mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-06 16:40:47 +00:00
openssl: Vendor import of OpenSSL-3.0.8
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html . Obtained from: https://www.openssl.org/source/openssl-3.0.8.tar.gz Differential Revision: https://reviews.freebsd.org/D38835 Test Plan: ``` $ git status On branch vendor/openssl-3.0 nothing to commit, working tree clean $ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc) openssl-3.0.8.tar.gz 14 MB 4507 kBps 04s openssl-3.0.8.tar.gz.asc 833 B 10 MBps 00s $ set | egrep '(XLIST|OSSLVER)=' OSSLVER=3.0.8 XLIST=FREEBSD-Xlist $ gpg --list-keys /home/ngie/.gnupg/pubring.kbx ----------------------------- pub rsa4096 2014-10-04 [SC] 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C uid [ unknown] Richard Levitte <richard@levitte.org> uid [ unknown] Richard Levitte <levitte@lp.se> uid [ unknown] Richard Levitte <levitte@openssl.org> sub rsa4096 2014-10-04 [E] $ gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz gpg: Signature made Tue Feb 7 05:43:55 2023 PST gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown] gpg: aka "Richard Levitte <levitte@lp.se>" [unknown] gpg: aka "Richard Levitte <levitte@openssl.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C $ (cd vendor.checkout/; git status; find . -type f -or -type l | cut -c 3- | sort > ../old) On branch vendor/openssl-3.0 nothing to commit, working tree clean $ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C .. $ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* . $ cat .git gitdir: /home/ngie/git/freebsd-src/.git/worktrees/vendor.checkout $ diff -arq ../openssl-3.0.8 . Only in .: .git Only in .: FREEBSD-Xlist Only in .: FREEBSD-upgrade $ git status FREEBSD* On branch vendor/openssl-3.0 nothing to commit, working tree clean $ ``` Reviewers: emaste, jkim Subscribers: imp, andrew, dab Differential Revision: https://reviews.freebsd.org/D38835
This commit is contained in:
parent
3c320f4e5e
commit
e4520c8bd1
|
@ -1,2 +0,0 @@
|
|||
Please https://www.openssl.org/community/thanks.html for the current
|
||||
acknowledgements.
|
6
ACKNOWLEDGEMENTS.md
Normal file
6
ACKNOWLEDGEMENTS.md
Normal file
|
@ -0,0 +1,6 @@
|
|||
Acknowlegements
|
||||
===============
|
||||
|
||||
Please see our [Thanks!][] page for the current acknowledgements.
|
||||
|
||||
[Thanks!]: https://www.openssl.org/community/thanks.html
|
42
AUTHORS
42
AUTHORS
|
@ -1,42 +0,0 @@
|
|||
# This is the list of OpenSSL authors for copyright purposes.
|
||||
#
|
||||
# This does not necessarily list everyone who has contributed code, since in
|
||||
# some cases, their employer may be the copyright holder. To see the full list
|
||||
# of contributors, see the revision history in source control.
|
||||
OpenSSL Software Services, Inc.
|
||||
OpenSSL Software Foundation, Inc.
|
||||
|
||||
# Individuals
|
||||
Andy Polyakov
|
||||
Ben Laurie
|
||||
Ben Kaduk
|
||||
Bernd Edlinger
|
||||
Bodo Möller
|
||||
David Benjamin
|
||||
David von Oheimb
|
||||
Dmitry Belyavskiy (Дмитрий Белявский)
|
||||
Emilia Käsper
|
||||
Eric Young
|
||||
Geoff Thorpe
|
||||
Holger Reif
|
||||
Kurt Roeckx
|
||||
Lutz Jänicke
|
||||
Mark J. Cox
|
||||
Matt Caswell
|
||||
Matthias St. Pierre
|
||||
Nicola Tuveri
|
||||
Nils Larsch
|
||||
Patrick Steuer
|
||||
Paul Dale
|
||||
Paul C. Sutton
|
||||
Paul Yang
|
||||
Ralf S. Engelschall
|
||||
Rich Salz
|
||||
Richard Levitte
|
||||
Shane Lontis
|
||||
Stephen Henson
|
||||
Steve Marquess
|
||||
Tim Hudson
|
||||
Tomáš Mráz
|
||||
Ulf Möller
|
||||
Viktor Dukhovni
|
51
AUTHORS.md
Normal file
51
AUTHORS.md
Normal file
|
@ -0,0 +1,51 @@
|
|||
Authors
|
||||
=======
|
||||
|
||||
This is the list of OpenSSL authors for copyright purposes.
|
||||
It does not necessarily list everyone who has contributed code,
|
||||
since in some cases, their employer may be the copyright holder.
|
||||
To see the full list of contributors, see the revision history in
|
||||
source control.
|
||||
|
||||
Groups
|
||||
------
|
||||
|
||||
* OpenSSL Software Services, Inc.
|
||||
* OpenSSL Software Foundation, Inc.
|
||||
|
||||
Individuals
|
||||
-----------
|
||||
|
||||
* Andy Polyakov
|
||||
* Ben Laurie
|
||||
* Ben Kaduk
|
||||
* Bernd Edlinger
|
||||
* Bodo Möller
|
||||
* David Benjamin
|
||||
* David von Oheimb
|
||||
* Dmitry Belyavskiy (Дмитрий Белявский)
|
||||
* Emilia Käsper
|
||||
* Eric Young
|
||||
* Geoff Thorpe
|
||||
* Holger Reif
|
||||
* Kurt Roeckx
|
||||
* Lutz Jänicke
|
||||
* Mark J. Cox
|
||||
* Matt Caswell
|
||||
* Matthias St. Pierre
|
||||
* Nicola Tuveri
|
||||
* Nils Larsch
|
||||
* Patrick Steuer
|
||||
* Paul Dale
|
||||
* Paul C. Sutton
|
||||
* Paul Yang
|
||||
* Ralf S. Engelschall
|
||||
* Rich Salz
|
||||
* Richard Levitte
|
||||
* Shane Lontis
|
||||
* Stephen Henson
|
||||
* Steve Marquess
|
||||
* Tim Hudson
|
||||
* Tomáš Mráz
|
||||
* Ulf Möller
|
||||
* Viktor Dukhovni
|
19753
CHANGES.md
Normal file
19753
CHANGES.md
Normal file
File diff suppressed because it is too large
Load diff
72
CONTRIBUTING
72
CONTRIBUTING
|
@ -1,72 +0,0 @@
|
|||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
(Please visit https://www.openssl.org/community/getting-started.html for
|
||||
other ideas about how to contribute.)
|
||||
|
||||
Development is done on GitHub, https://github.com/openssl/openssl.
|
||||
|
||||
To request new features or report bugs, please open an issue on GitHub
|
||||
|
||||
To submit a patch, please open a pull request on GitHub. If you are thinking
|
||||
of making a large contribution, open an issue for it before starting work,
|
||||
to get comments from the community. Someone may be already working on
|
||||
the same thing or there may be reasons why that feature isn't implemented.
|
||||
|
||||
To make it easier to review and accept your pull request, please follow these
|
||||
guidelines:
|
||||
|
||||
1. Anything other than a trivial contribution requires a Contributor
|
||||
License Agreement (CLA), giving us permission to use your code. See
|
||||
https://www.openssl.org/policies/cla.html for details. If your
|
||||
contribution is too small to require a CLA, put "CLA: trivial" on a
|
||||
line by itself in your commit message body.
|
||||
|
||||
2. All source files should start with the following text (with
|
||||
appropriate comment characters at the start of each line and the
|
||||
year(s) updated):
|
||||
|
||||
Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
https://www.openssl.org/source/license.html
|
||||
|
||||
3. Patches should be as current as possible; expect to have to rebase
|
||||
often. We do not accept merge commits, you will have to remove them
|
||||
(usually by rebasing) before it will be acceptable.
|
||||
|
||||
4. Patches should follow our coding style (see
|
||||
https://www.openssl.org/policies/codingstyle.html) and compile
|
||||
without warnings. Where gcc or clang is available you should use the
|
||||
--strict-warnings Configure option. OpenSSL compiles on many varied
|
||||
platforms: try to ensure you only use portable features. Clean builds via
|
||||
GitHub Actions and AppVeyor are required, and they are started automatically
|
||||
whenever a PR is created or updated.
|
||||
|
||||
5. When at all possible, patches should include tests. These can
|
||||
either be added to an existing test, or completely new. Please see
|
||||
test/README for information on the test framework.
|
||||
|
||||
6. New features or changed functionality must include
|
||||
documentation. Please look at the "pod" files in doc/man[1357] for
|
||||
examples of our style. Run "make doc-nits" to make sure that your
|
||||
documentation changes are clean.
|
||||
|
||||
7. For user visible changes (API changes, behaviour changes, ...),
|
||||
consider adding a note in CHANGES. This could be a summarising
|
||||
description of the change, and could explain the grander details.
|
||||
Have a look through existing entries for inspiration.
|
||||
Please note that this is NOT simply a copy of git-log one-liners.
|
||||
Also note that security fixes get an entry in CHANGES.
|
||||
This file helps users get more in depth information of what comes
|
||||
with a specific release without having to sift through the higher
|
||||
noise ratio in git-log.
|
||||
|
||||
8. For larger or more important user visible changes, as well as
|
||||
security fixes, please add a line in NEWS. On exception, it might be
|
||||
worth adding a multi-line entry (such as the entry that announces all
|
||||
the types that became opaque with OpenSSL 1.1.0).
|
||||
This file helps users get a very quick summary of what comes with a
|
||||
specific release, to see if an upgrade is worth the effort.
|
94
CONTRIBUTING.md
Normal file
94
CONTRIBUTING.md
Normal file
|
@ -0,0 +1,94 @@
|
|||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
============================
|
||||
|
||||
Please visit our [Getting Started] page for other ideas about how to contribute.
|
||||
|
||||
[Getting Started]: <https://www.openssl.org/community/getting-started.html>
|
||||
|
||||
Development is done on GitHub in the [openssl/openssl] repository.
|
||||
|
||||
[openssl/openssl]: <https://github.com/openssl/openssl>
|
||||
|
||||
To request new features or report bugs, please open an issue on GitHub
|
||||
|
||||
To submit a patch, please open a pull request on GitHub. If you are thinking
|
||||
of making a large contribution, open an issue for it before starting work,
|
||||
to get comments from the community. Someone may be already working on
|
||||
the same thing or there may be reasons why that feature isn't implemented.
|
||||
|
||||
To make it easier to review and accept your pull request, please follow these
|
||||
guidelines:
|
||||
|
||||
1. Anything other than a trivial contribution requires a [Contributor
|
||||
License Agreement] (CLA), giving us permission to use your code.
|
||||
If your contribution is too small to require a CLA (e.g. fixing a spelling
|
||||
mistake), place the text "`CLA: trivial`" on a line by itself separated by
|
||||
an empty line from the rest of the commit message. It is not sufficient to
|
||||
only place the text in the GitHub pull request description.
|
||||
|
||||
[Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
|
||||
|
||||
To amend a missing "`CLA: trivial`" line after submission, do the following:
|
||||
|
||||
```
|
||||
git commit --amend
|
||||
[add the line, save and quit the editor]
|
||||
git push -f
|
||||
```
|
||||
|
||||
2. All source files should start with the following text (with
|
||||
appropriate comment characters at the start of each line and the
|
||||
year(s) updated):
|
||||
|
||||
```
|
||||
Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
https://www.openssl.org/source/license.html
|
||||
```
|
||||
|
||||
3. Patches should be as current as possible; expect to have to rebase
|
||||
often. We do not accept merge commits, you will have to remove them
|
||||
(usually by rebasing) before it will be acceptable.
|
||||
|
||||
4. Patches should follow our [coding style] and compile without warnings.
|
||||
Where `gcc` or `clang` is available you should use the
|
||||
`--strict-warnings` `Configure` option. OpenSSL compiles on many varied
|
||||
platforms: try to ensure you only use portable features. Clean builds via
|
||||
GitHub Actions and AppVeyor are required, and they are started automatically
|
||||
whenever a PR is created or updated.
|
||||
|
||||
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
|
||||
|
||||
5. When at all possible, patches should include tests. These can
|
||||
either be added to an existing test, or completely new. Please see
|
||||
[test/README.md](test/README.md) for information on the test framework.
|
||||
|
||||
6. New features or changed functionality must include
|
||||
documentation. Please look at the "pod" files in doc/man[1357] for
|
||||
examples of our style. Run "make doc-nits" to make sure that your
|
||||
documentation changes are clean.
|
||||
|
||||
7. For user visible changes (API changes, behaviour changes, ...),
|
||||
consider adding a note in [CHANGES.md](CHANGES.md).
|
||||
This could be a summarising description of the change, and could
|
||||
explain the grander details.
|
||||
Have a look through existing entries for inspiration.
|
||||
Please note that this is NOT simply a copy of git-log one-liners.
|
||||
Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
|
||||
This file helps users get more in depth information of what comes
|
||||
with a specific release without having to sift through the higher
|
||||
noise ratio in git-log.
|
||||
|
||||
8. For larger or more important user visible changes, as well as
|
||||
security fixes, please add a line in [NEWS.md](NEWS.md).
|
||||
On exception, it might be worth adding a multi-line entry (such as
|
||||
the entry that announces all the types that became opaque with
|
||||
OpenSSL 1.1.0).
|
||||
This file helps users get a very quick summary of what comes with a
|
||||
specific release, to see if an upgrade is worth the effort.
|
||||
|
||||
9. Guidelines how to integrate error output of new crypto library modules
|
||||
can be found in [crypto/err/README.md](crypto/err/README.md).
|
2
FAQ
2
FAQ
|
@ -1,2 +0,0 @@
|
|||
The FAQ is now maintained on the web:
|
||||
https://www.openssl.org/docs/faq.html
|
6
FAQ.md
Normal file
6
FAQ.md
Normal file
|
@ -0,0 +1,6 @@
|
|||
Frequently Asked Questions (FAQ)
|
||||
================================
|
||||
|
||||
The [Frequently Asked Questions][FAQ] are now maintained on the OpenSSL homepage.
|
||||
|
||||
[FAQ]: https://www.openssl.org/docs/faq.html
|
33
HACKING.md
Normal file
33
HACKING.md
Normal file
|
@ -0,0 +1,33 @@
|
|||
MODIFYING OPENSSL SOURCE
|
||||
========================
|
||||
|
||||
This document describes the way to add custom modifications to OpenSSL sources.
|
||||
|
||||
If you are adding new public functions to the custom library build, you need to
|
||||
either add a prototype in one of the existing OpenSSL header files;
|
||||
or provide a new header file and edit
|
||||
[Configurations/unix-Makefile.tmpl](Configurations/unix-Makefile.tmpl)
|
||||
to pick up that file.
|
||||
|
||||
After that perform the following steps:
|
||||
|
||||
./Configure -Werror --strict-warnings [your-options]
|
||||
make update
|
||||
make
|
||||
make test
|
||||
|
||||
`make update` ensures that your functions declarations are added to
|
||||
`util/libcrypto.num` or `util/libssl.num`.
|
||||
If you plan to submit the changes you made to OpenSSL
|
||||
(see [CONTRIBUTING.md](CONTRIBUTING.md)), it's worth running:
|
||||
|
||||
make doc-nits
|
||||
|
||||
after running `make update` to ensure that documentation has correct format.
|
||||
|
||||
`make update` also generates files related to OIDs (in the `crypto/objects/`
|
||||
folder) and errors.
|
||||
If a merge error occurs in one of these generated files then the
|
||||
generated files need to be removed and regenerated using `make update`.
|
||||
To aid in this process the generated files can be committed separately
|
||||
so they can be removed easily.
|
1817
INSTALL.md
Normal file
1817
INSTALL.md
Normal file
File diff suppressed because it is too large
Load diff
125
LICENSE
125
LICENSE
|
@ -1,125 +0,0 @@
|
|||
|
||||
LICENSE ISSUES
|
||||
==============
|
||||
|
||||
The OpenSSL toolkit stays under a double license, i.e. both the conditions of
|
||||
the OpenSSL License and the original SSLeay license apply to the toolkit.
|
||||
See below for the actual license texts.
|
||||
|
||||
OpenSSL License
|
||||
---------------
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
Original SSLeay License
|
||||
-----------------------
|
||||
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* "This product includes cryptographic software written by
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
177
LICENSE.txt
Normal file
177
LICENSE.txt
Normal file
|
@ -0,0 +1,177 @@
|
|||
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
https://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
90
NOTES-ANDROID.md
Normal file
90
NOTES-ANDROID.md
Normal file
|
@ -0,0 +1,90 @@
|
|||
Notes for Android platforms
|
||||
===========================
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
Beside basic tools like perl and make you'll need to download the Android
|
||||
NDK. It's available for Linux, macOS and Windows, but only Linux
|
||||
version was actually tested. There is no reason to believe that macOS
|
||||
wouldn't work. And as for Windows, it's unclear which "shell" would be
|
||||
suitable, MSYS2 might have best chances. NDK version should play lesser
|
||||
role, the goal is to support a range of most recent versions.
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
Android is a cross-compiled target and you can't rely on `./Configure`
|
||||
to find out the configuration target for you. You have to name your
|
||||
target explicitly; there are `android-arm`, `android-arm64`, `android-mips`,
|
||||
`android-mip64`, `android-x86` and `android-x86_64` (`*MIPS` targets are no
|
||||
longer supported with NDK R20+).
|
||||
|
||||
Do not pass --cross-compile-prefix (as you might be tempted), as it
|
||||
will be "calculated" automatically based on chosen platform. However,
|
||||
you still need to know the prefix to extend your PATH, in order to
|
||||
invoke `$(CROSS_COMPILE)clang` [`*gcc` on NDK 19 and lower] and company.
|
||||
(`./Configure` will fail and give you a hint if you get it wrong.)
|
||||
|
||||
Apart from `PATH` adjustment you need to set `ANDROID_NDK_ROOT` environment
|
||||
to point at the `NDK` directory. If you're using a side-by-side NDK the path
|
||||
will look something like `/some/where/android-sdk/ndk/<ver>`, and for a
|
||||
standalone NDK the path will be something like `/some/where/android-ndk-<ver>`.
|
||||
Both variables are significant at both configuration and compilation times.
|
||||
The NDK customarily supports multiple Android API levels, e.g. `android-14`,
|
||||
`android-21`, etc. By default latest API level is chosen. If you need to target
|
||||
an older platform pass the argument `-D__ANDROID_API__=N` to `Configure`,
|
||||
with `N` being the numerical value of the target platform version. For example,
|
||||
to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570
|
||||
|
||||
export ANDROID_NDK_ROOT=/home/whoever/Android/android-sdk/ndk/20.0.5594570
|
||||
PATH=$ANDROID_NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_ROOT/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH
|
||||
./Configure android-arm64 -D__ANDROID_API__=29
|
||||
make
|
||||
|
||||
Older versions of the NDK have GCC under their common prebuilt tools
|
||||
directory, so the bin path will be slightly different. EG: to compile
|
||||
for ICS on ARM with NDK 10d:
|
||||
|
||||
export ANDROID_NDK_ROOT=/some/where/android-ndk-10d
|
||||
PATH=$ANDROID_NDK_ROOT/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH
|
||||
./Configure android-arm -D__ANDROID_API__=14
|
||||
make
|
||||
|
||||
Caveat lector! Earlier OpenSSL versions relied on additional `CROSS_SYSROOT`
|
||||
variable set to `$ANDROID_NDK_ROOT/platforms/android-<api>/arch-<arch>` to
|
||||
appoint headers-n-libraries' location. It's still recognized in order
|
||||
to facilitate migration from older projects. However, since API level
|
||||
appears in `CROSS_SYSROOT` value, passing `-D__ANDROID_API__=N` can be in
|
||||
conflict, and mixing the two is therefore not supported. Migration to
|
||||
`CROSS_SYSROOT`-less setup is recommended.
|
||||
|
||||
One can engage clang by adjusting PATH to cover same NDK's clang. Just
|
||||
keep in mind that if you miss it, Configure will try to use gcc...
|
||||
Also, PATH would need even further adjustment to cover unprefixed, yet
|
||||
target-specific, ar and ranlib. It's possible that you don't need to
|
||||
bother, if binutils-multiarch is installed on your Linux system.
|
||||
|
||||
Another option is to create so called "standalone toolchain" tailored
|
||||
for single specific platform including Android API level, and assign its
|
||||
location to `ANDROID_NDK_ROOT`. In such case you have to pass matching
|
||||
target name to Configure and shouldn't use `-D__ANDROID_API__=N`. `PATH`
|
||||
adjustment becomes simpler, `$ANDROID_NDK_ROOT/bin:$PATH` suffices.
|
||||
|
||||
Running tests (on Linux)
|
||||
------------------------
|
||||
|
||||
This is not actually supported. Notes are meant rather as inspiration.
|
||||
|
||||
Even though build output targets alien system, it's possible to execute
|
||||
test suite on Linux system by employing qemu-user. The trick is static
|
||||
linking. Pass -static to Configure, then edit generated Makefile and
|
||||
remove occurrences of -ldl and -pie flags. You would also need to pick
|
||||
API version that comes with usable static libraries, 42/2=21 used to
|
||||
work. Once built, you should be able to
|
||||
|
||||
env EXE_SHELL=qemu-<arch> make test
|
||||
|
||||
If you need to pass additional flag to qemu, quotes are your friend, e.g.
|
||||
|
||||
env EXE_SHELL="qemu-mips64el -cpu MIPS64R6-generic" make test
|
46
NOTES-DJGPP.md
Normal file
46
NOTES-DJGPP.md
Normal file
|
@ -0,0 +1,46 @@
|
|||
Notes for the DOS platform with DJGPP
|
||||
=====================================
|
||||
|
||||
OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time
|
||||
environment for 16-bit DOS, but only with long filename support.
|
||||
If you wish to compile on native DOS with 8+3 filenames, you will
|
||||
have to tweak the installation yourself, including renaming files
|
||||
with illegal or duplicate names.
|
||||
|
||||
You should have a full DJGPP environment installed, including the
|
||||
latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
|
||||
requires that PERL and the PERL module `Text::Template` also be
|
||||
installed (see [NOTES-PERL.md](NOTES-PERL.md)).
|
||||
|
||||
All of these can be obtained from the usual DJGPP mirror sites or
|
||||
directly at <http://www.delorie.com/pub/djgpp>. For help on which
|
||||
files to download, see the DJGPP "ZIP PICKER" page at
|
||||
<http://www.delorie.com/djgpp/zip-picker.html>. You also need to have
|
||||
the WATT-32 networking package installed before you try to compile
|
||||
OpenSSL. This can be obtained from <http://www.watt-32.net/>.
|
||||
The Makefile assumes that the WATT-32 code is in the directory
|
||||
specified by the environment variable WATT_ROOT. If you have watt-32
|
||||
in directory `watt32` under your main DJGPP directory, specify
|
||||
`WATT_ROOT="/dev/env/DJDIR/watt32"`.
|
||||
|
||||
To compile OpenSSL, start your BASH shell, then configure for DJGPP by
|
||||
running `./Configure` with appropriate arguments:
|
||||
|
||||
./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
|
||||
|
||||
And finally fire up `make`. You may run out of DPMI selectors when
|
||||
running in a DOS box under Windows. If so, just close the BASH
|
||||
shell, go back to Windows, and restart BASH. Then run `make` again.
|
||||
|
||||
RUN-TIME CAVEAT LECTOR
|
||||
--------------
|
||||
|
||||
Quoting FAQ:
|
||||
|
||||
"Cryptographic software needs a source of unpredictable data to work
|
||||
correctly. Many open source operating systems provide a "randomness
|
||||
device" (`/dev/urandom` or `/dev/random`) that serves this purpose."
|
||||
|
||||
As of version 0.9.7f DJGPP port checks upon `/dev/urandom$` for a 3rd
|
||||
party "randomness" DOS driver. One such driver, `NOISE.SYS`, can be
|
||||
obtained from <http://www.rahul.net/dkaufman/index.html>.
|
245
NOTES-NONSTOP.md
Normal file
245
NOTES-NONSTOP.md
Normal file
|
@ -0,0 +1,245 @@
|
|||
NOTES FOR THE HPE NONSTOP PLATFORM
|
||||
==============================
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed
|
||||
in [INSTALL.md](INSTALL.md), the following are required as well:
|
||||
|
||||
* The TNS/X platform supports hardware randomization.
|
||||
Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
|
||||
This is recommended but not required. `egd` is supported at 3.0 but cannot
|
||||
be used if FIPS is selected.
|
||||
* The TNS/E platform does not support hardware randomization, so
|
||||
specify the `--with-rand-seed=egd` option to the `./Configure` script.
|
||||
|
||||
About c99 compiler
|
||||
------------------
|
||||
|
||||
The c99 compiler is required for building OpenSSL from source. While c11
|
||||
may work, it has not been broadly tested. c99 is the only compiler
|
||||
prerequisite needed to build OpenSSL 3.0 on this platform. You should also
|
||||
have the FLOSS package installed on your system. The ITUGLIB FLOSS package
|
||||
is the only FLOSS variant that has been broadly tested.
|
||||
|
||||
Threading Models
|
||||
----------------
|
||||
|
||||
OpenSSL can be built using unthreaded, POSIX User Threads (PUT), or Standard
|
||||
POSIX Threads (SPT). Select the following build configuration for each on
|
||||
the TNS/X (L-Series) platform:
|
||||
|
||||
* `nonstop-nsx` or default will select an unthreaded build.
|
||||
* `nonstop-nsx_put` selects the PUT build.
|
||||
* `nonstop-nsx_64_put` selects the 64 bit file length PUT build.
|
||||
* `nonstop-nsx_spt_floss` selects the SPT build with FLOSS. FLOSS is
|
||||
required for SPT builds because of a known hang when using SPT on its own.
|
||||
|
||||
### TNS/E Considerations
|
||||
|
||||
The TNS/E platform is build using the same set of builds specifying `nse`
|
||||
instead of `nsx` in the set above.
|
||||
|
||||
You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
|
||||
option to `./Configure`.
|
||||
|
||||
About Prefix and OpenSSLDir
|
||||
---------------------------
|
||||
|
||||
Because there are many potential builds that must co-exist on any given
|
||||
NonStop node, managing the location of your build distribution is crucial.
|
||||
Keep each destination separate and distinct. Mixing any mode described in
|
||||
this document can cause application instability. The recommended approach
|
||||
is to specify the OpenSSL version and threading model in your configuration
|
||||
options, and keeping your memory and float options consistent, for example:
|
||||
|
||||
* For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
|
||||
* For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`
|
||||
|
||||
As of 3.0, the NonStop configurations use the multilib attribute to distinguish
|
||||
between different models:
|
||||
|
||||
* For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`
|
||||
|
||||
The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
|
||||
`${prefix}/lib64-put` for 64-bit models.
|
||||
|
||||
Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
|
||||
directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
|
||||
`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
|
||||
is installed.
|
||||
|
||||
Float Considerations
|
||||
--------------------
|
||||
|
||||
OpenSSL is built using IEEE Float mode by default. If you need a different
|
||||
IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
|
||||
Float) or `nfloat-x86-64` (for Neutral Float).
|
||||
|
||||
Memory Models
|
||||
-------------
|
||||
|
||||
The current OpenSSL default memory model uses the default platform address
|
||||
model. If you need a different address model, you must specify the appropriate
|
||||
c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).
|
||||
|
||||
Cross Compiling on Windows
|
||||
--------------------------
|
||||
|
||||
To configure and compile OpenSSL, you will need to set up a Cygwin environment.
|
||||
The Cygwin tools should include bash, make, and any other normal tools required
|
||||
for building programs.
|
||||
|
||||
Your `PATH` must include the bin directory for the c99 cross-compiler, as in:
|
||||
|
||||
export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH
|
||||
|
||||
This should be set before Configure is run. For the c99 cross-compiler to work
|
||||
correctly, you also need the `COMP_ROOT` set, as in:
|
||||
|
||||
export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"
|
||||
|
||||
`COMP_ROOT` needs to be in Windows form.
|
||||
|
||||
`Configure` must specify the `no-makedepend` option otherwise errors will
|
||||
result when running the build because the c99 cross-compiler does not support
|
||||
the `gcc -MT` option. An example of a `Configure` command to be run from the
|
||||
OpenSSL directory is:
|
||||
|
||||
./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
|
||||
|
||||
Do not forget to include any OpenSSL cross-compiling prefix and certificate
|
||||
options when creating your libraries.
|
||||
|
||||
The OpenSSL test suite will not run on your workstation. In order to verify the
|
||||
build, you will need to perform the build and test steps in OSS in your NonStop
|
||||
server. You can also build under gcc and run the test suite for Windows but that
|
||||
is not equivalent.
|
||||
|
||||
**Note:** In the event that you are attempting a FIPS-compliant cross-compile,
|
||||
be aware that signatures may not match between builds done under OSS and under
|
||||
cross-compiles as the compilers do not necessarily generate identical objects.
|
||||
Anything and everything to do with FIPS is outside the scope of this document.
|
||||
Refer to the FIPS security policy for more information.
|
||||
|
||||
The following build configurations have been successfully attempted at one
|
||||
point or another. If you are successful in your cross-compile efforts, please
|
||||
update this list:
|
||||
|
||||
- nonstop-nsx_64
|
||||
- nonstop-nsx_64_put
|
||||
|
||||
**Note:** Cross-compile builds for TNS/E have not been attempted, but should
|
||||
follow the same considerations as for TNS/X above. SPT builds generally require
|
||||
FLOSS, which is not available for workstation builds. As a result, SPT builds
|
||||
of OpenSSL cannot be cross-compiled.
|
||||
|
||||
Also see the NSDEE discussion below for more historical information.
|
||||
|
||||
Cross Compiling with NSDEE
|
||||
--------------------------
|
||||
|
||||
**Note:** None of these builds have been tested by the platform maintainer and
|
||||
are supplied for historical value. Please submit a Pull Request to OpenSSL
|
||||
should these need to be adjusted.
|
||||
|
||||
If you are attempting to build OpenSSL with NSDEE, you will need to specify
|
||||
the following variables. The following set of compiler defines are required:
|
||||
|
||||
# COMP_ROOT must be a full path for the build system (e.g. windows)
|
||||
COMP_ROOT=$(cygpath -w /path/to/comp_root)
|
||||
# CC must be executable by your shell
|
||||
CC=/path/to/c99
|
||||
|
||||
### Optional Build Variables
|
||||
|
||||
DBGFLAG="--debug"
|
||||
CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"
|
||||
|
||||
### Internal Known TNS/X to TNS/E Cross Compile Variables
|
||||
|
||||
The following definition is required if you are building on TNS/X for TNS/E
|
||||
and have access to a TNS/E machine on your EXPAND network - with an example
|
||||
node named `\CS3`:
|
||||
|
||||
SYSTEMLIBS="-L/E/cs3/usr/local/lib"
|
||||
|
||||
Version Procedure (VPROC) Considerations
|
||||
----------------------------------------
|
||||
|
||||
If you require a VPROC entry for platform version identification, use the
|
||||
following variables:
|
||||
|
||||
### For Itanium
|
||||
|
||||
OPENSSL_VPROC_PREFIX=T0085H06
|
||||
|
||||
### For x86
|
||||
|
||||
OPENSSL_VPROC_PREFIX=T0085L01
|
||||
|
||||
### Common Definition
|
||||
|
||||
export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
|
||||
. VERSION.dat
|
||||
if [ -n "$PRE_RELEASE_TAG" ]; then
|
||||
PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
|
||||
fi
|
||||
if [ -n "$BUILD_METADATA" ]; then
|
||||
BUILD_METADATA="+$BUILD_METADATA"
|
||||
fi
|
||||
echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
|
||||
sed -e 's/[-.+]/_/g'
|
||||
)
|
||||
|
||||
Example Configure Targets
|
||||
-------------------------
|
||||
|
||||
For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
|
||||
For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
|
||||
assumes that your PWD is set according to your installation standards.
|
||||
|
||||
./Configure nonstop-nsx --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_g --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_spt_floss --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_64 --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_64_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_g_tandem --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
|
||||
./Configure nonstop-nse --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_g --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_spt_floss --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_64 --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_64_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT"
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_g_tandem --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
127
NOTES-PERL.md
Normal file
127
NOTES-PERL.md
Normal file
|
@ -0,0 +1,127 @@
|
|||
Notes on Perl
|
||||
=============
|
||||
|
||||
- [General Notes](#general-notes)
|
||||
- [Perl on Windows](#perl-on-windows)
|
||||
- [Perl on VMS](#perl-on-vms)
|
||||
- [Perl on NonStop](#perl-on-nonstop)
|
||||
- [Required Perl modules](#required-perl-modules)
|
||||
- [Notes on installing a Perl module](#notes-on-installing-a-perl-module])
|
||||
|
||||
General Notes
|
||||
-------------
|
||||
|
||||
For our scripts, we rely quite a bit on Perl, and increasingly on
|
||||
some core Perl modules. These Perl modules are part of the Perl
|
||||
source, so if you build Perl on your own, you should be set.
|
||||
|
||||
However, if you install Perl as binary packages, the outcome might
|
||||
differ, and you may have to check that you do get the core modules
|
||||
installed properly. We do not claim to know them all, but experience
|
||||
has told us the following:
|
||||
|
||||
- on Linux distributions based on Debian, the package `perl` will
|
||||
install the core Perl modules as well, so you will be fine.
|
||||
- on Linux distributions based on RPMs, you will need to install
|
||||
`perl-core` rather than just `perl`.
|
||||
|
||||
You MUST have at least Perl version 5.10.0 installed. This minimum
|
||||
requirement is due to our use of regexp backslash sequence \R among
|
||||
other features that didn't exist in core Perl before that version.
|
||||
|
||||
Perl on Windows
|
||||
---------------
|
||||
|
||||
There are a number of build targets that can be viewed as "Windows".
|
||||
Indeed, there are `VC-*` configs targeting VisualStudio C, as well as
|
||||
MinGW and Cygwin. The key recommendation is to use a Perl installation
|
||||
that matches the build environment. For example, if you will build
|
||||
on Cygwin be sure to use the Cygwin package manager to install Perl.
|
||||
For MSYS builds use the MSYS provided Perl.
|
||||
For VC-* builds we recommend Strawberry Perl, from <http://strawberryperl.com>.
|
||||
An alternative is ActiveState Perl, from <http://www.activestate.com/ActivePerl>
|
||||
for which you may need to explicitly select the Perl module Win32/Console.pm
|
||||
available via <https://platform.activestate.com/ActiveState>.
|
||||
|
||||
Perl on VMS
|
||||
-----------
|
||||
|
||||
You will need to install Perl separately. One way to do so is to
|
||||
download the source from <http://perl.org/>, unpacking it, reading
|
||||
`README-VMS.md` and follow the instructions. Another way is to download a
|
||||
`.PCSI` file from <http://www.vmsperl.com/> and install it using the
|
||||
POLYCENTER install tool.
|
||||
|
||||
Perl on NonStop
|
||||
---------------
|
||||
|
||||
Perl is installed on HPE NonStop platforms as part of the Scripting Languages
|
||||
package T1203PAX file. The package is shipped as part of a NonStop RVU
|
||||
(Release Version Updates) package. Individual SPRs (Software Product Release)
|
||||
representing fixes can be obtained from the Scout website at
|
||||
<https://h22204.www2.hpe.com/NEP>. Follow the appropriate set of installation
|
||||
instructions for your operating system release as described in the
|
||||
Script Language User Guide available from the NonStop Technical Library.
|
||||
|
||||
Required Perl modules
|
||||
---------------------
|
||||
|
||||
We do our best to limit ourselves to core Perl modules to keep the
|
||||
requirements down. There are just a few exceptions.
|
||||
|
||||
* Text::Template this is required *for building*
|
||||
|
||||
To avoid unnecessary initial hurdles, we include a copy of this module
|
||||
in the source. It will work as a fallback if the module isn't already
|
||||
installed.
|
||||
|
||||
* `Test::More` this is required *for testing*
|
||||
|
||||
We require the minimum version to be 0.96, which appeared in Perl 5.13.4,
|
||||
because that version was the first to have all the features we're using.
|
||||
This module is required for testing only! If you don't plan on running
|
||||
the tests, you don't need to bother with this one.
|
||||
|
||||
Notes on installing a Perl module
|
||||
---------------------------------
|
||||
|
||||
There are a number of ways to install a perl module. In all
|
||||
descriptions below, `Text::Template` will serve as an example.
|
||||
|
||||
1. for Linux users, the easiest is to install with the use of your
|
||||
favorite package manager. Usually, all you need to do is search
|
||||
for the module name and to install the package that comes up.
|
||||
|
||||
On Debian based Linux distributions, it would go like this:
|
||||
|
||||
$ apt-cache search Text::Template
|
||||
...
|
||||
libtext-template-perl - perl module to process text templates
|
||||
$ sudo apt-get install libtext-template-perl
|
||||
|
||||
Perl modules in Debian based distributions use package names like
|
||||
the name of the module in question, with "lib" prepended and
|
||||
"-perl" appended.
|
||||
|
||||
2. Install using CPAN. This is very easy, but usually requires root
|
||||
access:
|
||||
|
||||
$ cpan -i Text::Template
|
||||
|
||||
Note that this runs all the tests that the module to be installed
|
||||
comes with. This is usually a smooth operation, but there are
|
||||
platforms where a failure is indicated even though the actual tests
|
||||
were successful. Should that happen, you can force an
|
||||
installation regardless (that should be safe since you've already
|
||||
seen the tests succeed!):
|
||||
|
||||
$ cpan -f -i Text::Template
|
||||
|
||||
Note: on VMS, you must quote any argument that contains upper case
|
||||
characters, so the lines above would be:
|
||||
|
||||
$ cpan -i "Text::Template"
|
||||
|
||||
and:
|
||||
|
||||
$ cpan -f -i "Text::Template"
|
|
@ -1,9 +1,8 @@
|
|||
Notes for UNIX-like platforms
|
||||
=============================
|
||||
|
||||
NOTES FOR UNIX LIKE PLATFORMS
|
||||
=============================
|
||||
|
||||
For Unix/POSIX runtime systems on Windows, please see NOTES.WIN.
|
||||
|
||||
For Unix/POSIX runtime systems on Windows,
|
||||
please see the [Notes for Windows platforms](NOTES-WINDOWS.md).
|
||||
|
||||
OpenSSL uses the compiler to link programs and shared libraries
|
||||
---------------------------------------------------------------
|
||||
|
@ -13,21 +12,20 @@
|
|||
objects. Because of this, any linking option that's given to the
|
||||
configuration scripts MUST be in a form that the compiler can accept.
|
||||
This varies between systems, where some have compilers that accept
|
||||
linker flags directly, while others take them in '-Wl,' form. You need
|
||||
linker flags directly, while others take them in `-Wl,` form. You need
|
||||
to read your compiler documentation to figure out what is acceptable,
|
||||
and ld(1) to figure out what linker options are available.
|
||||
|
||||
and `ld(1)` to figure out what linker options are available.
|
||||
|
||||
Shared libraries and installation in non-default locations
|
||||
----------------------------------------------------------
|
||||
|
||||
Every Unix system has its own set of default locations for shared
|
||||
libraries, such as /lib, /usr/lib or possibly /usr/local/lib. If
|
||||
libraries, such as `/lib`, `/usr/lib` or possibly `/usr/local/lib`. If
|
||||
libraries are installed in non-default locations, dynamically linked
|
||||
binaries will not find them and therefore fail to run, unless they get
|
||||
a bit of help from a defined runtime shared library search path.
|
||||
|
||||
For OpenSSL's application (the 'openssl' command), our configuration
|
||||
For OpenSSL's application (the `openssl` command), our configuration
|
||||
scripts do NOT generally set the runtime shared library search path for
|
||||
you. It's therefore advisable to set it explicitly when configuring,
|
||||
unless the libraries are to be installed in directories that you know
|
||||
|
@ -42,15 +40,16 @@
|
|||
Possible options to set the runtime shared library search path include
|
||||
the following:
|
||||
|
||||
-Wl,-rpath,/whatever/path # Linux, *BSD, etc.
|
||||
-R /whatever/path # Solaris
|
||||
-Wl,-R,/whatever/path # AIX (-bsvr4 is passed internally)
|
||||
-Wl,+b,/whatever/path # HP-UX
|
||||
-rpath /whatever/path # Tru64, IRIX
|
||||
-Wl,-rpath,/whatever/path # Linux, *BSD, etc.
|
||||
-R /whatever/path # Solaris
|
||||
-Wl,-R,/whatever/path # AIX (-bsvr4 is passed internally)
|
||||
-Wl,+b,/whatever/path # HP-UX
|
||||
-rpath /whatever/path # Tru64, IRIX
|
||||
|
||||
OpenSSL's configuration scripts recognise all these options and pass
|
||||
them to the Makefile that they build. (In fact, all arguments starting
|
||||
with '-Wl,' are recognised as linker options.)
|
||||
with `-Wl,` are recognised as linker options.)
|
||||
Please note that 'l' in '-Wl' is lowercase L and not 1.
|
||||
|
||||
Please do not use verbatim directories in your runtime shared library
|
||||
search path! Some OpenSSL config targets add an extra directory level
|
||||
|
@ -59,41 +58,40 @@
|
|||
used with the runtime shared library search path options, as shown in
|
||||
this example:
|
||||
|
||||
$ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
$ ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
'-Wl,-rpath,$(LIBRPATH)'
|
||||
|
||||
On modern ELF based systems, there are two runtime search paths tags to
|
||||
consider, DT_RPATH and DT_RUNPATH. Shared objects are searched for in
|
||||
consider, `DT_RPATH` and `DT_RUNPATH`. Shared objects are searched for in
|
||||
this order:
|
||||
|
||||
1. Using directories specified in DT_RPATH, unless DT_RUNPATH is
|
||||
also set.
|
||||
2. Using the environment variable LD_LIBRARY_PATH
|
||||
3. Using directories specified in DT_RUNPATH.
|
||||
4. Using system shared object caches and default directories.
|
||||
1. Using directories specified in DT_RPATH, unless DT_RUNPATH is also set.
|
||||
2. Using the environment variable LD_LIBRARY_PATH
|
||||
3. Using directories specified in DT_RUNPATH.
|
||||
4. Using system shared object caches and default directories.
|
||||
|
||||
This means that the values in the environment variable LD_LIBRARY_PATH
|
||||
won't matter if the library is found in the paths given by DT_RPATH
|
||||
(and DT_RUNPATH isn't set).
|
||||
This means that the values in the environment variable `LD_LIBRARY_PATH`
|
||||
won't matter if the library is found in the paths given by `DT_RPATH`
|
||||
(and `DT_RUNPATH` isn't set).
|
||||
|
||||
Exactly which of DT_RPATH or DT_RUNPATH is set by default appears to
|
||||
Exactly which of `DT_RPATH` or `DT_RUNPATH` is set by default appears to
|
||||
depend on the system. For example, according to documentation,
|
||||
DT_RPATH appears to be deprecated on Solaris in favor of DT_RUNPATH,
|
||||
while on Debian GNU/Linux, either can be set, and DT_RPATH is the
|
||||
`DT_RPATH` appears to be deprecated on Solaris in favor of `DT_RUNPATH`,
|
||||
while on Debian GNU/Linux, either can be set, and `DT_RPATH` is the
|
||||
default at the time of writing.
|
||||
|
||||
How to choose which runtime search path tag is to be set depends on
|
||||
your system, please refer to ld(1) for the exact information on your
|
||||
system. As an example, the way to ensure the DT_RUNPATH is set on
|
||||
system. As an example, the way to ensure the `DT_RUNPATH` is set on
|
||||
Debian GNU/Linux systems rather than DT_RPATH is to tell the linker to
|
||||
set new dtags, like this:
|
||||
|
||||
$ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
$ ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
'-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)'
|
||||
|
||||
It might be worth noting that some/most ELF systems implement support
|
||||
for runtime search path relative to the directory containing current
|
||||
executable, by interpreting $ORIGIN along with some other internal
|
||||
executable, by interpreting `$ORIGIN` along with some other internal
|
||||
variables. Consult your system documentation.
|
||||
|
||||
Linking your application
|
||||
|
@ -104,7 +102,7 @@
|
|||
The OpenSSL config options mentioned above might or might not have bearing
|
||||
on linking of the target application. "Might" means that under some
|
||||
circumstances it would be sufficient to link with OpenSSL shared library
|
||||
"naturally", i.e. with -L/whatever/path -lssl -lcrypto. But there are
|
||||
"naturally", i.e. with `-L/whatever/path -lssl -lcrypto`. But there are
|
||||
also cases when you'd have to explicitly specify runtime search path
|
||||
when linking your application. Consult your system documentation and use
|
||||
above section as inspiration...
|
||||
|
@ -114,4 +112,4 @@
|
|||
for shared libraries first and tend to remain "blind" to static OpenSSL
|
||||
libraries. Referring to system documentation would suffice, if not for
|
||||
a corner case. On AIX static libraries (in shared build) are named
|
||||
differently, add _a suffix to link with them, e.g. -lcrypto_a.
|
||||
differently, add `_a` suffix to link with them, e.g. `-lcrypto_a`.
|
72
NOTES-VALGRIND.md
Normal file
72
NOTES-VALGRIND.md
Normal file
|
@ -0,0 +1,72 @@
|
|||
Notes on Valgrind
|
||||
=================
|
||||
|
||||
Valgrind is a test harness that includes many tools such as memcheck,
|
||||
which is commonly used to check for memory leaks, etc. The default tool
|
||||
run by Valgrind is memcheck. There are other tools available, but this
|
||||
will focus on memcheck.
|
||||
|
||||
Valgrind runs programs in a virtual machine, this means OpenSSL unit
|
||||
tests run under Valgrind will take longer than normal.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
1. Platform supported by Valgrind
|
||||
See <http://valgrind.org/info/platforms.html>
|
||||
2. Valgrind installed on the platform
|
||||
See <http://valgrind.org/downloads/current.html>
|
||||
3. OpenSSL compiled
|
||||
See [INSTALL.md](INSTALL.md)
|
||||
|
||||
Running Tests
|
||||
-------------
|
||||
|
||||
Test behavior can be modified by adjusting environment variables.
|
||||
|
||||
`EXE_SHELL`
|
||||
|
||||
This variable is used to specify the shell used to execute OpenSSL test
|
||||
programs. The default wrapper (`util/wrap.pl`) initializes the environment
|
||||
to allow programs to find shared libraries. The variable can be modified
|
||||
to specify a different executable environment.
|
||||
|
||||
EXE_SHELL=\
|
||||
"`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"
|
||||
|
||||
This will start up Valgrind with the default checker (`memcheck`).
|
||||
The `--error-exitcode=1` option specifies that Valgrind should exit with an
|
||||
error code of 1 when memory leaks occur.
|
||||
The `--leak-check=full` option specifies extensive memory checking.
|
||||
The `-q` option prints only error messages.
|
||||
Additional Valgrind options may be added to the `EXE_SHELL` variable.
|
||||
|
||||
`OPENSSL_ia32cap`
|
||||
|
||||
This variable controls the processor-specific code on Intel processors.
|
||||
By default, OpenSSL will attempt to figure out the capabilities of a
|
||||
processor, and use it to its fullest capability. This variable can be
|
||||
used to control what capabilities OpenSSL uses.
|
||||
|
||||
As of valgrind-3.15.0 on Linux/x86_64, instructions up to AVX2 are
|
||||
supported. Setting the following disables instructions beyond AVX2:
|
||||
|
||||
`OPENSSL_ia32cap=":0"`
|
||||
|
||||
This variable may need to be set to something different based on the
|
||||
processor and Valgrind version you are running tests on. More information
|
||||
may be found in [doc/man3/OPENSSL_ia32cap.pod](doc/man3/OPENSSL_ia32cap.pod).
|
||||
|
||||
Additional variables (such as `VERBOSE` and `TESTS`) are described in the
|
||||
file [test/README.md](test/README.md).
|
||||
|
||||
Example command line:
|
||||
|
||||
$ make test EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 \
|
||||
--leak-check=full -q" OPENSSL_ia32cap=":0"
|
||||
|
||||
If an error occurs, you can then run the specific test via the `TESTS` variable
|
||||
with the `VERBOSE` or `VF` or `VFP` options to gather additional information.
|
||||
|
||||
$ make test VERBOSE=1 TESTS=test_test EXE_SHELL="`/bin/pwd`/util/wrap.pl \
|
||||
valgrind --error-exitcode=1 --leak-check=full -q" OPENSSL_ia32cap=":0"
|
115
NOTES-VMS.md
Normal file
115
NOTES-VMS.md
Normal file
|
@ -0,0 +1,115 @@
|
|||
Notes for the OpenVMS platform
|
||||
==============================
|
||||
|
||||
- [Requirement details](#requirement-details)
|
||||
- [About ANSI C compiler](#about-ansi-c-compiler)
|
||||
- [About ODS-5 directory names and Perl](#about-ods-5-directory-names-and-perl)
|
||||
- [About MMS and DCL](#about-mms-and-dcl)
|
||||
- [About debugging](#about-debugging)
|
||||
- [Checking the distribution](#checking-the-distribution)
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed
|
||||
in [INSTALL.md](INSTALL.md), this are required as well:
|
||||
|
||||
* At least ODS-5 disk organization for source and build.
|
||||
Installation can be done on any existing disk organization.
|
||||
|
||||
About ANSI C compiler
|
||||
---------------------
|
||||
|
||||
An ANSI C compiled is needed among other things. This means that
|
||||
VAX C is not and will not be supported.
|
||||
|
||||
We have only tested with DEC C (aka HP VMS C / VSI C) and require
|
||||
version 7.1 or later. Compiling with a different ANSI C compiler may
|
||||
require some work.
|
||||
|
||||
Please avoid using C RTL feature logical names `DECC$*` when building
|
||||
and testing OpenSSL. Most of all, they can be disruptive when
|
||||
running the tests, as they affect the Perl interpreter.
|
||||
|
||||
About ODS-5 directory names and Perl
|
||||
------------------------------------
|
||||
|
||||
It seems that the perl function canonpath() in the `File::Spec` module
|
||||
doesn't treat file specifications where the last directory name
|
||||
contains periods very well. Unfortunately, some versions of VMS tar
|
||||
will keep the periods in the OpenSSL source directory instead of
|
||||
converting them to underscore, thereby leaving your source in
|
||||
something like `[.openssl-1^.1^.0]`. This will lead to issues when
|
||||
configuring and building OpenSSL.
|
||||
|
||||
We have no replacement for Perl's canonpath(), so the best workaround
|
||||
for now is to rename the OpenSSL source directory, as follows (please
|
||||
adjust for the actual source directory name you have):
|
||||
|
||||
$ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR
|
||||
|
||||
About MMS and DCL
|
||||
-----------------
|
||||
|
||||
MMS has certain limitations when it comes to line length, and DCL has
|
||||
certain limitations when it comes to total command length. We do
|
||||
what we can to mitigate, but there is the possibility that it's not
|
||||
enough. Should you run into issues, a very simple solution is to set
|
||||
yourself up a few logical names for the directory trees you're going
|
||||
to use.
|
||||
|
||||
About debugging
|
||||
---------------
|
||||
|
||||
If you build for debugging, the default on VMS is that image
|
||||
activation starts the debugger automatically, giving you a debug
|
||||
prompt. Unfortunately, this disrupts all other uses, such as running
|
||||
test programs in the test framework.
|
||||
|
||||
Generally speaking, if you build for debugging, only use the programs
|
||||
directly for debugging. Do not try to use them from a script, such
|
||||
as running the test suite.
|
||||
|
||||
### The following is not available on Alpha
|
||||
|
||||
As a compromise, we're turning off the flag that makes the debugger
|
||||
start automatically. If there is a program that you need to debug,
|
||||
you need to turn that flag back on first, for example:
|
||||
|
||||
$ set image /flag=call_debug [.test]evp_test.exe
|
||||
|
||||
Then just run it and you will find yourself in a debugging session.
|
||||
When done, we recommend that you turn that flag back off:
|
||||
|
||||
$ set image /flag=nocall_debug [.test]evp_test.exe
|
||||
|
||||
Checking the distribution
|
||||
-------------------------
|
||||
|
||||
There have been reports of places where the distribution didn't quite
|
||||
get through, for example if you've copied the tree from a NFS-mounted
|
||||
Unix mount point.
|
||||
|
||||
The easiest way to check if everything got through as it should is to
|
||||
check that this file exists:
|
||||
|
||||
[.include.openssl]configuration^.h.in
|
||||
|
||||
The best way to get a correct distribution is to download the gzipped
|
||||
tar file from ftp://ftp.openssl.org/source/, use `GZIP -d` to uncompress
|
||||
it and `VMSTAR` to unpack the resulting tar file.
|
||||
|
||||
Gzip and VMSTAR are available here:
|
||||
|
||||
<http://antinode.info/dec/index.html#Software>
|
||||
|
||||
Should you need it, you can find UnZip for VMS here:
|
||||
|
||||
<http://www.info-zip.org/UnZip.html>
|
||||
|
||||
How the value of 'arch' is determined
|
||||
-------------------------------------
|
||||
|
||||
'arch' is mentioned in INSTALL. It's value is determined like this:
|
||||
|
||||
arch = f$edit( f$getsyi( "arch_name"), "upcase")
|
265
NOTES-WINDOWS.md
Normal file
265
NOTES-WINDOWS.md
Normal file
|
@ -0,0 +1,265 @@
|
|||
Notes for Windows platforms
|
||||
===========================
|
||||
|
||||
- [Native builds using Visual C++](#native-builds-using-visual-c++)
|
||||
- [Native builds using Embarcadero C++Builder](
|
||||
#native-builds-using-embarcadero-c++-builder)
|
||||
- [Native builds using MinGW](#native-builds-using-mingw)
|
||||
- [Linking native applications](#linking-native-applications)
|
||||
- [Hosted builds using Cygwin](#hosted-builds-using-cygwin)
|
||||
|
||||
There are various options to build and run OpenSSL on the Windows platforms.
|
||||
|
||||
"Native" OpenSSL uses the Windows APIs directly at run time.
|
||||
To build a native OpenSSL you can either use:
|
||||
|
||||
Microsoft Visual C++ (MSVC) C compiler on the command line
|
||||
or
|
||||
Embarcadero C++Builder
|
||||
or
|
||||
MinGW cross compiler
|
||||
run on the GNU-like development environment MSYS2
|
||||
or run on Linux or Cygwin
|
||||
|
||||
"Hosted" OpenSSL relies on an external POSIX compatibility layer
|
||||
for building (using GNU/Unix shell, compiler, and tools) and at run time.
|
||||
For this option you can use Cygwin.
|
||||
|
||||
Native builds using Visual C++
|
||||
==============================
|
||||
|
||||
The native builds using Visual C++ have a `VC-*` prefix.
