher\n",pname); goto bad; @@ -200,6 +213,10 @@ int MAIN(int argc, char **argv) base64=1; else if (strcmp(*argv,"-base64") == 0) base64=1; +#ifdef ZLIB + else if (strcmp(*argv,"-z") == 0) + do_zlib=1; +#endif else if (strcmp(*argv,"-bufsize") == 0) { if (--argc < 1) goto bad; @@ -226,7 +243,12 @@ int MAIN(int argc, char **argv) goto bad; } buf[0]='\0'; - fgets(buf,sizeof buf,infile); + if (!fgets(buf,sizeof buf,infile)) + { + BIO_printf(bio_err,"unable to read key from '%s'\n", + file); + goto bad; + } fclose(infile); i=strlen(buf); if ((i > 0) && @@ -262,8 +284,6 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; md= *(++argv); } - else if (strcmp(*argv,"-non-fips-allow") == 0) - non_fips_allow = 1; else if ((argv[0][0] == '-') && ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) { @@ -286,9 +306,11 @@ bad: BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile"); BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md"); BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n",""); + BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S"); BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>"); + BIO_printf(bio_err,"%-14s disable standard block padding\n","-nopad"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e"); #endif @@ -317,10 +339,7 @@ bad: if (dgst == NULL) { - if (in_FIPS_mode) - dgst = EVP_sha1(); - else - dgst = EVP_md5(); + dgst = EVP_md5(); } if (bufsize != NULL) @@ -452,6 +471,19 @@ bad: rbio=in; wbio=out; +#ifdef ZLIB + + if (do_zlib) + { + if ((bzl=BIO_new(BIO_f_zlib())) == NULL) + goto end; + if (enc) + wbio=BIO_push(bzl,wbio); + else + rbio=BIO_push(bzl,rbio); + } +#endif + if (base64) { if ((b64=BIO_new(BIO_f_base64())) == NULL) @@ -556,11 +588,6 @@ bad: */ BIO_get_cipher_ctx(benc, &ctx); - - if (non_fips_allow) - EVP_CIPHER_CTX_set_flags(ctx, - EVP_CIPH_FLAG_NON_FIPS_ALLOW); - if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", @@ -651,6 +678,9 @@ end: if (out != NULL) BIO_free_all(out); if (benc != NULL) BIO_free(benc); if (b64 != NULL) BIO_free(b64); +#ifdef ZLIB + if (bzl != NULL) BIO_free(bzl); +#endif if(pass) OPENSSL_free(pass); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/openssl/apps/engine.c b/openssl/apps/engine.c index 17bd81fb7..9a0294398 100644 --- a/openssl/apps/engine.c +++ b/openssl/apps/engine.c @@ -92,7 +92,7 @@ static const char *engine_usage[]={ NULL }; -static void identity(void *ptr) +static void identity(char *ptr) { return; } @@ -148,11 +148,6 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) if(flags & ENGINE_CMD_FLAG_NUMERIC) { - if(started) - { - BIO_printf(bio_out, "|"); - err = 1; - } BIO_printf(bio_out, "NUMERIC"); started = 1; } @@ -205,7 +200,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent char *desc = NULL; int flags; int xpos = 0; - STACK *cmds = NULL; + STACK_OF(OPENSSL_STRING) *cmds = NULL; if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, 0, NULL, NULL)) <= 0)) @@ -216,7 +211,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent return 1; } - cmds = sk_new_null(); + cmds = sk_OPENSSL_STRING_new_null(); if(!cmds) goto err; @@ -289,15 +284,17 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent BIO_printf(bio_out, "\n"); ret = 1; err: - if(cmds) sk_pop_free(cmds, identity); + if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity); if(name) OPENSSL_free(name); if(desc) OPENSSL_free(desc); return ret; } -static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent) +static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, + BIO *bio_out, const char *indent) { - int loop, res, num = sk_num(cmds); + int loop, res, num = sk_OPENSSL_STRING_num(cmds); + if(num < 0) { BIO_printf(bio_out, "[Error]: internal stack error\n"); @@ -307,7 +304,7 @@ static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *inden { char buf[256]; const char *cmd, *arg; - cmd = sk_value(cmds, loop); + cmd = sk_OPENSSL_STRING_value(cmds, loop); res = 1; /* assume success */ /* Check if this command has no ":arg" */ if((arg = strstr(cmd, ":")) == NULL) @@ -347,9 +344,9 @@ int MAIN(int argc, char **argv) const char **pp; int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0; ENGINE *e; - STACK *engines = sk_new_null(); - STACK *pre_cmds = sk_new_null(); - STACK *post_cmds = sk_new_null(); + STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); + STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); + STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); int badops=1; BIO *bio_out=NULL; const char *indent = " "; @@ -396,20 +393,20 @@ int MAIN(int argc, char **argv) argc--; argv++; if (argc == 0) goto skip_arg_loop; - sk_push(pre_cmds,*argv); + sk_OPENSSL_STRING_push(pre_cmds,*argv); } else if (strcmp(*argv,"-post") == 0) { argc--; argv++; if (argc == 0) goto skip_arg_loop; - sk_push(post_cmds,*argv); + sk_OPENSSL_STRING_push(post_cmds,*argv); } else if ((strncmp(*argv,"-h",2) == 0) || (strcmp(*argv,"-?") == 0)) goto skip_arg_loop; else - sk_push(engines,*argv); + sk_OPENSSL_STRING_push(engines,*argv); argc--; argv++; } @@ -424,17 +421,17 @@ skip_arg_loop: goto end; } - if (sk_num(engines) == 0) + if (sk_OPENSSL_STRING_num(engines) == 0) { for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { - sk_push(engines,(char *)ENGINE_get_id(e)); + sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e)); } } - for (i=0; i<sk_num(engines); i++) + for (i=0; i<sk_OPENSSL_STRING_num(engines); i++) { - const char *id = sk_value(engines,i); + const char *id = sk_OPENSSL_STRING_value(engines,i); if ((e = ENGINE_by_id(id)) != NULL) { const char *name = ENGINE_get_name(e); @@ -454,6 +451,7 @@ skip_arg_loop: const int *nids; ENGINE_CIPHERS_PTR fn_c; ENGINE_DIGESTS_PTR fn_d; + ENGINE_PKEY_METHS_PTR fn_pk; if (ENGINE_get_RSA(e) != NULL && !append_buf(&cap_buf, "RSA", @@ -492,6 +490,15 @@ skip_ciphers: goto end; skip_digests: + fn_pk = ENGINE_get_pkey_meths(e); + if(!fn_pk) goto skip_pmeths; + n = fn_pk(e, NULL, &nids, 0); + for(k=0 ; k < n ; ++k) + if(!append_buf(&cap_buf, + OBJ_nid2sn(nids[k]), + &cap_size, 256)) + goto end; +skip_pmeths: if (cap_buf && (*cap_buf != '\0')) BIO_printf(bio_out, " [%s]\n", cap_buf); @@ -526,9 +533,9 @@ skip_digests: end: ERR_print_errors(bio_err); - sk_pop_free(engines, identity); - sk_pop_free(pre_cmds, identity); - sk_pop_free(post_cmds, identity); + sk_OPENSSL_STRING_pop_free(engines, identity); + sk_OPENSSL_STRING_pop_free(pre_cmds, identity); + sk_OPENSSL_STRING_pop_free(post_cmds, identity); if (bio_out != NULL) BIO_free_all(bio_out); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/openssl/apps/errstr.c b/openssl/apps/errstr.c index 19489b0df..fe3b98077 100644 --- a/openssl/apps/errstr.c +++ b/openssl/apps/errstr.c @@ -97,10 +97,12 @@ int MAIN(int argc, char **argv) out = BIO_push(tmpbio, out); } #endif - lh_node_stats_bio((LHASH *)ERR_get_string_table(),out); - lh_stats_bio((LHASH *)ERR_get_string_table(),out); - lh_node_usage_stats_bio((LHASH *) - ERR_get_string_table(),out); + lh_ERR_STRING_DATA_node_stats_bio( + ERR_get_string_table(), out); + lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), + out); + lh_ERR_STRING_DATA_node_usage_stats_bio( + ERR_get_string_table(),out); } if (out != NULL) BIO_free_all(out); argc--; diff --git a/openssl/apps/gendh.c b/openssl/apps/gendh.c index 47497864b..caa7327a1 100644 --- a/openssl/apps/gendh.c +++ b/openssl/apps/gendh.c @@ -235,4 +235,10 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb) #endif return 1; } +#else /* !OPENSSL_NO_DH */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/gendsa.c b/openssl/apps/gendsa.c index 8a296c66e..22c39629e 100644 --- a/openssl/apps/gendsa.c +++ b/openssl/apps/gendsa.c @@ -279,4 +279,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else /* !OPENSSL_NO_DSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/genrsa.c b/openssl/apps/genrsa.c index fdc0d4a07..37e931091 100644 --- a/openssl/apps/genrsa.c +++ b/openssl/apps/genrsa.c @@ -95,7 +95,6 @@ int MAIN(int argc, char **argv) int ret=1; int i,num=DEFBITS; long l; - int use_x931 = 0; const EVP_CIPHER *enc=NULL; unsigned long f4=RSA_F4; char *outfile=NULL; @@ -106,9 +105,9 @@ int MAIN(int argc, char **argv) char *inrand=NULL; BIO *out=NULL; BIGNUM *bn = BN_new(); - RSA *rsa = RSA_new(); + RSA *rsa = NULL; - if(!bn || !rsa) goto err; + if(!bn) goto err; apps_startup(); BN_GENCB_set(&cb, genrsa_cb, bio_err); @@ -139,8 +138,6 @@ int MAIN(int argc, char **argv) f4=3; else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) f4=RSA_F4; - else if (strcmp(*argv,"-x931") == 0) - use_x931 = 1; #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -268,18 +265,15 @@ bad: BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n", num); +#ifdef OPENSSL_NO_ENGINE + rsa = RSA_new(); +#else + rsa = RSA_new_method(e); +#endif + if (!rsa) + goto err; - if (use_x931) - { - BIGNUM *pubexp; - pubexp = BN_new(); - if (!BN_set_word(pubexp, f4)) - goto err; - if (!RSA_X931_generate_key_ex(rsa, num, pubexp, &cb)) - goto err; - BN_free(pubexp); - } - else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) + if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) goto err; app_RAND_write_file(NULL, bio_err); diff --git a/openssl/apps/install.com b/openssl/apps/install.com index f927dc29f..c5821b40e 100644 --- a/openssl/apps/install.com +++ b/openssl/apps/install.com @@ -5,13 +5,23 @@ $! Time of creation: 22-MAY-1998 10:13 $! $! P1 root of the directory tree $! +$ $ IF P1 .EQS. "" $ THEN $ WRITE SYS$OUTPUT "First argument missing." -$ WRITE SYS$OUTPUT "Should be the directory where you want things installed." +$ WRITE SYS$OUTPUT - + "Should be the directory where you want things installed." $ EXIT $ ENDIF $ +$ IF (F$GETSYI("CPU").LT.128) +$ THEN +$ ARCH := VAX +$ ELSE +$ ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$ IF (ARCH .EQS. "") THEN ARCH = "UNK" +$ ENDIF +$ $ ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0" $ ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY") $ ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - @@ -19,23 +29,16 @@ $ ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - $ ROOT = ROOT_DEV + "[" + ROOT_DIR $ $ DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC -$ DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE] -$ DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE] -$ DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB] +$ DEFINE/NOLOG WRK_SSLEXE WRK_SSLROOT:['ARCH'_EXE] $ $ IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN - CREATE/DIR/LOG WRK_SSLROOT:[000000] -$ IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLVEXE: -$ IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLAEXE: -$ IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN - - CREATE/DIR/LOG WRK_SSLLIB: +$ IF F$PARSE("WRK_SSLEXE:") .EQS. "" THEN - + CREATE/DIR/LOG WRK_SSLEXE: $ $ EXE := openssl $ -$ VEXE_DIR := [-.VAX.EXE.APPS] -$ AEXE_DIR := [-.AXP.EXE.APPS] +$ EXE_DIR := [-.'ARCH'.EXE.APPS] $ $ I = 0 $ LOOP_EXE: @@ -43,25 +46,18 @@ $ E = F$EDIT(F$ELEMENT(I, ",", EXE),"TRIM") $ I = I + 1 $ IF E .EQS. "," THEN GOTO LOOP_EXE_END $ SET NOON -$ IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. "" -$ THEN -$ COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log -$ SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE -$ ENDIF -$ IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. "" +$ IF F$SEARCH(EXE_DIR+E+".EXE") .NES. "" $ THEN -$ COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log -$ SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE +$ COPY 'EXE_DIR''E'.EXE WRK_SSLEXE:'E'.EXE/log +$ SET FILE/PROT=W:RE WRK_SSLEXE:'E'.EXE $ ENDIF $ SET ON $ GOTO LOOP_EXE $ LOOP_EXE_END: $ $ SET NOON -$ COPY CA.COM WRK_SSLAEXE:CA.COM/LOG -$ SET FILE/PROT=W:RE WRK_SSLAEXE:CA.COM -$ COPY CA.COM WRK_SSLVEXE:CA.COM/LOG -$ SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM +$ COPY CA.COM WRK_SSLEXE:CA.COM/LOG +$ SET FILE/PROT=W:RE WRK_SSLEXE:CA.COM $ COPY OPENSSL-VMS.CNF WRK_SSLROOT:[000000]OPENSSL.CNF/LOG $ SET FILE/PROT=W:R WRK_SSLROOT:[000000]OPENSSL.CNF $ SET ON diff --git a/openssl/apps/makeapps.com b/openssl/apps/makeapps.com index 0580a1f40..b96c4a1c6 100644 --- a/openssl/apps/makeapps.com +++ b/openssl/apps/makeapps.com @@ -6,11 +6,12 @@ $! A-Com Computing, Inc. $! byer@mail.all-net.net $! $! Changes by Richard Levitte <richard@levitte.org> +$! Zoltan Arpadffy <zoli@polarhome.com> $! $! This command files compiles and creates all the various different $! "application" programs for the different types of encryption for OpenSSL. $! The EXE's are placed in the directory [.xxx.EXE.APPS] where "xxx" denotes -$! either AXP or VAX depending on your machine architecture. +$! ALPHA, IA64 or VAX, depending on your machine architecture. $! $! It was written so it would try to determine what "C" compiler to $! use or you can specify which "C" compiler to use. @@ -46,20 +47,21 @@ $ TCPIP_LIB = "" $! $! Check What Architecture We Are Using. $! -$ IF (F$GETSYI("CPU").GE.128) +$ IF (F$GETSYI("CPU").LT.128) $ THEN $! -$! The Architecture Is AXP. +$! The Architecture Is VAX. $! -$ ARCH := AXP +$ ARCH := VAX $! $! Else... $! $ ELSE $! -$! The Architecture Is VAX. +$! The Architecture Is Alpha, IA64 or whatever comes in the future. $! -$ ARCH := VAX +$ ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") +$ IF (ARCH .EQS. "") THEN ARCH = "UNK" $! $! End The Architecture Check. $! @@ -68,22 +70,6 @@ $! $! Define what programs should be compiled $! $ PROGRAMS := OPENSSL -$!$ PROGRAMS := VERIFY,ASN1PARS,REQ,DGST,DH,ENC,PASSWD,GENDH,ERRSTR,CA,CRL,- -$! RSA,DSA,DSAPARAM,- -$! X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,- -$! S_TIME,VERSION,PKCS7,CRL2P7,SESS_ID,CIPHERS,NSEQ, -$! -$! Check To Make Sure We Have Valid Command Line Parameters. -$! -$ GOSUB CHECK_OPTIONS -$! -$! Initialise logical names and such -$! -$ GOSUB INITIALISE -$! -$! Tell The User What Kind of Machine We Run On. -$! -$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." $! $! Define The CRYPTO Library. $! @@ -97,6 +83,22 @@ $! Define The OBJ Directory. $! $ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.APPS] $! +$! Define The EXE Directory. +$! +$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] +$! +$! Check To Make Sure We Have Valid Command Line Parameters. +$! +$ GOSUB CHECK_OPTIONS +$! +$! Initialise logical names and such +$! +$ GOSUB INITIALISE +$! +$! Tell The User What Kind of Machine We Run On. +$! +$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." +$! $! Check To See If The OBJ Directory Exists. $! $ IF (F$PARSE(OBJ_DIR).EQS."") @@ -110,10 +112,6 @@ $! End The OBJ Directory Check. $! $ ENDIF $! -$! Define The EXE Directory. -$! -$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS] -$! $! Check To See If The EXE Directory Exists. $! $ IF (F$PARSE(EXE_DIR).EQS."") @@ -136,140 +134,172 @@ $! $ GOSUB CHECK_OPT_FILE $! $! Define The Application Files. -$! -$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+- - "CA;PKCS7;CRL2P7;CRL;"+- - "RSA;RSAUTL;DSA;DSAPARAM;EC;ECPARAM;"+- - "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+- - "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+- - "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME" +$! NOTE: Some might think this list ugly. However, it's made this way to +$! reflect the E_OBJ variable in Makefile as closely as possible, thereby +$! making it fairly easy to verify that the lists are the same. +$! +$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+- + "CA,PKCS7,CRL2P7,CRL,"+- + "RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+- + "X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+- + "S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+- + "CIPHERS,NSEQ,PKCS12,PKCS8,PKEY,PKEYPARAM,PKEYUTL,"+ - + "SPKAC,SMIME,CMS,RAND,ENGINE,OCSP,PRIME,TS" $ TCPIP_PROGRAMS = ",," $ IF COMPILER .EQS. "VAXC" THEN - TCPIP_PROGRAMS = ",OPENSSL," $! $! Setup exceptional compilations $! -$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT," +$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT," $! $ PHASE := LIB $! $ RESTART: $! -$! Define A File Counter And Set It To "0". +$! Define An App Counter And Set It To "0". +$! +$ APP_COUNTER = 0 +$! +$! Top Of The App Loop. $! -$ FILE_COUNTER = 0 +$ NEXT_APP: $! -$! Top Of The File Loop. +$! Make The Application File Name $! -$ NEXT_FILE: +$ CURRENT_APP = F$EDIT(F$ELEMENT(APP_COUNTER,",",PROGRAMS),"TRIM") $! -$! O.K, Extract The File Name From The File List. +$! Create The Executable File Name. $! -$ FILE_NAME0 = F$EDIT(F$ELEMENT(FILE_COUNTER,";",'PHASE'_FILES),"TRIM") -$ FILE_NAME = F$EDIT(F$ELEMENT(0,",",FILE_NAME0),"TRIM") -$ EXTRA_OBJ = FILE_NAME0 - FILE_NAME +$ EXE_FILE = EXE_DIR + CURRENT_APP + ".EXE" $! -$! Check To See If We Are At The End Of The File List. +$! Check To See If We Are At The End Of The File List. $! -$ IF (FILE_NAME0.EQS.";") +$ IF (CURRENT_APP.EQS.",") $ THEN $ IF (PHASE.EQS."LIB") $ THEN $ PHASE := APP $ GOTO RESTART $ ELSE -$ GOTO FILE_DONE +$ GOTO APP_DONE $ ENDIF $ ENDIF $! -$! Increment The Counter. +$! Increment The Counter. $! -$ FILE_COUNTER = FILE_COUNTER + 1 +$ APP_COUNTER = APP_COUNTER + 1 $! -$! Check to see if this program should actually be compiled +$! Decide if we're building the object files or not. $! -$ IF PHASE .EQS. "APP" .AND. - - ","+PROGRAMS+"," - (","+F$EDIT(FILE_NAME,"UPCASE")+",") .EQS. ","+PROGRAMS+"," +$ IF (PHASE.EQS."LIB") $ THEN -$ GOTO NEXT_FILE -$ ENDIF $! -$! Create The Source File Name. +$! Define A Library File Counter And Set It To "-1". +$! -1 Means The Application File Name Is To Be Used. $! -$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C" +$ LIB_COUNTER = -1 $! -$! Create The Object File Name. +$! Create a .OPT file for the object files $! -$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$ OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT $! -$! Create The Executable File Name. +$! Top Of The File Loop. $! -$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE" -$ ON WARNING THEN GOTO NEXT_FILE +$ NEXT_LIB: $! -$! Check To See If The File We Want To Compile Actually Exists. +$! O.K, Extract The File Name From The File List. $! -$ IF (F$SEARCH(SOURCE_FILE).EQS."") -$ THEN +$ IF LIB_COUNTER .GE. 0 +$ THEN +$ FILE_NAME = F$EDIT(F$ELEMENT(LIB_COUNTER,",",LIB_'CURRENT_APP'),"TRIM") +$ ELSE +$ FILE_NAME = CURRENT_APP +$ ENDIF $! -$! Tell The User That The File Dosen't Exist. +$! Check To See If We Are At The End Of The File List. $! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." -$ WRITE SYS$OUTPUT "" +$ IF (FILE_NAME.EQS.",") +$ THEN +$ CLOSE OBJECTS +$ GOTO NEXT_APP +$ ENDIF $! -$! Exit The Build. +$! Increment The Counter. $! -$ GOTO EXIT +$ LIB_COUNTER = LIB_COUNTER + 1 $! -$! End The File Exist Check. +$! Create The Source File Name. $! -$ ENDIF +$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C" $! -$! Tell The User What We Are Building. +$! Create The Object File Name. $! -$ IF (PHASE.EQS."LIB") -$ THEN -$ WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." -$ ELSE -$ WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." -$ ENDIF +$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ" +$ ON WARNING THEN GOTO NEXT_LIB $! -$! Compile The File. +$! Check To See If The File We Want To Compile Actually Exists. $! -$ ON ERROR THEN GOTO NEXT_FILE -$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 -$ THEN -$ CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ELSE -$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' -$ ENDIF +$ IF (F$SEARCH(SOURCE_FILE).EQS."") +$ THEN $! -$ ON WARNING THEN GOTO NEXT_FILE +$! Tell The User That The File Dosen't Exist. $! -$ IF (PHASE.EQS."LIB") -$ THEN -$ GOTO NEXT_FILE +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." +$ WRITE SYS$OUTPUT "" +$! +$! Exit The Build. +$! +$ GOTO EXIT +$! +$! End The File Exist Check. +$! +$ ENDIF +$! +$! Tell The User What We Are Building. +$! +$ IF (PHASE.EQS."LIB") +$ THEN +$ WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File." +$ ELSE +$ WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program." +$ ENDIF +$! +$! Compile The File. +$! +$ ON ERROR THEN GOTO NEXT_LIB +$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2 +$ THEN +$ CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ELSE +$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ENDIF +$ WRITE OBJECTS OBJECT_FILE +$! +$ GOTO NEXT_LIB $ ENDIF $! $! Check if this program works well without a TCPIP library $! -$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - FILE_NAME .NES. TCPIP_PROGRAMS +$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - CURRENT_APP .NES. TCPIP_PROGRAMS $ THEN -$ WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library. Can't link. Skipping..." -$ GOTO NEXT_FILE +$ WRITE SYS$OUTPUT CURRENT_APP," needs a TCP/IP library. Can't link. Skipping..." +$ GOTO NEXT_APP $ ENDIF $! $! Link The Program. $! Check To See If We Are To Link With A Specific TCP/IP Library. $! +$ ON WARNING THEN GOTO NEXT_APP +$! $ IF (TCPIP_LIB.NES."") $ THEN $! $! Don't Link With The RSAREF Routines And TCP/IP Library. $! $ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - + 'EXE_DIR''CURRENT_APP'.OPT/OPTION, - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - 'TCPIP_LIB','OPT_FILE'/OPTION $! @@ -280,7 +310,7 @@ $! $! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. $! $ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - + 'EXE_DIR''CURRENT_APP'.OPT/OPTION, - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - 'OPT_FILE'/OPTION $! @@ -290,11 +320,11 @@ $ ENDIF $! $! Go Back And Do It Again. $! -$ GOTO NEXT_FILE +$ GOTO NEXT_APP $! $! All Done With This File. $! -$ FILE_DONE: +$ APP_DONE: $ EXIT: $! $! All Done, Time To Clean Up And Exit. @@ -395,19 +425,19 @@ $! Else... $! $ ELSE $! -$! Create The AXP Linker Option File. +$! Create The non-VAX Linker Option File. $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File For AXP To Link Agianst +! Default System Options File For non-VAX To Link Agianst ! The Sharable C Runtime Library. ! SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE SYS$SHARE:CMA$OPEN_RTL/SHARE $EOD $! -$! End The VAX/AXP DEC C Option File Check. +$! End The DEC C Option File Check. $! $ ENDIF $! @@ -556,7 +586,7 @@ $ ELSE $! $! Check To See If We Have VAXC Or DECC. $! -$ IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."") +$ IF (ARCH.NES."VAX").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."") $ THEN $! $! Looks Like DECC, Set To Use DECC. @@ -666,7 +696,7 @@ $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + - $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT" $! $! End DECC Check. $! @@ -687,9 +717,9 @@ $! $! Compile Using VAXC. $! $ CC = "CC" -$ IF ARCH.EQS."AXP" +$ IF ARCH.NES."VAX" $ THEN -$ WRITE SYS$OUTPUT "There is no VAX C on Alpha!" +$ WRITE SYS$OUTPUT "There is no VAX C on ''ARCH'!" $ EXIT $ ENDIF $ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" @@ -703,7 +733,7 @@ $ DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB] $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT" $! $! End VAXC Check $! @@ -730,7 +760,7 @@ $ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT" +$ OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT" $! $! End The GNU C Check. $! diff --git a/openssl/apps/ocsp.c b/openssl/apps/ocsp.c index 251044d77..01847dfad 100644 --- a/openssl/apps/ocsp.c +++ b/openssl/apps/ocsp.c @@ -56,25 +56,53 @@ * */ #ifndef OPENSSL_NO_OCSP + +#ifdef OPENSSL_SYS_VMS +#define _XOPEN_SOURCE_EXTENDED /* So fd_set and friends get properly defined + on OpenVMS */ +#endif + #define USE_SOCKETS + #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <time.h> #include "apps.h" /* needs to be included before the openssl headers! */ #include <openssl/e_os2.h> -#include <openssl/ssl.h> +#include <openssl/crypto.h> #include <openssl/err.h> - +#include <openssl/ssl.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/x509v3.h> + +#if defined(NETWARE_CLIB) +# ifdef NETWARE_BSDSOCK +# include <sys/socket.h> +# include <sys/bsdskt.h> +# else +# include <novsock2.h> +# endif +#elif defined(NETWARE_LIBC) +# ifdef NETWARE_BSDSOCK +# include <sys/select.h> +# else +# include <novsock2.h> +# endif +#endif + /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids, - long nsec, long maxage); + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage); static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, @@ -86,6 +114,7 @@ static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); #undef PROG @@ -104,6 +133,7 @@ int MAIN(int argc, char **argv) char *rsignfile = NULL, *rkeyfile = NULL; char *outfile = NULL; int add_nonce = 1, noverify = 0, use_ssl = -1; + STACK_OF(CONF_VALUE) *headers = NULL; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; @@ -126,7 +156,7 @@ int MAIN(int argc, char **argv) int badarg = 0; int i; int ignore_err = 0; - STACK *reqnames = NULL; + STACK_OF(OPENSSL_STRING) *reqnames = NULL; STACK_OF(OCSP_CERTID) *ids = NULL; X509 *rca_cert = NULL; @@ -134,6 +164,7 @@ int MAIN(int argc, char **argv) char *rca_filename = NULL; CA_DB *rdb = NULL; int nmin = 0, ndays = -1; + const EVP_MD *cert_id_md = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -142,7 +173,7 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); args = argv + 1; - reqnames = sk_new_null(); + reqnames = sk_OPENSSL_STRING_new_null(); ids = sk_OCSP_CERTID_new_null(); while (!badarg && *args && *args[0] == '-') { @@ -202,6 +233,16 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (!strcmp(*args, "-header")) + { + if (args[1] && args[2]) + { + if (!X509V3_add_value(args[1], args[2], &headers)) + goto end; + args += 2; + } + else badarg = 1; + } else if (!strcmp(*args, "-ignore_err")) ignore_err = 1; else if (!strcmp(*args, "-noverify")) @@ -401,9 +442,10 @@ int MAIN(int argc, char **argv) cert = load_cert(bio_err, *args, FORMAT_PEM, NULL, e, "certificate"); if(!cert) goto end; - if(!add_ocsp_cert(&req, cert, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) goto end; - if(!sk_push(reqnames, *args)) + if(!sk_OPENSSL_STRING_push(reqnames, *args)) goto end; } else badarg = 1; @@ -413,9 +455,10 @@ int MAIN(int argc, char **argv) if (args[1]) { args++; - if(!add_ocsp_serial(&req, *args, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) goto end; - if(!sk_push(reqnames, *args)) + if(!sk_OPENSSL_STRING_push(reqnames, *args)) goto end; } else badarg = 1; @@ -515,7 +558,10 @@ int MAIN(int argc, char **argv) } else badarg = 1; } - else badarg = 1; + else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL) + { + badarg = 1; + } args++; } @@ -571,6 +617,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); + BIO_printf (bio_err, "-<dgst alg> use specified digest in the request"); goto end; } @@ -677,7 +724,8 @@ int MAIN(int argc, char **argv) "signer private key"); if (!key) goto end; - if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags)) + + if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; @@ -721,7 +769,7 @@ int MAIN(int argc, char **argv) { #ifndef OPENSSL_NO_SOCK resp = process_responder(bio_err, req, host, path, - port, use_ssl, req_timeout); + port, use_ssl, headers, req_timeout); if (!resp) goto end; #else @@ -866,10 +914,11 @@ end: OCSP_REQUEST_free(req); OCSP_RESPONSE_free(resp); OCSP_BASICRESP_free(bs); - sk_free(reqnames); + sk_OPENSSL_STRING_free(reqnames); sk_OCSP_CERTID_free(ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); + sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); if (use_ssl != -1) { @@ -881,7 +930,7 @@ end: OPENSSL_EXIT(ret); } -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -892,7 +941,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, } if(!*req) *req = OCSP_REQUEST_new(); if(!*req) goto err; - id = OCSP_cert_to_id(NULL, cert, issuer); + id = OCSP_cert_to_id(cert_id_md, cert, issuer); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; return 1; @@ -902,7 +951,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, return 0; } -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -924,7 +973,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, BIO_printf(bio_err, "Error converting serial number %s\n", serial); return 0; } - id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno); + id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); ASN1_INTEGER_free(sno); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; @@ -936,8 +985,9 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, } static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids, - long nsec, long maxage) + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage) { OCSP_CERTID *id; char *name; @@ -947,13 +997,13 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; - if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids)) + if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) return 1; for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { id = sk_OCSP_CERTID_value(ids, i); - name = sk_value(names, i); + name = sk_OPENSSL_STRING_value(names, i); BIO_printf(out, "%s: ", name); if(!OCSP_resp_find_status(bs, id, &status, &reason, @@ -1010,7 +1060,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_BASICRESP *bs = NULL; int i, id_count, ret = 1; - id_count = OCSP_request_onereq_count(req); if (id_count <= 0) @@ -1019,7 +1068,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db goto end; } - ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca); bs = OCSP_BASICRESP_new(); thisupd = X509_gmtime_adj(NULL, 0); @@ -1032,8 +1080,23 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_ONEREQ *one; ASN1_INTEGER *serial; char **inf; + ASN1_OBJECT *cert_id_md_oid; + const EVP_MD *cert_id_md; one = OCSP_request_onereq_get0(req, i); cid = OCSP_onereq_get0_id(one); + + OCSP_id_get0_info(NULL,&cert_id_md_oid, NULL,NULL, cid); + + cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); + if (! cert_id_md) + { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, + NULL); + goto end; + } + if (ca_id) OCSP_CERTID_free(ca_id); + ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca); + /* Is this request about our CA? */ if (OCSP_id_issuer_cmp(ca_id, cid)) { @@ -1078,8 +1141,8 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db } OCSP_copy_nonce(bs, req); - - OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags); + + OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags); *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); @@ -1211,10 +1274,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) } static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout) { int fd; int rv; + int i; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; fd_set confds; @@ -1231,16 +1296,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, return NULL; } - if (req_timeout == -1) - return OCSP_sendreq_bio(cbio, path, req); - if (BIO_get_fd(cbio, &fd) <= 0) { BIO_puts(err, "Can't get connection fd\n"); goto err; } - if (rv <= 0) + if (req_timeout != -1 && rv <= 0) { FD_ZERO(&confds); openssl_fdset(fd, &confds); @@ -1255,15 +1317,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, } - ctx = OCSP_sendreq_new(cbio, path, req, -1); + ctx = OCSP_sendreq_new(cbio, path, NULL, -1); if (!ctx) return NULL; + + for (i = 0; i < sk_CONF_VALUE_num(headers); i++) + { + CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); + if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) + goto err; + } + + if (!OCSP_REQ_CTX_set1_req(ctx, req)) + goto err; for (;;) { rv = OCSP_sendreq_nbio(&rsp, ctx); if (rv != -1) break; + if (req_timeout == -1) + continue; FD_ZERO(&confds); openssl_fdset(fd, &confds); tv.tv_usec = 0; @@ -1287,7 +1361,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, BIO_puts(err, "Select error\n"); break; } - + } err: if (ctx) @@ -1298,6 +1372,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, int req_timeout) { BIO *cbio = NULL; @@ -1332,14 +1407,14 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } - resp = query_responder(err, cbio, path, req, req_timeout); + resp = query_responder(err, cbio, path, headers, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responsder\n"); end: - if (ctx) - SSL_CTX_free(ctx); if (cbio) BIO_free_all(cbio); + if (ctx) + SSL_CTX_free(ctx); return resp; } diff --git a/openssl/apps/openssl-vms.cnf b/openssl/apps/openssl-vms.cnf index fae82b0d5..20ed61bc3 100644 --- a/openssl/apps/openssl-vms.cnf +++ b/openssl/apps/openssl-vms.cnf @@ -21,12 +21,17 @@ oid_section = new_oids [ new_oids ] -# We can add new OIDs in here for use by 'ca' and 'req'. +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + #################################################################### [ ca ] default_ca = CA_default # The default ca section @@ -67,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. +default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -110,13 +115,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request @@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer #nsCaPolicyUrl #nsSslServerName +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + [ v3_req ] # Extensions to add to a certificate request @@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. @@ -257,7 +264,7 @@ basicConstraints = CA:true # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate @@ -290,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. @@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = sys\$disk:[.demoCA # TSA root directory +serial = $dir]tsaserial. # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir.cacert.pem] # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/openssl/apps/openssl.c b/openssl/apps/openssl.c index 7d2b476cf..851e63973 100644 --- a/openssl/apps/openssl.c +++ b/openssl/apps/openssl.c @@ -135,19 +135,17 @@ * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper * functions. */ -/* static unsigned long MS_CALLBACK hash(FUNCTION *a); */ -static unsigned long MS_CALLBACK hash(const void *a_void); -/* static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b); */ -static int MS_CALLBACK cmp(const void *a_void,const void *b_void); -static LHASH *prog_init(void ); -static int do_cmd(LHASH *prog,int argc,char *argv[]); +static LHASH_OF(FUNCTION) *prog_init(void ); +static int do_cmd(LHASH_OF(FUNCTION) *prog,int argc,char *argv[]); +static void list_pkey(BIO *out); +static void list_cipher(BIO *out); +static void list_md(BIO *out); char *default_config_file=NULL; /* Make sure there is only one when MONOLITH is defined */ #ifdef MONOLITH CONF *config=NULL; BIO *bio_err=NULL; -int in_FIPS_mode=0; #endif @@ -227,25 +225,12 @@ int main(int Argc, char *Argv[]) int n,i,ret=0; int argc; char **argv,*p; - LHASH *prog=NULL; + LHASH_OF(FUNCTION) *prog=NULL; long errline; arg.data=NULL; arg.count=0; - in_FIPS_mode = 0; - -#ifdef OPENSSL_FIPS - if(getenv("OPENSSL_FIPS")) { - if (!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); - ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); - EXIT(1); - } - in_FIPS_mode = 1; - } -#endif - if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); @@ -287,9 +272,21 @@ int main(int Argc, char *Argv[]) i=NCONF_load(config,p,&errline); if (i == 0) { - NCONF_free(config); - config = NULL; - ERR_clear_error(); + if (ERR_GET_REASON(ERR_peek_last_error()) + == CONF_R_NO_SUCH_FILE) + { + BIO_printf(bio_err, + "WARNING: can't open config file: %s\n",p); + ERR_clear_error(); + NCONF_free(config); + config = NULL; + } + else + { + ERR_print_errors(bio_err); + NCONF_free(config); + exit(1); + } } prog=prog_init(); @@ -298,7 +295,7 @@ int main(int Argc, char *Argv[]) program_name(Argv[0],pname,sizeof pname); f.name=pname; - fp=(FUNCTION *)lh_retrieve(prog,&f); + fp=lh_FUNCTION_retrieve(prog,&f); if (fp != NULL) { Argv[0]=pname; @@ -333,7 +330,8 @@ int main(int Argc, char *Argv[]) else prompt="OpenSSL> "; fputs(prompt,stdout); fflush(stdout); - fgets(p,n,stdin); + if (!fgets(p,n,stdin)) + goto end; if (p[0] == '\0') goto end; i=strlen(p); if (i <= 1) break; @@ -364,7 +362,7 @@ end: NCONF_free(config); config=NULL; } - if (prog != NULL) lh_free(prog); + if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); apps_shutdown(); @@ -380,9 +378,13 @@ end: #define LIST_STANDARD_COMMANDS "list-standard-commands" #define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands" +#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms" #define LIST_CIPHER_COMMANDS "list-cipher-commands" +#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms" +#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms" + -static int do_cmd(LHASH *prog, int argc, char *argv[]) +static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) { FUNCTION f,*fp; int i,ret=1,tp,nl; @@ -390,7 +392,22 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) if ((argc <= 0) || (argv[0] == NULL)) { ret=0; goto end; } f.name=argv[0]; - fp=(FUNCTION *)lh_retrieve(prog,&f); + fp=lh_FUNCTION_retrieve(prog,&f); + if (fp == NULL) + { + if (EVP_get_digestbyname(argv[0])) + { + f.type = FUNC_TYPE_MD; + f.func = dgst_main; + fp = &f; + } + else if (EVP_get_cipherbyname(argv[0])) + { + f.type = FUNC_TYPE_CIPHER; + f.func = enc_main; + fp = &f; + } + } if (fp != NULL) { ret=fp->func(argc,argv); @@ -405,7 +422,7 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) } #endif f.name=argv[0]+3; - ret = (lh_retrieve(prog,&f) != NULL); + ret = (lh_FUNCTION_retrieve(prog,&f) != NULL); if (!ret) BIO_printf(bio_stdout, "%s\n", argv[0]); else @@ -423,7 +440,10 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) } else if ((strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0) || (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) || - (strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0)) + (strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) || + (strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0) || + (strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0) || + (strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0)) { int list_type; BIO *bio_stdout; @@ -432,6 +452,12 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) list_type = FUNC_TYPE_GENERAL; else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) list_type = FUNC_TYPE_MD; + else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) + list_type = FUNC_TYPE_MD_ALG; + else if (strcmp(argv[0],LIST_PUBLIC_KEY_ALGORITHMS) == 0) + list_type = FUNC_TYPE_PKEY; + else if (strcmp(argv[0],LIST_CIPHER_ALGORITHMS) == 0) + list_type = FUNC_TYPE_CIPHER_ALG; else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */ list_type = FUNC_TYPE_CIPHER; bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE); @@ -441,10 +467,23 @@ static int do_cmd(LHASH *prog, int argc, char *argv[]) bio_stdout = BIO_push(tmpbio, bio_stdout); } #endif - - for (fp=functions; fp->name != NULL; fp++) - if (fp->type == list_type) - BIO_printf(bio_stdout, "%s\n", fp->name); + + if (!load_config(bio_err, NULL)) + goto end; + + if (list_type == FUNC_TYPE_PKEY) + list_pkey(bio_stdout); + if (list_type == FUNC_TYPE_MD_ALG) + list_md(bio_stdout); + if (list_type == FUNC_TYPE_CIPHER_ALG) + list_cipher(bio_stdout); + else + { + for (fp=functions; fp->name != NULL; fp++) + if (fp->type == list_type) + BIO_printf(bio_stdout, "%s\n", + fp->name); + } BIO_free_all(bio_stdout); ret=0; goto end; @@ -507,9 +546,94 @@ static int SortFnByName(const void *_f1,const void *_f2) return strcmp(f1->name,f2->name); } -static LHASH *prog_init(void) +static void list_pkey(BIO *out) + { + int i; + for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) + { + const EVP_PKEY_ASN1_METHOD *ameth; + int pkey_id, pkey_base_id, pkey_flags; + const char *pinfo, *pem_str; + ameth = EVP_PKEY_asn1_get0(i); + EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth); + if (pkey_flags & ASN1_PKEY_ALIAS) + { + BIO_printf(out, "Name: %s\n", + OBJ_nid2ln(pkey_id)); + BIO_printf(out, "\tType: Alias to %s\n", + OBJ_nid2ln(pkey_base_id)); + } + else + { + BIO_printf(out, "Name: %s\n", pinfo); + BIO_printf(out, "\tType: %s Algorithm\n", + pkey_flags & ASN1_PKEY_DYNAMIC ? + "External" : "Builtin"); + BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); + if (pem_str == NULL) + pem_str = "(none)"; + BIO_printf(out, "\tPEM string: %s\n", pem_str); + } + + } + } + +static void list_cipher_fn(const EVP_CIPHER *c, + const char *from, const char *to, void *arg) + { + if (c) + BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); + else + { + if (!from) + from = "<undefined>"; + if (!to) + to = "<undefined>"; + BIO_printf(arg, "%s => %s\n", from, to); + } + } + +static void list_cipher(BIO *out) + { + EVP_CIPHER_do_all_sorted(list_cipher_fn, out); + } + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) + { + if (m) + BIO_printf(arg, "%s\n", EVP_MD_name(m)); + else + { + if (!from) + from = "<undefined>"; + if (!to) + to = "<undefined>"; + BIO_printf(arg, "%s => %s\n", from, to); + } + } + +static void list_md(BIO *out) + { + EVP_MD_do_all_sorted(list_md_fn, out); + } + +static int MS_CALLBACK function_cmp(const FUNCTION *a, const FUNCTION *b) + { + return strncmp(a->name,b->name,8); + } +static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION) + +static unsigned long MS_CALLBACK function_hash(const FUNCTION *a) + { + return lh_strhash(a->name); + } +static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION) + +static LHASH_OF(FUNCTION) *prog_init(void) { - LHASH *ret; + LHASH_OF(FUNCTION) *ret; FUNCTION *f; size_t i; @@ -518,23 +642,11 @@ static LHASH *prog_init(void) ; qsort(functions,i,sizeof *functions,SortFnByName); - if ((ret=lh_new(hash, cmp)) == NULL) + if ((ret=lh_FUNCTION_new()) == NULL) return(NULL); for (f=functions; f->name != NULL; f++) - lh_insert(ret,f); + (void)lh_FUNCTION_insert(ret,f); return(ret); } -/* static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b) */ -static int MS_CALLBACK cmp(const void *a_void, const void *b_void) - { - return(strncmp(((const FUNCTION *)a_void)->name, - ((const FUNCTION *)b_void)->name,8)); - } - -/* static unsigned long MS_CALLBACK hash(FUNCTION *a) */ -static unsigned long MS_CALLBACK hash(const void *a_void) - { - return(lh_strhash(((const FUNCTION *)a_void)->name)); - } diff --git a/openssl/apps/openssl.cnf b/openssl/apps/openssl.cnf index 9e59020c1..9d2cd5bfa 100644 --- a/openssl/apps/openssl.cnf +++ b/openssl/apps/openssl.cnf @@ -21,12 +21,17 @@ oid_section = new_oids [ new_oids ] -# We can add new OIDs in here for use by 'ca' and 'req'. +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + #################################################################### [ ca ] default_ca = CA_default # The default ca section @@ -67,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. +default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -110,13 +115,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = nombstr +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request @@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer #nsCaPolicyUrl #nsSslServerName +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + [ v3_req ] # Extensions to add to a certificate request @@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. @@ -257,7 +264,7 @@ basicConstraints = CA:true # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate @@ -290,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. @@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/openssl/apps/pkcs12.c b/openssl/apps/pkcs12.c index 248bc1154..514a02e0f 100644 --- a/openssl/apps/pkcs12.c +++ b/openssl/apps/pkcs12.c @@ -88,6 +88,7 @@ int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); int alg_print(BIO *x, X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); +static int set_pbe(BIO *err, int *ppbe, const char *str); int MAIN(int, char **); @@ -111,16 +112,17 @@ int MAIN(int argc, char **argv) int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; - int cert_pbe; + int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; int noprompt = 0; - STACK *canames = NULL; + STACK_OF(OPENSSL_STRING) *canames = NULL; char *cpass = NULL, *mpass = NULL; char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; + char *macalg = NULL; char *CApath = NULL, *CAfile = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; @@ -128,13 +130,6 @@ int MAIN(int argc, char **argv) apps_startup(); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -#endif - cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; - enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); @@ -185,33 +180,18 @@ int MAIN(int argc, char **argv) maciter = 1; else if (!strcmp (*args, "-nomac")) maciter = -1; + else if (!strcmp (*args, "-macalg")) + if (args[1]) { + args++; + macalg = *args; + } else badarg = 1; else if (!strcmp (*args, "-nodes")) enc=NULL; else if (!strcmp (*args, "-certpbe")) { - if (args[1]) { - args++; - if (!strcmp(*args, "NONE")) - cert_pbe = -1; - else - cert_pbe=OBJ_txt2nid(*args); - if(cert_pbe == NID_undef) { - BIO_printf(bio_err, - "Unknown PBE algorithm %s\n", *args); - badarg = 1; - } - } else badarg = 1; + if (!set_pbe(bio_err, &cert_pbe, *++args)) + badarg = 1; } else if (!strcmp (*args, "-keypbe")) { - if (args[1]) { - args++; - if (!strcmp(*args, "NONE")) - key_pbe = -1; - else - key_pbe=OBJ_txt2nid(*args); - if(key_pbe == NID_undef) { - BIO_printf(bio_err, - "Unknown PBE algorithm %s\n", *args); - badarg = 1; - } - } else badarg = 1; + if (!set_pbe(bio_err, &key_pbe, *++args)) + badarg = 1; } else if (!strcmp (*args, "-rand")) { if (args[1]) { args++; @@ -242,8 +222,8 @@ int MAIN(int argc, char **argv) } else if (!strcmp (*args, "-caname")) { if (args[1]) { args++; - if (!canames) canames = sk_new_null(); - sk_push(canames, *args); + if (!canames) canames = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(canames, *args); } else badarg = 1; } else if (!strcmp (*args, "-in")) { if (args[1]) { @@ -332,11 +312,14 @@ int MAIN(int argc, char **argv) #endif BIO_printf (bio_err, "-nodes don't encrypt private keys\n"); BIO_printf (bio_err, "-noiter don't use encryption iteration\n"); + BIO_printf (bio_err, "-nomaciter don't use MAC iteration\n"); BIO_printf (bio_err, "-maciter use MAC iteration\n"); + BIO_printf (bio_err, "-nomac don't generate MAC\n"); BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); + BIO_printf (bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n"); BIO_printf (bio_err, "-keyex set MS key exchange type\n"); BIO_printf (bio_err, "-keysig set MS key signature type\n"); BIO_printf (bio_err, "-password p set import/export password source\n"); @@ -348,8 +331,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); - BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n"); + BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); + BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n"); goto end; } @@ -439,6 +422,7 @@ int MAIN(int argc, char **argv) EVP_PKEY *key = NULL; X509 *ucert = NULL, *x = NULL; STACK_OF(X509) *certs=NULL; + const EVP_MD *macmd = NULL; unsigned char *catmp = NULL; int i; @@ -565,9 +549,9 @@ int MAIN(int argc, char **argv) /* Add any CA names */ - for (i = 0; i < sk_num(canames); i++) + for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { - catmp = (unsigned char *)sk_value(canames, i); + catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } @@ -605,8 +589,18 @@ int MAIN(int argc, char **argv) goto export_end; } + if (macalg) + { + macmd = EVP_get_digestbyname(macalg); + if (!macmd) + { + BIO_printf(bio_err, "Unknown digest algorithm %s\n", + macalg); + } + } + if (maciter != -1) - PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL); + PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); @@ -693,7 +687,7 @@ int MAIN(int argc, char **argv) #endif BIO_free(in); BIO_free_all(out); - if (canames) sk_free(canames); + if (canames) sk_OPENSSL_STRING_free(canames); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); @@ -929,7 +923,7 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name) av = sk_ASN1_TYPE_value(attr->value.set, 0); switch(av->type) { case V_ASN1_BMPSTRING: - value = uni2asc(av->value.bmpstring->data, + value = OPENSSL_uni2asc(av->value.bmpstring->data, av->value.bmpstring->length); BIO_printf(out, "%s\n", value); OPENSSL_free(value); @@ -962,4 +956,22 @@ void hex_prin(BIO *out, unsigned char *buf, int len) for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]); } +static int set_pbe(BIO *err, int *ppbe, const char *str) + { + if (!str) + return 0; + if (!strcmp(str, "NONE")) + { + *ppbe = -1; + return 1; + } + *ppbe=OBJ_txt2nid(str); + if (*ppbe == NID_undef) + { + BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); + return 0; + } + return 1; + } + #endif diff --git a/openssl/apps/pkcs7.c b/openssl/apps/pkcs7.c index da4dbe7a0..86d31b99a 100644 --- a/openssl/apps/pkcs7.c +++ b/openssl/apps/pkcs7.c @@ -90,7 +90,7 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat; char *infile,*outfile,*prog; - int print_certs=0,text=0,noout=0; + int print_certs=0,text=0,noout=0,p7_print=0; int ret=1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; @@ -139,6 +139,8 @@ int MAIN(int argc, char **argv) noout=1; else if (strcmp(*argv,"-text") == 0) text=1; + else if (strcmp(*argv,"-print") == 0) + p7_print=1; else if (strcmp(*argv,"-print_certs") == 0) print_certs=1; #ifndef OPENSSL_NO_ENGINE @@ -238,6 +240,9 @@ bad: } } + if (p7_print) + PKCS7_print_ctx(out, p7, 0, NULL); + if (print_certs) { STACK_OF(X509) *certs=NULL; diff --git a/openssl/apps/pkcs8.c b/openssl/apps/pkcs8.c index 9633a149b..7edeb179d 100644 --- a/openssl/apps/pkcs8.c +++ b/openssl/apps/pkcs8.c @@ -80,11 +80,12 @@ int MAIN(int argc, char **argv) int informat, outformat; int p8_broken = PKCS8_OK; int nocrypt = 0; - X509_SIG *p8; - PKCS8_PRIV_KEY_INFO *p8inf; + X509_SIG *p8 = NULL; + PKCS8_PRIV_KEY_INFO *p8inf = NULL; EVP_PKEY *pkey=NULL; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; + int ret = 1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -225,7 +226,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif - return 1; + goto end; } #ifndef OPENSSL_NO_ENGINE @@ -235,7 +236,7 @@ int MAIN(int argc, char **argv) if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); - return 1; + goto end; } if ((pbe_nid == -1) && !cipher) @@ -247,7 +248,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Can't open input file %s\n", infile); - return (1); + goto end; } } else @@ -259,7 +260,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Can't open output file %s\n", outfile); - return (1); + goto end; } } else @@ -274,21 +275,15 @@ int MAIN(int argc, char **argv) } if (topk8) { - BIO_free(in); /* Not needed in this section */ pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); if (!pkey) - { - BIO_free_all(out); - return 1; - } + goto end; if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return 1; + goto end; } if (nocrypt) { @@ -299,10 +294,7 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } } else @@ -313,12 +305,7 @@ int MAIN(int argc, char **argv) { p8pass = pass; if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1)) - { - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); - } + goto end; } app_RAND_load_file(NULL, bio_err, 0); if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, @@ -327,10 +314,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err, "Error encrypting key\n"); ERR_print_errors(bio_err); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } app_RAND_write_file(NULL, bio_err); if (outformat == FORMAT_PEM) @@ -340,22 +324,12 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - return (1); + goto end; } - X509_SIG_free(p8); } - PKCS8_PRIV_KEY_INFO_free (p8inf); - EVP_PKEY_free(pkey); - BIO_free_all(out); - if (passin) - OPENSSL_free(passin); - if (passout) - OPENSSL_free(passout); - return (0); + ret = 0; + goto end; } if (nocrypt) @@ -367,7 +341,7 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } } else @@ -379,14 +353,14 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } if (!p8) { BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (passin) p8pass = passin; @@ -396,21 +370,20 @@ int MAIN(int argc, char **argv) EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0); } p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); - X509_SIG_free(p8); } if (!p8inf) { BIO_printf(bio_err, "Error decrypting key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); - return (1); + goto end; } if (p8inf->broken) @@ -430,13 +403,16 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "DSA public key include in PrivateKey\n"); break; + case PKCS8_NEG_PRIVKEY: + BIO_printf(bio_err, "DSA private key value is negative\n"); + break; + default: BIO_printf(bio_err, "Unknown broken type\n"); break; } } - PKCS8_PRIV_KEY_INFO_free(p8inf); if (outformat == FORMAT_PEM) PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout); else if (outformat == FORMAT_ASN1) @@ -444,10 +420,13 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Bad format specified for key\n"); - return (1); + goto end; } + ret = 0; end: + X509_SIG_free(p8); + PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); @@ -456,5 +435,5 @@ int MAIN(int argc, char **argv) if (passout) OPENSSL_free(passout); - return (0); + return ret; } diff --git a/openssl/apps/pkeyparam.c b/openssl/apps/pkeyparam.c index 4319eb4de..7f18010f9 100644 --- a/openssl/apps/pkeyparam.c +++ b/openssl/apps/pkeyparam.c @@ -179,7 +179,7 @@ int MAIN(int argc, char **argv) pkey = PEM_read_bio_Parameters(in, NULL); if (!pkey) { - BIO_printf(bio_err, "Error reading paramters\n"); + BIO_printf(bio_err, "Error reading parameters\n"); ERR_print_errors(bio_err); goto end; } diff --git a/openssl/apps/pkeyutl.c b/openssl/apps/pkeyutl.c index b808e1ef4..22a6c4bf3 100644 --- a/openssl/apps/pkeyutl.c +++ b/openssl/apps/pkeyutl.c @@ -390,7 +390,7 @@ static void usage() BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); BIO_printf(bio_err, "-in file input file\n"); BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-signature file signature file (verify operation only)\n"); + BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n"); BIO_printf(bio_err, "-inkey file input key\n"); BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); BIO_printf(bio_err, "-pubin input is a public key\n"); diff --git a/openssl/apps/prime.c b/openssl/apps/prime.c index af2fed15a..f1aaef872 100644 --- a/openssl/apps/prime.c +++ b/openssl/apps/prime.c @@ -62,6 +62,9 @@ int MAIN(int argc, char **argv) { int hex=0; int checks=20; + int generate=0; + int bits=0; + int safe=0; BIGNUM *bn=NULL; BIO *bio_out; @@ -77,6 +80,15 @@ int MAIN(int argc, char **argv) { if(!strcmp(*argv,"-hex")) hex=1; + else if(!strcmp(*argv,"-generate")) + generate=1; + else if(!strcmp(*argv,"-bits")) + if(--argc < 1) + goto bad; + else + bits=atoi(*++argv); + else if(!strcmp(*argv,"-safe")) + safe=1; else if(!strcmp(*argv,"-checks")) if(--argc < 1) goto bad; @@ -91,13 +103,13 @@ int MAIN(int argc, char **argv) ++argv; } - if (argv[0] == NULL) + if (argv[0] == NULL && !generate) { BIO_printf(bio_err,"No prime specified\n"); goto bad; } - if ((bio_out=BIO_new(BIO_s_file())) != NULL) + if ((bio_out=BIO_new(BIO_s_file())) != NULL) { BIO_set_fp(bio_out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS @@ -108,14 +120,32 @@ int MAIN(int argc, char **argv) #endif } - if(hex) - BN_hex2bn(&bn,argv[0]); + if(generate) + { + char *s; + + if(!bits) + { + BIO_printf(bio_err,"Specifiy the number of bits.\n"); + return 1; + } + bn=BN_new(); + BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL); + s=hex ? BN_bn2hex(bn) : BN_bn2dec(bn); + BIO_printf(bio_out,"%s\n",s); + OPENSSL_free(s); + } else - BN_dec2bn(&bn,argv[0]); + { + if(hex) + BN_hex2bn(&bn,argv[0]); + else + BN_dec2bn(&bn,argv[0]); - BN_print(bio_out,bn); - BIO_printf(bio_out," is %sprime\n", - BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); + BN_print(bio_out,bn); + BIO_printf(bio_out," is %sprime\n", + BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not "); + } BN_free(bn); BIO_free_all(bio_out); diff --git a/openssl/apps/progs.h b/openssl/apps/progs.h index aafd800bd..79e479a33 100644 --- a/openssl/apps/progs.h +++ b/openssl/apps/progs.h @@ -22,6 +22,7 @@ extern int ecparam_main(int argc,char *argv[]); extern int x509_main(int argc,char *argv[]); extern int genrsa_main(int argc,char *argv[]); extern int gendsa_main(int argc,char *argv[]); +extern int genpkey_main(int argc,char *argv[]); extern int s_server_main(int argc,char *argv[]); extern int s_client_main(int argc,char *argv[]); extern int speed_main(int argc,char *argv[]); @@ -35,22 +36,30 @@ extern int ciphers_main(int argc,char *argv[]); extern int nseq_main(int argc,char *argv[]); extern int pkcs12_main(int argc,char *argv[]); extern int pkcs8_main(int argc,char *argv[]); +extern int pkey_main(int argc,char *argv[]); +extern int pkeyparam_main(int argc,char *argv[]); +extern int pkeyutl_main(int argc,char *argv[]); extern int spkac_main(int argc,char *argv[]); extern int smime_main(int argc,char *argv[]); extern int rand_main(int argc,char *argv[]); extern int engine_main(int argc,char *argv[]); extern int ocsp_main(int argc,char *argv[]); extern int prime_main(int argc,char *argv[]); +extern int ts_main(int argc,char *argv[]); #define FUNC_TYPE_GENERAL 1 #define FUNC_TYPE_MD 2 #define FUNC_TYPE_CIPHER 3 +#define FUNC_TYPE_PKEY 4 +#define FUNC_TYPE_MD_ALG 5 +#define FUNC_TYPE_CIPHER_ALG 6 typedef struct { int type; const char *name; int (*func)(int argc,char *argv[]); } FUNCTION; +DECLARE_LHASH_OF(FUNCTION); FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"verify",verify_main}, @@ -96,6 +105,7 @@ FUNCTION functions[] = { #ifndef OPENSSL_NO_DSA {FUNC_TYPE_GENERAL,"gendsa",gendsa_main}, #endif + {FUNC_TYPE_GENERAL,"genpkey",genpkey_main}, #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_server",s_server_main}, #endif @@ -123,14 +133,20 @@ FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main}, #endif {FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main}, + {FUNC_TYPE_GENERAL,"pkey",pkey_main}, + {FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main}, + {FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main}, {FUNC_TYPE_GENERAL,"spkac",spkac_main}, {FUNC_TYPE_GENERAL,"smime",smime_main}, {FUNC_TYPE_GENERAL,"rand",rand_main}, #ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,"engine",engine_main}, #endif +#ifndef OPENSSL_NO_OCSP {FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, +#endif {FUNC_TYPE_GENERAL,"prime",prime_main}, + {FUNC_TYPE_GENERAL,"ts",ts_main}, #ifndef OPENSSL_NO_MD2 {FUNC_TYPE_MD,"md2",dgst_main}, #endif @@ -189,6 +205,9 @@ FUNCTION functions[] = { {FUNC_TYPE_CIPHER,"camellia-256-ecb",enc_main}, #endif {FUNC_TYPE_CIPHER,"base64",enc_main}, +#ifdef ZLIB + {FUNC_TYPE_CIPHER,"zlib",enc_main}, +#endif #ifndef OPENSSL_NO_DES {FUNC_TYPE_CIPHER,"des",enc_main}, #endif diff --git a/openssl/apps/progs.pl b/openssl/apps/progs.pl index 645432cfc..de6fdeabb 100644 --- a/openssl/apps/progs.pl +++ b/openssl/apps/progs.pl @@ -13,12 +13,16 @@ print <<'EOF'; #define FUNC_TYPE_GENERAL 1 #define FUNC_TYPE_MD 2 #define FUNC_TYPE_CIPHER 3 +#define FUNC_TYPE_PKEY 4 +#define FUNC_TYPE_MD_ALG 5 +#define FUNC_TYPE_CIPHER_ALG 6 typedef struct { int type; const char *name; int (*func)(int argc,char *argv[]); } FUNCTION; +DECLARE_LHASH_OF(FUNCTION); FUNCTION functions[] = { EOF @@ -45,6 +49,8 @@ foreach (@ARGV) { print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; } elsif ( ($_ =~ /^cms$/)) { print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; } + elsif ( ($_ =~ /^ocsp$/)) + { print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; } else { print $str; } } @@ -62,7 +68,7 @@ foreach ( "camellia-128-cbc", "camellia-128-ecb", "camellia-192-cbc", "camellia-192-ecb", "camellia-256-cbc", "camellia-256-ecb", - "base64", + "base64", "zlib", "des", "des3", "desx", "idea", "seed", "rc4", "rc4-40", "rc2", "bf", "cast", "rc5", "des-ecb", "des-ede", "des-ede3", @@ -89,6 +95,7 @@ foreach ( elsif ($_ =~ /bf/) { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; } elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; } elsif ($_ =~ /rc5/) { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; } + elsif ($_ =~ /zlib/) { $t="#ifdef ZLIB\n${t}#endif\n"; } print $t; } diff --git a/openssl/apps/req.c b/openssl/apps/req.c index 5ed08960c..820cd18fc 100644 --- a/openssl/apps/req.c +++ b/openssl/apps/req.c @@ -141,39 +141,33 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def, int n_max, unsigned long chtype); static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, int nid,int n_min,int n_max, unsigned long chtype, int mval); -#ifndef OPENSSL_NO_RSA -static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb); -#endif +static int genpkey_cb(EVP_PKEY_CTX *ctx); static int req_check_len(int len,int n_min,int n_max); static int check_end(const char *str, const char *end); +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, + long *pkeylen, char **palgnam, + ENGINE *keygen_engine); #ifndef MONOLITH static char *default_config_file=NULL; #endif static CONF *req_conf=NULL; static int batch=0; -#define TYPE_RSA 1 -#define TYPE_DSA 2 -#define TYPE_DH 3 -#define TYPE_EC 4 - int MAIN(int, char **); int MAIN(int argc, char **argv) { - ENGINE *e = NULL; -#ifndef OPENSSL_NO_DSA - DSA *dsa_params=NULL; -#endif -#ifndef OPENSSL_NO_ECDSA - EC_KEY *ec_params = NULL; -#endif + ENGINE *e = NULL, *gen_eng = NULL; unsigned long nmflag = 0, reqflag = 0; int ex=1,x509=0,days=30; X509 *x509ss=NULL; X509_REQ *req=NULL; + EVP_PKEY_CTX *genctx = NULL; + const char *keyalg = NULL; + char *keyalgstr = NULL; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; EVP_PKEY *pkey=NULL; - int i=0,badops=0,newreq=0,verbose=0,pkey_type=TYPE_RSA; + int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; long newkey = -1; BIO *in=NULL,*out=NULL; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; @@ -193,7 +187,7 @@ int MAIN(int argc, char **argv) char *p; char *subj = NULL; int multirdn = 0; - const EVP_MD *md_alg=NULL,*digest=EVP_sha1(); + const EVP_MD *md_alg=NULL,*digest=NULL; unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH char *to_free; @@ -236,6 +230,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; engine= *(++argv); } + else if (strcmp(*argv,"-keygen_engine") == 0) + { + if (--argc < 1) goto bad; + gen_eng = ENGINE_by_id(*(++argv)); + if (gen_eng == NULL) + { + BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); + goto end; + } + } #endif else if (strcmp(*argv,"-key") == 0) { @@ -292,126 +296,20 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-newkey") == 0) { - int is_numeric; - - if (--argc < 1) goto bad; - p= *(++argv); - is_numeric = p[0] >= '0' && p[0] <= '9'; - if (strncmp("rsa:",p,4) == 0 || is_numeric) - { - pkey_type=TYPE_RSA; - if(!is_numeric) - p+=4; - newkey= atoi(p); - } - else -#ifndef OPENSSL_NO_DSA - if (strncmp("dsa:",p,4) == 0) - { - X509 *xtmp=NULL; - EVP_PKEY *dtmp; - - pkey_type=TYPE_DSA; - p+=4; - if ((in=BIO_new_file(p,"r")) == NULL) - { - perror(p); - goto end; - } - if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL) - { - ERR_clear_error(); - (void)BIO_reset(in); - if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) - { - BIO_printf(bio_err,"unable to load DSA parameters from file\n"); - goto end; - } - - if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end; - if (dtmp->type == EVP_PKEY_DSA) - dsa_params=DSAparams_dup(dtmp->pkey.dsa); - EVP_PKEY_free(dtmp); - X509_free(xtmp); - if (dsa_params == NULL) - { - BIO_printf(bio_err,"Certificate does not contain DSA parameters\n"); - goto end; - } - } - BIO_free(in); - in=NULL; - newkey=BN_num_bits(dsa_params->p); - } - else -#endif -#ifndef OPENSSL_NO_ECDSA - if (strncmp("ec:",p,3) == 0) - { - X509 *xtmp=NULL; - EVP_PKEY *dtmp; - EC_GROUP *group; - - pkey_type=TYPE_EC; - p+=3; - if ((in=BIO_new_file(p,"r")) == NULL) - { - perror(p); - goto end; - } - if ((ec_params = EC_KEY_new()) == NULL) - goto end; - group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL); - if (group == NULL) - { - EC_KEY_free(ec_params); - ERR_clear_error(); - (void)BIO_reset(in); - if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) - { - BIO_printf(bio_err,"unable to load EC parameters from file\n"); - goto end; - } - - if ((dtmp=X509_get_pubkey(xtmp))==NULL) - goto end; - if (dtmp->type == EVP_PKEY_EC) - ec_params = EC_KEY_dup(dtmp->pkey.ec); - EVP_PKEY_free(dtmp); - X509_free(xtmp); - if (ec_params == NULL) - { - BIO_printf(bio_err,"Certificate does not contain EC parameters\n"); - goto end; - } - } - else - { - if (EC_KEY_set_group(ec_params, group) == 0) - goto end; - EC_GROUP_free(group); - } - - BIO_free(in); - in=NULL; - newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params)); - } - else -#endif -#ifndef OPENSSL_NO_DH - if (strncmp("dh:",p,4) == 0) - { - pkey_type=TYPE_DH; - p+=3; - } - else -#endif - { + if (--argc < 1) goto bad; - } - + keyalg = *(++argv); newreq=1; } + else if (strcmp(*argv,"-pkeyopt") == 0) + { + if (--argc < 1) + goto bad; + if (!pkeyopts) + pkeyopts = sk_OPENSSL_STRING_new_null(); + if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) + goto bad; + } else if (strcmp(*argv,"-batch") == 0) batch=1; else if (strcmp(*argv,"-newhdr") == 0) @@ -467,11 +365,6 @@ int MAIN(int argc, char **argv) serial = s2i_ASN1_INTEGER(NULL, *(++argv)); if (!serial) goto bad; } - else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) - { - /* ok */ - digest=md_alg; - } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; @@ -482,6 +375,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; req_exts = *(++argv); } + else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) + { + /* ok */ + digest=md_alg; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -730,15 +628,20 @@ bad: if (newreq && (pkey == NULL)) { -#ifndef OPENSSL_NO_RSA - BN_GENCB cb; -#endif char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); if (inrand) app_RAND_load_files(inrand); + + if (keyalg) + { + genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) + goto end; + } if (newkey <= 0) { @@ -746,57 +649,54 @@ bad: newkey=DEFAULT_KEY_LENGTH; } - if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA)) + if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { BIO_printf(bio_err,"private key length is too short,\n"); BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey); goto end; } - BIO_printf(bio_err,"Generating a %ld bit %s private key\n", - newkey,(pkey_type == TYPE_RSA)?"RSA": - (pkey_type == TYPE_DSA)?"DSA":"EC"); - - if ((pkey=EVP_PKEY_new()) == NULL) goto end; -#ifndef OPENSSL_NO_RSA - BN_GENCB_set(&cb, req_cb, bio_err); - if (pkey_type == TYPE_RSA) - { - RSA *rsa = RSA_new(); - BIGNUM *bn = BN_new(); - if(!bn || !rsa || !BN_set_word(bn, 0x10001) || - !RSA_generate_key_ex(rsa, newkey, bn, &cb) || - !EVP_PKEY_assign_RSA(pkey, rsa)) - { - if(bn) BN_free(bn); - if(rsa) RSA_free(rsa); + if (!genctx) + { + genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) goto end; - } - BN_free(bn); } - else -#endif -#ifndef OPENSSL_NO_DSA - if (pkey_type == TYPE_DSA) + + if (pkeyopts) { - if (!DSA_generate_key(dsa_params)) goto end; - if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end; - dsa_params=NULL; + char *genopt; + for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) + { + genopt = sk_OPENSSL_STRING_value(pkeyopts, i); + if (pkey_ctrl_string(genctx, genopt) <= 0) + { + BIO_printf(bio_err, + "parameter error \"%s\"\n", + genopt); + ERR_print_errors(bio_err); + goto end; + } + } } -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey_type == TYPE_EC) + + BIO_printf(bio_err,"Generating a %ld bit %s private key\n", + newkey, keyalgstr); + + EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); + EVP_PKEY_CTX_set_app_data(genctx, bio_err); + + if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { - if (!EC_KEY_generate_key(ec_params)) goto end; - if (!EVP_PKEY_assign_EC_KEY(pkey, ec_params)) - goto end; - ec_params = NULL; + BIO_puts(bio_err, "Error Generating Key\n"); + goto end; } -#endif - app_RAND_write_file(randfile, bio_err); + EVP_PKEY_CTX_free(genctx); + genctx = NULL; - if (pkey == NULL) goto end; + app_RAND_write_file(randfile, bio_err); if (keyout == NULL) { @@ -895,14 +795,7 @@ loop: BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif + if (req == NULL) { req=X509_REQ_new(); @@ -945,7 +838,7 @@ loop: if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end; - if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end; + if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; tmppkey = X509_REQ_get_pubkey(req); if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end; @@ -967,7 +860,10 @@ loop: } if (!(i=X509_sign(x509ss,pkey,digest))) + { + ERR_print_errors(bio_err); goto end; + } } else { @@ -988,7 +884,10 @@ loop: goto end; } if (!(i=X509_REQ_sign(req,pkey,digest))) + { + ERR_print_errors(bio_err); goto end; + } } } @@ -1125,7 +1024,7 @@ loop: } fprintf(stdout,"Modulus="); #ifndef OPENSSL_NO_RSA - if (tpubkey->type == EVP_PKEY_RSA) + if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) BN_print(out,tpubkey->pkey.rsa->n); else #endif @@ -1181,18 +1080,22 @@ end: BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); + if (genctx) + EVP_PKEY_CTX_free(genctx); + if (pkeyopts) + sk_OPENSSL_STRING_free(pkeyopts); +#ifndef OPENSSL_NO_ENGINE + if (gen_eng) + ENGINE_free(gen_eng); +#endif + if (keyalgstr) + OPENSSL_free(keyalgstr); X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); if(passargin && passin) OPENSSL_free(passin); if(passargout && passout) OPENSSL_free(passout); OBJ_cleanup(); -#ifndef OPENSSL_NO_DSA - if (dsa_params != NULL) DSA_free(dsa_params); -#endif -#ifndef OPENSSL_NO_ECDSA - if (ec_params != NULL) EC_KEY_free(ec_params); -#endif apps_shutdown(); OPENSSL_EXIT(ex); } @@ -1433,11 +1336,17 @@ start2: for (;;) BIO_snprintf(buf,sizeof buf,"%s_min",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) + { + ERR_clear_error(); n_min = -1; + } BIO_snprintf(buf,sizeof buf,"%s_max",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) + { + ERR_clear_error(); n_max = -1; + } if (!add_attribute_object(req, v->value,def,value,nid,n_min,n_max, chtype)) @@ -1538,7 +1447,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { @@ -1596,7 +1506,8 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,sizeof buf,stdin); + if (!fgets(buf,sizeof buf,stdin)) + return 0; } else { @@ -1639,24 +1550,6 @@ err: return(0); } -#ifndef OPENSSL_NO_RSA -static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb) - { - char c='*'; - - if (p == 0) c='.'; - if (p == 1) c='+'; - if (p == 2) c='*'; - if (p == 3) c='\n'; - BIO_write(cb->arg,&c,1); - (void)BIO_flush(cb->arg); -#ifdef LINT - p=n; -#endif - return 1; - } -#endif - static int req_check_len(int len, int n_min, int n_max) { if ((n_min > 0) && (len < n_min)) @@ -1683,3 +1576,183 @@ static int check_end(const char *str, const char *end) tmp = str + slen - elen; return strcmp(tmp, end); } + +static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, + long *pkeylen, char **palgnam, + ENGINE *keygen_engine) + { + EVP_PKEY_CTX *gctx = NULL; + EVP_PKEY *param = NULL; + long keylen = -1; + BIO *pbio = NULL; + const char *paramfile = NULL; + + if (gstr == NULL) + { + *pkey_type = EVP_PKEY_RSA; + keylen = *pkeylen; + } + else if (gstr[0] >= '0' && gstr[0] <= '9') + { + *pkey_type = EVP_PKEY_RSA; + keylen = atol(gstr); + *pkeylen = keylen; + } + else if (!strncmp(gstr, "param:", 6)) + paramfile = gstr + 6; + else + { + const char *p = strchr(gstr, ':'); + int len; + ENGINE *tmpeng; + const EVP_PKEY_ASN1_METHOD *ameth; + + if (p) + len = p - gstr; + else + len = strlen(gstr); + /* The lookup of a the string will cover all engines so + * keep a note of the implementation. + */ + + ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); + + if (!ameth) + { + BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr); + return NULL; + } + + EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, + ameth); +#ifndef OPENSSL_NO_ENGINE + if (tmpeng) + ENGINE_finish(tmpeng); +#endif + if (*pkey_type == EVP_PKEY_RSA) + { + if (p) + { + keylen = atol(p + 1); + *pkeylen = keylen; + } + } + else if (p) + paramfile = p + 1; + } + + if (paramfile) + { + pbio = BIO_new_file(paramfile, "r"); + if (!pbio) + { + BIO_printf(err, "Can't open parameter file %s\n", + paramfile); + return NULL; + } + param = PEM_read_bio_Parameters(pbio, NULL); + + if (!param) + { + X509 *x; + (void)BIO_reset(pbio); + x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); + if (x) + { + param = X509_get_pubkey(x); + X509_free(x); + } + } + + BIO_free(pbio); + + if (!param) + { + BIO_printf(err, "Error reading parameter file %s\n", + paramfile); + return NULL; + } + if (*pkey_type == -1) + *pkey_type = EVP_PKEY_id(param); + else if (*pkey_type != EVP_PKEY_base_id(param)) + { + BIO_printf(err, "Key Type does not match parameters\n"); + EVP_PKEY_free(param); + return NULL; + } + } + + if (palgnam) + { + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *tmpeng; + const char *anam; + ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); + if (!ameth) + { + BIO_puts(err, "Internal error: can't find key algorithm\n"); + return NULL; + } + EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); + *palgnam = BUF_strdup(anam); +#ifndef OPENSSL_NO_ENGINE + if (tmpeng) + ENGINE_finish(tmpeng); +#endif + } + + if (param) + { + gctx = EVP_PKEY_CTX_new(param, keygen_engine); + *pkeylen = EVP_PKEY_bits(param); + EVP_PKEY_free(param); + } + else + gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); + + if (!gctx) + { + BIO_puts(err, "Error allocating keygen context\n"); + ERR_print_errors(err); + return NULL; + } + + if (EVP_PKEY_keygen_init(gctx) <= 0) + { + BIO_puts(err, "Error initializing keygen context\n"); + ERR_print_errors(err); + return NULL; + } +#ifndef OPENSSL_NO_RSA + if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) + { + if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) + { + BIO_puts(err, "Error setting RSA keysize\n"); + ERR_print_errors(err); + EVP_PKEY_CTX_free(gctx); + return NULL; + } + } +#endif + + return gctx; + } + +static int genpkey_cb(EVP_PKEY_CTX *ctx) + { + char c='*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) c='.'; + if (p == 1) c='+'; + if (p == 2) c='*'; + if (p == 3) c='\n'; + BIO_write(b,&c,1); + (void)BIO_flush(b); +#ifdef LINT + p=n; +#endif + return 1; + } diff --git a/openssl/apps/rsa.c b/openssl/apps/rsa.c index 930f1f038..b3c8aff7e 100644 --- a/openssl/apps/rsa.c +++ b/openssl/apps/rsa.c @@ -115,6 +115,8 @@ int MAIN(int argc, char **argv) #endif int modulus=0; + int pvk_encr = 2; + apps_startup(); if (bio_err == NULL) @@ -177,6 +179,16 @@ int MAIN(int argc, char **argv) pubin=1; else if (strcmp(*argv,"-pubout") == 0) pubout=1; + else if (strcmp(*argv,"-RSAPublicKey_in") == 0) + pubin = 2; + else if (strcmp(*argv,"-RSAPublicKey_out") == 0) + pubout = 2; + else if (strcmp(*argv,"-pvk-strong") == 0) + pvk_encr=2; + else if (strcmp(*argv,"-pvk-weak") == 0) + pvk_encr=1; + else if (strcmp(*argv,"-pvk-none") == 0) + pvk_encr=0; else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -257,10 +269,23 @@ bad: EVP_PKEY *pkey; if (pubin) - pkey = load_pubkey(bio_err, infile, - (informat == FORMAT_NETSCAPE && sgckey ? - FORMAT_IISSGC : informat), 1, + { + int tmpformat=-1; + if (pubin == 2) + { + if (informat == FORMAT_PEM) + tmpformat = FORMAT_PEMRSA; + else if (informat == FORMAT_ASN1) + tmpformat = FORMAT_ASN1RSA; + } + else if (informat == FORMAT_NETSCAPE && sgckey) + tmpformat = FORMAT_IISSGC; + else + tmpformat = informat; + + pkey = load_pubkey(bio_err, infile, tmpformat, 1, passin, e, "Public Key"); + } else pkey = load_key(bio_err, infile, (informat == FORMAT_NETSCAPE && sgckey ? @@ -268,7 +293,7 @@ bad: passin, e, "Private Key"); if (pkey != NULL) - rsa = pkey == NULL ? NULL : EVP_PKEY_get1_RSA(pkey); + rsa = EVP_PKEY_get1_RSA(pkey); EVP_PKEY_free(pkey); } @@ -346,7 +371,13 @@ bad: } BIO_printf(bio_err,"writing RSA key\n"); if (outformat == FORMAT_ASN1) { - if(pubout || pubin) i=i2d_RSA_PUBKEY_bio(out,rsa); + if(pubout || pubin) + { + if (pubout == 2) + i=i2d_RSAPublicKey_bio(out,rsa); + else + i=i2d_RSA_PUBKEY_bio(out,rsa); + } else i=i2d_RSAPrivateKey_bio(out,rsa); } #ifndef OPENSSL_NO_RC4 @@ -370,14 +401,32 @@ bad: #endif else if (outformat == FORMAT_PEM) { if(pubout || pubin) - i=PEM_write_bio_RSA_PUBKEY(out,rsa); + { + if (pubout == 2) + i=PEM_write_bio_RSAPublicKey(out,rsa); + else + i=PEM_write_bio_RSA_PUBKEY(out,rsa); + } else i=PEM_write_bio_RSAPrivateKey(out,rsa, enc,NULL,0,NULL,passout); +#ifndef OPENSSL_NO_DSA + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + EVP_PKEY_set1_RSA(pk, rsa); + if (outformat == FORMAT_PVK) + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); + else if (pubin || pubout) + i = i2b_PublicKey_bio(out, pk); + else + i = i2b_PrivateKey_bio(out, pk); + EVP_PKEY_free(pk); +#endif } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } - if (!i) + if (i <= 0) { BIO_printf(bio_err,"unable to write key\n"); ERR_print_errors(bio_err); diff --git a/openssl/apps/rsautl.c b/openssl/apps/rsautl.c index 923e2b682..b01f004eb 100644 --- a/openssl/apps/rsautl.c +++ b/openssl/apps/rsautl.c @@ -342,4 +342,10 @@ static void usage() } +#else /* !OPENSSL_NO_RSA */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/openssl/apps/s_apps.h b/openssl/apps/s_apps.h index 08fbbc222..820e5c581 100644 --- a/openssl/apps/s_apps.h +++ b/openssl/apps/s_apps.h @@ -117,7 +117,7 @@ #include <conio.h> #endif -#ifdef OPENSSL_SYS_MSDOS +#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) #define _kbhit kbhit #endif @@ -162,7 +162,7 @@ int extract_port(char *str, short *port_ptr); int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret); + int argi, long argl, long ret); #ifdef HEADER_SSL_H void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret); @@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, unsigned char *data, int len, void *arg); #endif + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len); +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len); diff --git a/openssl/apps/s_cb.c b/openssl/apps/s_cb.c index a512589e8..c4f551224 100644 --- a/openssl/apps/s_cb.c +++ b/openssl/apps/s_cb.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -117,16 +117,21 @@ #undef NON_MAIN #undef USE_SOCKETS #include <openssl/err.