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed in `INSTALL.md`,
|
||||
these are required as well:
|
||||
|
||||
### Perl
|
||||
|
||||
We recommend Strawberry Perl, available from <http://strawberryperl.com/>
|
||||
Please read NOTES.PERL for more information, including the use of CPAN.
|
||||
An alternative is ActiveState Perl, <https://www.activestate.com/ActivePerl>
|
||||
for which you may need to explicitly build the Perl module Win32/Console.pm
|
||||
via <https://platform.activestate.com/ActiveState> and then download it.
|
||||
|
||||
### Microsoft Visual C compiler.
|
||||
|
||||
Since these are proprietary and ever-changing we cannot test them all.
|
||||
Older versions may not work. Use a recent version wherever possible.
|
||||
|
||||
### Netwide Assembler (NASM)
|
||||
|
||||
NASM is the only supported assembler. It is available from <https://www.nasm.us>.
|
||||
|
||||
Quick start
|
||||
-----------
|
||||
|
||||
1. Install Perl
|
||||
|
||||
2. Install NASM
|
||||
|
||||
3. Make sure both Perl and NASM are on your %PATH%
|
||||
|
||||
4. Use Visual Studio Developer Command Prompt with administrative privileges,
|
||||
choosing one of its variants depending on the intended architecture.
|
||||
Or run `cmd` and execute `vcvarsall.bat` with one of the options `x86`,
|
||||
`x86_amd64`, `x86_arm`, `x86_arm64`, `amd64`, `amd64_x86`, `amd64_arm`,
|
||||
or `amd64_arm64`.
|
||||
This sets up the environment variables needed for `nmake.exe`, `cl.exe`,
|
||||
etc.
|
||||
See also
|
||||
<https://docs.microsoft.com/cpp/build/building-on-the-command-line>
|
||||
|
||||
5. From the root of the OpenSSL source directory enter
|
||||
- `perl Configure VC-WIN32` if you want 32-bit OpenSSL or
|
||||
- `perl Configure VC-WIN64A` if you want 64-bit OpenSSL or
|
||||
- `perl Configure VC-WIN64-ARM` if you want Windows on Arm (win-arm64)
|
||||
OpenSSL or
|
||||
- `perl Configure` to let Configure figure out the platform
|
||||
|
||||
6. `nmake`
|
||||
|
||||
7. `nmake test`
|
||||
|
||||
8. `nmake install`
|
||||
|
||||
For the full installation instructions, or if anything goes wrong at any stage,
|
||||
check the INSTALL.md file.
|
||||
|
||||
Installation directories
|
||||
------------------------
|
||||
|
||||
The default installation directories are derived from environment
|
||||
variables.
|
||||
|
||||
For VC-WIN32, the following defaults are use:
|
||||
|
||||
PREFIX: %ProgramFiles(x86)%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramFiles(x86)%\SSL
|
||||
|
||||
For VC-WIN64, the following defaults are use:
|
||||
|
||||
PREFIX: %ProgramW6432%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramW6432%\SSL
|
||||
|
||||
Should those environment variables not exist (on a pure Win32
|
||||
installation for examples), these fallbacks are used:
|
||||
|
||||
PREFIX: %ProgramFiles%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramFiles%\SSL
|
||||
|
||||
ALSO NOTE that those directories are usually write protected, even if
|
||||
your account is in the Administrators group. To work around that,
|
||||
start the command prompt by right-clicking on it and choosing "Run as
|
||||
Administrator" before running `nmake install`. The other solution
|
||||
is, of course, to choose a different set of directories by using
|
||||
`--prefix` and `--openssldir` when configuring.
|
||||
|
||||
Special notes for Universal Windows Platform builds, aka `VC-*-UWP`
|
||||
-------------------------------------------------------------------
|
||||
|
||||
- UWP targets only support building the static and dynamic libraries.
|
||||
|
||||
- You should define the platform type to `uwp` and the target arch via
|
||||
`vcvarsall.bat` before you compile. For example, if you want to build
|
||||
`arm64` builds, you should run `vcvarsall.bat x86_arm64 uwp`.
|
||||
|
||||
Native builds using Embarcadero C++Builder
|
||||
=========================================
|
||||
|
||||
This toolchain (a descendant of Turbo/Borland C++) is an alternative to MSVC.
|
||||
OpenSSL currently includes an experimental 32-bit configuration targeting the
|
||||
Clang-based compiler (`bcc32c.exe`) in v10.3.3 Community Edition.
|
||||
<https://www.embarcadero.com/products/cbuilder/starter>
|
||||
|
||||
1. Install Perl.
|
||||
|
||||
2. Open the RAD Studio Command Prompt.
|
||||
|
||||
3. Go to the root of the OpenSSL source directory and run:
|
||||
`perl Configure BC-32 --prefix=%CD%`
|
||||
|
||||
4. `make -N`
|
||||
|
||||
5. `make -N test`
|
||||
|
||||
6. Build your program against this OpenSSL:
|
||||
* Set your include search path to the "include" subdirectory of OpenSSL.
|
||||
* Set your library search path to the OpenSSL source directory.
|
||||
|
||||
Note that this is very experimental. Support for 64-bit and other Configure
|
||||
options is still pending.
|
||||
|
||||
Native builds using MinGW
|
||||
=========================
|
||||
|
||||
MinGW offers an alternative way to build native OpenSSL, by cross compilation.
|
||||
|
||||
* Usually the build is done on Windows in a GNU-like environment called MSYS2.
|
||||
|
||||
MSYS2 provides GNU tools, a Unix-like command prompt,
|
||||
and a UNIX compatibility layer for applications.
|
||||
However, in this context it is only used for building OpenSSL.
|
||||
The resulting OpenSSL does not rely on MSYS2 to run and is fully native.
|
||||
|
||||
Requirement details
|
||||
|
||||
- MSYS2 shell, from <https://www.msys2.org/>
|
||||
|
||||
- Perl, at least version 5.10.0, which usually comes pre-installed with MSYS2
|
||||
|
||||
- make, installed using `pacman -S make` into the MSYS2 environment
|
||||
|
||||
- MinGW[64] compiler: `mingw-w64-i686-gcc` and/or `mingw-w64-x86_64-gcc`.
|
||||
These compilers must be on your MSYS2 $PATH.
|
||||
A common error is to not have these on your $PATH.
|
||||
The MSYS2 version of gcc will not work correctly here.
|
||||
|
||||
In the MSYS2 shell do the configuration depending on the target architecture:
|
||||
|
||||
./Configure mingw ...
|
||||
|
||||
or
|
||||
|
||||
./Configure mingw64 ...
|
||||
|
||||
or
|
||||
|
||||
./Configure ...
|
||||
|
||||
for the default architecture.
|
||||
|
||||
Apart from that, follow the Unix / Linux instructions in `INSTALL.md`.
|
||||
|
||||
* It is also possible to build mingw[64] on Linux or Cygwin.
|
||||
|
||||
In this case configure with the corresponding `--cross-compile-prefix=`
|
||||
option. For example
|
||||
|
||||
./Configure mingw --cross-compile-prefix=i686-w64-mingw32- ...
|
||||
|
||||
or
|
||||
|
||||
./Configure mingw64 --cross-compile-prefix=x86_64-w64-mingw32- ...
|
||||
|
||||
This requires that you've installed the necessary add-on packages for
|
||||
mingw[64] cross compilation.
|
||||
|
||||
Linking native applications
|
||||
===========================
|
||||
|
||||
This section applies to all native builds.
|
||||
|
||||
If you link with static OpenSSL libraries then you're expected to
|
||||
additionally link your application with `WS2_32.LIB`, `GDI32.LIB`,
|
||||
`ADVAPI32.LIB`, `CRYPT32.LIB` and `USER32.LIB`. Those developing
|
||||
non-interactive service applications might feel concerned about
|
||||
linking with `GDI32.LIB` and `USER32.LIB`, as they are justly associated
|
||||
with interactive desktop, which is not available to service
|
||||
processes. The toolkit is designed to detect in which context it's
|
||||
currently executed, GUI, console app or service, and act accordingly,
|
||||
namely whether or not to actually make GUI calls. Additionally those
|
||||
who wish to `/DELAYLOAD:GDI32.DLL` and `/DELAYLOAD:USER32.DLL` and
|
||||
actually keep them off service process should consider implementing
|
||||
and exporting from .exe image in question own `_OPENSSL_isservice` not
|
||||
relying on `USER32.DLL`. E.g., on Windows Vista and later you could:
|
||||
|
||||
__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
|
||||
{
|
||||
DWORD sess;
|
||||
|
||||
if (ProcessIdToSessionId(GetCurrentProcessId(), &sess))
|
||||
return sess == 0;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
If you link with OpenSSL .DLLs, then you're expected to include into
|
||||
your application code a small "shim" snippet, which provides
|
||||
the glue between the OpenSSL BIO layer and your compiler run-time.
|
||||
See also the OPENSSL_Applink manual page.
|
||||
|
||||
Hosted builds using Cygwin
|
||||
==========================
|
||||
|
||||
Cygwin implements a POSIX/Unix runtime system (`cygwin1.dll`) on top of the
|
||||
Windows subsystem and provides a Bash shell and GNU tools environment.
|
||||
Consequently, a build of OpenSSL with Cygwin is virtually identical to the
|
||||
Unix procedure.
|
||||
|
||||
To build OpenSSL using Cygwin, you need to:
|
||||
|
||||
* Install Cygwin, see <https://cygwin.com/>
|
||||
|
||||
* Install Cygwin Perl, at least version 5.10.0
|
||||
and ensure it is in the $PATH
|
||||
|
||||
* Run the Cygwin Bash shell
|
||||
|
||||
Apart from that, follow the Unix / Linux instructions in INSTALL.md.
|
||||
|
||||
NOTE: `make test` and normal file operations may fail in directories
|
||||
mounted as text (i.e. `mount -t c:\somewhere /home`) due to Cygwin
|
||||
stripping of carriage returns. To avoid this ensure that a binary
|
||||
mount is used, e.g. `mount -b c:\somewhere /home`.
|
119
NOTES.PERL
119
NOTES.PERL
|
@ -1,119 +0,0 @@
|
|||
TOC
|
||||
===
|
||||
|
||||
- Notes on Perl
|
||||
- Notes on Perl on Windows
|
||||
- Notes on Perl modules we use
|
||||
- Notes on installing a perl module
|
||||
|
||||
Notes on Perl
|
||||
-------------
|
||||
|
||||
For our scripts, we rely quite a bit on Perl, and increasingly on
|
||||
some core Perl modules. These Perl modules are part of the Perl
|
||||
source, so if you build Perl on your own, you should be set.
|
||||
|
||||
However, if you install Perl as binary packages, the outcome might
|
||||
differ, and you may have to check that you do get the core modules
|
||||
installed properly. We do not claim to know them all, but experience
|
||||
has told us the following:
|
||||
|
||||
- on Linux distributions based on Debian, the package 'perl' will
|
||||
install the core Perl modules as well, so you will be fine.
|
||||
- on Linux distributions based on RPMs, you will need to install
|
||||
'perl-core' rather than just 'perl'.
|
||||
|
||||
You MUST have at least Perl version 5.10.0 installed. This minimum
|
||||
requirement is due to our use of regexp backslash sequence \R among
|
||||
other features that didn't exist in core Perl before that version.
|
||||
|
||||
Notes on Perl on Windows
|
||||
------------------------
|
||||
|
||||
There are a number of build targets that can be viewed as "Windows".
|
||||
Indeed, there are VC-* configs targeting VisualStudio C, as well as
|
||||
MinGW and Cygwin. The key recommendation is to use "matching" Perl,
|
||||
one that matches build environment. For example, if you will build
|
||||
on Cygwin be sure to use the Cygwin package manager to install Perl.
|
||||
For MSYS builds use the MSYS provided Perl. For VC-* builds we
|
||||
recommend ActiveState Perl, available from
|
||||
http://www.activestate.com/ActivePerl.
|
||||
|
||||
Notes on Perl on VMS
|
||||
--------------------
|
||||
|
||||
You will need to install Perl separately. One way to do so is to
|
||||
download the source from http://perl.org/, unpacking it, reading
|
||||
README.vms and follow the instructions. Another way is to download a
|
||||
.PCSI file from http://www.vmsperl.com/ and install it using the
|
||||
POLYCENTER install tool.
|
||||
|
||||
Notes on Perl modules we use
|
||||
----------------------------
|
||||
|
||||
We make increasing use of Perl modules, and do our best to limit
|
||||
ourselves to core Perl modules to keep the requirements down. There
|
||||
are just a few exceptions:
|
||||
|
||||
Test::More We require the minimum version to be 0.96, which
|
||||
appeared in Perl 5.13.4, because that version was
|
||||
the first to have all the features we're using.
|
||||
This module is required for testing only! If you
|
||||
don't plan on running the tests, you don't need to
|
||||
bother with this one.
|
||||
|
||||
Text::Template This module is not part of the core Perl modules.
|
||||
As a matter of fact, the core Perl modules do not
|
||||
include any templating module to date.
|
||||
This module is absolutely needed, configuration
|
||||
depends on it.
|
||||
|
||||
To avoid unnecessary initial hurdles, we have bundled a copy of the
|
||||
following modules in our source. They will work as fallbacks if
|
||||
these modules aren't already installed on the system.
|
||||
|
||||
Text::Template
|
||||
|
||||
Notes on installing a perl module
|
||||
---------------------------------
|
||||
|
||||
There are a number of ways to install a perl module. In all
|
||||
descriptions below, Text::Template will serve as an example.
|
||||
|
||||
1. for Linux users, the easiest is to install with the use of your
|
||||
favorite package manager. Usually, all you need to do is search
|
||||
for the module name and to install the package that comes up.
|
||||
|
||||
On Debian based Linux distributions, it would go like this:
|
||||
|
||||
$ apt-cache search Text::Template
|
||||
...
|
||||
libtext-template-perl - perl module to process text templates
|
||||
$ sudo apt-get install libtext-template-perl
|
||||
|
||||
Perl modules in Debian based distributions use package names like
|
||||
the name of the module in question, with "lib" prepended and
|
||||
"-perl" appended.
|
||||
|
||||
2. Install using CPAN. This is very easy, but usually requires root
|
||||
access:
|
||||
|
||||
$ cpan -i Text::Template
|
||||
|
||||
Note that this runs all the tests that the module to be installed
|
||||
comes with. This is usually a smooth operation, but there are
|
||||
platforms where a failure is indicated even though the actual tests
|
||||
were successful. Should that happen, you can force an
|
||||
installation regardless (that should be safe since you've already
|
||||
seen the tests succeed!):
|
||||
|
||||
$ cpan -f -i Text::Template
|
||||
|
||||
Note: on VMS, you must quote any argument that contains uppercase
|
||||
characters, so the lines above would be:
|
||||
|
||||
$ cpan -i "Text::Template"
|
||||
|
||||
and:
|
||||
|
||||
$ cpan -f -i "Text::Template"
|
93
README
93
README
|
@ -1,93 +0,0 @@
|
|||
|
||||
OpenSSL 1.1.1t 7 Feb 2023
|
||||
|
||||
Copyright (c) 1998-2022 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
|
||||
The OpenSSL Project is a collaborative effort to develop a robust,
|
||||
commercial-grade, fully featured, and Open Source toolkit implementing the
|
||||
Transport Layer Security (TLS) protocols (including SSLv3) as well as a
|
||||
full-strength general purpose cryptographic library.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
|
||||
OpenSSL license plus the SSLeay license), which means that you are free to
|
||||
get and use it for commercial and non-commercial purposes as long as you
|
||||
fulfill the conditions of both licenses.
|
||||
|
||||
OVERVIEW
|
||||
--------
|
||||
|
||||
The OpenSSL toolkit includes:
|
||||
|
||||
libssl (with platform specific naming):
|
||||
Provides the client and server-side implementations for SSLv3 and TLS.
|
||||
|
||||
libcrypto (with platform specific naming):
|
||||
Provides general cryptographic and X.509 support needed by SSL/TLS but
|
||||
not logically part of it.
|
||||
|
||||
openssl:
|
||||
A command line tool that can be used for:
|
||||
Creation of key parameters
|
||||
Creation of X.509 certificates, CSRs and CRLs
|
||||
Calculation of message digests
|
||||
Encryption and decryption
|
||||
SSL/TLS client and server tests
|
||||
Handling of S/MIME signed or encrypted mail
|
||||
And more...
|
||||
|
||||
INSTALLATION
|
||||
------------
|
||||
|
||||
See the appropriate file:
|
||||
INSTALL Linux, Unix, Windows, OpenVMS, ...
|
||||
NOTES.* INSTALL addendums for different platforms
|
||||
|
||||
SUPPORT
|
||||
-------
|
||||
|
||||
See the OpenSSL website www.openssl.org for details on how to obtain
|
||||
commercial technical support. Free community support is available through the
|
||||
openssl-users email list (see
|
||||
https://www.openssl.org/community/mailinglists.html for further details).
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
- Download the latest version from the repository
|
||||
to see if the problem has already been addressed
|
||||
- Configure with no-asm
|
||||
- Remove compiler optimization flags
|
||||
|
||||
If you wish to report a bug then please include the following information
|
||||
and create an issue on GitHub:
|
||||
|
||||
- OpenSSL version: output of 'openssl version -a'
|
||||
- Configuration data: output of 'perl configdata.pm --dump'
|
||||
- OS Name, Version, Hardware platform
|
||||
- Compiler Details (name, version)
|
||||
- Application Details (name, version)
|
||||
- Problem Description (steps that will reproduce the problem, if known)
|
||||
- Stack Traceback (if the application dumps core)
|
||||
|
||||
Just because something doesn't work the way you expect does not mean it
|
||||
is necessarily a bug in OpenSSL. Use the openssl-users email list for this type
|
||||
of query.
|
||||
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
See CONTRIBUTING
|
||||
|
||||
LEGALITIES
|
||||
----------
|
||||
|
||||
A number of nations restrict the use or export of cryptography. If you
|
||||
are potentially subject to such restrictions you should seek competent
|
||||
professional legal advice before attempting to develop or distribute
|
||||
cryptographic code.
|
316
README-ENGINES.md
Normal file
316
README-ENGINES.md
Normal file
|
@ -0,0 +1,316 @@
|
|||
Engines
|
||||
=======
|
||||
|
||||
Deprecation Note
|
||||
----------------
|
||||
|
||||
The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level
|
||||
interface for adding alternative implementations of cryptographic
|
||||
primitives, most notably for integrating hardware crypto devices.
|
||||
|
||||
The ENGINE interface has its limitations and it has been superseeded
|
||||
by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL
|
||||
version 3.0. The following documentation is retained as an aid for
|
||||
users who need to maintain or support existing ENGINE implementations.
|
||||
Support for new hardware devices or new algorithms should be added
|
||||
via providers, and existing engines should be converted to providers
|
||||
as soon as possible.
|
||||
|
||||
Built-in ENGINE implementations
|
||||
-------------------------------
|
||||
|
||||
There are currently built-in ENGINE implementations for the following
|
||||
crypto devices:
|
||||
|
||||
* Microsoft CryptoAPI
|
||||
* VIA Padlock
|
||||
* nCipher CHIL
|
||||
|
||||
In addition, dynamic binding to external ENGINE implementations is now
|
||||
provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
|
||||
section below for details.
|
||||
|
||||
At this stage, a number of things are still needed and are being worked on:
|
||||
|
||||
1. Integration of EVP support.
|
||||
2. Configuration support.
|
||||
3. Documentation!
|
||||
|
||||
Integration of EVP support
|
||||
--------------------------
|
||||
|
||||
With respect to EVP, this relates to support for ciphers and digests in
|
||||
the ENGINE model so that alternative implementations of existing
|
||||
algorithms/modes (or previously unimplemented ones) can be provided by
|
||||
ENGINE implementations.
|
||||
|
||||
Configuration support
|
||||
---------------------
|
||||
|
||||
Configuration support currently exists in the ENGINE API itself, in the
|
||||
form of "control commands". These allow an application to expose to the
|
||||
user/admin the set of commands and parameter types a given ENGINE
|
||||
implementation supports, and for an application to directly feed string
|
||||
based input to those ENGINEs, in the form of name-value pairs. This is an
|
||||
extensible way for ENGINEs to define their own "configuration" mechanisms
|
||||
that are specific to a given ENGINE (eg. for a particular hardware
|
||||
device) but that should be consistent across *all* OpenSSL-based
|
||||
applications when they use that ENGINE. Work is in progress (or at least
|
||||
in planning) for supporting these control commands from the CONF (or
|
||||
NCONF) code so that applications using OpenSSL's existing configuration
|
||||
file format can have ENGINE settings specified in much the same way.
|
||||
Presently however, applications must use the ENGINE API itself to provide
|
||||
such functionality. To see first hand the types of commands available
|
||||
with the various compiled-in ENGINEs (see further down for dynamic
|
||||
ENGINEs), use the "engine" openssl utility with full verbosity, i.e.:
|
||||
|
||||
openssl engine -vvvv
|
||||
|
||||
Documentation
|
||||
-------------
|
||||
|
||||
Documentation? Volunteers welcome! The source code is reasonably well
|
||||
self-documenting, but some summaries and usage instructions are needed -
|
||||
moreover, they are needed in the same POD format the existing OpenSSL
|
||||
documentation is provided in. Any complete or incomplete contributions
|
||||
would help make this happen.
|
||||
|
||||
STABILITY & BUG-REPORTS
|
||||
=======================
|
||||
|
||||
What already exists is fairly stable as far as it has been tested, but
|
||||
the test base has been a bit small most of the time. For the most part,
|
||||
the vendors of the devices these ENGINEs support have contributed to the
|
||||
development and/or testing of the implementations, and *usually* (with no
|
||||
guarantees) have experience in using the ENGINE support to drive their
|
||||
devices from common OpenSSL-based applications. Bugs and/or inexplicable
|
||||
behaviour in using a specific ENGINE implementation should be sent to the
|
||||
author of that implementation (if it is mentioned in the corresponding C
|
||||
file), and in the case of implementations for commercial hardware
|
||||
devices, also through whatever vendor support channels are available. If
|
||||
none of this is possible, or the problem seems to be something about the
|
||||
ENGINE API itself (ie. not necessarily specific to a particular ENGINE
|
||||
implementation) then you should mail complete details to the relevant
|
||||
OpenSSL mailing list. For a definition of "complete details", refer to
|
||||
the OpenSSL "README" file. As for which list to send it to:
|
||||
|
||||
* openssl-users: if you are *using* the ENGINE abstraction, either in an
|
||||
pre-compiled application or in your own application code.
|
||||
|
||||
* openssl-dev: if you are discussing problems with OpenSSL source code.
|
||||
|
||||
USAGE
|
||||
=====
|
||||
|
||||
The default "openssl" ENGINE is always chosen when performing crypto
|
||||
operations unless you specify otherwise. You must actively tell the
|
||||
openssl utility commands to use anything else through a new command line
|
||||
switch called "-engine". Also, if you want to use the ENGINE support in
|
||||
your own code to do something similar, you must likewise explicitly
|
||||
select the ENGINE implementation you want.
|
||||
|
||||
Depending on the type of hardware, system, and configuration, "settings"
|
||||
may need to be applied to an ENGINE for it to function as expected/hoped.
|
||||
The recommended way of doing this is for the application to support
|
||||
ENGINE "control commands" so that each ENGINE implementation can provide
|
||||
whatever configuration primitives it might require and the application
|
||||
can allow the user/admin (and thus the hardware vendor's support desk
|
||||
also) to provide any such input directly to the ENGINE implementation.
|
||||
This way, applications do not need to know anything specific to any
|
||||
device, they only need to provide the means to carry such user/admin
|
||||
input through to the ENGINE in question. Ie. this connects *you* (and
|
||||
your helpdesk) to the specific ENGINE implementation (and device), and
|
||||
allows application authors to not get buried in hassle supporting
|
||||
arbitrary devices they know (and care) nothing about.
|
||||
|
||||
A new "openssl" utility, "openssl engine", has been added in that allows
|
||||
for testing and examination of ENGINE implementations. Basic usage
|
||||
instructions are available by specifying the "-?" command line switch.
|
||||
|
||||
DYNAMIC ENGINES
|
||||
===============
|
||||
|
||||
The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
|
||||
implementations that aren't pre-compiled and linked into OpenSSL-based
|
||||
applications. This could be because existing compiled-in implementations
|
||||
have known problems and you wish to use a newer version with an existing
|
||||
application. It could equally be because the application (or OpenSSL
|
||||
library) you are using simply doesn't have support for the ENGINE you
|
||||
wish to use, and the ENGINE provider (eg. hardware vendor) is providing
|
||||
you with a self-contained implementation in the form of a shared-library.
|
||||
The other use-case for "dynamic" is with applications that wish to
|
||||
maintain the smallest foot-print possible and so do not link in various
|
||||
ENGINE implementations from OpenSSL, but instead leaves you to provide
|
||||
them, if you want them, in the form of "dynamic"-loadable
|
||||
shared-libraries. It should be possible for hardware vendors to provide
|
||||
their own shared-libraries to support arbitrary hardware to work with
|
||||
applications based on OpenSSL 0.9.7 or later. If you're using an
|
||||
application based on 0.9.7 (or later) and the support you desire is only
|
||||
announced for versions later than the one you need, ask the vendor to
|
||||
backport their ENGINE to the version you need.
|
||||
|
||||
How does "dynamic" work?
|
||||
------------------------
|
||||
|
||||
The dynamic ENGINE has a special flag in its implementation such that
|
||||
every time application code asks for the 'dynamic' ENGINE, it in fact
|
||||
gets its own copy of it. As such, multi-threaded code (or code that
|
||||
multiplexes multiple uses of 'dynamic' in a single application in any
|
||||
way at all) does not get confused by 'dynamic' being used to do many
|
||||
independent things. Other ENGINEs typically don't do this so there is
|
||||
only ever 1 ENGINE structure of its type (and reference counts are used
|
||||
to keep order). The dynamic ENGINE itself provides absolutely no
|
||||
cryptographic functionality, and any attempt to "initialise" the ENGINE
|
||||
automatically fails. All it does provide are a few "control commands"
|
||||
that can be used to control how it will load an external ENGINE
|
||||
implementation from a shared-library. To see these control commands,
|
||||
use the command-line;
|
||||
|
||||
openssl engine -vvvv dynamic
|
||||
|
||||
The "SO_PATH" control command should be used to identify the
|
||||
shared-library that contains the ENGINE implementation, and "NO_VCHECK"
|
||||
might possibly be useful if there is a minor version conflict and you
|
||||
(or a vendor helpdesk) is convinced you can safely ignore it.
|
||||
"ID" is probably only needed if a shared-library implements
|
||||
multiple ENGINEs, but if you know the engine id you expect to be using,
|
||||
it doesn't hurt to specify it (and this provides a sanity check if
|
||||
nothing else). "LIST_ADD" is only required if you actually wish the
|
||||
loaded ENGINE to be discoverable by application code later on using the
|
||||
ENGINE's "id". For most applications, this isn't necessary - but some
|
||||
application authors may have nifty reasons for using it. The "LOAD"
|
||||
command is the only one that takes no parameters and is the command
|
||||
that uses the settings from any previous commands to actually *load*
|
||||
the shared-library ENGINE implementation. If this command succeeds, the
|
||||
(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
|
||||
that has been loaded from the shared-library. As such, any control
|
||||
commands supported by the loaded ENGINE could then be executed as per
|
||||
normal. Eg. if ENGINE "foo" is implemented in the shared-library
|
||||
"libfoo.so" and it supports some special control command "CMD_FOO", the
|
||||
following code would load and use it (NB: obviously this code has no
|
||||
error checking);
|
||||
|
||||
ENGINE *e = ENGINE_by_id("dynamic");
|
||||
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
|
||||
ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
|
||||
|
||||
For testing, the "openssl engine" utility can be useful for this sort
|
||||
of thing. For example the above code excerpt would achieve much the
|
||||
same result as;
|
||||
|
||||
openssl engine dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD \
|
||||
-pre "CMD_FOO:some input data"
|
||||
|
||||
Or to simply see the list of commands supported by the "foo" ENGINE;
|
||||
|
||||
openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD
|
||||
|
||||
Applications that support the ENGINE API and more specifically, the
|
||||
"control commands" mechanism, will provide some way for you to pass
|
||||
such commands through to ENGINEs. As such, you would select "dynamic"
|
||||
as the ENGINE to use, and the parameters/commands you pass would
|
||||
control the *actual* ENGINE used. Each command is actually a name-value
|
||||
pair and the value can sometimes be omitted (eg. the "LOAD" command).
|
||||
Whilst the syntax demonstrated in "openssl engine" uses a colon to
|
||||
separate the command name from the value, applications may provide
|
||||
their own syntax for making that separation (eg. a win32 registry
|
||||
key-value pair may be used by some applications). The reason for the
|
||||
"-pre" syntax in the "openssl engine" utility is that some commands
|
||||
might be issued to an ENGINE *after* it has been initialised for use.
|
||||
Eg. if an ENGINE implementation requires a smart-card to be inserted
|
||||
during initialisation (or a PIN to be typed, or whatever), there may be
|
||||
a control command you can issue afterwards to "forget" the smart-card
|
||||
so that additional initialisation is no longer possible. In
|
||||
applications such as web-servers, where potentially volatile code may
|
||||
run on the same host system, this may provide some arguable security
|
||||
value. In such a case, the command would be passed to the ENGINE after
|
||||
it has been initialised for use, and so the "-post" switch would be
|
||||
used instead. Applications may provide a different syntax for
|
||||
supporting this distinction, and some may simply not provide it at all
|
||||
("-pre" is almost always what you're after, in reality).
|
||||
|
||||
How do I build a "dynamic" ENGINE?
|
||||
----------------------------------
|
||||
|
||||
This question is trickier - currently OpenSSL bundles various ENGINE
|
||||
implementations that are statically built in, and any application that
|
||||
calls the "ENGINE_load_builtin_engines()" function will automatically
|
||||
have all such ENGINEs available (and occupying memory). Applications
|
||||
that don't call that function have no ENGINEs available like that and
|
||||
would have to use "dynamic" to load any such ENGINE - but on the other
|
||||
hand such applications would only have the memory footprint of any
|
||||
ENGINEs explicitly loaded using user/admin provided control commands.
|
||||
The main advantage of not statically linking ENGINEs and only using
|
||||
"dynamic" for hardware support is that any installation using no
|
||||
"external" ENGINE suffers no unnecessary memory footprint from unused
|
||||
ENGINEs. Likewise, installations that do require an ENGINE incur the
|
||||
overheads from only *that* ENGINE once it has been loaded.
|
||||
|
||||
Sounds good? Maybe, but currently building an ENGINE implementation as
|
||||
a shared-library that can be loaded by "dynamic" isn't automated in
|
||||
OpenSSL's build process. It can be done manually quite easily however.
|
||||
Such a shared-library can either be built with any OpenSSL code it
|
||||
needs statically linked in, or it can link dynamically against OpenSSL
|
||||
if OpenSSL itself is built as a shared library. The instructions are
|
||||
the same in each case, but in the former (statically linked any
|
||||
dependencies on OpenSSL) you must ensure OpenSSL is built with
|
||||
position-independent code ("PIC"). The default OpenSSL compilation may
|
||||
already specify the relevant flags to do this, but you should consult
|
||||
with your compiler documentation if you are in any doubt.
|
||||
|
||||
This example will show building the "atalla" ENGINE in the
|
||||
crypto/engine/ directory as a shared-library for use via the "dynamic"
|
||||
ENGINE.
|
||||
|
||||
1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
|
||||
source tree.
|
||||
|
||||
2. Recompile at least one source file so you can see all the compiler
|
||||
flags (and syntax) being used to build normally. Eg;
|
||||
|
||||
touch hw_atalla.c ; make
|
||||
|
||||
will rebuild "hw_atalla.o" using all such flags.
|
||||
|
||||
3. Manually enter the same compilation line to compile the
|
||||
"hw_atalla.c" file but with the following two changes;
|
||||
* add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
|
||||
* change the output file from "hw_atalla.o" to something new,
|
||||
eg. "tmp_atalla.o"
|
||||
|
||||
4. Link "tmp_atalla.o" into a shared-library using the top-level
|
||||
OpenSSL libraries to resolve any dependencies. The syntax for doing
|
||||
this depends heavily on your system/compiler and is a nightmare
|
||||
known well to anyone who has worked with shared-library portability
|
||||
before. 'gcc' on Linux, for example, would use the following syntax;
|
||||
|
||||
gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
|
||||
|
||||
5. Test your shared library using "openssl engine" as explained in the
|
||||
previous section. Eg. from the top-level directory, you might try
|
||||
|
||||
apps/openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
|
||||
|
||||
If the shared-library loads successfully, you will see both "-pre"
|
||||
commands marked as "SUCCESS" and the list of control commands
|
||||
displayed (because of "-vvvv") will be the control commands for the
|
||||
*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
|
||||
the "-t" switch to the utility if you want it to try and initialise
|
||||
the atalla ENGINE for use to test any possible hardware/driver issues.
|
||||
|
||||
PROBLEMS
|
||||
========
|
||||
|
||||
It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
|
||||
A quick test done right before the release showed that trying "openssl speed
|
||||
-engine cswift" generated errors. If the DSO gets enabled, an attempt is made
|
||||
to write at memory address 0x00000002.
|
86
README-FIPS.md
Normal file
86
README-FIPS.md
Normal file
|
@ -0,0 +1,86 @@
|
|||
OpenSSL FIPS support
|
||||
====================
|
||||
|
||||
This release of OpenSSL includes a cryptographic module that can be
|
||||
FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
|
||||
A provider is essentially a dynamically loadable module which implements
|
||||
cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
|
||||
for further details.
|
||||
|
||||
A cryptographic module is only FIPS validated after it has gone through the complex
|
||||
FIPS 140 validation process. As this process takes a very long time, it is not
|
||||
possible to validate every minor release of OpenSSL.
|
||||
If you need a FIPS validated module then you must ONLY generate a FIPS provider
|
||||
using OpenSSL versions that have valid FIPS certificates. A FIPS certificate
|
||||
contains a link to a Security Policy, and you MUST follow the instructions
|
||||
in the Security Policy in order to be FIPS compliant.
|
||||
See <https://www.openssl.org/source/> for information related to OpenSSL
|
||||
FIPS certificates and Security Policies.
|
||||
|
||||
Newer OpenSSL Releases that include security or bug fixes can be used to build
|
||||
all other components (such as the core API's, TLS and the default, base and
|
||||
legacy providers) without any restrictions, but the FIPS provider must be built
|
||||
as specified in the Security Policy (normally with a different version of the
|
||||
source code).
|
||||
|
||||
The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or
|
||||
resp. `fips.dll` (on Windows). The FIPS provider does not get built and
|
||||
installed automatically. To enable it, you need to configure OpenSSL using
|
||||
the `enable-fips` option.
|
||||
|
||||
Installing the FIPS module
|
||||
==========================
|
||||
|
||||
The following is only a guide.
|
||||
Please read the Security Policy for up to date installation instructions.
|
||||
|
||||
If the FIPS provider is enabled, it gets installed automatically during the
|
||||
normal installation process. Simply follow the normal procedure (configure,
|
||||
make, make test, make install) as described in the [INSTALL](INSTALL.md) file.
|
||||
|
||||
For example, on Unix the final command
|
||||
|
||||
$ make install
|
||||
|
||||
effectively executes the following install targets
|
||||
|
||||
$ make install_sw
|
||||
$ make install_ssldirs
|
||||
$ make install_docs
|
||||
$ make install_fips # for `enable-fips` only
|
||||
|
||||
The `install_fips` make target can also be invoked explicitly to install
|
||||
the FIPS provider independently, without installing the rest of OpenSSL.
|
||||
|
||||
The Installation of the FIPS provider consists of two steps. In the first step,
|
||||
the shared library is copied to its installed location, which by default is
|
||||
|
||||
/usr/local/lib/ossl-modules/fips.so on Unix, and
|
||||
C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll on Windows.
|
||||
|
||||
In the second step, the `openssl fipsinstall` command is executed, which completes
|
||||
the installation by doing the following two things:
|
||||
|
||||
- Runs the FIPS module self tests
|
||||
- Generates the so-called FIPS module configuration file containing information
|
||||
about the module such as the self test status, and the module checksum.
|
||||
|
||||
The FIPS module must have the self tests run, and the FIPS module config file
|
||||
output generated on every machine that it is to be used on. You must not copy
|
||||
the FIPS module config file output data from one machine to another.
|
||||
|
||||
On Unix the `openssl fipsinstall` command will be invoked as follows by default:
|
||||
|
||||
$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
|
||||
|
||||
If you configured OpenSSL to be installed to a different location, the paths will
|
||||
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
|
||||
to non-standard location, you can execute the `openssl fipsinstall` command manually.
|
||||
|
||||
Using the FIPS Module in applications
|
||||
=====================================
|
||||
|
||||
Documentation about using the FIPS module is available on the [fips_module(7)]
|
||||
manual page.
|
||||
|
||||
[fips_module(7)]: https://www.openssl.org/docs/man3.0/man7/fips_module.html
|
145
README-PROVIDERS.md
Normal file
145
README-PROVIDERS.md
Normal file
|
@ -0,0 +1,145 @@
|
|||
Providers
|
||||
=========
|
||||
|
||||
- [Standard Providers](#standard-providers)
|
||||
- [The Default Provider](#the-default-provider)
|
||||
- [The Legacy Provider](#the-legacy-provider)
|
||||
- [The FIPS Provider](#the-fips-provider)
|
||||
- [The Base Provider](#the-base-provider)
|
||||
- [The Null Provider](#the-null-provider)
|
||||
- [Loading Providers](#loading-providers)
|
||||
|
||||
Standard Providers
|
||||
==================
|
||||
|
||||
Providers are containers for algorithm implementations. Whenever a cryptographic
|
||||
algorithm is used via the high level APIs a provider is selected. It is that
|
||||
provider implementation that actually does the required work. There are five
|
||||
providers distributed with OpenSSL. In the future we expect third parties to
|
||||
distribute their own providers which can be added to OpenSSL dynamically.
|
||||
Documentation about writing providers is available on the [provider(7)]
|
||||
manual page.
|
||||
|
||||
[provider(7)]: https://www.openssl.org/docs/man3.0/man7/provider.html
|
||||
|
||||
The Default Provider
|
||||
--------------------
|
||||
|
||||
The default provider collects together all of the standard built-in OpenSSL
|
||||
algorithm implementations. If an application doesn't specify anything else
|
||||
explicitly (e.g. in the application or via config), then this is the provider
|
||||
that will be used. It is loaded automatically the first time that we try to
|
||||
get an algorithm from a provider if no other provider has been loaded yet.
|
||||
If another provider has already been loaded then it won't be loaded
|
||||
automatically. Therefore if you want to use it in conjunction with other
|
||||
providers then you must load it explicitly.
|
||||
|
||||
This is a "built-in" provider which means that it is compiled and linked
|
||||
into the libcrypto library and does not exist as a separate standalone module.
|
||||
|
||||
The Legacy Provider
|
||||
-------------------
|
||||
|
||||
The legacy provider is a collection of legacy algorithms that are either no
|
||||
longer in common use or considered insecure and strongly discouraged from use.
|
||||
However, some applications may need to use these algorithms for backwards
|
||||
compatibility reasons. This provider is **not** loaded by default.
|
||||
This may mean that some applications upgrading from earlier versions of OpenSSL
|
||||
may find that some algorithms are no longer available unless they load the
|
||||
legacy provider explicitly.
|
||||
|
||||
Algorithms in the legacy provider include MD2, MD4, MDC2, RMD160, CAST5,
|
||||
BF (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES).
|
||||
|
||||
The FIPS Provider
|
||||
-----------------
|
||||
|
||||
The FIPS provider contains a sub-set of the algorithm implementations available
|
||||
from the default provider, consisting of algorithms conforming to FIPS standards.
|
||||
It is intended that this provider will be FIPS140-2 validated.
|
||||
|
||||
In some cases there may be minor behavioural differences between algorithm
|
||||
implementations in this provider compared to the equivalent algorithm in the
|
||||
default provider. This is typically in order to conform to FIPS standards.
|
||||
|
||||
The Base Provider
|
||||
-----------------
|
||||
|
||||
The base provider contains a small sub-set of non-cryptographic algorithms
|
||||
available in the default provider. For example, it contains algorithms to
|
||||
serialize and deserialize keys to files. If you do not load the default
|
||||
provider then you should always load this one instead (in particular, if
|
||||
you are using the FIPS provider).
|
||||
|
||||
The Null Provider
|
||||
-----------------
|
||||
|
||||
The null provider is "built-in" to libcrypto and contains no algorithm
|
||||
implementations. In order to guarantee that the default provider is not
|
||||
automatically loaded, the null provider can be loaded instead.
|
||||
|
||||
This can be useful if you are using non-default library contexts and want
|
||||
to ensure that the default library context is never used unintentionally.
|
||||
|
||||
Loading Providers
|
||||
=================
|
||||
|
||||
Providers to be loaded can be specified in the OpenSSL config file.
|
||||
See the [config(5)] manual page for information about how to configure
|
||||
providers via the config file, and how to automatically activate them.
|
||||
|
||||
[config(5)]: https://www.openssl.org/docs/man3.0/man5/config.html
|
||||
|
||||
The following is a minimal config file example to load and activate both
|
||||
the legacy and the default provider in the default library context.
|
||||
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
|
||||
[provider_sect]
|
||||
default = default_sect
|
||||
legacy = legacy_sect
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
[legacy_sect]
|
||||
activate = 1
|
||||
|
||||
It is also possible to load providers programmatically. For example you can
|
||||
load the legacy provider into the default library context as shown below.
|
||||
Note that once you have explicitly loaded a provider into the library context
|
||||
the default provider will no longer be automatically loaded. Therefore you will
|
||||
often also want to explicitly load the default provider, as is done here:
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <openssl/provider.h>
|
||||
|
||||
int main(void)
|
||||
{
|
||||
OSSL_PROVIDER *legacy;
|
||||
OSSL_PROVIDER *deflt;
|
||||
|
||||
/* Load Multiple providers into the default (NULL) library context */
|
||||
legacy = OSSL_PROVIDER_load(NULL, "legacy");
|
||||
if (legacy == NULL) {
|
||||
printf("Failed to load Legacy provider\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
deflt = OSSL_PROVIDER_load(NULL, "default");
|
||||
if (deflt == NULL) {
|
||||
printf("Failed to load Default provider\n");
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
/* Rest of application */
|
||||
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
OSSL_PROVIDER_unload(deflt);
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
287
README.ENGINE
287
README.ENGINE
|
@ -1,287 +0,0 @@
|
|||
ENGINE
|
||||
======
|
||||
|
||||
With OpenSSL 0.9.6, a new component was added to support alternative
|
||||
cryptography implementations, most commonly for interfacing with external
|
||||
crypto devices (eg. accelerator cards). This component is called ENGINE,
|
||||
and its presence in OpenSSL 0.9.6 (and subsequent bug-fix releases)
|
||||
caused a little confusion as 0.9.6** releases were rolled in two
|
||||
versions, a "standard" and an "engine" version. In development for 0.9.7,
|
||||
the ENGINE code has been merged into the main branch and will be present
|
||||
in the standard releases from 0.9.7 forwards.
|
||||
|
||||
There are currently built-in ENGINE implementations for the following
|
||||
crypto devices:
|
||||
|
||||
o Microsoft CryptoAPI
|
||||
o VIA Padlock
|
||||
o nCipher CHIL
|
||||
|
||||
In addition, dynamic binding to external ENGINE implementations is now
|
||||
provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
|
||||
section below for details.
|
||||
|
||||
At this stage, a number of things are still needed and are being worked on:
|
||||
|
||||
1 Integration of EVP support.
|
||||
2 Configuration support.
|
||||
3 Documentation!
|
||||
|
||||
1 With respect to EVP, this relates to support for ciphers and digests in
|
||||
the ENGINE model so that alternative implementations of existing
|
||||
algorithms/modes (or previously unimplemented ones) can be provided by
|
||||
ENGINE implementations.
|
||||
|
||||
2 Configuration support currently exists in the ENGINE API itself, in the
|
||||
form of "control commands". These allow an application to expose to the
|
||||
user/admin the set of commands and parameter types a given ENGINE
|
||||
implementation supports, and for an application to directly feed string
|
||||
based input to those ENGINEs, in the form of name-value pairs. This is an
|
||||
extensible way for ENGINEs to define their own "configuration" mechanisms
|
||||
that are specific to a given ENGINE (eg. for a particular hardware
|
||||
device) but that should be consistent across *all* OpenSSL-based
|
||||
applications when they use that ENGINE. Work is in progress (or at least
|
||||
in planning) for supporting these control commands from the CONF (or
|
||||
NCONF) code so that applications using OpenSSL's existing configuration
|
||||
file format can have ENGINE settings specified in much the same way.
|
||||
Presently however, applications must use the ENGINE API itself to provide
|
||||
such functionality. To see first hand the types of commands available
|
||||
with the various compiled-in ENGINEs (see further down for dynamic
|
||||
ENGINEs), use the "engine" openssl utility with full verbosity, ie;
|
||||
openssl engine -vvvv
|
||||
|
||||
3 Documentation? Volunteers welcome! The source code is reasonably well
|
||||
self-documenting, but some summaries and usage instructions are needed -
|
||||
moreover, they are needed in the same POD format the existing OpenSSL
|
||||
documentation is provided in. Any complete or incomplete contributions
|
||||
would help make this happen.
|
||||
|
||||
STABILITY & BUG-REPORTS
|
||||
=======================
|
||||
|
||||
What already exists is fairly stable as far as it has been tested, but
|
||||
the test base has been a bit small most of the time. For the most part,
|
||||
the vendors of the devices these ENGINEs support have contributed to the
|
||||
development and/or testing of the implementations, and *usually* (with no
|
||||
guarantees) have experience in using the ENGINE support to drive their
|
||||
devices from common OpenSSL-based applications. Bugs and/or inexplicable
|
||||
behaviour in using a specific ENGINE implementation should be sent to the
|
||||
author of that implementation (if it is mentioned in the corresponding C
|
||||
file), and in the case of implementations for commercial hardware
|
||||
devices, also through whatever vendor support channels are available. If
|
||||
none of this is possible, or the problem seems to be something about the
|
||||
ENGINE API itself (ie. not necessarily specific to a particular ENGINE
|
||||
implementation) then you should mail complete details to the relevant
|
||||
OpenSSL mailing list. For a definition of "complete details", refer to
|
||||
the OpenSSL "README" file. As for which list to send it to;
|
||||
|
||||
openssl-users: if you are *using* the ENGINE abstraction, either in an
|
||||
pre-compiled application or in your own application code.
|
||||
|
||||
openssl-dev: if you are discussing problems with OpenSSL source code.
|
||||
|
||||
USAGE
|
||||
=====
|
||||
|
||||
The default "openssl" ENGINE is always chosen when performing crypto
|
||||
operations unless you specify otherwise. You must actively tell the
|
||||
openssl utility commands to use anything else through a new command line
|
||||
switch called "-engine". Also, if you want to use the ENGINE support in
|
||||
your own code to do something similar, you must likewise explicitly
|
||||
select the ENGINE implementation you want.
|
||||
|
||||
Depending on the type of hardware, system, and configuration, "settings"
|
||||
may need to be applied to an ENGINE for it to function as expected/hoped.
|
||||
The recommended way of doing this is for the application to support
|
||||
ENGINE "control commands" so that each ENGINE implementation can provide
|
||||
whatever configuration primitives it might require and the application
|
||||
can allow the user/admin (and thus the hardware vendor's support desk
|
||||
also) to provide any such input directly to the ENGINE implementation.
|
||||
This way, applications do not need to know anything specific to any
|
||||
device, they only need to provide the means to carry such user/admin
|
||||
input through to the ENGINE in question. Ie. this connects *you* (and
|
||||
your helpdesk) to the specific ENGINE implementation (and device), and
|
||||
allows application authors to not get buried in hassle supporting
|
||||
arbitrary devices they know (and care) nothing about.
|
||||
|
||||
A new "openssl" utility, "openssl engine", has been added in that allows
|
||||
for testing and examination of ENGINE implementations. Basic usage
|
||||
instructions are available by specifying the "-?" command line switch.
|
||||
|
||||
DYNAMIC ENGINES
|
||||
===============
|
||||
|
||||
The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
|
||||
implementations that aren't pre-compiled and linked into OpenSSL-based
|
||||
applications. This could be because existing compiled-in implementations
|
||||
have known problems and you wish to use a newer version with an existing
|
||||
application. It could equally be because the application (or OpenSSL
|
||||
library) you are using simply doesn't have support for the ENGINE you
|
||||
wish to use, and the ENGINE provider (eg. hardware vendor) is providing
|
||||
you with a self-contained implementation in the form of a shared-library.
|
||||
The other use-case for "dynamic" is with applications that wish to
|
||||
maintain the smallest foot-print possible and so do not link in various
|
||||
ENGINE implementations from OpenSSL, but instead leaves you to provide
|
||||
them, if you want them, in the form of "dynamic"-loadable
|
||||
shared-libraries. It should be possible for hardware vendors to provide
|
||||
their own shared-libraries to support arbitrary hardware to work with
|
||||
applications based on OpenSSL 0.9.7 or later. If you're using an
|
||||
application based on 0.9.7 (or later) and the support you desire is only
|
||||
announced for versions later than the one you need, ask the vendor to
|
||||
backport their ENGINE to the version you need.
|
||||
|
||||
How does "dynamic" work?
|
||||
------------------------
|
||||
The dynamic ENGINE has a special flag in its implementation such that
|
||||
every time application code asks for the 'dynamic' ENGINE, it in fact
|
||||
gets its own copy of it. As such, multi-threaded code (or code that
|
||||
multiplexes multiple uses of 'dynamic' in a single application in any
|
||||
way at all) does not get confused by 'dynamic' being used to do many
|
||||
independent things. Other ENGINEs typically don't do this so there is
|
||||
only ever 1 ENGINE structure of its type (and reference counts are used
|
||||
to keep order). The dynamic ENGINE itself provides absolutely no
|
||||
cryptographic functionality, and any attempt to "initialise" the ENGINE
|
||||
automatically fails. All it does provide are a few "control commands"
|
||||
that can be used to control how it will load an external ENGINE
|
||||
implementation from a shared-library. To see these control commands,
|
||||
use the command-line;
|
||||
|
||||
openssl engine -vvvv dynamic
|
||||
|
||||
The "SO_PATH" control command should be used to identify the
|
||||
shared-library that contains the ENGINE implementation, and "NO_VCHECK"
|
||||
might possibly be useful if there is a minor version conflict and you
|
||||
(or a vendor helpdesk) is convinced you can safely ignore it.
|
||||
"ID" is probably only needed if a shared-library implements
|
||||
multiple ENGINEs, but if you know the engine id you expect to be using,
|
||||
it doesn't hurt to specify it (and this provides a sanity check if
|
||||
nothing else). "LIST_ADD" is only required if you actually wish the
|
||||
loaded ENGINE to be discoverable by application code later on using the
|
||||
ENGINE's "id". For most applications, this isn't necessary - but some
|
||||
application authors may have nifty reasons for using it. The "LOAD"
|
||||
command is the only one that takes no parameters and is the command
|
||||
that uses the settings from any previous commands to actually *load*
|
||||
the shared-library ENGINE implementation. If this command succeeds, the
|
||||
(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
|
||||
that has been loaded from the shared-library. As such, any control
|
||||
commands supported by the loaded ENGINE could then be executed as per
|
||||
normal. Eg. if ENGINE "foo" is implemented in the shared-library
|
||||
"libfoo.so" and it supports some special control command "CMD_FOO", the
|
||||
following code would load and use it (NB: obviously this code has no
|
||||
error checking);
|
||||
|
||||
ENGINE *e = ENGINE_by_id("dynamic");
|
||||
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
|
||||
ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
|
||||
|
||||
For testing, the "openssl engine" utility can be useful for this sort
|
||||
of thing. For example the above code excerpt would achieve much the
|
||||
same result as;
|
||||
|
||||
openssl engine dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD \
|
||||
-pre "CMD_FOO:some input data"
|
||||
|
||||
Or to simply see the list of commands supported by the "foo" ENGINE;
|
||||
|
||||
openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD
|
||||
|
||||
Applications that support the ENGINE API and more specifically, the
|
||||
"control commands" mechanism, will provide some way for you to pass
|
||||
such commands through to ENGINEs. As such, you would select "dynamic"
|
||||
as the ENGINE to use, and the parameters/commands you pass would
|
||||
control the *actual* ENGINE used. Each command is actually a name-value
|
||||
pair and the value can sometimes be omitted (eg. the "LOAD" command).
|
||||
Whilst the syntax demonstrated in "openssl engine" uses a colon to
|
||||
separate the command name from the value, applications may provide
|
||||
their own syntax for making that separation (eg. a win32 registry
|
||||
key-value pair may be used by some applications). The reason for the
|
||||
"-pre" syntax in the "openssl engine" utility is that some commands
|
||||
might be issued to an ENGINE *after* it has been initialised for use.
|
||||
Eg. if an ENGINE implementation requires a smart-card to be inserted
|
||||
during initialisation (or a PIN to be typed, or whatever), there may be
|
||||
a control command you can issue afterwards to "forget" the smart-card
|
||||
so that additional initialisation is no longer possible. In
|
||||
applications such as web-servers, where potentially volatile code may
|
||||
run on the same host system, this may provide some arguable security
|
||||
value. In such a case, the command would be passed to the ENGINE after
|
||||
it has been initialised for use, and so the "-post" switch would be
|
||||
used instead. Applications may provide a different syntax for
|
||||
supporting this distinction, and some may simply not provide it at all
|
||||
("-pre" is almost always what you're after, in reality).
|
||||
|
||||
How do I build a "dynamic" ENGINE?
|
||||
----------------------------------
|
||||
This question is trickier - currently OpenSSL bundles various ENGINE
|
||||
implementations that are statically built in, and any application that
|
||||
calls the "ENGINE_load_builtin_engines()" function will automatically
|
||||
have all such ENGINEs available (and occupying memory). Applications
|
||||
that don't call that function have no ENGINEs available like that and
|
||||
would have to use "dynamic" to load any such ENGINE - but on the other
|
||||
hand such applications would only have the memory footprint of any
|
||||
ENGINEs explicitly loaded using user/admin provided control commands.
|
||||
The main advantage of not statically linking ENGINEs and only using
|
||||
"dynamic" for hardware support is that any installation using no
|
||||
"external" ENGINE suffers no unnecessary memory footprint from unused
|
||||
ENGINEs. Likewise, installations that do require an ENGINE incur the
|
||||
overheads from only *that* ENGINE once it has been loaded.
|
||||
|
||||
Sounds good? Maybe, but currently building an ENGINE implementation as
|
||||
a shared-library that can be loaded by "dynamic" isn't automated in
|
||||
OpenSSL's build process. It can be done manually quite easily however.
|
||||
Such a shared-library can either be built with any OpenSSL code it
|
||||
needs statically linked in, or it can link dynamically against OpenSSL
|
||||
if OpenSSL itself is built as a shared library. The instructions are
|
||||
the same in each case, but in the former (statically linked any
|
||||
dependencies on OpenSSL) you must ensure OpenSSL is built with
|
||||
position-independent code ("PIC"). The default OpenSSL compilation may
|
||||
already specify the relevant flags to do this, but you should consult
|
||||
with your compiler documentation if you are in any doubt.
|
||||
|
||||
This example will show building the "atalla" ENGINE in the
|
||||
crypto/engine/ directory as a shared-library for use via the "dynamic"
|
||||
ENGINE.
|
||||
1) "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
|
||||
source tree.
|
||||
2) Recompile at least one source file so you can see all the compiler
|
||||
flags (and syntax) being used to build normally. Eg;
|
||||
touch hw_atalla.c ; make
|
||||
will rebuild "hw_atalla.o" using all such flags.
|
||||
3) Manually enter the same compilation line to compile the
|
||||
"hw_atalla.c" file but with the following two changes;
|
||||
(a) add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
|
||||
(b) change the output file from "hw_atalla.o" to something new,
|
||||
eg. "tmp_atalla.o"
|
||||
4) Link "tmp_atalla.o" into a shared-library using the top-level
|
||||
OpenSSL libraries to resolve any dependencies. The syntax for doing
|
||||
this depends heavily on your system/compiler and is a nightmare
|
||||
known well to anyone who has worked with shared-library portability
|
||||
before. 'gcc' on Linux, for example, would use the following syntax;
|
||||
gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
|
||||
5) Test your shared library using "openssl engine" as explained in the
|
||||
previous section. Eg. from the top-level directory, you might try;
|
||||
apps/openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
|
||||
If the shared-library loads successfully, you will see both "-pre"
|
||||
commands marked as "SUCCESS" and the list of control commands
|
||||
displayed (because of "-vvvv") will be the control commands for the
|
||||
*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
|
||||
the "-t" switch to the utility if you want it to try and initialise
|
||||
the atalla ENGINE for use to test any possible hardware/driver
|
||||
issues.
|
||||
|
||||
PROBLEMS
|
||||
========
|
||||
|
||||
It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
|
||||
A quick test done right before the release showed that trying "openssl speed
|
||||
-engine cswift" generated errors. If the DSO gets enabled, an attempt is made
|
||||
to write at memory address 0x00000002.
|
||||
|
|
@ -1 +0,0 @@
|
|||
This release does not support a FIPS 140-2 validated module.
|
224
README.md
Normal file
224
README.md
Normal file
|
@ -0,0 +1,224 @@
|
|||
Welcome to the OpenSSL Project
|
||||
==============================
|
||||
|
||||
[![openssl logo]][www.openssl.org]
|
||||
|
||||
[![github actions ci badge]][github actions ci]
|
||||
[![appveyor badge]][appveyor jobs]
|
||||
|
||||
OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
|
||||
for the Transport Layer Security (TLS) protocol formerly known as the
|
||||
Secure Sockets Layer (SSL) protocol. The protocol implementation is based
|
||||
on a full-strength general purpose cryptographic library, which can also
|
||||
be used stand-alone.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson.
|
||||
|
||||
The official Home Page of the OpenSSL Project is [www.openssl.org].
|
||||
|
||||
Table of Contents
|
||||
=================
|
||||
|
||||
- [Overview](#overview)
|
||||
- [Download](#download)
|
||||
- [Build and Install](#build-and-install)
|
||||
- [Documentation](#documentation)
|
||||
- [License](#license)
|
||||
- [Support](#support)
|
||||
- [Contributing](#contributing)
|
||||
- [Legalities](#legalities)
|
||||
|
||||
Overview
|
||||
========
|
||||
|
||||
The OpenSSL toolkit includes:
|
||||
|
||||
- **libssl**
|
||||
an implementation of all TLS protocol versions up to TLSv1.3 ([RFC 8446]).
|
||||
|
||||
- **libcrypto**
|
||||
a full-strength general purpose cryptographic library. It constitutes the
|
||||
basis of the TLS implementation, but can also be used independently.
|
||||
|
||||
- **openssl**
|
||||
the OpenSSL command line tool, a swiss army knife for cryptographic tasks,
|
||||
testing and analyzing. It can be used for
|
||||
- creation of key parameters
|
||||
- creation of X.509 certificates, CSRs and CRLs
|
||||
- calculation of message digests
|
||||
- encryption and decryption
|
||||
- SSL/TLS client and server tests
|
||||
- handling of S/MIME signed or encrypted mail
|
||||
- and more...
|
||||
|
||||
Download
|
||||
========
|
||||
|
||||
For Production Use
|
||||
------------------
|
||||
|
||||
Source code tarballs of the official releases can be downloaded from
|
||||
[www.openssl.org/source](https://www.openssl.org/source).
|
||||
The OpenSSL project does not distribute the toolkit in binary form.
|
||||
|
||||
However, for a large variety of operating systems precompiled versions
|
||||
of the OpenSSL toolkit are available. In particular on Linux and other
|
||||
Unix operating systems it is normally recommended to link against the
|
||||
precompiled shared libraries provided by the distributor or vendor.
|
||||
|
||||
For Testing and Development
|
||||
---------------------------
|
||||
|
||||
Although testing and development could in theory also be done using
|
||||
the source tarballs, having a local copy of the git repository with
|
||||
the entire project history gives you much more insight into the
|
||||
code base.
|
||||
|
||||
The official OpenSSL Git Repository is located at [git.openssl.org].
|
||||
There is a GitHub mirror of the repository at [github.com/openssl/openssl],
|
||||
which is updated automatically from the former on every commit.
|
||||
|
||||
A local copy of the Git Repository can be obtained by cloning it from
|
||||
the original OpenSSL repository using
|
||||
|
||||
git clone git://git.openssl.org/openssl.git
|
||||
|
||||
or from the GitHub mirror using
|
||||
|
||||
git clone https://github.com/openssl/openssl.git
|
||||
|
||||
If you intend to contribute to OpenSSL, either to fix bugs or contribute
|
||||
new features, you need to fork the OpenSSL repository openssl/openssl on
|
||||
GitHub and clone your public fork instead.
|
||||
|
||||
git clone https://github.com/yourname/openssl.git
|
||||
|
||||
This is necessary, because all development of OpenSSL nowadays is done via
|
||||
GitHub pull requests. For more details, see [Contributing](#contributing).
|
||||
|
||||
Build and Install
|
||||
=================
|
||||
|
||||
After obtaining the Source, have a look at the [INSTALL](INSTALL.md) file for
|
||||
detailed instructions about building and installing OpenSSL. For some
|
||||
platforms, the installation instructions are amended by a platform specific
|
||||
document.
|
||||
|
||||
* [Notes for UNIX-like platforms](NOTES-UNIX.md)
|
||||
* [Notes for Android platforms](NOTES-ANDROID.md)
|
||||
* [Notes for Windows platforms](NOTES-WINDOWS.md)
|
||||
* [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
|
||||
* [Notes for the OpenVMS platform](NOTES-VMS.md)
|
||||
* [Notes on Perl](NOTES-PERL.md)
|
||||
* [Notes on Valgrind](NOTES-VALGRIND.md)
|
||||
|
||||
Specific notes on upgrading to OpenSSL 3.0 from previous versions can be found
|
||||
in the [migration_guide(7ossl)] manual page.
|
||||
|
||||
Documentation
|
||||
=============
|
||||
|
||||
Manual Pages
|
||||
------------
|
||||
|
||||
The manual pages for the master branch and all current stable releases are
|
||||
available online.
|
||||
|
||||
- [OpenSSL master](https://www.openssl.org/docs/manmaster)
|
||||
- [OpenSSL 3.0](https://www.openssl.org/docs/man3.0)
|
||||
- [OpenSSL 1.1.1](https://www.openssl.org/docs/man1.1.1)
|
||||
|
||||
Wiki
|
||||
----
|
||||
|
||||
There is a Wiki at [wiki.openssl.org] which is currently not very active.
|
||||
It contains a lot of useful information, not all of which is up to date.
|
||||
|
||||
License
|
||||
=======
|
||||
|
||||
OpenSSL is licensed under the Apache License 2.0, which means that
|
||||
you are free to get and use it for commercial and non-commercial
|
||||
purposes as long as you fulfill its conditions.
|
||||
|
||||
See the [LICENSE.txt](LICENSE.txt) file for more details.
|
||||
|
||||
Support
|
||||
=======
|
||||
|
||||
There are various ways to get in touch. The correct channel depends on
|
||||
your requirement. see the [SUPPORT](SUPPORT.md) file for more details.
|
||||
|
||||
Contributing
|
||||
============
|
||||
|
||||
If you are interested and willing to contribute to the OpenSSL project,
|
||||
please take a look at the [CONTRIBUTING](CONTRIBUTING.md) file.
|
||||
|
||||
Legalities
|
||||
==========
|
||||
|
||||
A number of nations restrict the use or export of cryptography. If you are
|
||||
potentially subject to such restrictions you should seek legal advice before
|
||||
attempting to develop or distribute cryptographic code.
|
||||
|
||||
Copyright
|
||||
=========
|
||||
|
||||
Copyright (c) 1998-2022 The OpenSSL Project
|
||||
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
All rights reserved.
|
||||
|
||||
<!-- Links -->
|
||||
|
||||
[www.openssl.org]:
|
||||
<https://www.openssl.org>
|
||||
"OpenSSL Homepage"
|
||||
|
||||
[git.openssl.org]:
|
||||
<https://git.openssl.org>
|
||||
"OpenSSL Git Repository"
|
||||
|
||||
[git.openssl.org]:
|
||||
<https://git.openssl.org>
|
||||
"OpenSSL Git Repository"
|
||||
|
||||
[github.com/openssl/openssl]:
|
||||
<https://github.com/openssl/openssl>
|
||||
"OpenSSL GitHub Mirror"
|
||||
|
||||
[wiki.openssl.org]:
|
||||
<https://wiki.openssl.org>
|
||||
"OpenSSL Wiki"
|
||||
|
||||
[migration_guide(7ossl)]:
|
||||
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>
|
||||
"OpenSSL Migration Guide"
|
||||
|
||||
[RFC 8446]:
|
||||
<https://tools.ietf.org/html/rfc8446>
|
||||
|
||||
<!-- Logos and Badges -->
|
||||
|
||||
[openssl logo]:
|
||||
doc/images/openssl.svg
|
||||
"OpenSSL Logo"
|
||||
|
||||
[github actions ci badge]:
|
||||
<https://github.com/openssl/openssl/workflows/GitHub%20CI/badge.svg>
|
||||
"GitHub Actions CI Status"
|
||||
|
||||
[github actions ci]:
|
||||
<https://github.com/openssl/openssl/actions?query=workflow%3A%22GitHub+CI%22>
|
||||
"GitHub Actions CI"
|
||||
|
||||
[appveyor badge]:
|
||||
<https://ci.appveyor.com/api/projects/status/8e10o7xfrg73v98f/branch/master?svg=true>
|
||||
"AppVeyor Build Status"
|
||||
|
||||
[appveyor jobs]:
|
||||
<https://ci.appveyor.com/project/openssl/openssl/branch/master>
|
||||
"AppVeyor Jobs"
|
93
SUPPORT.md
Normal file
93
SUPPORT.md
Normal file
|
@ -0,0 +1,93 @@
|
|||
OpenSSL User Support resources
|
||||
==============================
|
||||
|
||||
See the <https://www.openssl.org/support/contracts.html> for details on how to
|
||||
obtain commercial technical support.
|
||||
|
||||
If you have general questions about using OpenSSL
|
||||
-------------------------------------------------
|
||||
|
||||
In this case the [openssl-users] mailing list is the right place for you.
|
||||
The list is not only watched by the OpenSSL team members, but also by many
|
||||
other OpenSSL users. Here you will most likely get the answer to your questions.
|
||||
An overview over the [mailing lists](#mailing-lists) can be found below.
|
||||
|
||||
If you think you found a Bug
|
||||
----------------------------
|
||||
|
||||
*NOTE: this section assumes that you want to report it or figure it out and
|
||||
fix it. What's written here is not to be taken as a recipe for how to get a
|
||||
working production installation*
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
- Search the mailing lists and/or the GitHub issues to find out whether
|
||||
the problem has already been reported.
|
||||
- Download the latest version from the repository to see if the problem
|
||||
has already been addressed.
|
||||
- Configure without assembler support (`no-asm`) and check whether the
|
||||
problem persists.
|
||||
- Remove compiler optimization flags.
|
||||
|
||||
Please keep in mind: Just because something doesn't work the way you expect
|
||||
does not mean it is necessarily a bug in OpenSSL. If you are not sure,
|
||||
consider searching the mail archives and posting a question to the
|
||||
[openssl-users] mailing list first.
|
||||
|
||||
### Open an Issue
|
||||
|
||||
If you wish to report a bug, please open an [issue][github-issues] on GitHub
|
||||
and include the following information:
|
||||
|
||||
- OpenSSL version: output of `openssl version -a`
|
||||
- Configuration data: output of `perl configdata.pm --dump`
|
||||
- OS Name, Version, Hardware platform
|
||||
- Compiler Details (name, version)
|
||||
- Application Details (name, version)
|
||||
- Problem Description (steps that will reproduce the problem, if known)
|
||||
- Stack Traceback (if the application dumps core)
|
||||
|
||||
Not only errors in the software, also errors in the documentation, in
|
||||
particular the manual pages, can be reported as issues.
|
||||
|
||||
### Submit a Pull Request
|
||||
|
||||
The fastest way to get a bug fixed is to fix it yourself ;-). If you are
|
||||
experienced in programming and know how to fix the bug, you can open a
|
||||
pull request. The details are covered in the [Contributing][contributing] section.
|
||||
|
||||
Don't hesitate to open a pull request, even if it's only a small change
|
||||
like a grammatical or typographical error in the documentation.
|
||||
|
||||
Mailing Lists
|
||||
=============
|
||||
|
||||
The OpenSSL maintains a number of [mailing lists] for various purposes.
|
||||
The most important lists are:
|
||||
|
||||
- [openssl-users] for general questions about using the OpenSSL software
|
||||
and discussions between OpenSSL users.
|
||||
|
||||
- [openssl-announce] for official announcements to the OpenSSL community.
|
||||
|
||||
- [openssl-project] for discussion about the development roadmap
|
||||
and governance.
|
||||
|
||||
Only subscribers can post to [openssl-users] or [openssl-project]. The
|
||||
archives are made public, however. For more information, see the [mailing
|
||||
lists] page.
|
||||
|
||||
There was an [openssl-dev] list that has been discontinued since development
|
||||
is now taking place in the form of GitHub pull requests. Although not active
|
||||
anymore, the searchable archive may still contain useful information.
|
||||
|
||||
<!-- Links -->
|
||||
|
||||
[mailing lists]: https://www.openssl.org/community/mailinglists.html
|
||||
[openssl-users]: https://mta.openssl.org/mailman/listinfo/openssl-users
|
||||
[openssl-announce]: https://mta.openssl.org/mailman/listinfo/openssl-announce
|
||||
[openssl-project]: https://mta.openssl.org/mailman/listinfo/openssl-project
|
||||
[openssl-dev]: https://mta.openssl.org/mailman/listinfo/openssl-dev
|
||||
[github-issues]: https://github.com/openssl/openssl/issues/new/choose
|
||||
[contributing]: https://github.com/openssl/openssl/blob/master/CONTRIBUTING.md
|
7
VERSION.dat
Normal file
7
VERSION.dat
Normal file
|
@ -0,0 +1,7 @@
|
|||
MAJOR=3
|
||||
MINOR=0
|
||||
PATCH=8
|
||||
PRE_RELEASE_TAG=
|
||||
BUILD_METADATA=
|
||||
RELEASE_DATE="7 Feb 2023"
|
||||
SHLIB_VERSION=3
|
134
apps/CA.pl.in
134
apps/CA.pl.in
|
@ -1,7 +1,7 @@
|
|||
#!{- $config{HASHBANGPERL} -}
|
||||
# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
# in the file LICENSE in the source distribution or at
|
||||
# https://www.openssl.org/source/license.html
|
||||
|
@ -14,57 +14,63 @@
|
|||
use strict;
|
||||
use warnings;
|
||||
|
||||
my $openssl = "openssl";
|
||||
if(defined $ENV{'OPENSSL'}) {
|
||||
$openssl = $ENV{'OPENSSL'};
|
||||
} else {
|
||||
$ENV{'OPENSSL'} = $openssl;
|
||||
}
|
||||
|
||||
my $verbose = 1;
|
||||
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
|
||||
|
||||
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
|
||||
my $DAYS = "-days 365";
|
||||
my $CADAYS = "-days 1095"; # 3 years
|
||||
my $openssl = $ENV{'OPENSSL'} // "openssl";
|
||||
$ENV{'OPENSSL'} = $openssl;
|
||||
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} // "";
|
||||
|
||||
# Command invocations.
|
||||
my $REQ = "$openssl req $OPENSSL_CONFIG";
|
||||
my $CA = "$openssl ca $OPENSSL_CONFIG";
|
||||
my $VERIFY = "$openssl verify";
|
||||
my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# default openssl.cnf file has setup as per the following
|
||||
# Default values for various configuration settings.
|
||||
my $CATOP = "./demoCA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
my $CACRL = "crl.pem";
|
||||
my $DIRMODE = 0777;
|
||||
|
||||
my $DAYS = "-days 365";
|
||||
my $CADAYS = "-days 1095"; # 3 years
|
||||
my $NEWKEY = "newkey.pem";
|
||||
my $NEWREQ = "newreq.pem";
|
||||
my $NEWCERT = "newcert.pem";
|
||||
my $NEWP12 = "newcert.p12";
|
||||
my $RET = 0;
|
||||
my $WHAT = shift @ARGV || "";
|
||||
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
|
||||
my %EXTRA = extra_args(\@ARGV, "-extra-");
|
||||
my $FILE;
|
||||
|
||||
sub extra_args {
|
||||
my ($args_ref, $arg_prefix) = @_;
|
||||
my %eargs = map {
|
||||
if ($_ < $#$args_ref) {
|
||||
my ($arg, $value) = splice(@$args_ref, $_, 2);
|
||||
$arg =~ s/$arg_prefix//;
|
||||
($arg, $value);
|
||||
} else {
|
||||
();
|
||||
}
|
||||
} reverse grep($$args_ref[$_] =~ /$arg_prefix/, 0..$#$args_ref);
|
||||
my %empty = map { ($_, "") } @OPENSSL_CMDS;
|
||||
return (%empty, %eargs);
|
||||
# Commandline parsing
|
||||
my %EXTRA;
|
||||
my $WHAT = shift @ARGV || "";
|
||||
@ARGV = parse_extra(@ARGV);
|
||||
my $RET = 0;
|
||||
|
||||
# Split out "-extra-CMD value", and return new |@ARGV|. Fill in
|
||||
# |EXTRA{CMD}| with list of values.
|
||||
sub parse_extra
|
||||
{
|
||||
foreach ( @OPENSSL_CMDS ) {
|
||||
$EXTRA{$_} = '';
|
||||
}
|
||||
|
||||
my @result;
|
||||
while ( scalar(@_) > 0 ) {
|
||||
my $arg = shift;
|
||||
if ( $arg !~ m/-extra-([a-z0-9]+)/ ) {
|
||||
push @result, $arg;
|
||||
next;
|
||||
}
|
||||
$arg =~ s/-extra-//;
|
||||
die("Unknown \"-${arg}-extra\" option, exiting")
|
||||
unless scalar grep { $arg eq $_ } @OPENSSL_CMDS;
|
||||
$EXTRA{$arg} .= " " . shift;
|
||||
}
|
||||
return @result;
|
||||
}
|
||||
|
||||
|
||||
# See if reason for a CRL entry is valid; exit if not.
|
||||
sub crl_reason_ok
|
||||
{
|
||||
|
@ -113,19 +119,25 @@ sub run
|
|||
|
||||
|
||||
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
||||
print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
||||
print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
||||
print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
|
||||
print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
||||
print STDERR <<EOF;
|
||||
Usage:
|
||||
CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
|
||||
CA.pl -pkcs12 [certname]
|
||||
CA.pl -verify certfile ...
|
||||
CA.pl -revoke certfile [reason]
|
||||
EOF
|
||||
exit 0;
|
||||
}
|
||||
|
||||
if ($WHAT eq '-newcert' ) {
|
||||
# create a certificate
|
||||
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
|
||||
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"
|
||||
. " $EXTRA{req}");
|
||||
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-precert' ) {
|
||||
# create a pre-certificate
|
||||
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
|
||||
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"
|
||||
. " $EXTRA{req}");
|
||||
print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
|
||||
# create a certificate request
|
||||
|
@ -133,11 +145,20 @@ if ($WHAT eq '-newcert' ) {
|
|||
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-newca' ) {
|
||||
# create the directory hierarchy
|
||||
mkdir ${CATOP}, $DIRMODE;
|
||||
mkdir "${CATOP}/certs", $DIRMODE;
|
||||
mkdir "${CATOP}/crl", $DIRMODE ;
|
||||
mkdir "${CATOP}/newcerts", $DIRMODE;
|
||||
mkdir "${CATOP}/private", $DIRMODE;
|
||||
my @dirs = ( "${CATOP}", "${CATOP}/certs", "${CATOP}/crl",
|
||||
"${CATOP}/newcerts", "${CATOP}/private" );
|
||||
die "${CATOP}/index.txt exists.\nRemove old sub-tree to proceed,"
|
||||
if -f "${CATOP}/index.txt";
|
||||
die "${CATOP}/serial exists.\nRemove old sub-tree to proceed,"
|
||||
if -f "${CATOP}/serial";
|
||||
foreach my $d ( @dirs ) {
|
||||
if ( -d $d ) {
|
||||
warn "Directory $d exists" if -d $d;
|
||||
} else {
|
||||
mkdir $d or die "Can't mkdir $d, $!";
|
||||
}
|
||||
}
|
||||
|
||||
open OUT, ">${CATOP}/index.txt";
|
||||
close OUT;
|
||||
open OUT, ">${CATOP}/crlnumber";
|
||||
|
@ -145,6 +166,7 @@ if ($WHAT eq '-newcert' ) {
|
|||
close OUT;
|
||||
# ask user for existing CA certificate
|
||||
print "CA certificate filename (or enter to create)\n";
|
||||
my $FILE;
|
||||
$FILE = "" unless defined($FILE = <STDIN>);
|
||||
$FILE =~ s{\R$}{};
|
||||
if ($FILE ne "") {
|
||||
|
@ -152,43 +174,43 @@ if ($WHAT eq '-newcert' ) {
|
|||
copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
|
||||
} else {
|
||||
print "Making CA certificate ...\n";
|
||||
$RET = run("$REQ -new -keyout"
|
||||
. " ${CATOP}/private/$CAKEY"
|
||||
$RET = run("$REQ -new -keyout ${CATOP}/private/$CAKEY"
|
||||
. " -out ${CATOP}/$CAREQ $EXTRA{req}");
|
||||
$RET = run("$CA -create_serial"
|
||||
. " -out ${CATOP}/$CACERT $CADAYS -batch"
|
||||
. " -keyfile ${CATOP}/private/$CAKEY -selfsign"
|
||||
. " -extensions v3_ca $EXTRA{ca}"
|
||||
. " -infiles ${CATOP}/$CAREQ") if $RET == 0;
|
||||
. " -extensions v3_ca"
|
||||
. " -infiles ${CATOP}/$CAREQ $EXTRA{ca}") if $RET == 0;
|
||||
print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
|
||||
}
|
||||
} elsif ($WHAT eq '-pkcs12' ) {
|
||||
my $cname = $ARGV[0];
|
||||
$cname = "My Certificate" unless defined $cname;
|
||||
$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
|
||||
. " -certfile ${CATOP}/$CACERT"
|
||||
. " -out $NEWP12"
|
||||
. " -certfile ${CATOP}/$CACERT -out $NEWP12"
|
||||
. " -export -name \"$cname\" $EXTRA{pkcs12}");
|
||||
print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-xsign' ) {
|
||||
$RET = run("$CA -policy policy_anything $EXTRA{ca} -infiles $NEWREQ");
|
||||
$RET = run("$CA -policy policy_anything -infiles $NEWREQ $EXTRA{ca}");
|
||||
} elsif ($WHAT eq '-sign' ) {
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT $EXTRA{ca} -infiles $NEWREQ");
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. " -infiles $NEWREQ $EXTRA{ca}");
|
||||
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-signCA' ) {
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. " -extensions v3_ca $EXTRA{ca} -infiles $NEWREQ");
|
||||
. " -extensions v3_ca -infiles $NEWREQ $EXTRA{ca}");
|
||||
print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-signcert' ) {
|
||||
$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
|
||||
. " -out tmp.pem $EXTRA{x509}");
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. "$EXTRA{ca} -infiles tmp.pem") if $RET == 0;
|
||||
. "-infiles tmp.pem $EXTRA{ca}") if $RET == 0;
|
||||
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-verify' ) {
|
||||
my @files = @ARGV ? @ARGV : ( $NEWCERT );
|
||||
my $file;
|
||||
foreach $file (@files) {
|
||||
foreach my $file (@files) {
|
||||
# -CAfile quoted for VMS, since the C RTL downcases all unquoted
|
||||
# arguments to C programs
|
||||
my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
|
||||
$RET = $status if $status != 0;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -19,7 +19,7 @@
|
|||
#include <openssl/asn1t.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
|
||||
OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
|
||||
OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM,
|
||||
|
@ -27,27 +27,32 @@ typedef enum OPTION_choice {
|
|||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS asn1parse_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"oid", OPT_OID, '<', "file of extra oid definitions"},
|
||||
|
||||
OPT_SECTION("I/O"),
|
||||
{"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
|
||||
{"in", OPT_IN, '<', "input file"},
|
||||
{"out", OPT_OUT, '>', "output file (output format is always DER)"},
|
||||
{"i", OPT_INDENT, 0, "indents the output"},
|
||||
{"noout", OPT_NOOUT, 0, "do not produce any output"},
|
||||
{"offset", OPT_OFFSET, 'p', "offset into file"},
|
||||
{"length", OPT_LENGTH, 'p', "length of section in file"},
|
||||
{"oid", OPT_OID, '<', "file of extra oid definitions"},
|
||||
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
|
||||
{"dlimit", OPT_DLIMIT, 'p',
|
||||
"dump the first arg bytes of unknown data in hex form"},
|
||||
{"strparse", OPT_STRPARSE, 'p',
|
||||
"offset; a series of these can be used to 'dig'"},
|
||||
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
|
||||
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
|
||||
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
|
||||
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
|
||||
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
|
||||
{"strictpem", OPT_STRICTPEM, 0,
|
||||
"do not attempt base64 decode outside PEM markers"},
|
||||
{"item", OPT_ITEM, 's', "item to parse and print"},
|
||||
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
|
||||
|
||||
OPT_SECTION("Formatting"),
|
||||
{"i", OPT_INDENT, 0, "indents the output"},
|
||||
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
|
||||
{"dlimit", OPT_DLIMIT, 'p',
|
||||
"dump the first arg bytes of unknown data in hex form"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -152,6 +157,8 @@ int asn1parse_main(int argc, char **argv)
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
147
apps/build.info
147
apps/build.info
|
@ -1,79 +1,90 @@
|
|||
{- our @apps_openssl_src =
|
||||
qw(openssl.c
|
||||
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
|
||||
enc.c errstr.c
|
||||
genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
|
||||
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
|
||||
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
|
||||
verify.c version.c x509.c rehash.c storeutl.c);
|
||||
our @apps_lib_src =
|
||||
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
|
||||
split(/\s+/, $target{apps_aux_src}) );
|
||||
our @apps_init_src = split(/\s+/, $target{apps_init_src});
|
||||
"" -}
|
||||
SUBDIRS=lib
|
||||
|
||||
# Program init source, that don't have direct linkage with the rest of the
|
||||
# source, and can therefore not be part of a library.
|
||||
IF[{- !$disabled{uplink} -}]
|
||||
$INITSRC=../ms/applink.c
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^vms-/ -}]
|
||||
$INITSRC=vms_decc_init.c
|
||||
ENDIF
|
||||
|
||||
# Source for the 'openssl' program
|
||||
$OPENSSLSRC=\
|
||||
openssl.c \
|
||||
asn1parse.c ca.c ciphers.c crl.c crl2pkcs7.c dgst.c \
|
||||
enc.c errstr.c \
|
||||
genpkey.c kdf.c mac.c nseq.c passwd.c pkcs7.c \
|
||||
pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
|
||||
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
|
||||
spkac.c verify.c version.c x509.c rehash.c storeutl.c \
|
||||
list.c info.c fipsinstall.c pkcs12.c
|
||||
IF[{- !$disabled{'ec'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ocsp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ocsp.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'srp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC srp.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ts'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ts.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dh'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC dhparam.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC dsa.c dsaparam.c gendsa.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'engine'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC engine.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC rsa.c genrsa.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'deprecated-3.0'} -}]
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC rsautl.c
|
||||
ENDIF
|
||||
ENDIF
|
||||
IF[{- !$disabled{'cms'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC cms.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'cmp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC cmp.c lib/cmp_mock_srv.c
|
||||
ENDIF
|
||||
|
||||
IF[{- !$disabled{apps} -}]
|
||||
LIBS_NO_INST=libapps.a
|
||||
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
|
||||
INCLUDE[libapps.a]=.. ../include
|
||||
|
||||
PROGRAMS=openssl
|
||||
SOURCE[openssl]={- join(" ", @apps_init_src) -}
|
||||
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
|
||||
INCLUDE[openssl]=.. ../include
|
||||
SOURCE[openssl]=$INITSRC $OPENSSLSRC
|
||||
INCLUDE[openssl]=.. ../include include
|
||||
DEPEND[openssl]=libapps.a ../libssl
|
||||
IF[{- !$disabled{'des'} -}]
|
||||
SOURCE[openssl]=pkcs12.c
|
||||
DEPEND[pkcs12.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ec'} -}]
|
||||
SOURCE[openssl]=ec.c ecparam.c
|
||||
DEPEND[ec.o]=progs.h
|
||||
DEPEND[ecparam.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ocsp'} -}]
|
||||
SOURCE[openssl]=ocsp.c
|
||||
DEPEND[ocsp.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'srp'} -}]
|
||||
SOURCE[openssl]=srp.c
|
||||
DEPEND[srp.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ts'} -}]
|
||||
SOURCE[openssl]=ts.c
|
||||
DEPEND[ts.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dh'} -}]
|
||||
SOURCE[openssl]=dhparam.c
|
||||
DEPEND[dhparam.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dsa'} -}]
|
||||
SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
|
||||
DEPEND[dsa.o]=progs.h
|
||||
DEPEND[dsaparam.o]=progs.h
|
||||
DEPEND[gendsa.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'engine'} -}]
|
||||
SOURCE[openssl]=engine.c
|
||||
DEPEND[engine.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
SOURCE[openssl]=rsa.c rsautl.c genrsa.c
|
||||
DEPEND[rsa.o]=progs.h
|
||||
DEPEND[rsautl.o]=progs.h
|
||||
DEPEND[genrsa.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
|
||||
|
||||
# The nocheck attribute is picked up by progs.pl as a signal not to look
|
||||
# at that file; some systems may have locked it as the output file, and
|
||||
# therefore don't allow it to be read at the same time, making progs.pl
|
||||
# fail.
|
||||
SOURCE[openssl]{nocheck}=progs.c
|
||||
DEPEND[${OPENSSLSRC/.c/.o} progs.o]=progs.h
|
||||
GENERATE[progs.c]=progs.pl "-C" $(APPS_OPENSSL)
|
||||
GENERATE[progs.h]=progs.pl "-H" $(APPS_OPENSSL)
|
||||
# progs.pl tries to read all 'openssl' sources, including progs.c, so we make
|
||||
# sure things are generated in the correct order.
|
||||
DEPEND[progs.h]=progs.c
|
||||
# Because the files to look through may change (depends on $OPENSSLSRC),
|
||||
# always depend on a changed configuration.
|
||||
DEPEND[progs.c]=../configdata.pm
|
||||
|
||||
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
|
||||
GENERATE[openssl.rc]=../util/mkrc.pl openssl
|
||||
SOURCE[openssl]=openssl.rc
|
||||
ENDIF
|
||||
|
||||
{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
|
||||
@apps_openssl_src) -}
|
||||
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
|
||||
DEPEND[progs.h]=../configdata.pm
|
||||
|
||||
SCRIPTS=CA.pl tsget.pl
|
||||
SCRIPTS{misc}=CA.pl
|
||||
SOURCE[CA.pl]=CA.pl.in
|
||||
# linkname tells build files that a symbolic link or copy of this script
|
||||
# without extension must be installed as well. Unix or Unix lookalike only.
|
||||
SCRIPTS{misc,linkname=tsget}=tsget.pl
|
||||
SOURCE[tsget.pl]=tsget.in
|
||||
ENDIF
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -14,9 +14,10 @@
|
|||
#include "progs.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include "s_apps.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_STDNAME,
|
||||
OPT_CONVERT,
|
||||
OPT_SSL3,
|
||||
|
@ -27,39 +28,50 @@ typedef enum OPTION_choice {
|
|||
OPT_PSK,
|
||||
OPT_SRP,
|
||||
OPT_CIPHERSUITES,
|
||||
OPT_V, OPT_UPPER_V, OPT_S
|
||||
OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ciphers_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
|
||||
{"V", OPT_UPPER_V, '-', "Even more verbose"},
|
||||
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
|
||||
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
|
||||
|
||||
OPT_SECTION("Cipher specification"),
|
||||
{"s", OPT_S, '-', "Only supported ciphers"},
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
{"ssl3", OPT_SSL3, '-', "SSL3 mode"},
|
||||
{"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1
|
||||
{"tls1", OPT_TLS1, '-', "TLS1 mode"},
|
||||
{"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_1
|
||||
{"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
|
||||
{"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
{"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
|
||||
{"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
{"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
|
||||
{"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
|
||||
#endif
|
||||
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
{"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
|
||||
{"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
{"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"},
|
||||
{"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
|
||||
#endif
|
||||
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
|
||||
{"ciphersuites", OPT_CIPHERSUITES, 's',
|
||||
"Configure the TLSv1.3 ciphersuites to use"},
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"cipher", 0, 0, "Cipher string to decode (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -72,12 +84,6 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
|
|||
return 0;
|
||||
}
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static char *dummy_srp(SSL *ssl, void *arg)
|
||||
{
|
||||
return "";
|
||||
}
|
||||
#endif
|
||||
|
||||
int ciphers_main(int argc, char **argv)
|
||||
{
|
||||
|
@ -159,13 +165,18 @@ int ciphers_main(int argc, char **argv)
|
|||
case OPT_CIPHERSUITES:
|
||||
ciphersuites = opt_arg();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Optional arg is cipher name. */
|
||||
argv = opt_rest();
|
||||
argc = opt_num_rest();
|
||||
|
||||
if (argc == 1)
|
||||
ciphers = *argv;
|
||||
ciphers = argv[0];
|
||||
else if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
|
@ -176,7 +187,7 @@ int ciphers_main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
|
||||
ctx = SSL_CTX_new(meth);
|
||||
ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
||||
|
@ -190,7 +201,7 @@ int ciphers_main(int argc, char **argv)
|
|||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
if (srp)
|
||||
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
|
||||
set_up_dummy_srp(ctx);
|
||||
#endif
|
||||
|
||||
if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
|
||||
|
@ -216,6 +227,10 @@ int ciphers_main(int argc, char **argv)
|
|||
if (!verbose) {
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
|
||||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
|
||||
|
||||
if (!ossl_assert(c != NULL))
|
||||
continue;
|
||||
|
||||
p = SSL_CIPHER_get_name(c);
|
||||
if (p == NULL)
|
||||
break;
|
||||
|
@ -231,6 +246,9 @@ int ciphers_main(int argc, char **argv)
|
|||
|
||||
c = sk_SSL_CIPHER_value(sk, i);
|
||||
|
||||
if (!ossl_assert(c != NULL))
|
||||
continue;
|
||||
|
||||
if (Verbose) {
|
||||
unsigned long id = SSL_CIPHER_get_id(c);
|
||||
int id0 = (int)(id >> 24);
|
||||
|
@ -248,7 +266,7 @@ int ciphers_main(int argc, char **argv)
|
|||
const char *nm = SSL_CIPHER_standard_name(c);
|
||||
if (nm == NULL)
|
||||
nm = "UNKNOWN";
|
||||
BIO_printf(bio_out, "%s - ", nm);
|
||||
BIO_printf(bio_out, "%-45s - ", nm);
|
||||
}
|
||||
BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf)));
|
||||
}
|
||||
|
|
3023
apps/cmp.c
Normal file
3023
apps/cmp.c
Normal file
File diff suppressed because it is too large
Load diff
689
apps/cms.c
689
apps/cms.c
File diff suppressed because it is too large
Load diff
134
apps/crl.c
134
apps/crl.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -19,22 +19,38 @@
|
|||
#include <openssl/pem.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
|
||||
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
|
||||
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
|
||||
OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
|
||||
OPT_NOOUT, OPT_NAMEOPT, OPT_MD
|
||||
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
|
||||
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_DATEOPT, OPT_TEXT, OPT_HASH,
|
||||
OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS crl_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format; default PEM"},
|
||||
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"out", OPT_OUT, '>', "output file - default stdout"},
|
||||
{"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
|
||||
{"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
|
||||
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
|
||||
{"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "output file - default stdout"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
|
||||
{"text", OPT_TEXT, '-', "Print out a text format version"},
|
||||
{"hash", OPT_HASH, '-', "Print hash value"},
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
|
||||
#endif
|
||||
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
|
||||
{"", OPT_MD, '-', "Any supported digest"},
|
||||
|
||||
OPT_SECTION("CRL"),
|
||||
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
|
||||
{"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
|
||||
{"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
|
||||
|
@ -43,20 +59,18 @@ const OPTIONS crl_options[] = {
|
|||
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
|
||||
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
|
||||
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
|
||||
|
||||
OPT_SECTION("Certificate"),
|
||||
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
|
||||
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
|
||||
{"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
|
||||
{"no-CAfile", OPT_NOCAFILE, '-',
|
||||
"Do not load the default certificates file"},
|
||||
{"no-CApath", OPT_NOCAPATH, '-',
|
||||
"Do not load certificates from the default certificates directory"},
|
||||
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
|
||||
{"text", OPT_TEXT, '-', "Print out a text format version"},
|
||||
{"hash", OPT_HASH, '-', "Print hash value"},
|
||||
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
|
||||
{"", OPT_MD, '-', "Any supported digest"},
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
|
||||
#endif
|
||||
{"no-CAstore", OPT_NOCASTORE, '-',
|
||||
"Do not load certificates from the default certificates store"},
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -69,14 +83,16 @@ int crl_main(int argc, char **argv)
|
|||
X509_LOOKUP *lookup = NULL;
|
||||
X509_OBJECT *xobj = NULL;
|
||||
EVP_PKEY *pkey;
|
||||
const EVP_MD *digest = EVP_sha1();
|
||||
EVP_MD *digest = (EVP_MD *)EVP_sha1();
|
||||
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
|
||||
const char *CAfile = NULL, *CApath = NULL, *prog;
|
||||
char *digestname = NULL;
|
||||
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
|
||||
int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
|
||||
int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
|
||||
int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0;
|
||||
unsigned long dateopt = ASN1_DTFLGS_RFC822;
|
||||
int i;
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
int hash_old = 0;
|
||||
|
@ -109,7 +125,7 @@ int crl_main(int argc, char **argv)
|
|||
outfile = opt_arg();
|
||||
break;
|
||||
case OPT_KEYFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_KEY:
|
||||
|
@ -126,12 +142,19 @@ int crl_main(int argc, char **argv)
|
|||
CAfile = opt_arg();
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_CASTORE:
|
||||
CAstore = opt_arg();
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_NOCAPATH:
|
||||
noCApath = 1;
|
||||
break;
|
||||
case OPT_NOCAFILE:
|
||||
noCAfile = 1;
|
||||
break;
|
||||
case OPT_NOCASTORE:
|
||||
noCAstore = 1;
|
||||
break;
|
||||
case OPT_HASH_OLD:
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
hash_old = ++num;
|
||||
|
@ -140,6 +163,10 @@ int crl_main(int argc, char **argv)
|
|||
case OPT_VERIFY:
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_DATEOPT:
|
||||
if (!set_dateopt(&dateopt, opt_arg()))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
|
@ -156,7 +183,7 @@ int crl_main(int argc, char **argv)
|
|||
nextupdate = ++num;
|
||||
break;
|
||||
case OPT_NOOUT:
|
||||
noout = ++num;
|
||||
noout = 1;
|
||||
break;
|
||||
case OPT_FINGERPRINT:
|
||||
fingerprint = ++num;
|
||||
|
@ -172,20 +199,31 @@ int crl_main(int argc, char **argv)
|
|||
goto opthelp;
|
||||
break;
|
||||
case OPT_MD:
|
||||
if (!opt_md(opt_unknown(), &digest))
|
||||
goto opthelp;
|
||||
digestname = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No remaining args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
x = load_crl(infile, informat);
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &digest))
|
||||
goto opthelp;
|
||||
}
|
||||
x = load_crl(infile, informat, 1, "CRL");
|
||||
if (x == NULL)
|
||||
goto end;
|
||||
|
||||
if (do_ver) {
|
||||
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
|
||||
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
|
||||
CAstore, noCAstore)) == NULL)
|
||||
goto end;
|
||||
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
||||
if (lookup == NULL)
|
||||
|
@ -204,7 +242,7 @@ int crl_main(int argc, char **argv)
|
|||
}
|
||||
pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
|
||||
X509_OBJECT_free(xobj);
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
|
||||
goto end;
|
||||
}
|
||||
|
@ -218,17 +256,17 @@ int crl_main(int argc, char **argv)
|
|||
BIO_printf(bio_err, "verify OK\n");
|
||||
}
|
||||
|
||||
if (crldiff) {
|
||||
if (crldiff != NULL) {
|
||||
X509_CRL *newcrl, *delta;
|
||||
if (!keyfile) {
|
||||
BIO_puts(bio_err, "Missing CRL signing key\n");
|
||||
goto end;
|
||||
}
|
||||
newcrl = load_crl(crldiff, informat);
|
||||
newcrl = load_crl(crldiff, informat, 0, "other CRL");
|
||||
if (!newcrl)
|
||||
goto end;
|
||||
pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
X509_CRL_free(newcrl);
|
||||
goto end;
|
||||
}
|
||||
|
@ -254,39 +292,54 @@ int crl_main(int argc, char **argv)
|
|||
if (num) {
|
||||
for (i = 1; i <= num; i++) {
|
||||
if (issuer == i) {
|
||||
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
|
||||
get_nameopt());
|
||||
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x));
|
||||
}
|
||||
if (crlnumber == i) {
|
||||
ASN1_INTEGER *crlnum;
|
||||
|
||||
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
|
||||
BIO_printf(bio_out, "crlNumber=");
|
||||
if (crlnum) {
|
||||
BIO_puts(bio_out, "0x");
|
||||
i2a_ASN1_INTEGER(bio_out, crlnum);
|
||||
ASN1_INTEGER_free(crlnum);
|
||||
} else
|
||||
} else {
|
||||
BIO_puts(bio_out, "<NONE>");
|
||||
}
|
||||
BIO_printf(bio_out, "\n");
|
||||
}
|
||||
if (hash == i) {
|
||||
BIO_printf(bio_out, "%08lx\n",
|
||||
X509_NAME_hash(X509_CRL_get_issuer(x)));
|
||||
int ok;
|
||||
unsigned long hash_value =
|
||||
X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
|
||||
app_get0_propq(), &ok);
|
||||
|
||||
if (num > 1)
|
||||
BIO_printf(bio_out, "issuer name hash=");
|
||||
if (ok) {
|
||||
BIO_printf(bio_out, "%08lx\n", hash_value);
|
||||
} else {
|
||||
BIO_puts(bio_out, "<ERROR>");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
if (hash_old == i) {
|
||||
if (num > 1)
|
||||
BIO_printf(bio_out, "issuer name old hash=");
|
||||
BIO_printf(bio_out, "%08lx\n",
|
||||
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
|
||||
}
|
||||
#endif
|
||||
if (lastupdate == i) {
|
||||
BIO_printf(bio_out, "lastUpdate=");
|
||||
ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x));
|
||||
ASN1_TIME_print_ex(bio_out, X509_CRL_get0_lastUpdate(x), dateopt);
|
||||
BIO_printf(bio_out, "\n");
|
||||
}
|
||||
if (nextupdate == i) {
|
||||
BIO_printf(bio_out, "nextUpdate=");
|
||||
if (X509_CRL_get0_nextUpdate(x))
|
||||
ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x));
|
||||
ASN1_TIME_print_ex(bio_out, X509_CRL_get0_nextUpdate(x), dateopt);
|
||||
else
|
||||
BIO_printf(bio_out, "NONE");
|
||||
BIO_printf(bio_out, "\n");
|
||||
|
@ -301,7 +354,7 @@ int crl_main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
BIO_printf(bio_out, "%s Fingerprint=",
|
||||
OBJ_nid2sn(EVP_MD_type(digest)));
|
||||
EVP_MD_get0_name(digest));
|
||||
for (j = 0; j < (int)n; j++) {
|
||||
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
|
||||
? '\n' : ':');
|
||||
|
@ -335,6 +388,7 @@ int crl_main(int argc, char **argv)
|
|||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
EVP_MD_free(digest);
|
||||
X509_CRL_free(x);
|
||||
X509_STORE_CTX_free(ctx);
|
||||
X509_STORE_free(store);
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -22,19 +22,27 @@
|
|||
static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS crl2pkcs7_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
|
||||
{"certfile", OPT_CERTFILE, '<',
|
||||
"File of chain of certs to a trusted CA; can be repeated"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -88,8 +96,14 @@ int crl2pkcs7_main(int argc, char **argv)
|
|||
if (!sk_OPENSSL_STRING_push(certflst, opt_arg()))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No remaining args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
316
apps/dgst.c
316
apps/dgst.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -24,7 +24,7 @@
|
|||
#undef BUFSIZE
|
||||
#define BUFSIZE 1024*8
|
||||
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
|
||||
EVP_PKEY *key, unsigned char *sigin, int siglen,
|
||||
const char *sig_name, const char *md_name,
|
||||
const char *file);
|
||||
|
@ -36,49 +36,58 @@ struct doall_dgst_digests {
|
|||
};
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_LIST,
|
||||
OPT_COMMON,
|
||||
OPT_LIST,
|
||||
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
|
||||
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
|
||||
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
|
||||
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
|
||||
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_XOFLEN,
|
||||
OPT_DIGEST,
|
||||
OPT_R_ENUM
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dgst_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
|
||||
{OPT_HELP_STR, 1, '-',
|
||||
" file... files to digest (default is stdin)\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"list", OPT_LIST, '-', "List digests"},
|
||||
{"c", OPT_C, '-', "Print the digest with separating colons"},
|
||||
{"r", OPT_R, '-', "Print the digest in coreutils format"},
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
|
||||
{"verify", OPT_VERIFY, 's',
|
||||
"Verify a signature using public key"},
|
||||
{"prverify", OPT_PRVERIFY, 's',
|
||||
"Verify a signature using private key"},
|
||||
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
|
||||
{"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
|
||||
{"hex", OPT_HEX, '-', "Print as hex dump"},
|
||||
{"binary", OPT_BINARY, '-', "Print in binary form"},
|
||||
{"d", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
|
||||
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
|
||||
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
|
||||
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
|
||||
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
|
||||
{"", OPT_DIGEST, '-', "Any supported digest"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
{"engine_impl", OPT_ENGINE_IMPL, '-',
|
||||
"Also use engine given by -engine for digest operations"},
|
||||
#endif
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"c", OPT_C, '-', "Print the digest with separating colons"},
|
||||
{"r", OPT_R, '-', "Print the digest in coreutils format"},
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
|
||||
{"hex", OPT_HEX, '-', "Print as hex dump"},
|
||||
{"binary", OPT_BINARY, '-', "Print in binary form"},
|
||||
{"xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256"},
|
||||
{"d", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
|
||||
OPT_SECTION("Signing"),
|
||||
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
|
||||
{"verify", OPT_VERIFY, 's', "Verify a signature using public key"},
|
||||
{"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"},
|
||||
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
||||
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
|
||||
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
|
||||
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
|
||||
{"", OPT_DIGEST, '-', "Any supported digest"},
|
||||
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
|
||||
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"file", 0, 0, "Files to digest (optional; default is stdin)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -89,21 +98,24 @@ int dgst_main(int argc, char **argv)
|
|||
EVP_PKEY *sigkey = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
|
||||
char *hmac_key = NULL;
|
||||
char *mac_name = NULL;
|
||||
char *mac_name = NULL, *digestname = NULL;
|
||||
char *passinarg = NULL, *passin = NULL;
|
||||
const EVP_MD *md = NULL, *m;
|
||||
EVP_MD *md = NULL;
|
||||
const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
|
||||
const char *sigfile = NULL;
|
||||
const char *md_name = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
|
||||
int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
|
||||
int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0;
|
||||
int i, ret = EXIT_FAILURE, out_bin = -1, want_pub = 0, do_verify = 0;
|
||||
int xoflen = 0;
|
||||
unsigned char *buf = NULL, *sigbuf = NULL;
|
||||
int engine_impl = 0;
|
||||
struct doall_dgst_digests dec;
|
||||
|
||||
prog = opt_progname(argv[0]);
|
||||
buf = app_malloc(BUFSIZE, "I/O buffer");
|
||||
md = EVP_get_digestbyname(prog);
|
||||
md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
|
||||
if (md != NULL)
|
||||
digestname = argv[0];
|
||||
|
||||
prog = opt_init(argc, argv, dgst_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -115,7 +127,7 @@ int dgst_main(int argc, char **argv)
|
|||
goto end;
|
||||
case OPT_HELP:
|
||||
opt_help(dgst_options);
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
case OPT_LIST:
|
||||
BIO_printf(bio_out, "Supported digests:\n");
|
||||
|
@ -124,7 +136,7 @@ int dgst_main(int argc, char **argv)
|
|||
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
|
||||
show_digests, &dec);
|
||||
BIO_printf(bio_out, "\n");
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
case OPT_C:
|
||||
separator = 1;
|
||||
|
@ -172,6 +184,9 @@ int dgst_main(int argc, char **argv)
|
|||
case OPT_BINARY:
|
||||
out_bin = 1;
|
||||
break;
|
||||
case OPT_XOFLEN:
|
||||
xoflen = atoi(opt_arg());
|
||||
break;
|
||||
case OPT_DEBUG:
|
||||
debug = 1;
|
||||
break;
|
||||
|
@ -197,18 +212,29 @@ int dgst_main(int argc, char **argv)
|
|||
goto opthelp;
|
||||
break;
|
||||
case OPT_DIGEST:
|
||||
if (!opt_md(opt_unknown(), &m))
|
||||
goto opthelp;
|
||||
md = m;
|
||||
digestname = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Remaining args are files to digest. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
if (keyfile != NULL && argc > 1) {
|
||||
BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &md))
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (do_verify && sigfile == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
|
@ -220,13 +246,11 @@ int dgst_main(int argc, char **argv)
|
|||
|
||||
in = BIO_new(BIO_s_file());
|
||||
bmd = BIO_new(BIO_f_md());
|
||||
if ((in == NULL) || (bmd == NULL)) {
|
||||
ERR_print_errors(bio_err);
|
||||
if (in == NULL || bmd == NULL)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(in, BIO_debug_callback);
|
||||
BIO_set_callback_ex(in, BIO_debug_callback_ex);
|
||||
/* needed for windows 3.1 */
|
||||
BIO_set_callback_arg(in, (char *)bio_err);
|
||||
}
|
||||
|
@ -248,7 +272,7 @@ int dgst_main(int argc, char **argv)
|
|||
goto end;
|
||||
|
||||
if ((!(mac_name == NULL) + !(keyfile == NULL) + !(hmac_key == NULL)) > 1) {
|
||||
BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
|
||||
BIO_printf(bio_err, "MAC and signing key cannot both be specified\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -256,16 +280,16 @@ int dgst_main(int argc, char **argv)
|
|||
int type;
|
||||
|
||||
if (want_pub)
|
||||
sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
|
||||
sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
|
||||
else
|
||||
sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
|
||||
sigkey = load_key(keyfile, keyform, 0, passin, e, "private key");
|
||||
if (sigkey == NULL) {
|
||||
/*
|
||||
* load_[pub]key() has already printed an appropriate message
|
||||
*/
|
||||
goto end;
|
||||
}
|
||||
type = EVP_PKEY_id(sigkey);
|
||||
type = EVP_PKEY_get_id(sigkey);
|
||||
if (type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448) {
|
||||
/*
|
||||
* We implement PureEdDSA for these which doesn't have a separate
|
||||
|
@ -278,36 +302,34 @@ int dgst_main(int argc, char **argv)
|
|||
|
||||
if (mac_name != NULL) {
|
||||
EVP_PKEY_CTX *mac_ctx = NULL;
|
||||
int r = 0;
|
||||
if (!init_gen_str(&mac_ctx, mac_name, impl, 0))
|
||||
goto mac_end;
|
||||
|
||||
if (!init_gen_str(&mac_ctx, mac_name, impl, 0, NULL, NULL))
|
||||
goto end;
|
||||
if (macopts != NULL) {
|
||||
char *macopt;
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
|
||||
macopt = sk_OPENSSL_STRING_value(macopts, i);
|
||||
char *macopt = sk_OPENSSL_STRING_value(macopts, i);
|
||||
|
||||
if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"MAC parameter error \"%s\"\n", macopt);
|
||||
ERR_print_errors(bio_err);
|
||||
goto mac_end;
|
||||
EVP_PKEY_CTX_free(mac_ctx);
|
||||
BIO_printf(bio_err, "MAC parameter error \"%s\"\n", macopt);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto mac_end;
|
||||
}
|
||||
r = 1;
|
||||
mac_end:
|
||||
|
||||
sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */);
|
||||
/* Verbose output would make external-tests gost-engine fail */
|
||||
EVP_PKEY_CTX_free(mac_ctx);
|
||||
if (r == 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (hmac_key != NULL) {
|
||||
if (md == NULL) {
|
||||
md = (EVP_MD *)EVP_sha256();
|
||||
digestname = SN_sha256;
|
||||
}
|
||||
sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
|
||||
(unsigned char *)hmac_key, -1);
|
||||
(unsigned char *)hmac_key,
|
||||
strlen(hmac_key));
|
||||
if (sigkey == NULL)
|
||||
goto end;
|
||||
}
|
||||
|
@ -315,28 +337,37 @@ int dgst_main(int argc, char **argv)
|
|||
if (sigkey != NULL) {
|
||||
EVP_MD_CTX *mctx = NULL;
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
int r;
|
||||
int res;
|
||||
|
||||
if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error getting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (do_verify)
|
||||
r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (impl == NULL)
|
||||
res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
|
||||
app_get0_libctx(),
|
||||
app_get0_propq(), sigkey, NULL);
|
||||
else
|
||||
res = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
|
||||
else
|
||||
r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (!r) {
|
||||
if (impl == NULL)
|
||||
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
|
||||
app_get0_libctx(),
|
||||
app_get0_propq(), sigkey, NULL);
|
||||
else
|
||||
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (res == 0) {
|
||||
BIO_printf(bio_err, "Error setting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (sigopts != NULL) {
|
||||
char *sigopt;
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
|
||||
sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
||||
char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
||||
|
||||
if (pkey_ctrl_string(pctx, sigopt) <= 0) {
|
||||
BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Signature parameter error \"%s\"\n",
|
||||
sigopt);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
@ -347,32 +378,29 @@ int dgst_main(int argc, char **argv)
|
|||
EVP_MD_CTX *mctx = NULL;
|
||||
if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error getting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (md == NULL)
|
||||
md = EVP_sha256();
|
||||
md = (EVP_MD *)EVP_sha256();
|
||||
if (!EVP_DigestInit_ex(mctx, md, impl)) {
|
||||
BIO_printf(bio_err, "Error setting digest\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (sigfile != NULL && sigkey != NULL) {
|
||||
BIO *sigbio = BIO_new_file(sigfile, "rb");
|
||||
|
||||
if (sigbio == NULL) {
|
||||
BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
siglen = EVP_PKEY_size(sigkey);
|
||||
siglen = EVP_PKEY_get_size(sigkey);
|
||||
sigbuf = app_malloc(siglen, "signature buffer");
|
||||
siglen = BIO_read(sigbio, sigbuf, siglen);
|
||||
BIO_free(sigbio);
|
||||
if (siglen <= 0) {
|
||||
BIO_printf(bio_err, "Error reading signature file %s\n", sigfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
@ -380,48 +408,62 @@ int dgst_main(int argc, char **argv)
|
|||
|
||||
if (md == NULL) {
|
||||
EVP_MD_CTX *tctx;
|
||||
|
||||
BIO_get_md_ctx(bmd, &tctx);
|
||||
md = EVP_MD_CTX_md(tctx);
|
||||
md = EVP_MD_CTX_get1_md(tctx);
|
||||
}
|
||||
if (md != NULL)
|
||||
md_name = EVP_MD_get0_name(md);
|
||||
|
||||
if (xoflen > 0) {
|
||||
if (!(EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF)) {
|
||||
BIO_printf(bio_err, "Length can only be specified for XOF\n");
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Signing using XOF is not supported by any algorithms currently since
|
||||
* each algorithm only calls EVP_DigestFinal_ex() in their sign_final
|
||||
* and verify_final methods.
|
||||
*/
|
||||
if (sigkey != NULL) {
|
||||
BIO_printf(bio_err, "Signing key cannot be specified for XOF\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (argc == 0) {
|
||||
BIO_set_fp(in, stdin, BIO_NOCLOSE);
|
||||
ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
|
||||
siglen, NULL, NULL, "stdin");
|
||||
ret = do_fp(out, buf, inp, separator, out_bin, xoflen, sigkey, sigbuf,
|
||||
siglen, NULL, md_name, "stdin");
|
||||
} else {
|
||||
const char *md_name = NULL, *sig_name = NULL;
|
||||
if (!out_bin) {
|
||||
if (sigkey != NULL) {
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ameth = EVP_PKEY_get0_asn1(sigkey);
|
||||
if (ameth)
|
||||
EVP_PKEY_asn1_get0_info(NULL, NULL,
|
||||
NULL, NULL, &sig_name, ameth);
|
||||
}
|
||||
if (md != NULL)
|
||||
md_name = EVP_MD_name(md);
|
||||
const char *sig_name = NULL;
|
||||
|
||||
if (out_bin == 0) {
|
||||
if (sigkey != NULL)
|
||||
sig_name = EVP_PKEY_get0_type_name(sigkey);
|
||||
}
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
for (i = 0; i < argc; i++) {
|
||||
int r;
|
||||
if (BIO_read_filename(in, argv[i]) <= 0) {
|
||||
perror(argv[i]);
|
||||
ret++;
|
||||
ret = EXIT_FAILURE;
|
||||
continue;
|
||||
} else {
|
||||
r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
|
||||
siglen, sig_name, md_name, argv[i]);
|
||||
if (do_fp(out, buf, inp, separator, out_bin, xoflen,
|
||||
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
|
||||
ret = EXIT_FAILURE;
|
||||
}
|
||||
if (r)
|
||||
ret = r;
|
||||
(void)BIO_reset(bmd);
|
||||
}
|
||||
}
|
||||
end:
|
||||
if (ret != EXIT_SUCCESS)
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_clear_free(buf, BUFSIZE);
|
||||
BIO_free(in);
|
||||
OPENSSL_free(passin);
|
||||
BIO_free_all(out);
|
||||
EVP_MD_free(md);
|
||||
EVP_PKEY_free(sigkey);
|
||||
sk_OPENSSL_STRING_free(sigopts);
|
||||
sk_OPENSSL_STRING_free(macopts);
|
||||
|
@ -444,7 +486,7 @@ static void show_digests(const OBJ_NAME *name, void *arg)
|
|||
return;
|
||||
|
||||
/* Filter out message digests that we cannot use */
|
||||
md = EVP_get_digestbyname(name->name);
|
||||
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
|
||||
if (md == NULL)
|
||||
return;
|
||||
|
||||
|
@ -496,20 +538,19 @@ static const char *newline_escape_filename(const char *file, int * backslash)
|
|||
}
|
||||
|
||||
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
|
||||
EVP_PKEY *key, unsigned char *sigin, int siglen,
|
||||
const char *sig_name, const char *md_name,
|
||||
const char *file)
|
||||
{
|
||||
size_t len = BUFSIZE;
|
||||
int i, backslash = 0, ret = 1;
|
||||
unsigned char *sigbuf = NULL;
|
||||
int i, backslash = 0, ret = EXIT_FAILURE;
|
||||
unsigned char *allocated_buf = NULL;
|
||||
|
||||
while (BIO_pending(bp) || !BIO_eof(bp)) {
|
||||
i = BIO_read(bp, (char *)buf, BUFSIZE);
|
||||
if (i < 0) {
|
||||
BIO_printf(bio_err, "Read Error in %s\n", file);
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Read error in %s\n", file);
|
||||
goto end;
|
||||
}
|
||||
if (i == 0)
|
||||
|
@ -522,37 +563,52 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
|||
if (i > 0) {
|
||||
BIO_printf(out, "Verified OK\n");
|
||||
} else if (i == 0) {
|
||||
BIO_printf(out, "Verification Failure\n");
|
||||
BIO_printf(out, "Verification failure\n");
|
||||
goto end;
|
||||
} else {
|
||||
BIO_printf(bio_err, "Error Verifying Data\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error verifying data\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
}
|
||||
if (key != NULL) {
|
||||
EVP_MD_CTX *ctx;
|
||||
int pkey_len;
|
||||
size_t tmplen;
|
||||
|
||||
BIO_get_md_ctx(bp, &ctx);
|
||||
pkey_len = EVP_PKEY_size(key);
|
||||
if (pkey_len > BUFSIZE) {
|
||||
len = pkey_len;
|
||||
sigbuf = app_malloc(len, "Signature buffer");
|
||||
buf = sigbuf;
|
||||
if (!EVP_DigestSignFinal(ctx, NULL, &tmplen)) {
|
||||
BIO_printf(bio_err, "Error getting maximum length of signed data\n");
|
||||
goto end;
|
||||
}
|
||||
if (tmplen > BUFSIZE) {
|
||||
len = tmplen;
|
||||
allocated_buf = app_malloc(len, "Signature buffer");
|
||||
buf = allocated_buf;
|
||||
}
|
||||
if (!EVP_DigestSignFinal(ctx, buf, &len)) {
|
||||
BIO_printf(bio_err, "Error Signing Data\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error signing data\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (xoflen > 0) {
|
||||
EVP_MD_CTX *ctx;
|
||||
|
||||
len = xoflen;
|
||||
if (len > BUFSIZE) {
|
||||
allocated_buf = app_malloc(len, "Digest buffer");
|
||||
buf = allocated_buf;
|
||||
}
|
||||
|
||||
BIO_get_md_ctx(bp, &ctx);
|
||||
|
||||
if (!EVP_DigestFinalXOF(ctx, buf, len)) {
|
||||
BIO_printf(bio_err, "Error Digesting Data\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
len = BIO_gets(bp, (char *)buf, BUFSIZE);
|
||||
if ((int)len < 0) {
|
||||
ERR_print_errors(bio_err);
|
||||
if ((int)len < 0)
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (binout) {
|
||||
|
@ -587,10 +643,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
|||
BIO_printf(out, "\n");
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
end:
|
||||
if (sigbuf != NULL)
|
||||
OPENSSL_clear_free(sigbuf, len);
|
||||
if (allocated_buf != NULL)
|
||||
OPENSSL_clear_free(allocated_buf, len);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
|
||||
Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
|
||||
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 1024-bit DH parameters from "Internet Key Exchange
|
||||
Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
|
@ -1,14 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 2048-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 4096-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
436
apps/dhparam.c
436
apps/dhparam.c
|
@ -1,13 +1,14 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
|
@ -17,61 +18,73 @@
|
|||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dsa.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
# include <openssl/dsa.h>
|
||||
#endif
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/param_build.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
|
||||
#define DEFBITS 2048
|
||||
|
||||
static int dh_cb(int p, int n, BN_GENCB *cb);
|
||||
static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh);
|
||||
static int gendh_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
|
||||
OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
|
||||
OPT_DSAPARAM, OPT_C, OPT_2, OPT_5,
|
||||
OPT_R_ENUM
|
||||
OPT_DSAPARAM, OPT_2, OPT_3, OPT_5,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dhparam_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Valid options are:\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"check", OPT_CHECK, '-', "Check the DH parameters"},
|
||||
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
|
||||
OPT_R_OPTIONS,
|
||||
{"C", OPT_C, '-', "Print C code"},
|
||||
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
|
||||
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)
|
||||
{"dsaparam", OPT_DSAPARAM, '-',
|
||||
"Read or generate DSA parameters, convert to DH"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
|
||||
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
|
||||
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
|
||||
{"3", OPT_3, '-', "Generate parameters using 3 as the generator value"},
|
||||
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dhparam_main(int argc, char **argv)
|
||||
{
|
||||
BIO *in = NULL, *out = NULL;
|
||||
DH *dh = NULL;
|
||||
EVP_PKEY *pkey = NULL, *tmppkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
ENGINE *e = NULL;
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
int dsaparam = 0;
|
||||
#endif
|
||||
int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
|
||||
int text = 0, ret = 1, num = 0, g = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
|
@ -111,16 +124,14 @@ int dhparam_main(int argc, char **argv)
|
|||
text = 1;
|
||||
break;
|
||||
case OPT_DSAPARAM:
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
dsaparam = 1;
|
||||
#endif
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_2:
|
||||
g = 2;
|
||||
break;
|
||||
case OPT_3:
|
||||
g = 3;
|
||||
break;
|
||||
case OPT_5:
|
||||
g = 5;
|
||||
break;
|
||||
|
@ -131,24 +142,33 @@ int dhparam_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One optional argument, bitsize to generate. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
if (argv[0] != NULL && (!opt_int(argv[0], &num) || num <= 0))
|
||||
if (argc == 1) {
|
||||
if (!opt_int(argv[0], &num) || num <= 0)
|
||||
goto opthelp;
|
||||
} else if (argc != 0) {
|
||||
goto opthelp;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (g && !num)
|
||||
num = DEFBITS;
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam && g) {
|
||||
BIO_printf(bio_err,
|
||||
"generator may not be chosen for DSA parameters\n");
|
||||
"Error, generator may not be chosen for DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
#endif
|
||||
|
||||
out = bio_open_default(outfile, 'w', outformat);
|
||||
if (out == NULL)
|
||||
|
@ -159,216 +179,238 @@ int dhparam_main(int argc, char **argv)
|
|||
g = 2;
|
||||
|
||||
if (num) {
|
||||
const char *alg = dsaparam ? "DSA" : "DH";
|
||||
|
||||
BN_GENCB *cb;
|
||||
cb = BN_GENCB_new();
|
||||
if (cb == NULL) {
|
||||
ERR_print_errors(bio_err);
|
||||
if (infile != NULL) {
|
||||
BIO_printf(bio_err, "Warning, input file %s ignored\n", infile);
|
||||
}
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), alg, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, %s param generation context allocation failed\n",
|
||||
alg);
|
||||
goto end;
|
||||
}
|
||||
EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
BIO_printf(bio_err,
|
||||
"Generating %s parameters, %d bit long %sprime\n",
|
||||
alg, num, dsaparam ? "" : "safe ");
|
||||
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, unable to initialise %s parameters\n",
|
||||
alg);
|
||||
goto end;
|
||||
}
|
||||
|
||||
BN_GENCB_set(cb, dh_cb, bio_err);
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam) {
|
||||
DSA *dsa = DSA_new();
|
||||
|
||||
BIO_printf(bio_err,
|
||||
"Generating DSA parameters, %d bit long prime\n", num);
|
||||
if (dsa == NULL
|
||||
|| !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
|
||||
cb)) {
|
||||
DSA_free(dsa);
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set DSA prime length\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
dh = DSA_dup_DH(dsa);
|
||||
DSA_free(dsa);
|
||||
if (dh == NULL) {
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
} else {
|
||||
if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set DH prime length\n");
|
||||
goto end;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
dh = DH_new();
|
||||
BIO_printf(bio_err,
|
||||
"Generating DH parameters, %d bit long safe prime, generator %d\n",
|
||||
num, g);
|
||||
BIO_printf(bio_err, "This is going to take a long time\n");
|
||||
if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
if (EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, g) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set generator\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
BN_GENCB_free(cb);
|
||||
tmppkey = app_paramgen(ctx, alg);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
ctx = NULL;
|
||||
if (dsaparam) {
|
||||
pkey = dsa_to_dh(tmppkey);
|
||||
if (pkey == NULL)
|
||||
goto end;
|
||||
EVP_PKEY_free(tmppkey);
|
||||
} else {
|
||||
pkey = tmppkey;
|
||||
}
|
||||
tmppkey = NULL;
|
||||
} else {
|
||||
OSSL_DECODER_CTX *decoderctx = NULL;
|
||||
const char *keytype = "DH";
|
||||
int done;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam) {
|
||||
DSA *dsa;
|
||||
do {
|
||||
/*
|
||||
* We assume we're done unless we explicitly want to retry and set
|
||||
* this to 0 below.