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/ssl.h> #include "s_apps.h" +#define COOKIE_SECRET_LENGTH 16 + int verify_depth=0; int verify_error=X509_V_OK; +int verify_return_error=0; +unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +int cookie_initialized=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { - char buf[256]; X509 *err_cert; int err,depth; @@ -134,15 +139,23 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); - BIO_printf(bio_err,"depth=%d %s\n",depth,buf); + BIO_printf(bio_err,"depth=%d ",depth); + if (err_cert) + { + X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "<no cert>\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, X509_verify_cert_error_string(err)); if (verify_depth >= depth) { - ok=1; + if (!verify_return_error) + ok=1; verify_error=X509_V_OK; } else @@ -151,25 +164,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } } - switch (ctx->error) + switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); - BIO_printf(bio_err,"issuer= %s\n",buf); + BIO_puts(bio_err,"issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); - ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); - ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); BIO_printf(bio_err,"\n"); break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(bio_err, ctx); + break; } + if (err == X509_V_OK && ok == 2) + policies_print(bio_err, ctx); + BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } @@ -258,7 +279,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key) } long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret) + int argi, long argl, long ret) { BIO *out; @@ -267,15 +288,15 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { - BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", - (void *)bio,argp,argi,ret,ret); + BIO_printf(out,"read from %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio,argp,(unsigned long)argi,ret,ret); BIO_dump(out,argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { - BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", - (void *)bio,argp,argi,ret,ret); + BIO_printf(out,"write to %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio,argp,(unsigned long)argi,ret,ret); BIO_dump(out,argp,(int)ret); } return(ret); @@ -336,6 +357,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case TLS1_VERSION: str_version = "TLS 1.0 "; break; + case DTLS1_VERSION: + str_version = "DTLS 1.0 "; + break; + case DTLS1_BAD_VER: + str_version = "DTLS 1.0 (bad) "; + break; default: str_version = "???"; } @@ -401,7 +428,10 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * } } - if (version == SSL3_VERSION || version == TLS1_VERSION) + if (version == SSL3_VERSION || + version == TLS1_VERSION || + version == DTLS1_VERSION || + version == DTLS1_BAD_VER) { switch (content_type) { @@ -504,6 +534,21 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 100: str_details2 = " no_renegotiation"; break; + case 110: + str_details2 = " unsupported_extension"; + break; + case 111: + str_details2 = " certificate_unobtainable"; + break; + case 112: + str_details2 = " unrecognized_name"; + break; + case 113: + str_details2 = " bad_certificate_status_response"; + break; + case 114: + str_details2 = " bad_certificate_hash_value"; + break; } } } @@ -525,6 +570,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 2: str_details1 = ", ServerHello"; break; + case 3: + str_details1 = ", HelloVerifyRequest"; + break; case 11: str_details1 = ", Certificate"; break; @@ -621,6 +669,15 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, extname = "server ticket"; break; + case TLSEXT_TYPE_renegotiate: + extname = "renegotiate"; + break; + +#ifdef TLSEXT_TYPE_opaque_prf_input + case TLSEXT_TYPE_opaque_prf_input: + extname = "opaque PRF input"; + break; +#endif default: extname = "unknown"; @@ -634,3 +691,172 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, BIO_dump(bio, (char *)data, len); (void)BIO_flush(bio); } + +int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + union { + struct sockaddr sa; + struct sockaddr_in s4; +#if OPENSSL_USE_IPV6 + struct sockaddr_in6 s6; +#endif + } peer; + + /* Initialize a random secret */ + if (!cookie_initialized) + { + if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) + { + BIO_printf(bio_err,"error setting random cookie secret\n"); + return 0; + } + cookie_initialized = 1; + } + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = 0; + switch (peer.sa.sa_family) + { + case AF_INET: + length += sizeof(struct in_addr); + length += sizeof(peer.s4.sin_port); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + length += sizeof(struct in6_addr); + length += sizeof(peer.s6.sin6_port); + break; +#endif + default: + OPENSSL_assert(0); + break; + } + buffer = OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + switch (peer.sa.sa_family) + { + case AF_INET: + memcpy(buffer, + &peer.s4.sin_port, + sizeof(peer.s4.sin_port)); + memcpy(buffer + sizeof(peer.s4.sin_port), + &peer.s4.sin_addr, + sizeof(struct in_addr)); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + memcpy(buffer, + &peer.s6.sin6_port, + sizeof(peer.s6.sin6_port)); + memcpy(buffer + sizeof(peer.s6.sin6_port), + &peer.s6.sin6_addr, + sizeof(struct in6_addr)); + break; +#endif + default: + OPENSSL_assert(0); + break; + } + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + memcpy(cookie, result, resultlength); + *cookie_len = resultlength; + + return 1; + } + +int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len) + { + unsigned char *buffer, result[EVP_MAX_MD_SIZE]; + unsigned int length, resultlength; + union { + struct sockaddr sa; + struct sockaddr_in s4; +#if OPENSSL_USE_IPV6 + struct sockaddr_in6 s6; +#endif + } peer; + + /* If secret isn't initialized yet, the cookie can't be valid */ + if (!cookie_initialized) + return 0; + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); + + /* Create buffer with peer's address and port */ + length = 0; + switch (peer.sa.sa_family) + { + case AF_INET: + length += sizeof(struct in_addr); + length += sizeof(peer.s4.sin_port); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + length += sizeof(struct in6_addr); + length += sizeof(peer.s6.sin6_port); + break; +#endif + default: + OPENSSL_assert(0); + break; + } + buffer = OPENSSL_malloc(length); + + if (buffer == NULL) + { + BIO_printf(bio_err,"out of memory\n"); + return 0; + } + + switch (peer.sa.sa_family) + { + case AF_INET: + memcpy(buffer, + &peer.s4.sin_port, + sizeof(peer.s4.sin_port)); + memcpy(buffer + sizeof(peer.s4.sin_port), + &peer.s4.sin_addr, + sizeof(struct in_addr)); + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: + memcpy(buffer, + &peer.s6.sin6_port, + sizeof(peer.s6.sin6_port)); + memcpy(buffer + sizeof(peer.s6.sin6_port), + &peer.s6.sin6_addr, + sizeof(struct in6_addr)); + break; +#endif + default: + OPENSSL_assert(0); + break; + } + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, result, &resultlength); + OPENSSL_free(buffer); + + if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) + return 1; + + return 0; + } diff --git a/openssl/apps/s_client.c b/openssl/apps/s_client.c index 4974f5fc9..34ad2cec7 100644 --- a/openssl/apps/s_client.c +++ b/openssl/apps/s_client.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -108,8 +108,35 @@ * Hudson (tjh@cryptsoft.com). * */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ #include <assert.h> +#include <ctype.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -135,23 +162,19 @@ typedef unsigned int u_int; #include <openssl/pem.h> #include <openssl/rand.h> #include <openssl/ocsp.h> +#include <openssl/bn.h> #include "s_apps.h" #include "timeouts.h" -#ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) -#endif - - #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO #endif +#if defined(OPENSSL_SYS_BEOS_R5) +#include <fcntl.h> +#endif + #undef PROG #define PROG s_client_main @@ -166,6 +189,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; +extern int verify_return_error; #ifdef FIONBIO static int c_nbio=0; @@ -188,6 +212,69 @@ static BIO *bio_c_out=NULL; static int c_quiet=0; static int c_ign_eof=0; +#ifndef OPENSSL_NO_PSK +/* Default PSK identity and key */ +static char *psk_identity="Client_identity"; +/*char *psk_key=NULL; by default PSK is not used */ + +static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, + unsigned int max_identity_len, unsigned char *psk, + unsigned int max_psk_len) + { + unsigned int psk_len = 0; + int ret; + BIGNUM *bn=NULL; + + if (c_debug) + BIO_printf(bio_c_out, "psk_client_cb\n"); + if (!hint) + { + /* no ServerKeyExchange message*/ + if (c_debug) + BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); + } + else if (c_debug) + BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); + + /* lookup PSK identity and PSK key based on the given identity hint here */ + ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); + if (ret < 0 || (unsigned int)ret > max_identity_len) + goto out_err; + if (c_debug) + BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); + ret=BN_hex2bn(&bn, psk_key); + if (!ret) + { + BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); + if (bn) + BN_free(bn); + return 0; + } + + if ((unsigned int)BN_num_bytes(bn) > max_psk_len) + { + BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", + max_psk_len, BN_num_bytes(bn)); + BN_free(bn); + return 0; + } + + psk_len=BN_bn2bin(bn, psk); + BN_free(bn); + if (psk_len == 0) + goto out_err; + + if (c_debug) + BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); + + return psk_len; + out_err: + if (c_debug) + BIO_printf(bio_err, "Error in PSK client callback\n"); + return 0; + } +#endif + static void sc_usage(void) { BIO_printf(bio_err,"usage: s_client args\n"); @@ -196,7 +283,7 @@ static void sc_usage(void) BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); - BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n"); + BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); @@ -222,11 +309,18 @@ static void sc_usage(void) BIO_printf(bio_err," -quiet - no s_client output\n"); BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); +#ifndef OPENSSL_NO_PSK + BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); + BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif +#endif BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err," -mtu - set the MTU\n"); + BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); @@ -249,6 +343,7 @@ static void sc_usage(void) BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); #endif + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); } #ifndef OPENSSL_NO_TLSEXT @@ -272,6 +367,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } #endif + enum { PROTO_OFF = 0, @@ -286,9 +382,8 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - int off=0; - SSL *con=NULL,*con2=NULL; - X509_STORE *store = NULL; + unsigned int off=0, clr=0; + SSL *con=NULL; int s,k,width,state=0; char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; int cbuf_len,cbuf_off; @@ -309,25 +404,27 @@ int MAIN(int argc, char **argv) SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; int starttls_proto = PROTO_OFF; - int prexit = 0, vflags = 0; - SSL_METHOD *meth=NULL; -#ifdef sock_type -#undef sock_type -#endif - int sock_type=SOCK_STREAM; + int prexit = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; + const SSL_METHOD *meth=NULL; + int socket_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; int mbuf_len=0; + struct timeval timeout, *timeoutp; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; char *ssl_client_engine_id=NULL; ENGINE *ssl_client_engine=NULL; #endif ENGINE *e=NULL; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) struct timeval tv; +#if defined(OPENSSL_SYS_BEOS_R5) + int stdin_set = 0; +#endif #endif - #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; tlsextctx tlsextcbp = @@ -338,7 +435,7 @@ int MAIN(int argc, char **argv) struct sockaddr peer; int peerlen = sizeof(peer); int enable_timeouts = 0 ; - long mtu = 0; + long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE char *jpake_secret = NULL; #endif @@ -427,10 +524,14 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_format = str2fmt(*(++argv)); } - else if (strcmp(*argv,"-crl_check") == 0) - vflags |= X509_V_FLAG_CRL_CHECK; - else if (strcmp(*argv,"-crl_check_all") == 0) - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) + { + if (badarg) + goto bad; + continue; + } + else if (strcmp(*argv,"-verify_return_error") == 0) + verify_return_error = 1; else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -466,6 +567,27 @@ int MAIN(int argc, char **argv) nbio_test=1; else if (strcmp(*argv,"-state") == 0) state=1; +#ifndef OPENSSL_NO_PSK + else if (strcmp(*argv,"-psk_identity") == 0) + { + if (--argc < 1) goto bad; + psk_identity=*(++argv); + } + else if (strcmp(*argv,"-psk") == 0) + { + size_t j; + + if (--argc < 1) goto bad; + psk_key=*(++argv); + for (j = 0; j < strlen(psk_key); j++) + { + if (isxdigit((int)psk_key[j])) + continue; + BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); + goto bad; + } + } +#endif #ifndef OPENSSL_NO_SSL2 else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); @@ -482,14 +604,14 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-dtls1") == 0) { meth=DTLSv1_client_method(); - sock_type=SOCK_DGRAM; + socket_type=SOCK_DGRAM; } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } #endif else if (strcmp(*argv,"-bugs") == 0) @@ -529,12 +651,20 @@ int MAIN(int argc, char **argv) off|=SSL_OP_NO_SSLv3; else if (strcmp(*argv,"-no_ssl2") == 0) off|=SSL_OP_NO_SSLv2; + else if (strcmp(*argv,"-no_comp") == 0) + { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-no_ticket") == 0) { off|=SSL_OP_NO_TICKET; } #endif else if (strcmp(*argv,"-serverpref") == 0) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + else if (strcmp(*argv,"-legacy_server_connect") == 0) + { off|=SSL_OP_LEGACY_SERVER_CONNECT; } + else if (strcmp(*argv,"-no_legacy_server_connect") == 0) + { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -609,6 +739,26 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + } + + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; +#endif + OpenSSL_add_ssl_algorithms(); SSL_load_error_strings(); @@ -624,6 +774,7 @@ bad: goto end; } } + #endif if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { @@ -691,6 +842,9 @@ bad: goto end; } + if (vpm) + SSL_CTX_set1_param(ctx, vpm); + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -705,14 +859,29 @@ bad: } #endif +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE + if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif + { + if (c_debug) + BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); + SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); + } +#endif if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); + + if (clr) + SSL_CTX_clear_options(ctx, clr); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ - if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); + if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) @@ -738,8 +907,6 @@ bad: /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { @@ -784,7 +951,6 @@ bad: } } #endif - #ifndef OPENSSL_NO_KRB5 if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL) { @@ -792,10 +958,15 @@ bad: } #endif /* OPENSSL_NO_KRB5 */ /* SSL_set_cipher_list(con,"RC4-MD5"); */ +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input + SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); +#endif +#endif re_start: - if (init_client(&s,host,port,sock_type) == 0) + if (init_client(&s,host,port,socket_type) == 0) { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); @@ -819,7 +990,6 @@ re_start: if ( SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); if (getsockname(s, &peer, (void *)&peerlen) < 0) @@ -832,7 +1002,7 @@ re_start: (void)BIO_ctrl_set_connected(sbio, 1, &peer); - if ( enable_timeouts) + if (enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; @@ -843,10 +1013,10 @@ re_start: BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1036,6 +1206,12 @@ SSL_set_tlsext_status_ids(con, ids); FD_ZERO(&readfds); FD_ZERO(&writefds); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { in_init=1; @@ -1047,6 +1223,14 @@ SSL_set_tlsext_status_ids(con, ids); if (in_init) { in_init=0; +#if 0 /* This test doesn't really work as intended (needs to be fixed) */ +#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL && !SSL_session_reused(con)) + { + BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); + } +#endif +#endif if (sess_out) { BIO *stmp = BIO_new_file(sess_out, "w"); @@ -1084,22 +1268,22 @@ SSL_set_tlsext_status_ids(con, ids); if (!ssl_pending) { -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5) if (tty_on) { - if (read_tty) FD_SET(fileno(stdin),&readfds); - if (write_tty) FD_SET(fileno(stdout),&writefds); + if (read_tty) openssl_fdset(fileno(stdin),&readfds); + if (write_tty) openssl_fdset(fileno(stdout),&writefds); } if (read_ssl) - FD_SET(SSL_get_fd(con),&readfds); + openssl_fdset(SSL_get_fd(con),&readfds); if (write_ssl) - FD_SET(SSL_get_fd(con),&writefds); + openssl_fdset(SSL_get_fd(con),&writefds); #else if(!tty_on || !write_tty) { if (read_ssl) - FD_SET(SSL_get_fd(con),&readfds); + openssl_fdset(SSL_get_fd(con),&readfds); if (write_ssl) - FD_SET(SSL_get_fd(con),&writefds); + openssl_fdset(SSL_get_fd(con),&writefds); } #endif /* printf("mode tty(%d %d%d) ssl(%d%d)\n", @@ -1132,7 +1316,7 @@ SSL_set_tlsext_status_ids(con, ids); if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; #endif } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #elif defined(OPENSSL_SYS_NETWARE) if(!write_tty) { @@ -1142,11 +1326,30 @@ SSL_set_tlsext_status_ids(con, ids); i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); + } +#elif defined(OPENSSL_SYS_BEOS_R5) + /* Under BeOS-R5 the situation is similar to DOS */ + i=0; + stdin_set = 0; + (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); + if(!write_tty) { + if(read_tty) { + tv.tv_sec = 1; + tv.tv_usec = 0; + i=select(width,(void *)&readfds,(void *)&writefds, + NULL,&tv); + if (read(fileno(stdin), sbuf, 0) >= 0) + stdin_set = 1; + if (!i && (stdin_set != 1 || !read_tty)) + continue; + } else i=select(width,(void *)&readfds,(void *)&writefds, + NULL,timeoutp); } + (void)fcntl(fileno(stdin), F_SETFL, 0); #else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); #endif if ( i < 0) { @@ -1157,6 +1360,11 @@ SSL_set_tlsext_status_ids(con, ids); } } + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) { k=SSL_write(con,&(cbuf[cbuf_off]), @@ -1197,6 +1405,7 @@ SSL_set_tlsext_status_ids(con, ids); if (cbuf_len != 0) { BIO_printf(bio_c_out,"shutdown\n"); + ret = 0; goto shut; } else @@ -1224,8 +1433,8 @@ SSL_set_tlsext_status_ids(con, ids); goto shut; } } -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) - /* Assume Windows/DOS can always write */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) + /* Assume Windows/DOS/BeOS can always write */ else if (!ssl_pending && write_tty) #else else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) @@ -1234,11 +1443,12 @@ SSL_set_tlsext_status_ids(con, ids); #ifdef CHARSET_EBCDIC ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); #endif - i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len); + i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len); if (i <= 0) { BIO_printf(bio_c_out,"DONE\n"); + ret = 0; goto shut; /* goto end; */ } @@ -1293,10 +1503,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 BIO_printf(bio_c_out,"read X BLOCK\n"); break; case SSL_ERROR_SYSCALL: - BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error()); + ret=get_last_socket_error(); + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); + ret=0; goto shut; case SSL_ERROR_SSL: ERR_print_errors(bio_err); @@ -1312,7 +1524,9 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) #endif #elif defined (OPENSSL_SYS_NETWARE) - else if (_kbhit()) + else if (_kbhit()) +#elif defined(OPENSSL_SYS_BEOS_R5) + else if (stdin_set) #else else if (FD_ISSET(fileno(stdin),&readfds)) #endif @@ -1321,7 +1535,7 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 { int j, lf_num; - i=read(fileno(stdin),cbuf,BUFSIZZ/2); + i=raw_read_stdin(cbuf,BUFSIZZ/2); lf_num = 0; /* both loops are skipped when i <= 0 */ for (j = 0; j < i; j++) @@ -1340,11 +1554,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 assert(lf_num == 0); } else - i=read(fileno(stdin),cbuf,BUFSIZZ); + i=raw_read_stdin(cbuf,BUFSIZZ); if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { BIO_printf(bio_err,"DONE\n"); + ret=0; goto shut; } @@ -1367,14 +1582,20 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 read_tty=0; } } + + ret=0; shut: + if (in_init) + print_stuff(bio_c_out,con,full_log); SSL_shutdown(con); SHUTDOWN(SSL_get_fd(con)); - ret=0; end: - if(prexit) print_stuff(bio_c_out,con,1); - if (con != NULL) SSL_free(con); - if (con2 != NULL) SSL_free(con2); + if (con != NULL) + { + if (prexit != 0) + print_stuff(bio_c_out,con,1); + SSL_free(con); + } if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); @@ -1403,7 +1624,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) char buf[BUFSIZ]; STACK_OF(X509) *sk; STACK_OF(X509_NAME) *sk2; - SSL_CIPHER *c; + const SSL_CIPHER *c; X509_NAME *xn; int j,i; #ifndef OPENSSL_NO_COMP @@ -1511,6 +1732,8 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); } + BIO_printf(bio, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); #ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); @@ -1554,4 +1777,5 @@ static int ocsp_resp_cb(SSL *s, void *arg) OCSP_RESPONSE_free(rsp); return 1; } -#endif /* ndef OPENSSL_NO_TLSEXT */ + +#endif diff --git a/openssl/apps/s_server.c b/openssl/apps/s_server.c index 84b1b2846..1a06d19bb 100644 --- a/openssl/apps/s_server.c +++ b/openssl/apps/s_server.