|
||||
*/
|
||||
done = 1;
|
||||
/*
|
||||
* We set NULL for the keytype to allow any key type. We don't know
|
||||
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
|
||||
* We check that we got one of those key types afterwards.
|
||||
*/
|
||||
decoderctx
|
||||
= OSSL_DECODER_CTX_new_for_pkey(&tmppkey,
|
||||
(informat == FORMAT_ASN1)
|
||||
? "DER" : "PEM",
|
||||
NULL,
|
||||
(informat == FORMAT_ASN1)
|
||||
? keytype : NULL,
|
||||
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
NULL, NULL);
|
||||
|
||||
if (informat == FORMAT_ASN1)
|
||||
dsa = d2i_DSAparams_bio(in, NULL);
|
||||
else /* informat == FORMAT_PEM */
|
||||
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
|
||||
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
dh = DSA_dup_DH(dsa);
|
||||
DSA_free(dsa);
|
||||
if (dh == NULL) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
if (informat == FORMAT_ASN1) {
|
||||
if (decoderctx != NULL
|
||||
&& !OSSL_DECODER_from_bio(decoderctx, in)
|
||||
&& informat == FORMAT_ASN1
|
||||
&& strcmp(keytype, "DH") == 0) {
|
||||
/*
|
||||
* We have no PEM header to determine what type of DH params it
|
||||
* is. We'll just try both.
|
||||
* When reading DER we explicitly state the expected keytype
|
||||
* because, unlike PEM, there is no header to declare what
|
||||
* the contents of the DER file are. The decoders just try
|
||||
* and guess. Unfortunately with DHX key types they may guess
|
||||
* wrong and think we have a DSA keytype. Therefore we try
|
||||
* both DH and DHX sequentially.
|
||||
*/
|
||||
keytype = "DHX";
|
||||
/*
|
||||
* BIO_reset() returns 0 for success for file BIOs only!!!
|
||||
* This won't work for stdin (and never has done)
|
||||
*/
|
||||
dh = d2i_DHparams_bio(in, NULL);
|
||||
/* BIO_reset() returns 0 for success for file BIOs only!!! */
|
||||
if (dh == NULL && BIO_reset(in) == 0)
|
||||
dh = d2i_DHxparams_bio(in, NULL);
|
||||
} else {
|
||||
/* informat == FORMAT_PEM */
|
||||
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
|
||||
}
|
||||
|
||||
if (dh == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DH parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
if (BIO_reset(in) == 0)
|
||||
done = 0;
|
||||
}
|
||||
OSSL_DECODER_CTX_free(decoderctx);
|
||||
} while (!done);
|
||||
if (tmppkey == NULL) {
|
||||
BIO_printf(bio_err, "Error, unable to load parameters\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* dh != NULL */
|
||||
if (dsaparam) {
|
||||
if (!EVP_PKEY_is_a(tmppkey, "DSA")) {
|
||||
BIO_printf(bio_err, "Error, unable to load DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = dsa_to_dh(tmppkey);
|
||||
if (pkey == NULL)
|
||||
goto end;
|
||||
} else {
|
||||
if (!EVP_PKEY_is_a(tmppkey, "DH")
|
||||
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
|
||||
BIO_printf(bio_err, "Error, unable to load DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = tmppkey;
|
||||
tmppkey = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (text) {
|
||||
DHparams_print(out, dh);
|
||||
}
|
||||
if (text)
|
||||
EVP_PKEY_print_params(out, pkey, 4, NULL);
|
||||
|
||||
if (check) {
|
||||
if (!DH_check(dh, &i)) {
|
||||
ERR_print_errors(bio_err);
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "Error, failed to check DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
if (i & DH_CHECK_P_NOT_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: p value is not prime\n");
|
||||
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: p value is not a safe prime\n");
|
||||
if (i & DH_CHECK_Q_NOT_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: q value is not a prime\n");
|
||||
if (i & DH_CHECK_INVALID_Q_VALUE)
|
||||
BIO_printf(bio_err, "WARNING: q value is invalid\n");
|
||||
if (i & DH_CHECK_INVALID_J_VALUE)
|
||||
BIO_printf(bio_err, "WARNING: j value is invalid\n");
|
||||
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
|
||||
BIO_printf(bio_err,
|
||||
"WARNING: unable to check the generator value\n");
|
||||
if (i & DH_NOT_SUITABLE_GENERATOR)
|
||||
BIO_printf(bio_err, "WARNING: the g value is not a generator\n");
|
||||
if (i == 0)
|
||||
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
|
||||
if (num != 0 && i != 0) {
|
||||
/*
|
||||
* We have generated parameters but DH_check() indicates they are
|
||||
* invalid! This should never happen!
|
||||
*/
|
||||
BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
|
||||
if (EVP_PKEY_param_check(ctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error, invalid parameters generated\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (C) {
|
||||
unsigned char *data;
|
||||
int len, bits;
|
||||
const BIGNUM *pbn, *gbn;
|
||||
|
||||
len = DH_size(dh);
|
||||
bits = DH_bits(dh);
|
||||
DH_get0_pqg(dh, &pbn, NULL, &gbn);
|
||||
data = app_malloc(len, "print a BN");
|
||||
|
||||
BIO_printf(out, "static DH *get_dh%d(void)\n{\n", bits);
|
||||
print_bignum_var(out, pbn, "dhp", bits, data);
|
||||
print_bignum_var(out, gbn, "dhg", bits, data);
|
||||
BIO_printf(out, " DH *dh = DH_new();\n"
|
||||
" BIGNUM *p, *g;\n"
|
||||
"\n"
|
||||
" if (dh == NULL)\n"
|
||||
" return NULL;\n");
|
||||
BIO_printf(out, " p = BN_bin2bn(dhp_%d, sizeof(dhp_%d), NULL);\n",
|
||||
bits, bits);
|
||||
BIO_printf(out, " g = BN_bin2bn(dhg_%d, sizeof(dhg_%d), NULL);\n",
|
||||
bits, bits);
|
||||
BIO_printf(out, " if (p == NULL || g == NULL\n"
|
||||
" || !DH_set0_pqg(dh, p, NULL, g)) {\n"
|
||||
" DH_free(dh);\n"
|
||||
" BN_free(p);\n"
|
||||
" BN_free(g);\n"
|
||||
" return NULL;\n"
|
||||
" }\n");
|
||||
if (DH_get_length(dh) > 0)
|
||||
BIO_printf(out,
|
||||
" if (!DH_set_length(dh, %ld)) {\n"
|
||||
" DH_free(dh);\n"
|
||||
" return NULL;\n"
|
||||
" }\n", DH_get_length(dh));
|
||||
BIO_printf(out, " return dh;\n}\n");
|
||||
OPENSSL_free(data);
|
||||
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
|
||||
}
|
||||
|
||||
if (!noout) {
|
||||
const BIGNUM *q;
|
||||
DH_get0_pqg(dh, NULL, &q, NULL);
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (q != NULL)
|
||||
i = i2d_DHxparams_bio(out, dh);
|
||||
else
|
||||
i = i2d_DHparams_bio(out, dh);
|
||||
} else if (q != NULL) {
|
||||
i = PEM_write_bio_DHxparams(out, dh);
|
||||
} else {
|
||||
i = PEM_write_bio_DHparams(out, dh);
|
||||
}
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write DH parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
OSSL_ENCODER_CTX *ectx =
|
||||
OSSL_ENCODER_CTX_new_for_pkey(pkey,
|
||||
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
outformat == FORMAT_ASN1
|
||||
? "DER" : "PEM",
|
||||
NULL, NULL);
|
||||
|
||||
if (ectx == NULL || !OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
BIO_printf(bio_err, "Error, unable to write DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
DH_free(dh);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(tmppkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
release_engine(e);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dh_cb(int p, int n, BN_GENCB *cb)
|
||||
/*
|
||||
* Historically we had the low level call DSA_dup_DH() to do this.
|
||||
* That is now deprecated with no replacement. Since we still need to do this
|
||||
* for backwards compatibility reasons, we do it "manually".
|
||||
*/
|
||||
static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
|
||||
{
|
||||
OSSL_PARAM_BLD *tmpl = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
BIGNUM *bn_p = NULL, *bn_q = NULL, *bn_g = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
|
||||
if (!EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_P, &bn_p)
|
||||
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|
||||
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
|
||||
bn_p)
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
|
||||
bn_q)
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
|
||||
bn_g)
|
||||
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DHX", app_get0_propq());
|
||||
if (ctx == NULL
|
||||
|| EVP_PKEY_fromdata_init(ctx) <= 0
|
||||
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
err:
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
OSSL_PARAM_free(params);
|
||||
OSSL_PARAM_BLD_free(tmpl);
|
||||
BN_free(bn_p);
|
||||
BN_free(bn_q);
|
||||
BN_free(bn_g);
|
||||
return pkey;
|
||||
}
|
||||
|
||||
static int gendh_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
static const char symbols[] = ".+*\n";
|
||||
char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
|
219
apps/dsa.c
219
apps/dsa.c
|
@ -1,13 +1,14 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
@ -21,29 +22,29 @@
|
|||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
# define DEFAULT_PVK_ENCR_STRENGTH 2
|
||||
#else
|
||||
# define DEFAULT_PVK_ENCR_STRENGTH 0
|
||||
#endif
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE,
|
||||
/* Do not change the order here; see case statements below */
|
||||
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
|
||||
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
|
||||
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
|
||||
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dsa_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
|
||||
{"in", OPT_IN, 's', "Input key"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key in text"},
|
||||
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
|
||||
|
@ -53,24 +54,43 @@ const OPTIONS dsa_options[] = {
|
|||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, 's', "Input key"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key in text"},
|
||||
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dsa_main(int argc, char **argv)
|
||||
{
|
||||
BIO *out = NULL;
|
||||
DSA *dsa = NULL;
|
||||
ENGINE *e = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
int pvk_encr = 2;
|
||||
#endif
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int modulus = 0, pubin = 0, pubout = 0, ret = 1;
|
||||
int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
|
||||
int private = 0;
|
||||
const char *output_type = NULL, *ciphername = NULL;
|
||||
const char *output_structure = NULL;
|
||||
int selection = 0;
|
||||
OSSL_ENCODER_CTX *ectx = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, dsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -131,15 +151,24 @@ int dsa_main(int argc, char **argv)
|
|||
pubout = 1;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
private = pubin || pubout ? 0 : 1;
|
||||
if (text && !pubin)
|
||||
private = 1;
|
||||
|
@ -150,24 +179,20 @@ int dsa_main(int argc, char **argv)
|
|||
}
|
||||
|
||||
BIO_printf(bio_err, "read DSA key\n");
|
||||
{
|
||||
EVP_PKEY *pkey;
|
||||
if (pubin)
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
|
||||
else
|
||||
pkey = load_key(infile, informat, 1, passin, e, "private key");
|
||||
|
||||
if (pubin)
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
|
||||
else
|
||||
pkey = load_key(infile, informat, 1, passin, e, "Private Key");
|
||||
|
||||
if (pkey != NULL) {
|
||||
dsa = EVP_PKEY_get1_DSA(pkey);
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
}
|
||||
if (dsa == NULL) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "unable to load Key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (!EVP_PKEY_is_a(pkey, "DSA")) {
|
||||
BIO_printf(bio_err, "Not a DSA key\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
|
@ -175,7 +200,8 @@ int dsa_main(int argc, char **argv)
|
|||
|
||||
if (text) {
|
||||
assert(pubin || private);
|
||||
if (!DSA_print(out, dsa, 0)) {
|
||||
if ((pubin && EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
|
||||
|| (!pubin && EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)) {
|
||||
perror(outfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
|
@ -183,11 +209,16 @@ int dsa_main(int argc, char **argv)
|
|||
}
|
||||
|
||||
if (modulus) {
|
||||
const BIGNUM *pub_key = NULL;
|
||||
DSA_get0_key(dsa, &pub_key, NULL);
|
||||
BIGNUM *pub_key = NULL;
|
||||
|
||||
if (!EVP_PKEY_get_bn_param(pkey, "pub", &pub_key)) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(out, "Public Key=");
|
||||
BN_print(out, pub_key);
|
||||
BIO_printf(out, "\n");
|
||||
BN_free(pub_key);
|
||||
}
|
||||
|
||||
if (noout) {
|
||||
|
@ -196,63 +227,83 @@ int dsa_main(int argc, char **argv)
|
|||
}
|
||||
BIO_printf(bio_err, "writing DSA key\n");
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (pubin || pubout) {
|
||||
i = i2d_DSA_PUBKEY_bio(out, dsa);
|
||||
} else {
|
||||
assert(private);
|
||||
i = i2d_DSAPrivateKey_bio(out, dsa);
|
||||
}
|
||||
output_type = "DER";
|
||||
} else if (outformat == FORMAT_PEM) {
|
||||
if (pubin || pubout) {
|
||||
i = PEM_write_bio_DSA_PUBKEY(out, dsa);
|
||||
} else {
|
||||
assert(private);
|
||||
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
|
||||
NULL, 0, NULL, passout);
|
||||
}
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
|
||||
EVP_PKEY *pk;
|
||||
pk = EVP_PKEY_new();
|
||||
if (pk == NULL)
|
||||
goto end;
|
||||
|
||||
EVP_PKEY_set1_DSA(pk, dsa);
|
||||
if (outformat == FORMAT_PVK) {
|
||||
if (pubin) {
|
||||
BIO_printf(bio_err, "PVK form impossible with public key input\n");
|
||||
EVP_PKEY_free(pk);
|
||||
goto end;
|
||||
}
|
||||
assert(private);
|
||||
# ifdef OPENSSL_NO_RC4
|
||||
BIO_printf(bio_err, "PVK format not supported\n");
|
||||
EVP_PKEY_free(pk);
|
||||
output_type = "PEM";
|
||||
} else if (outformat == FORMAT_MSBLOB) {
|
||||
output_type = "MSBLOB";
|
||||
} else if (outformat == FORMAT_PVK) {
|
||||
if (pubin) {
|
||||
BIO_printf(bio_err, "PVK form impossible with public key input\n");
|
||||
goto end;
|
||||
# else
|
||||
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
|
||||
# endif
|
||||
} else if (pubin || pubout) {
|
||||
i = i2b_PublicKey_bio(out, pk);
|
||||
} else {
|
||||
assert(private);
|
||||
i = i2b_PrivateKey_bio(out, pk);
|
||||
}
|
||||
EVP_PKEY_free(pk);
|
||||
#endif
|
||||
output_type = "PVK";
|
||||
} else {
|
||||
BIO_printf(bio_err, "bad output format specified for outfile\n");
|
||||
goto end;
|
||||
}
|
||||
if (i <= 0) {
|
||||
BIO_printf(bio_err, "unable to write private key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
||||
if (outformat == FORMAT_ASN1 || outformat == FORMAT_PEM) {
|
||||
if (pubout || pubin)
|
||||
output_structure = "SubjectPublicKeyInfo";
|
||||
else
|
||||
output_structure = "type-specific";
|
||||
}
|
||||
|
||||
/* Select what you want in the output */
|
||||
if (pubout || pubin) {
|
||||
selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
|
||||
} else {
|
||||
assert(private);
|
||||
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
|
||||
}
|
||||
|
||||
/* Perform the encoding */
|
||||
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, output_type,
|
||||
output_structure, NULL);
|
||||
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
|
||||
BIO_printf(bio_err, "%s format not supported\n", output_type);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* Passphrase setup */
|
||||
if (enc != NULL)
|
||||
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
|
||||
|
||||
/* Default passphrase prompter */
|
||||
if (enc != NULL || outformat == FORMAT_PVK) {
|
||||
OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
|
||||
if (passout != NULL)
|
||||
/* When passout given, override the passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase(ectx,
|
||||
(const unsigned char *)passout,
|
||||
strlen(passout));
|
||||
}
|
||||
|
||||
/* PVK requires a bit more */
|
||||
if (outformat == FORMAT_PVK) {
|
||||
OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
|
||||
|
||||
params[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr);
|
||||
if (!OSSL_ENCODER_CTX_set_params(ectx, params)) {
|
||||
BIO_printf(bio_err, "invalid PVK encryption level\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (!OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
BIO_printf(bio_err, "unable to write key\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_CIPHER_free(enc);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passin);
|
||||
OPENSSL_free(passout);
|
||||
|
|
221
apps/dsaparam.c
221
apps/dsaparam.c
|
@ -1,15 +1,17 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include "apps.h"
|
||||
#include <time.h>
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
|
@ -21,39 +23,54 @@
|
|||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
static int dsa_cb(int p, int n, BN_GENCB *cb);
|
||||
static int verbose = 0;
|
||||
|
||||
static int gendsa_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
|
||||
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
|
||||
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dsaparam_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"text", OPT_TEXT, '-', "Print as text"},
|
||||
{"C", OPT_C, '-', "Output C code"},
|
||||
{"noout", OPT_NOOUT, '-', "No output"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"text", OPT_TEXT, '-', "Print as text"},
|
||||
{"noout", OPT_NOOUT, '-', "No output"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dsaparam_main(int argc, char **argv)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
DSA *dsa = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
BN_GENCB *cb = NULL;
|
||||
BIO *out = NULL;
|
||||
EVP_PKEY *params = NULL, *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
int numbits = -1, num = 0, genkey = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0;
|
||||
int ret = 1, i, text = 0, private = 0;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
|
@ -90,9 +107,6 @@ int dsaparam_main(int argc, char **argv)
|
|||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_GENKEY:
|
||||
genkey = 1;
|
||||
break;
|
||||
|
@ -100,29 +114,45 @@ int dsaparam_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_NOOUT:
|
||||
noout = 1;
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Optional arg is bitsize. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
if (argc == 1) {
|
||||
if (!opt_int(argv[0], &num) || num < 0)
|
||||
goto end;
|
||||
/* generate a key */
|
||||
numbits = num;
|
||||
goto opthelp;
|
||||
} else if (argc != 0) {
|
||||
goto opthelp;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
/* generate a key */
|
||||
numbits = num;
|
||||
private = genkey ? 1 : 0;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA parameter generation context allocation failed\n");
|
||||
goto end;
|
||||
}
|
||||
if (numbits > 0) {
|
||||
if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
BIO_printf(bio_err,
|
||||
|
@ -130,74 +160,34 @@ int dsaparam_main(int argc, char **argv)
|
|||
" Your key size is %d! Larger key size may behave not as expected.\n",
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
|
||||
|
||||
cb = BN_GENCB_new();
|
||||
if (cb == NULL) {
|
||||
BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
|
||||
EVP_PKEY_CTX_set_cb(ctx, gendsa_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
if (verbose) {
|
||||
BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
|
||||
num);
|
||||
BIO_printf(bio_err, "This could take some time\n");
|
||||
}
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation paramgen init failed\n");
|
||||
goto end;
|
||||
}
|
||||
BN_GENCB_set(cb, dsa_cb, bio_err);
|
||||
dsa = DSA_new();
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "Error allocating DSA object\n");
|
||||
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation setting bit length failed\n");
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
|
||||
num);
|
||||
BIO_printf(bio_err, "This could take some time\n");
|
||||
if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error, DSA key generation failed\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (informat == FORMAT_ASN1) {
|
||||
dsa = d2i_DSAparams_bio(in, NULL);
|
||||
params = app_paramgen(ctx, "DSA");
|
||||
} else {
|
||||
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
|
||||
params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters");
|
||||
}
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
if (params == NULL) {
|
||||
/* Error message should already have been displayed */
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (text) {
|
||||
DSAparams_print(out, dsa);
|
||||
}
|
||||
|
||||
if (C) {
|
||||
const BIGNUM *p = NULL, *q = NULL, *g = NULL;
|
||||
unsigned char *data;
|
||||
int len, bits_p;
|
||||
|
||||
DSA_get0_pqg(dsa, &p, &q, &g);
|
||||
len = BN_num_bytes(p);
|
||||
bits_p = BN_num_bits(p);
|
||||
|
||||
data = app_malloc(len + 20, "BN space");
|
||||
|
||||
BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p);
|
||||
print_bignum_var(bio_out, p, "dsap", bits_p, data);
|
||||
print_bignum_var(bio_out, q, "dsaq", bits_p, data);
|
||||
print_bignum_var(bio_out, g, "dsag", bits_p, data);
|
||||
BIO_printf(bio_out, " DSA *dsa = DSA_new();\n"
|
||||
" BIGNUM *p, *q, *g;\n"
|
||||
"\n");
|
||||
BIO_printf(bio_out, " if (dsa == NULL)\n"
|
||||
" return NULL;\n");
|
||||
BIO_printf(bio_out, " if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " DSA_free(dsa);\n"
|
||||
" BN_free(p);\n"
|
||||
" BN_free(q);\n"
|
||||
" BN_free(g);\n"
|
||||
" return NULL;\n"
|
||||
" }\n"
|
||||
" return dsa;\n}\n");
|
||||
OPENSSL_free(data);
|
||||
EVP_PKEY_print_params(out, params, 0, NULL);
|
||||
}
|
||||
|
||||
if (outformat == FORMAT_ASN1 && genkey)
|
||||
|
@ -205,49 +195,62 @@ int dsaparam_main(int argc, char **argv)
|
|||
|
||||
if (!noout) {
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_DSAparams_bio(out, dsa);
|
||||
i = i2d_KeyParams_bio(out, params);
|
||||
else
|
||||
i = PEM_write_bio_DSAparams(out, dsa);
|
||||
i = PEM_write_bio_Parameters(out, params);
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error, unable to write DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (genkey) {
|
||||
DSA *dsakey;
|
||||
|
||||
if ((dsakey = DSAparams_dup(dsa)) == NULL)
|
||||
goto end;
|
||||
if (!DSA_generate_key(dsakey)) {
|
||||
ERR_print_errors(bio_err);
|
||||
DSA_free(dsakey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
|
||||
app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation context allocation failed\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, unable to initialise for key generation\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "DSA", numbits, verbose);
|
||||
assert(private);
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_DSAPrivateKey_bio(out, dsakey);
|
||||
i = i2d_PrivateKey_bio(out, pkey);
|
||||
else
|
||||
i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
|
||||
NULL);
|
||||
DSA_free(dsakey);
|
||||
i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
BN_GENCB_free(cb);
|
||||
BIO_free(in);
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(params);
|
||||
release_engine(e);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dsa_cb(int p, int n, BN_GENCB *cb)
|
||||
static int gendsa_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
static const char symbols[] = ".+*\n";
|
||||
char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
int p;
|
||||
char c;
|
||||
BIO *b;
|
||||
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
if (!verbose)
|
||||
return 1;
|
||||
|
||||
b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
|
286
apps/ec.c
286
apps/ec.c
|
@ -1,84 +1,84 @@
|
|||
/*
|
||||
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
static OPT_PAIR conv_forms[] = {
|
||||
{"compressed", POINT_CONVERSION_COMPRESSED},
|
||||
{"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
|
||||
{"hybrid", POINT_CONVERSION_HYBRID},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static OPT_PAIR param_enc[] = {
|
||||
{"named_curve", OPENSSL_EC_NAMED_CURVE},
|
||||
{"explicit", 0},
|
||||
{NULL}
|
||||
};
|
||||
#include "ec_common.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
|
||||
OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
|
||||
OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
|
||||
OPT_NO_PUBLIC, OPT_CHECK
|
||||
OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ec_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, 's', "Input file"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format - DER or PEM"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"check", OPT_CHECK, '-', "check key consistency"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key"},
|
||||
{"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
|
||||
{"check", OPT_CHECK, '-', "check key consistency"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int ec_main(int argc, char **argv)
|
||||
{
|
||||
BIO *in = NULL, *out = NULL;
|
||||
OSSL_ENCODER_CTX *ectx = NULL;
|
||||
OSSL_DECODER_CTX *dctx = NULL;
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
EVP_PKEY *eckey = NULL;
|
||||
BIO *out = NULL;
|
||||
ENGINE *e = NULL;
|
||||
EC_KEY *eckey = NULL;
|
||||
const EC_GROUP *group;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
|
||||
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
|
||||
int no_public = 0, check = 0;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0;
|
||||
int check = 0;
|
||||
char *asn1_encoding = NULL;
|
||||
char *point_format = NULL;
|
||||
int no_public = 0;
|
||||
|
||||
prog = opt_init(argc, argv, ec_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -131,20 +131,17 @@ int ec_main(int argc, char **argv)
|
|||
e = setup_engine(opt_arg(), 0);
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
goto opthelp;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_CONV_FORM:
|
||||
if (!opt_pair(opt_arg(), conv_forms, &i))
|
||||
point_format = opt_arg();
|
||||
if (!opt_string(point_format, point_format_options))
|
||||
goto opthelp;
|
||||
new_form = 1;
|
||||
form = i;
|
||||
break;
|
||||
case OPT_PARAM_ENC:
|
||||
if (!opt_pair(opt_arg(), param_enc, &i))
|
||||
asn1_encoding = opt_arg();
|
||||
if (!opt_string(asn1_encoding, asn1_encoding_options))
|
||||
goto opthelp;
|
||||
new_asn1_flag = 1;
|
||||
asn1_flag = i;
|
||||
break;
|
||||
case OPT_NO_PUBLIC:
|
||||
no_public = 1;
|
||||
|
@ -152,12 +149,22 @@ int ec_main(int argc, char **argv)
|
|||
case OPT_CHECK:
|
||||
check = 1;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto opthelp;
|
||||
}
|
||||
private = param_out || pubin || pubout ? 0 : 1;
|
||||
if (text && !pubin)
|
||||
private = 1;
|
||||
|
@ -167,37 +174,15 @@ int ec_main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
|
||||
if (informat != FORMAT_ENGINE) {
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "read EC key\n");
|
||||
if (informat == FORMAT_ASN1) {
|
||||
if (pubin)
|
||||
eckey = d2i_EC_PUBKEY_bio(in, NULL);
|
||||
else
|
||||
eckey = d2i_ECPrivateKey_bio(in, NULL);
|
||||
} else if (informat == FORMAT_ENGINE) {
|
||||
EVP_PKEY *pkey;
|
||||
if (pubin)
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
|
||||
else
|
||||
pkey = load_key(infile, informat, 1, passin, e, "Private Key");
|
||||
if (pkey != NULL) {
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
} else {
|
||||
if (pubin)
|
||||
eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
|
||||
else
|
||||
eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
|
||||
}
|
||||
|
||||
if (pubin)
|
||||
eckey = load_pubkey(infile, informat, 1, passin, e, "public key");
|
||||
else
|
||||
eckey = load_key(infile, informat, 1, passin, e, "private key");
|
||||
|
||||
if (eckey == NULL) {
|
||||
BIO_printf(bio_err, "unable to load Key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -205,74 +190,105 @@ int ec_main(int argc, char **argv)
|
|||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
group = EC_KEY_get0_group(eckey);
|
||||
if (point_format
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format)) {
|
||||
BIO_printf(bio_err, "unable to set point conversion format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_KEY_set_conv_form(eckey, form);
|
||||
if (asn1_encoding != NULL
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
|
||||
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_asn1_flag)
|
||||
EC_KEY_set_asn1_flag(eckey, asn1_flag);
|
||||
|
||||
if (no_public)
|
||||
EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY);
|
||||
if (no_public) {
|
||||
if (!EVP_PKEY_set_int_param(eckey, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0)) {
|
||||
BIO_printf(bio_err, "unable to disable public key encoding\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
if (!EVP_PKEY_set_int_param(eckey, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 1)) {
|
||||
BIO_printf(bio_err, "unable to enable public key encoding\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (text) {
|
||||
assert(pubin || private);
|
||||
if (!EC_KEY_print(out, eckey, 0)) {
|
||||
perror(outfile);
|
||||
ERR_print_errors(bio_err);
|
||||
if ((pubin && EVP_PKEY_print_public(out, eckey, 0, NULL) <= 0)
|
||||
|| (!pubin && EVP_PKEY_print_private(out, eckey, 0, NULL) <= 0)) {
|
||||
BIO_printf(bio_err, "unable to print EC key\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (check) {
|
||||
if (EC_KEY_check_key(eckey) == 1) {
|
||||
BIO_printf(bio_err, "EC Key valid.\n");
|
||||
} else {
|
||||
pctx = EVP_PKEY_CTX_new_from_pkey(NULL, eckey, NULL);
|
||||
if (pctx == NULL) {
|
||||
BIO_printf(bio_err, "unable to check EC key\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_check(pctx) <= 0)
|
||||
BIO_printf(bio_err, "EC Key Invalid!\n");
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
}
|
||||
|
||||
if (noout) {
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "writing EC key\n");
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (param_out) {
|
||||
i = i2d_ECPKParameters_bio(out, group);
|
||||
} else if (pubin || pubout) {
|
||||
i = i2d_EC_PUBKEY_bio(out, eckey);
|
||||
} else {
|
||||
assert(private);
|
||||
i = i2d_ECPrivateKey_bio(out, eckey);
|
||||
}
|
||||
} else {
|
||||
if (param_out) {
|
||||
i = PEM_write_bio_ECPKParameters(out, group);
|
||||
} else if (pubin || pubout) {
|
||||
i = PEM_write_bio_EC_PUBKEY(out, eckey);
|
||||
} else {
|
||||
assert(private);
|
||||
i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
|
||||
NULL, 0, NULL, passout);
|
||||
}
|
||||
}
|
||||
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write private key\n");
|
||||
else
|
||||
BIO_printf(bio_err, "EC Key valid.\n");
|
||||
ERR_print_errors(bio_err);
|
||||
} else {
|
||||
ret = 0;
|
||||
}
|
||||
end:
|
||||
BIO_free(in);
|
||||
|
||||
if (!noout) {
|
||||
int selection;
|
||||
const char *output_type = outformat == FORMAT_ASN1 ? "DER" : "PEM";
|
||||
const char *output_structure = "type-specific";
|
||||
|
||||
BIO_printf(bio_err, "writing EC key\n");
|
||||
if (param_out) {
|
||||
selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
||||
} else if (pubin || pubout) {
|
||||
selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
|
||||
| OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
|
||||
output_structure = "SubjectPublicKeyInfo";
|
||||
} else {
|
||||
selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
assert(private);
|
||||
}
|
||||
|
||||
ectx = OSSL_ENCODER_CTX_new_for_pkey(eckey, selection,
|
||||
output_type, output_structure,
|
||||
NULL);
|
||||
if (enc != NULL) {
|
||||
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
|
||||
/* Default passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
|
||||
if (passout != NULL)
|
||||
/* When passout given, override the passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase(ectx,
|
||||
(const unsigned char *)passout,
|
||||
strlen(passout));
|
||||
}
|
||||
if (!OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
BIO_printf(bio_err, "unable to write EC key\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
EC_KEY_free(eckey);
|
||||
EVP_PKEY_free(eckey);
|
||||
EVP_CIPHER_free(enc);
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
OSSL_DECODER_CTX_free(dctx);
|
||||
EVP_PKEY_CTX_free(pctx);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passin);
|
||||
OPENSSL_free(passout);
|
||||
if (passin != NULL)
|
||||
OPENSSL_clear_free(passin, strlen(passin));
|
||||
if (passout != NULL)
|
||||
OPENSSL_clear_free(passout, strlen(passout));
|
||||
return ret;
|
||||
}
|
||||
|
|
488
apps/ecparam.c
488
apps/ecparam.c
|
@ -1,92 +1,115 @@
|
|||
/*
|
||||
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <string.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
#include "ec_common.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
|
||||
OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
|
||||
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE,
|
||||
OPT_R_ENUM
|
||||
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ecparam_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
|
||||
{"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
|
||||
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
|
||||
{"list_curves", OPT_LIST_CURVES, '-',
|
||||
"Prints a list of all curve 'short names'"},
|
||||
{"no_seed", OPT_NO_SEED, '-',
|
||||
"If 'explicit' parameters are chosen do not use the seed"},
|
||||
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
|
||||
{"name", OPT_NAME, 's',
|
||||
"Use the ec parameters with specified 'short name'"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
|
||||
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
|
||||
OPT_SECTION("Parameter"),
|
||||
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
|
||||
{"check_named", OPT_CHECK_NAMED, '-',
|
||||
"Check that named EC curve parameters have not been modified"},
|
||||
{"no_seed", OPT_NO_SEED, '-',
|
||||
"If 'explicit' parameters are chosen do not use the seed"},
|
||||
{"name", OPT_NAME, 's',
|
||||
"Use the ec parameters with specified 'short name'"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static OPT_PAIR forms[] = {
|
||||
{"compressed", POINT_CONVERSION_COMPRESSED},
|
||||
{"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
|
||||
{"hybrid", POINT_CONVERSION_HYBRID},
|
||||
{NULL}
|
||||
};
|
||||
static int list_builtin_curves(BIO *out)
|
||||
{
|
||||
int ret = 0;
|
||||
EC_builtin_curve *curves = NULL;
|
||||
size_t n, crv_len = EC_get_builtin_curves(NULL, 0);
|
||||
|
||||
static OPT_PAIR encodings[] = {
|
||||
{"named_curve", OPENSSL_EC_NAMED_CURVE},
|
||||
{"explicit", 0},
|
||||
{NULL}
|
||||
};
|
||||
curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
|
||||
if (!EC_get_builtin_curves(curves, crv_len))
|
||||
goto end;
|
||||
|
||||
for (n = 0; n < crv_len; n++) {
|
||||
const char *comment = curves[n].comment;
|
||||
const char *sname = OBJ_nid2sn(curves[n].nid);
|
||||
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
sname = "";
|
||||
|
||||
BIO_printf(out, " %-10s: ", sname);
|
||||
BIO_printf(out, "%s\n", comment);
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OPENSSL_free(curves);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ecparam_main(int argc, char **argv)
|
||||
{
|
||||
EVP_PKEY_CTX *gctx_params = NULL, *gctx_key = NULL, *pctx = NULL;
|
||||
EVP_PKEY *params_key = NULL, *key = NULL;
|
||||
OSSL_ENCODER_CTX *ectx_key = NULL, *ectx_params = NULL;
|
||||
OSSL_DECODER_CTX *dctx_params = NULL;
|
||||
ENGINE *e = NULL;
|
||||
BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
|
||||
BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
EC_GROUP *group = NULL;
|
||||
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
||||
BIO *out = NULL;
|
||||
char *curve_name = NULL;
|
||||
char *asn1_encoding = NULL;
|
||||
char *point_format = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
unsigned char *buffer = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0;
|
||||
int ret = 1, private = 0;
|
||||
int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
|
||||
int text = 0, i, genkey = 0;
|
||||
int no_seed = 0, check = 0, check_named = 0, text = 0, genkey = 0;
|
||||
int list_curves = 0;
|
||||
|
||||
prog = opt_init(argc, argv, ecparam_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -117,12 +140,12 @@ int ecparam_main(int argc, char **argv)
|
|||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_CHECK:
|
||||
check = 1;
|
||||
break;
|
||||
case OPT_CHECK_NAMED:
|
||||
check_named = 1;
|
||||
break;
|
||||
case OPT_LIST_CURVES:
|
||||
list_curves = 1;
|
||||
break;
|
||||
|
@ -136,15 +159,14 @@ int ecparam_main(int argc, char **argv)
|
|||
curve_name = opt_arg();
|
||||
break;
|
||||
case OPT_CONV_FORM:
|
||||
if (!opt_pair(opt_arg(), forms, &new_form))
|
||||
point_format = opt_arg();
|
||||
if (!opt_string(point_format, point_format_options))
|
||||
goto opthelp;
|
||||
form = new_form;
|
||||
new_form = 1;
|
||||
break;
|
||||
case OPT_PARAM_ENC:
|
||||
if (!opt_pair(opt_arg(), encodings, &asn1_flag))
|
||||
asn1_encoding = opt_arg();
|
||||
if (!opt_string(asn1_encoding, asn1_encoding_options))
|
||||
goto opthelp;
|
||||
new_asn1_flag = 1;
|
||||
break;
|
||||
case OPT_GENKEY:
|
||||
genkey = 1;
|
||||
|
@ -153,292 +175,178 @@ int ecparam_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_ENGINE:
|
||||
e = setup_engine(opt_arg(), 0);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
private = genkey ? 1 : 0;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
if (list_curves) {
|
||||
EC_builtin_curve *curves = NULL;
|
||||
size_t crv_len = EC_get_builtin_curves(NULL, 0);
|
||||
size_t n;
|
||||
|
||||
curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
|
||||
if (!EC_get_builtin_curves(curves, crv_len)) {
|
||||
OPENSSL_free(curves);
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (n = 0; n < crv_len; n++) {
|
||||
const char *comment;
|
||||
const char *sname;
|
||||
comment = curves[n].comment;
|
||||
sname = OBJ_nid2sn(curves[n].nid);
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
sname = "";
|
||||
|
||||
BIO_printf(out, " %-10s: ", sname);
|
||||
BIO_printf(out, "%s\n", comment);
|
||||
}
|
||||
|
||||
OPENSSL_free(curves);
|
||||
ret = 0;
|
||||
if (list_builtin_curves(out))
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (curve_name != NULL) {
|
||||
int nid;
|
||||
OSSL_PARAM params[4];
|
||||
OSSL_PARAM *p = params;
|
||||
|
||||
/*
|
||||
* workaround for the SECG curve names secp192r1 and secp256r1 (which
|
||||
* are the same as the curves prime192v1 and prime256v1 defined in
|
||||
* X9.62)
|
||||
*/
|
||||
if (strcmp(curve_name, "secp192r1") == 0) {
|
||||
BIO_printf(bio_err, "using curve name prime192v1 "
|
||||
"instead of secp192r1\n");
|
||||
nid = NID_X9_62_prime192v1;
|
||||
BIO_printf(bio_err,
|
||||
"using curve name prime192v1 instead of secp192r1\n");
|
||||
curve_name = SN_X9_62_prime192v1;
|
||||
} else if (strcmp(curve_name, "secp256r1") == 0) {
|
||||
BIO_printf(bio_err, "using curve name prime256v1 "
|
||||
"instead of secp256r1\n");
|
||||
nid = NID_X9_62_prime256v1;
|
||||
} else {
|
||||
nid = OBJ_sn2nid(curve_name);
|
||||
BIO_printf(bio_err,
|
||||
"using curve name prime256v1 instead of secp256r1\n");
|
||||
curve_name = SN_X9_62_prime256v1;
|
||||
}
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
curve_name, 0);
|
||||
if (asn1_encoding != NULL)
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
|
||||
asn1_encoding, 0);
|
||||
if (point_format != NULL)
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(
|
||||
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format, 0);
|
||||
*p = OSSL_PARAM_construct_end();
|
||||
|
||||
if (nid == 0)
|
||||
nid = EC_curve_nist2nid(curve_name);
|
||||
|
||||
if (nid == 0) {
|
||||
BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
|
||||
if (OPENSSL_strcasecmp(curve_name, "SM2") == 0)
|
||||
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "sm2",
|
||||
app_get0_propq());
|
||||
else
|
||||
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "ec",
|
||||
app_get0_propq());
|
||||
if (gctx_params == NULL
|
||||
|| EVP_PKEY_keygen_init(gctx_params) <= 0
|
||||
|| EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
|
||||
|| EVP_PKEY_keygen(gctx_params, ¶ms_key) <= 0) {
|
||||
BIO_printf(bio_err, "unable to generate key\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
group = EC_GROUP_new_by_curve_name(nid);
|
||||
if (group == NULL) {
|
||||
BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
|
||||
goto end;
|
||||
}
|
||||
EC_GROUP_set_asn1_flag(group, asn1_flag);
|
||||
EC_GROUP_set_point_conversion_form(group, form);
|
||||
} else if (informat == FORMAT_ASN1) {
|
||||
group = d2i_ECPKParameters_bio(in, NULL);
|
||||
} else {
|
||||
group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
|
||||
params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters");
|
||||
if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC"))
|
||||
goto end;
|
||||
if (point_format
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format)) {
|
||||
BIO_printf(bio_err, "unable to set point conversion format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (asn1_encoding != NULL
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
|
||||
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (group == NULL) {
|
||||
BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
||||
if (no_seed
|
||||
&& !EVP_PKEY_set_octet_string_param(params_key, OSSL_PKEY_PARAM_EC_SEED,
|
||||
NULL, 0)) {
|
||||
BIO_printf(bio_err, "unable to clear seed\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_GROUP_set_point_conversion_form(group, form);
|
||||
|
||||
if (new_asn1_flag)
|
||||
EC_GROUP_set_asn1_flag(group, asn1_flag);
|
||||
|
||||
if (no_seed) {
|
||||
EC_GROUP_set_seed(group, NULL, 0);
|
||||
if (text
|
||||
&& !EVP_PKEY_print_params(out, params_key, 0, NULL)) {
|
||||
BIO_printf(bio_err, "unable to print params\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (text) {
|
||||
if (!ECPKParameters_print(out, group, 0))
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (check) {
|
||||
if (check || check_named) {
|
||||
BIO_printf(bio_err, "checking elliptic curve parameters: ");
|
||||
if (!EC_GROUP_check(group, NULL)) {
|
||||
|
||||
if (check_named
|
||||
&& !EVP_PKEY_set_utf8_string_param(params_key,
|
||||
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
|
||||
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
|
||||
BIO_printf(bio_err, "unable to set check_type\n");
|
||||
goto end;
|
||||
}
|
||||
pctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
|
||||
app_get0_propq());
|
||||
if (pctx == NULL || EVP_PKEY_param_check(pctx) <= 0) {
|
||||
BIO_printf(bio_err, "failed\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(bio_err, "ok\n");
|
||||
|
||||
}
|
||||
|
||||
if (C) {
|
||||
size_t buf_len = 0, tmp_len = 0;
|
||||
const EC_POINT *point;
|
||||
int is_prime, len = 0;
|
||||
const EC_METHOD *meth = EC_GROUP_method_of(group);
|
||||
|
||||
if ((ec_p = BN_new()) == NULL
|
||||
|| (ec_a = BN_new()) == NULL
|
||||
|| (ec_b = BN_new()) == NULL
|
||||
|| (ec_gen = BN_new()) == NULL
|
||||
|| (ec_order = BN_new()) == NULL
|
||||
|| (ec_cofactor = BN_new()) == NULL) {
|
||||
perror("Can't allocate BN");
|
||||
goto end;
|
||||
}
|
||||
|
||||
is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
|
||||
if (!is_prime) {
|
||||
BIO_printf(bio_err, "Can only handle X9.62 prime fields\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_curve(group, ec_p, ec_a, ec_b, NULL))
|
||||
goto end;
|
||||
|
||||
if ((point = EC_GROUP_get0_generator(group)) == NULL)
|
||||
goto end;
|
||||
if (!EC_POINT_point2bn(group, point,
|
||||
EC_GROUP_get_point_conversion_form(group),
|
||||
ec_gen, NULL))
|
||||
goto end;
|
||||
if (!EC_GROUP_get_order(group, ec_order, NULL))
|
||||
goto end;
|
||||
if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
|
||||
goto end;
|
||||
|
||||
if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor)
|
||||
goto end;
|
||||
|
||||
len = BN_num_bits(ec_order);
|
||||
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
|
||||
buffer = app_malloc(buf_len, "BN buffer");
|
||||
|
||||
BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len);
|
||||
print_bignum_var(out, ec_p, "ec_p", len, buffer);
|
||||
print_bignum_var(out, ec_a, "ec_a", len, buffer);
|
||||
print_bignum_var(out, ec_b, "ec_b", len, buffer);
|
||||
print_bignum_var(out, ec_gen, "ec_gen", len, buffer);
|
||||
print_bignum_var(out, ec_order, "ec_order", len, buffer);
|
||||
print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer);
|
||||
BIO_printf(out, " int ok = 0;\n"
|
||||
" EC_GROUP *group = NULL;\n"
|
||||
" EC_POINT *point = NULL;\n"
|
||||
" BIGNUM *tmp_1 = NULL;\n"
|
||||
" BIGNUM *tmp_2 = NULL;\n"
|
||||
" BIGNUM *tmp_3 = NULL;\n"
|
||||
"\n");
|
||||
|
||||
BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof(ec_p_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof(ec_a_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof(ec_b_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n"
|
||||
" goto err;\n"
|
||||
"\n");
|
||||
BIO_printf(out, " /* build generator */\n");
|
||||
BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof(ec_gen_%d), tmp_1)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n");
|
||||
BIO_printf(out, " if (point == NULL)\n"
|
||||
" goto err;\n");
|
||||
BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof(ec_order_%d), tmp_2)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof(ec_cofactor_%d), tmp_3)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n"
|
||||
" goto err;\n"
|
||||
"ok = 1;"
|
||||
"\n");
|
||||
BIO_printf(out, "err:\n"
|
||||
" BN_free(tmp_1);\n"
|
||||
" BN_free(tmp_2);\n"
|
||||
" BN_free(tmp_3);\n"
|
||||
" EC_POINT_free(point);\n"
|
||||
" if (!ok) {\n"
|
||||
" EC_GROUP_free(group);\n"
|
||||
" return NULL;\n"
|
||||
" }\n"
|
||||
" return (group);\n"
|
||||
"}\n");
|
||||
}
|
||||
|
||||
if (outformat == FORMAT_ASN1 && genkey)
|
||||
noout = 1;
|
||||
|
||||
if (!noout) {
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_ECPKParameters_bio(out, group);
|
||||
else
|
||||
i = PEM_write_bio_ECPKParameters(out, group);
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write elliptic "
|
||||
"curve parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ectx_params = OSSL_ENCODER_CTX_new_for_pkey(
|
||||
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
|
||||
if (!OSSL_ENCODER_to_bio(ectx_params, out)) {
|
||||
BIO_printf(bio_err, "unable to write elliptic curve parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (genkey) {
|
||||
EC_KEY *eckey = EC_KEY_new();
|
||||
|
||||
if (eckey == NULL)
|
||||
goto end;
|
||||
|
||||
if (EC_KEY_set_group(eckey, group) == 0) {
|
||||
BIO_printf(bio_err, "unable to set group when generating key\n");
|
||||
EC_KEY_free(eckey);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_KEY_set_conv_form(eckey, form);
|
||||
|
||||
if (!EC_KEY_generate_key(eckey)) {
|
||||
/*
|
||||
* NOTE: EC keygen does not normally need to pass in the param_key
|
||||
* for named curves. This can be achieved using:
|
||||
* gctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||
* EVP_PKEY_keygen_init(gctx);
|
||||
* EVP_PKEY_CTX_set_group_name(gctx, curvename);
|
||||
* EVP_PKEY_keygen(gctx, &key) <= 0)
|
||||
*/
|
||||
gctx_key = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
|
||||
app_get0_propq());
|
||||
if (EVP_PKEY_keygen_init(gctx_key) <= 0
|
||||
|| EVP_PKEY_keygen(gctx_key, &key) <= 0) {
|
||||
BIO_printf(bio_err, "unable to generate key\n");
|
||||
EC_KEY_free(eckey);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
assert(private);
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_ECPrivateKey_bio(out, eckey);
|
||||
else
|
||||
i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
|
||||
NULL, 0, NULL, NULL);
|
||||
EC_KEY_free(eckey);
|
||||
ectx_key = OSSL_ENCODER_CTX_new_for_pkey(
|
||||
key, OSSL_KEYMGMT_SELECT_ALL,
|
||||
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
|
||||
if (!OSSL_ENCODER_to_bio(ectx_key, out)) {
|
||||
BIO_printf(bio_err, "unable to write elliptic "
|
||||
"curve parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
BN_free(ec_p);
|
||||
BN_free(ec_a);
|
||||
BN_free(ec_b);
|
||||
BN_free(ec_gen);
|
||||
BN_free(ec_order);
|
||||
BN_free(ec_cofactor);
|
||||
OPENSSL_free(buffer);
|
||||
EC_GROUP_free(group);
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
release_engine(e);
|
||||
BIO_free(in);
|
||||
EVP_PKEY_free(params_key);
|
||||
EVP_PKEY_free(key);
|
||||
EVP_PKEY_CTX_free(pctx);
|
||||
EVP_PKEY_CTX_free(gctx_params);
|
||||
EVP_PKEY_CTX_free(gctx_key);
|
||||
OSSL_DECODER_CTX_free(dctx_params);
|
||||
OSSL_ENCODER_CTX_free(ectx_params);
|
||||
OSSL_ENCODER_CTX_free(ectx_key);
|
||||
BIO_free_all(out);
|
||||
return ret;
|
||||
}
|
||||
|
|
228
apps/enc.c
228
apps/enc.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -39,38 +39,51 @@ struct doall_enc_ciphers {
|
|||
};
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_LIST,
|
||||
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
|
||||
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
|
||||
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
|
||||
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
|
||||
OPT_R_ENUM
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS enc_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"list", OPT_LIST, '-', "List ciphers"},
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
{"ciphers", OPT_LIST, '-', "Alias for -list"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"pass", OPT_PASS, 's', "Passphrase source"},
|
||||
#endif
|
||||
{"e", OPT_E, '-', "Encrypt"},
|
||||
{"d", OPT_D, '-', "Decrypt"},
|
||||
{"p", OPT_P, '-', "Print the iv/key"},
|
||||
{"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"k", OPT_K, 's', "Passphrase"},
|
||||
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"pass", OPT_PASS, 's', "Passphrase source"},
|
||||
{"v", OPT_V, '-', "Verbose output"},
|
||||
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
|
||||
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
|
||||
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
|
||||
{"base64", OPT_A, '-', "Same as option -a"},
|
||||
{"A", OPT_UPPER_A, '-',
|
||||
"Used with -[base64|a] to specify base64 buffer as a single line"},
|
||||
|
||||
OPT_SECTION("Encryption"),
|
||||
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
|
||||
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
|
||||
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
|
||||
{"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
|
||||
{"k", OPT_K, 's', "Passphrase"},
|
||||
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
|
||||
{"K", OPT_UPPER_K, 's', "Raw key, in hex"},
|
||||
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
|
||||
{"iv", OPT_IV, 's', "IV in hex"},
|
||||
|
@ -78,14 +91,13 @@ const OPTIONS enc_options[] = {
|
|||
{"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"},
|
||||
{"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"},
|
||||
{"none", OPT_NONE, '-', "Don't encrypt"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifdef ZLIB
|
||||
{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -97,11 +109,13 @@ int enc_main(int argc, char **argv)
|
|||
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
|
||||
NULL, *wbio = NULL;
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
const EVP_CIPHER *cipher = NULL, *c;
|
||||
const EVP_MD *dgst = NULL;
|
||||
EVP_CIPHER *cipher = NULL;
|
||||
EVP_MD *dgst = NULL;
|
||||
const char *digestname = NULL;
|
||||
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
|
||||
const char *ciphername = NULL;
|
||||
char mbuf[sizeof(magic) - 1];
|
||||
OPTION_CHOICE o;
|
||||
int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
|
||||
|
@ -119,21 +133,15 @@ int enc_main(int argc, char **argv)
|
|||
BIO *bzl = NULL;
|
||||
#endif
|
||||
|
||||
/* first check the program name */
|
||||
prog = opt_progname(argv[0]);
|
||||
if (strcmp(prog, "base64") == 0) {
|
||||
/* first check the command name */
|
||||
if (strcmp(argv[0], "base64") == 0)
|
||||
base64 = 1;
|
||||
#ifdef ZLIB
|
||||
} else if (strcmp(prog, "zlib") == 0) {
|
||||
else if (strcmp(argv[0], "zlib") == 0)
|
||||
do_zlib = 1;
|
||||
#endif
|
||||
} else {
|
||||
cipher = EVP_get_cipherbyname(prog);
|
||||
if (cipher == NULL && strcmp(prog, "enc") != 0) {
|
||||
BIO_printf(bio_err, "%s is not a known cipher\n", prog);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
else if (strcmp(argv[0], "enc") != 0)
|
||||
ciphername = argv[0];
|
||||
|
||||
prog = opt_init(argc, argv, enc_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -252,17 +260,13 @@ int enc_main(int argc, char **argv)
|
|||
hiv = opt_arg();
|
||||
break;
|
||||
case OPT_MD:
|
||||
if (!opt_md(opt_arg(), &dgst))
|
||||
goto opthelp;
|
||||
digestname = opt_arg();
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &c))
|
||||
goto opthelp;
|
||||
cipher = c;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_ITER:
|
||||
if (!opt_int(opt_arg(), &iter))
|
||||
goto opthelp;
|
||||
iter = opt_int_arg();
|
||||
pbkdf2 = 1;
|
||||
break;
|
||||
case OPT_PBKDF2:
|
||||
|
@ -277,25 +281,31 @@ int enc_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (opt_num_rest() != 0) {
|
||||
BIO_printf(bio_err, "Extra arguments given.\n");
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
||||
BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
|
||||
BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
|
||||
goto end;
|
||||
/* Get the cipher name, either from progname (if set) or flag. */
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &cipher))
|
||||
goto opthelp;
|
||||
}
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &dgst))
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (dgst == NULL)
|
||||
dgst = EVP_sha256();
|
||||
dgst = (EVP_MD *)EVP_sha256();
|
||||
|
||||
if (iter == 0)
|
||||
iter = 1;
|
||||
|
@ -342,7 +352,7 @@ int enc_main(int argc, char **argv)
|
|||
char prompt[200];
|
||||
|
||||
BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:",
|
||||
OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
|
||||
EVP_CIPHER_get0_name(cipher),
|
||||
(enc) ? "encryption" : "decryption");
|
||||
strbuf[0] = '\0';
|
||||
i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
|
||||
|
@ -371,8 +381,8 @@ int enc_main(int argc, char **argv)
|
|||
goto end;
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(in, BIO_debug_callback);
|
||||
BIO_set_callback(out, BIO_debug_callback);
|
||||
BIO_set_callback_ex(in, BIO_debug_callback_ex);
|
||||
BIO_set_callback_ex(out, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(in, (char *)bio_err);
|
||||
BIO_set_callback_arg(out, (char *)bio_err);
|
||||
}
|
||||
|
@ -385,7 +395,7 @@ int enc_main(int argc, char **argv)
|
|||
if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
|
||||
goto end;
|
||||
if (debug) {
|
||||
BIO_set_callback(bzl, BIO_debug_callback);
|
||||
BIO_set_callback_ex(bzl, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(bzl, (char *)bio_err);
|
||||
}
|
||||
if (enc)
|
||||
|
@ -399,7 +409,7 @@ int enc_main(int argc, char **argv)
|
|||
if ((b64 = BIO_new(BIO_f_base64())) == NULL)
|
||||
goto end;
|
||||
if (debug) {
|
||||
BIO_set_callback(b64, BIO_debug_callback);
|
||||
BIO_set_callback_ex(b64, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(b64, (char *)bio_err);
|
||||
}
|
||||
if (olb64)
|
||||
|
@ -411,14 +421,11 @@ int enc_main(int argc, char **argv)
|
|||
}
|
||||
|
||||
if (cipher != NULL) {
|
||||
/*
|
||||
* Note that str is NULL if a key was passed on the command line, so
|
||||
* we get no salt in that case. Is this a bug?
|
||||
*/
|
||||
if (str != NULL) {
|
||||
if (str != NULL) { /* a passphrase is available */
|
||||
/*
|
||||
* Salt handling: if encrypting generate a salt and write to
|
||||
* output BIO. If decrypting read salt from input BIO.
|
||||
* Salt handling: if encrypting generate a salt if not supplied,
|
||||
* and write to output BIO. If decrypting use salt from input BIO
|
||||
* if not given with args
|
||||
*/
|
||||
unsigned char *sptr;
|
||||
size_t str_len = strlen(str);
|
||||
|
@ -426,36 +433,47 @@ int enc_main(int argc, char **argv)
|
|||
if (nosalt) {
|
||||
sptr = NULL;
|
||||
} else {
|
||||
if (enc) {
|
||||
if (hsalt) {
|
||||
if (!set_hex(hsalt, salt, sizeof(salt))) {
|
||||
BIO_printf(bio_err, "invalid hex salt value\n");
|
||||
if (hsalt != NULL && !set_hex(hsalt, salt, sizeof(salt))) {
|
||||
BIO_printf(bio_err, "invalid hex salt value\n");
|
||||
goto end;
|
||||
}
|
||||
if (enc) { /* encryption */
|
||||
if (hsalt == NULL) {
|
||||
if (RAND_bytes(salt, sizeof(salt)) <= 0) {
|
||||
BIO_printf(bio_err, "RAND_bytes failed\n");
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* If -P option then don't bother writing.
|
||||
* If salt is given, shouldn't either ?
|
||||
*/
|
||||
if ((printkey != 2)
|
||||
&& (BIO_write(wbio, magic,
|
||||
sizeof(magic) - 1) != sizeof(magic) - 1
|
||||
|| BIO_write(wbio,
|
||||
(char *)salt,
|
||||
sizeof(salt)) != sizeof(salt))) {
|
||||
BIO_printf(bio_err, "error writing output file\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (RAND_bytes(salt, sizeof(salt)) <= 0) {
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* If -P option then don't bother writing
|
||||
*/
|
||||
if ((printkey != 2)
|
||||
&& (BIO_write(wbio, magic,
|
||||
sizeof(magic) - 1) != sizeof(magic) - 1
|
||||
|| BIO_write(wbio,
|
||||
(char *)salt,
|
||||
sizeof(salt)) != sizeof(salt))) {
|
||||
BIO_printf(bio_err, "error writing output file\n");
|
||||
goto end;
|
||||
} else { /* decryption */
|
||||
if (hsalt == NULL) {
|
||||
if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)) {
|
||||
BIO_printf(bio_err, "error reading input file\n");
|
||||
goto end;
|
||||
}
|
||||
if (memcmp(mbuf, magic, sizeof(mbuf)) == 0) { /* file IS salted */
|
||||
if (BIO_read(rbio, salt,
|
||||
sizeof(salt)) != sizeof(salt)) {
|
||||
BIO_printf(bio_err, "error reading input file\n");
|
||||
goto end;
|
||||
}
|
||||
} else { /* file is NOT salted, NO salt available */
|
||||
BIO_printf(bio_err, "bad magic number\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
} else if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)
|
||||
|| BIO_read(rbio,
|
||||
(unsigned char *)salt,
|
||||
sizeof(salt)) != sizeof(salt)) {
|
||||
BIO_printf(bio_err, "error reading input file\n");
|
||||
goto end;
|
||||
} else if (memcmp(mbuf, magic, sizeof(magic) - 1)) {
|
||||
BIO_printf(bio_err, "bad magic number\n");
|
||||
goto end;
|
||||
}
|
||||
sptr = salt;
|
||||
}
|
||||
|
@ -466,8 +484,8 @@ int enc_main(int argc, char **argv)
|
|||
* concatenated into a temporary buffer
|
||||
*/
|
||||
unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
|
||||
int iklen = EVP_CIPHER_key_length(cipher);
|
||||
int ivlen = EVP_CIPHER_iv_length(cipher);
|
||||
int iklen = EVP_CIPHER_get_key_length(cipher);
|
||||
int ivlen = EVP_CIPHER_get_iv_length(cipher);
|
||||
/* not needed if HASH_UPDATE() is fixed : */
|
||||
int islen = (sptr != NULL ? sizeof(salt) : 0);
|
||||
if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen,
|
||||
|
@ -499,7 +517,7 @@ int enc_main(int argc, char **argv)
|
|||
OPENSSL_cleanse(str, str_len);
|
||||
}
|
||||
if (hiv != NULL) {
|
||||
int siz = EVP_CIPHER_iv_length(cipher);
|
||||
int siz = EVP_CIPHER_get_iv_length(cipher);
|
||||
if (siz == 0) {
|
||||
BIO_printf(bio_err, "warning: iv not used by this cipher\n");
|
||||
} else if (!set_hex(hiv, iv, siz)) {
|
||||
|
@ -508,7 +526,7 @@ int enc_main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
if ((hiv == NULL) && (str == NULL)
|
||||
&& EVP_CIPHER_iv_length(cipher) != 0) {
|
||||
&& EVP_CIPHER_get_iv_length(cipher) != 0) {
|
||||
/*
|
||||
* No IV was explicitly set and no IV was generated.
|
||||
* Hence the IV is undefined, making correct decryption impossible.
|
||||
|
@ -517,12 +535,12 @@ int enc_main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
if (hkey != NULL) {
|
||||
if (!set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
|
||||
if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
|
||||
BIO_printf(bio_err, "invalid hex key value\n");
|
||||
goto end;
|
||||
}
|
||||
/* wiping secret data as we no longer need it */
|
||||
OPENSSL_cleanse(hkey, strlen(hkey));
|
||||
cleanse(hkey);
|
||||
}
|
||||
|
||||
if ((benc = BIO_new(BIO_f_cipher())) == NULL)
|
||||
|
@ -535,9 +553,9 @@ int enc_main(int argc, char **argv)
|
|||
|
||||
BIO_get_cipher_ctx(benc, &ctx);
|
||||
|
||||
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
|
||||
if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
|
||||
BIO_printf(bio_err, "Error setting cipher %s\n",
|
||||
EVP_CIPHER_name(cipher));
|
||||
EVP_CIPHER_get0_name(cipher));
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
@ -547,13 +565,13 @@ int enc_main(int argc, char **argv)
|
|||
|
||||
if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
|
||||
BIO_printf(bio_err, "Error setting cipher %s\n",
|
||||
EVP_CIPHER_name(cipher));
|
||||
EVP_CIPHER_get0_name(cipher));
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(benc, BIO_debug_callback);
|
||||
BIO_set_callback_ex(benc, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(benc, (char *)bio_err);
|
||||
}
|
||||
|
||||
|
@ -564,15 +582,15 @@ int enc_main(int argc, char **argv)
|
|||
printf("%02X", salt[i]);
|
||||
printf("\n");
|
||||
}
|
||||
if (EVP_CIPHER_key_length(cipher) > 0) {
|
||||
if (EVP_CIPHER_get_key_length(cipher) > 0) {
|
||||
printf("key=");
|
||||
for (i = 0; i < EVP_CIPHER_key_length(cipher); i++)
|
||||
for (i = 0; i < EVP_CIPHER_get_key_length(cipher); i++)
|
||||
printf("%02X", key[i]);
|
||||
printf("\n");
|
||||
}
|
||||
if (EVP_CIPHER_iv_length(cipher) > 0) {
|
||||
if (EVP_CIPHER_get_iv_length(cipher) > 0) {
|
||||
printf("iv =");
|
||||
for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++)
|
||||
for (i = 0; i < EVP_CIPHER_get_iv_length(cipher); i++)
|
||||
printf("%02X", iv[i]);
|
||||
printf("\n");
|
||||
}
|
||||
|
@ -614,6 +632,8 @@ int enc_main(int argc, char **argv)
|
|||
BIO_free_all(out);
|
||||
BIO_free(benc);
|
||||
BIO_free(b64);
|
||||
EVP_MD_free(dgst);
|
||||
EVP_CIPHER_free(cipher);
|
||||
#ifdef ZLIB
|
||||
BIO_free(bzl);
|
||||
#endif
|
||||
|
@ -632,9 +652,9 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
|
|||
|
||||
/* Filter out ciphers that we cannot use */
|
||||
cipher = EVP_get_cipherbyname(name->name);
|
||||
if (cipher == NULL ||
|
||||
(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
|
||||
if (cipher == NULL
|
||||
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|
||||
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
|
||||
return;
|
||||
|
||||
BIO_printf(dec->bio, "-%-25s", name->name);
|
||||
|
|
|
@ -1,13 +1,17 @@
|
|||
/*
|
||||
* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/* We need to use some engine deprecated APIs */
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <stdio.h>
|
||||
|
@ -19,27 +23,32 @@
|
|||
#include <openssl/store.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
|
||||
OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS engine_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
|
||||
{OPT_HELP_STR, 1, '-',
|
||||
" engine... Engines to load\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"t", OPT_T, '-', "Check that specified engine is available"},
|
||||
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
|
||||
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"v", OPT_V, '-', "List 'control commands' For each specified engine"},
|
||||
{"vv", OPT_VV, '-', "Also display each command's description"},
|
||||
{"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
|
||||
{"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
|
||||
{"c", OPT_C, '-', "List the capabilities of specified engine"},
|
||||
{"t", OPT_T, '-', "Check that specified engine is available"},
|
||||
{"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
|
||||
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
|
||||
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
|
||||
{OPT_MORE_STR, OPT_EOF, 1,
|
||||
"Commands are like \"SO_PATH:/lib/libdriver.so\""},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"engine", 0, 0, "ID of engine(s) to load"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -351,7 +360,7 @@ int engine_main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
|
||||
/* Allow any trailing parameters as engine names. */
|
||||
/* Any remaining arguments are engine names. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
for ( ; *argv; argv++) {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -22,8 +22,12 @@ typedef enum OPTION_choice {
|
|||
|
||||
const OPTIONS errstr_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
|
||||
{OPT_HELP_STR, 1, '-', " errnum Error number\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"errnum", 0, 0, "Error number(s) to decode"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -48,16 +52,19 @@ int errstr_main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* We're not really an SSL application so this won't auto-init, but
|
||||
* we're still interested in SSL error strings
|
||||
*/
|
||||
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
|
||||
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
|
||||
/* All remaining arg are error code. */
|
||||
ret = 0;
|
||||
for (argv = opt_rest(); *argv; argv++) {
|
||||
for (argv = opt_rest(); *argv != NULL; argv++) {
|
||||
if (sscanf(*argv, "%lx", &l) == 0) {
|
||||
ret++;
|
||||
} else {
|
||||
/* We're not really an SSL application so this won't auto-init, but
|
||||
* we're still interested in SSL error strings
|
||||
*/
|
||||
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
|
||||
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
ERR_error_string_n(l, buf, sizeof(buf));
|
||||
BIO_printf(bio_out, "%s\n", buf);
|
||||
}
|
||||
|
|
590
apps/fipsinstall.c
Normal file
590
apps/fipsinstall.c
Normal file
|
@ -0,0 +1,590 @@
|
|||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/fips_names.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/self_test.h>
|
||||
#include <openssl/fipskey.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
|
||||
#define BUFSIZE 4096
|
||||
|
||||
/* Configuration file values */
|
||||
#define VERSION_KEY "version"
|
||||
#define VERSION_VAL "1"
|
||||
#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
|
||||
|
||||
static OSSL_CALLBACK self_test_events;
|
||||
static char *self_test_corrupt_desc = NULL;
|
||||
static char *self_test_corrupt_type = NULL;
|
||||
static int self_test_log = 1;
|
||||
static int quiet = 0;
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_IN, OPT_OUT, OPT_MODULE,
|
||||
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
|
||||
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
|
||||
OPT_NO_CONDITIONAL_ERRORS,
|
||||
OPT_NO_SECURITY_CHECKS,
|
||||
OPT_SELF_TEST_ONLOAD
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS fipsinstall_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"verify", OPT_VERIFY, '-',
|
||||
"Verify a config file instead of generating one"},
|
||||
{"module", OPT_MODULE, '<', "File name of the provider module"},
|
||||
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
|
||||
{"section_name", OPT_SECTION_NAME, 's',
|
||||
"FIPS Provider config section name (optional)"},
|
||||
{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
|
||||
"Disable the ability of the fips module to enter an error state if"
|
||||
" any conditional self tests fail"},
|
||||
{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
|
||||
"Disable the run-time FIPS security checks in the module"},
|
||||
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
|
||||
"Forces self tests to always run on module load"},
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input config file, used when verifying"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output config file, used when generating"},
|
||||
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. "
|
||||
"See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
|
||||
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
|
||||
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
|
||||
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
|
||||
{"config", OPT_CONFIG, '<', "The parent config to verify"},
|
||||
{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
|
||||
unsigned char *out, size_t *out_len)
|
||||
{
|
||||
int ret = 0;
|
||||
int i;
|
||||
size_t outsz = *out_len;
|
||||
|
||||
if (!EVP_MAC_init(ctx, NULL, 0, NULL))
|
||||
goto err;
|
||||
if (EVP_MAC_CTX_get_mac_size(ctx) > outsz)
|
||||
goto end;
|
||||
while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) {
|
||||
if (i < 0 || !EVP_MAC_update(ctx, tmp, i))
|
||||
goto err;
|
||||
}
|
||||
end:
|
||||
if (!EVP_MAC_final(ctx, out, out_len, outsz))
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int load_fips_prov_and_run_self_test(const char *prov_name)
|
||||
{
|
||||
int ret = 0;
|
||||
OSSL_PROVIDER *prov = NULL;
|
||||
|
||||
prov = OSSL_PROVIDER_load(NULL, prov_name);
|
||||
if (prov == NULL) {
|
||||
BIO_printf(bio_err, "Failed to load FIPS module\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OSSL_PROVIDER_unload(prov);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
|
||||
size_t len)
|
||||
{
|
||||
int ret;
|
||||
char *hexstr = NULL;
|
||||
|
||||
hexstr = OPENSSL_buf2hexstr(mac, (long)len);
|
||||
if (hexstr == NULL)
|
||||
return 0;
|
||||
ret = BIO_printf(bio, "%s = %s\n", label, hexstr);
|
||||
OPENSSL_free(hexstr);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int write_config_header(BIO *out, const char *prov_name,
|
||||
const char *section)
|
||||
{
|
||||
return BIO_printf(out, "openssl_conf = openssl_init\n\n")
|
||||
&& BIO_printf(out, "[openssl_init]\n")
|
||||
&& BIO_printf(out, "providers = provider_section\n\n")
|
||||
&& BIO_printf(out, "[provider_section]\n")
|
||||
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
|
||||
}
|
||||
|
||||
/*
|
||||
* Outputs a fips related config file that contains entries for the fips
|
||||
* module checksum, installation indicator checksum and the options
|
||||
* conditional_errors and security_checks.
|
||||
*
|
||||
* Returns 1 if the config file is written otherwise it returns 0 on error.
|
||||
*/
|
||||
static int write_config_fips_section(BIO *out, const char *section,
|
||||
unsigned char *module_mac,
|
||||
size_t module_mac_len,
|
||||
int conditional_errors,
|
||||
int security_checks,
|
||||
unsigned char *install_mac,
|
||||
size_t install_mac_len)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
if (BIO_printf(out, "[%s]\n", section) <= 0
|
||||
|| BIO_printf(out, "activate = 1\n") <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
|
||||
VERSION_VAL) <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
|
||||
conditional_errors ? "1" : "0") <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
|
||||
security_checks ? "1" : "0") <= 0
|
||||
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
|
||||
module_mac_len))
|
||||
goto end;
|
||||
|
||||
if (install_mac != NULL && install_mac_len > 0) {
|
||||
if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
|
||||
install_mac_len)
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
|
||||
INSTALL_STATUS_VAL) <= 0)
|
||||
goto end;
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static CONF *generate_config_and_load(const char *prov_name,
|
||||
const char *section,
|
||||
unsigned char *module_mac,
|
||||
size_t module_mac_len,
|
||||
int conditional_errors,
|
||||
int security_checks)
|
||||
{
|
||||
BIO *mem_bio = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
mem_bio = BIO_new(BIO_s_mem());
|
||||
if (mem_bio == NULL)
|
||||
return 0;
|
||||
if (!write_config_header(mem_bio, prov_name, section)
|
||||
|| !write_config_fips_section(mem_bio, section,
|
||||
module_mac, module_mac_len,
|
||||
conditional_errors,
|
||||
security_checks,
|
||||
NULL, 0))
|
||||
goto end;
|
||||
|
||||
conf = app_load_config_bio(mem_bio, NULL);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
|
||||
if (CONF_modules_load(conf, NULL, 0) <= 0)
|
||||
goto end;
|
||||
BIO_free(mem_bio);
|
||||
return conf;
|
||||
end:
|
||||
NCONF_free(conf);
|
||||
BIO_free(mem_bio);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static void free_config_and_unload(CONF *conf)
|
||||
{
|
||||
if (conf != NULL) {
|
||||
NCONF_free(conf);
|
||||
CONF_modules_unload(1);
|
||||
}
|
||||
}
|
||||
|
||||
static int verify_module_load(const char *parent_config_file)
|
||||
{
|
||||
return OSSL_LIB_CTX_load_config(NULL, parent_config_file);
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns 1 if the config file entries match the passed in module_mac and
|
||||
* install_mac values, otherwise it returns 0.
|
||||
*/
|
||||
static int verify_config(const char *infile, const char *section,
|
||||
unsigned char *module_mac, size_t module_mac_len,
|
||||
unsigned char *install_mac, size_t install_mac_len)
|
||||
{
|
||||
int ret = 0;
|
||||
char *s = NULL;
|
||||
unsigned char *buf1 = NULL, *buf2 = NULL;
|
||||
long len;
|
||||
CONF *conf = NULL;
|
||||
|
||||
/* read in the existing values and check they match the saved values */
|
||||
conf = app_load_config(infile);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_VERSION);
|
||||
if (s == NULL || strcmp(s, VERSION_VAL) != 0) {
|
||||
BIO_printf(bio_err, "version not found\n");
|
||||
goto end;
|
||||
}
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC);
|
||||
if (s == NULL) {
|
||||
BIO_printf(bio_err, "Module integrity MAC not found\n");
|
||||
goto end;
|
||||
}
|
||||
buf1 = OPENSSL_hexstr2buf(s, &len);
|
||||
if (buf1 == NULL
|
||||
|| (size_t)len != module_mac_len
|
||||
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
|
||||
BIO_printf(bio_err, "Module integrity mismatch\n");
|
||||
goto end;
|
||||
}
|
||||
if (install_mac != NULL && install_mac_len > 0) {
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
|
||||
if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) {
|
||||
BIO_printf(bio_err, "install status not found\n");
|
||||
goto end;
|
||||
}
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
|
||||
if (s == NULL) {
|
||||
BIO_printf(bio_err, "Install indicator MAC not found\n");
|
||||
goto end;
|
||||
}
|
||||
buf2 = OPENSSL_hexstr2buf(s, &len);
|
||||
if (buf2 == NULL
|
||||
|| (size_t)len != install_mac_len
|
||||
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
|
||||
BIO_printf(bio_err, "Install indicator status mismatch\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OPENSSL_free(buf1);
|
||||
OPENSSL_free(buf2);
|
||||
NCONF_free(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int fipsinstall_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
|
||||
int enable_conditional_errors = 1, enable_security_checks = 1;
|
||||
const char *section_name = "fips_sect";
|
||||
const char *mac_name = "HMAC";
|
||||
const char *prov_name = "fips";
|
||||
BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL;
|
||||
char *in_fname = NULL, *out_fname = NULL, *prog;
|
||||
char *module_fname = NULL, *parent_config = NULL, *module_path = NULL;
|
||||
const char *tail;
|
||||
EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *opts = NULL;
|
||||
OPTION_CHOICE o;
|
||||
unsigned char *read_buffer = NULL;
|
||||
unsigned char module_mac[EVP_MAX_MD_SIZE];
|
||||
size_t module_mac_len = EVP_MAX_MD_SIZE;
|
||||
unsigned char install_mac[EVP_MAX_MD_SIZE];
|
||||
size_t install_mac_len = EVP_MAX_MD_SIZE;
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
prog = opt_init(argc, argv, fipsinstall_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
case OPT_EOF:
|
||||
case OPT_ERR:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto cleanup;
|
||||
case OPT_HELP:
|
||||
opt_help(fipsinstall_options);
|
||||
ret = 0;
|
||||
goto end;
|
||||
case OPT_IN:
|
||||
in_fname = opt_arg();
|
||||
break;
|
||||
case OPT_OUT:
|
||||
out_fname = opt_arg();
|
||||
break;
|
||||
case OPT_NO_CONDITIONAL_ERRORS:
|
||||
enable_conditional_errors = 0;
|
||||
break;
|
||||
case OPT_NO_SECURITY_CHECKS:
|
||||
enable_security_checks = 0;
|
||||
break;
|
||||
case OPT_QUIET:
|
||||
quiet = 1;
|
||||
/* FALLTHROUGH */
|
||||
case OPT_NO_LOG:
|
||||
self_test_log = 0;
|
||||
break;
|
||||
case OPT_CORRUPT_DESC:
|
||||
self_test_corrupt_desc = opt_arg();
|
||||
break;
|
||||
case OPT_CORRUPT_TYPE:
|
||||
self_test_corrupt_type = opt_arg();
|
||||
break;
|
||||
case OPT_PROV_NAME:
|
||||
prov_name = opt_arg();
|
||||
break;
|
||||
case OPT_MODULE:
|
||||
module_fname = opt_arg();
|
||||
break;
|
||||
case OPT_SECTION_NAME:
|
||||
section_name = opt_arg();
|
||||
break;
|
||||
case OPT_MAC_NAME:
|
||||
mac_name = opt_arg();
|
||||
break;
|
||||
case OPT_CONFIG:
|
||||
parent_config = opt_arg();
|
||||
break;
|
||||
case OPT_MACOPT:
|
||||
if (!sk_OPENSSL_STRING_push(opts, opt_arg()))
|
||||
goto opthelp;
|
||||
if (strncmp(opt_arg(), "hexkey:", 7) == 0)
|
||||
gotkey = 1;
|
||||
else if (strncmp(opt_arg(), "digest:", 7) == 0)
|
||||
gotdigest = 1;
|
||||
break;
|
||||
case OPT_VERIFY:
|
||||
verify = 1;
|
||||
break;
|
||||
case OPT_SELF_TEST_ONLOAD:
|
||||
self_test_onload = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0 || (verify && in_fname == NULL))
|
||||
goto opthelp;
|
||||
|
||||
if (parent_config != NULL) {
|
||||
/* Test that a parent config can load the module */
|
||||
if (verify_module_load(parent_config)) {
|
||||
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "FIPS provider is %s\n",
|
||||
ret == 0 ? "available" : " not available");
|
||||
}
|
||||
goto end;
|
||||
}
|
||||
if (module_fname == NULL)
|
||||
goto opthelp;
|
||||
|
||||
tail = opt_path_end(module_fname);
|
||||
if (tail != NULL) {
|
||||
module_path = OPENSSL_strdup(module_fname);
|
||||
if (module_path == NULL)
|
||||
goto end;
|
||||
module_path[tail - module_fname] = '\0';
|
||||
if (!OSSL_PROVIDER_set_default_search_path(NULL, module_path))
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (self_test_log
|
||||
|| self_test_corrupt_desc != NULL
|
||||
|| self_test_corrupt_type != NULL)
|
||||
OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
|
||||
|
||||
/* Use the default FIPS HMAC digest and key if not specified. */
|
||||
if (!gotdigest && !sk_OPENSSL_STRING_push(opts, "digest:SHA256"))
|
||||
goto end;
|
||||
if (!gotkey && !sk_OPENSSL_STRING_push(opts, "hexkey:" FIPS_KEY_STRING))
|
||||
goto end;
|
||||
|
||||
module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY);
|
||||
if (module_bio == NULL) {
|
||||
BIO_printf(bio_err, "Failed to open module file\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
read_buffer = app_malloc(BUFSIZE, "I/O buffer");
|
||||
if (read_buffer == NULL)
|
||||
goto end;
|
||||
|
||||
mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
|
||||
if (mac == NULL) {
|
||||
BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
|
||||
goto end;
|
||||
}
|
||||
|
||||
ctx = EVP_MAC_CTX_new(mac);
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create MAC CTX for module check\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (opts != NULL) {
|
||||
int ok = 1;
|
||||
OSSL_PARAM *params =
|
||||
app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
|
||||
|
||||
if (params == NULL)
|
||||
goto end;
|
||||
|
||||
if (!EVP_MAC_CTX_set_params(ctx, params)) {
|
||||
BIO_printf(bio_err, "MAC parameter error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ok = 0;
|
||||
}
|
||||
app_params_free(params);
|
||||
if (!ok)
|
||||
goto end;
|
||||
}
|
||||
|
||||
ctx2 = EVP_MAC_CTX_dup(ctx);
|
||||
if (ctx2 == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
|
||||
goto end;
|
||||
|
||||
if (self_test_onload == 0) {
|
||||
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
|
||||
strlen(INSTALL_STATUS_VAL));
|
||||
if (mem_bio == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create memory BIO\n");
|
||||
goto end;
|
||||
}
|
||||
if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
|
||||
goto end;
|
||||
} else {
|
||||
install_mac_len = 0;
|
||||
}
|
||||
|
||||
if (verify) {
|
||||
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
|
||||
install_mac, install_mac_len))
|
||||
goto end;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "VERIFY PASSED\n");
|
||||
} else {
|
||||
|
||||
conf = generate_config_and_load(prov_name, section_name, module_mac,
|
||||
module_mac_len,
|
||||
enable_conditional_errors,
|
||||
enable_security_checks);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
if (!load_fips_prov_and_run_self_test(prov_name))
|
||||
goto end;
|
||||
|
||||
fout =
|
||||
out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
|
||||
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
|
||||
if (fout == NULL) {
|
||||
BIO_printf(bio_err, "Failed to open file\n");
|
||||
goto end;
|
||||
}
|
||||
if (!write_config_fips_section(fout, section_name,
|
||||
module_mac, module_mac_len,
|
||||
enable_conditional_errors,
|
||||
enable_security_checks,
|
||||
install_mac, install_mac_len))
|
||||
goto end;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "INSTALL PASSED\n");
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret == 1) {
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
|
||||
cleanup:
|
||||
OPENSSL_free(module_path);
|
||||
BIO_free(fout);
|
||||
BIO_free(mem_bio);
|
||||
BIO_free(module_bio);
|
||||
sk_OPENSSL_STRING_free(opts);
|
||||
EVP_MAC_free(mac);
|
||||
EVP_MAC_CTX_free(ctx2);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
OPENSSL_free(read_buffer);
|
||||
free_config_and_unload(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int self_test_events(const OSSL_PARAM params[], void *arg)
|
||||
{
|
||||
const OSSL_PARAM *p = NULL;
|
||||
const char *phase = NULL, *type = NULL, *desc = NULL;
|
||||
int ret = 0;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
phase = (const char *)p->data;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
desc = (const char *)p->data;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
type = (const char *)p->data;
|
||||
|
||||
if (self_test_log) {
|
||||
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
|
||||
BIO_printf(bio_err, "%s : (%s) : ", desc, type);
|
||||
else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|
||||
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|
||||
BIO_printf(bio_err, "%s\n", phase);
|
||||
}
|
||||
/*
|
||||
* The self test code will internally corrupt the KAT test result if an
|
||||
* error is returned during the corrupt phase.
|
||||
*/
|
||||
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
|
||||
&& (self_test_corrupt_desc != NULL
|
||||
|| self_test_corrupt_type != NULL)) {
|
||||
if (self_test_corrupt_desc != NULL
|
||||
&& strcmp(self_test_corrupt_desc, desc) != 0)
|
||||
goto end;
|
||||
if (self_test_corrupt_type != NULL
|
||||
&& strcmp(self_test_corrupt_type, type) != 0)
|
||||
goto end;
|
||||
BIO_printf(bio_err, "%s ", phase);
|
||||
goto err;
|
||||
}
|
||||
end:
|
||||
ret = 1;
|
||||
err:
|
||||
return ret;
|
||||
}
|
105
apps/gendsa.c
105
apps/gendsa.c
|
@ -1,13 +1,14 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
|
@ -22,22 +23,30 @@
|
|||
#include <openssl/pem.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER,
|
||||
OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS gendsa_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Valid options are:\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"out", OPT_OUT, '>', "Output the key to the specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
OPT_R_OPTIONS,
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output the key to the specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"dsaparam-file", 0, 0, "File containing DSA parameters"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -45,13 +54,13 @@ int gendsa_main(int argc, char **argv)
|
|||
{
|
||||
ENGINE *e = NULL;
|
||||
BIO *out = NULL, *in = NULL;
|
||||
DSA *dsa = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
char *dsaparams = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *dsaparams = NULL, *ciphername = NULL;
|
||||
char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
int ret = 1, private = 0;
|
||||
const BIGNUM *p = NULL;
|
||||
int ret = 1, private = 0, verbose = 0, nbits;
|
||||
|
||||
prog = opt_init(argc, argv, gendsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
|
@ -78,55 +87,71 @@ int gendsa_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One argument, the params file. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
private = 1;
|
||||
|
||||
if (argc != 1)
|
||||
goto opthelp;
|
||||
dsaparams = *argv;
|
||||
dsaparams = argv[0];
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
private = 1;
|
||||
|
||||
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
|
||||
BIO_printf(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
|
||||
if (in == NULL)
|
||||
goto end2;
|
||||
|
||||
if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameter file\n");
|
||||
goto end;
|
||||
}
|
||||
BIO_free(in);
|
||||
in = NULL;
|
||||
pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters");
|
||||
|
||||
out = bio_open_owner(outfile, FORMAT_PEM, private);
|
||||
if (out == NULL)
|
||||
goto end2;
|
||||
|
||||
DSA_get0_pqg(dsa, &p, NULL, NULL);
|
||||
|
||||
if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
nbits = EVP_PKEY_get_bits(pkey);
|
||||
if (nbits > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
BIO_printf(bio_err,
|
||||
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
|
||||
" Your key size is %d! Larger key size may behave not as expected.\n",
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
|
||||
|
||||
BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
|
||||
if (!DSA_generate_key(dsa))
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "unable to create PKEY context\n");
|
||||
goto end;
|
||||
}
|
||||
EVP_PKEY_free(pkey);
|
||||
pkey = NULL;
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err, "unable to set up for key generation\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "DSA", nbits, verbose);
|
||||
|
||||
assert(private);
|
||||
if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
|
||||
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) {
|
||||
BIO_printf(bio_err, "unable to output generated key\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
|
@ -134,7 +159,9 @@ int gendsa_main(int argc, char **argv)
|
|||
end2:
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_CIPHER_free(enc);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passout);
|
||||
return ret;
|
||||
|
|
214
apps/genpkey.c
214
apps/genpkey.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -14,34 +14,44 @@
|
|||
#include <openssl/pem.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
|
||||
static int quiet;
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
static int genpkey_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
|
||||
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
|
||||
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
|
||||
OPT_QUIET, OPT_CONFIG,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS genpkey_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
|
||||
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
|
||||
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
|
||||
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
|
||||
{"pkeyopt", OPT_PKEYOPT, 's',
|
||||
"Set the public key algorithm option as opt:value"},
|
||||
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
|
||||
{"text", OPT_TEXT, '-', "Print the in text"},
|
||||
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
|
||||
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
|
||||
{"quiet", OPT_QUIET, '-', "Do not output status while generating keys"},
|
||||
{"pkeyopt", OPT_PKEYOPT, 's',
|
||||
"Set the public key algorithm option as opt:value"},
|
||||
OPT_CONFIG_OPTION,
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
|
||||
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
|
||||
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
|
||||
{"text", OPT_TEXT, '-', "Print the in text"},
|
||||
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
/* This is deliberately last. */
|
||||
{OPT_HELP_STR, 1, 1,
|
||||
"Order of options may be important! See the documentation.\n"},
|
||||
|
@ -50,17 +60,24 @@ const OPTIONS genpkey_options[] = {
|
|||
|
||||
int genpkey_main(int argc, char **argv)
|
||||
{
|
||||
CONF *conf = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
ENGINE *e = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
|
||||
const EVP_CIPHER *cipher = NULL;
|
||||
char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p;
|
||||
const char *ciphername = NULL, *paramfile = NULL, *algname = NULL;
|
||||
EVP_CIPHER *cipher = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
|
||||
int private = 0;
|
||||
int private = 0, i;
|
||||
OSSL_LIB_CTX *libctx = app_get0_libctx();
|
||||
STACK_OF(OPENSSL_STRING) *keyopt = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, genpkey_options);
|
||||
keyopt = sk_OPENSSL_STRING_new_null();
|
||||
if (keyopt == NULL)
|
||||
goto end;
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
case OPT_EOF:
|
||||
|
@ -88,56 +105,70 @@ int genpkey_main(int argc, char **argv)
|
|||
case OPT_PARAMFILE:
|
||||
if (do_param == 1)
|
||||
goto opthelp;
|
||||
if (!init_keygen_file(&ctx, opt_arg(), e))
|
||||
goto end;
|
||||
paramfile = opt_arg();
|
||||
break;
|
||||
case OPT_ALGORITHM:
|
||||
if (!init_gen_str(&ctx, opt_arg(), e, do_param))
|
||||
goto end;
|
||||
algname = opt_arg();
|
||||
break;
|
||||
case OPT_PKEYOPT:
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Error setting %s parameter:\n",
|
||||
prog, opt_arg());
|
||||
ERR_print_errors(bio_err);
|
||||
if (!sk_OPENSSL_STRING_push(keyopt, opt_arg()))
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
case OPT_QUIET:
|
||||
quiet = 1;
|
||||
break;
|
||||
case OPT_GENPARAM:
|
||||
if (ctx != NULL)
|
||||
goto opthelp;
|
||||
do_param = 1;
|
||||
break;
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &cipher)
|
||||
|| do_param == 1)
|
||||
goto opthelp;
|
||||
if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
|
||||
BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_CONFIG:
|
||||
conf = app_load_config_modules(opt_arg());
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
private = do_param ? 0 : 1;
|
||||
|
||||
/* Fetch cipher, etc. */
|
||||
if (paramfile != NULL) {
|
||||
if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq()))
|
||||
goto end;
|
||||
}
|
||||
if (algname != NULL) {
|
||||
if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq()))
|
||||
goto end;
|
||||
}
|
||||
if (ctx == NULL)
|
||||
goto opthelp;
|
||||
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(keyopt); i++) {
|
||||
p = sk_OPENSSL_STRING_value(keyopt, i);
|
||||
if (pkey_ctrl_string(ctx, p) <= 0) {
|
||||
BIO_printf(bio_err, "%s: Error setting %s parameter:\n", prog, p);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (ciphername != NULL)
|
||||
if (!opt_cipher(ciphername, &cipher) || do_param == 1)
|
||||
goto opthelp;
|
||||
|
||||
private = do_param ? 0 : 1;
|
||||
|
||||
if (!app_passwd(passarg, NULL, &pass, NULL)) {
|
||||
BIO_puts(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
|
@ -150,19 +181,8 @@ int genpkey_main(int argc, char **argv)
|
|||
EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
|
||||
if (do_param) {
|
||||
if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
pkey = do_param ? app_paramgen(ctx, algname)
|
||||
: app_keygen(ctx, algname, 0, 0 /* not verbose */);
|
||||
|
||||
if (do_param) {
|
||||
rv = PEM_write_bio_Parameters(out, pkey);
|
||||
|
@ -181,7 +201,6 @@ int genpkey_main(int argc, char **argv)
|
|||
|
||||
if (rv <= 0) {
|
||||
BIO_puts(bio_err, "Error writing key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 1;
|
||||
}
|
||||
|
||||
|
@ -193,22 +212,27 @@ int genpkey_main(int argc, char **argv)
|
|||
|
||||
if (rv <= 0) {
|
||||
BIO_puts(bio_err, "Error printing key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 1;
|
||||
}
|
||||
}
|
||||
|
||||
end:
|
||||
sk_OPENSSL_STRING_free(keyopt);
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_CIPHER_free(cipher);
|
||||
BIO_free_all(out);
|
||||
BIO_free(in);
|
||||
release_engine(e);
|
||||
OPENSSL_free(pass);
|
||||
NCONF_free(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
BIO *pbio;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
|
@ -219,20 +243,23 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
|||
}
|
||||
|
||||
pbio = BIO_new_file(file, "r");
|
||||
if (!pbio) {
|
||||
if (pbio == NULL) {
|
||||
BIO_printf(bio_err, "Can't open parameter file %s\n", file);
|
||||
return 0;
|
||||
}
|
||||
|
||||
pkey = PEM_read_bio_Parameters(pbio, NULL);
|
||||
pkey = PEM_read_bio_Parameters_ex(pbio, NULL, libctx, propq);
|
||||
BIO_free(pbio);
|
||||
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "Error reading parameter file %s\n", file);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ctx = EVP_PKEY_CTX_new(pkey, e);
|
||||
if (e != NULL)
|
||||
ctx = EVP_PKEY_CTX_new(pkey, e);
|
||||
else
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0)
|
||||
|
@ -251,11 +278,10 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
|||
}
|
||||
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param)
|
||||
const char *algname, ENGINE *e, int do_param,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ENGINE *tmpeng = NULL;
|
||||
int pkey_id;
|
||||
|
||||
if (*pctx) {
|
||||
|
@ -263,27 +289,13 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
|
|||
return 0;
|
||||
}
|
||||
|
||||
ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
|
||||
pkey_id = get_legacy_pkey_id(libctx, algname, e);
|
||||
if (pkey_id != NID_undef)
|
||||
ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
|
||||
else
|
||||
ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (!ameth && e)
|
||||
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
|
||||
#endif
|
||||
|
||||
if (!ameth) {
|
||||
BIO_printf(bio_err, "Algorithm %s not found\n", algname);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ERR_clear_error();
|
||||
|
||||
EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE_finish(tmpeng);
|
||||
#endif
|
||||
ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
|
||||
|
||||
if (!ctx)
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (do_param) {
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0)
|
||||
|
@ -308,16 +320,22 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
|
|||
{
|
||||
char c = '*';
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
int p;
|
||||
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
if (p == 0)
|
||||
|
||||
if (quiet)
|
||||
return 1;
|
||||
|
||||
switch (EVP_PKEY_CTX_get_keygen_info(ctx, 0)) {
|
||||
case 0:
|
||||
c = '.';
|
||||
if (p == 1)
|
||||
break;
|
||||
case 1:
|
||||
c = '+';
|
||||
if (p == 2)
|
||||
c = '*';
|
||||
if (p == 3)
|
||||
break;
|
||||
case 3:
|
||||
c = '\n';
|
||||
break;
|
||||
}
|
||||
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
|
|
173
apps/genrsa.c
173
apps/genrsa.c
|
@ -1,13 +1,14 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
|
@ -26,52 +27,72 @@
|
|||
#define DEFBITS 2048
|
||||
#define DEFPRIMES 2
|
||||
|
||||
static int genrsa_cb(int p, int n, BN_GENCB *cb);
|
||||
static int verbose = 0;
|
||||
|
||||
static int genrsa_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_3, OPT_F4, OPT_ENGINE,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES,
|
||||
OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
OPT_3,
|
||||
#endif
|
||||
OPT_F4, OPT_ENGINE,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS genrsa_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"3", OPT_3, '-', "Use 3 for the E value"},
|
||||
{"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
|
||||
{"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
|
||||
{"out", OPT_OUT, '>', "Output the key to specified file"},
|
||||
OPT_R_OPTIONS,
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
{"3", OPT_3, '-', "(deprecated) Use 3 for the E value"},
|
||||
#endif
|
||||
{"F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
|
||||
{"f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output the key to specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
{"traditional", OPT_TRADITIONAL, '-',
|
||||
"Use traditional format for private keys"},
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Size of key in bits"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int genrsa_main(int argc, char **argv)
|
||||
{
|
||||
BN_GENCB *cb = BN_GENCB_new();
|
||||
PW_CB_DATA cb_data;
|
||||
ENGINE *eng = NULL;
|
||||
BIGNUM *bn = BN_new();
|
||||
BIO *out = NULL;
|
||||
const BIGNUM *e;
|
||||
RSA *rsa = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES;
|
||||
unsigned long f4 = RSA_F4;
|
||||
char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
|
||||
char *prog, *hexe, *dece;
|
||||
char *prog, *hexe, *dece, *ciphername = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int traditional = 0;
|
||||
|
||||
if (bn == NULL || cb == NULL)
|
||||
goto end;
|
||||
|
||||
BN_GENCB_set(cb, genrsa_cb, bio_err);
|
||||
|
||||
prog = opt_init(argc, argv, genrsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
|
@ -84,9 +105,11 @@ int genrsa_main(int argc, char **argv)
|
|||
ret = 0;
|
||||
opt_help(genrsa_options);
|
||||
goto end;
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
case OPT_3:
|
||||
f4 = 3;
|
||||
f4 = RSA_3;
|
||||
break;
|
||||
#endif
|
||||
case OPT_F4:
|
||||
f4 = RSA_F4;
|
||||
break;
|
||||
|
@ -100,19 +123,29 @@ int genrsa_main(int argc, char **argv)
|
|||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PASSOUT:
|
||||
passoutarg = opt_arg();
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
goto end;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_PRIMES:
|
||||
if (!opt_int(opt_arg(), &primes))
|
||||
goto end;
|
||||
primes = opt_int_arg();
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
case OPT_TRADITIONAL:
|
||||
traditional = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One optional argument, the bitsize. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
|
@ -129,7 +162,14 @@ int genrsa_main(int argc, char **argv)
|
|||
goto opthelp;
|
||||
}
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
private = 1;
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
|
||||
BIO_printf(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
|
@ -139,37 +179,65 @@ int genrsa_main(int argc, char **argv)
|
|||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus (%d primes)\n",
|
||||
num, primes);
|
||||
rsa = eng ? RSA_new_method(eng) : RSA_new();
|
||||
if (rsa == NULL)
|
||||
if (!init_gen_str(&ctx, "RSA", eng, 0, app_get0_libctx(),
|
||||
app_get0_propq()))
|
||||
goto end;
|
||||
|
||||
if (!BN_set_word(bn, f4)
|
||||
|| !RSA_generate_multi_prime_key(rsa, num, primes, bn, cb))
|
||||
goto end;
|
||||
EVP_PKEY_CTX_set_cb(ctx, genrsa_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
|
||||
RSA_get0_key(rsa, NULL, &e, NULL);
|
||||
hexe = BN_bn2hex(e);
|
||||
dece = BN_bn2dec(e);
|
||||
if (hexe && dece) {
|
||||
BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
|
||||
if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting RSA length\n");
|
||||
goto end;
|
||||
}
|
||||
OPENSSL_free(hexe);
|
||||
OPENSSL_free(dece);
|
||||
cb_data.password = passout;
|
||||
cb_data.prompt_info = outfile;
|
||||
assert(private);
|
||||
if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
|
||||
(pem_password_cb *)password_callback,
|
||||
&cb_data))
|
||||
if (!BN_set_word(bn, f4)) {
|
||||
BIO_printf(bio_err, "Error allocating RSA public exponent\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bn) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting RSA public exponent\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, primes) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting number of primes\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "RSA", num, verbose);
|
||||
|
||||
if (verbose) {
|
||||
BIGNUM *e = NULL;
|
||||
|
||||
/* Every RSA key has an 'e' */
|
||||
EVP_PKEY_get_bn_param(pkey, "e", &e);
|
||||
if (e == NULL) {
|
||||
BIO_printf(bio_err, "Error cannot access RSA e\n");
|
||||
goto end;
|
||||
}
|
||||
hexe = BN_bn2hex(e);
|
||||
dece = BN_bn2dec(e);
|
||||
if (hexe && dece) {
|
||||
BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
|
||||
}
|
||||
OPENSSL_free(hexe);
|
||||
OPENSSL_free(dece);
|
||||
BN_free(e);
|
||||
}
|
||||
if (traditional) {
|
||||
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
|
||||
NULL, passout))
|
||||
goto end;
|
||||
} else {
|
||||
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
|
||||
goto end;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
BN_free(bn);
|
||||
BN_GENCB_free(cb);
|
||||
RSA_free(rsa);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_CIPHER_free(enc);
|
||||
BIO_free_all(out);
|
||||
release_engine(eng);
|
||||
OPENSSL_free(passout);
|
||||
|
@ -178,9 +246,14 @@ int genrsa_main(int argc, char **argv)
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int genrsa_cb(int p, int n, BN_GENCB *cb)
|
||||
static int genrsa_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
char c = '*';
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
|
||||
if (!verbose)
|
||||
return 1;
|
||||
|
||||
if (p == 0)
|
||||
c = '.';
|
||||
|
@ -190,7 +263,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
|
|||
c = '*';
|
||||
if (p == 3)
|
||||
c = '\n';
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
|
22
apps/include/__DECC_INCLUDE_EPILOGUE.H
Normal file
22
apps/include/__DECC_INCLUDE_EPILOGUE.H
Normal file
|
@ -0,0 +1,22 @@
|
|||
/*
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* This file is only used by HP C/C++ on VMS, and is included automatically
|
||||
* after each header file from this directory
|
||||
*/
|
||||
|
||||
/*
|
||||
* The C++ compiler doesn't understand these pragmas, even though it
|
||||
* understands the corresponding command line qualifier.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
/* restore state. Must correspond to the save in __decc_include_prologue.h */
|
||||
# pragma names restore
|
||||
#endif
|
26
apps/include/__DECC_INCLUDE_PROLOGUE.H
Normal file
26
apps/include/__DECC_INCLUDE_PROLOGUE.H
Normal file
|
@ -0,0 +1,26 @@
|
|||
/*
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* This file is only used by HP C/C++ on VMS, and is included automatically
|
||||
* after each header file from this directory
|
||||
*/
|
||||
|
||||
/*
|
||||
* The C++ compiler doesn't understand these pragmas, even though it
|
||||
* understands the corresponding command line qualifier.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
/* save state */
|
||||
# pragma names save
|
||||
/* have the compiler shorten symbols larger than 31 chars to 23 chars
|
||||
* followed by a 8 hex char CRC
|
||||
*/
|
||||
# pragma names as_is,shortened
|
||||
#endif
|
20
apps/include/app_libctx.h
Normal file
20
apps/include/app_libctx.h
Normal file
|
@ -0,0 +1,20 @@
|
|||
/*
|
||||
* Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_LIBCTX_H
|
||||
# define OSSL_APPS_LIBCTX_H
|
||||
|
||||
# include <openssl/types.h>
|
||||
|
||||
OSSL_LIB_CTX *app_create_libctx(void);
|
||||
OSSL_LIB_CTX *app_get0_libctx(void);
|
||||
int app_set_propq(const char *arg);
|
||||
const char *app_get0_propq(void);
|
||||
|
||||
#endif
|
14
apps/include/app_params.h
Normal file
14
apps/include/app_params.h
Normal file
|
@ -0,0 +1,14 @@
|
|||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/core.h>
|
||||
|
||||
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent);
|
||||
void print_param_value(const OSSL_PARAM *p, int indent);
|
||||
|
348
apps/include/apps.h
Normal file
348
apps/include/apps.h
Normal file
|
@ -0,0 +1,348 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_H
|
||||
# define OSSL_APPS_H
|
||||
|
||||
# include "e_os.h" /* struct timeval for DTLS */
|
||||
# include "internal/nelem.h"
|
||||
# include "internal/sockets.h" /* for openssl_fdset() */
|
||||
# include "internal/cryptlib.h" /* ossl_assert() */
|
||||
# include <assert.h>
|
||||
|
||||
# include <stdarg.h>
|
||||
# include <sys/types.h>
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
# include <sys/stat.h>
|
||||
# include <fcntl.h>
|
||||
# endif
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
# include <openssl/types.h>
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/x509.h>
|
||||
# include <openssl/conf.h>
|
||||
# include <openssl/txt_db.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/ocsp.h>
|
||||
# include <openssl/http.h>
|
||||
# include <signal.h>
|
||||
# include "apps_ui.h"
|
||||
# include "opt.h"
|
||||
# include "fmt.h"
|
||||
# include "platform.h"
|
||||
# include "engine_loader.h"
|
||||
# include "app_libctx.h"
|
||||
|
||||
/*
|
||||
* quick macro when you need to pass an unsigned char instead of a char.
|
||||
* this is true for some implementations of the is*() functions, for
|
||||
* example.
|
||||
*/
|
||||
# define _UC(c) ((unsigned char)(c))
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section);
|
||||
int app_RAND_write(void);
|
||||
int app_RAND_load(void);
|
||||
|
||||
extern char *default_config_file; /* may be "" */
|
||||
extern BIO *bio_in;
|
||||
extern BIO *bio_out;
|
||||
extern BIO *bio_err;
|
||||
extern const unsigned char tls13_aes128gcmsha256_id[];
|
||||
extern const unsigned char tls13_aes256gcmsha384_id[];
|
||||
extern BIO_ADDR *ourpeer;
|
||||
|
||||
BIO *dup_bio_in(int format);
|
||||
BIO *dup_bio_out(int format);
|
||||
BIO *dup_bio_err(int format);
|
||||
BIO *bio_open_owner(const char *filename, int format, int private);
|
||||
BIO *bio_open_default(const char *filename, char mode, int format);
|
||||
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename);
|
||||
#define app_load_config(filename) app_load_config_internal(filename, 0)
|
||||
#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
|
||||
CONF *app_load_config_internal(const char *filename, int quiet);
|
||||
CONF *app_load_config_verbose(const char *filename, int verbose);
|
||||
int app_load_modules(const CONF *config);
|
||||
CONF *app_load_config_modules(const char *configfile);
|
||||
void unbuffer(FILE *fp);
|
||||
void wait_for_async(SSL *s);
|
||||
# if defined(OPENSSL_SYS_MSDOS)
|
||||
int has_stdin_waiting(void);
|
||||
# endif
|
||||
|
||||
void corrupt_signature(const ASN1_STRING *signature);
|
||||
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
int days);
|
||||
int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
|
||||
int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
|
||||
long days, long hours, long secs);
|
||||
|
||||
typedef struct args_st {
|
||||
int size;
|
||||
int argc;
|
||||
char **argv;
|
||||
} ARGS;
|
||||
|
||||
/* We need both wrap and the "real" function because libcrypto uses both. */
|
||||
int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
|
||||
|
||||
int chopup_args(ARGS *arg, char *buf);
|
||||
void dump_cert_text(BIO *out, X509 *x);
|
||||
void print_name(BIO *out, const char *title, const X509_NAME *nm);
|
||||
void print_bignum_var(BIO *, const BIGNUM *, const char*,
|
||||
int, unsigned char *);
|
||||
void print_array(BIO *, const char *, int, const unsigned char *);
|
||||
int set_nameopt(const char *arg);
|
||||
unsigned long get_nameopt(void);
|
||||
int set_dateopt(unsigned long *dateopt, const char *arg);
|
||||
int set_cert_ex(unsigned long *flags, const char *arg);
|
||||
int set_name_ex(unsigned long *flags, const char *arg);
|
||||
int set_ext_copy(int *copy_type, const char *arg);
|
||||
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
|
||||
char *get_passwd(const char *pass, const char *desc);
|
||||
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
|
||||
int add_oid_section(CONF *conf);
|
||||
X509_REQ *load_csr(const char *file, int format, const char *desc);
|
||||
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc);
|
||||
#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
|
||||
X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
|
||||
const char *desc);
|
||||
void cleanse(char *str);
|
||||
void clear_free(char *str);
|
||||
EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *desc);
|
||||
EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *desc);
|
||||
EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
|
||||
const char *keytype, const char *desc);
|
||||
EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
|
||||
const char *keytype, const char *desc,
|
||||
int suppress_decode_errors);
|
||||
char *next_item(char *opt); /* in list separated by comma and/or space */
|
||||
int load_cert_certs(const char *uri,
|
||||
X509 **pcert, STACK_OF(X509) **pcerts,
|
||||
int exclude_http, const char *pass, const char *desc,
|
||||
X509_VERIFY_PARAM *vpm);
|
||||
STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
|
||||
const char *desc, X509_VERIFY_PARAM *vpm);
|
||||
X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
|
||||
X509_VERIFY_PARAM *vpm);
|
||||
int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
|
||||
const char *pass, const char *desc);
|
||||
int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
|
||||
const char *pass, const char *desc);
|
||||
int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc,
|
||||
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
|
||||
EVP_PKEY **pparams,
|
||||
X509 **pcert, STACK_OF(X509) **pcerts,
|
||||
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
|
||||
int load_key_cert_crl(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc,
|
||||
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
|
||||
X509 **pcert, X509_CRL **pcrl);
|
||||
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
|
||||
const char *CApath, int noCApath,
|
||||
const char *CAstore, int noCAstore);
|
||||
__owur int ctx_set_verify_locations(SSL_CTX *ctx,
|
||||
const char *CAfile, int noCAfile,
|
||||
const char *CApath, int noCApath,
|
||||
const char *CAstore, int noCAstore);
|
||||
|
||||
# ifndef OPENSSL_NO_CT
|
||||
|
||||
/*
|
||||
* Sets the file to load the Certificate Transparency log list from.
|
||||
* If path is NULL, loads from the default file path.
|
||||
* Returns 1 on success, 0 otherwise.
|
||||
*/
|
||||
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
|
||||
|
||||
# endif
|
||||
|
||||
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug);
|
||||
# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
|
||||
void release_engine(ENGINE *e);
|
||||
int init_engine(ENGINE *e);
|
||||
int finish_engine(ENGINE *e);
|
||||
char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc);
|
||||
|
||||
int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
|
||||
const EVP_MD *get_digest_from_engine(const char *name);
|
||||
const EVP_CIPHER *get_cipher_from_engine(const char *name);
|
||||
|
||||
# ifndef OPENSSL_NO_OCSP
|
||||
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
|
||||
const char *port, const char *path,
|
||||
const char *proxy, const char *no_proxy,
|
||||
int use_ssl, STACK_OF(CONF_VALUE) *headers,
|
||||
int req_timeout);
|
||||
# endif
|
||||
|
||||
/* Functions defined in ca.c and also used in ocsp.c */
|
||||
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
|
||||
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
|
||||
|
||||
# define DB_type 0
|
||||
# define DB_exp_date 1
|
||||
# define DB_rev_date 2
|
||||
# define DB_serial 3 /* index - unique */
|
||||
# define DB_file 4
|
||||
# define DB_name 5 /* index - unique when active and not
|
||||
* disabled */
|
||||
# define DB_NUMBER 6
|
||||
|
||||
# define DB_TYPE_REV 'R' /* Revoked */
|
||||
# define DB_TYPE_EXP 'E' /* Expired */
|
||||
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
|
||||
# define DB_TYPE_SUSP 'S' /* Suspended */
|
||||
|
||||
typedef struct db_attr_st {
|
||||
int unique_subject;
|
||||
} DB_ATTR;
|
||||
typedef struct ca_db_st {
|
||||
DB_ATTR attributes;
|
||||
TXT_DB *db;
|
||||
char *dbfname;
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
struct stat dbst;
|
||||
# endif
|
||||
} CA_DB;
|
||||
|
||||
void app_bail_out(char *fmt, ...);
|
||||
void *app_malloc(size_t sz, const char *what);
|
||||
|
||||
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
|
||||
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
|
||||
ASN1_INTEGER **retai);
|
||||
int save_serial(const char *serialfile, const char *suffix,
|
||||
const BIGNUM *serial, ASN1_INTEGER **retai);
|
||||
int rotate_serial(const char *serialfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
|
||||
|
||||
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
|
||||
int index_index(CA_DB *db);
|
||||
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
|
||||
int rotate_index(const char *dbfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
void free_index(CA_DB *db);
|
||||
# define index_name_cmp_noconst(a, b) \
|
||||
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
|
||||
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
|
||||
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
|
||||
int parse_yesno(const char *str, int def);
|
||||
|
||||
X509_NAME *parse_name(const char *str, int chtype, int multirdn,
|
||||
const char *desc);
|
||||
void policies_print(X509_STORE_CTX *ctx);
|
||||
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
|
||||
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
|
||||
int x509_ctrl_string(X509 *x, const char *value);
|
||||
int x509_req_ctrl_string(X509_REQ *x, const char *value);
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
|
||||
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
|
||||
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
|
||||
STACK_OF(OPENSSL_STRING) *vfyopts);
|
||||
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
|
||||
extern char *psk_key;
|
||||
|
||||
|
||||
unsigned char *next_protos_parse(size_t *outlen, const char *in);
|
||||
|
||||
void print_cert_checks(BIO *bio, X509 *x,
|
||||
const char *checkhost,
|
||||
const char *checkemail, const char *checkip);
|
||||
|
||||
void store_setup_crl_download(X509_STORE *st);
|
||||
|
||||
typedef struct app_http_tls_info_st {
|
||||
const char *server;
|
||||
const char *port;
|
||||
int use_proxy;
|
||||
long timeout;
|
||||
SSL_CTX *ssl_ctx;
|
||||
} APP_HTTP_TLS_INFO;
|
||||
BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
|
||||
int connect, int detail);
|
||||
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
|
||||
# ifndef OPENSSL_NO_SOCK
|
||||
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
|
||||
const char *no_proxy, SSL_CTX *ssl_ctx,
|
||||
const STACK_OF(CONF_VALUE) *headers,
|
||||
long timeout, const char *expected_content_type,
|
||||
const ASN1_ITEM *it);
|
||||
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
|
||||
const char *path, const char *proxy,
|
||||
const char *no_proxy, SSL_CTX *ctx,
|
||||
const STACK_OF(CONF_VALUE) *headers,
|
||||
const char *content_type,
|
||||
ASN1_VALUE *req, const ASN1_ITEM *req_it,
|
||||
const char *expected_content_type,
|
||||
long timeout, const ASN1_ITEM *rsp_it);
|
||||
# endif
|
||||
|
||||
# define EXT_COPY_NONE 0
|
||||
# define EXT_COPY_ADD 1
|
||||
# define EXT_COPY_ALL 2
|
||||
|
||||
# define NETSCAPE_CERT_HDR "certificate"
|
||||
|
||||
# define APP_PASS_LEN 1024
|
||||
|
||||
/*
|
||||
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
|
||||
* so that the first bit will never be one, so that the DER encoding
|
||||
* rules won't force a leading octet.
|
||||
*/
|
||||
# define SERIAL_RAND_BITS 159
|
||||
|
||||
int app_isdir(const char *);
|
||||
int app_access(const char *, int flag);
|
||||
int fileno_stdin(void);
|
||||
int fileno_stdout(void);
|
||||
int raw_read_stdin(void *, int);
|
||||
int raw_write_stdout(const void *, int);
|
||||
|
||||
# define TM_START 0
|
||||
# define TM_STOP 1
|
||||
double app_tminterval(int stop, int usertime);
|
||||
|
||||
void make_uppercase(char *string);
|
||||
|
||||
typedef struct verify_options_st {
|
||||
int depth;
|
||||
int quiet;
|
||||
int error;
|
||||
int return_error;
|
||||
} VERIFY_CB_ARGS;
|
||||
|
||||
extern VERIFY_CB_ARGS verify_args;
|
||||
|
||||
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
|
||||
const OSSL_PARAM *paramdefs);
|
||||
void app_params_free(OSSL_PARAM *params);
|
||||
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
|
||||
void app_providers_cleanup(void);
|
||||
|
||||
EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose);
|
||||
EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg);
|
||||
|
||||
#endif
|
29
apps/include/apps_ui.h
Normal file
29
apps/include/apps_ui.h
Normal file
|
@ -0,0 +1,29 @@
|
|||
/*
|
||||
* Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_UI_H
|
||||
# define OSSL_APPS_UI_H
|
||||
|
||||
|
||||
# define PW_MIN_LENGTH 4
|
||||
typedef struct pw_cb_data {
|
||||
const void *password;
|
||||
const char *prompt_info;
|
||||
} PW_CB_DATA;
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
|
||||
|
||||
int setup_ui_method(void);
|
||||
void destroy_ui_method(void);
|
||||
int set_base_ui_method(const UI_METHOD *ui_method);
|
||||
const UI_METHOD *get_ui_method(void);
|
||||
|
||||
extern BIO *bio_err;
|
||||
|
||||
#endif
|
35
apps/include/cmp_mock_srv.h
Normal file
35
apps/include/cmp_mock_srv.h
Normal file
|
@ -0,0 +1,35 @@
|
|||
/*
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Siemens AG 2018-2020
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_CMP_MOCK_SRV_H
|
||||
# define OSSL_APPS_CMP_MOCK_SRV_H
|
||||
|
||||
# include <openssl/opensslconf.h>
|
||||
# ifndef OPENSSL_NO_CMP
|
||||
|
||||
# include <openssl/cmp.h>
|
||||
|
||||
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
|
||||
const char *propq);
|
||||
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
|
||||
|
||||
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
|
||||
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *chain);
|
||||
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *caPubs);
|
||||
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
|
||||
int fail_info, const char *text);
|
||||
int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
|
||||
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
|
||||
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
|
||||
|
||||
# endif /* !defined(OPENSSL_NO_CMP) */
|
||||
#endif /* !defined(OSSL_APPS_CMP_MOCK_SRV_H) */
|
23
apps/include/ec_common.h
Normal file
23
apps/include/ec_common.h
Normal file
|
@ -0,0 +1,23 @@
|
|||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const char *point_format_options[] = {
|
||||
"uncompressed",
|
||||
"compressed",
|
||||
"hybrid",
|
||||
NULL
|
||||
};
|
||||
|
||||
static const char *asn1_encoding_options[] = {
|
||||
"named_curve",
|
||||
"explicit",
|
||||
NULL
|
||||
};
|
||||
#endif
|
21
apps/include/engine_loader.h
Normal file
21
apps/include/engine_loader.h
Normal file
|
@ -0,0 +1,21 @@
|
|||
/*
|
||||
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#ifndef HEADER_ENGINE_LOADER_H
|
||||
# define HEADER_ENGINE_LOADER_H
|
||||
|
||||
# include <openssl/store.h>
|
||||
|
||||
/* this is a private URI scheme */
|
||||
# define ENGINE_SCHEME "org.openssl.engine"
|
||||
# define ENGINE_SCHEME_COLON (ENGINE_SCHEME ":")
|
||||
|
||||
int setup_engine_loader(void);
|
||||
void destroy_engine_loader(void);
|
||||
|
||||
#endif
|
45
apps/include/fmt.h
Normal file
45
apps/include/fmt.h
Normal file
|
@ -0,0 +1,45 @@
|
|||
/*
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Options are shared by apps (see apps.h) and the test system
|
||||
* (see test/testutil.h').
|
||||
* In order to remove the dependency between apps and options, the following
|
||||
* shared fields have been moved into this file.