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -113,6 +113,32 @@ * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ /* Until the key-gen callbacks are modified to use newer prototypes, we allow * deprecated functions for openssl-internal code */ @@ -121,11 +147,11 @@ #endif #include <assert.h> +#include <ctype.h> #include <stdio.h> #include <stdlib.h> #include <string.h> -#include <sys/stat.h> #include <openssl/e_os2.h> #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 @@ -163,19 +189,15 @@ typedef unsigned int u_int; #include "s_apps.h" #include "timeouts.h" -#ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) -#endif - #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO #endif +#if defined(OPENSSL_SYS_BEOS_R5) +#include <fcntl.h> +#endif + #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif @@ -196,14 +218,6 @@ static DH *get_dh512(void); static void s_server_init(void); #endif -#ifndef S_ISDIR -# if defined(_S_IFMT) && defined(_S_IFDIR) -# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) -# else -# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) -# endif -#endif - #ifndef OPENSSL_NO_DH static unsigned char dh512_p[]={ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, @@ -245,7 +259,7 @@ static int accept_socket= -1; #undef PROG #define PROG s_server_main -extern int verify_depth; +extern int verify_depth, verify_return_error; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; @@ -283,12 +297,77 @@ static char *engine_id=NULL; static const char *session_id_prefix=NULL; static int enable_timeouts = 0; -#ifdef mtu -#undef mtu -#endif -static long mtu; +static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; +#endif + +#ifndef OPENSSL_NO_PSK +static char *psk_identity="Client_identity"; +char *psk_key=NULL; /* by default PSK is not used */ + +static unsigned int psk_server_cb(SSL *ssl, const char *identity, + unsigned char *psk, unsigned int max_psk_len) + { + unsigned int psk_len = 0; + int ret; + BIGNUM *bn = NULL; + if (s_debug) + BIO_printf(bio_s_out,"psk_server_cb\n"); + if (!identity) + { + BIO_printf(bio_err,"Error: client did not send PSK identity\n"); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out,"identity_len=%d identity=%s\n", + identity ? (int)strlen(identity) : 0, identity); + + /* here we could lookup the given identity e.g. from a database */ + if (strcmp(identity, psk_identity) != 0) + { + BIO_printf(bio_s_out, "PSK error: client identity not found" + " (got '%s' expected '%s')\n", identity, + psk_identity); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out, "PSK client identity found\n"); + + /* convert the PSK key to binary */ + ret = BN_hex2bn(&bn, psk_key); + if (!ret) + { + BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); + if (bn) + BN_free(bn); + return 0; + } + if (BN_num_bytes(bn) > (int)max_psk_len) + { + BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", + max_psk_len, BN_num_bytes(bn)); + BN_free(bn); + return 0; + } + + ret = BN_bn2bin(bn, psk); + BN_free(bn); + + if (ret < 0) + goto out_err; + psk_len = (unsigned int)ret; + + if (s_debug) + BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); + return psk_len; + out_err: + if (s_debug) + BIO_printf(bio_err, "Error in PSK server callback\n"); + return 0; + } +#endif #ifdef MONOLITH static void s_server_init(void) @@ -353,7 +432,7 @@ static void sv_usage(void) #ifndef OPENSSL_NO_ECDH BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is sect163r2).\n"); + " (default is nistp256).\n"); #endif #ifdef FIONBIO BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); @@ -370,12 +449,19 @@ static void sv_usage(void) BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); BIO_printf(bio_err," -quiet - No server output\n"); BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); +#ifndef OPENSSL_NO_PSK + BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); + BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif +#endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); @@ -405,6 +491,7 @@ static void sv_usage(void) BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); #endif } @@ -587,7 +674,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return p->extension_error; if (ctx2) { - BIO_printf(p->biodebug,"Swiching server context.\n"); + BIO_printf(p->biodebug,"Switching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } @@ -626,7 +713,7 @@ static int cert_status_cb(SSL *s, void *arg) int use_ssl; unsigned char *rspder = NULL; int rspderlen; - STACK *aia = NULL; + STACK_OF(OPENSSL_STRING) *aia = NULL; X509 *x = NULL; X509_STORE_CTX inctx; X509_OBJECT obj; @@ -648,7 +735,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); aia = X509_get1_ocsp(x); if (aia) { - if (!OCSP_parse_url(sk_value(aia, 0), + if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &host, &port, &path, &use_ssl)) { BIO_puts(err, "cert_status: can't parse AIA URL\n"); @@ -656,7 +743,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); } if (srctx->verbose) BIO_printf(err, "cert_status: AIA URL: %s\n", - sk_value(aia, 0)); + sk_OPENSSL_STRING_value(aia, 0)); } else { @@ -701,7 +788,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err; } - resp = process_responder(err, req, host, path, port, use_ssl, + resp = process_responder(err, req, host, path, port, use_ssl, NULL, srctx->timeout); if (!resp) { @@ -740,6 +827,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); goto done; } #endif + int MAIN(int, char **); #ifndef OPENSSL_NO_JPAKE @@ -748,8 +836,8 @@ static char *jpake_secret = NULL; int MAIN(int argc, char *argv[]) { - X509_STORE *store = NULL; - int vflags = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; @@ -762,8 +850,8 @@ int MAIN(int argc, char *argv[]) int off=0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; - SSL_METHOD *meth=NULL; - int socket_type=SOCK_STREAM; + const SSL_METHOD *meth=NULL; + int socket_type=SOCK_STREAM; ENGINE *e=NULL; char *inrand=NULL; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; @@ -772,6 +860,7 @@ int MAIN(int argc, char *argv[]) int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; X509 *s_cert = NULL, *s_dcert = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; + int no_cache = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; @@ -779,7 +868,10 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif - +#ifndef OPENSSL_NO_PSK + /* by default do not send a PSK identity hint */ + static char *psk_identity_hint=NULL; +#endif #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); #elif !defined(OPENSSL_NO_SSL3) @@ -911,16 +1003,20 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } - else if (strcmp(*argv,"-crl_check") == 0) - { - vflags |= X509_V_FLAG_CRL_CHECK; - } - else if (strcmp(*argv,"-crl_check_all") == 0) + else if (strcmp(*argv,"-no_cache") == 0) + no_cache = 1; + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + if (badarg) + goto bad; + continue; } + else if (strcmp(*argv,"-verify_return_error") == 0) + verify_return_error = 1; else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } + else if (strcmp(*argv,"-legacy_renegotiation") == 0) + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; @@ -993,6 +1089,27 @@ int MAIN(int argc, char *argv[]) { no_dhe=1; } else if (strcmp(*argv,"-no_ecdhe") == 0) { no_ecdhe=1; } +#ifndef OPENSSL_NO_PSK + else if (strcmp(*argv,"-psk_hint") == 0) + { + if (--argc < 1) goto bad; + psk_identity_hint= *(++argv); + } + else if (strcmp(*argv,"-psk") == 0) + { + size_t i; + + if (--argc < 1) goto bad; + psk_key=*(++argv); + for (i=0; i<strlen(psk_key); i++) + { + if (isxdigit((int)psk_key[i])) + continue; + BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); + goto bad; + } + } +#endif else if (strcmp(*argv,"-www") == 0) { www=1; } else if (strcmp(*argv,"-WWW") == 0) @@ -1005,6 +1122,8 @@ int MAIN(int argc, char *argv[]) { off|=SSL_OP_NO_SSLv3; } else if (strcmp(*argv,"-no_tls1") == 0) { off|=SSL_OP_NO_TLSv1; } + else if (strcmp(*argv,"-no_comp") == 0) + { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-no_ticket") == 0) { off|=SSL_OP_NO_TICKET; } @@ -1032,7 +1151,7 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-mtu") == 0) { if (--argc < 1) goto bad; - mtu = atol(*(++argv)); + socket_mtu = atol(*(++argv)); } else if (strcmp(*argv, "-chain") == 0) cert_chain = 1; @@ -1074,7 +1193,7 @@ int MAIN(int argc, char *argv[]) } #endif -#ifndef OPENSSL_NO_JPAKE +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) { if (--argc < 1) goto bad; @@ -1097,6 +1216,26 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; + } + +#endif + SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -1159,6 +1298,8 @@ bad: } #endif } + + if (s_dcert_file) { @@ -1253,8 +1394,10 @@ bad: if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - - SSL_CTX_sess_set_cache_size(ctx,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx,128); #if 0 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); @@ -1275,8 +1418,9 @@ bad: ERR_print_errors(bio_err); /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx, vpm); + #ifndef OPENSSL_NO_TLSEXT if (s_cert2) { @@ -1312,28 +1456,28 @@ bad: if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx2,off); - /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); - if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); - SSL_CTX_sess_set_cache_size(ctx2,128); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); + else + SSL_CTX_sess_set_cache_size(ctx2,128); if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx2))) { ERR_print_errors(bio_err); } - store = SSL_CTX_get_cert_store(ctx2); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx2, vpm); } #endif - #ifndef OPENSSL_NO_DH if (!no_dhe) { @@ -1409,10 +1553,10 @@ bad: else { BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); - ecdh = EC_KEY_new_by_curve_name(NID_sect163r2); + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (sect163r2)\n"); + BIO_printf(bio_err, "unable to create curve (nistp256)\n"); goto end; } } @@ -1447,7 +1591,7 @@ bad: #ifndef OPENSSL_NO_TLSEXT if (ctx2) SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); -#endif +#endif } #else if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) @@ -1480,11 +1624,34 @@ bad: #endif #endif - if (cipher != NULL) - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { - BIO_printf(bio_err,"error setting cipher list\n"); +#ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE + if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif + { + if (s_debug) + BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); + SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); + } + + if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) + { + BIO_printf(bio_err,"error setting PSK identity hint to context\n"); ERR_print_errors(bio_err); goto end; + } +#endif + + if (cipher != NULL) + { + if(!SSL_CTX_set_cipher_list(ctx,cipher)) + { + BIO_printf(bio_err,"error setting cipher list\n"); + ERR_print_errors(bio_err); + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) { @@ -1493,11 +1660,15 @@ bad: goto end; } #endif - } + } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); + /* Set DTLS cookie generation and verification callbacks */ + SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); + SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); + #ifndef OPENSSL_NO_TLSEXT if (ctx2) { @@ -1512,6 +1683,7 @@ bad: SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } #endif + if (CAfile != NULL) { SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); @@ -1520,7 +1692,9 @@ bad: SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile)); #endif } + BIO_printf(bio_s_out,"ACCEPT\n"); + (void)BIO_flush(bio_s_out); if (www) do_server(port,socket_type,&accept_socket,www_body, context); else @@ -1591,8 +1765,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) + struct timeval timeout; +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) struct timeval tv; +#else + struct timeval *timeoutp; #endif if ((buf=OPENSSL_malloc(bufsize)) == NULL) @@ -1641,14 +1818,18 @@ static int sv_body(char *hostname, int s, unsigned char *context) strlen((char *)context)); } SSL_clear(con); +#if 0 +#ifdef TLSEXT_TYPE_opaque_prf_input + SSL_set_tlsext_opaque_prf_input(con, "Test server", 11); +#endif +#endif if (SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); - if ( enable_timeouts) + if (enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; @@ -1659,11 +1840,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - - if ( mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1722,10 +1902,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (!read_from_sslcon) { FD_ZERO(&readfds); -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) - FD_SET(fileno(stdin),&readfds); +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5) + openssl_fdset(fileno(stdin),&readfds); #endif - FD_SET(s,&readfds); + openssl_fdset(s,&readfds); /* Note: under VMS with SOCKETSHR the second parameter is * currently of type (int *) whereas under other systems * it is (void *) if you don't have a cast it will choke @@ -1744,8 +1924,31 @@ static int sv_body(char *hostname, int s, unsigned char *context) if((i < 0) || (!i && !_kbhit() ) )continue; if(_kbhit()) read_from_terminal = 1; +#elif defined(OPENSSL_SYS_BEOS_R5) + /* Under BeOS-R5 the situation is similar to DOS */ + tv.tv_sec = 1; + tv.tv_usec = 0; + (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); + i=select(width,(void *)&readfds,NULL,NULL,&tv); + if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0)) + continue; + if (read(fileno(stdin), buf, 0) >= 0) + read_from_terminal = 1; + (void)fcntl(fileno(stdin), F_SETFL, 0); #else - i=select(width,(void *)&readfds,NULL,NULL,NULL); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + i=select(width,(void *)&readfds,NULL,NULL,timeoutp); + + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (i <= 0) continue; if (FD_ISSET(fileno(stdin),&readfds)) read_from_terminal = 1; @@ -1759,7 +1962,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) { int j, lf_num; - i=read(fileno(stdin), buf, bufsize/2); + i=raw_read_stdin(buf, bufsize/2); lf_num = 0; /* both loops are skipped when i <= 0 */ for (j = 0; j < i; j++) @@ -1778,7 +1981,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) assert(lf_num == 0); } else - i=read(fileno(stdin),buf,bufsize); + i=raw_read_stdin(buf,bufsize); if (!s_quiet) { if ((i <= 0) || (buf[0] == 'Q')) @@ -1798,6 +2001,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) ret= -11;*/ goto err; } + if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) { @@ -1894,7 +2098,7 @@ again: #ifdef CHARSET_EBCDIC ascii2ebcdic(buf,buf,i); #endif - write(fileno(stdout),buf, + raw_write_stdout(buf, (unsigned int)i); if (SSL_pending(con)) goto again; break; @@ -1918,13 +2122,16 @@ again: } } err: - BIO_printf(bio_s_out,"shutting down SSL\n"); + if (con != NULL) + { + BIO_printf(bio_s_out,"shutting down SSL\n"); #if 1 - SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #else - SSL_shutdown(con); + SSL_shutdown(con); #endif - if (con != NULL) SSL_free(con); + SSL_free(con); + } BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); if (buf != NULL) { @@ -2002,6 +2209,8 @@ static int init_ssl_connection(SSL *con) con->kssl_ctx->client_princ); } #endif /* OPENSSL_NO_KRB5 */ + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); return(1); } @@ -2046,9 +2255,8 @@ static int www_body(char *hostname, int s, unsigned char *context) char *buf=NULL; int ret=1; int i,j,k,blank,dot; - struct stat st_buf; SSL *con; - SSL_CIPHER *c; + const SSL_CIPHER *c; BIO *io,*ssl_bio,*sbio; long total_bytes; @@ -2318,14 +2526,7 @@ static int www_body(char *hostname, int s, unsigned char *context) #endif /* if a directory, do the index thang */ - if (stat(p,&st_buf) < 0) - { - BIO_puts(io,text); - BIO_printf(io,"Error accessing '%s'\r\n",p); - ERR_print_errors(io); - break; - } - if (S_ISDIR(st_buf.st_mode)) + if (app_isdir(p)>0) { #if 0 /* must check buffer size */ strcat(p,"/index.html"); diff --git a/openssl/apps/s_socket.c b/openssl/apps/s_socket.c index 4a922e16a..6b8713de6 100644 --- a/openssl/apps/s_socket.c +++ b/openssl/apps/s_socket.c @@ -62,6 +62,12 @@ #include <errno.h> #include <signal.h> +#ifdef FLAT_INC +#include "e_os2.h" +#else +#include "../e_os2.h" +#endif + /* With IPv6, it looks like Digital has mixed up the proper order of recursive header file inclusion, resulting in the compiler complaining that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which @@ -231,13 +237,11 @@ static int ssl_sock_init(void) int init_client(int *sock, char *host, int port, int type) { unsigned char ip[4]; - short p=0; if (!host_ip(host,&(ip[0]))) { return(0); } - if (p != 0) port=p; return(init_client_ip(sock,ip,port,type)); } @@ -266,7 +270,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) if (s == INVALID_SOCKET) { perror("socket"); return(0); } -#ifndef OPENSSL_SYS_MPE +#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) if (type == SOCK_STREAM) { i=0; @@ -276,7 +280,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) #endif if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) - { close(s); perror("connect"); return(0); } + { closesocket(s); perror("connect"); return(0); } *sock=s; return(1); } @@ -285,7 +289,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns { int sock; char *name = NULL; - int accept_socket; + int accept_socket = 0; int i; if (!init_server(&accept_socket,port,type)) return(0); diff --git a/openssl/apps/s_time.c b/openssl/apps/s_time.c index 904945e1a..b823c33c5 100644 --- a/openssl/apps/s_time.c +++ b/openssl/apps/s_time.c @@ -85,54 +85,6 @@ #include OPENSSL_UNISTD #endif -#if !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -#define TIMES -#endif - -#ifndef _IRIX -#include <time.h> -#endif -#ifdef TIMES -#include <sys/types.h> -#include <sys/times.