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_FMT_H
|
||||
#define OSSL_APPS_FMT_H
|
||||
|
||||
/*
|
||||
* On some platforms, it's important to distinguish between text and binary
|
||||
* files. On some, there might even be specific file formats for different
|
||||
* contents. The FORMAT_xxx macros are meant to express an intent with the
|
||||
* file being read or created.
|
||||
*/
|
||||
# define B_FORMAT_TEXT 0x8000
|
||||
# define FORMAT_UNDEF 0
|
||||
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
|
||||
# define FORMAT_BINARY 2 /* Generic binary */
|
||||
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
|
||||
# define FORMAT_ASN1 4 /* ASN.1/DER */
|
||||
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
|
||||
# define FORMAT_PKCS12 6
|
||||
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
|
||||
# define FORMAT_ENGINE 8 /* Not really a file format */
|
||||
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
|
||||
# define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
|
||||
# define FORMAT_MSBLOB 11 /* MS Key blob format */
|
||||
# define FORMAT_PVK 12 /* MS PVK file format */
|
||||
# define FORMAT_HTTP 13 /* Download using HTTP */
|
||||
# define FORMAT_NSS 14 /* NSS keylog format */
|
||||
|
||||
int FMT_istext(int format);
|
||||
|
||||
#endif /* OSSL_APPS_FMT_H_ */
|
44
apps/include/function.h
Normal file
44
apps/include/function.h
Normal file
|
@ -0,0 +1,44 @@
|
|||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_FUNCTION_H
|
||||
# define OSSL_APPS_FUNCTION_H
|
||||
|
||||
# include <openssl/lhash.h>
|
||||
# include "opt.h"
|
||||
|
||||
#define DEPRECATED_NO_ALTERNATIVE "unknown"
|
||||
|
||||
typedef enum FUNC_TYPE {
|
||||
FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
|
||||
FT_md_alg, FT_cipher_alg
|
||||
} FUNC_TYPE;
|
||||
|
||||
typedef struct function_st {
|
||||
FUNC_TYPE type;
|
||||
const char *name;
|
||||
int (*func)(int argc, char *argv[]);
|
||||
const OPTIONS *help;
|
||||
const char *deprecated_alternative;
|
||||
const char *deprecated_version;
|
||||
} FUNCTION;
|
||||
|
||||
DEFINE_LHASH_OF(FUNCTION);
|
||||
|
||||
/* Structure to hold the number of columns to be displayed and the
|
||||
* field width used to display them.
|
||||
*/
|
||||
typedef struct {
|
||||
int columns;
|
||||
int width;
|
||||
} DISPLAY_COLUMNS;
|
||||
|
||||
void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc);
|
||||
|
||||
#endif
|
125
apps/include/http_server.h
Normal file
125
apps/include/http_server.h
Normal file
|
@ -0,0 +1,125 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_HTTP_SERVER_H
|
||||
# define OSSL_HTTP_SERVER_H
|
||||
|
||||
# include "apps.h"
|
||||
|
||||
# ifndef HAVE_FORK
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
|
||||
# define HAVE_FORK 0
|
||||
# else
|
||||
# define HAVE_FORK 1
|
||||
# endif
|
||||
# endif
|
||||
|
||||
# if HAVE_FORK
|
||||
# undef NO_FORK
|
||||
# else
|
||||
# define NO_FORK
|
||||
# endif
|
||||
|
||||
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
|
||||
&& !defined(OPENSSL_NO_POSIX_IO)
|
||||
# define HTTP_DAEMON
|
||||
# include <sys/types.h>
|
||||
# include <sys/wait.h>
|
||||
# include <syslog.h>
|
||||
# include <signal.h>
|
||||
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
|
||||
# else
|
||||
# undef LOG_DEBUG
|
||||
# undef LOG_INFO
|
||||
# undef LOG_WARNING
|
||||
# undef LOG_ERR
|
||||
# define LOG_DEBUG 7
|
||||
# define LOG_INFO 6
|
||||
# define LOG_WARNING 4
|
||||
# define LOG_ERR 3
|
||||
# endif
|
||||
|
||||
/*-
|
||||
* Log a message to syslog if multi-threaded HTTP_DAEMON, else to bio_err
|
||||
* prog: the name of the current app
|
||||
* level: the severity of the message, e.g., LOG_ERR
|
||||
* fmt: message with potential extra parameters like with printf()
|
||||
* returns nothing
|
||||
*/
|
||||
void log_message(const char *prog, int level, const char *fmt, ...);
|
||||
|
||||
# ifndef OPENSSL_NO_SOCK
|
||||
/*-
|
||||
* Initialize an HTTP server by setting up its listening BIO
|
||||
* prog: the name of the current app
|
||||
* port: the port to listen on
|
||||
* returns a BIO for accepting requests, NULL on error
|
||||
*/
|
||||
BIO *http_server_init_bio(const char *prog, const char *port);
|
||||
|
||||
/*-
|
||||
* Accept an ASN.1-formatted HTTP request
|
||||
* it: the expected request ASN.1 type
|
||||
* preq: pointer to variable where to place the parsed request
|
||||
* ppath: pointer to variable where to place the request path, or NULL
|
||||
* pcbio: pointer to variable where to place the BIO for sending the response to
|
||||
* acbio: the listening bio (typically as returned by http_server_init_bio())
|
||||
* found_keep_alive: for returning flag if client requests persistent connection
|
||||
* prog: the name of the current app, for diagnostics only
|
||||
* port: the local port listening to, for diagnostics only
|
||||
* accept_get: whether to accept GET requests (in addition to POST requests)
|
||||
* timeout: connection timeout (in seconds), or 0 for none/infinite
|
||||
* returns 0 in case caller should retry, then *preq == *ppath == *pcbio == NULL
|
||||
* returns -1 on fatal error; also then holds *preq == *ppath == *pcbio == NULL
|
||||
* returns 1 otherwise. In this case it is guaranteed that *pcbio != NULL while
|
||||
* *ppath == NULL and *preq == NULL if and only if the request is invalid,
|
||||
* On return value 1 the caller is responsible for sending an HTTP response,
|
||||
* using http_server_send_asn1_resp() or http_server_send_status().
|
||||
* The caller must free any non-NULL *preq, *ppath, and *pcbio pointers.
|
||||
*/
|
||||
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
|
||||
char **ppath, BIO **pcbio, BIO *acbio,
|
||||
int *found_keep_alive,
|
||||
const char *prog, const char *port,
|
||||
int accept_get, int timeout);
|
||||
|
||||
/*-
|
||||
* Send an ASN.1-formatted HTTP response
|
||||
* cbio: destination BIO (typically as returned by http_server_get_asn1_req())
|
||||
* note: cbio should not do an encoding that changes the output length
|
||||
* keep_alive: grant persistent connnection
|
||||
* content_type: string identifying the type of the response
|
||||
* it: the response ASN.1 type
|
||||
* resp: the response to send
|
||||
* returns 1 on success, 0 on failure
|
||||
*/
|
||||
int http_server_send_asn1_resp(BIO *cbio, int keep_alive,
|
||||
const char *content_type,
|
||||
const ASN1_ITEM *it, const ASN1_VALUE *resp);
|
||||
|
||||
/*-
|
||||
* Send a trivial HTTP response, typically to report an error or OK
|
||||
* cbio: destination BIO (typically as returned by http_server_get_asn1_req())
|
||||
* status: the status code to send
|
||||
* reason: the corresponding human-readable string
|
||||
* returns 1 on success, 0 on failure
|
||||
*/
|
||||
int http_server_send_status(BIO *cbio, int status, const char *reason);
|
||||
|
||||
# endif
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
extern int multi;
|
||||
extern int acfd;
|
||||
|
||||
void socket_timeout(int signum);
|
||||
void spawn_loop(const char *prog);
|
||||
# endif
|
||||
|
||||
#endif
|
17
apps/include/names.h
Normal file
17
apps/include/names.h
Normal file
|
@ -0,0 +1,17 @@
|
|||
/*
|
||||
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/safestack.h>
|
||||
|
||||
/* Standard comparing function for names */
|
||||
int name_cmp(const char * const *a, const char * const *b);
|
||||
/* collect_names is meant to be used with EVP_{type}_doall_names */
|
||||
void collect_names(const char *name, void *vdata);
|
||||
/* Sorts and prints a stack of names to |out| */
|
||||
void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names);
|
|
@ -1,92 +1,20 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#ifndef OSSL_APPS_OPT_H
|
||||
#define OSSL_APPS_OPT_H
|
||||
|
||||
#ifndef OSSL_APPS_H
|
||||
# define OSSL_APPS_H
|
||||
#include <sys/types.h>
|
||||
#include <openssl/e_os2.h>
|
||||
#include <openssl/types.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
# include "e_os.h" /* struct timeval for DTLS */
|
||||
# include "internal/nelem.h"
|
||||
# include <assert.h>
|
||||
|
||||
# include <sys/types.h>
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
# include <sys/stat.h>
|
||||
# include <fcntl.h>
|
||||
# endif
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
# include <openssl/ossl_typ.h>
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/x509.h>
|
||||
# include <openssl/conf.h>
|
||||
# include <openssl/txt_db.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/ocsp.h>
|
||||
# include <signal.h>
|
||||
|
||||
# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
|
||||
# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
|
||||
# else
|
||||
# define openssl_fdset(a,b) FD_SET(a, b)
|
||||
# endif
|
||||
|
||||
/*
|
||||
* quick macro when you need to pass an unsigned char instead of a char.
|
||||
* this is true for some implementations of the is*() functions, for
|
||||
* example.
|
||||
*/
|
||||
#define _UC(c) ((unsigned char)(c))
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section);
|
||||
void app_RAND_write(void);
|
||||
|
||||
extern char *default_config_file;
|
||||
extern BIO *bio_in;
|
||||
extern BIO *bio_out;
|
||||
extern BIO *bio_err;
|
||||
extern const unsigned char tls13_aes128gcmsha256_id[];
|
||||
extern const unsigned char tls13_aes256gcmsha384_id[];
|
||||
extern BIO_ADDR *ourpeer;
|
||||
|
||||
BIO_METHOD *apps_bf_prefix(void);
|
||||
/*
|
||||
* The control used to set the prefix with BIO_ctrl()
|
||||
* We make it high enough so the chance of ever clashing with the BIO library
|
||||
* remains unlikely for the foreseeable future and beyond.
|
||||
*/
|
||||
#define PREFIX_CTRL_SET_PREFIX (1 << 15)
|
||||
/*
|
||||
* apps_bf_prefix() returns a dynamically created BIO_METHOD, which we
|
||||
* need to destroy at some point. When created internally, it's stored
|
||||
* in an internal pointer which can be freed with the following function
|
||||
*/
|
||||
void destroy_prefix_method(void);
|
||||
|
||||
BIO *dup_bio_in(int format);
|
||||
BIO *dup_bio_out(int format);
|
||||
BIO *dup_bio_err(int format);
|
||||
BIO *bio_open_owner(const char *filename, int format, int private);
|
||||
BIO *bio_open_default(const char *filename, char mode, int format);
|
||||
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename);
|
||||
CONF *app_load_config(const char *filename);
|
||||
CONF *app_load_config_quiet(const char *filename);
|
||||
int app_load_modules(const CONF *config);
|
||||
void unbuffer(FILE *fp);
|
||||
void wait_for_async(SSL *s);
|
||||
# if defined(OPENSSL_SYS_MSDOS)
|
||||
int has_stdin_waiting(void);
|
||||
# endif
|
||||
|
||||
void corrupt_signature(const ASN1_STRING *signature);
|
||||
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
int days);
|
||||
#define OPT_COMMON OPT_ERR = -1, OPT_EOF = 0, OPT_HELP
|
||||
|
||||
/*
|
||||
* Common verification options.
|
||||
|
@ -106,6 +34,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
OPT_V__LAST
|
||||
|
||||
# define OPT_V_OPTIONS \
|
||||
OPT_SECTION("Validation"), \
|
||||
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
|
||||
{ "purpose", OPT_V_PURPOSE, 's', \
|
||||
"certificate chain purpose"}, \
|
||||
|
@ -198,15 +127,16 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
OPT_X__LAST
|
||||
|
||||
# define OPT_X_OPTIONS \
|
||||
OPT_SECTION("Extended certificate"), \
|
||||
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
|
||||
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
|
||||
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
|
||||
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
|
||||
"build certificate chain for the extended certificates"}, \
|
||||
{ "xcertform", OPT_X_CERTFORM, 'F', \
|
||||
"format of Extended certificate (PEM or DER) PEM default " }, \
|
||||
"format of Extended certificate (PEM/DER/P12); has no effect" }, \
|
||||
{ "xkeyform", OPT_X_KEYFORM, 'F', \
|
||||
"format of Extended certificate's key (PEM or DER) PEM default"}
|
||||
"format of Extended certificate's key (DER/PEM/P12); has no effect"}
|
||||
|
||||
# define OPT_X_CASES \
|
||||
OPT_X__FIRST: case OPT_X__LAST: break; \
|
||||
|
@ -225,16 +155,18 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
OPT_S__FIRST=3000, \
|
||||
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
|
||||
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
|
||||
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
|
||||
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
|
||||
OPT_S_LEGACYCONN, \
|
||||
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
|
||||
OPT_S_PRIORITIZE_CHACHA, \
|
||||
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
|
||||
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
|
||||
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
|
||||
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
|
||||
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
|
||||
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, OPT_S__LAST
|
||||
|
||||
# define OPT_S_OPTIONS \
|
||||
OPT_SECTION("TLS/SSL"), \
|
||||
{"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
|
||||
{"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
|
||||
{"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
|
||||
|
@ -248,6 +180,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
|
||||
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
|
||||
"Enable use of legacy renegotiation (dangerous)"}, \
|
||||
{"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
|
||||
"Allow client-initiated renegotiation" }, \
|
||||
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
|
||||
"Disable all renegotiation."}, \
|
||||
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
|
||||
|
@ -282,7 +216,9 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
|
||||
"Perform all sorts of protocol violations for testing purposes"}, \
|
||||
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
|
||||
"Disable TLSv1.3 middlebox compat mode" }
|
||||
"Disable TLSv1.3 middlebox compat mode" }, \
|
||||
{"no_etm", OPT_S_NO_ETM, '-', \
|
||||
"Disable Encrypt-then-Mac extension"}
|
||||
|
||||
# define OPT_S_CASES \
|
||||
OPT_S__FIRST: case OPT_S__LAST: break; \
|
||||
|
@ -297,6 +233,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
case OPT_S_NOTICKET: \
|
||||
case OPT_S_SERVERPREF: \
|
||||
case OPT_S_LEGACYRENEG: \
|
||||
case OPT_S_CLIENTRENEG: \
|
||||
case OPT_S_LEGACYCONN: \
|
||||
case OPT_S_ONRESUMP: \
|
||||
case OPT_S_NOLEGACYCONN: \
|
||||
|
@ -315,7 +252,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
case OPT_S_MINPROTO: \
|
||||
case OPT_S_MAXPROTO: \
|
||||
case OPT_S_DEBUGBROKE: \
|
||||
case OPT_S_NO_MIDDLEBOX
|
||||
case OPT_S_NO_MIDDLEBOX: \
|
||||
case OPT_S_NO_ETM
|
||||
|
||||
#define IS_NO_PROT_FLAG(o) \
|
||||
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|
||||
|
@ -328,18 +266,45 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
|
||||
|
||||
# define OPT_R_OPTIONS \
|
||||
{"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \
|
||||
OPT_SECTION("Random state"), \
|
||||
{"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
|
||||
{"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
|
||||
|
||||
# define OPT_R_CASES \
|
||||
OPT_R__FIRST: case OPT_R__LAST: break; \
|
||||
case OPT_R_RAND: case OPT_R_WRITERAND
|
||||
|
||||
/*
|
||||
* Provider options.
|
||||
*/
|
||||
# define OPT_PROV_ENUM \
|
||||
OPT_PROV__FIRST=1600, \
|
||||
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
|
||||
OPT_PROV__LAST
|
||||
|
||||
# define OPT_CONFIG_OPTION \
|
||||
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
|
||||
|
||||
# define OPT_PROV_OPTIONS \
|
||||
OPT_SECTION("Provider"), \
|
||||
{ "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
|
||||
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
|
||||
{ "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
|
||||
|
||||
# define OPT_PROV_CASES \
|
||||
OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
|
||||
case OPT_PROV_PROVIDER: \
|
||||
case OPT_PROV_PROVIDER_PATH: \
|
||||
case OPT_PROV_PROPQUERY
|
||||
|
||||
/*
|
||||
* Option parsing.
|
||||
*/
|
||||
extern const char OPT_HELP_STR[];
|
||||
extern const char OPT_MORE_STR[];
|
||||
extern const char OPT_SECTION_STR[];
|
||||
extern const char OPT_PARAM_STR[];
|
||||
|
||||
typedef struct options_st {
|
||||
const char *name;
|
||||
int retval;
|
||||
|
@ -352,6 +317,9 @@ typedef struct options_st {
|
|||
int valtype;
|
||||
const char *helpstr;
|
||||
} OPTIONS;
|
||||
/* Special retval values: */
|
||||
#define OPT_PARAM 0 /* same as OPT_EOF usually defined in apps */
|
||||
#define OPT_DUP -2 /* marks duplicate occurrence of option in help output */
|
||||
|
||||
/*
|
||||
* A string/int pairing; widely use for option value lookup, hence the
|
||||
|
@ -381,255 +349,52 @@ typedef struct string_int_pair_st {
|
|||
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
|
||||
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
|
||||
|
||||
char *opt_progname(const char *argv0);
|
||||
char *opt_getprog(void);
|
||||
/* Divide options into sections when displaying usage */
|
||||
#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
|
||||
#define OPT_PARAMETERS() { OPT_PARAM_STR, 1, '-', "Parameters:\n" }
|
||||
|
||||
const char *opt_path_end(const char *filename);
|
||||
char *opt_init(int ac, char **av, const OPTIONS * o);
|
||||
char *opt_progname(const char *argv0);
|
||||
char *opt_appname(const char *argv0);
|
||||
char *opt_getprog(void);
|
||||
void opt_help(const OPTIONS * list);
|
||||
|
||||
void opt_begin(void);
|
||||
int opt_next(void);
|
||||
int opt_format(const char *s, unsigned long flags, int *result);
|
||||
int opt_int(const char *arg, int *result);
|
||||
int opt_ulong(const char *arg, unsigned long *result);
|
||||
int opt_long(const char *arg, long *result);
|
||||
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX)
|
||||
int opt_imax(const char *arg, intmax_t *result);
|
||||
int opt_umax(const char *arg, uintmax_t *result);
|
||||
#else
|
||||
# define opt_imax opt_long
|
||||
# define opt_umax opt_ulong
|
||||
# define intmax_t long
|
||||
# define uintmax_t unsigned long
|
||||
#endif
|
||||
int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
|
||||
int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
|
||||
int opt_md(const char *name, const EVP_MD **mdp);
|
||||
char *opt_arg(void);
|
||||
char *opt_flag(void);
|
||||
char *opt_arg(void);
|
||||
char *opt_unknown(void);
|
||||
char **opt_rest(void);
|
||||
int opt_num_rest(void);
|
||||
int opt_cipher(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_cipher_any(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_md(const char *name, EVP_MD **mdp);
|
||||
int opt_md_silent(const char *name, EVP_MD **mdp);
|
||||
|
||||
int opt_int(const char *arg, int *result);
|
||||
int opt_int_arg(void);
|
||||
int opt_long(const char *arg, long *result);
|
||||
int opt_ulong(const char *arg, unsigned long *result);
|
||||
int opt_intmax(const char *arg, ossl_intmax_t *result);
|
||||
int opt_uintmax(const char *arg, ossl_uintmax_t *result);
|
||||
|
||||
int opt_isdir(const char *name);
|
||||
int opt_format(const char *s, unsigned long flags, int *result);
|
||||
void print_format_error(int format, unsigned long flags);
|
||||
int opt_printf_stderr(const char *fmt, ...);
|
||||
int opt_string(const char *name, const char **options);
|
||||
int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
|
||||
|
||||
int opt_verify(int i, X509_VERIFY_PARAM *vpm);
|
||||
int opt_rand(int i);
|
||||
void opt_help(const OPTIONS * list);
|
||||
int opt_format_error(const char *s, unsigned long flags);
|
||||
int opt_provider(int i);
|
||||
int opt_provider_option_given(void);
|
||||
|
||||
typedef struct args_st {
|
||||
int size;
|
||||
int argc;
|
||||
char **argv;
|
||||
} ARGS;
|
||||
char **opt_rest(void);
|
||||
int opt_num_rest(void);
|
||||
|
||||
/*
|
||||
* VMS C only for now, implemented in vms_decc_init.c
|
||||
* If other C compilers forget to terminate argv with NULL, this function
|
||||
* can be re-used.
|
||||
*/
|
||||
char **copy_argv(int *argc, char *argv[]);
|
||||
/*
|
||||
* Win32-specific argv initialization that splits OS-supplied UNICODE
|
||||
* command line string to array of UTF8-encoded strings.
|
||||
*/
|
||||
void win32_utf8argv(int *argc, char **argv[]);
|
||||
/* Returns non-zero if legacy paths are still available */
|
||||
int opt_legacy_okay(void);
|
||||
|
||||
|
||||
# define PW_MIN_LENGTH 4
|
||||
typedef struct pw_cb_data {
|
||||
const void *password;
|
||||
const char *prompt_info;
|
||||
} PW_CB_DATA;
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
|
||||
|
||||
int setup_ui_method(void);
|
||||
void destroy_ui_method(void);
|
||||
const UI_METHOD *get_ui_method(void);
|
||||
|
||||
int chopup_args(ARGS *arg, char *buf);
|
||||
int dump_cert_text(BIO *out, X509 *x);
|
||||
void print_name(BIO *out, const char *title, X509_NAME *nm,
|
||||
unsigned long lflags);
|
||||
void print_bignum_var(BIO *, const BIGNUM *, const char*,
|
||||
int, unsigned char *);
|
||||
void print_array(BIO *, const char *, int, const unsigned char *);
|
||||
int set_nameopt(const char *arg);
|
||||
unsigned long get_nameopt(void);
|
||||
int set_cert_ex(unsigned long *flags, const char *arg);
|
||||
int set_name_ex(unsigned long *flags, const char *arg);
|
||||
int set_ext_copy(int *copy_type, const char *arg);
|
||||
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
|
||||
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
|
||||
int add_oid_section(CONF *conf);
|
||||
X509 *load_cert(const char *file, int format, const char *cert_descrip);
|
||||
X509_CRL *load_crl(const char *infile, int format);
|
||||
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *key_descrip);
|
||||
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *key_descrip);
|
||||
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
|
||||
const char *pass, const char *cert_descrip);
|
||||
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
|
||||
const char *pass, const char *cert_descrip);
|
||||
X509_STORE *setup_verify(const char *CAfile, const char *CApath,
|
||||
int noCAfile, int noCApath);
|
||||
__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
|
||||
const char *CApath, int noCAfile,
|
||||
int noCApath);
|
||||
|
||||
#ifndef OPENSSL_NO_CT
|
||||
|
||||
/*
|
||||
* Sets the file to load the Certificate Transparency log list from.
|
||||
* If path is NULL, loads from the default file path.
|
||||
* Returns 1 on success, 0 otherwise.
|
||||
*/
|
||||
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
|
||||
|
||||
#endif
|
||||
|
||||
ENGINE *setup_engine(const char *engine, int debug);
|
||||
void release_engine(ENGINE *e);
|
||||
|
||||
# ifndef OPENSSL_NO_OCSP
|
||||
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
|
||||
const char *host, const char *path,
|
||||
const char *port, int use_ssl,
|
||||
STACK_OF(CONF_VALUE) *headers,
|
||||
int req_timeout);
|
||||
# endif
|
||||
|
||||
/* Functions defined in ca.c and also used in ocsp.c */
|
||||
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
|
||||
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
|
||||
|
||||
# define DB_type 0
|
||||
# define DB_exp_date 1
|
||||
# define DB_rev_date 2
|
||||
# define DB_serial 3 /* index - unique */
|
||||
# define DB_file 4
|
||||
# define DB_name 5 /* index - unique when active and not
|
||||
* disabled */
|
||||
# define DB_NUMBER 6
|
||||
|
||||
# define DB_TYPE_REV 'R' /* Revoked */
|
||||
# define DB_TYPE_EXP 'E' /* Expired */
|
||||
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
|
||||
# define DB_TYPE_SUSP 'S' /* Suspended */
|
||||
|
||||
typedef struct db_attr_st {
|
||||
int unique_subject;
|
||||
} DB_ATTR;
|
||||
typedef struct ca_db_st {
|
||||
DB_ATTR attributes;
|
||||
TXT_DB *db;
|
||||
char *dbfname;
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
struct stat dbst;
|
||||
# endif
|
||||
} CA_DB;
|
||||
|
||||
void* app_malloc(int sz, const char *what);
|
||||
|
||||
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
|
||||
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
|
||||
ASN1_INTEGER **retai);
|
||||
int save_serial(const char *serialfile, const char *suffix,
|
||||
const BIGNUM *serial, ASN1_INTEGER **retai);
|
||||
int rotate_serial(const char *serialfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
|
||||
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
|
||||
int index_index(CA_DB *db);
|
||||
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
|
||||
int rotate_index(const char *dbfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
void free_index(CA_DB *db);
|
||||
# define index_name_cmp_noconst(a, b) \
|
||||
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
|
||||
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
|
||||
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
|
||||
int parse_yesno(const char *str, int def);
|
||||
|
||||
X509_NAME *parse_name(const char *str, long chtype, int multirdn);
|
||||
void policies_print(X509_STORE_CTX *ctx);
|
||||
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
|
||||
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param);
|
||||
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
|
||||
extern char *psk_key;
|
||||
|
||||
|
||||
unsigned char *next_protos_parse(size_t *outlen, const char *in);
|
||||
|
||||
void print_cert_checks(BIO *bio, X509 *x,
|
||||
const char *checkhost,
|
||||
const char *checkemail, const char *checkip);
|
||||
|
||||
void store_setup_crl_download(X509_STORE *st);
|
||||
|
||||
/* See OPT_FMT_xxx, above. */
|
||||
/* On some platforms, it's important to distinguish between text and binary
|
||||
* files. On some, there might even be specific file formats for different
|
||||
* contents. The FORMAT_xxx macros are meant to express an intent with the
|
||||
* file being read or created.
|
||||
*/
|
||||
# define B_FORMAT_TEXT 0x8000
|
||||
# define FORMAT_UNDEF 0
|
||||
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
|
||||
# define FORMAT_BINARY 2 /* Generic binary */
|
||||
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
|
||||
# define FORMAT_ASN1 4 /* ASN.1/DER */
|
||||
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
|
||||
# define FORMAT_PKCS12 6
|
||||
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
|
||||
# define FORMAT_ENGINE 8 /* Not really a file format */
|
||||
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPubicKey format */
|
||||
# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
|
||||
# define FORMAT_MSBLOB 11 /* MS Key blob format */
|
||||
# define FORMAT_PVK 12 /* MS PVK file format */
|
||||
# define FORMAT_HTTP 13 /* Download using HTTP */
|
||||
# define FORMAT_NSS 14 /* NSS keylog format */
|
||||
|
||||
# define EXT_COPY_NONE 0
|
||||
# define EXT_COPY_ADD 1
|
||||
# define EXT_COPY_ALL 2
|
||||
|
||||
# define NETSCAPE_CERT_HDR "certificate"
|
||||
|
||||
# define APP_PASS_LEN 1024
|
||||
|
||||
/*
|
||||
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
|
||||
* so that the first bit will never be one, so that the DER encoding
|
||||
* rules won't force a leading octet.
|
||||
*/
|
||||
# define SERIAL_RAND_BITS 159
|
||||
|
||||
int app_isdir(const char *);
|
||||
int app_access(const char *, int flag);
|
||||
int fileno_stdin(void);
|
||||
int fileno_stdout(void);
|
||||
int raw_read_stdin(void *, int);
|
||||
int raw_write_stdout(const void *, int);
|
||||
|
||||
# define TM_START 0
|
||||
# define TM_STOP 1
|
||||
double app_tminterval(int stop, int usertime);
|
||||
|
||||
void make_uppercase(char *string);
|
||||
|
||||
typedef struct verify_options_st {
|
||||
int depth;
|
||||
int quiet;
|
||||
int error;
|
||||
int return_error;
|
||||
} VERIFY_CB_ARGS;
|
||||
|
||||
extern VERIFY_CB_ARGS verify_args;
|
||||
|
||||
#endif
|
||||
#endif /* OSSL_APPS_OPT_H */
|
32
apps/include/platform.h
Normal file
32
apps/include/platform.h
Normal file
|
@ -0,0 +1,32 @@
|
|||
/*
|
||||
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_PLATFORM_H
|
||||
# define OSSL_APPS_PLATFORM_H
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
|
||||
# if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
||||
/*
|
||||
* VMS C only for now, implemented in vms_decc_init.c
|
||||
* If other C compilers forget to terminate argv with NULL, this function
|
||||
* can be re-used.
|
||||
*/
|
||||
char **copy_argv(int *argc, char *argv[]);
|
||||
# endif
|
||||
|
||||
# ifdef _WIN32
|
||||
/*
|
||||
* Win32-specific argv initialization that splits OS-supplied UNICODE
|
||||
* command line string to array of UTF8-encoded strings.
|
||||
*/
|
||||
void win32_utf8argv(int *argc, char **argv[]);
|
||||
# endif
|
||||
|
||||
#endif
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -10,11 +10,13 @@
|
|||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/srp.h>
|
||||
|
||||
#define PORT "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
|
||||
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
|
||||
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
|
||||
int do_server(int *accept_sock, const char *host, const char *port,
|
||||
int family, int type, int protocol, do_server_cb cb,
|
||||
unsigned char *context, int naccept, BIO *bio_s_out);
|
||||
|
@ -32,9 +34,10 @@ int init_client(int *sock, const char *host, const char *port,
|
|||
const char *bindhost, const char *bindport,
|
||||
int family, int type, int protocol);
|
||||
int should_retry(int i);
|
||||
void do_ssl_shutdown(SSL *ssl);
|
||||
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
|
||||
int argi, long argl, int ret, size_t *processed);
|
||||
|
||||
void apps_ssl_info_callback(const SSL *s, int where, int ret);
|
||||
void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
|
@ -69,9 +72,37 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
|
|||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
|
||||
int crl_download);
|
||||
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
|
||||
const char *vfyCAfile, const char *chCApath,
|
||||
const char *chCAfile, STACK_OF(X509_CRL) *crls,
|
||||
const char *vfyCAfile, const char *vfyCAstore,
|
||||
const char *chCApath, const char *chCAfile,
|
||||
const char *chCAstore, STACK_OF(X509_CRL) *crls,
|
||||
int crl_download);
|
||||
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
|
||||
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
|
||||
void print_ca_names(BIO *bio, SSL *s);
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
/* The client side SRP context that we pass to all SRP related callbacks */
|
||||
typedef struct srp_arg_st {
|
||||
char *srppassin;
|
||||
char *srplogin;
|
||||
int msg; /* copy from c_msg */
|
||||
int debug; /* copy from c_debug */
|
||||
int amp; /* allow more groups */
|
||||
int strength; /* minimal size for N */
|
||||
} SRP_ARG;
|
||||
|
||||
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
|
||||
int c_debug);
|
||||
void set_up_dummy_srp(SSL_CTX *ctx);
|
||||
|
||||
/* The server side SRP context that we pass to all SRP related callbacks */
|
||||
typedef struct srpsrvparm_st {
|
||||
char *login;
|
||||
SRP_VBASE *vb;
|
||||
SRP_user_pwd *user;
|
||||
} srpsrvparm;
|
||||
|
||||
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
|
||||
char *srpuserseed, char *srp_verifier_file);
|
||||
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
|
||||
#endif /* OPENSSL_NO_SRP */
|
31
apps/include/vms_term_sock.h
Normal file
31
apps/include/vms_term_sock.h
Normal file
|
@ -0,0 +1,31 @@
|
|||
/*
|
||||
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016 VMS Software, Inc. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_VMS_TERM_SOCK_H
|
||||
# define OSSL_APPS_VMS_TERM_SOCK_H
|
||||
|
||||
/*
|
||||
** Terminal Socket Function Codes
|
||||
*/
|
||||
# define TERM_SOCK_CREATE 1
|
||||
# define TERM_SOCK_DELETE 2
|
||||
|
||||
/*
|
||||
** Terminal Socket Status Codes
|
||||
*/
|
||||
# define TERM_SOCK_FAILURE 0
|
||||
# define TERM_SOCK_SUCCESS 1
|
||||
|
||||
/*
|
||||
** Terminal Socket Prototype
|
||||
*/
|
||||
int TerminalSocket (int FunctionCode, int *ReturnSocket);
|
||||
|
||||
#endif
|
104
apps/info.c
Normal file
104
apps/info.c
Normal file
|
@ -0,0 +1,104 @@
|
|||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
|
||||
OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS info_options[] = {
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"},
|
||||
{"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"},
|
||||
{"modulesdir", OPT_MODULESDIR, '-',
|
||||
"Default module directory (other than engine modules)"},
|
||||
{"dsoext", OPT_DSOEXT, '-', "Configured extension for modules"},
|
||||
{"dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator"},
|
||||
{"listsep", OPT_LISTSEP, '-', "List separator character"},
|
||||
{"seeds", OPT_SEEDS, '-', "Seed sources"},
|
||||
{"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int info_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, dirty = 0, type = 0;
|
||||
char *prog;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
prog = opt_init(argc, argv, info_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
default:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto end;
|
||||
case OPT_HELP:
|
||||
opt_help(info_options);
|
||||
ret = 0;
|
||||
goto end;
|
||||
case OPT_CONFIGDIR:
|
||||
type = OPENSSL_INFO_CONFIG_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_ENGINESDIR:
|
||||
type = OPENSSL_INFO_ENGINES_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_MODULESDIR:
|
||||
type = OPENSSL_INFO_MODULES_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_DSOEXT:
|
||||
type = OPENSSL_INFO_DSO_EXTENSION;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_DIRNAMESEP:
|
||||
type = OPENSSL_INFO_DIR_FILENAME_SEPARATOR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_LISTSEP:
|
||||
type = OPENSSL_INFO_LIST_SEPARATOR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_SEEDS:
|
||||
type = OPENSSL_INFO_SEED_SOURCE;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_CPUSETTINGS:
|
||||
type = OPENSSL_INFO_CPU_SETTINGS;
|
||||
dirty++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (opt_num_rest() != 0)
|
||||
goto opthelp;
|
||||
if (dirty > 1) {
|
||||
BIO_printf(bio_err, "%s: Only one item allowed\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
if (dirty == 0) {
|
||||
BIO_printf(bio_err, "%s: No items chosen\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
BIO_printf(bio_out, "%s\n", OPENSSL_info(type));
|
||||
ret = 0;
|
||||
end:
|
||||
return ret;
|
||||
}
|
BIN
apps/insta.ca.crt
Normal file
BIN
apps/insta.ca.crt
Normal file
Binary file not shown.
211
apps/kdf.c
Normal file
211
apps/kdf.c
Normal file
|
@ -0,0 +1,211 @@
|
|||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/params.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
|
||||
OPT_CIPHER, OPT_DIGEST, OPT_MAC,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS kdf_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form"},
|
||||
{"cipher", OPT_CIPHER, 's', "Cipher"},
|
||||
{"digest", OPT_DIGEST, 's', "Digest"},
|
||||
{"mac", OPT_MAC, 's', "MAC"},
|
||||
{OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n"},
|
||||
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"binary", OPT_BIN, '-',
|
||||
"Output in binary format (default is hexadecimal)"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"kdf_name", 0, 0, "Name of the KDF algorithm"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static char *alloc_kdf_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
|
||||
const char *name, const char *arg)
|
||||
{
|
||||
size_t len = strlen(name) + strlen(arg) + 2;
|
||||
char *res;
|
||||
|
||||
if (*optp == NULL)
|
||||
*optp = sk_OPENSSL_STRING_new_null();
|
||||
if (*optp == NULL)
|
||||
return NULL;
|
||||
|
||||
res = app_malloc(len, "algorithm name");
|
||||
BIO_snprintf(res, len, "%s:%s", name, arg);
|
||||
if (sk_OPENSSL_STRING_push(*optp, res))
|
||||
return res;
|
||||
OPENSSL_free(res);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int kdf_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, out_bin = 0;
|
||||
OPTION_CHOICE o;
|
||||
STACK_OF(OPENSSL_STRING) *opts = NULL;
|
||||
char *prog, *hexout = NULL;
|
||||
const char *outfile = NULL;
|
||||
unsigned char *dkm_bytes = NULL;
|
||||
size_t dkm_len = 0;
|
||||
BIO *out = NULL;
|
||||
EVP_KDF *kdf = NULL;
|
||||
EVP_KDF_CTX *ctx = NULL;
|
||||
char *digest = NULL, *cipher = NULL, *mac = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, kdf_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
default:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto err;
|
||||
case OPT_HELP:
|
||||
opt_help(kdf_options);
|
||||
ret = 0;
|
||||
goto err;
|
||||
case OPT_BIN:
|
||||
out_bin = 1;
|
||||
break;
|
||||
case OPT_KEYLEN:
|
||||
dkm_len = (size_t)atoi(opt_arg());
|
||||
break;
|
||||
case OPT_OUT:
|
||||
outfile = opt_arg();
|
||||
break;
|
||||
case OPT_KDFOPT:
|
||||
if (opts == NULL)
|
||||
opts = sk_OPENSSL_STRING_new_null();
|
||||
if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg()))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
OPENSSL_free(cipher);
|
||||
cipher = alloc_kdf_algorithm_name(&opts, "cipher", opt_arg());
|
||||
if (cipher == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_DIGEST:
|
||||
OPENSSL_free(digest);
|
||||
digest = alloc_kdf_algorithm_name(&opts, "digest", opt_arg());
|
||||
if (digest == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_MAC:
|
||||
OPENSSL_free(mac);
|
||||
mac = alloc_kdf_algorithm_name(&opts, "mac", opt_arg());
|
||||
if (mac == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto err;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One argument, the KDF name. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
if (argc != 1)
|
||||
goto opthelp;
|
||||
|
||||
if ((kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0],
|
||||
app_get0_propq())) == NULL) {
|
||||
BIO_printf(bio_err, "Invalid KDF name %s\n", argv[0]);
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
ctx = EVP_KDF_CTX_new(kdf);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
|
||||
if (opts != NULL) {
|
||||
int ok = 1;
|
||||
OSSL_PARAM *params =
|
||||
app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
|
||||
|
||||
if (params == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EVP_KDF_CTX_set_params(ctx, params)) {
|
||||
BIO_printf(bio_err, "KDF parameter error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ok = 0;
|
||||
}
|
||||
app_params_free(params);
|
||||
if (!ok)
|
||||
goto err;
|
||||
}
|
||||
|
||||
out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
|
||||
if (dkm_len <= 0) {
|
||||
BIO_printf(bio_err, "Invalid derived key length.\n");
|
||||
goto err;
|
||||
}
|
||||
dkm_bytes = app_malloc(dkm_len, "out buffer");
|
||||
if (dkm_bytes == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EVP_KDF_derive(ctx, dkm_bytes, dkm_len, NULL)) {
|
||||
BIO_printf(bio_err, "EVP_KDF_derive failed\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (out_bin) {
|
||||
BIO_write(out, dkm_bytes, dkm_len);
|
||||
} else {
|
||||
hexout = OPENSSL_buf2hexstr(dkm_bytes, dkm_len);
|
||||
if (hexout == NULL) {
|
||||
BIO_printf(bio_err, "Memory allocation failure\n");
|
||||
goto err;
|
||||
}
|
||||
BIO_printf(out, "%s\n\n", hexout);
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
err:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_clear_free(dkm_bytes, dkm_len);
|
||||
sk_OPENSSL_STRING_free(opts);
|
||||
EVP_KDF_free(kdf);
|
||||
EVP_KDF_CTX_free(ctx);
|
||||
BIO_free(out);
|
||||
OPENSSL_free(hexout);
|
||||
OPENSSL_free(cipher);
|
||||
OPENSSL_free(digest);
|
||||
OPENSSL_free(mac);
|
||||
return ret;
|
||||
}
|
48
apps/lib/app_libctx.c
Normal file
48
apps/lib/app_libctx.c
Normal file
|
@ -0,0 +1,48 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#include "app_libctx.h"
|
||||
#include "apps.h"
|
||||
|
||||
static OSSL_LIB_CTX *app_libctx = NULL;
|
||||
static const char *app_propq = NULL;
|
||||
|
||||
int app_set_propq(const char *arg)
|
||||
{
|
||||
app_propq = arg;
|
||||
return 1;
|
||||
}
|
||||
|
||||
const char *app_get0_propq(void)
|
||||
{
|
||||
return app_propq;
|
||||
}
|
||||
|
||||
OSSL_LIB_CTX *app_get0_libctx(void)
|
||||
{
|
||||
return app_libctx;
|
||||
}
|
||||
|
||||
OSSL_LIB_CTX *app_create_libctx(void)
|
||||
{
|
||||
/*
|
||||
* Load the NULL provider into the default library context and create a
|
||||
* library context which will then be used for any OPT_PROV options.
|
||||
*/
|
||||
if (app_libctx == NULL) {
|
||||
if (!app_provider_load(NULL, "null")) {
|
||||
opt_printf_stderr( "Failed to create null provider\n");
|
||||
return NULL;
|
||||
}
|
||||
app_libctx = OSSL_LIB_CTX_new();
|
||||
}
|
||||
if (app_libctx == NULL)
|
||||
opt_printf_stderr("Failed to create library context\n");
|
||||
return app_libctx;
|
||||
}
|
||||
|
132
apps/lib/app_params.c
Normal file
132
apps/lib/app_params.c
Normal file
|
@ -0,0 +1,132 @@
|
|||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include "app_params.h"
|
||||
|
||||
static int describe_param_type(char *buf, size_t bufsz, const OSSL_PARAM *param)
|
||||
{
|
||||
const char *type_mod = "";
|
||||
const char *type = NULL;
|
||||
int show_type_number = 0;
|
||||
int printed_len;
|
||||
|
||||
switch (param->data_type) {
|
||||
case OSSL_PARAM_UNSIGNED_INTEGER:
|
||||
type_mod = "unsigned ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_INTEGER:
|
||||
type = "integer";
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_PTR:
|
||||
type_mod = "pointer to a ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_UTF8_STRING:
|
||||
type = "UTF8 encoded string";
|
||||
break;
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
type_mod = "pointer to an ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_OCTET_STRING:
|
||||
type = "octet string";
|
||||
break;
|
||||
default:
|
||||
type = "unknown type";
|
||||
show_type_number = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
printed_len = BIO_snprintf(buf, bufsz, "%s: ", param->key);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
printed_len = BIO_snprintf(buf, bufsz, "%s%s", type_mod, type);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
if (show_type_number) {
|
||||
printed_len = BIO_snprintf(buf, bufsz, " [%d]", param->data_type);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
}
|
||||
if (param->data_size == 0)
|
||||
printed_len = BIO_snprintf(buf, bufsz, " (arbitrary size)");
|
||||
else
|
||||
printed_len = BIO_snprintf(buf, bufsz, " (max %zu bytes large)",
|
||||
param->data_size);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
*buf = '\0';
|
||||
return 1;
|
||||
}
|
||||
|
||||
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent)
|
||||
{
|
||||
if (pdefs == NULL) {
|
||||
return 1;
|
||||
} else if (pdefs->key == NULL) {
|
||||
/*
|
||||
* An empty list? This shouldn't happen, but let's just make sure to
|
||||
* say something if there's a badly written provider...
|
||||
*/
|
||||
BIO_printf(bio_out, "%*sEmpty list of %s (!!!)\n", indent, "", thing);
|
||||
} else {
|
||||
BIO_printf(bio_out, "%*s%s:\n", indent, "", thing);
|
||||
for (; pdefs->key != NULL; pdefs++) {
|
||||
char buf[200]; /* This should be ample space */
|
||||
|
||||
describe_param_type(buf, sizeof(buf), pdefs);
|
||||
BIO_printf(bio_out, "%*s %s\n", indent, "", buf);
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void print_param_value(const OSSL_PARAM *p, int indent)
|
||||
{
|
||||
int64_t i;
|
||||
uint64_t u;
|
||||
|
||||
printf("%*s%s: ", indent, "", p->key);
|
||||
switch (p->data_type) {
|
||||
case OSSL_PARAM_UNSIGNED_INTEGER:
|
||||
if (OSSL_PARAM_get_uint64(p, &u))
|
||||
BIO_printf(bio_out, "%llu\n", (unsigned long long int)u);
|
||||
else
|
||||
BIO_printf(bio_out, "error getting value\n");
|
||||
break;
|
||||
case OSSL_PARAM_INTEGER:
|
||||
if (OSSL_PARAM_get_int64(p, &i))
|
||||
BIO_printf(bio_out, "%lld\n", (long long int)i);
|
||||
else
|
||||
BIO_printf(bio_out, "error getting value\n");
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_PTR:
|
||||
BIO_printf(bio_out, "'%s'\n", *(char **)(p->data));
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_STRING:
|
||||
BIO_printf(bio_out, "'%s'\n", (char *)p->data);
|
||||
break;
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
case OSSL_PARAM_OCTET_STRING:
|
||||
BIO_printf(bio_out, "<%zu bytes>\n", p->data_size);
|
||||
break;
|
||||
default:
|
||||
BIO_printf(bio_out, "unknown type (%u) of %zu bytes\n",
|
||||
p->data_type, p->data_size);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
92
apps/lib/app_provider.c
Normal file
92
apps/lib/app_provider.c
Normal file
|
@ -0,0 +1,92 @@
|
|||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include <string.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/safestack.h>
|
||||
|
||||
/* Non-zero if any of the provider options have been seen */
|
||||
static int provider_option_given = 0;
|
||||
|
||||
DEFINE_STACK_OF(OSSL_PROVIDER)
|
||||
|
||||
/*
|
||||
* See comments in opt_verify for explanation of this.
|
||||
*/
|
||||
enum prov_range { OPT_PROV_ENUM };
|
||||
|
||||
static STACK_OF(OSSL_PROVIDER) *app_providers = NULL;
|
||||
|
||||
static void provider_free(OSSL_PROVIDER *prov)
|
||||
{
|
||||
OSSL_PROVIDER_unload(prov);
|
||||
}
|
||||
|
||||
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
|
||||
{
|
||||
OSSL_PROVIDER *prov;
|
||||
|
||||
prov = OSSL_PROVIDER_load(libctx, provider_name);
|
||||
if (prov == NULL) {
|
||||
opt_printf_stderr("%s: unable to load provider %s\n"
|
||||
"Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n",
|
||||
opt_getprog(), provider_name);
|
||||
ERR_print_errors(bio_err);
|
||||
return 0;
|
||||
}
|
||||
if (app_providers == NULL)
|
||||
app_providers = sk_OSSL_PROVIDER_new_null();
|
||||
if (app_providers == NULL
|
||||
|| !sk_OSSL_PROVIDER_push(app_providers, prov)) {
|
||||
app_providers_cleanup();
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void app_providers_cleanup(void)
|
||||
{
|
||||
sk_OSSL_PROVIDER_pop_free(app_providers, provider_free);
|
||||
app_providers = NULL;
|
||||
}
|
||||
|
||||
static int opt_provider_path(const char *path)
|
||||
{
|
||||
if (path != NULL && *path == '\0')
|
||||
path = NULL;
|
||||
return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
|
||||
}
|
||||
|
||||
int opt_provider(int opt)
|
||||
{
|
||||
const int given = provider_option_given;
|
||||
|
||||
provider_option_given = 1;
|
||||
switch ((enum prov_range)opt) {
|
||||
case OPT_PROV__FIRST:
|
||||
case OPT_PROV__LAST:
|
||||
return 1;
|
||||
case OPT_PROV_PROVIDER:
|
||||
return app_provider_load(app_get0_libctx(), opt_arg());
|
||||
case OPT_PROV_PROVIDER_PATH:
|
||||
return opt_provider_path(opt_arg());
|
||||
case OPT_PROV_PROPQUERY:
|
||||
return app_set_propq(opt_arg());
|
||||
}
|
||||
/* Should never get here but if we do, undo what we did earlier */
|
||||
provider_option_given = given;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_provider_option_given(void)
|
||||
{
|
||||
return provider_option_given;
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -14,6 +14,7 @@
|
|||
#include <openssl/conf.h>
|
||||
|
||||
static char *save_rand_file;
|
||||
static STACK_OF(OPENSSL_STRING) *randfiles;
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section)
|
||||
{
|
||||
|
@ -27,8 +28,14 @@ void app_RAND_load_conf(CONF *c, const char *section)
|
|||
BIO_printf(bio_err, "Can't load %s into RNG\n", randfile);
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
if (save_rand_file == NULL)
|
||||
if (save_rand_file == NULL) {
|
||||
save_rand_file = OPENSSL_strdup(randfile);
|
||||
/* If some internal memory errors have occurred */
|
||||
if (save_rand_file == NULL) {
|
||||
BIO_printf(bio_err, "Can't duplicate %s\n", randfile);
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int loadfiles(char *name)
|
||||
|
@ -57,16 +64,34 @@ static int loadfiles(char *name)
|
|||
return ret;
|
||||
}
|
||||
|
||||
void app_RAND_write(void)
|
||||
int app_RAND_load(void)
|
||||
{
|
||||
char *p;
|
||||
int i, ret = 1;
|
||||
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) {
|
||||
p = sk_OPENSSL_STRING_value(randfiles, i);
|
||||
if (!loadfiles(p))
|
||||
ret = 0;
|
||||
}
|
||||
sk_OPENSSL_STRING_free(randfiles);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int app_RAND_write(void)
|
||||
{
|
||||
int ret = 1;
|
||||
|
||||
if (save_rand_file == NULL)
|
||||
return;
|
||||
return 1;
|
||||
if (RAND_write_file(save_rand_file) == -1) {
|
||||
BIO_printf(bio_err, "Cannot write random bytes:\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 0;
|
||||
}
|
||||
OPENSSL_free(save_rand_file);
|
||||
save_rand_file = NULL;
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
|
@ -82,11 +107,17 @@ int opt_rand(int opt)
|
|||
case OPT_R__LAST:
|
||||
break;
|
||||
case OPT_R_RAND:
|
||||
return loadfiles(opt_arg());
|
||||
if (randfiles == NULL
|
||||
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
return 0;
|
||||
if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
|
||||
return 0;
|
||||
break;
|
||||
case OPT_R_WRITERAND:
|
||||
OPENSSL_free(save_rand_file);
|
||||
save_rand_file = OPENSSL_strdup(opt_arg());
|
||||
if (save_rand_file == NULL)
|
||||
return 0;
|
||||
break;
|
||||
}
|
||||
return 1;
|
137
apps/lib/app_x509.c
Normal file
137
apps/lib/app_x509.c
Normal file
|
@ -0,0 +1,137 @@
|
|||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
|
||||
/*
|
||||
* X509_ctrl_str() is sorely lacking in libcrypto, but is still needed to
|
||||
* allow the application to process verification options in a manner similar
|
||||
* to signature or other options that pass through EVP_PKEY_CTX_ctrl_str(),
|
||||
* for uniformity.
|
||||
*
|
||||
* As soon as more stuff is added, the code will need serious rework. For
|
||||
* the moment, it only handles the FIPS 196 / SM2 distinguishing ID.
|
||||
*/
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
|
||||
{
|
||||
ASN1_OCTET_STRING *v = ASN1_OCTET_STRING_new();
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err, "error: allocation failed\n");
|
||||
} else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
|
||||
ASN1_OCTET_STRING_free(v);
|
||||
v = NULL;
|
||||
}
|
||||
return v;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int x509_ctrl(void *object, int cmd, void *value, size_t value_n)
|
||||
{
|
||||
switch (cmd) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
case EVP_PKEY_CTRL_SET1_ID:
|
||||
{
|
||||
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"error: setting distinguishing ID in certificate failed\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
X509_set0_distinguishing_id(object, v);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return -2; /* typical EVP_PKEY return for "unsupported" */
|
||||
}
|
||||
|
||||
static int x509_req_ctrl(void *object, int cmd, void *value, size_t value_n)
|
||||
{
|
||||
switch (cmd) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
case EVP_PKEY_CTRL_SET1_ID:
|
||||
{
|
||||
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"error: setting distinguishing ID in certificate signing request failed\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
X509_REQ_set0_distinguishing_id(object, v);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return -2; /* typical EVP_PKEY return for "unsupported" */
|
||||
}
|
||||
|
||||
static int do_x509_ctrl_string(int (*ctrl)(void *object, int cmd,
|
||||
void *value, size_t value_n),
|
||||
void *object, const char *value)
|
||||
{
|
||||
int rv = 0;
|
||||
char *stmp, *vtmp = NULL;
|
||||
size_t vtmp_len = 0;
|
||||
int cmd = 0; /* Will get command values that make sense somehow */
|
||||
|
||||
stmp = OPENSSL_strdup(value);
|
||||
if (stmp == NULL)
|
||||
return -1;
|
||||
vtmp = strchr(stmp, ':');
|
||||
if (vtmp != NULL) {
|
||||
*vtmp = 0;
|
||||
vtmp++;
|
||||
vtmp_len = strlen(vtmp);
|
||||
}
|
||||
|
||||
if (strcmp(stmp, "distid") == 0) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
cmd = EVP_PKEY_CTRL_SET1_ID; /* ... except we put it in X509 */
|
||||
#endif
|
||||
} else if (strcmp(stmp, "hexdistid") == 0) {
|
||||
if (vtmp != NULL) {
|
||||
void *hexid;
|
||||
long hexid_len = 0;
|
||||
|
||||
hexid = OPENSSL_hexstr2buf((const char *)vtmp, &hexid_len);
|
||||
OPENSSL_free(stmp);
|
||||
stmp = vtmp = hexid;
|
||||
vtmp_len = (size_t)hexid_len;
|
||||
}
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
cmd = EVP_PKEY_CTRL_SET1_ID; /* ... except we put it in X509 */
|
||||
#endif
|
||||
}
|
||||
|
||||
rv = ctrl(object, cmd, vtmp, vtmp_len);
|
||||
|
||||
OPENSSL_free(stmp);
|
||||
return rv;
|
||||
}
|
||||
|
||||
int x509_ctrl_string(X509 *x, const char *value)
|
||||
{
|
||||
return do_x509_ctrl_string(x509_ctrl, x, value);
|
||||
}
|
||||
|
||||
int x509_req_ctrl_string(X509_REQ *x, const char *value)
|
||||
{
|
||||
return do_x509_ctrl_string(x509_req_ctrl, x, value);
|
||||
}
|
File diff suppressed because it is too large
Load diff
223
apps/lib/apps_ui.c
Normal file
223
apps/lib/apps_ui.c
Normal file
|
@ -0,0 +1,223 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ui.h>
|
||||
#include "apps_ui.h"
|
||||
|
||||
static UI_METHOD *ui_method = NULL;
|
||||
static const UI_METHOD *ui_base_method = NULL;
|
||||
|
||||
static int ui_open(UI *ui)
|
||||
{
|
||||
int (*opener)(UI *ui) = UI_method_get_opener(ui_base_method);
|
||||
|
||||
if (opener != NULL)
|
||||
return opener(ui);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_read(UI *ui, UI_STRING *uis)
|
||||
{
|
||||
int (*reader)(UI *ui, UI_STRING *uis) = NULL;
|
||||
|
||||
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
||||
&& UI_get0_user_data(ui)) {
|
||||
switch (UI_get_string_type(uis)) {
|
||||
case UIT_PROMPT:
|
||||
case UIT_VERIFY:
|
||||
{
|
||||
const char *password =
|
||||
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
||||
|
||||
if (password != NULL) {
|
||||
UI_set_result(ui, uis, password);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case UIT_NONE:
|
||||
case UIT_BOOLEAN:
|
||||
case UIT_INFO:
|
||||
case UIT_ERROR:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
reader = UI_method_get_reader(ui_base_method);
|
||||
if (reader != NULL)
|
||||
return reader(ui, uis);
|
||||
/* Default to the empty password if we've got nothing better */
|
||||
UI_set_result(ui, uis, "");
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_write(UI *ui, UI_STRING *uis)
|
||||
{
|
||||
int (*writer)(UI *ui, UI_STRING *uis) = NULL;
|
||||
|
||||
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
||||
&& UI_get0_user_data(ui)) {
|
||||
switch (UI_get_string_type(uis)) {
|
||||
case UIT_PROMPT:
|
||||
case UIT_VERIFY:
|
||||
{
|
||||
const char *password =
|
||||
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
||||
|
||||
if (password != NULL)
|
||||
return 1;
|
||||
}
|
||||
break;
|
||||
case UIT_NONE:
|
||||
case UIT_BOOLEAN:
|
||||
case UIT_INFO:
|
||||
case UIT_ERROR:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
writer = UI_method_get_writer(ui_base_method);
|
||||
if (writer != NULL)
|
||||
return writer(ui, uis);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_close(UI *ui)
|
||||
{
|
||||
int (*closer)(UI *ui) = UI_method_get_closer(ui_base_method);
|
||||
|
||||
if (closer != NULL)
|
||||
return closer(ui);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* object_name defaults to prompt_info from ui user data if present */
|
||||
static char *ui_prompt_construct(UI *ui, const char *phrase_desc,
|
||||
const char *object_name)
|
||||
{
|
||||
PW_CB_DATA *cb_data = (PW_CB_DATA *)UI_get0_user_data(ui);
|
||||
|
||||
if (phrase_desc == NULL)
|
||||
phrase_desc = "pass phrase";
|
||||
if (object_name == NULL && cb_data != NULL)
|
||||
object_name = cb_data->prompt_info;
|
||||
return UI_construct_prompt(NULL, phrase_desc, object_name);
|
||||
}
|
||||
|
||||
int set_base_ui_method(const UI_METHOD *ui_meth)
|
||||
{
|
||||
if (ui_meth == NULL)
|
||||
ui_meth = UI_null();
|
||||
ui_base_method = ui_meth;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int setup_ui_method(void)
|
||||
{
|
||||
ui_base_method = UI_null();
|
||||
#ifndef OPENSSL_NO_UI_CONSOLE
|
||||
ui_base_method = UI_OpenSSL();
|
||||
#endif
|
||||
ui_method = UI_create_method("OpenSSL application user interface");
|
||||
return ui_method != NULL
|
||||
&& 0 == UI_method_set_opener(ui_method, ui_open)
|
||||
&& 0 == UI_method_set_reader(ui_method, ui_read)
|
||||
&& 0 == UI_method_set_writer(ui_method, ui_write)
|
||||
&& 0 == UI_method_set_closer(ui_method, ui_close)
|
||||
&& 0 == UI_method_set_prompt_constructor(ui_method,
|
||||
ui_prompt_construct);
|
||||
}
|
||||
|
||||
void destroy_ui_method(void)
|
||||
{
|
||||
if (ui_method != NULL) {
|
||||
UI_destroy_method(ui_method);
|
||||
ui_method = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
const UI_METHOD *get_ui_method(void)
|
||||
{
|
||||
return ui_method;
|
||||
}
|
||||
|
||||
static void *ui_malloc(int sz, const char *what)
|
||||
{
|
||||
void *vp = OPENSSL_malloc(sz);
|
||||
|
||||
if (vp == NULL) {
|
||||
BIO_printf(bio_err, "Could not allocate %d bytes for %s\n", sz, what);
|
||||
ERR_print_errors(bio_err);
|
||||
exit(1);
|
||||
}
|
||||
return vp;
|
||||
}
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data)
|
||||
{
|
||||
int res = 0;
|
||||
UI *ui;
|
||||
int ok = 0;
|
||||
char *buff = NULL;
|
||||
int ui_flags = 0;
|
||||
const char *prompt_info = NULL;
|
||||
char *prompt;
|
||||
|
||||
if ((ui = UI_new_method(ui_method)) == NULL)
|
||||
return 0;
|
||||
|
||||
if (cb_data != NULL && cb_data->prompt_info != NULL)
|
||||
prompt_info = cb_data->prompt_info;
|
||||
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
||||
if (prompt == NULL) {
|
||||
BIO_printf(bio_err, "Out of memory\n");
|
||||
UI_free(ui);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
|
||||
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
|
||||
|
||||
/* We know that there is no previous user data to return to us */
|
||||
(void)UI_add_user_data(ui, cb_data);
|
||||
|
||||
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
||||
PW_MIN_LENGTH, bufsiz - 1);
|
||||
|
||||
if (ok >= 0 && verify) {
|
||||
buff = ui_malloc(bufsiz, "password buffer");
|
||||
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
||||
PW_MIN_LENGTH, bufsiz - 1, buf);
|
||||
}
|
||||
if (ok >= 0)
|
||||
do {
|
||||
ok = UI_process(ui);
|
||||
} while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
|
||||
|
||||
OPENSSL_clear_free(buff, (unsigned int)bufsiz);
|
||||
|
||||
if (ok >= 0)
|
||||
res = strlen(buf);
|
||||
if (ok == -1) {
|
||||
BIO_printf(bio_err, "User interface error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
||||
res = 0;
|
||||
}
|
||||
if (ok == -2) {
|
||||
BIO_printf(bio_err, "aborted!\n");
|
||||
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
||||
res = 0;
|
||||
}
|
||||
UI_free(ui);
|
||||
OPENSSL_free(prompt);
|
||||
return res;
|
||||
}
|
23
apps/lib/build.info
Normal file
23
apps/lib/build.info
Normal file
|
@ -0,0 +1,23 @@
|
|||
# Auxiliary program source
|
||||
IF[{- $config{target} =~ /^(?:VC-|mingw|BC-)/ -}]
|
||||
# It's called 'init', but doesn't have much 'init' in it...
|
||||
$AUXLIBAPPSSRC=win32_init.c
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^vms-/ -}]
|
||||
$AUXLIBAPPSSRC=vms_term_sock.c vms_decc_argv.c
|
||||
ENDIF
|
||||
|
||||
# Source for libapps
|
||||
$LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \
|
||||
columns.c app_params.c names.c app_provider.c app_x509.c http_server.c \
|
||||
engine.c engine_loader.c app_libctx.c
|
||||
|
||||
IF[{- !$disabled{apps} -}]
|
||||
LIBS{noinst}=../libapps.a
|
||||
SOURCE[../libapps.a]=$LIBAPPSSRC $AUXLIBAPPSSRC
|
||||
INCLUDE[../libapps.a]=../.. ../../include ../include
|
||||
ENDIF
|
||||
|
||||
IF[{- !$disabled{srp} -}]
|
||||
SOURCE[../libapps.a]=tlssrp_depr.c
|
||||
ENDIF
|
450
apps/lib/cmp_mock_srv.c
Normal file
450
apps/lib/cmp_mock_srv.c
Normal file
|
@ -0,0 +1,450 @@
|
|||
/*
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Siemens AG 2018-2020
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or atf
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include "cmp_mock_srv.h"
|
||||
|
||||
#include <openssl/cmp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cmperr.h>
|
||||
|
||||
/* the context for the CMP mock server */
|
||||
typedef struct
|
||||
{
|
||||
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
|
||||
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
|
||||
STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
|
||||
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
|
||||
int sendError; /* send error response also on valid requests */
|
||||
OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
|
||||
int certReqId; /* id of last ir/cr/kur, used for polling */
|
||||
int pollCount; /* number of polls before actual cert response */
|
||||
int curr_pollCount; /* number of polls so far for current request */
|
||||
int checkAfterTime; /* time the client should wait between polling */
|
||||
} mock_srv_ctx;
|
||||
|
||||
|
||||
static void mock_srv_ctx_free(mock_srv_ctx *ctx)
|
||||
{
|
||||
if (ctx == NULL)
|
||||
return;
|
||||
|
||||
OSSL_CMP_PKISI_free(ctx->statusOut);
|
||||
X509_free(ctx->certOut);
|
||||
sk_X509_pop_free(ctx->chainOut, X509_free);
|
||||
sk_X509_pop_free(ctx->caPubsOut, X509_free);
|
||||
OSSL_CMP_MSG_free(ctx->certReq);
|
||||
OPENSSL_free(ctx);
|
||||
}
|
||||
|
||||
static mock_srv_ctx *mock_srv_ctx_new(void)
|
||||
{
|
||||
mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
|
||||
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
|
||||
if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
|
||||
goto err;
|
||||
|
||||
ctx->certReqId = -1;
|
||||
|
||||
/* all other elements are initialized to 0 or NULL, respectively */
|
||||
return ctx;
|
||||
err:
|
||||
mock_srv_ctx_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (cert == NULL || X509_up_ref(cert)) {
|
||||
X509_free(ctx->certOut);
|
||||
ctx->certOut = cert;
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *chain)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
STACK_OF(X509) *chain_copy = NULL;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
|
||||
return 0;
|
||||
sk_X509_pop_free(ctx->chainOut, X509_free);
|
||||
ctx->chainOut = chain_copy;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *caPubs)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
STACK_OF(X509) *caPubs_copy = NULL;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
|
||||
return 0;
|
||||
sk_X509_pop_free(ctx->caPubsOut, X509_free);
|
||||
ctx->caPubsOut = caPubs_copy;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
|
||||
int fail_info, const char *text)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
OSSL_CMP_PKISI *si;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
|
||||
return 0;
|
||||
OSSL_CMP_PKISI_free(ctx->statusOut);
|
||||
ctx->statusOut = si;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
ctx->sendError = val != 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (count < 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
|
||||
return 0;
|
||||
}
|
||||
ctx->pollCount = count;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
ctx->checkAfterTime = sec;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *cert_req,
|
||||
int certReqId,
|
||||
const OSSL_CRMF_MSG *crm,
|
||||
const X509_REQ *p10cr,
|
||||
X509 **certOut,
|
||||
STACK_OF(X509) **chainOut,
|
||||
STACK_OF(X509) **caPubs)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
OSSL_CMP_PKISI *si = NULL;
|
||||
|
||||
if (ctx == NULL || cert_req == NULL
|
||||
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return NULL;
|
||||
}
|
||||
if (ctx->sendError) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
*certOut = NULL;
|
||||
*chainOut = NULL;
|
||||
*caPubs = NULL;
|
||||
ctx->certReqId = certReqId;
|
||||
|
||||
if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
|
||||
/* start polling */
|
||||
if (ctx->certReq != NULL) {
|
||||
/* already in polling mode */
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
|
||||
return NULL;
|
||||
}
|
||||
if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
|
||||
return NULL;
|
||||
return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
|
||||
}
|
||||
if (ctx->curr_pollCount >= ctx->pollCount)
|
||||
/* give final response after polling */
|
||||
ctx->curr_pollCount = 0;
|
||||
|
||||
if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
|
||||
&& crm != NULL && ctx->certOut != NULL) {
|
||||
const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
|
||||
const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
|
||||
const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
|
||||
|
||||
if (cid == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
if (issuer != NULL
|
||||
&& X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
if (serial != NULL
|
||||
&& ASN1_INTEGER_cmp(serial,
|
||||
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (ctx->certOut != NULL
|
||||
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->chainOut != NULL
|
||||
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->caPubsOut != NULL
|
||||
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->statusOut != NULL
|
||||
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
|
||||
goto err;
|
||||
return si;
|
||||
|
||||
err:
|
||||
X509_free(*certOut);
|
||||
*certOut = NULL;
|
||||
sk_X509_pop_free(*chainOut, X509_free);
|
||||
*chainOut = NULL;
|
||||
sk_X509_pop_free(*caPubs, X509_free);
|
||||
*caPubs = NULL;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *rr,
|
||||
const X509_NAME *issuer,
|
||||
const ASN1_INTEGER *serial)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || rr == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return NULL;
|
||||
}
|
||||
if (ctx->sendError || ctx->certOut == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Allow any RR derived from CSR, which may include subject and serial */
|
||||
if (issuer == NULL || serial == NULL)
|
||||
return OSSL_CMP_PKISI_dup(ctx->statusOut);
|
||||
|
||||
/* accept revocation only for the certificate we sent in ir/cr/kur */
|
||||
if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
|
||||
|| ASN1_INTEGER_cmp(serial,
|
||||
X509_get0_serialNumber(ctx->certOut)) != 0) {
|
||||
ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
|
||||
"wrong certificate to revoke");
|
||||
return NULL;
|
||||
}
|
||||
return OSSL_CMP_PKISI_dup(ctx->statusOut);
|
||||
}
|
||||
|
||||
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *genm,
|
||||
const STACK_OF(OSSL_CMP_ITAV) *in,
|
||||
STACK_OF(OSSL_CMP_ITAV) **out)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
|
||||
OSSL_CMP_ITAV_free);
|
||||
return *out != NULL;
|
||||
}
|
||||
|
||||
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
|
||||
const OSSL_CMP_PKISI *statusInfo,
|
||||
const ASN1_INTEGER *errorCode,
|
||||
const OSSL_CMP_PKIFREETEXT *errorDetails)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
char buf[OSSL_CMP_PKISI_BUFLEN];
|
||||
char *sibuf;
|
||||
int i;
|
||||
|
||||
if (ctx == NULL || error == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "mock server received error:\n");
|
||||
|
||||
if (statusInfo == NULL) {
|
||||
BIO_printf(bio_err, "pkiStatusInfo absent\n");
|
||||
} else {
|
||||
sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
|
||||
BIO_printf(bio_err, "pkiStatusInfo: %s\n",
|
||||
sibuf != NULL ? sibuf: "<invalid>");
|
||||
}
|
||||
|
||||
if (errorCode == NULL)
|
||||
BIO_printf(bio_err, "errorCode absent\n");
|
||||
else
|
||||
BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
|
||||
|
||||
if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
|
||||
BIO_printf(bio_err, "errorDetails absent\n");
|
||||
} else {
|
||||
BIO_printf(bio_err, "errorDetails: ");
|
||||
for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
|
||||
if (i > 0)
|
||||
BIO_printf(bio_err, ", ");
|
||||
BIO_printf(bio_err, "\"");
|
||||
ASN1_STRING_print(bio_err,
|
||||
sk_ASN1_UTF8STRING_value(errorDetails, i));
|
||||
BIO_printf(bio_err, "\"");
|
||||
}
|
||||
BIO_printf(bio_err, "\n");
|
||||
}
|
||||
}
|
||||
|
||||
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *certConf, int certReqId,
|
||||
const ASN1_OCTET_STRING *certHash,
|
||||
const OSSL_CMP_PKISI *si)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
ASN1_OCTET_STRING *digest;
|
||||
|
||||
if (ctx == NULL || certConf == NULL || certHash == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->sendError || ctx->certOut == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (certReqId != ctx->certReqId) {
|
||||
/* in case of error, invalid reqId -1 */
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
|
||||
return 0;
|
||||
if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
|
||||
ASN1_OCTET_STRING_free(digest);
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
|
||||
return 0;
|
||||
}
|
||||
ASN1_OCTET_STRING_free(digest);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *pollReq, int certReqId,
|
||||
OSSL_CMP_MSG **certReq, int64_t *check_after)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || pollReq == NULL
|
||||
|| certReq == NULL || check_after == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->sendError) {
|
||||
*certReq = NULL;
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->certReq == NULL) {
|
||||
/* not currently in polling mode */
|
||||
*certReq = NULL;
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (++ctx->curr_pollCount >= ctx->pollCount) {
|
||||
/* end polling */
|
||||
*certReq = ctx->certReq;
|
||||
ctx->certReq = NULL;
|
||||
*check_after = 0;
|
||||
} else {
|
||||
*certReq = NULL;
|
||||
*check_after = ctx->checkAfterTime;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
|
||||
mock_srv_ctx *ctx = mock_srv_ctx_new();
|
||||
|
||||
if (srv_ctx != NULL && ctx != NULL
|
||||
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
|
||||
process_rr, process_genm, process_error,
|
||||
process_certConf, process_pollReq))
|
||||
return srv_ctx;
|
||||
|
||||
mock_srv_ctx_free(ctx);
|
||||
OSSL_CMP_SRV_CTX_free(srv_ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
|
||||
{
|
||||
if (srv_ctx != NULL)
|
||||
mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
|
||||
OSSL_CMP_SRV_CTX_free(srv_ctx);
|
||||
}
|
27
apps/lib/columns.c
Normal file
27
apps/lib/columns.c
Normal file
|
@ -0,0 +1,27 @@
|
|||
/*
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
#include "function.h"
|
||||
|
||||
void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc)
|
||||
{
|
||||
FUNCTION *f;
|
||||
int len, maxlen = 0;
|
||||
|
||||
for (f = functions; f->name != NULL; ++f)
|
||||
if (f->type == FT_general || f->type == FT_md || f->type == FT_cipher)
|
||||
if ((len = strlen(f->name)) > maxlen)
|
||||
maxlen = len;
|
||||
|
||||
dc->width = maxlen + 2;
|
||||
dc->columns = (80 - 1) / dc->width;
|
||||
}
|
||||
|
193
apps/lib/engine.c
Normal file
193
apps/lib/engine.c
Normal file
|
@ -0,0 +1,193 @@
|
|||
/*
|
||||
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Here is a set of wrappers for the ENGINE API, which are no-ops when the
|
||||
* ENGINE API is disabled / removed.
|
||||
* We need to suppress deprecation warnings to make this work.
|
||||
*/
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <string.h> /* strcmp */
|
||||
|
||||
#include <openssl/types.h> /* Ensure we have the ENGINE type, regardless */
|
||||
#include <openssl/err.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
#include "apps.h"
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Try to load an engine in a shareable library */
|
||||
static ENGINE *try_load_engine(const char *engine)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
|
||||
if ((e = ENGINE_by_id("dynamic")) != NULL) {
|
||||
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
|
||||
|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
||||
ENGINE_free(e);
|
||||
e = NULL;
|
||||
}
|
||||
}
|
||||
return e;
|
||||
}
|
||||
#endif
|
||||
|
||||
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (id != NULL) {
|
||||
if (strcmp(id, "auto") == 0) {
|
||||
BIO_printf(bio_err, "Enabling auto ENGINE support\n");
|
||||
ENGINE_register_all_complete();
|
||||
return NULL;
|
||||
}
|
||||
if ((e = ENGINE_by_id(id)) == NULL
|
||||
&& (e = try_load_engine(id)) == NULL) {
|
||||
BIO_printf(bio_err, "Invalid engine \"%s\"\n", id);
|
||||
ERR_print_errors(bio_err);
|
||||
return NULL;
|
||||
}
|
||||
if (debug)
|
||||
(void)ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
|
||||
if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0,
|
||||
(void *)get_ui_method(), 0, 1)
|
||||
|| !ENGINE_set_default(e, methods)) {
|
||||
BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e));
|
||||
ERR_print_errors(bio_err);
|
||||
ENGINE_free(e);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "Engine \"%s\" set.\n", ENGINE_get_id(e));
|
||||
}
|
||||
#endif
|
||||
return e;
|
||||
}
|
||||
|
||||
void release_engine(ENGINE *e)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Free our "structural" reference. */
|
||||
ENGINE_free(e);
|
||||
#endif
|
||||
}
|
||||
|
||||
int init_engine(ENGINE *e)
|
||||
{
|
||||
int rv = 1;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
rv = ENGINE_init(e);
|
||||
#endif
|
||||
return rv;
|
||||
}
|
||||
|
||||
int finish_engine(ENGINE *e)
|
||||
{
|
||||
int rv = 1;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
rv = ENGINE_finish(e);
|
||||
#endif
|
||||
return rv;
|
||||
}
|
||||
|
||||
char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
|
||||
{
|
||||
char *new_uri = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (e == NULL) {
|
||||
BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
|
||||
} else if (key_id == NULL) {
|
||||
BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc);
|
||||
} else {
|
||||
const char *engineid = ENGINE_get_id(e);
|
||||
size_t uri_sz =
|
||||
sizeof(ENGINE_SCHEME_COLON) - 1
|
||||
+ strlen(engineid)
|
||||
+ 1 /* : */
|
||||
+ strlen(key_id)
|
||||
+ 1 /* \0 */
|
||||
;
|
||||
|
||||
new_uri = OPENSSL_malloc(uri_sz);
|
||||
if (new_uri != NULL) {
|
||||
OPENSSL_strlcpy(new_uri, ENGINE_SCHEME_COLON, uri_sz);
|
||||
OPENSSL_strlcat(new_uri, engineid, uri_sz);
|
||||
OPENSSL_strlcat(new_uri, ":", uri_sz);
|
||||
OPENSSL_strlcat(new_uri, key_id, uri_sz);
|
||||
}
|
||||
}
|
||||
#else
|
||||
BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
|
||||
#endif
|
||||
return new_uri;
|
||||
}
|
||||
|
||||
int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
|
||||
{
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ENGINE *tmpeng = NULL;
|
||||
int pkey_id = NID_undef;
|
||||
|
||||
ERR_set_mark();
|
||||
ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
|
||||
|
||||
#if !defined(OPENSSL_NO_ENGINE)
|
||||
ENGINE_finish(tmpeng);
|
||||
|
||||
if (ameth == NULL && e != NULL)
|
||||
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
|
||||
else
|
||||
#endif
|
||||
/* We're only interested if it comes from an ENGINE */
|
||||
if (tmpeng == NULL)
|
||||
ameth = NULL;
|
||||
|
||||
ERR_pop_to_mark();
|
||||
if (ameth == NULL)
|
||||
return NID_undef;
|
||||
|
||||
EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
|
||||
|
||||
return pkey_id;
|
||||
}
|
||||
|
||||
const EVP_MD *get_digest_from_engine(const char *name)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *eng;
|
||||
|
||||
eng = ENGINE_get_digest_engine(OBJ_sn2nid(name));
|
||||
if (eng != NULL) {
|
||||
ENGINE_finish(eng);
|
||||
return EVP_get_digestbyname(name);
|
||||
}
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const EVP_CIPHER *get_cipher_from_engine(const char *name)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *eng;
|
||||
|
||||
eng = ENGINE_get_cipher_engine(OBJ_sn2nid(name));
|
||||
if (eng != NULL) {
|
||||
ENGINE_finish(eng);
|
||||
return EVP_get_cipherbyname(name);
|
||||
}
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
203
apps/lib/engine_loader.c
Normal file
203
apps/lib/engine_loader.c
Normal file
|
@ -0,0 +1,203 @@
|
|||
/*
|
||||
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Here is an STORE loader for ENGINE backed keys. It relies on deprecated
|
||||
* functions, and therefore need to have deprecation warnings suppressed.
|
||||
* This file is not compiled at all in a '--api=3 no-deprecated' configuration.
|
||||
*/
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include "apps.h"
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
||||
# include <stdarg.h>
|
||||
# include <string.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/store.h>
|
||||
|
||||
/*
|
||||
* Support for legacy private engine keys via the 'org.openssl.engine:' scheme
|
||||
*
|
||||
* org.openssl.engine:{engineid}:{keyid}
|
||||
*
|
||||
* Note: we ONLY support ENGINE_load_private_key() and ENGINE_load_public_key()
|
||||
* Note 2: This scheme has a precedent in code in PKIX-SSH. for exactly
|
||||
* this sort of purpose.
|
||||
*/
|
||||
|
||||
/* Local definition of OSSL_STORE_LOADER_CTX */
|
||||
struct ossl_store_loader_ctx_st {
|
||||
ENGINE *e; /* Structural reference */
|
||||
char *keyid;
|
||||
int expected;
|
||||
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
|
||||
};
|
||||
|
||||
static OSSL_STORE_LOADER_CTX *OSSL_STORE_LOADER_CTX_new(ENGINE *e, char *keyid)
|
||||
{
|
||||
OSSL_STORE_LOADER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
||||
|
||||
if (ctx != NULL) {
|
||||
ctx->e = e;
|
||||
ctx->keyid = keyid;
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
|
||||
static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
if (ctx != NULL) {
|
||||
ENGINE_free(ctx->e);
|
||||
OPENSSL_free(ctx->keyid);
|
||||
OPENSSL_free(ctx);
|
||||
}
|
||||
}
|
||||
|
||||
static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
|
||||
const char *uri,
|
||||
const UI_METHOD *ui_method,
|
||||
void *ui_data)
|
||||
{
|
||||
const char *p = uri, *q;
|
||||
ENGINE *e = NULL;
|
||||
char *keyid = NULL;
|
||||
OSSL_STORE_LOADER_CTX *ctx = NULL;
|
||||
|
||||
if (OPENSSL_strncasecmp(p, ENGINE_SCHEME_COLON, sizeof(ENGINE_SCHEME_COLON) - 1)
|
||||
!= 0)
|
||||
return NULL;
|
||||
p += sizeof(ENGINE_SCHEME_COLON) - 1;
|
||||
|
||||
/* Look for engine ID */
|
||||
q = strchr(p, ':');
|
||||
if (q != NULL /* There is both an engine ID and a key ID */
|
||||
&& p[0] != ':' /* The engine ID is at least one character */
|
||||
&& q[1] != '\0') { /* The key ID is at least one character */
|
||||
char engineid[256];
|
||||
size_t engineid_l = q - p;
|
||||
|
||||
strncpy(engineid, p, engineid_l);
|
||||
engineid[engineid_l] = '\0';
|
||||
e = ENGINE_by_id(engineid);
|
||||
|
||||
keyid = OPENSSL_strdup(q + 1);
|
||||
}
|
||||
|
||||
if (e != NULL && keyid != NULL)
|
||||
ctx = OSSL_STORE_LOADER_CTX_new(e, keyid);
|
||||
|
||||
if (ctx == NULL) {
|
||||
OPENSSL_free(keyid);
|
||||
ENGINE_free(e);
|
||||
}
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
||||
static int engine_expect(OSSL_STORE_LOADER_CTX *ctx, int expected)
|
||||
{
|
||||
if (expected == 0
|
||||
|| expected == OSSL_STORE_INFO_PUBKEY
|
||||
|| expected == OSSL_STORE_INFO_PKEY) {
|
||||
ctx->expected = expected;
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
|
||||
const UI_METHOD *ui_method, void *ui_data)
|
||||
{
|
||||
EVP_PKEY *pkey = NULL, *pubkey = NULL;
|
||||
OSSL_STORE_INFO *info = NULL;
|
||||
|
||||
if (ctx->loaded == 0) {
|
||||
if (ENGINE_init(ctx->e)) {
|
||||
if (ctx->expected == 0
|
||||
|| ctx->expected == OSSL_STORE_INFO_PKEY)
|
||||
pkey =
|
||||
ENGINE_load_private_key(ctx->e, ctx->keyid,
|
||||
(UI_METHOD *)ui_method, ui_data);
|
||||
if ((pkey == NULL && ctx->expected == 0)
|
||||
|| ctx->expected == OSSL_STORE_INFO_PUBKEY)
|
||||
pubkey =
|
||||
ENGINE_load_public_key(ctx->e, ctx->keyid,
|
||||
(UI_METHOD *)ui_method, ui_data);
|
||||
ENGINE_finish(ctx->e);
|
||||
}
|
||||
}
|
||||
|
||||
ctx->loaded = 1;
|
||||
|
||||
if (pubkey != NULL)
|
||||
info = OSSL_STORE_INFO_new_PUBKEY(pubkey);
|
||||
else if (pkey != NULL)
|
||||
info = OSSL_STORE_INFO_new_PKEY(pkey);
|
||||
if (info == NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(pubkey);
|
||||
}
|
||||
return info;
|
||||
}
|
||||
|
||||
static int engine_eof(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
return ctx->loaded != 0;
|
||||
}
|
||||
|
||||
static int engine_error(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int engine_close(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
OSSL_STORE_LOADER_CTX_free(ctx);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int setup_engine_loader(void)
|
||||
{
|
||||
OSSL_STORE_LOADER *loader = NULL;
|
||||
|
||||
if ((loader = OSSL_STORE_LOADER_new(NULL, ENGINE_SCHEME)) == NULL
|
||||
|| !OSSL_STORE_LOADER_set_open(loader, engine_open)
|
||||
|| !OSSL_STORE_LOADER_set_expect(loader, engine_expect)
|
||||
|| !OSSL_STORE_LOADER_set_load(loader, engine_load)
|
||||
|| !OSSL_STORE_LOADER_set_eof(loader, engine_eof)
|
||||
|| !OSSL_STORE_LOADER_set_error(loader, engine_error)
|
||||
|| !OSSL_STORE_LOADER_set_close(loader, engine_close)
|
||||
|| !OSSL_STORE_register_loader(loader)) {
|
||||
OSSL_STORE_LOADER_free(loader);
|
||||
loader = NULL;
|
||||
}
|
||||
|
||||
return loader != NULL;
|
||||
}
|
||||
|
||||
void destroy_engine_loader(void)
|
||||
{
|
||||
OSSL_STORE_LOADER *loader = OSSL_STORE_unregister_loader(ENGINE_SCHEME);
|
||||
OSSL_STORE_LOADER_free(loader);
|
||||
}
|
||||
|
||||
#else /* !OPENSSL_NO_ENGINE */
|
||||
|
||||
int setup_engine_loader(void)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
void destroy_engine_loader(void)
|
||||
{
|
||||
}
|
||||
|
||||
#endif
|
15
apps/lib/fmt.c
Normal file
15
apps/lib/fmt.c
Normal file
|
@ -0,0 +1,15 @@
|
|||
/*
|
||||
* Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "fmt.h"
|
||||
|
||||
int FMT_istext(int format)
|
||||
{
|
||||
return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT;
|
||||
}
|
533
apps/lib/http_server.c
Normal file
533
apps/lib/http_server.c
Normal file
|
@ -0,0 +1,533 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/* Very basic HTTP server */
|
||||
|
||||
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
||||
/*
|
||||
* On VMS, you need to define this to get the declaration of fileno(). The
|
||||
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
|
||||
*/
|
||||
# define _POSIX_C_SOURCE 2
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
#include "http_server.h"
|
||||
#include "internal/sockets.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include "s_apps.h"
|
||||
|
||||
#if defined(__TANDEM)
|
||||
# if defined(OPENSSL_TANDEM_FLOSS)
|
||||
# include <floss.h(floss_fork)>
|
||||
# endif
|
||||
#endif
|
||||
|
||||
static int verbosity = LOG_INFO;
|
||||
|
||||
#define HTTP_PREFIX "HTTP/"
|
||||
#define HTTP_VERSION_PATT "1." /* allow 1.x */
|
||||
#define HTTP_PREFIX_VERSION HTTP_PREFIX""HTTP_VERSION_PATT
|
||||
#define HTTP_1_0 HTTP_PREFIX_VERSION"0" /* "HTTP/1.0" */
|
||||
|
||||
#ifdef HTTP_DAEMON
|
||||
|
||||
int multi = 0; /* run multiple responder processes */
|
||||
int acfd = (int) INVALID_SOCKET;
|
||||
|
||||
static int print_syslog(const char *str, size_t len, void *levPtr)
|
||||
{
|
||||
int level = *(int *)levPtr;
|
||||
int ilen = len > MAXERRLEN ? MAXERRLEN : len;
|
||||
|
||||
syslog(level, "%.*s", ilen, str);
|
||||
|
||||
return ilen;
|
||||
}
|
||||
#endif
|
||||
|
||||
void log_message(const char *prog, int level, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
if (verbosity < level)
|
||||
return;
|
||||
|
||||
va_start(ap, fmt);
|
||||
#ifdef HTTP_DAEMON
|
||||
if (multi) {
|
||||
char buf[1024];
|
||||
|
||||
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0)
|
||||
syslog(level, "%s", buf);
|
||||
if (level <= LOG_ERR)
|
||||
ERR_print_errors_cb(print_syslog, &level);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
BIO_printf(bio_err, "%s: ", prog);
|
||||
BIO_vprintf(bio_err, fmt, ap);
|
||||
BIO_printf(bio_err, "\n");
|
||||
(void)BIO_flush(bio_err);
|
||||
}
|
||||
va_end(ap);
|
||||
}
|
||||
|
||||
#ifdef HTTP_DAEMON
|
||||
void socket_timeout(int signum)
|
||||
{
|
||||
if (acfd != (int)INVALID_SOCKET)
|
||||
(void)shutdown(acfd, SHUT_RD);
|
||||
}
|
||||
|
||||
static void killall(int ret, pid_t *kidpids)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < multi; ++i)
|
||||
if (kidpids[i] != 0)
|
||||
(void)kill(kidpids[i], SIGTERM);
|
||||
OPENSSL_free(kidpids);
|
||||
ossl_sleep(1000);
|
||||
exit(ret);
|
||||
}
|
||||
|
||||
static int termsig = 0;
|
||||
|
||||
static void noteterm(int sig)
|
||||
{
|
||||
termsig = sig;
|
||||
}
|
||||
|
||||
/*
|
||||
* Loop spawning up to `multi` child processes, only child processes return
|
||||
* from this function. The parent process loops until receiving a termination
|
||||
* signal, kills extant children and exits without returning.
|
||||
*/
|
||||
void spawn_loop(const char *prog)
|
||||
{
|
||||
pid_t *kidpids = NULL;
|
||||
int status;
|
||||
int procs = 0;
|
||||
int i;
|
||||
|
||||
openlog(prog, LOG_PID, LOG_DAEMON);
|
||||
|
||||
if (setpgid(0, 0)) {
|
||||
syslog(LOG_ERR, "fatal: error detaching from parent process group: %s",
|
||||
strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
kidpids = app_malloc(multi * sizeof(*kidpids), "child PID array");
|
||||
for (i = 0; i < multi; ++i)
|
||||
kidpids[i] = 0;
|
||||
|
||||
signal(SIGINT, noteterm);
|
||||
signal(SIGTERM, noteterm);
|
||||
|
||||
while (termsig == 0) {
|
||||
pid_t fpid;
|
||||
|
||||
/*
|
||||
* Wait for a child to replace when we're at the limit.
|
||||
* Slow down if a child exited abnormally or waitpid() < 0
|
||||
*/
|
||||
while (termsig == 0 && procs >= multi) {
|
||||
if ((fpid = waitpid(-1, &status, 0)) > 0) {
|
||||
for (i = 0; i < procs; ++i) {
|
||||
if (kidpids[i] == fpid) {
|
||||
kidpids[i] = 0;
|
||||
--procs;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i >= multi) {
|
||||
syslog(LOG_ERR, "fatal: internal error: "
|
||||
"no matching child slot for pid: %ld",
|
||||
(long) fpid);
|
||||
killall(1, kidpids);
|
||||
}
|
||||
if (status != 0) {
|
||||
if (WIFEXITED(status))
|
||||
syslog(LOG_WARNING, "child process: %ld, exit status: %d",
|
||||
(long)fpid, WEXITSTATUS(status));
|
||||
else if (WIFSIGNALED(status))
|
||||
syslog(LOG_WARNING, "child process: %ld, term signal %d%s",
|
||||
(long)fpid, WTERMSIG(status),
|
||||
# ifdef WCOREDUMP
|
||||
WCOREDUMP(status) ? " (core dumped)" :
|
||||
# endif
|
||||
"");
|
||||
ossl_sleep(1000);
|
||||
}
|
||||
break;
|
||||
} else if (errno != EINTR) {
|
||||
syslog(LOG_ERR, "fatal: waitpid(): %s", strerror(errno));
|
||||
killall(1, kidpids);
|
||||
}
|
||||
}
|
||||
if (termsig)
|
||||
break;
|
||||
|
||||
switch (fpid = fork()) {
|
||||
case -1: /* error */
|
||||
/* System critically low on memory, pause and try again later */
|
||||
ossl_sleep(30000);
|
||||
break;
|
||||
case 0: /* child */
|
||||
OPENSSL_free(kidpids);
|
||||
signal(SIGINT, SIG_DFL);
|
||||
signal(SIGTERM, SIG_DFL);
|
||||
if (termsig)
|
||||
_exit(0);
|
||||
if (RAND_poll() <= 0) {
|
||||
syslog(LOG_ERR, "fatal: RAND_poll() failed");
|
||||
_exit(1);
|
||||
}
|
||||
return;
|
||||
default: /* parent */
|
||||
for (i = 0; i < multi; ++i) {
|
||||
if (kidpids[i] == 0) {
|
||||
kidpids[i] = fpid;
|
||||
procs++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i >= multi) {
|
||||
syslog(LOG_ERR, "fatal: internal error: no free child slots");
|
||||
killall(1, kidpids);
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* The loop above can only break on termsig */
|
||||
syslog(LOG_INFO, "terminating on signal: %d", termsig);
|
||||
killall(0, kidpids);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
BIO *http_server_init_bio(const char *prog, const char *port)
|
||||
{
|
||||
BIO *acbio = NULL, *bufbio;
|
||||
int asock;
|
||||
|
||||
bufbio = BIO_new(BIO_f_buffer());
|
||||
if (bufbio == NULL)
|
||||
goto err;
|
||||
acbio = BIO_new(BIO_s_accept());
|
||||
if (acbio == NULL
|
||||
|| BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
|
||||
|| BIO_set_accept_port(acbio, port) < 0) {
|
||||
log_message(prog, LOG_ERR, "Error setting up accept BIO");
|
||||
goto err;
|
||||
}
|
||||
|
||||
BIO_set_accept_bios(acbio, bufbio);
|
||||
bufbio = NULL;
|
||||
if (BIO_do_accept(acbio) <= 0) {
|
||||
log_message(prog, LOG_ERR, "Error starting accept");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Report back what address and port are used */
|
||||
BIO_get_fd(acbio, &asock);
|
||||
if (!report_server_accept(bio_out, asock, 1, 1)) {
|
||||
log_message(prog, LOG_ERR, "Error printing ACCEPT string");
|
||||
goto err;
|
||||
}
|
||||
|
||||
return acbio;
|
||||
|
||||
err:
|
||||
BIO_free_all(acbio);
|
||||
BIO_free(bufbio);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Decode %xx URL-decoding in-place. Ignores malformed sequences.
|
||||
*/
|
||||
static int urldecode(char *p)
|
||||
{
|
||||
unsigned char *out = (unsigned char *)p;
|
||||
unsigned char *save = out;
|
||||
|
||||
for (; *p; p++) {
|
||||
if (*p != '%') {
|
||||
*out++ = *p;
|
||||
} else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
|
||||
/* Don't check, can't fail because of ixdigit() call. */
|
||||
*out++ = (OPENSSL_hexchar2int(p[1]) << 4)
|
||||
| OPENSSL_hexchar2int(p[2]);
|
||||
p += 2;
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
*out = '\0';
|
||||
return (int)(out - save);
|
||||
}
|
||||
|
||||
/* if *pcbio != NULL, continue given connected session, else accept new */
|
||||
/* if found_keep_alive != NULL, return this way connection persistence state */
|
||||
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
|
||||
char **ppath, BIO **pcbio, BIO *acbio,
|
||||
int *found_keep_alive,
|
||||
const char *prog, const char *port,
|
||||
int accept_get, int timeout)
|
||||
{
|
||||
BIO *cbio = *pcbio, *getbio = NULL, *b64 = NULL;
|
||||
int len;
|
||||
char reqbuf[2048], inbuf[2048];
|
||||
char *meth, *url, *end;
|
||||
ASN1_VALUE *req;
|
||||
int ret = 0;
|
||||
|
||||
*preq = NULL;
|
||||
if (ppath != NULL)
|
||||
*ppath = NULL;
|
||||
|
||||
if (cbio == NULL) {
|
||||
log_message(prog, LOG_DEBUG,
|
||||
"Awaiting new connection on port %s...", port);
|
||||
if (BIO_do_accept(acbio) <= 0)
|
||||
/* Connection loss before accept() is routine, ignore silently */
|
||||
return ret;
|
||||
|
||||
*pcbio = cbio = BIO_pop(acbio);
|
||||
} else {
|
||||
log_message(prog, LOG_DEBUG, "Awaiting next request...");
|
||||
}
|
||||
if (cbio == NULL) {
|
||||
/* Cannot call http_server_send_status(cbio, ...) */
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
if (timeout > 0) {
|
||||
(void)BIO_get_fd(cbio, &acfd);
|
||||
alarm(timeout);
|
||||
}
|
||||
# endif
|
||||
|
||||
/* Read the request line. */
|
||||
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
|
||||
if (len == 0)
|
||||
return ret;
|
||||
ret = 1;
|
||||
if (len < 0) {
|
||||
log_message(prog, LOG_WARNING, "Request line read error");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
if ((end = strchr(reqbuf, '\r')) != NULL
|
||||
|| (end = strchr(reqbuf, '\n')) != NULL)
|
||||
*end = '\0';
|
||||
log_message(prog, LOG_INFO, "Received request, 1st line: %s", reqbuf);
|
||||
|
||||
meth = reqbuf;
|
||||
url = meth + 3;
|
||||
if ((accept_get && strncmp(meth, "GET ", 4) == 0)
|
||||
|| (url++, strncmp(meth, "POST ", 5) == 0)) {
|
||||
static const char http_version_str[] = " "HTTP_PREFIX_VERSION;
|
||||
static const size_t http_version_str_len = sizeof(http_version_str) - 1;
|
||||
|
||||
/* Expecting (GET|POST) {sp} /URL {sp} HTTP/1.x */
|
||||
*(url++) = '\0';
|
||||
while (*url == ' ')
|
||||
url++;
|
||||
if (*url != '/') {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s -- URL does not begin with '/': %s",
|
||||
meth, url);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
url++;
|
||||
|
||||
/* Splice off the HTTP version identifier. */
|
||||
for (end = url; *end != '\0'; end++)
|
||||
if (*end == ' ')
|
||||
break;
|
||||
if (strncmp(end, http_version_str, http_version_str_len) != 0) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s -- bad HTTP/version string: %s",
|
||||
meth, end + 1);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
*end = '\0';
|
||||
/* above HTTP 1.0, connection persistence is the default */
|
||||
if (found_keep_alive != NULL)
|
||||
*found_keep_alive = end[http_version_str_len] > '0';
|
||||
|
||||
/*-
|
||||
* Skip "GET / HTTP..." requests often used by load-balancers.
|
||||
* 'url' was incremented above to point to the first byte *after*
|
||||
* the leading slash, so in case 'GET / ' it is now an empty string.
|
||||
*/
|
||||
if (strlen(meth) == 3 && url[0] == '\0') {
|
||||
(void)http_server_send_status(cbio, 200, "OK");
|
||||
goto out;
|
||||
}
|
||||
|
||||
len = urldecode(url);
|
||||
if (len < 0) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s request -- bad URL encoding: %s",
|
||||
meth, url);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
if (strlen(meth) == 3) { /* GET */
|
||||
if ((getbio = BIO_new_mem_buf(url, len)) == NULL
|
||||
|| (b64 = BIO_new(BIO_f_base64())) == NULL) {
|
||||
log_message(prog, LOG_ERR,
|
||||
"Could not allocate base64 bio with size = %d",
|
||||
len);
|
||||
goto fatal;
|
||||
}
|
||||
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
|
||||
getbio = BIO_push(b64, getbio);
|
||||
}
|
||||
} else {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"HTTP request does not begin with %sPOST: %s",
|
||||
accept_get ? "GET or " : "", reqbuf);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* chop any further/duplicate leading or trailing '/' */
|
||||
while (*url == '/')
|
||||
url++;
|
||||
while (end >= url + 2 && end[-2] == '/' && end[-1] == '/')
|
||||
end--;
|
||||
*end = '\0';
|
||||
|
||||
/* Read and skip past the headers. */
|
||||
for (;;) {
|
||||
char *key, *value, *line_end = NULL;
|
||||
|
||||
len = BIO_gets(cbio, inbuf, sizeof(inbuf));
|
||||
if (len <= 0) {
|
||||
log_message(prog, LOG_WARNING, "Error reading HTTP header");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (inbuf[0] == '\r' || inbuf[0] == '\n')
|
||||
break;
|
||||
|
||||
key = inbuf;
|
||||
value = strchr(key, ':');
|
||||
if (value == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing HTTP header: missing ':'");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
*(value++) = '\0';
|
||||
while (*value == ' ')
|
||||
value++;
|
||||
line_end = strchr(value, '\r');
|
||||
if (line_end == NULL) {
|
||||
line_end = strchr(value, '\n');
|
||||
if (line_end == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing HTTP header: missing end of line");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
*line_end = '\0';
|
||||
/* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */
|
||||
if (found_keep_alive != NULL
|
||||
&& OPENSSL_strcasecmp(key, "Connection") == 0) {
|
||||
if (OPENSSL_strcasecmp(value, "keep-alive") == 0)
|
||||
*found_keep_alive = 1;
|
||||
else if (OPENSSL_strcasecmp(value, "close") == 0)
|
||||
*found_keep_alive = 0;
|
||||
}
|
||||
}
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
/* Clear alarm before we close the client socket */
|
||||
alarm(0);
|
||||
timeout = 0;
|
||||
# endif
|
||||
|
||||
/* Try to read and parse request */
|
||||
req = ASN1_item_d2i_bio(it, getbio != NULL ? getbio : cbio, NULL);
|
||||
if (req == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing DER-encoded request content");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
} else if (ppath != NULL && (*ppath = OPENSSL_strdup(url)) == NULL) {
|
||||
log_message(prog, LOG_ERR,
|
||||
"Out of memory allocating %zu bytes", strlen(url) + 1);
|
||||
ASN1_item_free(req, it);
|
||||
goto fatal;
|
||||
}
|
||||
|
||||
*preq = req;
|
||||
|
||||
out:
|
||||
BIO_free_all(getbio);
|
||||
# ifdef HTTP_DAEMON
|
||||
if (timeout > 0)
|
||||
alarm(0);
|
||||
acfd = (int)INVALID_SOCKET;
|
||||
# endif
|
||||
return ret;
|
||||
|
||||
fatal:
|
||||
(void)http_server_send_status(cbio, 500, "Internal Server Error");
|
||||
if (ppath != NULL) {
|
||||
OPENSSL_free(*ppath);
|
||||
*ppath = NULL;
|
||||
}
|
||||
BIO_free_all(cbio);
|
||||
*pcbio = NULL;
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* assumes that cbio does not do an encoding that changes the output length */
|
||||
int http_server_send_asn1_resp(BIO *cbio, int keep_alive,
|
||||
const char *content_type,
|
||||
const ASN1_ITEM *it, const ASN1_VALUE *resp)
|
||||
{
|
||||
int ret = BIO_printf(cbio, HTTP_1_0" 200 OK\r\n%s"
|
||||
"Content-type: %s\r\n"
|
||||
"Content-Length: %d\r\n\r\n",
|
||||
keep_alive ? "Connection: keep-alive\r\n" : "",
|
||||
content_type,
|
||||
ASN1_item_i2d(resp, NULL, it)) > 0
|
||||
&& ASN1_item_i2d_bio(it, cbio, resp) > 0;
|
||||
|
||||
(void)BIO_flush(cbio);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int http_server_send_status(BIO *cbio, int status, const char *reason)
|
||||
{
|
||||
int ret = BIO_printf(cbio, HTTP_1_0" %d %s\r\n\r\n",
|
||||
/* This implicitly cancels keep-alive */
|
||||
status, reason) > 0;
|
||||
|
||||
(void)BIO_flush(cbio);
|
||||
return ret;
|
||||
}
|
||||
#endif
|
45
apps/lib/names.c
Normal file
45
apps/lib/names.c
Normal file
|
@ -0,0 +1,45 @@
|
|||
/*
|
||||
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include "names.h"
|
||||
#include "openssl/crypto.h"
|
||||
|
||||
int name_cmp(const char * const *a, const char * const *b)
|
||||
{
|
||||
return OPENSSL_strcasecmp(*a, *b);
|
||||
}
|
||||
|
||||
void collect_names(const char *name, void *vdata)
|
||||
{
|
||||
STACK_OF(OPENSSL_CSTRING) *names = vdata;
|
||||
|
||||
sk_OPENSSL_CSTRING_push(names, name);
|
||||
}
|
||||
|
||||
void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names)
|
||||
{
|
||||
int i = sk_OPENSSL_CSTRING_num(names);
|
||||
int j;
|
||||
|
||||
sk_OPENSSL_CSTRING_sort(names);
|
||||
if (i > 1)
|
||||
BIO_printf(out, "{ ");
|
||||
for (j = 0; j < i; j++) {
|
||||
const char *name = sk_OPENSSL_CSTRING_value(names, j);
|
||||
|
||||
if (j > 0)
|
||||
BIO_printf(out, ", ");
|
||||
BIO_printf(out, "%s", name);
|
||||
}
|
||||
if (i > 1)
|
||||
BIO_printf(out, " }");
|
||||
}
|
|
@ -1,27 +1,38 @@
|
|||
/*
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#include "apps.h"
|
||||
|
||||
/*
|
||||
* This file is also used by the test suite. Do not #include "apps.h".
|
||||
*/
|
||||
#include "opt.h"
|
||||
#include "fmt.h"
|
||||
#include "app_libctx.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/numbers.h"
|
||||
#include <string.h>
|
||||
#if !defined(OPENSSL_SYS_MSDOS)
|
||||
# include OPENSSL_UNISTD
|
||||
# include <unistd.h>
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
#include <limits.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#define MAX_OPT_HELP_WIDTH 30
|
||||
const char OPT_HELP_STR[] = "--";
|
||||
const char OPT_MORE_STR[] = "---";
|
||||
const char OPT_HELP_STR[] = "-H";
|
||||
const char OPT_MORE_STR[] = "-M";
|
||||
const char OPT_SECTION_STR[] = "-S";
|
||||
const char OPT_PARAM_STR[] = "-P";
|
||||
|
||||
/* Our state */
|
||||
static char **argv;
|
||||
|
@ -38,18 +49,27 @@ static char prog[40];
|
|||
* Return the simple name of the program; removing various platform gunk.
|
||||
*/
|
||||
#if defined(OPENSSL_SYS_WIN32)
|
||||
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* find the last '/', '\' or ':' */
|
||||
for (p = filename + strlen(filename); --p > filename; )
|
||||
if (*p == '/' || *p == '\\' || *p == ':') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
size_t i, n;
|
||||
const char *p;
|
||||
char *q;
|
||||
|
||||
/* find the last '/', '\' or ':' */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
if (*p == '/' || *p == '\\' || *p == ':') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
p = opt_path_end(argv0);
|
||||
|
||||
/* Strip off trailing nonsense. */
|
||||
n = strlen(p);
|
||||
|
@ -68,19 +88,28 @@ char *opt_progname(const char *argv0)
|
|||
|
||||
#elif defined(OPENSSL_SYS_VMS)
|
||||
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* Find last special character sys:[foo.bar]openssl */
|
||||
for (p = filename + strlen(filename); --p > filename;)
|
||||
if (*p == ':' || *p == ']' || *p == '>') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
const char *p, *q;
|
||||
|
||||
/* Find last special character sys:[foo.bar]openssl */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
if (*p == ':' || *p == ']' || *p == '>') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
|
||||
p = opt_path_end(argv0);
|
||||
q = strrchr(p, '.');
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
if (prog != p)
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
prog[sizeof(prog) - 1] = '\0';
|
||||
if (q != NULL && q - p < sizeof(prog))
|
||||
prog[q - p] = '\0';
|
||||
|
@ -89,22 +118,40 @@ char *opt_progname(const char *argv0)
|
|||
|
||||
#else
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* Could use strchr, but this is like the ones above. */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
for (p = filename + strlen(filename); --p > filename;)
|
||||
if (*p == '/') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
p = opt_path_end(argv0);
|
||||
if (prog != p)
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
prog[sizeof(prog) - 1] = '\0';
|
||||
return prog;
|
||||
}
|
||||
#endif
|
||||
|
||||
char *opt_appname(const char *argv0)
|
||||
{
|
||||
size_t len = strlen(prog);
|
||||
|
||||
if (argv0 != NULL)
|
||||
BIO_snprintf(prog + len, sizeof(prog) - len - 1, " %s", argv0);
|
||||
return prog;
|
||||
}
|
||||
|
||||
char *opt_getprog(void)
|
||||
{
|
||||
return prog;
|
||||
|
@ -116,32 +163,41 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
|
|||
/* Store state. */
|
||||
argc = ac;
|
||||
argv = av;
|
||||
opt_index = 1;
|
||||
opt_begin();
|
||||
opts = o;
|
||||
opt_progname(av[0]);
|
||||
unknown = NULL;
|
||||
|
||||
for (; o->name; ++o) {
|
||||
/* Make sure prog name is set for usage output */
|
||||
(void)opt_progname(argv[0]);
|
||||
|
||||
/* Check all options up until the PARAM marker (if present) */
|
||||
for (; o->name != NULL && o->name != OPT_PARAM_STR; ++o) {
|
||||
#ifndef NDEBUG
|
||||
const OPTIONS *next;
|
||||
int duplicated, i;
|
||||
#endif
|
||||
|
||||
if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR)
|
||||
if (o->name == OPT_HELP_STR
|
||||
|| o->name == OPT_MORE_STR
|
||||
|| o->name == OPT_SECTION_STR)
|
||||
continue;
|
||||
#ifndef NDEBUG
|
||||
i = o->valtype;
|
||||
|
||||
/* Make sure options are legit. */
|
||||
assert(o->name[0] != '-');
|
||||
assert(o->retval > 0);
|
||||
OPENSSL_assert(o->name[0] != '-');
|
||||
if (o->valtype == '.')
|
||||
OPENSSL_assert(o->retval == OPT_PARAM);
|
||||
else
|
||||
OPENSSL_assert(o->retval == OPT_DUP || o->retval > OPT_PARAM);
|
||||
switch (i) {
|
||||
case 0: case '-': case '/': case '<': case '>': case 'E': case 'F':
|
||||
case 0: case '-': case '.':
|
||||
case '/': case '<': case '>': case 'E': case 'F':
|
||||
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
|
||||
case 'u': case 'c':
|
||||
case 'u': case 'c': case ':': case 'N':
|
||||
break;
|
||||
default:
|
||||
assert(0);
|
||||
OPENSSL_assert(0);
|
||||
}
|
||||
|
||||
/* Make sure there are no duplicates. */
|
||||
|
@ -149,14 +205,19 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
|
|||
/*
|
||||
* Some compilers inline strcmp and the assert string is too long.
|
||||
*/
|
||||
duplicated = strcmp(o->name, next->name) == 0;
|
||||
assert(!duplicated);
|
||||
duplicated = next->retval != OPT_DUP
|
||||
&& strcmp(o->name, next->name) == 0;
|
||||
if (duplicated) {
|
||||
opt_printf_stderr("%s: Internal error: duplicate option %s\n",
|
||||
prog, o->name);
|
||||
OPENSSL_assert(!duplicated);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if (o->name[0] == '\0') {
|
||||
assert(unknown == NULL);
|
||||
OPENSSL_assert(unknown == NULL);
|
||||
unknown = o;
|
||||
assert(unknown->valtype == 0 || unknown->valtype == '-');
|
||||
OPENSSL_assert(unknown->valtype == 0 || unknown->valtype == '-');
|
||||
}
|
||||
}
|
||||
return prog;
|
||||
|
@ -176,19 +237,19 @@ static OPT_PAIR formats[] = {
|
|||
};
|
||||
|
||||
/* Print an error message about a failed format parse. */
|
||||
int opt_format_error(const char *s, unsigned long flags)
|
||||
static int opt_format_error(const char *s, unsigned long flags)
|
||||
{
|
||||
OPT_PAIR *ap;
|
||||
|
||||
if (flags == OPT_FMT_PEMDER) {
|
||||
BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n",
|
||||
prog, s);
|
||||
opt_printf_stderr("%s: Bad format \"%s\"; must be pem or der\n",
|
||||
prog, s);
|
||||
} else {
|
||||
BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n",
|
||||
prog, s);
|
||||
opt_printf_stderr("%s: Bad format \"%s\"; must be one of:\n",
|
||||
prog, s);
|
||||
for (ap = formats; ap->name; ap++)
|
||||
if (flags & ap->retval)
|
||||
BIO_printf(bio_err, " %s\n", ap->name);
|
||||
opt_printf_stderr(" %s\n", ap->name);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -198,6 +259,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
|||
{
|
||||
switch (*s) {
|
||||
default:
|
||||
opt_printf_stderr("%s: Bad format \"%s\"\n", prog, s);
|
||||
return 0;
|
||||
case 'D':
|
||||
case 'd':
|
||||
|
@ -264,6 +326,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
|||
return opt_format_error(s, flags);
|
||||
*result = FORMAT_PKCS12;
|
||||
} else {
|
||||
opt_printf_stderr("%s: Bad format \"%s\"\n", prog, s);
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
|
@ -271,28 +334,132 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
|||
return 1;
|
||||
}
|
||||
|
||||
/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
|
||||
int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
|
||||
/* Return string representing the given format. */
|
||||
static const char *format2str(int format)
|
||||
{
|
||||
*cipherp = EVP_get_cipherbyname(name);
|
||||
if (*cipherp != NULL)
|
||||
switch (format) {
|
||||
default:
|
||||
return "(undefined)";
|
||||
case FORMAT_PEM:
|
||||
return "PEM";
|
||||
case FORMAT_ASN1:
|
||||
return "DER";
|
||||
case FORMAT_TEXT:
|
||||
return "TEXT";
|
||||
case FORMAT_NSS:
|
||||
return "NSS";
|
||||
case FORMAT_SMIME:
|
||||
return "SMIME";
|
||||
case FORMAT_MSBLOB:
|
||||
return "MSBLOB";
|
||||
case FORMAT_ENGINE:
|
||||
return "ENGINE";
|
||||
case FORMAT_HTTP:
|
||||
return "HTTP";
|
||||
case FORMAT_PKCS12:
|
||||
return "P12";
|
||||
case FORMAT_PVK:
|
||||
return "PVK";
|
||||
}
|
||||
}
|
||||
|
||||
/* Print an error message about unsuitable/unsupported format requested. */
|
||||
void print_format_error(int format, unsigned long flags)
|
||||
{
|
||||
(void)opt_format_error(format2str(format), flags);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a cipher name, put it in *cipherp after freeing what was there, if
|
||||
* cipherp is not NULL. Return 0 on failure, else 1.