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. - The __TMS macro will show if it was. If it wasn't defined, we should - undefine TIMES, since that tells the rest of the program how things - should be handled. -- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#include <sys/timeb.h> -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> -#endif - -/* The following if from times(3) man page. It may need to be changed -*/ -#ifndef HZ -# ifdef _SC_CLK_TCK -# define HZ ((double)sysconf(_SC_CLK_TCK)) -# else -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif -# endif -#endif - #undef PROG #define PROG s_time_main @@ -177,7 +129,7 @@ static char *tm_cipher=NULL; static int tm_verify = SSL_VERIFY_NONE; static int maxTime = SECONDS; static SSL_CTX *tm_ctx=NULL; -static SSL_METHOD *s_time_meth=NULL; +static const SSL_METHOD *s_time_meth=NULL; static char *s_www_path=NULL; static long bytes_read=0; static int st_bugs=0; @@ -372,63 +324,8 @@ bad: static double tm_Time_F(int s) { - static double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if(s == START) { - times(&tstart); - return(0); - } else { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); + return app_tminterval(s,1); } -#elif defined(OPENSSL_SYS_NETWARE) - static clock_t tstart,tend; - - if (s == START) - { - tstart=clock(); - return(0); - } - else - { - tend=clock(); - ret=(double)((double)(tend)-(double)(tstart)); - return((ret < 0.001)?0.001:ret); - } -#elif defined(OPENSSL_SYS_VXWORKS) - { - static unsigned long tick_start, tick_end; - - if( s == START ) - { - tick_start = tickGet(); - return 0; - } - else - { - tick_end = tickGet(); - ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); - return((ret == 0.0)?1e-6:ret); - } - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if(s == START) { - ftime(&tstart); - return(0); - } else { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret == 0.0)?1e-6:ret); - } -#endif -} /*********************************************************************** * MAIN - main processing area for client @@ -704,7 +601,7 @@ static SSL *doConnection(SSL *scon) i=SSL_get_fd(serverCon); width=i+1; FD_ZERO(&readfds); - FD_SET(i,&readfds); + openssl_fdset(i,&readfds); /* Note: under VMS with SOCKETSHR the 2nd parameter * is currently of type (int *) whereas under other * systems it is (void *) if you don't have a cast it diff --git a/openssl/apps/smime.c b/openssl/apps/smime.c index 75804b8d7..c583f8a0e 100644 --- a/openssl/apps/smime.c +++ b/openssl/apps/smime.c @@ -73,11 +73,14 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int smime_cb(int ok, X509_STORE_CTX *ctx); #define SMIME_OP 0x10 +#define SMIME_IP 0x20 +#define SMIME_SIGNERS 0x40 #define SMIME_ENCRYPT (1 | SMIME_OP) -#define SMIME_DECRYPT 2 -#define SMIME_SIGN (3 | SMIME_OP) -#define SMIME_VERIFY 4 -#define SMIME_PK7OUT 5 +#define SMIME_DECRYPT (2 | SMIME_IP) +#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) +#define SMIME_VERIFY (4 | SMIME_IP) +#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP) +#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) int MAIN(int, char **); @@ -90,6 +93,7 @@ int MAIN(int argc, char **argv) const char *inmode = "r", *outmode = "w"; char *infile = NULL, *outfile = NULL; char *signerfile = NULL, *recipfile = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; char *certfile = NULL, *keyfile = NULL, *contfile=NULL; const EVP_CIPHER *cipher = NULL; PKCS7 *p7 = NULL; @@ -105,6 +109,8 @@ int MAIN(int argc, char **argv) char *passargin = NULL, *passin = NULL; char *inrand = NULL; int need_rand = 0; + int indef = 0; + const EVP_MD *sign_md = NULL; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int keyform = FORMAT_PEM; #ifndef OPENSSL_NO_ENGINE @@ -135,6 +141,8 @@ int MAIN(int argc, char **argv) operation = SMIME_DECRYPT; else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN; + else if (!strcmp (*args, "-resign")) + operation = SMIME_RESIGN; else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY; else if (!strcmp (*args, "-pk7out")) @@ -193,205 +201,209 @@ int MAIN(int argc, char **argv) flags |= PKCS7_BINARY; else if (!strcmp (*args, "-nosigs")) flags |= PKCS7_NOSIGS; + else if (!strcmp (*args, "-stream")) + indef = 1; + else if (!strcmp (*args, "-indef")) + indef = 1; + else if (!strcmp (*args, "-noindef")) + indef = 0; else if (!strcmp (*args, "-nooldmime")) flags |= PKCS7_NOOLDMIMETYPE; else if (!strcmp (*args, "-crlfeol")) flags |= PKCS7_CRLFEOL; else if (!strcmp(*args,"-rand")) { - if (args[1]) - { - args++; - inrand = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + args++; + inrand = *args; need_rand = 1; } #ifndef OPENSSL_NO_ENGINE else if (!strcmp(*args,"-engine")) { - if (args[1]) - { - args++; - engine = *args; - } - else badarg = 1; + if (!args[1]) + goto argerr; + engine = *++args; } #endif else if (!strcmp(*args,"-passin")) { - if (args[1]) - { - args++; - passargin = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + passargin = *++args; } else if (!strcmp (*args, "-to")) { - if (args[1]) - { - args++; - to = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + to = *++args; } else if (!strcmp (*args, "-from")) { - if (args[1]) - { - args++; - from = *args; - } - else badarg = 1; + if (!args[1]) + goto argerr; + from = *++args; } else if (!strcmp (*args, "-subject")) { - if (args[1]) - { - args++; - subject = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + subject = *++args; } else if (!strcmp (*args, "-signer")) { - if (args[1]) + if (!args[1]) + goto argerr; + /* If previous -signer argument add signer to list */ + + if (signerfile) { - args++; - signerfile = *args; + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!keyfile) + keyfile = signerfile; + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; } - else - badarg = 1; + signerfile = *++args; } else if (!strcmp (*args, "-recip")) { - if (args[1]) + if (!args[1]) + goto argerr; + recipfile = *++args; + } + else if (!strcmp (*args, "-md")) + { + if (!args[1]) + goto argerr; + sign_md = EVP_get_digestbyname(*++args); + if (sign_md == NULL) { - args++; - recipfile = *args; + BIO_printf(bio_err, "Unknown digest %s\n", + *args); + goto argerr; } - else badarg = 1; } else if (!strcmp (*args, "-inkey")) { - if (args[1]) + if (!args[1]) + goto argerr; + /* If previous -inkey arument add signer to list */ + if (keyfile) { - args++; - keyfile = *args; + if (!signerfile) + { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto argerr; + } + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(skkeys, keyfile); } - else - badarg = 1; - } + keyfile = *++args; + } else if (!strcmp (*args, "-keyform")) { - if (args[1]) - { - args++; - keyform = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + keyform = str2fmt(*++args); } else if (!strcmp (*args, "-certfile")) { - if (args[1]) - { - args++; - certfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + certfile = *++args; } else if (!strcmp (*args, "-CAfile")) { - if (args[1]) - { - args++; - CAfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + CAfile = *++args; } else if (!strcmp (*args, "-CApath")) { - if (args[1]) - { - args++; - CApath = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + CApath = *++args; } else if (!strcmp (*args, "-in")) { - if (args[1]) - { - args++; - infile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + infile = *++args; } else if (!strcmp (*args, "-inform")) { - if (args[1]) - { - args++; - informat = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + informat = str2fmt(*++args); } else if (!strcmp (*args, "-outform")) { - if (args[1]) - { - args++; - outformat = str2fmt(*args); - } - else - badarg = 1; + if (!args[1]) + goto argerr; + outformat = str2fmt(*++args); } else if (!strcmp (*args, "-out")) { - if (args[1]) - { - args++; - outfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + outfile = *++args; } else if (!strcmp (*args, "-content")) { - if (args[1]) - { - args++; - contfile = *args; - } - else - badarg = 1; + if (!args[1]) + goto argerr; + contfile = *++args; } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) continue; - else + else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) badarg = 1; args++; } + if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) + { + BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); + goto argerr; + } - if (operation == SMIME_SIGN) + if (operation & SMIME_SIGNERS) { - if (!signerfile) + /* Check to see if any final signer needs to be appended */ + if (keyfile && !signerfile) + { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto argerr; + } + if (signerfile) + { + if (!sksigners) + sksigners = sk_OPENSSL_STRING_new_null(); + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys) + skkeys = sk_OPENSSL_STRING_new_null(); + if (!keyfile) + keyfile = signerfile; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); badarg = 1; } + signerfile = NULL; + keyfile = NULL; need_rand = 1; } else if (operation == SMIME_DECRYPT) @@ -416,6 +428,7 @@ int MAIN(int argc, char **argv) if (badarg) { + argerr: BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n"); BIO_printf (bio_err, "where options are\n"); BIO_printf (bio_err, "-encrypt encrypt message\n"); @@ -499,13 +512,11 @@ int MAIN(int argc, char **argv) ret = 2; - if (operation != SMIME_SIGN) + if (!(operation & SMIME_SIGNERS)) flags &= ~PKCS7_DETACHED; if (operation & SMIME_OP) { - if (flags & PKCS7_BINARY) - inmode = "rb"; if (outformat == FORMAT_ASN1) outmode = "wb"; } @@ -513,9 +524,18 @@ int MAIN(int argc, char **argv) { if (flags & PKCS7_BINARY) outmode = "wb"; + } + + if (operation & SMIME_IP) + { if (informat == FORMAT_ASN1) inmode = "rb"; } + else + { + if (flags & PKCS7_BINARY) + inmode = "rb"; + } if (operation == SMIME_ENCRYPT) { @@ -545,26 +565,11 @@ int MAIN(int argc, char **argv) } } - if (signerfile && (operation == SMIME_SIGN)) - { - if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL, - e, "signer certificate"))) - { -#if 0 /* An appropri message has already been printed */ - BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile); -#endif - goto end; - } - } - if (certfile) { if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL, e, "certificate file"))) { -#if 0 /* An appropriate message has already been printed */ - BIO_printf(bio_err, "Can't read certificate file %s\n", certfile); -#endif ERR_print_errors(bio_err); goto end; } @@ -575,9 +580,6 @@ int MAIN(int argc, char **argv) if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL, e, "recipient certificate file"))) { -#if 0 /* An appropriate message has alrady been printed */ - BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile); -#endif ERR_print_errors(bio_err); goto end; } @@ -615,6 +617,36 @@ int MAIN(int argc, char **argv) else in = BIO_new_fp(stdin, BIO_NOCLOSE); + if (operation & SMIME_IP) + { + if (informat == FORMAT_SMIME) + p7 = SMIME_read_PKCS7(in, &indata); + else if (informat == FORMAT_PEM) + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + p7 = d2i_PKCS7_bio(in, NULL); + else + { + BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); + goto end; + } + + if (!p7) + { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + goto end; + } + if (contfile) + { + BIO_free(indata); + if (!(indata = BIO_new_file(contfile, "rb"))) + { + BIO_printf(bio_err, "Can't read content file %s\n", contfile); + goto end; + } + } + } + if (outfile) { if (!(out = BIO_new_file(outfile, outmode))) @@ -639,7 +671,7 @@ int MAIN(int argc, char **argv) { if (!(store = setup_verify(bio_err, CAfile, CApath))) goto end; - X509_STORE_set_verify_cb_func(store, smime_cb); + X509_STORE_set_verify_cb(store, smime_cb); if (vpm) X509_STORE_set1_param(store, vpm); } @@ -648,43 +680,58 @@ int MAIN(int argc, char **argv) ret = 3; if (operation == SMIME_ENCRYPT) - p7 = PKCS7_encrypt(encerts, in, cipher, flags); - else if (operation == SMIME_SIGN) { - /* If detached data and SMIME output enable partial - * signing. - */ - if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME)) + if (indef) flags |= PKCS7_STREAM; - p7 = PKCS7_sign(signer, key, other, in, flags); + p7 = PKCS7_encrypt(encerts, in, cipher, flags); } - else + else if (operation & SMIME_SIGNERS) { - if (informat == FORMAT_SMIME) - p7 = SMIME_read_PKCS7(in, &indata); - else if (informat == FORMAT_PEM) - p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); - else if (informat == FORMAT_ASN1) - p7 = d2i_PKCS7_bio(in, NULL); - else + int i; + /* If detached data content we only enable streaming if + * S/MIME output format. + */ + if (operation == SMIME_SIGN) { - BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); - goto end; + if (flags & PKCS7_DETACHED) + { + if (outformat == FORMAT_SMIME) + flags |= PKCS7_STREAM; + } + else if (indef) + flags |= PKCS7_STREAM; + flags |= PKCS7_PARTIAL; + p7 = PKCS7_sign(NULL, NULL, other, in, flags); + if (!p7) + goto end; } - - if (!p7) - { - BIO_printf(bio_err, "Error reading S/MIME message\n"); - goto end; + else + flags |= PKCS7_REUSE_DIGEST; + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) + { + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, + e, "signer certificate"); + if (!signer) + goto end; + key = load_key(bio_err, keyfile, keyform, 0, passin, e, + "signing key file"); + if (!key) + goto end; + if (!PKCS7_sign_add_signer(p7, signer, key, + sign_md, flags)) + goto end; + X509_free(signer); + signer = NULL; + EVP_PKEY_free(key); + key = NULL; } - if (contfile) + /* If not streaming or resigning finalize structure */ + if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) { - BIO_free(indata); - if (!(indata = BIO_new_file(contfile, "rb"))) - { - BIO_printf(bio_err, "Can't read content file %s\n", contfile); + if (!PKCS7_final(p7, in, flags)) goto end; - } } } @@ -734,11 +781,16 @@ int MAIN(int argc, char **argv) if (subject) BIO_printf(out, "Subject: %s\n", subject); if (outformat == FORMAT_SMIME) - SMIME_write_PKCS7(out, p7, in, flags); + { + if (operation == SMIME_RESIGN) + SMIME_write_PKCS7(out, p7, indata, flags); + else + SMIME_write_PKCS7(out, p7, in, flags); + } else if (outformat == FORMAT_PEM) - PEM_write_bio_PKCS7(out,p7); + PEM_write_bio_PKCS7_stream(out, p7, in, flags); else if (outformat == FORMAT_ASN1) - i2d_PKCS7_bio(out,p7); + i2d_PKCS7_bio_stream(out,p7, in, flags); else { BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); @@ -754,6 +806,10 @@ end: sk_X509_pop_free(other, X509_free); if (vpm) X509_VERIFY_PARAM_free(vpm); + if (sksigners) + sk_OPENSSL_STRING_free(sksigners); + if (skkeys) + sk_OPENSSL_STRING_free(skkeys); X509_STORE_free(store); X509_free(cert); X509_free(recip); diff --git a/openssl/apps/speed.c b/openssl/apps/speed.c index af077b54a..539bfff22 100644 --- a/openssl/apps/speed.c +++ b/openssl/apps/speed.c @@ -108,53 +108,8 @@ #include <signal.h> #endif -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(OPENSSL_SYS_MACOSX) -# define USE_TOD -#elif !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) -# define TIMES -#endif -#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(OPENSSL_SYS_MPE) && !defined(__NetBSD__) && !defined(OPENSSL_SYS_VXWORKS) /* FIXME */ -# define TIMEB -#endif - -#if defined(OPENSSL_SYS_NETWARE) -#undef TIMES -#undef TIMEB -#include <time.h> -#endif - -#ifndef _IRIX -# include <time.h> -#endif -#ifdef TIMES -# include <sys/types.h> -# include <sys/times.h> -#endif -#ifdef USE_TOD -# include <sys/time.h> -# include <sys/resource.h> -#endif - -/* Depending on the VMS version, the tms structure is perhaps defined. - The __TMS macro will show if it was. If it wasn't defined, we should - undefine TIMES, since that tells the rest of the program how things - should be handled. -- Richard Levitte */ -#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) -#undef TIMES -#endif - -#ifdef TIMEB -#include <sys/timeb.h> -#endif - -#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE) -#error "It seems neither struct tms nor struct timeb is supported in this platform!" -#endif - -#if defined(sun) || defined(__ultrix) -#define _POSIX_SOURCE -#include <limits.h> -#include <sys/param.h> +#ifdef _WIN32 +#include <windows.h> #endif #include <openssl/bn.h> @@ -189,6 +144,9 @@ #ifndef OPENSSL_NO_RIPEMD #include <openssl/ripemd.h> #endif +#ifndef OPENSSL_NO_WHIRLPOOL +#include <openssl/whrlpool.h> +#endif #ifndef OPENSSL_NO_RC4 #include <openssl/rc4.h> #endif @@ -226,43 +184,24 @@ #include <openssl/ecdh.h> #endif -/* - * The following "HZ" timing stuff should be sync'd up with the code in - * crypto/tmdiff.[ch]. That appears to try to do the same job, though I think - * this code is more up to date than libcrypto's so there may be features to - * migrate over first. This is used in two places further down AFAICS. - * The point is that nothing in openssl actually *uses* that tmdiff stuff, so - * either speed.c should be using it or it should go because it's obviously not - * useful enough. Anyone want to do a janitorial job on this? - */ - -/* The following if from times(3) man page. It may need to be changed */ -#ifndef HZ -# if defined(_SC_CLK_TCK) \ - && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) -# define HZ sysconf(_SC_CLK_TCK) +#ifndef HAVE_FORK +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE) +# define HAVE_FORK 0 # else -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif +# define HAVE_FORK 1 # endif #endif -#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE) -# define HAVE_FORK 1 +#if HAVE_FORK +#undef NO_FORK +#else +#define NO_FORK #endif #undef BUFSIZE #define BUFSIZE ((long)1024*8+1) int run=0; -static char ftime_used = 0, times_used = 0, gettimeofday_used = 0, getrusage_used = 0; static int mr=0; static int usertime=1; @@ -271,11 +210,11 @@ static void print_message(const char *s,long num,int length); static void pkey_print_message(const char *str, const char *str2, long num, int bits, int sec); static void print_result(int alg,int run_no,int count,double time_used); -#ifdef HAVE_FORK +#ifndef NO_FORK static int do_multi(int multi); #endif -#define ALGOR_NUM 28 +#define ALGOR_NUM 29 #define SIZE_NUM 5 #define RSA_NUM 4 #define DSA_NUM 3 @@ -289,12 +228,16 @@ static const char *names[ALGOR_NUM]={ "rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc", "aes-128 cbc","aes-192 cbc","aes-256 cbc", "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc", - "evp","sha256","sha512", + "evp","sha256","sha512","whirlpool", "aes-128 ige","aes-192 ige","aes-256 ige"}; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +#ifndef OPENSSL_NO_RSA static double rsa_results[RSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_DSA static double dsa_results[DSA_NUM][2]; +#endif #ifndef OPENSSL_NO_ECDSA static double ecdsa_results[EC_NUM][2]; #endif @@ -328,141 +271,46 @@ static SIGRETTYPE sig_done(int sig) #define START 0 #define STOP 1 -#if defined(OPENSSL_SYS_NETWARE) +#if defined(_WIN32) - /* for NetWare the best we can do is use clock() which returns the - * time, in hundredths of a second, since the NLM began executing - */ -static double Time_F(int s) - { - double ret; - - static clock_t tstart,tend; - - if (s == START) - { - tstart=clock(); - return(0); - } - else - { - tend=clock(); - ret=(double)((double)(tend)-(double)(tstart)); - return((ret < 0.001)?0.001:ret); - } - } +#define SIGALRM +static unsigned int lapse,schlock; +static void alarm(unsigned int secs) { lapse = secs*1000; } -#else +static DWORD WINAPI sleepy(VOID *arg) + { + schlock = 1; + Sleep(lapse); + run = 0; + return 0; + } static double Time_F(int s) { - double ret; - -#ifdef USE_TOD - if(usertime) - { - static struct rusage tstart,tend; - - getrusage_used = 1; - if (s == START) - { - getrusage(RUSAGE_SELF,&tstart); - return(0); - } - else - { - long i; - - getrusage(RUSAGE_SELF,&tend); - i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec; - ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec)) - +((double)i)/1000000.0; - return((ret < 0.001)?0.001:ret); - } - } - else + if (s == START) { - static struct timeval tstart,tend; - long i; - - gettimeofday_used = 1; - if (s == START) - { - gettimeofday(&tstart,NULL); - return(0); - } - else + HANDLE thr; + schlock = 0; + thr = CreateThread(NULL,4096,sleepy,NULL,0,NULL); + if (thr==NULL) { - gettimeofday(&tend,NULL); - i=(long)tend.tv_usec-(long)tstart.tv_usec; - ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0; - return((ret < 0.001)?0.001:ret); + DWORD ret=GetLastError(); + BIO_printf(bio_err,"unable to CreateThread (%d)",ret); + ExitProcess(ret); } + CloseHandle(thr); /* detach the thread */ + while (!schlock) Sleep(0); /* scheduler spinlock */ } -#else /* ndef USE_TOD */ - -# ifdef TIMES - if (usertime) - { - static struct tms tstart,tend; - times_used = 1; - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret = HZ; - ret=(double)(tend.tms_utime-tstart.tms_utime) / ret; - return((ret < 1e-3)?1e-3:ret); - } - } -# endif /* times() */ -# if defined(TIMES) && defined(TIMEB) - else -# endif -# ifdef OPENSSL_SYS_VXWORKS - { - static unsigned long tick_start, tick_end; - - if( s == START ) - { - tick_start = tickGet(); - return 0; - } - else - { - tick_end = tickGet(); - ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); - return((ret < 0.001)?0.001:ret); - } - } -# elif defined(TIMEB) - { - static struct timeb tstart,tend; - long i; + return app_tminterval(s,usertime); + } +#else - ftime_used = 1; - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret < 0.001)?0.001:ret); - } - } -# endif -#endif +static double Time_F(int s) + { + return app_tminterval(s,usertime); } -#endif /* if defined(OPENSSL_SYS_NETWARE) */ +#endif #ifndef OPENSSL_NO_ECDH @@ -522,6 +370,9 @@ int MAIN(int argc, char **argv) unsigned char sha512[SHA512_DIGEST_LENGTH]; #endif #endif +#ifndef OPENSSL_NO_WHIRLPOOL + unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; +#endif #ifndef OPENSSL_NO_RIPEMD unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; #endif @@ -618,9 +469,10 @@ int MAIN(int argc, char **argv) #define D_EVP 22 #define D_SHA256 23 #define D_SHA512 24 -#define D_IGE_128_AES 25 -#define D_IGE_192_AES 26 -#define D_IGE_256_AES 27 +#define D_WHIRLPOOL 25 +#define D_IGE_128_AES 26 +#define D_IGE_192_AES 27 +#define D_IGE_256_AES 28 double d=0.0; long c[ALGOR_NUM][SIZE_NUM]; #define R_DSA_512 0 @@ -749,7 +601,7 @@ int MAIN(int argc, char **argv) const EVP_CIPHER *evp_cipher=NULL; const EVP_MD *evp_md=NULL; int decrypt=0; -#ifdef HAVE_FORK +#ifndef NO_FORK int multi=0; #endif @@ -877,7 +729,7 @@ int MAIN(int argc, char **argv) j--; } #endif -#ifdef HAVE_FORK +#ifndef NO_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { argc--; @@ -940,6 +792,10 @@ int MAIN(int argc, char **argv) else #endif #endif +#ifndef OPENSSL_NO_WHIRLPOOL + if (strcmp(*argv,"whirlpool") == 0) doit[D_WHIRLPOOL]=1; + else +#endif #ifndef OPENSSL_NO_RIPEMD if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1; else @@ -1151,12 +1007,16 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_SHA512 BIO_printf(bio_err,"sha512 "); #endif +#ifndef OPENSSL_NO_WHIRLPOOL + BIO_printf(bio_err,"whirlpool"); +#endif #ifndef OPENSSL_NO_RIPEMD160 BIO_printf(bio_err,"rmd160"); #endif #if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \ !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \ - !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) + !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \ + !defined(OPENSSL_NO_WHIRLPOOL) BIO_printf(bio_err,"\n"); #endif @@ -1257,7 +1117,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); -#ifdef HAVE_FORK +#ifndef NO_FORK BIO_printf(bio_err,"-multi n run n benchmarks in parallel.\n"); #endif goto end; @@ -1267,7 +1127,7 @@ int MAIN(int argc, char **argv) j++; } -#ifdef HAVE_FORK +#ifndef NO_FORK if(multi && do_multi(multi)) goto show_res; #endif @@ -1283,17 +1143,20 @@ int MAIN(int argc, char **argv) rsa_doit[i]=1; for (i=0; i<DSA_NUM; i++) dsa_doit[i]=1; +#ifndef OPENSSL_NO_ECDSA + for (i=0; i<EC_NUM; i++) + ecdsa_doit[i]=1; +#endif +#ifndef OPENSSL_NO_ECDH + for (i=0; i<EC_NUM; i++) + ecdh_doit[i]=1; +#endif } for (i=0; i<ALGOR_NUM; i++) if (doit[i]) pr_header++; if (usertime == 0 && !mr) BIO_printf(bio_err,"You have chosen to measure elapsed time instead of user CPU time.\n"); - if (usertime <= 0 && !mr) - { - BIO_printf(bio_err,"To get the most accurate results, try to run this\n"); - BIO_printf(bio_err,"program when this computer is idle.\n"); - } #ifndef OPENSSL_NO_RSA for (i=0; i<RSA_NUM; i++) @@ -1403,6 +1266,7 @@ int MAIN(int argc, char **argv) c[D_CBC_256_CML][0]=count; c[D_SHA256][0]=count; c[D_SHA512][0]=count; + c[D_WHIRLPOOL][0]=count; c[D_IGE_128_AES][0]=count; c[D_IGE_192_AES][0]=count; c[D_IGE_256_AES][0]=count; @@ -1418,6 +1282,7 @@ int MAIN(int argc, char **argv) c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i]; c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i]; c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i]; + c[D_WHIRLPOOL][i]=c[D_WHIRLPOOL][0]*4*lengths[0]/lengths[i]; } for (i=1; i<SIZE_NUM; i++) { @@ -1601,7 +1466,9 @@ int MAIN(int argc, char **argv) #else #define COND(c) (run) #define COUNT(d) (count) +#ifndef _WIN32 signal(SIGALRM,sig_done); +#endif #endif /* SIGALRM */ #ifndef OPENSSL_NO_MD2 @@ -1731,8 +1598,23 @@ int MAIN(int argc, char **argv) } } #endif +#endif +#ifndef OPENSSL_NO_WHIRLPOOL + if (doit[D_WHIRLPOOL]) + { + for (j=0; j<SIZE_NUM; j++) + { + print_message(names[D_WHIRLPOOL],c[D_WHIRLPOOL][j],lengths[j]); + Time_F(START); + for (count=0,run=1; COND(c[D_WHIRLPOOL][j]); count++) + WHIRLPOOL(buf,lengths[j],whirlpool); + d=Time_F(STOP); + print_result(D_WHIRLPOOL,j,count,d); + } + } #endif + #ifndef OPENSSL_NO_RIPEMD if (doit[D_RMD160]) { @@ -1878,6 +1760,8 @@ int MAIN(int argc, char **argv) print_result(D_IGE_256_AES,j,count,d); } } + + #endif #ifndef OPENSSL_NO_CAMELLIA if (doit[D_CBC_128_CML]) @@ -2462,7 +2346,7 @@ int MAIN(int argc, char **argv) } if (rnd_fake) RAND_cleanup(); #endif -#ifdef HAVE_FORK +#ifndef NO_FORK show_res: #endif if(!mr) @@ -2490,35 +2374,6 @@ show_res: printf("%s ",BF_options()); #endif fprintf(stdout,"\n%s\n",SSLeay_version(SSLEAY_CFLAGS)); - printf("available timing options: "); -#ifdef TIMES - printf("TIMES "); -#endif -#ifdef TIMEB - printf("TIMEB "); -#endif -#ifdef USE_TOD - printf("USE_TOD "); -#endif -#ifdef HZ -#define as_string(s) (#s) - { - double dbl = HZ; - printf("HZ=%g", dbl); - } -# ifdef _SC_CLK_TCK - printf(" [sysconf value]"); -# endif -#endif - printf("\n"); - printf("timing function used: %s%s%s%s%s%s%s\n", - (ftime_used ? "ftime" : ""), - (ftime_used + times_used > 1 ? "," : ""), - (times_used ? "times" : ""), - (ftime_used + times_used + gettimeofday_used > 1 ? "," : ""), - (gettimeofday_used ? "gettimeofday" : ""), - (ftime_used + times_used + gettimeofday_used + getrusage_used > 1 ? "," : ""), - (getrusage_used ? "getrusage" : "")); } if (pr_header) @@ -2717,7 +2572,7 @@ static void print_result(int alg,int run_no,int count,double time_used) results[alg][run_no]=((double)count)/time_used*lengths[run_no]; } -#ifdef HAVE_FORK +#ifndef NO_FORK static char *sstrsep(char **string, const char *delim) { char isdelim[256]; @@ -2775,6 +2630,7 @@ static int do_multi(int multi) close(fd[1]); mr=1; usertime=0; + free(fds); return 0; } printf("Forked child %d\n",n); @@ -2923,7 +2779,10 @@ static int do_multi(int multi) else fprintf(stderr,"Unknown type '%s' from child %d\n",buf,n); } + + fclose(f); } + free(fds); return 1; } #endif diff --git a/openssl/apps/ts.c b/openssl/apps/ts.c index 74e7e932b..5fa9f7fda 100644 --- a/openssl/apps/ts.c +++ b/openssl/apps/ts.c @@ -165,6 +165,9 @@ int MAIN(int argc, char **argv) BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); } + if (!load_config(bio_err, NULL)) + goto cleanup; + for (argc--, argv++; argc > 0; argc--, argv++) { if (strcmp(*argv, "-config") == 0) @@ -646,7 +649,7 @@ static ASN1_INTEGER *create_nonce(int bits) /* Generating random byte sequence. */ if (len > (int)sizeof(buf)) goto err; - if (!RAND_bytes(buf, len)) goto err; + if (RAND_bytes(buf, len) <= 0) goto err; /* Find the first non-zero byte and creating ASN1_INTEGER object. */ for (i = 0; i < len && !buf[i]; ++i); @@ -1080,7 +1083,7 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file) cert_ctx = X509_STORE_new(); /* Setting the callback for certificate chain verification. */ - X509_STORE_set_verify_cb_func(cert_ctx, verify_cb); + X509_STORE_set_verify_cb(cert_ctx, verify_cb); /* Adding a trusted certificate directory source. */ if (ca_path) diff --git a/openssl/apps/tsget b/openssl/apps/tsget index ddae803fb..0d54e9fc9 100644 --- a/openssl/apps/tsget +++ b/openssl/apps/tsget @@ -1,13 +1,13 @@ #!/usr/bin/perl -w # Written by Zoltan Glozik <zglozik@stones.com>. # Copyright (c) 2002 The OpenTSA Project. All rights reserved. -$::version = '$Id: tsget,v 1.1 2006/02/12 23:11:21 ulf Exp $'; +$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $'; use strict; use IO::Handle; use Getopt::Std; use File::Basename; -use WWW::Curl::easy; +use WWW::Curl::Easy; use vars qw(%options); @@ -37,7 +37,7 @@ sub create_curl { my $url = shift; # Create Curl object. - my $curl = WWW::Curl::easy::new(); + my $curl = WWW::Curl::Easy::new(); # Error-handling related options. $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; @@ -49,7 +49,7 @@ sub create_curl { $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); $curl->setopt(CURLOPT_HTTPHEADER, ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply"]); + "Accept: application/timestamp-reply,application/timestamp-response"]); $curl->setopt(CURLOPT_READFUNCTION, \&read_body); $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); @@ -102,7 +102,8 @@ sub get_timestamp { $error_string .= " ($::error_buf)" if defined($::error_buf); } else { my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply") { + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { $error_string = "unexpected content type returned: $ct"; } } @@ -192,4 +193,4 @@ REQUEST: foreach (@ARGV) { STDERR->printflush(", $output written.\n") if $options{v}; } $curl->cleanup(); -WWW::Curl::easy::global_cleanup(); +WWW::Curl::Easy::global_cleanup(); diff --git a/openssl/apps/verify.c b/openssl/apps/verify.c index 20cc9e354..9163997e9 100644 --- a/openssl/apps/verify.c +++ b/openssl/apps/verify.c @@ -70,8 +70,9 @@ #define PROG verify_main static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e); -static STACK_OF(X509) *load_untrusted(char *file); +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e); static int v_verbose=0, vflags = 0; int MAIN(int, char **); @@ -80,10 +81,10 @@ int MAIN(int argc, char **argv) { ENGINE *e = NULL; int i,ret=1, badarg = 0; - int purpose = -1; char *CApath=NULL,*CAfile=NULL; - char *untfile = NULL, *trustfile = NULL; + char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; STACK_OF(X509) *untrusted = NULL, *trusted = NULL; + STACK_OF(X509_CRL) *crls = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; X509_VERIFY_PARAM *vpm = NULL; @@ -93,7 +94,7 @@ int MAIN(int argc, char **argv) cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(cert_ctx,cb); + X509_STORE_set_verify_cb(cert_ctx,cb); ERR_load_crypto_strings(); @@ -139,6 +140,11 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; trustfile= *(++argv); } + else if (strcmp(*argv,"-CRLfile") == 0) + { + if (argc-- < 1) goto end; + crlfile= *(++argv); + } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -192,26 +198,34 @@ int MAIN(int argc, char **argv) ERR_clear_error(); - if(untfile) { - if(!(untrusted = load_untrusted(untfile))) { - BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile); - ERR_print_errors(bio_err); + if(untfile) + { + untrusted = load_certs(bio_err, untfile, FORMAT_PEM, + NULL, e, "untrusted certificates"); + if(!untrusted) goto end; } - } - if(trustfile) { - if(!(trusted = load_untrusted(trustfile))) { - BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile); - ERR_print_errors(bio_err); + if(trustfile) + { + trusted = load_certs(bio_err, trustfile, FORMAT_PEM, + NULL, e, "trusted certificates"); + if(!trusted) goto end; } - } - if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose, e); + if(crlfile) + { + crls = load_crls(bio_err, crlfile, FORMAT_PEM, + NULL, e, "other CRLs"); + if(!crls) + goto end; + } + + if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e); else for (i=0; i<argc; i++) - check(cert_ctx,argv[i], untrusted, trusted, purpose, e); + check(cert_ctx,argv[i], untrusted, trusted, crls, e); ret=0; end: if (ret == 1) { @@ -232,11 +246,14 @@ end: if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); apps_shutdown(); OPENSSL_EXIT(ret); } -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e) +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e) { X509 *x=NULL; int i=0,ret=0; @@ -260,7 +277,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X goto end; } if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); - if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); + if (crls) + X509_STORE_CTX_set0_crls(csc, crls); i=X509_verify_cert(csc); X509_STORE_CTX_free(csc); @@ -278,90 +296,53 @@ end: return(ret); } -static STACK_OF(X509) *load_untrusted(char *certfile) -{ - STACK_OF(X509_INFO) *sk=NULL; - STACK_OF(X509) *stack=NULL, *ret=NULL; - BIO *in=NULL; - X509_INFO *xi; - - if(!(stack = sk_X509_new_null())) { - BIO_printf(bio_err,"memory allocation failure\n"); - goto end; - } - - if(!(in=BIO_new_file(certfile, "r"))) { - BIO_printf(bio_err,"error opening the file, %s\n",certfile); - goto end; - } - - /* This loads from a file, a stack of x509/crl/pkey sets */ - if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) { - BIO_printf(bio_err,"error reading the file, %s\n",certfile); - goto end; - } - - /* scan over it and pull out the certs */ - while (sk_X509_INFO_num(sk)) - { - xi=sk_X509_INFO_shift(sk); - if (xi->x509 != NULL) - { - sk_X509_push(stack,xi->x509); - xi->x509=NULL; - } - X509_INFO_free(xi); - } - if(!sk_X509_num(stack)) { - BIO_printf(bio_err,"no certificates in file, %s\n",certfile); - sk_X509_free(stack); - goto end; - } - ret=stack; -end: - BIO_free(in); - sk_X509_INFO_free(sk); - return(ret); - } - static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) { - char buf[256]; + int cert_error = X509_STORE_CTX_get_error(ctx); + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); if (!ok) { - if (ctx->current_cert) + if (current_cert) + { + X509_NAME_print_ex_fp(stdout, + X509_get_subject_name(current_cert), + 0, XN_FLAG_ONELINE); + printf("\n"); + } + printf("%serror %d at %d depth lookup:%s\n", + X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "", + cert_error, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(cert_error)); + switch(cert_error) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert),buf, - sizeof buf); - printf("%s\n",buf); + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(NULL, ctx); + case X509_V_ERR_CERT_HAS_EXPIRED: + + /* since we are just checking the certificates, it is + * ok if they are self signed. But we should still warn + * the user. + */ + + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + /* Continue after extension errors too */ + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_INVALID_NON_CA: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_CRL_HAS_EXPIRED: + case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + ok = 1; + } - printf("error %d at %d depth lookup:%s\n",ctx->error, - ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; - /* since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - /* Continue after extension errors too */ - if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; - if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; - if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; - if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; - if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; - if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; - if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) - policies_print(NULL, ctx); return ok; } - if ((ctx->error == X509_V_OK) && (ok == 2)) + if (cert_error == X509_V_OK && ok == 2) policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); diff --git a/openssl/apps/x509.c b/openssl/apps/x509.c index 6debce441..e7e46d7b6 100644 --- a/openssl/apps/x509.c +++ b/openssl/apps/x509.c @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", +#ifndef OPENSSL_NO_MD5 +" -subject_hash_old - print old-style (MD5) subject hash value\n", +#endif " -issuer_hash - print issuer hash value\n", +#ifndef OPENSSL_NO_MD5 +" -issuer_hash_old - print old-style (MD5) issuer hash value\n", +#endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", @@ -179,6 +185,9 @@ int MAIN(int argc, char **argv) int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old=0,issuer_hash_old=0; +#endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; @@ -190,7 +199,7 @@ int MAIN(int argc, char **argv) X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; - const EVP_MD *md_alg,*digest=EVP_sha1(); + const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; @@ -225,7 +234,7 @@ int MAIN(int argc, char **argv) ctx=X509_STORE_new(); if (ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(ctx,callb); + X509_STORE_set_verify_cb(ctx,callb); argc--; argv++; @@ -397,8 +406,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-subject_hash_old") == 0) + subject_hash_old= ++num; +#endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-issuer_hash_old") == 0) + issuer_hash_old= ++num; +#endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) @@ -626,7 +643,7 @@ bad: if (!X509_set_subject_name(x,req->req_info->subject)) goto end; X509_gmtime_adj(X509_get_notBefore(x),0); - X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); + X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL); pkey = X509_REQ_get_pubkey(req); X509_set_pubkey(x,pkey); @@ -738,13 +755,14 @@ bad: else if ((email == i) || (ocsp_uri == i)) { int j; - STACK *emlst; + STACK_OF(OPENSSL_STRING) *emlst; if (email == i) emlst = X509_get1_email(x); else emlst = X509_get1_ocsp(x); - for (j = 0; j < sk_num(emlst); j++) - BIO_printf(STDout, "%s\n", sk_value(emlst, j)); + for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(STDout, "%s\n", + sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) @@ -758,10 +776,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (subject_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); + } +#endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (issuer_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); + } +#endif else if (pprint == i) { X509_PURPOSE *ptmp; @@ -892,14 +922,18 @@ bad: int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *fdig = digest; + + if (!fdig) + fdig = EVP_sha1(); - if (!X509_digest(x,digest,md,&n)) + if (!X509_digest(x,fdig,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } BIO_printf(STDout,"%s Fingerprint=", - OBJ_nid2sn(EVP_MD_type(digest))); + OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], @@ -919,14 +953,6 @@ bad: passin, e, "Private key"); if (Upkey == NULL) goto end; } -#ifndef OPENSSL_NO_DSA - if (Upkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (Upkey->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, @@ -943,14 +969,6 @@ bad: "CA Private Key"); if (CApkey == NULL) goto end; } -#ifndef OPENSSL_NO_DSA - if (CApkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (CApkey->type == EVP_PKEY_EC) - digest = EVP_ecdsa(); -#endif assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, @@ -978,15 +996,6 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); -#ifndef OPENSSL_NO_DSA - if (pk->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif -#ifndef OPENSSL_NO_ECDSA - if (pk->type == EVP_PKEY_EC) - digest=EVP_ecdsa(); -#endif - rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) @@ -1040,16 +1049,15 @@ bad: } else if (outformat == FORMAT_NETSCAPE) { - ASN1_HEADER ah; - ASN1_OCTET_STRING os; + NETSCAPE_X509 nx; + ASN1_OCTET_STRING hdr; - os.data=(unsigned char *)NETSCAPE_CERT_HDR; - os.length=strlen(NETSCAPE_CERT_HDR); - ah.header= &os; - ah.data=(char *)x; - ah.meth=X509_asn1_meth(); + hdr.data=(unsigned char *)NETSCAPE_CERT_HDR; + hdr.length=strlen(NETSCAPE_CERT_HDR); + nx.header= &hdr; + nx.cert=x; - i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah); + i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); @@ -1151,6 +1159,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; @@ -1167,7 +1176,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; /* hardwired expired */ - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) + if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) goto end; if (clrext) |