|
||||
*/
|
||||
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
EVP_CIPHER *c;
|
||||
|
||||
ERR_set_mark();
|
||||
if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
|
||||
app_get0_propq())) != NULL
|
||||
|| (opt_legacy_okay()
|
||||
&& (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
|
||||
ERR_pop_to_mark();
|
||||
if (cipherp != NULL) {
|
||||
EVP_CIPHER_free(*cipherp);
|
||||
*cipherp = c;
|
||||
} else {
|
||||
EVP_CIPHER_free(c);
|
||||
}
|
||||
return 1;
|
||||
BIO_printf(bio_err, "%s: Unrecognized flag %s\n", prog, name);
|
||||
}
|
||||
ERR_clear_last_mark();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_cipher_silent(name, cipherp)) == 0)
|
||||
opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int opt_cipher(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
int mode, ret = 0;
|
||||
unsigned long int flags;
|
||||
EVP_CIPHER *c = NULL;
|
||||
|
||||
if (opt_cipher_any(name, &c)) {
|
||||
mode = EVP_CIPHER_get_mode(c);
|
||||
flags = EVP_CIPHER_get_flags(c);
|
||||
if (mode == EVP_CIPH_XTS_MODE) {
|
||||
opt_printf_stderr("%s XTS ciphers not supported\n", prog);
|
||||
} else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
|
||||
opt_printf_stderr("%s: AEAD ciphers not supported\n", prog);
|
||||
} else {
|
||||
ret = 1;
|
||||
if (cipherp != NULL)
|
||||
*cipherp = c;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
|
||||
*/
|
||||
int opt_md(const char *name, const EVP_MD **mdp)
|
||||
int opt_md_silent(const char *name, EVP_MD **mdp)
|
||||
{
|
||||
*mdp = EVP_get_digestbyname(name);
|
||||
if (*mdp != NULL)
|
||||
EVP_MD *md;
|
||||
|
||||
ERR_set_mark();
|
||||
if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL
|
||||
|| (opt_legacy_okay()
|
||||
&& (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) {
|
||||
ERR_pop_to_mark();
|
||||
if (mdp != NULL) {
|
||||
EVP_MD_free(*mdp);
|
||||
*mdp = md;
|
||||
} else {
|
||||
EVP_MD_free(md);
|
||||
}
|
||||
return 1;
|
||||
BIO_printf(bio_err, "%s: Unrecognized flag %s\n", prog, name);
|
||||
}
|
||||
ERR_clear_last_mark();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_md(const char *name, EVP_MD **mdp)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_md_silent(name, mdp)) == 0)
|
||||
opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog,
|
||||
name != NULL ? name : "\"\"");
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Look through a list of name/value pairs. */
|
||||
int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
|
||||
{
|
||||
|
@ -303,9 +470,23 @@ int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
|
|||
*result = pp->retval;
|
||||
return 1;
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Value must be one of:\n", prog);
|
||||
opt_printf_stderr("%s: Value must be one of:\n", prog);
|
||||
for (pp = pairs; pp->name; pp++)
|
||||
BIO_printf(bio_err, "\t%s\n", pp->name);
|
||||
opt_printf_stderr("\t%s\n", pp->name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Look through a list of valid names */
|
||||
int opt_string(const char *name, const char **options)
|
||||
{
|
||||
const char **p;
|
||||
|
||||
for (p = options; *p != NULL; p++)
|
||||
if (strcmp(*p, name) == 0)
|
||||
return 1;
|
||||
opt_printf_stderr("%s: Value must be one of:\n", prog);
|
||||
for (p = options; *p != NULL; p++)
|
||||
opt_printf_stderr("\t%s\n", *p);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -318,13 +499,22 @@ int opt_int(const char *value, int *result)
|
|||
return 0;
|
||||
*result = (int)l;
|
||||
if (*result != l) {
|
||||
BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n",
|
||||
prog, value);
|
||||
opt_printf_stderr("%s: Value \"%s\" outside integer range\n",
|
||||
prog, value);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Parse and return an integer, assuming range has been checked before. */
|
||||
int opt_int_arg(void)
|
||||
{
|
||||
int result = -1;
|
||||
|
||||
(void)opt_int(arg, &result);
|
||||
return result;
|
||||
}
|
||||
|
||||
static void opt_number_error(const char *v)
|
||||
{
|
||||
size_t i = 0;
|
||||
|
@ -339,13 +529,12 @@ static void opt_number_error(const char *v)
|
|||
|
||||
for (i = 0; i < OSSL_NELEM(b); i++) {
|
||||
if (strncmp(v, b[i].prefix, strlen(b[i].prefix)) == 0) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Can't parse \"%s\" as %s number\n",
|
||||
prog, v, b[i].name);
|
||||
opt_printf_stderr("%s: Can't parse \"%s\" as %s number\n",
|
||||
prog, v, b[i].name);
|
||||
return;
|
||||
}
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", prog, v);
|
||||
opt_printf_stderr("%s: Can't parse \"%s\" as a number\n", prog, v);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -372,10 +561,11 @@ int opt_long(const char *value, long *result)
|
|||
}
|
||||
|
||||
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX)
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX) && \
|
||||
!defined(OPENSSL_NO_INTTYPES_H)
|
||||
|
||||
/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
|
||||
int opt_imax(const char *value, intmax_t *result)
|
||||
int opt_intmax(const char *value, ossl_intmax_t *result)
|
||||
{
|
||||
int oerrno = errno;
|
||||
intmax_t m;
|
||||
|
@ -385,19 +575,26 @@ int opt_imax(const char *value, intmax_t *result)
|
|||
m = strtoimax(value, &endp, 0);
|
||||
if (*endp
|
||||
|| endp == value
|
||||
|| ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE)
|
||||
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
|
||||
&& errno == ERANGE)
|
||||
|| (m == 0 && errno != 0)) {
|
||||
opt_number_error(value);
|
||||
errno = oerrno;
|
||||
return 0;
|
||||
}
|
||||
*result = m;
|
||||
/* Ensure that the value in |m| is never too big for |*result| */
|
||||
if (sizeof(m) > sizeof(*result)
|
||||
&& (m < OSSL_INTMAX_MIN || m > OSSL_INTMAX_MAX)) {
|
||||
opt_number_error(value);
|
||||
return 0;
|
||||
}
|
||||
*result = (ossl_intmax_t)m;
|
||||
errno = oerrno;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */
|
||||
int opt_umax(const char *value, uintmax_t *result)
|
||||
int opt_uintmax(const char *value, ossl_uintmax_t *result)
|
||||
{
|
||||
int oerrno = errno;
|
||||
uintmax_t m;
|
||||
|
@ -413,10 +610,37 @@ int opt_umax(const char *value, uintmax_t *result)
|
|||
errno = oerrno;
|
||||
return 0;
|
||||
}
|
||||
*result = m;
|
||||
/* Ensure that the value in |m| is never too big for |*result| */
|
||||
if (sizeof(m) > sizeof(*result)
|
||||
&& m > OSSL_UINTMAX_MAX) {
|
||||
opt_number_error(value);
|
||||
return 0;
|
||||
}
|
||||
*result = (ossl_intmax_t)m;
|
||||
errno = oerrno;
|
||||
return 1;
|
||||
}
|
||||
#else
|
||||
/* Fallback implementations based on long */
|
||||
int opt_intmax(const char *value, ossl_intmax_t *result)
|
||||
{
|
||||
long m;
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_long(value, &m)))
|
||||
*result = m;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int opt_uintmax(const char *value, ossl_uintmax_t *result)
|
||||
{
|
||||
unsigned long m;
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_ulong(value, &m)))
|
||||
*result = m;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -458,9 +682,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
X509_PURPOSE *xptmp;
|
||||
const X509_VERIFY_PARAM *vtmp;
|
||||
|
||||
assert(vpm != NULL);
|
||||
assert(opt > OPT_V__FIRST);
|
||||
assert(opt < OPT_V__LAST);
|
||||
OPENSSL_assert(vpm != NULL);
|
||||
OPENSSL_assert(opt > OPT_V__FIRST);
|
||||
OPENSSL_assert(opt < OPT_V__LAST);
|
||||
|
||||
switch ((enum range)opt) {
|
||||
case OPT_V__FIRST:
|
||||
|
@ -469,7 +693,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
case OPT_V_POLICY:
|
||||
otmp = OBJ_txt2obj(opt_arg(), 0);
|
||||
if (otmp == NULL) {
|
||||
BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
|
||||
opt_printf_stderr("%s: Invalid Policy %s\n", prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
X509_VERIFY_PARAM_add0_policy(vpm, otmp);
|
||||
|
@ -478,7 +702,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
/* purpose name -> purpose index */
|
||||
i = X509_PURPOSE_get_by_sname(opt_arg());
|
||||
if (i < 0) {
|
||||
BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
|
||||
opt_printf_stderr("%s: Invalid purpose %s\n", prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -489,17 +713,16 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
i = X509_PURPOSE_get_id(xptmp);
|
||||
|
||||
if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Internal error setting purpose %s\n",
|
||||
prog, opt_arg());
|
||||
opt_printf_stderr("%s: Internal error setting purpose %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
case OPT_V_VERIFY_NAME:
|
||||
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
|
||||
if (vtmp == NULL) {
|
||||
BIO_printf(bio_err, "%s: Invalid verify name %s\n",
|
||||
prog, opt_arg());
|
||||
opt_printf_stderr("%s: Invalid verify name %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
X509_VERIFY_PARAM_set1(vpm, vtmp);
|
||||
|
@ -515,11 +738,11 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
X509_VERIFY_PARAM_set_auth_level(vpm, i);
|
||||
break;
|
||||
case OPT_V_ATTIME:
|
||||
if (!opt_imax(opt_arg(), &t))
|
||||
if (!opt_intmax(opt_arg(), &t))
|
||||
return 0;
|
||||
if (t != (time_t)t) {
|
||||
BIO_printf(bio_err, "%s: epoch time out of range %s\n",
|
||||
prog, opt_arg());
|
||||
opt_printf_stderr("%s: epoch time out of range %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
|
||||
|
@ -606,6 +829,13 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
|||
|
||||
}
|
||||
|
||||
void opt_begin(void)
|
||||
{
|
||||
opt_index = 1;
|
||||
arg = NULL;
|
||||
flag = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the next flag (and value if specified), return 0 if done, -1 on
|
||||
* error, otherwise the flag's retval.
|
||||
|
@ -645,14 +875,15 @@ int opt_next(void)
|
|||
*arg++ = '\0';
|
||||
for (o = opts; o->name; ++o) {
|
||||
/* If not this option, move on to the next one. */
|
||||
if (strcmp(p, o->name) != 0)
|
||||
if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0)
|
||||
&& strcmp(p, o->name) != 0)
|
||||
continue;
|
||||
|
||||
/* If it doesn't take a value, make sure none was given. */
|
||||
if (o->valtype == 0 || o->valtype == '-') {
|
||||
if (arg) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Option -%s does not take a value\n", prog, p);
|
||||
opt_printf_stderr("%s: Option -%s does not take a value\n",
|
||||
prog, p);
|
||||
return -1;
|
||||
}
|
||||
return o->retval;
|
||||
|
@ -661,8 +892,8 @@ int opt_next(void)
|
|||
/* Want a value; get the next param if =foo not used. */
|
||||
if (arg == NULL) {
|
||||
if (argv[opt_index] == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Option -%s needs a value\n", prog, o->name);
|
||||
opt_printf_stderr("%s: Option -%s needs a value\n",
|
||||
prog, o->name);
|
||||
return -1;
|
||||
}
|
||||
arg = argv[opt_index++];
|
||||
|
@ -672,12 +903,16 @@ int opt_next(void)
|
|||
switch (o->valtype) {
|
||||
default:
|
||||
case 's':
|
||||
case ':':
|
||||
/* Just a string. */
|
||||
break;
|
||||
case '.':
|
||||
/* Parameters */
|
||||
break;
|
||||
case '/':
|
||||
if (app_isdir(arg) > 0)
|
||||
if (opt_isdir(arg) > 0)
|
||||
break;
|
||||
BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg);
|
||||
opt_printf_stderr("%s: Not a directory: %s\n", prog, arg);
|
||||
return -1;
|
||||
case '<':
|
||||
/* Input file. */
|
||||
|
@ -687,45 +922,35 @@ int opt_next(void)
|
|||
break;
|
||||
case 'p':
|
||||
case 'n':
|
||||
if (!opt_int(arg, &ival)
|
||||
|| (o->valtype == 'p' && ival <= 0)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Non-positive number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
case 'N':
|
||||
if (!opt_int(arg, &ival))
|
||||
return -1;
|
||||
if (o->valtype == 'p' && ival <= 0) {
|
||||
opt_printf_stderr("%s: Non-positive number \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
if (o->valtype == 'N' && ival < 0) {
|
||||
opt_printf_stderr("%s: Negative number \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'M':
|
||||
if (!opt_imax(arg, &imval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_intmax(arg, &imval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'U':
|
||||
if (!opt_umax(arg, &umval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_uintmax(arg, &umval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'l':
|
||||
if (!opt_long(arg, &lval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_long(arg, &lval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'u':
|
||||
if (!opt_ulong(arg, &ulval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_ulong(arg, &ulval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'c':
|
||||
case 'E':
|
||||
|
@ -737,9 +962,8 @@ int opt_next(void)
|
|||
o->valtype == 'F' ? OPT_FMT_PEMDER
|
||||
: OPT_FMT_ANY, &ival))
|
||||
break;
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid format \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
opt_printf_stderr("%s: Invalid format \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -750,7 +974,7 @@ int opt_next(void)
|
|||
dunno = p;
|
||||
return unknown->retval;
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p);
|
||||
opt_printf_stderr("%s: Unknown option: -%s\n", prog, p);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -760,7 +984,7 @@ char *opt_arg(void)
|
|||
return arg;
|
||||
}
|
||||
|
||||
/* Return the most recent flag. */
|
||||
/* Return the most recent flag (option name including the preceding '-'). */
|
||||
char *opt_flag(void)
|
||||
{
|
||||
return flag;
|
||||
|
@ -796,6 +1020,8 @@ static const char *valtype2param(const OPTIONS *o)
|
|||
case 0:
|
||||
case '-':
|
||||
return "";
|
||||
case ':':
|
||||
return "uri";
|
||||
case 's':
|
||||
return "val";
|
||||
case '/':
|
||||
|
@ -820,21 +1046,75 @@ static const char *valtype2param(const OPTIONS *o)
|
|||
return "format";
|
||||
case 'M':
|
||||
return "intmax";
|
||||
case 'N':
|
||||
return "nonneg";
|
||||
case 'U':
|
||||
return "uintmax";
|
||||
}
|
||||
return "parm";
|
||||
}
|
||||
|
||||
static void opt_print(const OPTIONS *o, int doingparams, int width)
|
||||
{
|
||||
const char* help;
|
||||
char start[80 + 1];
|
||||
char *p;
|
||||
|
||||
help = o->helpstr ? o->helpstr : "(No additional info)";
|
||||
if (o->name == OPT_HELP_STR) {
|
||||
opt_printf_stderr(help, prog);
|
||||
return;
|
||||
}
|
||||
if (o->name == OPT_SECTION_STR) {
|
||||
opt_printf_stderr("\n");
|
||||
opt_printf_stderr(help, prog);
|
||||
return;
|
||||
}
|
||||
if (o->name == OPT_PARAM_STR) {
|
||||
opt_printf_stderr("\nParameters:\n");
|
||||
return;
|
||||
}
|
||||
|
||||
/* Pad out prefix */
|
||||
memset(start, ' ', sizeof(start) - 1);
|
||||
start[sizeof(start) - 1] = '\0';
|
||||
|
||||
if (o->name == OPT_MORE_STR) {
|
||||
/* Continuation of previous line; pad and print. */
|
||||
start[width] = '\0';
|
||||
opt_printf_stderr("%s %s\n", start, help);
|
||||
return;
|
||||
}
|
||||
|
||||
/* Build up the "-flag [param]" part. */
|
||||
p = start;
|
||||
*p++ = ' ';
|
||||
if (!doingparams)
|
||||
*p++ = '-';
|
||||
if (o->name[0])
|
||||
p += strlen(strcpy(p, o->name));
|
||||
else
|
||||
*p++ = '*';
|
||||
if (o->valtype != '-') {
|
||||
*p++ = ' ';
|
||||
p += strlen(strcpy(p, valtype2param(o)));
|
||||
}
|
||||
*p = ' ';
|
||||
if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
|
||||
*p = '\0';
|
||||
opt_printf_stderr("%s\n", start);
|
||||
memset(start, ' ', sizeof(start));
|
||||
}
|
||||
start[width] = '\0';
|
||||
opt_printf_stderr("%s %s\n", start, help);
|
||||
}
|
||||
|
||||
void opt_help(const OPTIONS *list)
|
||||
{
|
||||
const OPTIONS *o;
|
||||
int i;
|
||||
int i, sawparams = 0, width = 5;
|
||||
int standard_prolog;
|
||||
int width = 5;
|
||||
char start[80 + 1];
|
||||
char *p;
|
||||
const char *help;
|
||||
|
||||
/* Starts with its own help message? */
|
||||
standard_prolog = list[0].name != OPT_HELP_STR;
|
||||
|
@ -848,51 +1128,71 @@ void opt_help(const OPTIONS *list)
|
|||
i += 1 + strlen(valtype2param(o));
|
||||
if (i < MAX_OPT_HELP_WIDTH && i > width)
|
||||
width = i;
|
||||
assert(i < (int)sizeof(start));
|
||||
OPENSSL_assert(i < (int)sizeof(start));
|
||||
}
|
||||
|
||||
if (standard_prolog)
|
||||
BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n",
|
||||
prog);
|
||||
if (standard_prolog) {
|
||||
opt_printf_stderr("Usage: %s [options]\n", prog);
|
||||
if (list[0].name != OPT_SECTION_STR)
|
||||
opt_printf_stderr("Valid options are:\n", prog);
|
||||
}
|
||||
|
||||
/* Now let's print. */
|
||||
for (o = list; o->name; o++) {
|
||||
help = o->helpstr ? o->helpstr : "(No additional info)";
|
||||
if (o->name == OPT_HELP_STR) {
|
||||
BIO_printf(bio_err, help, prog);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Pad out prefix */
|
||||
memset(start, ' ', sizeof(start) - 1);
|
||||
start[sizeof(start) - 1] = '\0';
|
||||
|
||||
if (o->name == OPT_MORE_STR) {
|
||||
/* Continuation of previous line; pad and print. */
|
||||
start[width] = '\0';
|
||||
BIO_printf(bio_err, "%s %s\n", start, help);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Build up the "-flag [param]" part. */
|
||||
p = start;
|
||||
*p++ = ' ';
|
||||
*p++ = '-';
|
||||
if (o->name[0])
|
||||
p += strlen(strcpy(p, o->name));
|
||||
else
|
||||
*p++ = '*';
|
||||
if (o->valtype != '-') {
|
||||
*p++ = ' ';
|
||||
p += strlen(strcpy(p, valtype2param(o)));
|
||||
}
|
||||
*p = ' ';
|
||||
if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
|
||||
*p = '\0';
|
||||
BIO_printf(bio_err, "%s\n", start);
|
||||
memset(start, ' ', sizeof(start));
|
||||
}
|
||||
start[width] = '\0';
|
||||
BIO_printf(bio_err, "%s %s\n", start, help);
|
||||
if (o->name == OPT_PARAM_STR)
|
||||
sawparams = 1;
|
||||
opt_print(o, sawparams, width);
|
||||
}
|
||||
}
|
||||
|
||||
/* opt_isdir section */
|
||||
#ifdef _WIN32
|
||||
# include <windows.h>
|
||||
int opt_isdir(const char *name)
|
||||
{
|
||||
DWORD attr;
|
||||
# if defined(UNICODE) || defined(_UNICODE)
|
||||
size_t i, len_0 = strlen(name) + 1;
|
||||
WCHAR tempname[MAX_PATH];
|
||||
|
||||
if (len_0 > MAX_PATH)
|
||||
return -1;
|
||||
|
||||
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
||||
if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH))
|
||||
# endif
|
||||
for (i = 0; i < len_0; i++)
|
||||
tempname[i] = (WCHAR)name[i];
|
||||
|
||||
attr = GetFileAttributes(tempname);
|
||||
# else
|
||||
attr = GetFileAttributes(name);
|
||||
# endif
|
||||
if (attr == INVALID_FILE_ATTRIBUTES)
|
||||
return -1;
|
||||
return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0);
|
||||
}
|
||||
#else
|
||||
# include <sys/stat.h>
|
||||
# ifndef S_ISDIR
|
||||
# if defined(_S_IFMT) && defined(_S_IFDIR)
|
||||
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
|
||||
# else
|
||||
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
|
||||
# endif
|
||||
# endif
|
||||
|
||||
int opt_isdir(const char *name)
|
||||
{
|
||||
# if defined(S_ISDIR)
|
||||
struct stat st;
|
||||
|
||||
if (stat(name, &st) == 0)
|
||||
return S_ISDIR(st.st_mode);
|
||||
else
|
||||
return -1;
|
||||
# else
|
||||
return -1;
|
||||
# endif
|
||||
}
|
||||
#endif
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -12,6 +12,8 @@
|
|||
#include <stdlib.h>
|
||||
#include <string.h> /* for memcpy() and strcmp() */
|
||||
#include "apps.h"
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/x509.h>
|
||||
|
@ -150,6 +152,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
|
|||
STACK_OF(X509) *chain, int build_chain)
|
||||
{
|
||||
int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
|
||||
|
||||
if (cert == NULL)
|
||||
return 1;
|
||||
if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
|
||||
|
@ -194,7 +197,7 @@ static STRINT_PAIR cert_type_list[] = {
|
|||
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
|
||||
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
|
||||
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
|
||||
{"GOST12 Sign", TLS_CT_GOST12_SIGN},
|
||||
{"GOST12 Sign", TLS_CT_GOST12_IANA_SIGN},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
|
@ -203,6 +206,7 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s)
|
|||
const unsigned char *p;
|
||||
int i;
|
||||
int cert_type_num = SSL_get0_certificate_types(s, &p);
|
||||
|
||||
if (!cert_type_num)
|
||||
return;
|
||||
BIO_puts(bio, "Client Certificate Types: ");
|
||||
|
@ -232,22 +236,22 @@ static const char *get_sigtype(int nid)
|
|||
case EVP_PKEY_DSA:
|
||||
return "DSA";
|
||||
|
||||
case EVP_PKEY_EC:
|
||||
case EVP_PKEY_EC:
|
||||
return "ECDSA";
|
||||
|
||||
case NID_ED25519:
|
||||
case NID_ED25519:
|
||||
return "Ed25519";
|
||||
|
||||
case NID_ED448:
|
||||
case NID_ED448:
|
||||
return "Ed448";
|
||||
|
||||
case NID_id_GostR3410_2001:
|
||||
case NID_id_GostR3410_2001:
|
||||
return "gost2001";
|
||||
|
||||
case NID_id_GostR3410_2012_256:
|
||||
case NID_id_GostR3410_2012_256:
|
||||
return "gost2012_256";
|
||||
|
||||
case NID_id_GostR3410_2012_512:
|
||||
case NID_id_GostR3410_2012_512:
|
||||
return "gost2012_512";
|
||||
|
||||
default:
|
||||
|
@ -258,6 +262,7 @@ static const char *get_sigtype(int nid)
|
|||
static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
||||
{
|
||||
int i, nsig, client;
|
||||
|
||||
client = SSL_is_server(s) ? 0 : 1;
|
||||
if (shared)
|
||||
nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
|
||||
|
@ -300,6 +305,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
|||
int ssl_print_sigalgs(BIO *out, SSL *s)
|
||||
{
|
||||
int nid;
|
||||
|
||||
if (!SSL_is_server(s))
|
||||
ssl_print_client_cert_types(out, s);
|
||||
do_print_sigalgs(out, s, 0);
|
||||
|
@ -316,6 +322,7 @@ int ssl_print_point_formats(BIO *out, SSL *s)
|
|||
{
|
||||
int i, nformats;
|
||||
const char *pformats;
|
||||
|
||||
nformats = SSL_get0_ec_point_formats(s, &pformats);
|
||||
if (nformats <= 0)
|
||||
return 1;
|
||||
|
@ -349,7 +356,6 @@ int ssl_print_point_formats(BIO *out, SSL *s)
|
|||
int ssl_print_groups(BIO *out, SSL *s, int noshared)
|
||||
{
|
||||
int i, ngroups, *groups, nid;
|
||||
const char *gname;
|
||||
|
||||
ngroups = SSL_get1_groups(s, NULL);
|
||||
if (ngroups <= 0)
|
||||
|
@ -357,39 +363,25 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
|
|||
groups = app_malloc(ngroups * sizeof(int), "groups to print");
|
||||
SSL_get1_groups(s, groups);
|
||||
|
||||
BIO_puts(out, "Supported Elliptic Groups: ");
|
||||
BIO_puts(out, "Supported groups: ");
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (i)
|
||||
BIO_puts(out, ":");
|
||||
nid = groups[i];
|
||||
/* If unrecognised print out hex version */
|
||||
if (nid & TLSEXT_nid_unknown) {
|
||||
BIO_printf(out, "0x%04X", nid & 0xFFFF);
|
||||
} else {
|
||||
/* TODO(TLS1.3): Get group name here */
|
||||
/* Use NIST name for curve if it exists */
|
||||
gname = EC_curve_nid2nist(nid);
|
||||
if (gname == NULL)
|
||||
gname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "%s", gname);
|
||||
}
|
||||
BIO_printf(out, "%s", SSL_group_to_name(s, nid));
|
||||
}
|
||||
OPENSSL_free(groups);
|
||||
if (noshared) {
|
||||
BIO_puts(out, "\n");
|
||||
return 1;
|
||||
}
|
||||
BIO_puts(out, "\nShared Elliptic groups: ");
|
||||
BIO_puts(out, "\nShared groups: ");
|
||||
ngroups = SSL_get_shared_group(s, -1);
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (i)
|
||||
BIO_puts(out, ":");
|
||||
nid = SSL_get_shared_group(s, i);
|
||||
/* TODO(TLS1.3): Convert for DH groups */
|
||||
gname = EC_curve_nid2nist(nid);
|
||||
if (gname == NULL)
|
||||
gname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "%s", gname);
|
||||
BIO_printf(out, "%s", SSL_group_to_name(s, nid));
|
||||
}
|
||||
if (ngroups == 0)
|
||||
BIO_puts(out, "NONE");
|
||||
|
@ -405,39 +397,37 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
|
|||
if (!SSL_get_peer_tmp_key(s, &key))
|
||||
return 1;
|
||||
BIO_puts(out, "Server Temp Key: ");
|
||||
switch (EVP_PKEY_id(key)) {
|
||||
switch (EVP_PKEY_get_id(key)) {
|
||||
case EVP_PKEY_RSA:
|
||||
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_get_bits(key));
|
||||
break;
|
||||
|
||||
case EVP_PKEY_DH:
|
||||
BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "DH, %d bits\n", EVP_PKEY_get_bits(key));
|
||||
break;
|
||||
#ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_EC:
|
||||
{
|
||||
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
|
||||
int nid;
|
||||
const char *cname;
|
||||
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
|
||||
EC_KEY_free(ec);
|
||||
cname = EC_curve_nid2nist(nid);
|
||||
if (cname == NULL)
|
||||
cname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
|
||||
char name[80];
|
||||
size_t name_len;
|
||||
|
||||
if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
name, sizeof(name), &name_len))
|
||||
strcpy(name, "?");
|
||||
BIO_printf(out, "ECDH, %s, %d bits\n", name, EVP_PKEY_get_bits(key));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_id(key)),
|
||||
EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_get_id(key)),
|
||||
EVP_PKEY_get_bits(key));
|
||||
}
|
||||
EVP_PKEY_free(key);
|
||||
return 1;
|
||||
}
|
||||
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret)
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
|
||||
int argi, long argl, int ret, size_t *processed)
|
||||
{
|
||||
BIO *out;
|
||||
|
||||
|
@ -446,14 +436,23 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
|||
return ret;
|
||||
|
||||
if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
|
||||
BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||
BIO_dump(out, argp, (int)ret);
|
||||
return ret;
|
||||
if (ret > 0 && processed != NULL) {
|
||||
BIO_printf(out, "read from %p [%p] (%zu bytes => %zu (0x%zX))\n",
|
||||
(void *)bio, (void *)argp, len, *processed, *processed);
|
||||
BIO_dump(out, argp, (int)*processed);
|
||||
} else {
|
||||
BIO_printf(out, "read from %p [%p] (%zu bytes => %d)\n",
|
||||
(void *)bio, (void *)argp, len, ret);
|
||||
}
|
||||
} else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
|
||||
BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||
BIO_dump(out, argp, (int)ret);
|
||||
if (ret > 0 && processed != NULL) {
|
||||
BIO_printf(out, "write to %p [%p] (%zu bytes => %zu (0x%zX))\n",
|
||||
(void *)bio, (void *)argp, len, *processed, *processed);
|
||||
BIO_dump(out, argp, (int)*processed);
|
||||
} else {
|
||||
BIO_printf(out, "write to %p [%p] (%zu bytes => %d)\n",
|
||||
(void *)bio, (void *)argp, len, ret);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
@ -569,8 +568,8 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
|||
{
|
||||
BIO *bio = arg;
|
||||
const char *str_write_p = write_p ? ">>>" : "<<<";
|
||||
const char *str_version = lookup(version, ssl_versions, "???");
|
||||
const char *str_content_type = "", *str_details1 = "", *str_details2 = "";
|
||||
char tmpbuf[128];
|
||||
const char *str_version, *str_content_type = "", *str_details1 = "", *str_details2 = "";
|
||||
const unsigned char* bp = buf;
|
||||
|
||||
if (version == SSL3_VERSION ||
|
||||
|
@ -579,11 +578,14 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
|||
version == TLS1_2_VERSION ||
|
||||
version == TLS1_3_VERSION ||
|
||||
version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
|
||||
str_version = lookup(version, ssl_versions, "???");
|
||||
switch (content_type) {
|
||||
case 20:
|
||||
case SSL3_RT_CHANGE_CIPHER_SPEC:
|
||||
/* type 20 */
|
||||
str_content_type = ", ChangeCipherSpec";
|
||||
break;
|
||||
case 21:
|
||||
case SSL3_RT_ALERT:
|
||||
/* type 21 */
|
||||
str_content_type = ", Alert";
|
||||
str_details1 = ", ???";
|
||||
if (len == 2) {
|
||||
|
@ -598,32 +600,32 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
|||
str_details2 = lookup((int)bp[1], alert_types, " ???");
|
||||
}
|
||||
break;
|
||||
case 22:
|
||||
case SSL3_RT_HANDSHAKE:
|
||||
/* type 22 */
|
||||
str_content_type = ", Handshake";
|
||||
str_details1 = "???";
|
||||
if (len > 0)
|
||||
str_details1 = lookup((int)bp[0], handshakes, "???");
|
||||
break;
|
||||
case 23:
|
||||
case SSL3_RT_APPLICATION_DATA:
|
||||
/* type 23 */
|
||||
str_content_type = ", ApplicationData";
|
||||
break;
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
case 24:
|
||||
str_details1 = ", Heartbeat";
|
||||
|
||||
if (len > 0) {
|
||||
switch (bp[0]) {
|
||||
case 1:
|
||||
str_details1 = ", HeartbeatRequest";
|
||||
break;
|
||||
case 2:
|
||||
str_details1 = ", HeartbeatResponse";
|
||||
break;
|
||||
}
|
||||
}
|
||||
case SSL3_RT_HEADER:
|
||||
/* type 256 */
|
||||
str_content_type = ", RecordHeader";
|
||||
break;
|
||||
#endif
|
||||
case SSL3_RT_INNER_CONTENT_TYPE:
|
||||
/* type 257 */
|
||||
str_content_type = ", InnerContent";
|
||||
break;
|
||||
default:
|
||||
BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, ", Unknown (content_type=%d)", content_type);
|
||||
str_content_type = tmpbuf;
|
||||
}
|
||||
} else {
|
||||
BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, "Not TLS data or unknown version (version=%d, content_type=%d)", version, content_type);
|
||||
str_version = tmpbuf;
|
||||
}
|
||||
|
||||
BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version,
|
||||
|
@ -663,7 +665,6 @@ static STRINT_PAIR tlsext_types[] = {
|
|||
{"SRP", TLSEXT_TYPE_srp},
|
||||
{"signature algorithms", TLSEXT_TYPE_signature_algorithms},
|
||||
{"use SRTP", TLSEXT_TYPE_use_srtp},
|
||||
{"heartbeat", TLSEXT_TYPE_heartbeat},
|
||||
{"session ticket", TLSEXT_TYPE_session_ticket},
|
||||
{"renegotiation info", TLSEXT_TYPE_renegotiate},
|
||||
{"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
|
||||
|
@ -750,13 +751,14 @@ void tlsext_cb(SSL *s, int client_server, int type,
|
|||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
unsigned int *cookie_len)
|
||||
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
size_t *cookie_len)
|
||||
{
|
||||
unsigned char *buffer;
|
||||
unsigned char *buffer = NULL;
|
||||
size_t length = 0;
|
||||
unsigned short port;
|
||||
BIO_ADDR *lpeer = NULL, *peer = NULL;
|
||||
int res = 0;
|
||||
|
||||
/* Initialize a random secret */
|
||||
if (!cookie_initialized) {
|
||||
|
@ -783,6 +785,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
|||
/* Create buffer with peer's address and port */
|
||||
if (!BIO_ADDR_rawaddress(peer, NULL, &length)) {
|
||||
BIO_printf(bio_err, "Failed getting peer address\n");
|
||||
BIO_ADDR_free(lpeer);
|
||||
return 0;
|
||||
}
|
||||
OPENSSL_assert(length != 0);
|
||||
|
@ -793,26 +796,31 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
|||
memcpy(buffer, &port, sizeof(port));
|
||||
BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
|
||||
|
||||
/* Calculate HMAC of buffer using the secret */
|
||||
HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
|
||||
buffer, length, cookie, cookie_len);
|
||||
|
||||
if (EVP_Q_mac(NULL, "HMAC", NULL, "SHA1", NULL,
|
||||
cookie_secret, COOKIE_SECRET_LENGTH, buffer, length,
|
||||
cookie, DTLS1_COOKIE_LENGTH, cookie_len) == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error calculating HMAC-SHA1 of buffer with secret\n");
|
||||
goto end;
|
||||
}
|
||||
res = 1;
|
||||
end:
|
||||
OPENSSL_free(buffer);
|
||||
BIO_ADDR_free(lpeer);
|
||||
|
||||
return 1;
|
||||
return res;
|
||||
}
|
||||
|
||||
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
unsigned int cookie_len)
|
||||
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
size_t cookie_len)
|
||||
{
|
||||
unsigned char result[EVP_MAX_MD_SIZE];
|
||||
unsigned int resultlength;
|
||||
size_t resultlength;
|
||||
|
||||
/* Note: we check cookie_initialized because if it's not,
|
||||
* it cannot be valid */
|
||||
if (cookie_initialized
|
||||
&& generate_cookie_callback(ssl, result, &resultlength)
|
||||
&& generate_stateless_cookie_callback(ssl, result, &resultlength)
|
||||
&& cookie_len == resultlength
|
||||
&& memcmp(result, cookie, resultlength) == 0)
|
||||
return 1;
|
||||
|
@ -820,21 +828,21 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
size_t *cookie_len)
|
||||
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
unsigned int *cookie_len)
|
||||
{
|
||||
unsigned int temp;
|
||||
int res = generate_cookie_callback(ssl, cookie, &temp);
|
||||
size_t temp = 0;
|
||||
int res = generate_stateless_cookie_callback(ssl, cookie, &temp);
|
||||
|
||||
if (res != 0)
|
||||
*cookie_len = temp;
|
||||
*cookie_len = (unsigned int)temp;
|
||||
return res;
|
||||
}
|
||||
|
||||
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
size_t cookie_len)
|
||||
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
unsigned int cookie_len)
|
||||
{
|
||||
return verify_cookie_callback(ssl, cookie, cookie_len);
|
||||
return verify_stateless_cookie_callback(ssl, cookie, cookie_len);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
@ -898,6 +906,7 @@ static int set_cert_cb(SSL *ssl, void *arg)
|
|||
SSL_EXCERT *exc = arg;
|
||||
#ifdef CERT_CB_TEST_RETRY
|
||||
static int retry_cnt;
|
||||
|
||||
if (retry_cnt < 5) {
|
||||
retry_cnt++;
|
||||
BIO_printf(bio_err,
|
||||
|
@ -996,6 +1005,7 @@ void ssl_excert_free(SSL_EXCERT *exc)
|
|||
int load_excert(SSL_EXCERT **pexc)
|
||||
{
|
||||
SSL_EXCERT *exc = *pexc;
|
||||
|
||||
if (exc == NULL)
|
||||
return 1;
|
||||
/* If nothing in list, free and set to NULL */
|
||||
|
@ -1015,16 +1025,15 @@ int load_excert(SSL_EXCERT **pexc)
|
|||
return 0;
|
||||
if (exc->keyfile != NULL) {
|
||||
exc->key = load_key(exc->keyfile, exc->keyform,
|
||||
0, NULL, NULL, "Server Key");
|
||||
0, NULL, NULL, "server key");
|
||||
} else {
|
||||
exc->key = load_key(exc->certfile, exc->certform,
|
||||
0, NULL, NULL, "Server Key");
|
||||
0, NULL, NULL, "server key");
|
||||
}
|
||||
if (exc->key == NULL)
|
||||
return 0;
|
||||
if (exc->chainfile != NULL) {
|
||||
if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
|
||||
"Server Chain"))
|
||||
if (!load_certs(exc->chainfile, 0, &exc->chain, NULL, "server chain"))
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -1080,11 +1089,11 @@ int args_excert(int opt, SSL_EXCERT **pexc)
|
|||
exc->build_chain = 1;
|
||||
break;
|
||||
case OPT_X_CERTFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform))
|
||||
return 0;
|
||||
break;
|
||||
case OPT_X_KEYFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform))
|
||||
return 0;
|
||||
break;
|
||||
}
|
||||
|
@ -1102,6 +1111,7 @@ static void print_raw_cipherlist(SSL *s)
|
|||
const unsigned char *rlist;
|
||||
static const unsigned char scsv_id[] = { 0, 0xFF };
|
||||
size_t i, rlistlen, num;
|
||||
|
||||
if (!SSL_is_server(s))
|
||||
return;
|
||||
num = SSL_get0_raw_cipherlist(s, NULL);
|
||||
|
@ -1210,7 +1220,7 @@ void print_ssl_summary(SSL *s)
|
|||
c = SSL_get_current_cipher(s);
|
||||
BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
|
||||
do_print_sigalgs(bio_err, s, 0);
|
||||
peer = SSL_get_peer_certificate(s);
|
||||
peer = SSL_get0_peer_certificate(s);
|
||||
if (peer != NULL) {
|
||||
int nid;
|
||||
|
||||
|
@ -1226,7 +1236,6 @@ void print_ssl_summary(SSL *s)
|
|||
} else {
|
||||
BIO_puts(bio_err, "No peer certificate\n");
|
||||
}
|
||||
X509_free(peer);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ssl_print_point_formats(bio_err, s);
|
||||
if (SSL_is_server(s))
|
||||
|
@ -1248,12 +1257,10 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
|
|||
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
|
||||
const char *flag = sk_OPENSSL_STRING_value(str, i);
|
||||
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
|
||||
|
||||
if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
|
||||
if (arg != NULL)
|
||||
BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
|
||||
flag, arg);
|
||||
else
|
||||
BIO_printf(bio_err, "Error with command: \"%s\"\n", flag);
|
||||
BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
|
||||
flag, arg == NULL ? "<NULL>" : arg);
|
||||
ERR_print_errors(bio_err);
|
||||
return 0;
|
||||
}
|
||||
|
@ -1269,17 +1276,20 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
|
|||
static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
|
||||
{
|
||||
X509_CRL *crl;
|
||||
int i;
|
||||
int i, ret = 1;
|
||||
|
||||
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
||||
crl = sk_X509_CRL_value(crls, i);
|
||||
X509_STORE_add_crl(st, crl);
|
||||
if (!X509_STORE_add_crl(st, crl))
|
||||
ret = 0;
|
||||
}
|
||||
return 1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
|
||||
{
|
||||
X509_STORE *st;
|
||||
|
||||
st = SSL_CTX_get_cert_store(ctx);
|
||||
add_crls_store(st, crls);
|
||||
if (crl_download)
|
||||
|
@ -1289,27 +1299,38 @@ int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
|
|||
|
||||
int ssl_load_stores(SSL_CTX *ctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *vfyCAstore,
|
||||
const char *chCApath, const char *chCAfile,
|
||||
const char *chCAstore,
|
||||
STACK_OF(X509_CRL) *crls, int crl_download)
|
||||
{
|
||||
X509_STORE *vfy = NULL, *ch = NULL;
|
||||
int rv = 0;
|
||||
if (vfyCApath != NULL || vfyCAfile != NULL) {
|
||||
|
||||
if (vfyCApath != NULL || vfyCAfile != NULL || vfyCAstore != NULL) {
|
||||
vfy = X509_STORE_new();
|
||||
if (vfy == NULL)
|
||||
goto err;
|
||||
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
|
||||
if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile))
|
||||
goto err;
|
||||
if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath))
|
||||
goto err;
|
||||
if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
|
||||
goto err;
|
||||
add_crls_store(vfy, crls);
|
||||
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
||||
if (crl_download)
|
||||
store_setup_crl_download(vfy);
|
||||
}
|
||||
if (chCApath != NULL || chCAfile != NULL) {
|
||||
if (chCApath != NULL || chCAfile != NULL || chCAstore != NULL) {
|
||||
ch = X509_STORE_new();
|
||||
if (ch == NULL)
|
||||
goto err;
|
||||
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
|
||||
if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile))
|
||||
goto err;
|
||||
if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath))
|
||||
goto err;
|
||||
if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
|
||||
goto err;
|
||||
SSL_CTX_set1_chain_cert_store(ctx, ch);
|
||||
}
|
||||
|
@ -1362,6 +1383,7 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
|
|||
int rv, show_bits = 1, cert_md = 0;
|
||||
const char *nm;
|
||||
int show_nm;
|
||||
|
||||
rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex);
|
||||
if (rv == 1 && sdb->verbose < 2)
|
||||
return 1;
|
||||
|
@ -1410,27 +1432,26 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
|
|||
BIO_puts(sdb->out, cname);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
case SSL_SECOP_OTHER_DH:
|
||||
{
|
||||
DH *dh = other;
|
||||
BIO_printf(sdb->out, "%d", DH_bits(dh));
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
case SSL_SECOP_OTHER_CERT:
|
||||
{
|
||||
if (cert_md) {
|
||||
int sig_nid = X509_get_signature_nid(other);
|
||||
|
||||
BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
|
||||
} else {
|
||||
EVP_PKEY *pkey = X509_get0_pubkey(other);
|
||||
const char *algname = "";
|
||||
EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
|
||||
&algname, EVP_PKEY_get0_asn1(pkey));
|
||||
BIO_printf(sdb->out, "%s, bits=%d",
|
||||
algname, EVP_PKEY_bits(pkey));
|
||||
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(sdb->out, "Public key missing");
|
||||
} else {
|
||||
const char *algname = "";
|
||||
|
||||
EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
|
||||
&algname, EVP_PKEY_get0_asn1(pkey));
|
||||
BIO_printf(sdb->out, "%s, bits=%d",
|
||||
algname, EVP_PKEY_get_bits(pkey));
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
|
@ -26,12 +26,27 @@
|
|||
typedef unsigned int u_int;
|
||||
#endif
|
||||
|
||||
#ifdef _WIN32
|
||||
# include <process.h>
|
||||
|
||||
/* MSVC renamed some POSIX functions to have an underscore prefix. */
|
||||
# ifdef _MSC_VER
|
||||
# define getpid _getpid
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
|
||||
# include "apps.h"
|
||||
# include "s_apps.h"
|
||||
# include "internal/sockets.h"
|
||||
|
||||
# if defined(__TANDEM)
|
||||
# if defined(OPENSSL_TANDEM_FLOSS)
|
||||
# include <floss.h(floss_read)>
|
||||
# endif
|
||||
# endif
|
||||
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/err.h>
|
||||
|
||||
|
@ -160,7 +175,9 @@ int init_client(int *sock, const char *host, const char *port,
|
|||
if (*sock == INVALID_SOCKET) {
|
||||
if (bindaddr != NULL && !found) {
|
||||
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
|
||||
#ifdef AF_INET6
|
||||
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
|
||||
#endif
|
||||
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
|
||||
BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
|
||||
bindhost != NULL ? bindhost : "",
|
||||
|
@ -183,6 +200,42 @@ int init_client(int *sock, const char *host, const char *port,
|
|||
return ret;
|
||||
}
|
||||
|
||||
int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
|
||||
{
|
||||
int success = 1;
|
||||
|
||||
if (BIO_printf(out, "ACCEPT") <= 0)
|
||||
return 0;
|
||||
if (with_address) {
|
||||
union BIO_sock_info_u info;
|
||||
char *hostname = NULL;
|
||||
char *service = NULL;
|
||||
|
||||
if ((info.addr = BIO_ADDR_new()) != NULL
|
||||
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)
|
||||
&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL
|
||||
&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL) {
|
||||
success = BIO_printf(out,
|
||||
strchr(hostname, ':') == NULL
|
||||
? /* IPv4 */ " %s:%s"
|
||||
: /* IPv6 */ " [%s]:%s",
|
||||
hostname, service) > 0;
|
||||
} else {
|
||||
(void)BIO_printf(out, "unknown:error\n");
|
||||
success = 0;
|
||||
}
|
||||
OPENSSL_free(hostname);
|
||||
OPENSSL_free(service);
|
||||
BIO_ADDR_free(info.addr);
|
||||
}
|
||||
if (with_pid)
|
||||
success = success && BIO_printf(out, " PID=%d", getpid()) > 0;
|
||||
success = success && BIO_printf(out, "\n") > 0;
|
||||
(void)BIO_flush(out);
|
||||
|
||||
return success;
|
||||
}
|
||||
|
||||
/*
|
||||
* do_server - helper routine to perform a server operation
|
||||
* @accept_sock: pointer to storage of resulting socket.
|
||||
|
@ -239,6 +292,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
|||
sock_protocol = BIO_ADDRINFO_protocol(res);
|
||||
sock_address = BIO_ADDRINFO_address(res);
|
||||
next = BIO_ADDRINFO_next(res);
|
||||
#ifdef AF_INET6
|
||||
if (sock_family == AF_INET6)
|
||||
sock_options |= BIO_SOCK_V6_ONLY;
|
||||
if (next != NULL
|
||||
|
@ -257,6 +311,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
|||
sock_options &= ~BIO_SOCK_V6_ONLY;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
|
||||
if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
|
||||
|
@ -296,36 +351,10 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
|||
BIO_ADDRINFO_free(res);
|
||||
res = NULL;
|
||||
|
||||
if (sock_port == 0) {
|
||||
/* dynamically allocated port, report which one */
|
||||
union BIO_sock_info_u info;
|
||||
char *hostname = NULL;
|
||||
char *service = NULL;
|
||||
int success = 0;
|
||||
|
||||
if ((info.addr = BIO_ADDR_new()) != NULL
|
||||
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)
|
||||
&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL
|
||||
&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL
|
||||
&& BIO_printf(bio_s_out,
|
||||
strchr(hostname, ':') == NULL
|
||||
? /* IPv4 */ "ACCEPT %s:%s\n"
|
||||
: /* IPv6 */ "ACCEPT [%s]:%s\n",
|
||||
hostname, service) > 0)
|
||||
success = 1;
|
||||
|
||||
(void)BIO_flush(bio_s_out);
|
||||
OPENSSL_free(hostname);
|
||||
OPENSSL_free(service);
|
||||
BIO_ADDR_free(info.addr);
|
||||
if (!success) {
|
||||
BIO_closesocket(asock);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
(void)BIO_printf(bio_s_out, "ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
if (!report_server_accept(bio_s_out, asock, sock_port == 0, 0)) {
|
||||
BIO_closesocket(asock);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (accept_sock != NULL)
|
||||
|
@ -402,4 +431,25 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
|||
return ret;
|
||||
}
|
||||
|
||||
void do_ssl_shutdown(SSL *ssl)
|
||||
{
|
||||
int ret;
|
||||
|
||||
do {
|
||||
/* We only do unidirectional shutdown */
|
||||
ret = SSL_shutdown(ssl);
|
||||
if (ret < 0) {
|
||||
switch (SSL_get_error(ssl, ret)) {
|
||||
case SSL_ERROR_WANT_READ:
|
||||
case SSL_ERROR_WANT_WRITE:
|
||||
case SSL_ERROR_WANT_ASYNC:
|
||||
case SSL_ERROR_WANT_ASYNC_JOB:
|
||||
/* We just do busy waiting. Nothing clever */
|
||||
continue;
|
||||
}
|
||||
ret = 0;
|
||||
}
|
||||
} while (ret < 0);
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_SOCK */
|
231
apps/lib/tlssrp_depr.c
Normal file
231
apps/lib/tlssrp_depr.c
Normal file
|
@ -0,0 +1,231 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* This file is to enable backwards compatibility for the SRP features of
|
||||
* s_client, s_server and ciphers. All of those features are deprecated and will
|
||||
* eventually disappear. In the meantime, to continue to support them, we
|
||||
* need to access deprecated SRP APIs.
|
||||
*/
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/srp.h>
|
||||
#include "apps_ui.h"
|
||||
#include "apps.h"
|
||||
#include "s_apps.h"
|
||||
|
||||
static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
|
||||
{
|
||||
BN_CTX *bn_ctx = BN_CTX_new();
|
||||
BIGNUM *p = BN_new();
|
||||
BIGNUM *r = BN_new();
|
||||
int ret =
|
||||
g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
|
||||
BN_check_prime(N, bn_ctx, NULL) == 1 &&
|
||||
p != NULL && BN_rshift1(p, N) &&
|
||||
/* p = (N-1)/2 */
|
||||
BN_check_prime(p, bn_ctx, NULL) == 1 &&
|
||||
r != NULL &&
|
||||
/* verify g^((N-1)/2) == -1 (mod N) */
|
||||
BN_mod_exp(r, g, p, N, bn_ctx) &&
|
||||
BN_add_word(r, 1) && BN_cmp(r, N) == 0;
|
||||
|
||||
BN_free(r);
|
||||
BN_free(p);
|
||||
BN_CTX_free(bn_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-
|
||||
* This callback is used here for two purposes:
|
||||
* - extended debugging
|
||||
* - making some primality tests for unknown groups
|
||||
* The callback is only called for a non default group.
|
||||
*
|
||||
* An application does not need the call back at all if
|
||||
* only the standard groups are used. In real life situations,
|
||||
* client and server already share well known groups,
|
||||
* thus there is no need to verify them.
|
||||
* Furthermore, in case that a server actually proposes a group that
|
||||
* is not one of those defined in RFC 5054, it is more appropriate
|
||||
* to add the group to a static list and then compare since
|
||||
* primality tests are rather cpu consuming.
|
||||
*/
|
||||
|
||||
static int ssl_srp_verify_param_cb(SSL *s, void *arg)
|
||||
{
|
||||
SRP_ARG *srp_arg = (SRP_ARG *)arg;
|
||||
BIGNUM *N = NULL, *g = NULL;
|
||||
|
||||
if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL))
|
||||
return 0;
|
||||
if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
|
||||
BIO_printf(bio_err, "SRP parameters:\n");
|
||||
BIO_printf(bio_err, "\tN=");
|
||||
BN_print(bio_err, N);
|
||||
BIO_printf(bio_err, "\n\tg=");
|
||||
BN_print(bio_err, g);
|
||||
BIO_printf(bio_err, "\n");
|
||||
}
|
||||
|
||||
if (SRP_check_known_gN_param(g, N))
|
||||
return 1;
|
||||
|
||||
if (srp_arg->amp == 1) {
|
||||
if (srp_arg->debug)
|
||||
BIO_printf(bio_err,
|
||||
"SRP param N and g are not known params, going to check deeper.\n");
|
||||
|
||||
/*
|
||||
* The srp_moregroups is a real debugging feature. Implementors
|
||||
* should rather add the value to the known ones. The minimal size
|
||||
* has already been tested.
|
||||
*/
|
||||
if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
|
||||
return 1;
|
||||
}
|
||||
BIO_printf(bio_err, "SRP param N and g rejected.\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define PWD_STRLEN 1024
|
||||
|
||||
static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
|
||||
{
|
||||
SRP_ARG *srp_arg = (SRP_ARG *)arg;
|
||||
char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer");
|
||||
PW_CB_DATA cb_tmp;
|
||||
int l;
|
||||
|
||||
cb_tmp.password = (char *)srp_arg->srppassin;
|
||||
cb_tmp.prompt_info = "SRP user";
|
||||
if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
|
||||
BIO_printf(bio_err, "Can't read Password\n");
|
||||
OPENSSL_free(pass);
|
||||
return NULL;
|
||||
}
|
||||
*(pass + l) = '\0';
|
||||
|
||||
return pass;
|
||||
}
|
||||
|
||||
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
|
||||
int c_debug)
|
||||
{
|
||||
if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) {
|
||||
BIO_printf(bio_err, "Unable to set SRP username\n");
|
||||
return 0;
|
||||
}
|
||||
srp_arg->msg = c_msg;
|
||||
srp_arg->debug = c_debug;
|
||||
SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
|
||||
SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
|
||||
SSL_CTX_set_srp_strength(ctx, srp_arg->strength);
|
||||
if (c_msg || c_debug || srp_arg->amp == 0)
|
||||
SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static char *dummy_srp(SSL *ssl, void *arg)
|
||||
{
|
||||
return "";
|
||||
}
|
||||
|
||||
void set_up_dummy_srp(SSL_CTX *ctx)
|
||||
{
|
||||
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
|
||||
}
|
||||
|
||||
/*
|
||||
* This callback pretends to require some asynchronous logic in order to
|
||||
* obtain a verifier. When the callback is called for a new connection we
|
||||
* return with a negative value. This will provoke the accept etc to return
|
||||
* with an LOOKUP_X509. The main logic of the reinvokes the suspended call
|
||||
* (which would normally occur after a worker has finished) and we set the
|
||||
* user parameters.
|
||||
*/
|
||||
static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
|
||||
{
|
||||
srpsrvparm *p = (srpsrvparm *) arg;
|
||||
int ret = SSL3_AL_FATAL;
|
||||
|
||||
if (p->login == NULL && p->user == NULL) {
|
||||
p->login = SSL_get_srp_username(s);
|
||||
BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (p->user == NULL) {
|
||||
BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (SSL_set_srp_server_param
|
||||
(s, p->user->N, p->user->g, p->user->s, p->user->v,
|
||||
p->user->info) < 0) {
|
||||
*ad = SSL_AD_INTERNAL_ERROR;
|
||||
goto err;
|
||||
}
|
||||
BIO_printf(bio_err,
|
||||
"SRP parameters set: username = \"%s\" info=\"%s\" \n",
|
||||
p->login, p->user->info);
|
||||
ret = SSL_ERROR_NONE;
|
||||
|
||||
err:
|
||||
SRP_user_pwd_free(p->user);
|
||||
p->user = NULL;
|
||||
p->login = NULL;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
|
||||
char *srpuserseed, char *srp_verifier_file)
|
||||
{
|
||||
int ret;
|
||||
|
||||
srp_callback_parm->vb = SRP_VBASE_new(srpuserseed);
|
||||
srp_callback_parm->user = NULL;
|
||||
srp_callback_parm->login = NULL;
|
||||
|
||||
if (srp_callback_parm->vb == NULL) {
|
||||
BIO_printf(bio_err, "Failed to initialize SRP verifier file \n");
|
||||
return 0;
|
||||
}
|
||||
if ((ret =
|
||||
SRP_VBASE_init(srp_callback_parm->vb,
|
||||
srp_verifier_file)) != SRP_NO_ERROR) {
|
||||
BIO_printf(bio_err,
|
||||
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
|
||||
srp_verifier_file, ret);
|
||||
return 0;
|
||||
}
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
|
||||
SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
|
||||
SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out)
|
||||
{
|
||||
SRP_user_pwd_free(srp_callback_parm->user);
|
||||
srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb,
|
||||
srp_callback_parm->login);
|
||||
|
||||
if (srp_callback_parm->user != NULL)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm->user->info);
|
||||
else
|
||||
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue